Nowadays, network security is becoming more and more important. It should not only prevent malicious users from phishing attacks, but also prevent them from doing illegal activities with overflow tools or IP spoofing. If they are successful, the cost of the enterprise will be great.

As an enterprise network management or personal user, it is better to defend itself against IP spoofing principles.

IP brief introduction

　　普通用戶在網(wǎng)絡協(xié)議中最常用到的要數(shù)TCP/IP協(xié)議和UDP協(xié)議，兩者都是通過IP層交換數(shù)據(jù)包來進行規(guī)則通信，而IP在網(wǎng)絡層中占據(jù)生要地位是不容替代的，其接收由最低層（網(wǎng)絡接口層如以太網(wǎng)設備驅動程序）發(fā)來的數(shù)據(jù)包，并把該數(shù)據(jù)包轉發(fā)到更高層---TCP或UDP層，或者將接收到的TCP或UDP層的數(shù)據(jù)包傳送到更低層，不區(qū)分數(shù)據(jù)包發(fā)送的先后順序，不檢查數(shù)據(jù)包的完整性，雖然IP確認中包含一個IP source routing，但此選項是為了測試而存在，可以用來指定發(fā)送它的主機的地址（源地址）和接收它的主機的地址（目的地址），此點造成了被惡意用戶用來欺騙系統(tǒng)進行平常被禁止的連接，使許多依靠IP源地址做確認的服務產(chǎn)生問題，并且很容易讓惡意用戶利用虛假數(shù)據(jù)包對其進行欺騙式入侵，因此IP數(shù)據(jù)包是不可靠的，是對信任關系的一種破壞。

IP spoofing process

IP deception is composed of several processes. When a malicious user selects a remote target trust host, its trust mechanism is put into full play under the circumstances of sufficient control, so that the target machine loses its ability to work and extracts the TCP serial number issued by the target to guess the serial number of the data. After successful, it starts to disguise the trusted remote computer, and establishes the connection based on the address verification. Once the connection is successful, the malicious user will replace the role of the trusted host, and use the relevant commands to place the backdoor program to carry out a series of malicious actions.

Untrusted hosts find that the TCP SYN drowns in the network is to use the client to send the SYN request to the server, and the server returns a SYN/ACK signal. Once the data exceeds the SYN request upper limit in the TCP processing module, the request for data connection beyond the queue length will be rejected. At this point, the malicious user will send a large number of legitimate virtual IP addresses to the TCP port of the target by using this characteristic, and the target machine responds to the signal immediately, but the signal can not connect to the host. At this point, the IP packet is notified that the attacked host TCP can not arrive, but the host TCP layer considers that the network connection is temporarily wrong, and attempts to connect again until it is sure that it can not connect. For

At this point, the IP deception won time to make malicious users use the IP address to cheat.