3

Let's say that I'm a malicious user Bob and I have found a vulnerability in an application that will allow me to impersonate another user, Alice. Alice is connected to 'X' server with her IP address (1.2.3.4) and local port (1234).

Through some means, I have managed to obtain both Alice's IP address and the local socket she is connected through (1.2.3.4:1234). Given this information, how feasible is it to construct a spoofed UDP packet and have it be successfully routed to server 'X', without it being dropped?

Travinsky
  • 31
  • 1
  • 2

2 Answers

4

An important thing to note here is that you are not strictly connected to a server with UDP in the same way as with TCP, as UDP involves no handshake process. That said, there could be some sort of handshake included in the server's own logic.

As suggested by commenters on this question, some ISPs, switches and routing devices do feature source checking, so while it is definitely theoretically possible, your actual mileage may vary.

JonRB
  • 393
  • 1
  • 6
4

Removing ourselves from something like the internet where we are bound by what rules an ISP would use, a typical network would not be able to distinguish between false UDP and true UDP.

Think of UDP like a child yelling for their mom in a crowded supermarket. The child can yell and mom might or might not hear, but the child is going to keep yelling since they don't know if mom heard it. As a parent, you'll be able to differentiate your child from someone else's, but there are times when some other kid sounds just like yours. You could easily mistake the yell of one child for yours. Since you and your child are separated, you don't have a 'handshake' to establish the child and mother in one conversation; it's just noise.

Since UDP is effectively just putting data on wire, there is nothing stopping you from spoofing the traffic -- you won't get a response back, but you can make the application think Alice is doing the talking.

In the real world, you have multiple layers of stuff which could easily identify that you're trying to send spoofed traffic and just drop it before it leaves your network segment.

Andrew
  • 371
  • 1
  • 6
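Both answers make the same point from the server's side: a UDP datagram carries nothing but a source address, so a service that trusts that address alone cannot tell Alice's datagrams from ones that merely claim to be hers. The added example below (not code from either answerer, and not from any real application) shows the server-side difference between that naive check and the "handshake included in the server's own logic" that JonRB mentions: each session gets a key established out of band, and every datagram carries a sequence number and an HMAC tag over its payload. The session table, the key derivation and the sample datagrams are all constructed locally for the demonstration; no packets are sent.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 16                  # truncated HMAC-SHA256 tag, in bytes
HEADER = struct.Struct("!I")  # 4-byte big-endian sequence number

# Constructed session table: (ip, port) -> {"key": ..., "last_seq": ...}.
# In a real service the key would come from an authenticated setup step
# (for example a DTLS handshake); here it is simply generated locally.
SESSIONS = {}


def register_session(addr, key=None):
    """Record that `addr` has an authenticated session and return its key."""
    key = key or os.urandom(32)
    SESSIONS[addr] = {"key": key, "last_seq": 0}
    return key


def make_tag(key, seq, payload):
    """HMAC-SHA256 over sequence number || payload, truncated to TAG_LEN."""
    mac = hmac.new(key, HEADER.pack(seq) + payload, hashlib.sha256).digest()
    return mac[:TAG_LEN]


def build_datagram(key, seq, payload):
    """What a legitimate client sends: seq || tag || payload."""
    return HEADER.pack(seq) + make_tag(key, seq, payload) + payload


def naive_handler(addr, datagram):
    """Server logic that trusts the source address alone: the situation the
    question describes. Anything arriving 'from' a known address is accepted."""
    if addr not in SESSIONS:
        return ("rejected", "unknown source")
    return ("accepted", datagram)


def authenticated_handler(addr, datagram):
    """Server logic that binds each datagram to a per-session key and a
    strictly increasing sequence number. A correct source address is no
    longer enough: the sender must also hold the session key, and old
    datagrams cannot be replayed."""
    session = SESSIONS.get(addr)
    if session is None:
        return ("rejected", "unknown source")
    if len(datagram) < HEADER.size + TAG_LEN:
        return ("rejected", "truncated")
    (seq,) = HEADER.unpack_from(datagram)
    tag = datagram[HEADER.size:HEADER.size + TAG_LEN]
    payload = datagram[HEADER.size + TAG_LEN:]
    expected = make_tag(session["key"], seq, payload)
    # Constant-time comparison so tag checking does not leak timing.
    if not hmac.compare_digest(tag, expected):
        return ("rejected", "bad tag")
    if seq <= session["last_seq"]:
        return ("rejected", "replay")
    session["last_seq"] = seq
    return ("accepted", payload)


def demo():
    """Run both handlers over a genuine datagram, a datagram that carries
    Alice's address but no valid tag, and a replay of the genuine one."""
    alice = ("1.2.3.4", 1234)          # address from the question
    key = register_session(alice)
    genuine = build_datagram(key, 1, b"balance?")
    # Constructed test vector: right address, right framing, but the tag
    # field is filled with zeros because the sender has no session key.
    unauthenticated = HEADER.pack(2) + bytes(TAG_LEN) + b"transfer 100 to bob"
    return {
        "naive_genuine": naive_handler(alice, genuine)[0],
        "naive_unauthenticated": naive_handler(alice, unauthenticated)[0],
        "auth_genuine": authenticated_handler(alice, genuine)[0],
        "auth_unauthenticated": authenticated_handler(alice, unauthenticated)[0],
        "auth_replay": authenticated_handler(alice, genuine)[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The naive handler accepts both datagrams because it has nothing to check beyond the address. The authenticated handler accepts only the one whose tag was computed with Alice's key, and rejects the replay because its sequence number is not above the last one seen. Network-level filtering (the ISP source checks JonRB mentions) is outside the application's control; a per-session tag like this is the check the application itself can perform.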