Criminals have long employed the tactic of masking their true identity, from disguises to aliases to caller-id blocking. It should come as no surprise then, that criminals who conduct their nefarious activities on networks and computers should employ such techniques. IP spoofing is one of the most common forms of on-line camouflage. In IP spoofing, an attacker gains unauthorized access to a computer or a network by making it appear that a malicious message has come from a trusted machine by “spoofing” the IP address of that machine. In this article, we will examine the concepts of IP spoofing: why it is possible, how it works, what it is used for and how to defend against it.IP spoofing is a technique used to gain unauthorized access to computers, whereby the attacker sends messages to a computer with a forging IP address indicating that the message is coming from a trusted host. There are a few variations on the types of attacks that using IP spoofing.

Spoofing Attacks:

1.non-blind spoofing

This attack takes place when the attacker is on the same subnet as the target that could see sequence and acknowledgement of packets. The threat of this type of spoofing is session hijacking and an attacker could bypass any authentication measures taken place to build the connection. This is accomplished by corrupting the DataStream of an established connection, then re-establishing it based on correct sequence and acknowledgement numbers with the attack machine.

2.Blind spoofing

This attack may take place from outside where sequence and acknowledgement numbers are unreachable. Attackers usually send several packets to the target machine in order to sample sequence numbers, which is doable in older days. Today, most OSs implement random sequence number generation, making it difficult to predict them accurately. If, however, the sequence number was compromised, data could be sent to the target.

3.Man in the Middle Attack

This is also called connection hijacking. In this attacks, a malicious party intercepts a legitimate communication between two hosts to controls the flow of communication and to eliminate or alter the information sent by one of the original participants without their knowledge. In this way, an attacker can fool a target into disclosing confidential information by spoofing the identity of the original sender or receiver. Connection hijacking exploits a "desynchronized state" in TCP communication. When the sequence number in a received packet is not the same as the expected sequence number, the connection is called "desynchronized." Depending on the actual value of the received sequence number, the TCP layer may either discard or buffer the packet. When two hosts are desynchronized enough, they will discard/ignore packets from each other. An attacker can then inject forged packets with the correct sequence numbers and potentially modify or add messages to the communication. This requires the attacker to be located on the communication path between the two hosts in order to replicate packets being sent. The key to this attack is creating the desynchronized state.

4.Denial of Service Attack

IP spoofing is almost always used in denial of service attacks (DoS), in which attackers are concerned with consuming bandwidth and resources by flooding the target with as many packets as possible in a short amount of time. To effectively conducting the attack, attackers spoof source IP addresses to make tracing and stopping the DoS as difficult as possible. When multiple compromised hosts are participating in the attack, all sending spoofed traffic, it is very challenging to quickly block the traffic.

Article source: http://www.symantec.com/connect/articles/ip-spoofing-introduction
Article source: http://archive.networknewz.com/networknewz-10-20050518IntroductionIPSpoofing.html