IP headers contain a source address field that the sender fills out. Without cryptographic verification, routers blindly trust this field, allowing attackers to impersonate trusted internal systems or mask their origin.
Spoofing is trivial for stateless protocols like UDP or ICMP. For TCP, it's harder because the attacker cannot see the server's SYN-ACK response (it goes to the spoofed IP), making the three-way handshake difficult to complete without a MITM position.
💡 Pro-tip: Ingress filtering (BCP 38 / RFC 2827) at the ISP edge drops packets claiming to originate from internal IP blocks, effectively killing outbound spoofing.
```python
# Scapy snippet to forge an ICMP packet
from scapy.all import IP, ICMP, send

# The source address is whatever the sender writes into the header
send(IP(src='10.0.0.5', dst='192.168.1.10')/ICMP())
```

This Python script uses Scapy to craft a packet with a forged source IP. If the local router lacks egress filtering, this packet will leave the network.
Strict and Loose Source Routing allowed the sender to dictate the exact path a packet must take through the internet. Attackers used this to bypass firewalls by forcing traffic through compromised intermediate routers.
⚠️ All modern routers drop IP Source Routing options by default. If you find it enabled on legacy hardware, disable it immediately, as it completely bypasses standard routing ACLs.
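The filtering side of both controls above, as an added example that is not part of the original page: it parses a raw IPv4 header with the standard library, validates the source address against the prefixes assigned to the ingress interface (the BCP 38 idea), and drops packets carrying LSRR/SSRR options. The interface names, prefixes and the helpers `build_ipv4`, `forbidden_options` and `verdict` are assumptions made for illustration.

```python
import ipaddress
import struct

# Constructed policy: prefixes legitimately assigned behind each ingress interface.
ALLOWED = {
    "cust0": [ipaddress.ip_network("198.51.100.0/24")],
    "cust1": [ipaddress.ip_network("10.0.0.0/24")],
}
SOURCE_ROUTE_OPTS = {131: "LSRR", 137: "SSRR"}  # IPv4 option types (RFC 791)

def build_ipv4(src, dst, options=b""):
    """Build a minimal IPv4 header (checksum left at 0) as constructed input."""
    options += b"\x00" * (-len(options) % 4)      # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 1, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + options

def forbidden_options(header):
    """Return source-routing (or malformed) options found in the options area."""
    ihl = (header[0] & 0x0F) * 4
    opts, i, found = header[20:ihl], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                             # End of Option List
            break
        if kind == 1:                             # No-Operation is a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            found.append("MALFORMED")             # bad length: fail closed
            break
        if kind in SOURCE_ROUTE_OPTS:
            found.append(SOURCE_ROUTE_OPTS[kind])
        i += opts[i + 1]                          # skip by the option's length
    return found

def verdict(iface, header):
    """Forward or drop, as an edge filter doing source validation would."""
    if len(header) < 20 or header[0] >> 4 != 4:
        return "drop: malformed header"
    bad = forbidden_options(header)
    if bad:
        return "drop: IP option " + ",".join(bad)
    src = ipaddress.ip_address(header[12:16])
    if not any(src in net for net in ALLOWED.get(iface, [])):
        return f"drop: spoofed source {src}"
    return "forward"
```

The same source address `10.0.0.5` is dropped on `cust0` and forwarded on `cust1`: validity depends on which interface the packet arrived on, not on the address alone.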
| Technique | Use Case | Modern Status |
|---|---|---|
| IP Spoofing | DDoS / Anonymity | Mitigated by BCP38 |
| Source Routing | Firewall Bypass | Deprecated / Blocked |
| Smurf Attack | Broadcast Amplification | Blocked by directed broadcast disable |