Key takeaways: IP spoofing
On the morning of April 18, 2025, the owner of a gaming site woke up to a nightmare: someone was spoofing his site's IP address. Despite no actual compromise, his IP address was now implicated in DDoS (distributed denial of service) attacks against several reputable universities and cloud providers.
Many of the institutions sent abuse complaints to his hosting provider and to AbuseIPDB, a public database where people report malicious IPs. Upon checking the AbuseIPDB platform, he found no fewer than 97 reports from 59 sysadmins, all describing traffic that didn't exist (at least not from his server).
This was a classic real-world example of IP spoofing, where attackers disguise malicious traffic to appear as if it’s coming from an innocent source IP. If you’re wondering how this type of attack works and if it’s still happening in 2025, we break it down for you below.
What is IP spoofing and how does it work?
Quite simply, IP spoofing works by faking where data is really coming from.
Attackers write a false source IP address into the header of the packets they send, so the traffic appears to come from a trusted or innocent host. Nothing in IPv4 or IPv6 authenticates that field, and routers forward on the destination address alone, so a forged source is carried across the internet unchallenged unless a network on the path filters it. This makes it harder for IT teams to trace attacks back to the real culprits. It also means any replies go to the forged address rather than to the attacker, which shapes how the technique is used.
But what are packet headers? These are simply pieces of information attached to every chunk of data sent across the internet.
Think of packet headers like labels, where every piece of data contains info like source IP address (who sent it), destination IP address (who should receive it), and technical details like TTL (time-to-live) and fragmentation instructions.
TTL is a hop count: every router that forwards the packet decrements it by one and discards the packet when it reaches zero, which prevents endless looping in case of routing errors.
The fragmentation fields (identification, flags, and fragment offset) matter when a packet is too large for a link on the path. They tell the receiving host which original datagram each fragment belongs to, where it fits (the offset, counted in 8-byte units), and whether more fragments follow, so the datagram can be reassembled once all the pieces arrive.
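To make those header fields concrete, here is an added example (not code from the original article) that builds and decodes a raw IPv4 header in Python. The caller chooses the source address freely, which is the whole of IP spoofing; the checksum only proves the header was not corrupted in transit, not that the source is genuine. The addresses are RFC 5737 documentation addresses chosen for illustration.

```python
import socket
import struct

# Added example, not code from the original article. Addresses below are RFC 5737
# documentation addresses chosen for illustration.


def ipv4_checksum(data: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of all 16-bit words,
    complemented. Run over a header that already contains its checksum, the
    result is 0 when the header is intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, *, ttl: int = 64,
                      proto: int = socket.IPPROTO_UDP, ident: int = 0x1234,
                      more_fragments: bool = False, frag_offset: int = 0) -> bytes:
    """Build a 20-byte IPv4 header (no options). `src` is whatever the caller
    writes: the format has no field that proves the packet really came from
    there, which is all IP spoofing is."""
    ver_ihl = (4 << 4) | 5                       # version 4, header length 5 words
    flags = 0b001 if more_fragments else 0b000   # low bit = MF; 0b010 would be DF
    flags_frag = (flags << 13) | (frag_offset & 0x1FFF)  # offset in 8-byte units
    hdr = struct.pack("!BBHHHBBH4s4s",
                      ver_ihl, 0, 20 + payload_len, ident, flags_frag,
                      ttl, proto, 0,                         # checksum placeholder
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fields a router or host reads, and verify the checksum."""
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4,
        "ihl": ihl,
        "total_len": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # byte offset into the original datagram
        "ttl": ttl,
        "proto": proto,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,
    }


if __name__ == "__main__":
    # A packet claiming to come from 203.0.113.7, bound for 198.51.100.20.
    spoofed = build_ipv4_header("203.0.113.7", "198.51.100.20", payload_len=8, ttl=57)
    print(parse_ipv4_header(spoofed))
```

Putting such a header on the wire only needs a raw socket (`socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)` on Linux) and the CAP_NET_RAW privilege; the kernel does not check that the source address belongs to the host. The only things that stop the packet are source-address filters on the path, which is why the filtering discussed later in this article matters.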
In IP spoofing attacks, threat actors often first scan the target network to identify active IP addresses, open ports, and typical traffic patterns. An open port is a listening service that will process whatever packets reach it, including packets whose source address has been forged; the service has no way to tell.
The catch for the attacker is that any reply goes to the forged address, not back to them, so spoofing is most useful where no reply is needed. That is why it is a staple of DDoS attacks: the attacker floods the target's open ports with spoofed packets (for example TCP SYNs or UDP datagrams carrying thousands of different made-up source addresses), exhausting connection tables and bandwidth while making the flood impossible to trace or block by source. In reflection attacks the roles are reversed: the attacker forges the victim's address as the source and sends requests to third-party servers, whose replies then land on the victim. Either way, it is an unfortunately effective method for bringing down entire networks.
And that’s not all.
RDP (Remote Desktop Protocol) ports, which grant access to Windows workstations and servers, can be weaponized not only for DDoS attacks but also for intercepting communications and deploying ransomware. Here’s how:
- DDoS attacks: Attackers can abuse RDP servers that expose port 3389 over UDP to launch powerful reflection/amplification DDoS attacks with an amplification ratio of 85.9:1. The reflecting server itself can be saturated, leading to full disruption of mission-critical remote-access services.
- Intercepting communications: Once an attacker has a foothold via RDP (for example with stolen or guessed credentials), they can intercept, manipulate, or redirect internal communications. This is your classic MitM (man-in-the-middle) attack.
- Deploying ransomware: The attackers can also move laterally within the network and plant ransomware on critical machines, enabling them to lock down systems until their demands for payment are met.
This makes securing RDP a critical priority, especially if you want to prevent DDoS, MitM, and ransomware attacks through this channel.
You can do this easily by configuring LastPass Workstation FIDO2 MFA for RDP access. This ensures that even if an attacker spoofs an IP or holds stolen credentials, they can't log in without the physical device tied to your FIDO2 MFA registration. MFA protects the login, not the reflection vector: RDP should also not be reachable directly from the internet (block UDP/3389 at the edge and put RDP behind a VPN or an RDP gateway), or the service can still be used to amplify spoofed traffic at someone else's expense.
Next, let’s look at how common IP spoofing attacks really are today.
Is IP spoofing common?
Yes, IP spoofing is very much a live threat in 2025.
At the beginning of this article, we talked about a real-world example of IP spoofing.
The gaming site owner’s experience shows IP spoofing isn’t some theoretical concern. Despite new security advances, it remains a dangerous tool in the attacker’s arsenal.
While AbuseIPDB eventually put the site owner’s IP address on a spoof protection “whitelist,” signaling he may be the victim of IP spoofing, it did little to address the damage to the site’s reputation.
So, due to concerns about service disruptions and the negative impact on user trust, he switched to a different hosting provider, quickly rebuilt the site infrastructure, and updated DNS records to point to the new IP address.
Today, the CAIDA Spoofer Project plays a crucial role in shining a light on the problem of IP spoofing.
Here's how it works. Volunteers run the Spoofer client, which tries to send packets with forged source addresses to CAIDA's servers; whether those packets arrive shows whether the networks on the path implement SAV (Source Address Validation). The project reports results from networks across 220 countries.
SAV techniques (BCP 38, and BCP 84 for multihomed networks) are designed to mitigate IP spoofing by filtering packets with forged source addresses at the ingress (entry) and egress (exit) points of a network, so that a forged packet is dropped close to where it was created.
Here's what CAIDA’s research reveals:
- Between 82.69% and 97.83% of CAIDA monitoring locations worldwide have observed at least one traceable route containing Bogon IP addresses.
- Bogon addresses are IPs that should never appear on the internet. They’re either invalid, reserved for private use, or unassigned, which means attackers can weaponize them to hide their identities or bypass filters.
- Over seven (7) years, more than 14,000 unique autonomous systems (ASes) were found transiting Bogon addresses.
- Alarmingly, 62.67% of the ASes transiting Bogon packets marked them as non-spoofable, which reveals Bogon packets are often dismissed as a minor issue, rather than being treated as a critical security vulnerability.
In summary, CAIDA research highlights the incomplete deployment of SAV across the world, which means millions of users remain exposed to IP spoofing risks.
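What BCP 38 / BCP 84 filtering and bogon dropping look like in logic, as an added example (not code from the original article or from CAIDA): a source-address validator for a customer-facing edge, with a strict mode (the source must be routed back through the interface it arrived on) and the loose mode BCP 84 describes for multihomed or asymmetric sites. Interface names, customer prefixes and the log records are constructed; the RFC 5737 documentation nets are deliberately kept out of the bogon list so they can stand in for customer space.

```python
import ipaddress

# Added example, not code from the original article. Interface names, customer
# prefixes and the log records are constructed for illustration.

# Special-purpose IPv4 space that must never be a source on the public internet
# (RFC 1918, RFC 6890). The RFC 5737 documentation nets 192.0.2.0/24,
# 198.51.100.0/24 and 203.0.113.0/24 are deliberately left out so they can stand
# in for "customer" prefixes below; a real deployment includes them and pulls
# unallocated space from a maintained bogon feed.
BOGONS_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def is_bogon(src: str) -> bool:
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in BOGONS_V4)


class SavFilter:
    """Source Address Validation at a network edge.

    prefixes_by_iface maps each customer-facing interface to the prefixes routed
    to that customer. mode="strict" is BCP 38 / strict uRPF: a source must be
    reachable back through the interface it arrived on. mode="loose" is the
    BCP 84 relaxation for multihomed or asymmetric sites: the source only has to
    be reachable through some interface, so unrouted and bogon space is still
    dropped but legitimate asymmetric return paths are not."""

    def __init__(self, prefixes_by_iface: dict, mode: str = "strict"):
        if mode not in ("strict", "loose"):
            raise ValueError(mode)
        self.mode = mode
        self.table = {iface: [ipaddress.ip_network(p) for p in prefixes]
                      for iface, prefixes in prefixes_by_iface.items()}

    def verdict(self, iface: str, src: str) -> str:
        """Return 'drop:bogon', 'drop:spoofed' or 'permit'."""
        if is_bogon(src):
            return "drop:bogon"
        ip = ipaddress.ip_address(src)
        if self.mode == "strict":
            candidates = self.table.get(iface, [])
        else:
            candidates = [n for nets in self.table.values() for n in nets]
        if not any(ip in net for net in candidates):
            return "drop:spoofed"
        return "permit"


def apply_to_log(filt: SavFilter, records) -> dict:
    """Run the filter over 'iface src dst' records and count each verdict."""
    counts = {}
    for line in records:
        iface, src, _dst = line.split()
        v = filt.verdict(iface, src)
        counts[v] = counts.get(v, 0) + 1
    return counts


# Constructed sample: two customer ports. cust-a is routed 203.0.113.0/24,
# cust-b 198.51.100.0/24. The last three records are a flood from cust-a with
# forged sources: a private address, another customer's address, and a
# documentation-only address standing in for an arbitrary public victim.
SAMPLE_RECORDS = [
    "cust-a 203.0.113.44 192.0.2.10",
    "cust-b 198.51.100.9 192.0.2.10",
    "cust-a 10.1.2.3 192.0.2.10",
    "cust-a 198.51.100.200 192.0.2.10",
    "cust-a 192.0.2.77 192.0.2.10",
]

if __name__ == "__main__":
    edge = SavFilter({"cust-a": ["203.0.113.0/24"], "cust-b": ["198.51.100.0/24"]})
    print(apply_to_log(edge, SAMPLE_RECORDS))
```

In strict mode the two forged public sources and the private source are all dropped; in loose mode the packet forged from another customer's range gets through, because that range is routed somewhere on the router. That gap is the price of supporting asymmetric routing, and it is why strict filtering belongs on single-homed customer ports and loose mode is reserved for the cases BCP 84 describes.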
Is IP spoofing illegal?
IP spoofing itself isn’t illegal, especially when used in penetration testing and ethical security research:
- Security researchers simulate IP spoofing attacks to test how well networks resist DDoS amplification attacks that rely on forged IP addresses.
- Engineers evaluate how load balancers and firewalls handle malformed packets, so they can improve defenses like SAV and anti-spoofing filters.
- Researchers also simulate IP spoofing and ARP spoofing to see how they're used to exploit trust assumptions in TCP/IP and facilitate MitM (man-in-the-middle) attacks. In a safe, controlled environment, researchers can determine how effective network responses are and build stronger defenses.
That said, IP spoofing without consent (even in the name of research) can violate computer-misuse laws. Penetration testers and security researchers must obtain explicit, written authorization for all spoofing experiments, and should remember that spoofed packets also traverse, and may be reported by, networks that belong to nobody in the engagement.
How to detect IP spoofing: How do you spoof an IP address?
If you've ever asked, "Can someone spoof my IP address?", the answer is yes; someone can absolutely spoof your IP address.
Here’s how it’s done:
- First, the attacker uses packet sniffing tools to identify key information about your network, like active IP addresses, existing TCP connections, and TCP sequence numbers. Sniffing requires a vantage point on the path (a shared LAN, a compromised router or host); an off-path attacker has to guess, which is why modern stacks randomize initial sequence numbers (RFC 6528).
- TCP sequence numbers are 32-bit values that number every byte sent over a connection; each segment carries the sequence number of its first byte.
- Knowing the sequence numbers is crucial because the receiver only accepts segments whose bytes fall inside its current receive window. The TCP stack silently discards spoofed segments that fall outside that window, however convincing the source address is.
- By sniffing packets, the attacker gets the exact sequence and acknowledgment numbers they need to make spoofed segments land inside the window.
- After capturing the details, the attacker uses specialized IP spoofing tools to craft the spoofed packets.
- Finally, the attacker transmits these crafted packets to your network. Without the proper defenses, your network accepts them as if they came from a trusted source.
This brings us to an important question.
What can someone do with your IP address?
Your IP address usually reveals roughly where you are, often down to the city. It can give attackers a starting point for figuring out where you actually live. Once they have your location info, they can scrape social media to gather more details like hobbies, daily routines, and travel plans.
With this intel, they can plan armed robberies, stalking, targeted social engineering, or DDoS attacks to disrupt your entire life.
They can also use your IP to hide their crimes, leaving you as the prime suspect instead of the victim.
And if the attackers sell your IP address on the Dark Web, threat actors who buy it can use your IP for illegal activities, potentially framing you for crimes you didn’t commit.
You can keep your information safe with LastPass Dark Web Monitoring:
- It alerts you if your info is found on the Dark Web, so you can quickly update your credentials to prevent identity theft and fraud. Real-time alerts also help you meet regulatory requirements for breach notification timelines, such as those mandated by HIPAA, GDPR, or CCPA.
- You get visibility into potential threats tied to your identity and organization, improving your overall security posture.
- With 24/7 monitoring, you can align with frameworks like NIST and ISO 27001, which require continuous monitoring of risks and security controls. Get Dark Web Monitoring free with any LastPass trial.
How to prevent IP spoofing: Best tools to defend against IP spoofing in 2025
If you’ve ever wondered what defenses actually hold up against IP spoofing, this is for you. We’ve boiled down the critical tools below in one concise, easy-to-read table. You’ll see the leading options, what they do, and who they’re for.
| Strategy or technique | How to implement | What it does | Who it's for |
|---|---|---|---|
| BCP 38 (RFC 2827, ingress filtering) and BCP 84 (RFC 3704, ingress filtering for multihomed networks) | uRPF (Unicast Reverse Path Forwarding) or interface ACLs to enforce SAV (Source Address Validation) | Used in routers to drop traffic at the network edge whose source IP is not valid for the interface it arrived on | Businesses, ISPs, large consumer networks |
| IPsec | Consumer-friendly IPsec VPNs: CyberGhost, ExpressVPN, Surfshark; professional-grade IPsec stack with broad protocol support for high-performance gateways: Rambus Classic IPsec Toolkit; enterprise VPN client with IPsec and SSL support: Fortinet FortiClient; VPN client for mobile users and businesses needing secure remote access: WatchGuard IPsec Mobile VPN client | Secures IP communications by encrypting and authenticating IP packets; complements ingress and egress filtering; drops packets without valid cryptographic credentials, established through IKE (Internet Key Exchange) authentication and PKI (Public Key Infrastructure) when certificate validation is required | Consumers (IPsec VPNs) and businesses |
| WAF (web application firewall) | AWS WAF, Cloudflare WAF | Defends against application-layer DDoS attacks when spoofed IPs are involved; applies session-based rate limiting, behavioral anomaly detection, and X-Forwarded-For (XFF) header validation so that fake client IPs cannot be injected | Mainly businesses hosting web applications; not typical for consumers |
| FIDO2 MFA | Get it through a LastPass free trial | Provides strong authentication to prevent unauthorized access | Consumers and businesses |
| 24/7 Dark Web Monitoring | Get it through a LastPass free trial | Provides real-time alerts of exposed credentials; prompts password updates; prevents unauthorized access from attackers using spoofed IPs and compromised login info | Consumers and businesses |

Please note: The above recommendations are not a substitute for professional advice. Be sure to perform due diligence and consult with security professionals to deploy the right solutions for your specific needs and risk profiles.
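The X-Forwarded-For validation mentioned for WAFs is where IP spoofing reappears at the application layer: a client can put any address in that header, and an application that reads the leftmost value will rate-limit, geofence or log the wrong IP. The following is an added example (not code from the original article, and not how AWS WAF or Cloudflare WAF implement it) that resolves the client address by walking the header from the right past known proxies, beside the naive version, and replays a constructed header-rotation attack through a rate limiter keyed on each. The proxy range and addresses are constructed.

```python
import ipaddress

# Added example, not code from the original article and not the implementation
# of any named WAF. Proxy ranges and addresses are constructed.


def _trusted(ip: str, trusted_nets) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted_nets)


def naive_client_ip(remote_addr: str, xff: str) -> str:
    """The common mistake: take the leftmost X-Forwarded-For value. The client
    wrote that value, so it can be anything."""
    return xff.split(",")[0].strip() if xff else remote_addr


def client_ip_from_xff(remote_addr: str, xff: str, trusted_proxies) -> str:
    """Resolve the real client: walk X-Forwarded-For from the right, skipping
    hops that are our own proxies, and stop at the first address we did not
    append ourselves. If the TCP peer is not a trusted proxy, the header was
    never vetted by us and is ignored entirely."""
    trusted_nets = [ipaddress.ip_network(p) for p in trusted_proxies]
    if not _trusted(remote_addr, trusted_nets):
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    for hop in reversed(hops):
        if _trusted(hop, trusted_nets):
            continue
        try:
            return str(ipaddress.ip_address(hop))  # normalises the textual form
        except ValueError:
            return remote_addr   # junk injected into the chain: fall back to the peer
    return remote_addr           # only our own proxies in the chain (e.g. a health check)


class RateLimiter:
    """Fixed-count limiter keyed on whatever IP the resolver returns."""

    def __init__(self, limit: int):
        self.limit, self.counts = limit, {}

    def allow(self, key: str) -> bool:
        self.counts[key] = self.counts.get(key, 0) + 1
        return self.counts[key] <= self.limit


def run(requests, resolve, limit: int = 5) -> int:
    """Replay (remote_addr, xff) pairs through a limiter; return how many got through."""
    limiter = RateLimiter(limit)
    return sum(limiter.allow(resolve(remote, xff)) for remote, xff in requests)


TRUSTED_PROXIES = ["10.0.0.0/24"]   # constructed: our load-balancer tier

# Constructed: one attacker at 203.0.113.9 behind our proxy 10.0.0.5 sends 20
# requests, each with a different forged X-Forwarded-For; the proxy appends the
# real peer address, so the application sees "forged, 203.0.113.9".
ATTACK = [("10.0.0.5", f"198.51.100.{i}, 203.0.113.9") for i in range(20)]

if __name__ == "__main__":
    print("naive :", run(ATTACK, naive_client_ip))
    print("vetted:", run(ATTACK, lambda r, x: client_ip_from_xff(r, x, TRUSTED_PROXIES)))
```

With a limit of 5, the naive resolver lets all 20 requests through because every forged value is a fresh key, while the vetted resolver attributes all of them to 203.0.113.9 and blocks the sixth onward. The same rule applies to any header a proxy sets (`X-Real-IP`, `Forwarded`): trust it only from a peer you control, and read it from the end you appended.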
Related articles
- Email Spoofing: What Hackers Hope You Miss in 2025
- DNS Spoofing Attacks in 2025
- What Is ARP Spoofing, and Why Should You Care?
FAQs about IP spoofing
What is the difference between IP spoofing and session hijacking?
IP spoofing enables session hijacking in some scenarios. Take, for example, legacy systems that use IP addresses to authenticate users. This means an attacker who manages to spoof someone’s IP address can hijack their session to perform unauthorized actions.
Modern protections like MFA, HTTPS, and session tokens make this type of session hijacking harder, but it’s worth noting the attack surface has shifted. Instead of just hijacking sessions, IP spoofing campaigns are increasingly being leveraged for credential stealing. A layered defense includes the use of:
- Zero Trust principles, where every access request is continuously earned
- Token binding, where each session is tied to unique tokens
- Strong endpoint security, where every endpoint device is hardened
- LastPass FIDO2 MFA, where every login demands cryptographic proof only your device can provide
- LastPass SaaS Monitoring, where every app login is secured
- LastPass SaaS Protect, where every high-risk request is blocked
What is the difference between a sniffer and a spoofer?
A sniffer is used to monitor and capture data packets. It’s a largely passive process, as it doesn’t involve altering the data. Meanwhile, a spoofer introduces fake traffic into a network by sending through crafted packets with forged source IP addresses. Unlike sniffing, spoofing is an active process aimed at gaining unauthorized access or disrupting operations.
How do IP grabbers work?
IP grabbers are tools that "grab" or capture your IP address, typically by getting you to open a link or load an image that logs the address of whoever fetches it. Although IP grabbers can be used for benign purposes like gaining insight into user behavior, they can also be weaponized by threat actors. Once attackers have your IP, they can geolocate it, probe it for exposed services, and correlate it with other data they hold about you. With this intel, they can craft more credible phishing attacks to target you.
Do VPNs mask your IP?
Yes, VPNs can mask or hide your IP. They do this by routing your traffic through a VPN server, which replaces your IP address with that of the server.
This process makes it seem as if your online activities are originating from the VPN server’s location rather than yours. Thus, it hides your browsing history from your ISP and other parties.
A VPN also has other benefits like allowing safe browsing on public Wi-Fi, access to geo-based content, and the ability to bypass regional censorship and location-based price discrimination.
What is an IP scrambler?
An IP scrambler, which randomizes your IP address with each connection, technically doesn’t exist. This is because a valid, recognizable IP is required to interact with platforms across the web.
However, modern versions of “IP scramblers” exist in the form of VPNs and proxies. ISP proxies and residential proxies are two types of proxies.
ISP proxies operate by routing your traffic through an IP provided by your ISP. These proxies offer high speeds and stable sessions. Meanwhile, residential proxies route your traffic through the IP of a residential user.
Since residential proxy providers typically offer millions of residential IP addresses, you get both stealth and a high degree of anonymity with this type of proxy. Ultimately, residential proxies are the preferred choice for performing market research and accessing geo-restricted content.
Today, you can stay ahead of IP spoofing and protect what matters most: Catch exposed credentials with our premier Dark Web Monitoring services and enjoy Secure Access with FIDO2 MFA, free with a LastPass Premium or Business trial (no credit card required).
| Type of account | Who it's for | Free trial? |
|---|---|---|
| Premium | For personal use across devices | Yes, get it here |
| Families | For parents, kids, roommates, friends, and whoever else you call family (6 Premium accounts) | Yes, get it here |
| Teams | For your small business or startup | Yes, get it here |
| Business | For small or medium-sized businesses | Yes, get it here |
| Business Max | Advanced protection and secure access for any business | Yes, get it here |
LastPass is so easy to use I have my elderly parents using it successfully. I like that for most Android Apps and desktop websites, LastPass can auto-fill with ease. I've been with this product for years now and had no issues or breaches that affected me in any way (Shandy O, computer specialist and verified G2 reviewer).
I appreciate how user-friendly and convenient LastPass is! It makes it so much easier to manage and secure all my passwords in one place, without having to remember every login. Plus, the browser extension and mobile app work seamlessly, so I always have access to my information wherever I need it. I also like how LastPass helps with generating strong passwords, giving me peace of mind that my accounts are safe. Overall, it’s a tool that makes digital life more secure and efficient! (Krishen B, Director of small business and verified G2 reviewer)
Sources:
https://voxelmanip.se/2025/04/28/post-mortem-the-2025-04-18-ip-spoofing-attack/
https://networklessons.com/cisco/ccna-routing-switching-icnd1-100-105/ipv4-packet-header
https://nmap.org/book/man-bypass-firewalls-ids.html
https://www.okta.com/identity-101/ip-spoofing/
https://www.portnox.com/cybersecurity-101/what-is-ip-spoofing/
https://cert.europa.eu/publications/security-advisories/2021-005/
https://spoofer.caida.org/summary.php
https://www.security.org/vpn/what-can-someone-do-with-your-ip/
https://www.geeksforgeeks.org/ethical-hacking/session-hijacking/
https://www.proofpoint.com/us/threat-reference/session-hijacking