IP address spoofing
==Defense against spoofing attacks==
[[Packet filtering]] is one defense against IP [[spoofing attack]]s. The gateway to a network usually performs [[ingress filtering]], which blocks packets arriving from outside the network that carry a source address inside the network. This prevents an outside attacker from spoofing the address of an internal machine. Ideally, the gateway would also perform [[egress filtering]] on outgoing packets, which blocks packets from inside the network that carry a source address that is not inside. This prevents an attacker within the filtered network from launching IP spoofing attacks against external machines.

An [[intrusion detection system]] (IDS) is a common use of packet filtering, which has been used to secure the environments for sharing data over network-based and host-based IDS approaches.<ref>{{Cite web |date=2023-04-19 |title=What is an Intrusion Detection System (IDS)? {{!}} IBM |url=https://www.ibm.com/topics/intrusion-detection-system |access-date=2024-11-04 |website=www.ibm.com |language=en}}</ref>

It is also recommended to design network protocols and services so that they do not rely on the source IP address for authentication.

===Upper layers===
Some [[upper layer protocol]]s have their own defense against IP spoofing attacks. For example, [[Transmission Control Protocol]] (TCP) uses sequence numbers negotiated with the remote machine to ensure that arriving packets are part of an established connection. Since the attacker normally cannot see any reply packets, the sequence number must be guessed in order to hijack the connection. Poor implementations in many older operating systems and network devices, however, mean that TCP sequence numbers can be predicted.
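The gateway ingress and egress filtering described under "Defense against spoofing attacks" can be sketched as a decision function over raw IPv4 headers. This is an added example, not part of the original article; the internal prefixes, the interface labels and the names <code>gateway_verdict</code> and <code>build_header</code> are assumptions made for illustration.

```python
import ipaddress
import struct

# Assumed internal prefixes of the protected network (constructed for this example).
INTERNAL_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


def source_address(packet: bytes) -> ipaddress.IPv4Address:
    """Return the source address field of a raw IPv4 header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version = packet[0] >> 4
    header_len = (packet[0] & 0x0F) * 4  # IHL is counted in 32-bit words
    if version != 4 or header_len < 20 or len(packet) < header_len:
        raise ValueError("not a valid IPv4 header")
    return ipaddress.IPv4Address(packet[12:16])


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def gateway_verdict(packet: bytes, arrived_on: str) -> str:
    """Filter by source address and by the interface the packet arrived on."""
    if arrived_on not in ("outside", "inside"):
        raise ValueError("arrived_on must be 'outside' or 'inside'")
    try:
        src = source_address(packet)
    except ValueError:
        return "drop-malformed"
    if arrived_on == "outside":
        # Ingress filtering: an outside packet must not claim an inside source.
        return "drop-ingress" if is_internal(src) else "accept"
    # Egress filtering: an inside packet must carry an inside source.
    return "accept" if is_internal(src) else "drop-egress"


def build_header(src: str, dst: str) -> bytes:
    """Constructed sample input: minimal 20-byte IPv4 header, checksum left at zero."""
    return struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
```

The verdict depends on the arrival interface as well as the address, which is why the same source address can be accepted in one direction and dropped in the other.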