Originally Published: Saturday, 10 June 2000 Author: Kapil Sharma
Published to: enchance_articles_security/Advanced Security Articles Page: 1/1 - [Std View]

An Overview of TCP and IP Spoofing

TCP and IP spoofing attacks can be very dangerous! In this article, Kapil Sharma introduces TCP and IP spoofing and lists measures to prevent your network from these attacks.

The opinions expressed by contributors to Linux.com are their own. Linux.com bears no responsibility for its contributors' opinions.

A spoofing attack involves forging one's source IP address. It is the act of using one machine to impersonate another. Most of the applications and tools in Unix systems, including Linux, rely on source IP address authentication, and many developers have used host-based access controls to secure their networks. The source IP address is a unique identifier, but it is not a reliable one. It can easily be spoofed.

To understand the spoofing process, I will begin by explaining the TCP and IP authentication process. Then I will discuss how an attacker can spoof your network.

TCP uses sequence numbers. When a virtual circuit establishes between two hosts, TCP assigns each packet a number as an identifying index. Both hosts use this number for error-checking and reporting.

Rik Farrow, in his article "Sequence Number Attacks," explains the sequence number system as follows:

The sequence number is used to acknowledge receipt of data. At the beginning of a TCP connection, the client sends a TCP packet with an initial sequence number, but no acknowledgement (there can't be one yet). If there is a server application running at the other end of the connection, the server sends back a TCP packet with its own initial sequence number, and an acknowledgement: the initial sequence number from the client's packet plus one. When the client system receives this packet, it must send back its own acknowledgement: the server's initial sequence number plus one."
Thus an attacker is faced with two challenges:
  1. He must forge the source address.
  2. He must maintain a sequence number with the target.
The second task is the most complicated one, because when target sets the initial sequence number, the attacker must respond with the correct response. Once the attacker correctly guesses the sequence number, he can synchronize with the target and establish a valid session.

Services Vulnerable to IP Spoofing

Configuration and services that are vulnerable to IP spoofing attacks include:

TCP and IP Spoofing Tools
  1. Mendax for Linux: Mendax is an easy-to-use tool for TCP sequence number prediction and rshd spoofing.
  2. spoofit.h: spoofit.h is a well-commented library for including IP spoofing functionality into applications.
  3. ipspoof: ipspoof is a TCP and IP spoofing utility.
  4. hunt: hunt is a sniffer which also offers many spoofing functions.
Measures to Prevent IP Spoofing Attacks

So how does a system administrator prevent IP spoofing attacks. Some good measures are:


Spoofing attacks are very dangerous and difficult to detect. As they become increasingly popular, the only way to prevent these attacks are to implement security measures such as encrypted authentication to secure your network.

Kapil Sharma is a Linux and Internet security consultant. He has been working on various Linux systems for more than 2 years. He has a web site, http://www.linux4biz.net, if you are interested in learning more about him.