You can't always completely stop IP spoofing
IP networks are vulnerable to some degree...
You need to know what to do to make IP spoofing more difficult, less likely or not possible in some situations (that actually matter). Below is a nice list I found on a a simple website. The site also explains the basic concepts for IP spoofing to better help you understand what you're up against.
http://www.computerworld.com/article/2546050/network-security/the-top-five-ways-to-prevent-ip-spoofing.html
- Use authentication based on key exchange between the machines on
your network; something like IPsec will significantly cut down on
the risk of spoofing.
- Use an access control list to deny private IP addresses on your
downstream interface.
- Implement filtering of both inbound and outbound traffic.
- Configure your routers and switches if they support such
configuration, to reject packets originating from outside your local
network that claim to originate from within.
- Enable encryption sessions on your router so that trusted hosts that
are outside your network can securely communicate with your local
hosts.
I believe list item number 1 is essential for strong security. Basically don't trust things based on IP, so it doesn't matter if it's spoofed or not. Use good encryption with key exchanges to verify identify of machines if you have any concern.
A great example of a way to trust systems only on key exchange is OpenVPN
- The server has a key, that the client can verify
- The client gets a key that the server can verify, encrypted with a password
- If either system gets something wrong, there will be no trust (tunnel)