# IP Spoofing

IP spoofing refers to the creation of IP packets with a forged source IP address.

* It is used to hide the identity of the sender or to impersonate another network system.
* Spoofing IP datagrams is a well-known problem.
* Most spoofing is done for illegitimate purposes.

<figure><img src="https://1919807373-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FKwrEaJP2cLc3Ipsnkpus%2Fuploads%2FCT3xlVPP1T10ruEfJnfR%2Fa.png?alt=media&#x26;token=4fdbc4e4-0f79-4fa4-9bb3-eb26a2eaaf89" alt=""><figcaption></figcaption></figure>

## Preventing IP Spoofing at Layer 3

<figure><img src="https://1919807373-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FKwrEaJP2cLc3Ipsnkpus%2Fuploads%2Fck8IxTI3QIcoHdfyBx8b%2Fa.png?alt=media&#x26;token=3c697f0f-c527-41c5-a626-cc3a6c7024d0" alt=""><figcaption></figcaption></figure>

Deny external traffic with:

* A source IP address within the protected network's IP ranges.
* A source IP address within the private address ranges.
* Multicast destinations.

Reverse path verification:

* Deny traffic where the source IP network is not reachable using the interface where the packet arrived.
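
The two Layer 3 checks above, combined into one filtering decision. This is an added example, not part of the original page; the prefixes, the interface names `inside` and `outside`, the routing table and the sample packets are all constructed assumptions.

```python
import ipaddress as ip

# Assumed topology (constructed): the protected network sits behind
# interface "inside"; everything else is reached through "outside".
PROTECTED = [ip.ip_network("203.0.113.0/24")]
PRIVATE = [ip.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MULTICAST = ip.ip_network("224.0.0.0/4")

# Routing table: prefix -> interface used to reach that prefix.
ROUTES = {
    ip.ip_network("203.0.113.0/24"): "inside",
    ip.ip_network("0.0.0.0/0"): "outside",
}

def route_interface(addr):
    """Longest-prefix match: the interface the router would use to reach addr."""
    matches = [n for n in ROUTES if addr in n]
    if not matches:
        return None
    return ROUTES[max(matches, key=lambda n: n.prefixlen)]

def filter_packet(src, dst, in_iface):
    """Return (action, reason) for a packet that arrived on in_iface."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    if in_iface == "outside":  # the "deny external traffic" rules
        if any(src in n for n in PROTECTED):
            return "deny", "source in protected range"
        if any(src in n for n in PRIVATE):
            return "deny", "private source"
        if dst in MULTICAST:
            return "deny", "multicast destination"
    # Reverse path verification: the source must be reachable through
    # the interface the packet arrived on.
    if route_interface(src) != in_iface:
        return "deny", "reverse path check failed"
    return "permit", "ok"

SAMPLES = [  # constructed packets: (source, destination, arrival interface)
    ("198.51.100.7", "203.0.113.10", "outside"),
    ("203.0.113.50", "203.0.113.10", "outside"),
    ("10.1.2.3", "203.0.113.10", "outside"),
    ("198.51.100.7", "224.0.0.5", "outside"),
    ("198.51.100.7", "192.0.2.1", "inside"),
    ("203.0.113.50", "192.0.2.1", "inside"),
]

if __name__ == "__main__":
    for s, d, i in SAMPLES:
        print(s, d, i, *filter_packet(s, d, i))
```

The fifth sample shows what reverse path verification adds: a packet leaving the protected network with a forged external source passes none of the external deny rules but still fails the reverse path check.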

## Preventing IP Spoofing at Layer 2

<figure><img src="https://1919807373-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FKwrEaJP2cLc3Ipsnkpus%2Fuploads%2FKzMUGPtaeGME2pyjlJd7%2Fa.png?alt=media&#x26;token=b04d56d3-4384-40e8-bd48-38012e0bdad3" alt=""><figcaption></figcaption></figure>

This control prevents IP spoofing attacks by restricting IP traffic on untrusted Layer 2 ports to clients with an assigned IP address.

It works by filtering IP traffic whose source IP address is different from the one assigned via Dynamic Host Configuration Protocol (DHCP) or static configuration on the untrusted Layer 2 ports.

It works in combination with DHCP and is enabled on untrusted Layer 2 ports.
