← Lessons

quiz vs the machine

Gold1440

Networking

IP Spoofing Prevention

Stopping packets that lie about where they came from.

5 min read · core · beat Gold to climb

Forged Source Addresses

IP spoofing is forging the source address of a packet. Because routers forward based on destination, a lying source field often travels freely. Spoofing enables reflection attacks, hides attackers, and can bypass naive address based trust.

Ingress And Egress Filtering

The most effective fix is filtering near the edge.

  • Egress filtering means a network only lets out packets whose source belongs to its own address ranges.
  • Ingress filtering means a provider drops incoming packets that claim a source which could not legitimately come from that direction.

If every network filtered its outbound traffic, most spoofing would vanish. The challenge is that it protects others, not the filtering network itself, so adoption lags.

Reverse Path Checks

Routers can automate this with a reverse path forwarding check.

  • For an arriving packet, the router asks whether it would route a reply back out the same interface the packet came in on.
  • If not, the source is suspicious and the packet is dropped.

Why Trust By Address Is Weak

Because addresses can be forged, never grant access purely on source IP. Use cryptographic authentication so a forged address alone proves nothing.

Key idea

IP spoofing forges source addresses, and the strongest defenses are egress and ingress filtering plus reverse path checks at network edges, while cryptographic authentication removes any reliance on address based trust.

Check yourself

Answer to earn rating on the learn ladder.

1. What is egress filtering?

2. How does a reverse path forwarding check spot spoofing?

3. Why is source IP a weak basis for trust?