As stated by many others, IP headers are trivial to forge, as long as one doesn't care about receiving a response. This is why it is mostly seen with UDP, as TCP requires a 3-way handshake. One notable exception is the SYN flood, which uses TCP and attempts to tie up resources on a receiving host; again, as the replies are discarded, the source address does not matter.
A particularly nasty side-effect of the ability of attackers to spoof source addresses is a backscatter attack. There is an excellent description here, but briefly, it is the inverse of a traditional DDoS attack:
1. Gain control of a botnet.
2. Configure all your nodes to use the same source IP address for malicious packets. This IP address will be your eventual victim.
3. Send packets from all of your controlled nodes to various addresses across the internet, targeting ports that generally are not open, or connecting to valid ports (TCP/80) claiming to be part of an already existing transaction.
In either of the cases mentioned in (3), many hosts will respond with an ICMP unreachable or a TCP reset, targeted at the source address of the malicious packet. The attacker now has potentially thousands of uncompromised machines on the network performing a DDoS attack on his/her chosen victim, all through the use of a spoofed source IP address.
In terms of mitigation, this risk is really one that only ISPs (and particularly ISPs providing customer access, rather than transit) can address. There are two main methods of doing this:
- Ingress filtering - ensuring packets coming in to your network are sourced from address ranges that live on the far side of the incoming interface. Many router vendors implement features such as unicast reverse path forwarding, which use the router's routing and forwarding tables to verify that the next hop of the source address of an incoming packet is the incoming interface. This is best performed at the first layer 3 hop in the network (i.e. your default gateway.)
- Egress filtering - ensuring that packets leaving your network only source from address ranges you own. This is the natural complement to ingress filtering, and is essentially part of being a 'good neighbor'; ensuring that even if your network is compromised by malicious traffic, that traffic is not forwarded to networks you peer with.
Both of these techniques are most effective and easily implemented when done so in 'edge' or 'access' networks, where clients interface with the provider. Implementing ingress/egress filtering above the access layer becomes more difficult, due to the complexities of multiple paths and asymmetric routing.
I have seen these techniques (particularly ingress filtering) used to great effect within an enterprise network. Perhaps someone with more service provider experience can give more insight into the challenges of deploying ingress/egress filtering on the internet at large. I imagine hardware/firmware support to be a big challenge, as well as being unable to force upstream providers in other countries to implement similar policies...
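To make the ingress (strict unicast RPF) and egress checks from the answer above concrete, here is an added example that is not part of the original answer: a small model of an access router's forwarding table with a longest-prefix lookup, a strict-uRPF decision for incoming packets, and an egress check for outgoing ones. The interface names, the forwarding table and the owned prefixes are constructed for illustration (documentation ranges), and the default-route handling mirrors the common router behaviour of ignoring the default route for uRPF unless explicitly allowed.

```python
import ipaddress

# Constructed forwarding table for a hypothetical access router:
# prefix -> interface through which that prefix is reached.
# eth0/eth2 face customer blocks, eth1 is the upstream (default) interface.
FIB = {
    ipaddress.ip_network("0.0.0.0/0"): "eth1",        # default route, upstream
    ipaddress.ip_network("203.0.113.0/24"): "eth0",   # customer block A
    ipaddress.ip_network("198.51.100.0/24"): "eth2",  # customer block B
}

# Prefixes this network owns; egress filtering lets only these leave.
OWNED = [ipaddress.ip_network("203.0.113.0/24"),
         ipaddress.ip_network("198.51.100.0/24")]

DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def lookup(fib, addr):
    """Longest-prefix match: return (prefix, interface) the FIB would use
    to reach 'addr', or None if nothing matches."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, iface in fib.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict_accept(fib, src, in_iface, allow_default=False):
    """Strict uRPF ingress check: accept the packet only if the reverse path
    to its source address leaves via the interface it arrived on.
    A match on the default route is rejected unless allow_default is set,
    which is why strict uRPF is meaningful on customer-facing ports but
    not on an upstream port that only holds a default route."""
    route = lookup(fib, src)
    if route is None:
        return False
    net, iface = route
    if net == DEFAULT and not allow_default:
        return False
    return iface == in_iface


def egress_accept(owned, src):
    """Egress check: a packet may leave only if its source is in a prefix we own."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in owned)
```

A spoofed packet with a source from block B arriving on eth0 fails the ingress check even though the address is "ours", because the reverse path points at eth2; a source outside both blocks fails egress regardless of which port it arrived on.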