IP spoofing is an attack in which an attacker impersonates another user's IP address. It involves spoofing a Transmission Control Protocol (TCP) connection, since IP addresses are carried in the packets of a TCP connection. When two hosts want to establish a TCP session, they must synchronize their connection using a TCP mechanism called the "3-way handshake". This mechanism is composed of three phases:
- The first packet, with flag SYN, is sent by the client to the server.
- The server responds with a SYN-ACK packet.
- Finally, the client sends an ACK packet to conclude the 3-way handshake.
In the output of this TCP connection, it is possible to see two long numbers: the sequence number and the acknowledgment number. These values are 32 bits in size, and modern operating systems generate them randomly every time a new connection is started. During the session, these numbers are incremented by the number of bytes transmitted. So, for example, if the client sends 6 bytes of data to the server, the acknowledgment number (for example, 1779314099) is calculated from the sequence number of the client plus the number of bytes received (1779314093 + 6). Conversely, if the client now wants to send more data, it must use 1779314099 as its sequence number (the number that the server now expects).
In the past, IP spoofing was a suitable technique to impersonate a different IP address and defeat security systems (such as firewalls). With the randomization of session numbers, an attacker trying to conduct a remote IP spoofing attack must predict the 32-bit number that the server sends in the middle of the 3-way handshake (in the SYN-ACK packet) and that the final ACK has to acknowledge. Assuming that the size of a minimal TCP ACK packet (to conclude the handshake) is 54 bytes, and that the number is (on average) predicted correctly after 2^32/2 = 2147483648 attempts, the total amount of data the attacker must send is 54 × 2147483648 bytes, which would be 108 Gigabytes of data.
This is clearly not feasible, since the server treats the 3-way handshake as invalid after a short timeout. At present, the only possible way to conduct an IP spoofing attack is to have access to the sequence numbers sent by the legitimate client.
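
The sequence and acknowledgment arithmetic and the cost estimate above, as an added Python example that is not part of the original article. `ToyServer`, `seq_add` and `blind_guess_cost` are hypothetical names, the initial sequence numbers are constructed, and the model only tracks state (no packets are sent).

```python
import secrets

MOD = 2 ** 32  # sequence and acknowledgment numbers are 32 bits wide and wrap

def seq_add(seq, n):
    """Advance a 32-bit sequence number by n (bytes sent, or 1 for a SYN)."""
    return (seq + n) % MOD

class ToyServer:
    """Server side of the handshake as a state model; no packets are sent."""
    def __init__(self, isn=None):
        # Random initial sequence number unless a constructed one is supplied.
        self.isn = secrets.randbelow(MOD) if isn is None else isn
        self.expected_seq = None   # next sequence number expected from the client
        self.established = False

    def on_syn(self, client_isn):
        # The SYN consumes one sequence number; answer with a SYN-ACK.
        self.expected_seq = seq_add(client_isn, 1)
        return {"flags": "SYN-ACK", "seq": self.isn, "ack": self.expected_seq}

    def on_ack(self, seq, ack):
        # The final ACK is accepted only if it acknowledges the server's number + 1.
        if seq == self.expected_seq and ack == seq_add(self.isn, 1):
            self.established = True
        return self.established

    def on_data(self, seq, payload):
        # Data is accepted only in sequence; the reply acknowledges seq + len(payload).
        if not self.established or seq != self.expected_seq:
            return None
        self.expected_seq = seq_add(seq, len(payload))
        return self.expected_seq

def blind_guess_cost(ack_packet_bytes=54):
    """Expected attempts and traffic to hit one 32-bit value without seeing it."""
    attempts = MOD // 2
    total_bytes = attempts * ack_packet_bytes
    return attempts, total_bytes, total_bytes / 2 ** 30

if __name__ == "__main__":
    server = ToyServer(isn=4294967295)            # constructed value, forces a wrap
    synack = server.on_syn(1779314092)            # constructed client ISN
    print(synack)                                 # ack is 1779314093
    print(server.on_ack(1779314093, 12345))       # sender never saw the SYN-ACK
    print(server.on_ack(1779314093, seq_add(synack["seq"], 1)))
    print(server.on_data(1779314093, b"6bytes"))  # 1779314093 + 6
    print(blind_guess_cost())
```

The last value returned by `blind_guess_cost` divides by 2^30, which is the unit in which 54 × 2147483648 bytes comes to the article's figure of 108.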