MEDIUM: IP Spoofer Events Report

DESCRIPTION LAST UPDATED: 2023-12-06

DEFAULT SECURITY LEVEL: MEDIUM

This report intends to provide a current view of ingress/egress filtering and susceptibility to IP source packet forging (spoofing) on a given network.

This report is currently based on the CAIDA (Center for Applied Internet Data Analysis)  Spoofer project. The CAIDA Spoofer project periodically tests a network’s ability to both send and receive packets with forged source IP addresses (spoofed packets) in support of reporting on best current practice source address validation – BCP38.

The methodology behind the Spoofer project results in a CAIDA initiated test for spoofing in the form of probed packets sent to test the ability of a given IPv4 or IPv6 address / node to send/receive spoofed packets.  Each node in the below report has been identified as having sent or received spoofed packets. Each is mapped to a CIDR and autonomous system i.e. different Internet service providers.

While the data in this report is the most comprehensive of its type we are aware of, it is still an ongoing, incomplete project. The data here is representative only of the netblocks, addresses and autonomous systems (ASes) of clients from which we received reports on a daily basis (ie. participating in the CAIDA project).

Feedback, comments and bug fixes are always welcome both to Shadowserver  and to CAIDA (by contacting spoofer-info@caida.org). This also includes the option of direct participation in the project through the downloading of client testing software to automatically contribute a report to the CAIDA database. For more details on direct participation as well as other questions, please see the CAIDA Spoofer project FAQ.

Severity levels are described here.

Filename: event4_ip_spoofer

Fields

  • timestamp
    Timestamp when the IP was seen in UTC+0
  • protocol
    Packet type of the connection traffic (UDP/TCP)
  • src_ip
    The IP of the device in question
  • src_port
    Source port of the IP connection
  • src_asn
    ASN of the source IP
  • src_geo
    Country of the source IP
  • src_region
    Region of the source IP
  • src_city
    City of the source IP
  • src_hostname
    Reverse DNS of the source IP
  • src_naics
    North American Industry Classification System Code
  • src_sector
    Sector to which the IP in question belongs; e.g. Communications, Commercial
  • device_vendor
    Source device vendor
  • device_type
    Source device type
  • device_model
    Source device model
  • severity
    Severity level
  • public_source
    Source of the event data
  • infection
    Description of the malware/infection
  • family
    Malware family or campaign associated with the event
  • tag
    Event attributes
  • application
    Application name associated with the event
  • version
    Software version associated with the event
  • event_id
    Unique identifier assigned to the source IP or event
  • network
    CIDR of the device IP successfully sending/receiving spoofed packets as a result of the CAIDA test
  • routedspoof
    Received - Spoofed packet was received ; Blocked - Spoofed packet was not received, but unspoofed packet was ; Rewritten - Spoofed packet was received, but the source address was changed en route ; Unknown - Neither spoofed nor unspoofed packet was received
  • session
    NAT Session ID
  • nat
    Response involved NAT (True) / without NAT (False)

Sample

"timestamp","protocol","src_ip","src_port","src_asn","src_geo","src_region","src_city","src_hostname","src_naics","src_sector","device_vendor","device_type","device_model","severity","dst_ip","dst_port","dst_asn","dst_geo","dst_region","dst_city","dst_hostname","dst_naics","dst_sector","public_source","infection","family","tag","application","version","event_id","network","routedspoof","session","nat"
"2010-02-10 00:00:00",tcp,192.168.0.1,,64512,ZZ,Region,City,node01.example.com,0,,,,,medium,172.16.0.1,,65534,ZZ,Region,City,node01.example.net,0,,,ip-spoofer,,,,ipv4,,192.168.0.0/24,blocked,1677082,True
"2010-02-10 00:00:01",tcp,192.168.0.2,,64512,ZZ,Region,City,node02.example.com,0,,,,,medium,172.16.0.2,,65534,ZZ,Region,City,node02.example.net,0,,,ip-spoofer,,,,ipv4,,192.168.0.0/24,received,1677091,True
"2010-02-10 00:00:02",tcp,192.168.0.3,,64512,ZZ,Region,City,node03.example.com,0,,,,,medium,172.16.0.3,,65534,ZZ,Region,City,node03.example.net,0,,,ip-spoofer,,,,ipv4,,192.168.0.0/24,rewritten,1677095,True

Our 132 Report Types