15

This is a corollary to the question Why don't ISPs filter on source address to prevent spoofing?.

Are there valid reasons to spoof an address?

Steve
  • 1
    I would take a look at the question what-security-risks-does-ip-spoofing-bring. I feel these questions are very similar, if not duplicate? – Chris Dale Dec 09 '10 at 15:37
  • I think this question is different than your question. At first glance I only see risks; I'd like to know how a Corporate IT environment can benefit from IP address spoofing. Link: http://security.stackexchange.com/questions/1009/what-security-risks-does-ip-spoofing-bring – makerofthings7 Dec 09 '10 at 15:40
  • 2
    The two could easily meet in the middle, but the origins are different enough that the answers could be interesting. – Scott Pack Dec 09 '10 at 15:51

3 Answers

7

I found an article here which describes some legit examples for spoofing IP:

  • In mobile IP environments, where a roaming host must use a "home" IP address in a foreign network (ref. C. Perkins, "IP Mobility Support for IPv4")
  • Virtual private networks that set the host IP to an address local to the organization's network
Chris Dale
  • 1
    I updated the answer and added the old as a comment :) – Chris Dale Dec 09 '10 at 15:49
  • 2
    I don't see enough real-world justification for spoofing yet, and still don't think the need outweighs the risks involved. I hope more people post more details on how an application uses spoofing, and why those relying apps can't be upgraded to use something higher in the OSI stack. – makerofthings7 Dec 09 '10 at 23:56
  • which VPN do that? – curiousguy Jun 25 '12 at 19:38
  • If I'm not mistaken, listening for and responding to Anycast addresses might be considered spoofing as it appears that an otherwise unique address is present on two sides of a router – freddyb Oct 05 '12 at 20:06
5

Mobile IP networks are not really a justification for spoofing. RFC 2344 Reverse Tunneling provides an answer to allow Mobile IP to work with ingress filtering / antispoofing protection.

I'm not sure of current recommendations but old (2000) RFCs like RFC 3013 ISP recommendations recommend ingress and egress filtering to stop spoofing.

I don't think there is a real legitimate reason for spoofing on the public internet. Occasionally, private intranets might have a reason, just like they have a reason to do arp-proxying (a router masquerades as a host and forwards the packets) sometimes.

Bradley Kreider
  • "_Mobile IP networks are not really a justification for spoofing. RFC 2344 Reverse Tunneling provides an answer to allow Mobile IP to work with ingress filtering / antispoofing protection._" An answer for antispoofing hardly makes spoofing not justified. – curiousguy Jun 25 '12 at 19:40
  • Huh? Mobile IP was put forth as a justification for spoofing, but the justification doesn't exist because there are ways to do mobile IP without spoofing. – Bradley Kreider Jun 27 '12 at 19:42
  • "_Mobile IP was put forth as a justification for spoofing_" yes, and it is a valid justification. "_there are ways to do mobile IP without spoofing_" so? – curiousguy Jun 27 '12 at 19:43
  • What are you confused about? – Bradley Kreider Jun 27 '12 at 19:48
  • What constitutes a "justification" for something? – curiousguy Jun 27 '12 at 20:19
  • I will answer myself: **a justification is a legitimate reason to do something.** A legitimate reason is one that serves a legitimate goal. **Mobility is a legitimate goal**, so "spoofing" (not really spoofing actually, since this is really our IP address) for mobility **is a legitimate reason**. IOW it makes "IP spoofing" legitimate. **The fact that mobility can be done by other means is not relevant in any way as we try to determine if "spoofing" is legitimate.** – curiousguy Jun 29 '12 at 15:58
  • @curiousguy - once again: please refrain from being deliberately argumentative or abusive. If you continue there are various penalties which will be applied, including timeouts. – Rory Alsop Jun 29 '12 at 18:35
  • @RoryAlsop I was just explaining my reasoning. I assure you I am not "deliberately abusive", but I "deliberately" try to bring arguments. Lately, *others* have sent me abusive comments, and I have **tried** to reply calmly, but it's difficult to find the right tone. – curiousguy Jun 29 '12 at 19:06
  • Okay - in general what the mods try to do is just get rid of comments or bits of comments which seem to be deliberately trolling or argumentative, or are abusive, so you will see I have been selectively editing and deleting comments in this and other comment threads. Basically, comments in Stack Exchange aren't a place to have conversations - they are solely for clarifications. All conversations should be held in chat. – Rory Alsop Jun 29 '12 at 20:07
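
The interaction between ingress filtering and Mobile IP discussed in this answer can be modelled in a few lines. This is an added example, not part of the original answer or its comments: it shows a roaming host's packet with its home address as source failing an edge filter on the foreign network, while the same packet sent through a reverse tunnel (outer source is the care-of address) passes. All addresses, names and the simplified filter are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed topology using documentation prefixes; none of it is from the page.
HOME_NET = ipaddress.ip_network("192.0.2.0/24")        # mobile node's home network
FOREIGN_NET = ipaddress.ip_network("198.51.100.0/24")  # network it is visiting
HOME_ADDR = ipaddress.ip_address("192.0.2.10")         # home address kept while roaming
CARE_OF = ipaddress.ip_address("198.51.100.77")        # care-of address on foreign net
HOME_AGENT = ipaddress.ip_address("192.0.2.1")
SERVER = ipaddress.ip_address("203.0.113.5")           # correspondent host


@dataclass
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    inner: Optional["Packet"] = None  # set for an IP-in-IP tunnel packet


def ingress_permits(pkt, attached_prefixes):
    """Edge filter: forward only if the outer source belongs to the attached network."""
    return any(pkt.src in net for net in attached_prefixes)


def reverse_tunnel(pkt):
    """Wrap the packet so the outer header runs care-of address -> home agent."""
    return Packet(CARE_OF, HOME_AGENT, inner=pkt)


def home_agent_decapsulate(pkt):
    """Home agent strips the outer header and forwards the inner packet."""
    if pkt.dst != HOME_AGENT or pkt.inner is None:
        raise ValueError("not a tunnel packet for this home agent")
    return pkt.inner


def evaluate():
    direct = Packet(HOME_ADDR, SERVER)   # home address used as source on foreign net
    tunneled = reverse_tunnel(direct)
    delivered = home_agent_decapsulate(tunneled)
    return {
        "direct_passes_foreign_edge": ingress_permits(direct, [FOREIGN_NET]),
        "tunnel_passes_foreign_edge": ingress_permits(tunneled, [FOREIGN_NET]),
        "inner_passes_home_edge": ingress_permits(delivered, [HOME_NET]),
        "source_seen_by_server": str(delivered.src),
    }


if __name__ == "__main__":
    print(evaluate())
```

The correspondent host still sees the home address as the source, but every filter along the way only ever sees a source that belongs to the network the packet entered from.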
2

One possible usage scenario is a corporate internet filtering environment which is not configured inline (that is between the internet and users) but monitors traffic off a network SPAN/TAP.

In this scenario, when a user visits a site the web filtering environment has listed on a block list, the web filtering application may spoof the source IP of the web server and send a TCP reset packet back to the client, web server, or both, to kill the connection.

Websense web filtering products can operate in this way, for example.

lew
  • oh. That's pretty nasty. I can see people just constantly hitting refresh and being frustrated as to why the internet doesn't work. – Bradley Kreider Jun 27 '12 at 19:43
  • Typically you would only block certain sites, otherwise you would just block web access for those users completely on a firewall/router. Most web filtering products will serve a block page as well, so the user gets some feedback. Also, if it only sends the RST back to the user, you should be able to drop those packets using a host-based firewall which can bypass the block. – lew Jun 28 '12 at 06:20
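
When troubleshooting connections that die unexpectedly, a reset injected by an out-of-band device like the one described in this answer can often be told apart from a reset sent by the real server, because it usually arrives with a different IP TTL than the server's other packets. The sketch below is an added example, not part of the original answer or comments: the TTL comparison is a heuristic assumed here, and the packet records, addresses and tolerance are constructed for illustration.

```python
from collections import defaultdict

# Constructed records as seen at the client: (src, dst, sport, dport, tcp_flags, ip_ttl)
PACKETS = [
    ("203.0.113.5", "10.0.0.20", 80, 51000, "SA", 52),
    ("203.0.113.5", "10.0.0.20", 80, 51000, "A", 52),
    ("203.0.113.5", "10.0.0.20", 80, 51000, "R", 126),   # TTL unlike the rest of the flow
    ("203.0.113.9", "10.0.0.20", 443, 51001, "SA", 49),
    ("203.0.113.9", "10.0.0.20", 443, 51001, "PA", 49),
    ("203.0.113.9", "10.0.0.20", 443, 51001, "R", 49),   # consistent with the server
    ("203.0.113.7", "10.0.0.20", 80, 51002, "R", 60),    # no baseline, cannot be judged
]


def suspicious_resets(packets, tolerance=2):
    """Flag RSTs whose TTL differs from every earlier packet of the same flow.

    tolerance allows for small path changes; it is an assumed value.
    """
    baseline = defaultdict(list)   # flow -> TTLs of non-RST packets seen so far
    flagged = []
    for src, dst, sport, dport, flags, ttl in packets:
        flow = (src, dst, sport, dport)
        if "R" in flags:
            seen = baseline[flow]
            if seen and all(abs(ttl - t) > tolerance for t in seen):
                flagged.append({"flow": flow, "rst_ttl": ttl,
                                "flow_ttls": sorted(set(seen))})
        else:
            baseline[flow].append(ttl)
    return flagged


if __name__ == "__main__":
    for hit in suspicious_resets(PACKETS):
        print(hit)
```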