LEGACY: CAIDA IP Spoofer report

LAST UPDATED:  2021-06-07

LEGACY REPORT

Report discontinued. Replaced by: by IP Spoofer Events Report.

This report intends to provide a current view of ingress/egress filtering and susceptibility to IP source packet forging (spoofing) on a given network.

This report is based on the CAIDA (Center for Applied Internet Data Analysis)  Spoofer project. The CAIDA Spoofer project periodically tests a network’s ability to both send and receive packets with forged source IP addresses (spoofed packets) in support of reporting on best current practice source address validation – BCP38.

The methodology behind the Spoofer project results in a CAIDA initiated test for spoofing in the form of probed packets sent to test the ability of a given IPv4 or IPv6 address / node to send/receive spoofed packets.  Each node in the below report has been identified as having sent or received spoofed packets. Each is mapped to a CIDR and autonomous system i.e. different Internet service providers.

While the data in this report is the most comprehensive of its type we are aware of, it is still an ongoing, incomplete project. The data here is representative only of the netblocks, addresses and autonomous systems (ASes) of clients from which we received reports on a daily basis (ie. participating in the CAIDA project).

Feedback, comments and bug fixes are always welcome both to Shadowserver  and to CAIDA (by contacting spoofer-info@caida.org). This also includes the option of direct participation in the project through the downloading of client testing software to automatically contribute a report to the CAIDA database. For more details on direct participation as well as other questions, please see the CAIDA Spoofer project FAQ.

Please note this report will be replaced after 2021-06-01 by IP Spoofer Events Report.

Fields

  • timestamp
    Time that the spoofer test was conducted in UTC+0
  • ip
    IP of device successfully sending/receiving spoofed packets as a result of the CAIDA test (anonymized to network level, see CIDR field).
  • asn
    ASN - ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • hostname
    Reverse DNS name of the device in question
  • type
    IPv4 session
  • infection
    Will always be ip-spoofer
  • naics
    North American Industry Classification System Code for the IP
  • sic
    Standard Industrial Classification System Code for the IP
  • sector
    Sector to which the IP in question belongs; e.g. Communications, Commercial Facilities, Information Technology
  • family
    Additional classification information (if available)
  • tag
    Additional classification information (if available)
  • public_source
    Source of the event, will always be CAIDA
  • network
    CIDR of the device IP successfully sending/receiving spoofed packets as a result of the CAIDA test
  • version
    IP version
  • type
    IPv4 session
  • routedspoof
    Received - Spoofed packet was received ; Blocked - Spoofed packet was not received, but unspoofed packet was ; Rewritten - Spoofed packet was received, but the source address was changed en route ; Unknown - Neither spoofed nor unspoofed packet was received
  • session
    NAT Session ID
  • nat
    Response involved NAT (True) / without NAT (False)

Sample

"timestamp","ip","asn","geo","region","city","hostname","type","infection","naics","sic","sector","family","tag","public_source","network","version","type","routedspoof","session","nat"
"2019-08-27 00:06:24","137.97.71.0",55836,"IN","KERALA","THRISSUR",,"Session","ip-spoofer",517312,0,"Information Technology",,,"caida","137.97.71.0/24","ipv4","Session","received",739969,"True"
"2019-08-27 01:19:47","103.95.33.0",136749,"MY","SELANGOR","SHAH ALAM",,"Session","ip-spoofer",541990,0,"Communications",,,"caida","103.95.33.0/24","ipv4","Session","received",739992,"True"
"2019-08-27 02:32:12","115.78.9.0",7552,"VN","HO CHI MINH","THANH PHO HO CHI MINH",,"Session","ip-spoofer",517312,0,"Communications",,,"caida","115.78.9.0/24","ipv4","Session","rewritten",740024,"True"
"2019-08-27 03:16:08","24.237.163.0",8047,"US","ALASKA","BETHEL","0-163-237-24.gci.net","Session","ip-spoofer",517919,737415,,,,"caida","24.237.163.0/24","ipv4","Session","received",740037,"False"
"2019-08-27 04:29:49","122.255.35.0",18001,,,,,"Session","ip-spoofer",,,,,,"caida","122.255.35.0/24","ipv4","Session","received",740057,"False"

Our 132 Report Types