• In an IP spoofing attack an external or internal adversary pretends to be using a trusted device by using the address of that device. This can be either an IP address within a range of trusted internal addresses for a network or an authorised external address that is trusted and allowed access to specified network resources. Spoofing an address might enable data to be sent through a router interface with filtering based on that address.
    • IP address spoofing is used to mask botnet device locations in DDoS attacks and to stage DrDoS attacks.
    • IP spoofing can also be used to bypass IP address-based authentication.
  • In an ARP spoofing attack, an adversary sends spoofed ARP messages over a LAN in order to link the adversary's MAC address with the IP address of a legitimate member of the network. Data that is intended for the host’s IP address gets sent to the adversary instead.
    • ARP spoofing can be used to steal information, modify data-in-transit or stop traffic on a LAN.
    • ARP spoofing attacks can also be used to facilitate other types of attacks, including DoS attacks, session hijacking and MitM attacks.
  • DNS spoofing can be achieved by DNS redirection, an attack in which an adversary modifies a DNS server in order to redirect a specific domain name to a different IP address. In many cases, the new IP address will be for a server controlled by the adversary which contains files infected with malware. Cache poisoning is another way to achieve DNS spoofing, without relying on DNS hijacking (physically taking over the DNS settings). An adversary inserts a forged DNS entry, containing an alternative IP destination for the same domain name. The DNS server resolves the domain to the spoofed website, until the cache is refreshed.
    • DNS server spoofing attacks are often used to spread computer worms and viruses.
    • This kind of attack is also often used for pharming.
  • In HTTPS session spoofing an adversary uses stolen or counterfeit session tokens to initiate a new session and impersonate the original user, who might not be aware of the attack. The difference between HTTPS session hijacking and spoofing lies in the timing of the attack. Session hijacking is done against a user who is logged in and authenticated, so from the target's point of view the attack will most likely cause the application to behave unpredictably or crash.
    • SSL stripping is one of the most potent MitM attacks between a client device and a server because it allows for exploitation of services that people assume to be secure.


  • Change router passwords (no default passwords)
  • Install antivirus on all endpoints

Application development

  • Use Transport Layer Security (TLS), Secure Shell (SSH), HTTP Secure (HTTPS) and other secure communications protocols that encrypt data before it is sent and authenticate data as it is received.
  • Use additional multi-step authentication methods.

IP spoofing

The threat of IP spoofing can be reduced (not completely eliminated) by:

  • Using packet filters, which help prevent IP address spoofing because they can filter out and block packets with conflicting source address information (packets from outside the network that show source addresses from inside the network and vice versa).
    • Ingress filtering to keep packets out of a network segment when their source addresses should already be on that segment (RFC 2827).
    • Address allocation for preventing “private” addresses from entering or exiting a network segment (RFC 1918).
  • Monitoring networks for atypical activity.
  • Migrating sites to IPv6, making IP spoofing harder by including encryption and authentication.
  • Developing protocols that do not rely on trust relationships (or rely on them as little as possible). Trust relationships only use IP addresses for authentication.
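The packet-filter rules above can be written as a single decision function. This is an added example, not code from the original page; the internal range 10.20.0.0/16, the direction labels and the function names are assumptions made for illustration, and NAT of outbound traffic is assumed to happen after this check.

```python
import ipaddress

# Assumed site layout, constructed for this example.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# RFC 1918 private ranges.
RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def filter_packet(direction, src, dst):
    """Return (verdict, reason) for a packet crossing the edge router.

    direction is "inbound" (arrived on the external interface) or
    "outbound" (arrived on the internal interface, heading outside).
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if direction == "inbound":
        # An internal source address cannot legitimately arrive from outside.
        if _in_any(src_ip, INTERNAL_NETS):
            return ("drop", "internal source arriving from outside")
        # Private addresses are not routable on the Internet.
        if _in_any(src_ip, RFC1918_NETS):
            return ("drop", "private source arriving from outside")
        return ("accept", "source consistent with interface")
    if direction == "outbound":
        # Only addresses assigned to this site may leave it as a source
        # (assumption: NAT rewrites the source after this check).
        if not _in_any(src_ip, INTERNAL_NETS):
            return ("drop", "source not assigned to internal segment")
        # Private destinations must not exit toward the Internet.
        if _in_any(dst_ip, RFC1918_NETS):
            return ("drop", "private destination leaving the network")
        return ("accept", "source consistent with interface")
    raise ValueError("direction must be 'inbound' or 'outbound'")
```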

ARP spoofing

  • There are many ARP spoofing detection tools that inspect and certify data before it is transmitted and block data that appears to be spoofed. An open source solution is ArpON ARP handler inspection.
  • Note that the existence of multiple IP addresses associated with a single MAC address can indicate an ARP spoof attack, but there are also legitimate uses of such a configuration (virtual machines, device gateways).
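The indicator in the note above, several IP addresses behind one MAC address, can be checked against a neighbour table while allowing for the legitimate cases. This is an added example, not code from the original page or from ArpON; the sample table, the allowlist and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in the format printed by `ip neigh show` on Linux.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr 52:54:00:aa:00:99 REACHABLE
192.168.1.20 dev eth0 lladdr 52:54:00:aa:00:20 STALE
192.168.1.30 dev eth0 lladdr 52:54:00:aa:00:66 REACHABLE
192.168.1.31 dev eth0 lladdr 52:54:00:aa:00:66 REACHABLE
192.168.1.40 dev eth0 lladdr 52:54:00:aa:00:99 REACHABLE
192.168.1.50 dev eth0 FAILED
"""

# Hypothetical allowlist: MACs known to answer for several IPs legitimately
# (for example a virtual machine host or a device gateway).
KNOWN_MULTI_IP_MACS = {"52:54:00:aa:00:66"}


def parse_neigh(text):
    """Yield (ip, mac) pairs; entries without a resolved lladdr are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" in fields:
            idx = fields.index("lladdr")
            if idx + 1 < len(fields):
                yield fields[0], fields[idx + 1].lower()


def find_shared_macs(text, allowlist=frozenset()):
    """Return {mac: [ips]} for MACs claiming more than one IP address."""
    ips_by_mac = defaultdict(set)
    for ip, mac in parse_neigh(text):
        ips_by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items()
            if len(ips) > 1 and mac not in allowlist}
```

In the sample, the gateway address 192.168.1.1 shares a MAC with host 192.168.1.40, which is the entry worth investigating; the allowlisted MAC is not reported.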

DNS spoofing

  • Shut down unneeded DNS resolvers.
  • Place legitimate resolvers behind a firewall with no access from outside the organization.
  • Use a random source port, and randomize the query ID and the upper/lower case of letters in queried domain names (against DNS cache poisoning).
  • Do not run an authoritative name server and a resolver on the same server to prevent one from taking down the other.
  • Allow only slave name servers to request a zone transfer (a partial copy of DNS records). Zone records contain information that is valuable to adversaries.
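The query randomization item above only helps if the resolver also rejects answers that do not echo the random values back. This is an added example, not code from the original page; the function names are assumptions, and the random source port is left to the operating system (a UDP socket bound to port 0), so only the query ID and letter case are handled here.

```python
import secrets
import struct


def mix_case(name):
    """Randomize the case of each letter in the query name."""
    return "".join(c.upper() if secrets.randbits(1) else c.lower()
                   for c in name)


def encode_name(name):
    """Encode a domain name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1):
    """Return (txid, sent_name, packet) for a recursive query (A by default)."""
    txid = secrets.randbits(16)          # unpredictable 16-bit query ID
    sent_name = mix_case(name)           # unpredictable letter case
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(sent_name) + struct.pack("!HH", qtype, 1)
    return txid, sent_name, header + question


def response_matches(packet, txid, sent_name, qtype=1):
    """Accept a response only if ID, QR bit and exact-case question match."""
    if len(packet) < 12:
        return False
    rid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if rid != txid or not flags & 0x8000 or qdcount != 1:
        return False
    expected = encode_name(sent_name) + struct.pack("!HH", qtype, 1)
    # Byte-for-byte comparison, so a forged answer must also guess the case.
    return packet[12:12 + len(expected)] == expected
```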

Site owners

  • Use two-factor authentication when accessing the DNS registrar, to avoid compromise. If available as an option, define a whitelist of IP addresses that are allowed to access DNS settings.
  • Check if the DNS registrar supports client lock (change lock), which prevents changes to your DNS records without approval from a specific named individual.
  • Use a DNS registrar that supports DNSSEC, and enable it. DNSSEC digitally signs DNS communication, making it more difficult (but not impossible) for adversaries to intercept and spoof.

  • Last modified: 2019/11/07 16:06