Hi malware fighters,
Spoofing is not only malicious on every count, it is also destructive.
Spoofing means nothing more than pretending to be someone or something else. On the world wide web it is mostly encountered in spam email: the sender address is often non-existent or at any rate not the real sender's address, which makes it harder to identify the spammer. Spoofing can also be done with IP packets, and just as with spam the sender is then not who he says he is.
In the case of spam the spoofing has succeeded once the message has reached the target and eventually been opened. In the case of an IP packet it is less clear-cut: there can be no two-way communication when the source address is forged, because any reaction to the packet will be sent back to that forged address instead of to the real sender.
But how is it possible, then, that users on the Internet can change their real IP address? The answer is very simple: they do not, they use a proxy server. They send their request for a certain page to the proxy, the proxy fetches that page and sends it back in its turn. To the one offering the web page the request appears to come from a user with the proxy's IP address. This could be called spoofing, but there is no other technique involved than the normal use of a browser. Proxy servers are slow to use, and an ordinary HTTP proxy only forwards web traffic, so they can only be used to "spoof" HTTP traffic.
All right, so I may not be able to spoof my IP address and surf with that spoofed address. What good is it then? As has been made clear by now, normal use in combination with spoofed packets is not possible, but malicious uses can be found. Spoofed IP packets can be used to perform a Denial of Service (DoS) attack. When two machines want to "converse" with each other via TCP/IP they first have to go through a so-called three-way handshake. Where people who meet say "How do you do? - I am fine, and how are you? - Not too bad really", computers have learned to keep this conversation a lot simpler in the form of "Syn - Syn/Ack - Ack". That is how they make clear they are in for a TCP/IP session. After one machine has received a Syn packet, it reserves a connection (a so-called half-open connection) and sends back a Syn/Ack. When no Ack comes back it keeps retransmitting the Syn/Ack until the session is confirmed by an Ack, or until a timeout has passed and the connection is set free again. So by sending an enormous number of Syn packets with spoofed sender addresses, all available connections get used up: the Syn/Acks go to the forged addresses, so the final Ack never arrives, and the machine is left waiting for an answer that won't come. While all the half-open slots are taken, normal connections cannot be made either, so the machine cannot be reached.
As you can see from all this, spoofing an IP address is malicious under all circumstances. Normal TCP/IP communication has become impossible, so the only goal here is to cause damage. For being anonymous on the Internet there are better ways, like the use of proxies.
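To make the handshake story above concrete, here is a small model of a listener's half-open connection table under a Syn flood. This is an added example, not code from the original post: the backlog size, the timeout and the addresses (RFC 5737 TEST-NET ranges) are invented for illustration, and real TCP stacks retransmit the Syn/Ack several times before giving up rather than using one fixed timer.

```python
"""Toy model of a TCP listener's half-open (SYN_RECEIVED) table under a SYN flood.

Added example, not code from the original post. Backlog size, timeout and the
addresses used are invented for illustration (TEST-NET ranges, RFC 5737).
"""
from dataclasses import dataclass, field

BACKLOG = 128          # half-open connections the listener will hold at once (illustrative)
SYN_TIMEOUT = 60.0     # seconds before a half-open entry is given up (illustrative)


@dataclass
class Listener:
    backlog: int
    syn_timeout: float
    half_open: dict = field(default_factory=dict)  # (src_ip, src_port) -> expiry time
    established: int = 0
    dropped_syns: int = 0

    def _expire(self, now):
        # Entries whose timeout has passed are freed: "the connection is set free again".
        for key in [k for k, exp in self.half_open.items() if exp <= now]:
            del self.half_open[key]

    def on_syn(self, src, now):
        """SYN received: reserve a slot and answer SYN/ACK, or drop if the backlog is full."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1     # a real client would see its connect() hang or fail here
            return None
        self.half_open[src] = now + self.syn_timeout
        return "SYN/ACK"               # goes to whatever source address the SYN carried

    def on_ack(self, src, now):
        """Final ACK of the handshake: only valid if we still hold the half-open entry."""
        self._expire(now)
        if src in self.half_open:
            del self.half_open[src]
            self.established += 1
            return True
        return False


def legit_handshake(listener, src, now):
    """Honest client: sends SYN, receives the SYN/ACK at its real address, answers ACK."""
    if listener.on_syn(src, now) is None:
        return False
    return listener.on_ack(src, now + 0.05)


def spoofed_flood(listener, count, now):
    """Attacker: SYNs with forged sources. The SYN/ACKs go to the forged addresses,
    so the final ACK never comes back and every slot stays reserved until it times out."""
    for i in range(count):
        forged = (f"198.51.100.{i % 256}", 1024 + i)   # constructed forged sources
        listener.on_syn(forged, now)


def simulate():
    """Honest client before, during and after a 1000-packet spoofed SYN flood."""
    listener = Listener(backlog=BACKLOG, syn_timeout=SYN_TIMEOUT)
    client = ("203.0.113.7", 51515)                    # constructed honest client
    results = {}
    results["legit_before"] = legit_handshake(listener, client, now=0.0)
    spoofed_flood(listener, count=1000, now=1.0)
    results["half_open_at_peak"] = len(listener.half_open)
    results["dropped_syns"] = listener.dropped_syns
    results["legit_during"] = legit_handshake(listener, client, now=2.0)
    results["legit_after"] = legit_handshake(listener, client, now=1.0 + SYN_TIMEOUT + 1.0)
    results["established"] = listener.established
    return results


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Running simulate() shows the three phases the paragraph describes: the honest client connects fine before the flood, is refused while the 128 slots are held by forged sources (872 of the 1000 spoofed Syns are simply dropped because the table is already full), and connects again once the timeout has freed the slots. Note that the attacker needs no reply at all, which is exactly why spoofing the source costs him nothing here.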
There are however several ways to defend against such attacks, and a good managed hosting company will use some or all of them on its dedicated servers.
The first and most important line of defense is a traffic analyzer. These software products consist of a suite of programs that constantly analyze the source and details of incoming traffic, looking for the most common signs of forged connection requests and other markers that are frequently found as part of Distributed Denial of Service (DDoS) attacks. Once such traffic is found, the better products are able to filter it out and prevent it from reaching the server in the first place. In the next line of defense a dedicated server company will have a firewall that filters the traffic further. Firewalls work by blocking access to rarely used server ports and resources according to specified rules. By closing off these otherwise unprotected resources, firewalls remove some of the most common access points and weak spots for Denial of Service attacks. And finally, many managed hosting companies provide a backup cluster with a separate and distinct address and data connection, so that in the event of a DDoS attack services can be switched over to the backup, which remains unaffected.
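What a traffic analyzer actually looks for, in the case of a Syn flood, can be shown with a few lines of code. Below is an added example (not from the original post, not any vendor's product): a minimal indicator run over constructed, tcpdump-style one-line summaries of packets arriving at a server. The log format, the addresses and the thresholds are invented for illustration; a real analyzer would work on live packet captures or flow records and tune the thresholds to the server's normal traffic.

```python
"""Added example (not from the original post): a minimal SYN-flood indicator run over
constructed, tcpdump-style one-line packet summaries of traffic arriving at a server.
Format, addresses and thresholds are invented for illustration."""
import re
from collections import defaultdict

# Constructed sample. Two honest clients complete their handshakes (SYN, then a bare ACK),
# then 40 forged sources send lone SYNs to port 80 and never follow up.
SAMPLE_LOG = "\n".join(
    ["12:00:00.100 IP 203.0.113.7.51515 > 192.0.2.10.80: Flags [S]",
     "12:00:00.150 IP 203.0.113.7.51515 > 192.0.2.10.80: Flags [.]",
     "12:00:00.200 IP 203.0.113.9.40001 > 192.0.2.10.22: Flags [S]",
     "12:00:00.250 IP 203.0.113.9.40001 > 192.0.2.10.22: Flags [.]"]
    + [f"12:00:01.{i:03d} IP 198.51.100.{i % 256}.{1024 + i} > 192.0.2.10.80: Flags [S]"
       for i in range(40)]
)

# Matches lines like: "12:00:00.100 IP 1.2.3.4.5555 > 5.6.7.8.80: Flags [S]"
LINE_RE = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]")

# Thresholds (illustrative): many sources that all leave their handshake unfinished.
MIN_HALF_OPEN = 20
MIN_HALF_OPEN_RATIO = 0.8


def parse(log):
    """Yield (src, dst, flags) for every line that matches the summary format."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("src"), m.group("dst"), m.group("flags")


def syn_flood_indicators(log):
    """Per destination ip.port: SYNs seen, sources that never ACKed, distinct sources."""
    syns = defaultdict(int)
    pending = defaultdict(set)       # dst -> sources whose SYN has not been followed by an ACK
    sources = defaultdict(set)
    for src, dst, flags in parse(log):
        if "S" in flags and "." not in flags:        # bare SYN, not a SYN/ACK
            syns[dst] += 1
            pending[dst].add(src)
            sources[dst].add(src)
        elif flags == "." and src in pending[dst]:   # third step of the handshake
            pending[dst].discard(src)
    report = {}
    for dst in syns:
        half_open = len(pending[dst])
        ratio = half_open / syns[dst]
        report[dst] = {
            "syns": syns[dst],
            "half_open": half_open,
            "distinct_sources": len(sources[dst]),
            "suspect": half_open >= MIN_HALF_OPEN and ratio >= MIN_HALF_OPEN_RATIO,
        }
    return report


if __name__ == "__main__":
    for dst, stats in syn_flood_indicators(SAMPLE_LOG).items():
        print(dst, stats)
```

On the sample, port 80 of 192.0.2.10 is flagged: 41 Syns, 40 of them from sources that never sent the final Ack, while port 22 with its one completed handshake is not. The marker is not the volume alone but the combination of many distinct sources and a high share of unfinished handshakes, which is what distinguishes a spoofed flood from a busy but honest service.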
polonus