Friday, October 2, 2015

How Do Attackers Spoof IP Address by Changing Source IP Address of Outgoing Packets

In one of my last articles, I explained what IP Address Spoofing is (What is IP Address Spoofing Attack?).

In fact, in almost all cyber attacks, the attacker spoofs his IP address so that it becomes very difficult to catch the attacker.

But how do the attackers do that? How can they change the source IP address of outgoing IP packets?

Well, in this article, I am going to show you that. And again, I will show the methods for Ubuntu, because I use Ubuntu for experiments.

So, let's start.

I think by now we all know how to set up Linux firewalls using iptables (How to configure Linux Firewalls using iptables?).

Firewalls (What is a firewall?) mainly inspect all incoming and outgoing IP packets and accept or reject them based on predefined rules.

In fact, using Linux iptables, we can easily change the source IP of our outgoing packets. iptables gives us this option because it is very useful for network testing, diagnostics and security penetration testing.

We need to execute a single command, with root permissions, to do that.

# sudo iptables -t nat -A POSTROUTING -p icmp -j SNAT --to-source

This rule says that for packets using the ICMP protocol, the source IP address will be changed to the address given after --to-source. The rule is applied to outgoing packets after they have completed the routing procedure in the machine and are about to be sent out.

Now, before executing the command, I had listed all the IP addresses present in my local network using the command 'arp-scan'.

# sudo arp-scan --interface=eth1 --localnet
Interface: eth1, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.8.1 with 256 hosts (
	48:8f:b3:63:20:a5	(Unknown)
	07:63:97:c8:f1:c5	(Unknown)
	00:1f:3a:bc:7b:58	Pr_Bc
	cf:4b:63:7f:04:84	(Unknown)
	cd:c5:eb:68:22:4b	(Unknown)
5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.8.1: 256 hosts scanned in 1.289 seconds (198.60 hosts/sec). 5 responded

So, the IP address I used as the spoofed source does not exist on this network.

Now, I open the machine and type:

# ping

Can you guess what should be the outcome of this ping?

No reply, because this IP address does not exist at all. The destination machine will receive the ping message and make an ARP query to find out the hardware MAC address of that source IP. But it will get no reply to that query and so won't be able to respond to the pings. As a result, the source machine will get no reply at all.

Let's do something different now. Let's delete this iptables rule and execute some different commands.

# sudo iptables -t nat -D POSTROUTING -p icmp -j SNAT --to-source
# sudo iptables -t nat -A POSTROUTING -p icmp -j SNAT --to-source

So, we have deleted the previous rule from the machine and added a new rule, so that the source IP address of all outgoing ICMP packets is now set to the new --to-source address.

Now, I execute the ping command on the machine where I changed the iptables rules.

# ping

Will we get any reply now?

Well, no, because we have pinged the machine with a forged source IP address. The pinged machine does not know that the source IP address of the packets is forged, so it sends its replies to the forged address.

In fact, if I do the same steps from multiple machines, change the source IP address of all their outgoing ICMP packets to the same forged address and ping different machines, all those machines will send their replies to that one address and eat up its bandwidth, causing a Denial of Service (DoS) for that machine. Does it remind us of Ping Flood? (What is Ping Flood?)

Now, the most vital question comes to mind:

Is it possible for the pinged machine to tell that the ping messages it received were spoofed?

Let's try.

We open Wireshark from a terminal.

# sudo wireshark

A window similar to the one below will appear.

Click on the interface you want to listen on; in my case it is eth1. Then click on any ICMP message coming from the spoofed source IP address.

If we expand Ethernet II, we see that the source MAC address is 00:1f:3a:bc:7b:58.

But from the 'arp-scan' output we saw that the machine which really owns this IP address has MAC address cf:4b:63:7f:04:84, which is an anomaly.

You can confirm the same with tcpdump (run it with -e so that it prints the Ethernet header along with each packet).

So, if the attacker forges the source IP address of his packets to be the IP address of some machine within the victim's local network, the victim can verify and find that out.

But if the forged address is not within the local network, it is very difficult to find that out this way, because every packet from outside arrives with the gateway's MAC address rather than the sender's. Configuring a strong firewall is always the best option, for example one that drops incoming packets whose source address claims to be from your own internal ranges.
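As an added example (not the author's code), the MAC-versus-ARP-table check described above, scripted in Python over constructed arp-scan and tcpdump -e lines; the LAN 192.0.2.0/24, the IP addresses and every MAC not taken from the page are assumed. It also marks sources from outside the LAN as unverifiable, which is the limitation noted in the previous paragraph.

```python
import ipaddress
import re

# Constructed sample of 'arp-scan --localnet' result lines (addresses are made up).
ARP_SCAN = """\
192.0.2.11\t48:8f:b3:63:20:a5\t(Unknown)
192.0.2.12\t00:1f:3a:bc:7b:58\tPr_Bc
192.0.2.13\tcf:4b:63:7f:04:84\t(Unknown)
"""
# Constructed sample of 'tcpdump -e -n icmp' output; -e prints the Ethernet header.
CAPTURE = """\
12:00:01.000000 00:1f:3a:bc:7b:58 > cd:c5:eb:68:22:4b, ethertype IPv4 (0x0800), length 98: 192.0.2.13 > 192.0.2.20: ICMP echo request, id 1, seq 1, length 64
12:00:02.000000 cf:4b:63:7f:04:84 > cd:c5:eb:68:22:4b, ethertype IPv4 (0x0800), length 98: 192.0.2.13 > 192.0.2.20: ICMP echo request, id 2, seq 1, length 64
12:00:03.000000 aa:bb:cc:dd:ee:01 > cd:c5:eb:68:22:4b, ethertype IPv4 (0x0800), length 98: 203.0.113.5 > 192.0.2.20: ICMP echo request, id 3, seq 1, length 64
12:00:04.000000 00:1f:3a:bc:7b:58 > cd:c5:eb:68:22:4b, ethertype IPv4 (0x0800), length 98: 192.0.2.99 > 192.0.2.20: ICMP echo request, id 4, seq 1, length 64
"""
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed LAN of the monitored host
# Source MAC and source IP of one ICMP line in tcpdump -e format.
TCPDUMP_RE = re.compile(r"^\S+ (?P<smac>[0-9a-f:]{17}) > [0-9a-f:]{17}, .*?: (?P<sip>[\d.]+) > [\d.]+: ICMP")

def parse_arp_scan(text):
    """Build the IP -> MAC table from arp-scan's tab-separated result lines."""
    table = {}
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) >= 2 and parts[1].count(":") == 5:
            table[parts[0]] = parts[1].lower()
    return table

def check_icmp_sources(capture, arp_table, local_net):
    """Return (src_ip, src_mac, verdict) for every ICMP line in the capture."""
    results = []
    for line in capture.splitlines():
        m = TCPDUMP_RE.match(line)
        if not m:
            continue
        sip, smac = m.group("sip"), m.group("smac").lower()
        if ipaddress.ip_address(sip) not in local_net:
            verdict = "unverifiable"  # from outside: the MAC is the gateway's, not the sender's
        elif sip not in arp_table:
            verdict = "unknown-host"  # claims a local IP that answered no ARP probe
        elif arp_table[sip] != smac:
            verdict = "spoofed"  # local IP but another host's MAC: the anomaly seen in Wireshark
        else:
            verdict = "ok"
        results.append((sip, smac, verdict))
    return results

if __name__ == "__main__":
    print(*check_icmp_sources(CAPTURE, parse_arp_scan(ARP_SCAN), LOCAL_NET), sep="\n")
```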

So, in this article, I wanted to show you how easily IP address spoofing can be done. If you think it has helped you anywhere in thinking about safeguarding your system, I think my job is done.

So, stay safe, stay protected!
