What is IP spoofing?

攻击中经常用到带有伪造源地址的欺骗性 IP 数据包,其目的在于规避检测。

学习目标

阅读本文后,您将能够:

  • 定义 IP 欺骗
  • 描述如何在 DDoS 攻击中利用 IP 欺骗
  • 描述防范 IP 欺骗的方法

复制文章链接

什么是 IP 欺骗?

IP 欺骗是指创建源地址经过修改的 Internet 协议 (IP) 数据包,目的要么是隐藏发送方的身份,要么是冒充其他计算机系统,或者两者兼具。恶意用户往往采用这项技术对目标设备或周边基础设施发动 DDoS 攻击

发送和接收 IP 数据包既是联网计算机与其他设备开展通信的主要途径,又是现代 Internet 的基础。所有 IP 数据包都包含标头,标头位于数据包主体之前,其中包含大量重要路由信息,包括源地址。在常规数据包中,源 IP 地址是指数据包发送方的地址。如果数据包遭到冒用,势必会伪造源地址。

IP 欺骗 DDoS 攻击

IP 欺骗好比攻击者将数据包发送给返回地址错误的用户。如果该用户在收到数据包后想要阻止发送方发送数据包,那么阻止伪造地址发出的所有数据包将无济于事,因为返回地址很容易更改。由此推断,如果接收方希望对返回地址做出响应,响应数据包也无法送达真实发送方。数据包地址能被伪造成为一个核心漏洞,很多 DDoS 攻击都利用了这个漏洞。

DDoS 攻击通常会利用欺骗技术,其目的在于用流量击垮目标,同时掩饰恶意来源的身份并规避缓解措施。如果源 IP 地址经过篡改并采用连续随机模式,那么恶意请求很难阻止。另外,采用 IP 欺骗技术后,执法部门和网络安全团队很难追踪到攻击行为人。

Spoofing is also used to masquerade as another device so that responses are sent to that targeted device instead. Volumetric attacks such as NTP Amplification and DNS amplification make use of this vulnerability. The ability to modify the source IP is inherent to the design of TCP/IP, making it an ongoing security concern.

哪怕并非用于发动 DDoS 攻击,也可以实施欺骗技术,伪装成其他设备,从而逃避身份验证并获取或“劫持”用户的会话。

如何防范 IP 欺骗(数据包过滤)

While IP spoofing can’t be prevented, measures can be taken to stop spoofed packets from infiltrating a network. A very common defense against spoofing is ingress filtering, outlined in BCP38 (a Best Common Practice document). Ingress filtering is a form of packet filtering usually implemented on a network edge device which examines incoming IP packets and looks at their source headers. If the source headers on those packets don’t match their origin or they otherwise look fishy, the packets are rejected. Some networks will also implement egress filtering, which looks at IP packets exiting the network, ensuring that those packets have legitimate source headers to prevent someone within the network from launching an outbound malicious attack using IP spoofing.