1

My understanding is that IP address spoofing would not be possible if all ISPs would be doing egress filtering. That is, each ISP would not allow any IP packet to go outside of it's network if it sees a source IP, which does not belong to the source sub-network.

But what is the modern empirical evidence of it actually happening? How many "spoofed" packets manage to go far enough on the Internet highways that they can reach the destination, given that this destination is on another continent for example.

I understand that for a spoofing attempt to be effective, it needs to make sure that a response is also routed to the "malicious" destination. But I'm more interested in the initial "request" IP packets and the "real life" experience of spoofed packets on the Internet managing to get far outside the real source ISP.

Improve this question
5
  • Are you aware of the massive problem of spoofed packets used in DDoS attacks? Commented Nov 18, 2019 at 14:46
  • 1
    Google "ddos ip spoofing" and you will get flooded (pardon the pun) with info. Here's my top hit: blog.cloudflare.com/the-root-cause-of-large-ddos-ip-spoofing Commented Nov 18, 2019 at 14:48
  • So, I'm a little uncertain about your question. I think that you have a very specific type of spoofing in mind. Can you comment on what you are asking in the light of DDoS and amplification attacks? Commented Nov 18, 2019 at 14:51
  • Very useful comments! I haven't looked at this problem from the DDoS point of view (that's probably why I didn't find it). I was more interested in how effective it is as an additional layer of security to block certain protocol connections only from known IPs. Also, I was interested in why can't all IP spoofing be stopped by ISPs doing egress filtering. The link has the answers. Thanks! Commented Nov 18, 2019 at 14:58
  • 1
    Because not all traffic originates from within the ISP's IP range. Commented Nov 18, 2019 at 14:59

1 Answer 1

Reset to default
1

Egress filtering is not what you want to do because you don't always have authoritative proof of the source of the traffic (the Internet is a mesh, not a hub/spoke). Ingress filtering is a more effective tool.

With ingress filtering, you know whether or not an IP is within your IP range. If a packet comes in with a source that was supposed to be from your network and you never saw it leave your network, then you know that something is wrong.

That's more difficult with UDP (connectionless), and the resource overhead is high.

Improve this answer
5
  • I guess egress filtering is exactly what we would like to be happening unless it would break "mesh" traffic. That is, if egress filtering would not break connectivity, it would be 100% effective. I'm just thinking about attackers sitting on a home connection, spoofing their IP traffic. I think it would be valid for an ISP to block IP packets from such connections if they contain a source IP, which is not the one that was given to an attacker (it's probably at most one, certainly not a range). Commented Nov 18, 2019 at 15:21
  • That still assumes that a node within a residential ISP is always the initiating node. What if the home computer is acting as a VPN/Tor node/proxy/etc.? Commented Nov 18, 2019 at 15:23
  • So, in order to trigger an IP spoofing attack, one needs to be on a corporate network with high requirements for their connectivity on the Internet, when an ISP could not do any effective "border control". Commented Nov 18, 2019 at 15:24
  • Or, you know, on a cloud service, a web server, VPS, etc. Commented Nov 18, 2019 at 15:25
  • VPN is more of a tunneling application. Do you need to route "foreign" IP packets to make it work? How often is it a requirement for a residential connection to be able to route "foreign" traffic? I though it is not a frequent mode of using the Internet from home. Sorry if we got to too basic of a level and my understanding of the Internet is not appropriate :) I guess it's my last comment on the topic. Thanks for your help! Commented Nov 18, 2019 at 15:31

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.