What is IP spoofing?

Spoofed IP packets with forged source addresses are often used in attacks to avoid detection.

Learning objectives

After reading this article you will be able to:

  • Define IP spoofing
  • Describe how IP spoofing is used in DDoS attacks
  • Describe one way to protect against IP spoofing


What is IP spoofing?

IP spoofing is the creation of Internet Protocol (IP) packets with a modified source address in order to hide the identity of the sender, to impersonate another computer system, or both. Malicious actors commonly use this technique to launch DDoS attacks against a target device or its surrounding infrastructure.

Sending and receiving IP packets is the primary way that networked computers and other devices communicate, and it forms the basis of the modern Internet. Every IP packet carries a header that precedes the packet body and contains important routing information, including the source address. In a normal packet, the source IP address is the address of the packet's sender. If the packet has been spoofed, the source address is forged.

IP spoofing in DDoS attacks

IP spoofing is analogous to an attacker sending someone a package with the wrong return address listed. If the recipient wants to stop the sender from sending packages, blocking everything from the forged address does little good, because the return address is easily changed. Relatedly, if the recipient wants to reply to the return address, the reply will go somewhere other than the real sender. The ability to spoof packet addresses is a core vulnerability exploited by many DDoS attacks.

DDoS attacks often use spoofing to overwhelm a target with traffic while masking the identity of the malicious source, which hinders mitigation efforts. If the source IP address is forged and continuously randomized, blocking the malicious requests becomes difficult. IP spoofing also makes it hard for law enforcement and cyber-security teams to track down the perpetrator of an attack.

Spoofing is also used to masquerade as another device so that responses are sent to that targeted device instead. Volumetric attacks such as NTP Amplification and DNS amplification make use of this vulnerability. The ability to modify the source IP is inherent to the design of TCP/IP, making it an ongoing security concern.

Unrelated to DDoS attacks, spoofing can also be done with the aim of masquerading as another device in order to bypass authentication and gain access to, or "hijack", a user's session.

How to protect against IP spoofing (packet filtering)

While IP spoofing can’t be prevented, measures can be taken to stop spoofed packets from infiltrating a network. A very common defense against spoofing is ingress filtering, outlined in BCP38 (a Best Common Practice document). Ingress filtering is a form of packet filtering usually implemented on a network edge device which examines incoming IP packets and looks at their source headers. If the source headers on those packets don’t match their origin or they otherwise look fishy, the packets are rejected. Some networks will also implement egress filtering, which looks at IP packets exiting the network, ensuring that those packets have legitimate source headers to prevent someone within the network from launching an outbound malicious attack using IP spoofing.
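As an added example (not code from the original article), the following Python sketches the ingress and egress checks described above: it reads the source address out of a raw IPv4 header and applies BCP38-style rules for a hypothetical edge router that owns the documentation prefix 203.0.113.0/24. The prefixes, bogon list and sample packets are constructed for illustration.

```python
import ipaddress
import struct

# Prefixes the hypothetical edge router owns. A packet arriving from the
# Internet should never claim one of these as its source. (Constructed.)
INTERNAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
# A small subset of sources that are never valid on the public Internet.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in
                  ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
                   "172.16.0.0/12", "192.168.0.0/16")]

def source_address(packet: bytes) -> ipaddress.IPv4Address:
    """Extract the source address from a raw IPv4 header (bytes 12..15)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return ipaddress.IPv4Address(packet[12:16])

def _in_any(addr, prefixes):
    return any(addr in p for p in prefixes)

def ingress_allowed(packet: bytes) -> bool:
    """BCP38-style ingress check for a packet arriving from the Internet:
    reject it if it claims an internal source or a bogon source."""
    src = source_address(packet)
    return not (_in_any(src, INTERNAL_PREFIXES) or _in_any(src, BOGON_PREFIXES))

def egress_allowed(packet: bytes) -> bool:
    """Egress check for a packet leaving toward the Internet:
    allow only sources inside the prefixes this network actually owns."""
    return _in_any(source_address(packet), INTERNAL_PREFIXES)

def build_ipv4_header(src: str, dst: str) -> bytes:
    """Construct a minimal 20-byte IPv4 header (checksum left zero) for testing."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20, 0, 0, 64, 17, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

if __name__ == "__main__":
    # Constructed samples: a legitimate inbound packet, an inbound packet
    # spoofing our own prefix, and an outbound packet with a forged private source.
    legit_in = build_ipv4_header("198.51.100.7", "203.0.113.10")
    spoofed_in = build_ipv4_header("203.0.113.5", "203.0.113.10")
    spoofed_out = build_ipv4_header("10.1.2.3", "198.51.100.7")
    print(ingress_allowed(legit_in))    # True
    print(ingress_allowed(spoofed_in))  # False
    print(egress_allowed(spoofed_out))  # False
```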