Whenever DDoS comes up, spoofing almost always comes up with it.
In this post I will try to answer a few questions about spoofing and about the DDoS attacks that are carried out with it.
First of all, what is spoofing?
Spoofing, in this context, is forging the source address in the IP header of a packet you send. It means that a server can emit a packet whose source IP address does not belong to the server, or even to the network the server sits in. Nothing in the IP header authenticates that field: the receiver, and any reply it sends, simply trusts what is written there.
How is spoofing used in DDoS attacks?
In the last two years we've seen IP header forgery used in DDoS attacks more and more, instead of floods sent straight from botnets or compromised shells. These attacks abuse UDP based services (DNS, NTP, SSDP, SNMP, CharGen, the MSSQL browser service on UDP/1434 and others) to "amplify" the attack. UDP needs no handshake, so a request with a forged source is answered without question. The attacker floods requests towards servers that expose one of these services on its well-known port, with the source IP set to the actual target, so every server replies (usually with a far bigger response than the request) to the victim instead of to the server that is actually carrying out the attack. The victim therefore sees a flood of large, legitimate-looking responses from many real servers, none of which is the attacker.
How to spoof?
On most servers the operating system will happily write any source address into a raw socket, but the hosting network enforces the real one: the provider's edge routers or firewall drop any outbound packet whose source address is not part of the prefixes assigned to that network (egress filtering, described in BCP 38). If the network does that, there is nothing that can be done software-wise on the server to get a forged packet past it. Amplification attacks therefore depend on the minority of networks that never implemented this filtering.
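As an added example (not code from the original post), here is what "modifying the IP header" amounts to in practice, and why an edge filter stops it. The Python below builds a DNS query inside a UDP/IPv4 datagram with whatever source address the caller chooses, parses it back the way a receiver or reflector would (showing that the headers carry no proof of where the packet came from), and then applies the BCP 38 style egress check a hosting network applies: a packet whose source is not in the network's own prefixes is dropped. All addresses are RFC 5737 documentation addresses, the network prefix 203.0.113.0/24 is an assumption, and nothing is sent on the wire.

```python
import ipaddress
import struct

# Added example, not code from the original post. Builds a datagram with a caller-chosen
# source address and applies a BCP 38 style egress check; nothing is sent on the wire.


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by the IPv4 and UDP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_dns_query(name: str, qtype: int = 255) -> bytes:
    """Minimal DNS query: ID 0x1234, RD set, one question. qtype 255 (ANY) is the classic amplification query."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def build_udp_ipv4(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """IPv4 + UDP datagram. `src` is whatever the caller writes: the header carries no proof of origin."""
    src_b = ipaddress.IPv4Address(src).packed
    dst_b = ipaddress.IPv4Address(dst).packed
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 17, udp_len)  # UDP pseudo-header, protocol 17
    udp_csum = checksum(pseudo + udp) or 0xFFFF                    # 0 would mean "no checksum" in UDP
    udp = udp[:6] + struct.pack("!H", udp_csum) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0x4000, 64, 17, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + udp


def inspect(packet: bytes) -> dict:
    """What a receiver or reflector learns from the headers: addresses, ports, checksum validity. Nothing more."""
    ihl = (packet[0] & 0x0F) * 4
    udp = packet[ihl:]
    pseudo = packet[12:16] + packet[16:20] + struct.pack("!BBH", 0, 17, len(udp))
    return {
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
        "sport": struct.unpack("!H", udp[0:2])[0],
        "dport": struct.unpack("!H", udp[2:4])[0],
        "ip_checksum_ok": checksum(packet[:ihl]) == 0,
        "udp_checksum_ok": checksum(pseudo + udp) == 0,
    }


def egress_filter(packet: bytes, own_prefixes) -> str:
    """BCP 38 check at the network edge: pass only packets whose source lies in one of our own prefixes."""
    src = ipaddress.IPv4Address(inspect(packet)["src"])
    return "pass" if any(src in ipaddress.ip_network(p) for p in own_prefixes) else "drop"


if __name__ == "__main__":
    # Constructed scenario, RFC 5737 addresses: the attacker's server sits in 203.0.113.0/24 (assumed
    # prefix of its hosting network), the victim is 198.51.100.10, the open resolver is 192.0.2.53.
    query = build_dns_query("example.com")
    spoofed = build_udp_ipv4("198.51.100.10", "192.0.2.53", 40000, 53, query)
    honest = build_udp_ipv4("203.0.113.7", "192.0.2.53", 40000, 53, query)
    print(inspect(spoofed))                             # the resolver sees 198.51.100.10 and answers there
    print(egress_filter(spoofed, ["203.0.113.0/24"]))   # drop: the source is not one of ours
    print(egress_filter(honest, ["203.0.113.0/24"]))    # pass
```

The resolver in this scenario has no way to tell the two packets apart except by their source field, which is exactly the field the attacker controls; the only place the forgery is detectable is the edge of the network that emitted it, where the source can be compared against the prefixes that network actually owns.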
Can I protect my servers against spoofed attacks?
At the firewall level there is not much that is specific to spoofed, UDP-amplified attacks: by the time the reflected responses reach your firewall they have already crossed your uplink, and saturating that link is the whole point of the attack. If you do not use UDP at all, I would suggest dropping all inbound UDP. If you do need it, limiting connections per source IP helps less than you would hope, because the flood arrives from thousands of real servers, each sending a modest share; dropping inbound traffic from reflector ports you never talk to (unsolicited replies from source port 53, 123, 1900 and so on) is more useful. Beyond that it comes down to good hardware to filter traffic and to what your upstream provider can drop or scrub before it reaches you. Also make sure your own servers cannot be used as reflectors: close open resolvers and any NTP, SSDP or SNMP service that faces the Internet. Overall, there is not much in your hands.
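What you can do is recognise the attack quickly in your own traffic data, which is what the escalation to your upstream provider will need. The following Python is an added example, not code from the original post: it scans constructed per-flow records (the kind a NetFlow or sFlow collector would give you, using RFC 5737 addresses) for the victim-side signature of reflection, namely inbound UDP from reflector ports, with responses far larger than a request, arriving from many distinct sources at once. The reflector port list and the thresholds are assumptions to tune for your site. It also reports the share of the volume carried by the single busiest reflector, which shows why a per-source-IP limit does so little here.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added example, not from the original post: flags reflection/amplification traffic in
# constructed per-flow records as a victim's network would see them.

# Services commonly abused as UDP reflectors, port -> name (assumed list; extend for your site).
REFLECTOR_PORTS = {19: "CharGen", 53: "DNS", 123: "NTP", 161: "SNMP", 1434: "MSSQL-SSRP", 1900: "SSDP"}

# Constructed sample, RFC 5737 addresses. 198.51.100.10 is being hit by DNS and NTP reflectors;
# the last three lines are ordinary traffic (a real resolver reply and an HTTPS flow).
SAMPLE_FLOWS = """\
# proto src           sport  dst            dport  packets  bytes
udp   192.0.2.11      53    198.51.100.10  40101  1200    1800000
udp   192.0.2.12      53    198.51.100.10  40102  1100    1650000
udp   192.0.2.13      53    198.51.100.10  40103  1300    1950000
udp   192.0.2.14      53    198.51.100.10  40104   900    1350000
udp   192.0.2.15     123    198.51.100.10  40105  3000    1440000
udp   192.0.2.16     123    198.51.100.10  40106  2800    1344000
udp   192.0.2.17    1900    198.51.100.10  40107   700     231000
udp   203.0.113.53    53    198.51.100.10  52233     1        120
udp   203.0.113.53    53    198.51.100.20  52234     3        360
tcp   203.0.113.80   443    198.51.100.10  49822    40      28000
"""


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    nbytes: int


def parse_flows(text: str) -> list:
    """Parse the whitespace-separated flow format used by SAMPLE_FLOWS; '#' lines are comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, src, sport, dst, dport, packets, nbytes = line.split()
        flows.append(Flow(proto, src, int(sport), dst, int(dport), int(packets), int(nbytes)))
    return flows


def find_reflection(flows, min_reflectors: int = 5, min_bytes_per_packet: int = 400) -> dict:
    """Per destination: inbound UDP from a reflector port, with packets much larger than a request,
    coming from at least `min_reflectors` distinct sources. Thresholds are assumptions; tune per site."""
    per_dst = defaultdict(lambda: {"reflectors": {}, "services": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f.proto != "udp" or f.sport not in REFLECTOR_PORTS:
            continue
        if f.nbytes / f.packets < min_bytes_per_packet:
            continue  # small replies are ordinary answers to queries we sent ourselves
        s = per_dst[f.dst]
        s["reflectors"][f.src] = s["reflectors"].get(f.src, 0) + f.nbytes
        s["services"].add(REFLECTOR_PORTS[f.sport])
        s["packets"] += f.packets
        s["bytes"] += f.nbytes
    report = {}
    for dst, s in per_dst.items():
        if len(s["reflectors"]) < min_reflectors:
            continue
        report[dst] = {
            "reflectors": len(s["reflectors"]),
            "services": sorted(s["services"]),
            "packets": s["packets"],
            "bytes": s["bytes"],
            # Fraction of the volume from the single busiest reflector. It is small, so a rate
            # limit keyed on source IP removes only a small slice of the flood.
            "largest_reflector_share": round(max(s["reflectors"].values()) / s["bytes"], 3),
        }
    return report


if __name__ == "__main__":
    for dst, r in find_reflection(parse_flows(SAMPLE_FLOWS)).items():
        print(dst, r)
```

On the sample data the only flagged destination is 198.51.100.10, with six reflectors across DNS and NTP; the SSDP flow and the genuine resolver replies fall under the per-packet size threshold and are ignored. The busiest reflector carries about a fifth of the volume, so a per-source limit would leave most of the flood untouched, whereas a rule keyed on destination and reflector source port (or an upstream ACL on the same criteria) catches all of it.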