Friday, January 23, 2009

My attempts with IP Spoofing

Why did I want to spoof source IP addresses? And why did I fail? Here's the story:

UPDATE Sep/2010: Dear Filipe (see comments below) has proven to me that spoofing over the Internet is indeed possible; read all about it in the continuation post: My attempts with IP Spoofing – Revisited. Now back to the original story:

When customers install our product, they often forget to set up firewall rules to accept incoming connections from public IM (instant messaging) providers. Without the firewall rules in place the product does not function properly, of course, and the customer rushes to open a support trouble ticket. Troubleshooting to pinpoint the problem to a missing firewall rule isn't trivial. To validate whether the customer defined the required firewall rule, we need the external entity (over which we have no control) to open a connection to the customer's IP, but the external entity will only do so following the successful completion of a handshake sequence that must be initiated by the customer (consider for example the XMPP Dialback mechanism). Since this handshake is itself prone to failures, you can see how reproducing the problem is a cumbersome process.

I started looking for a simple, independent, and reliable troubleshooting procedure that would give a clear-cut answer to whether or not the customer defined the firewall correctly.
Here's what I've concocted:

  1. Assume that the customer IP is and they were supposed to configure their firewall to allow incoming connections from

  2. I'll send a single TCP SYN packet (the first of the three messages of the standard TCP handshake) from my computer (say its IP is, but I'll spoof the IP datagram's source address field to be instead of what would normally be my actual machine address (

  3. I'll ask the customer to run a network sniffer on the IM Gateway machine and wait for the single packet to arrive at the destination socket.

  4. If the sniffer recorded the incoming IP packet, then the firewall is set up correctly and the problem is elsewhere.
    But if the sniffer didn't record any incoming SYN packet, then we shall blame the firewall guys.
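The decision in step 4 is easy to get wrong by eye when the capture is busy, so here is a small checker for it. This is an added example, not the post's script: it assumes the sniffer is tcpdump (or prints tcpdump's `IP src.port > dst.port: Flags [..]` line format) and uses a constructed capture in which 203.0.113.10 stands in for the IM provider, 192.0.2.20 for the customer's IM Gateway, and 5269 (the standard XMPP server-to-server port) for the listening port; all three values are assumptions for the example.

```python
"""Verify the sniffer capture from steps 3 and 4: did the test SYN reach the gateway?

Added example; it is not the post's script. It assumes tcpdump-style text
output (the "IP src.port > dst.port: Flags [..]" line format) and uses a
constructed capture with addresses from the documentation ranges.
"""
import re

# One tcpdump TCP line, e.g.
#   12:00:01.000100 IP 203.0.113.10.40001 > 192.0.2.20.5269: Flags [S], seq 1, win 65535, length 0
TCP_LINE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_tcp_lines(capture_text):
    """Return a dict per TCP line in the capture; UDP and other lines are skipped."""
    packets = []
    for line in capture_text.splitlines():
        m = TCP_LINE.match(line.strip())
        if m:
            p = m.groupdict()
            p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
            packets.append(p)
    return packets


def firewall_verdict(capture_text, provider_ip, gateway_ip, gateway_port):
    """Decide step 4 from the capture.

    Returns ("open", hits) when at least one pure SYN (tcpdump flags "[S]",
    not the "[S.]" SYN-ACK) from provider_ip reached gateway_ip:gateway_port,
    meaning the inbound rule exists and the problem is elsewhere; otherwise
    ("blocked", []) and the firewall is the prime suspect.
    """
    hits = [
        p for p in parse_tcp_lines(capture_text)
        if p["src"] == provider_ip
        and p["dst"] == gateway_ip
        and p["dport"] == gateway_port
        and "S" in p["flags"] and "." not in p["flags"]
    ]
    return ("open" if hits else "blocked"), hits


# Constructed capture: 203.0.113.10 plays the IM provider, 192.0.2.20 the
# customer's IM Gateway, 5269 the XMPP server-to-server port (assumed values).
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 203.0.113.10.40001 > 192.0.2.20.5269: Flags [S], seq 1, win 65535, length 0
12:00:01.000300 IP 192.0.2.20.5269 > 203.0.113.10.40001: Flags [S.], seq 0, ack 2, win 65535, length 0
12:00:02.500000 IP 198.51.100.9.53 > 192.0.2.20.51000: UDP, length 64
12:00:03.000000 IP 203.0.113.10.40002 > 192.0.2.20.443: Flags [S], seq 1, win 65535, length 0
"""

if __name__ == "__main__":
    verdict, hits = firewall_verdict(SAMPLE_CAPTURE, "203.0.113.10", "192.0.2.20", 5269)
    print(verdict, [h["time"] for h in hits])
```

Run it as `python3 check_syn.py` after pasting the real capture into `SAMPLE_CAPTURE` (or reading it from a file); the verdict only counts a pure SYN, so the gateway's own SYN-ACK reply, which tcpdump prints with flags `[S.]`, can never be mistaken for the incoming test packet.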

Pretty simple, eh? Now, in order to spoof the TCP SYN packet I needed something that could generate and send raw IP packets, since you can't just fiddle with the source IP address if you choose to ride on the good ol' TCP/IP stack. I found this IP spoofing perl script on the net, and it does the job.

[Figure: Visualization of the various routes through a portion of the Internet. Taken from Wikipedia.]

I did my first test on the office LAN, I sent a message from machine (IP to to machine claiming the message source was, it worked! Machine registered an incoming packet from
It seems that the office router went along with the scam; perhaps it thought that the machine had switched its IP, or that the DHCP server went crazy, or that its ARP cache was just stale.

In the next test I tried sending the packet over the Internet: I sent a packet from the office to my home computer with a source IP of some foreign entity, and to my dismay it never got to my home computer. Other IP variations didn't work either.
My guess is that some router along the way noticed that it was getting a packet with a source IP address that the part of the network it is looking at can't possibly generate (imagine CIDR-based ACLs), and dropped the packet immediately. This failure caused me to give up on the whole spoofing troubleshooting procedure idea.
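The guess above is essentially what source-address ingress filtering (BCP 38, or strict unicast RPF on a router) does: each interface carries a list of source prefixes that can legitimately arrive there, and anything else is dropped. The following added example (mine, not the post's) replays both experiments against such a filter in miniature; the interface names, prefixes and addresses are constructed from the documentation ranges and are assumptions for the example. It also covers the backbone case discussed in the thoughts below, where a router with no per-interface expectation has nothing to check against.

```python
"""Why the LAN spoof worked and the Internet one didn't: a BCP 38 style
ingress filter in miniature.

Added example, not from the post. A router keeps, per interface, the list of
source prefixes that may legitimately arrive there and drops anything else
(the "CIDR-based ACLs" guessed at in the post). Prefixes and packets are
constructed from the documentation ranges.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str          # source address as written in the IP header
    dst: str
    ingress_if: str   # interface the packet arrived on


class IngressFilter:
    """Per-interface source-prefix check, like BCP 38 / strict uRPF."""

    def __init__(self, allowed_sources):
        # interface name -> networks whose addresses may be sources there
        self.allowed = {
            ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in allowed_sources.items()
        }
        self.dropped = []

    def accept(self, pkt):
        """True if the packet may be forwarded, False if it is dropped."""
        nets = self.allowed.get(pkt.ingress_if)
        if nets is None:
            # Backbone-facing interface with no expectation about sources:
            # the router has nothing to check against, so it forwards.
            return True
        ok = any(ipaddress.ip_address(pkt.src) in n for n in nets)
        if not ok:
            self.dropped.append(pkt)
        return ok


def run_scenarios():
    """Replay the post's two experiments plus the backbone case."""
    # Office LAN: the first-hop router only knows "sources on lan0 are 192.0.2.0/24".
    # A host at 192.0.2.10 claiming to be 192.0.2.77 is inside that prefix, so it passes.
    office = IngressFilter({"lan0": ["192.0.2.0/24"]})
    lan_spoof = Packet(src="192.0.2.77", dst="192.0.2.20", ingress_if="lan0")

    # ISP edge: the customer port cust0 was assigned exactly 198.51.100.0/29.
    # A packet claiming to come from 203.0.113.5 cannot originate there, so it is dropped;
    # one from the assigned block passes.
    isp = IngressFilter({"cust0": ["198.51.100.0/29"]})
    inet_spoof = Packet(src="203.0.113.5", dst="192.0.2.20", ingress_if="cust0")
    inet_real = Packet(src="198.51.100.2", dst="192.0.2.20", ingress_if="cust0")

    # Backbone: a core router peering with many networks has no per-interface
    # expectation, so the same spoofed packet is forwarded unchallenged.
    core = IngressFilter({})
    backbone = Packet(src="203.0.113.5", dst="192.0.2.20", ingress_if="core0")

    return {
        "office_lan_spoof": office.accept(lan_spoof),
        "isp_edge_spoof": isp.accept(inet_spoof),
        "isp_edge_real": isp.accept(inet_real),
        "backbone_spoof": core.accept(backbone),
        "isp_dropped": len(isp.dropped),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:18} {result}")
```

The LAN case shows the limit of this kind of filter: a forged source inside the prefix the interface is already allowed to use is indistinguishable from a real one, so a first-hop router can only ever stop spoofing of addresses outside its own customer's block, which is exactly the asymmetry the two experiments exposed.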

Some thoughts about what I've seen:

  1. Evidently, it's quite trivial to spoof IP addresses on a LAN.

  2. Spoofing IP addresses over the Internet doesn't seem to be trivial.

  3. A side note: if the customer has a reverse proxy, or any form of entity that delegates TCP handshakes, deployed in front of the actual IM Gateway machine, then the procedure is not applicable, as the first TCP SYN message will never reach the IM Gateway machine.

  4. I would assume that the closer you inject the packet to the Internet backbone bloodstream, the better the chances of the spoofed packet not getting rejected. The backbone routers communicate with many different parts of the network, and might not have a rationale for where certain packets should or should not be coming from.
    IP packets tend to travel by different routes, making it harder for each router to judge which source CIDR is legitimate from each fellow router.

  5. I'm guessing that the biggest problem for spoofing is the first or the second router (the ISP's), since the ISP knows exactly what your assigned address is, and thereby knows that the packet is spoofed.

  6. If any one knows a better method of spoofing source IP, please step forward and share your secret :)


  1. Hey, the link to that perl script doesn't seem to work; do you still have the source? Can you please send it to me?

  2. Sorry for your troubles. I fixed it. Try now.
    The Apache web server was actually trying to execute the perl script instead of just fetching it. I can't really control it, as it's something that the hosting service configures.

  3. Great article, thanks

  4. I'm not aware of routers checking source IPs.. it would require too many resources.. IP spoofing over the net is possible.. let me know any IP you want me to send a spoofed packet to, to see if it reaches

  5. I'm not a hacker but isn't the fact that the server executes the script a security hole? :O

  6. BTW, I like the little icons showing the OS, country and browser.

  7. @Fillipe: Cool! I accept the challenge!

    I've enabled access logging for the next couple of days.
    Can you try to send a UDP Packet from the imaginary source IP of:
    Dest IP:
    Dest port: 12345

    Let's see what comes through...

  8. Thanks Mike,

    Not sure what server is running which script exactly? Can you clarify?
    The auto flags come from the FireStat WordPress plug-in. Try it out.

  9. sent..
    21:51:42.696373 IP > UDP, length 8
    21:51:42.696509 IP > UDP, length 8
    21:51:42.696658 IP > UDP, length 8
    21:51:42.696823 IP > UDP, length 8
    21:51:42.696978 IP > UDP, length 8
    21:51:42.697138 IP > UDP, length 8
    21:51:42.697284 IP > UDP, length 8
    21:51:42.697424 IP > UDP, length 8
    21:51:42.697575 IP > UDP, length 8
    21:51:42.697725 IP > UDP, length 8
    21:51:42.697875 IP > UDP, length 8
    21:51:42.698017 IP > UDP, length 8
    21:51:42.698168 IP > UDP, length 8
    21:51:42.698330 IP > UDP, length 8

  10. No. Nothing at my end :(
    Can you try to send from your real IP address so we'll know there's nothing else in the way?

  11. [...] upon a time (Jan 2009) I’ve written this post, basically saying that you’re not likely to be able to spoof IP address over the Internet. [...]

  12. Is the way Filipe used successful? I want to know how to implement it, can you mail me?

  13. Plz see this: