IP spoofing is the creation of network packets with a falsified source IP address, making them appear to originate from a different system. Attackers use this technique to bypass IP-based access controls, launch denial-of-service attacks, or impersonate trusted hosts. While raw IP spoofing has limitations in modern TCP connections, the concept extends to application-layer spoofing through manipulated HTTP headers.
How It Works
At the network level, an attacker crafts packets with a forged source IP address. This is straightforward for UDP and other connectionless protocols, since there is no handshake to validate the sender. For TCP connections, spoofing is harder because the three-way handshake requires receiving the server's response, which is sent to the forged address rather than to the attacker. When the goal is denial of service, however, the attacker never needs that response. Amplification attacks send small requests, with the victim's address as the forged source, to services that return large responses, flooding the victim with traffic it never asked for.
In web application contexts, IP spoofing more commonly occurs through HTTP header manipulation. Applications that sit behind reverse proxies or load balancers often determine the client's IP from headers like X-Forwarded-For, X-Real-IP, or True-Client-IP. If the application trusts these headers without verifying they come from a legitimate proxy, an attacker can set X-Forwarded-For: 127.0.0.1 and bypass IP-based restrictions that only allow local access.
This affects rate limiting, geographic restrictions, IP-based authentication, and admin panel access controls. An application that restricts its admin interface to internal IP addresses becomes vulnerable when an attacker spoofs the forwarded-for header to an internal address, bypassing the restriction entirely.
Why It Matters
IP-based authentication and authorization are inherently weak because IP addresses can be spoofed or manipulated. Applications should never rely solely on IP address verification for security-critical decisions. When IP information is needed, the application must properly configure trusted proxy chains and validate that forwarded headers come only from known proxy servers.
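The header handling described above (trusting X-Forwarded-For blindly versus accepting it only from known proxies) as an added example; this is illustrative code, not from the original page. The proxy ranges, allow-list and sample addresses are constructed assumptions.

```python
import ipaddress

# Constructed assumptions: the reverse proxies we operate, and the ranges
# an "internal only" admin interface is meant to accept.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
INTERNAL_ALLOWED = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("10.0.0.0/8")]


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def naive_client_ip(remote_addr, headers):
    """Vulnerable pattern: takes the leftmost X-Forwarded-For value from anyone.
    A client controls that value, so 'X-Forwarded-For: 127.0.0.1' is believed."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def trusted_client_ip(remote_addr, headers, trusted=TRUSTED_PROXIES):
    """Hardened pattern: only honour X-Forwarded-For when the TCP peer is a known
    proxy, then walk the chain right-to-left, discarding trusted proxy hops.
    The first untrusted hop is the real client; client-supplied values sit to its
    left and are never reached."""
    peer = ipaddress.ip_address(remote_addr)
    if not _in_any(peer, trusted):
        return remote_addr  # direct connection: the header is untrusted input
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed hop: fall back to the peer, never guess
        if not _in_any(addr, trusted):
            return str(addr)
    # Every hop was one of our proxies (e.g. a health check): the peer is the client.
    return remote_addr


def is_internal(ip):
    """The access-control decision the spoofed header is trying to influence."""
    return _in_any(ipaddress.ip_address(ip), INTERNAL_ALLOWED)
```

With a client behind the proxy sending `X-Forwarded-For: 127.0.0.1`, the proxy appends the client's real address, so the naive resolver grants internal access while the hardened one resolves the client correctly.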
Security assessments test IP-based controls by manipulating forwarding headers and evaluating whether the application correctly validates the source of IP information.