Logo

State of IP Spoofing

Summary:

These charts show spoofing results with different kinds of aggregation. They use only the most recent test from each client IP address, and only tests run within the last year. Because the large majority of tests occur from behind a NAT, the results are separated into tests with no NAT involved, and all tests (with and without NAT). Tests that couldn't evaluate whether spoofing or blocking occur are excluded.

The remaining tests are first aggregated in IP blocks (/24 for IPv4, and /40 for IPv6). Blocks in which all tested client addresses result in the same status are labeled as "spoofable" or "unspoofable", and blocks with conflicting results from different IP addresses are labeled "inconsistent".

A similar analysis is done on the AS level, but the "inconsistent" ASes are further subdivided into those with less than half their IP blocks considered spoofable (which are labeled "partly spoofable") and those with at least half spoofable (which are labeled "mostly spoofable").

StatusCount
Spoofable259
Inconsistent1
Blocked1165
StatusCount
Spoofable150
Mostly spoofable20
Partly spoofable36
Blocked527
StatusCount
Spoofable1257
Inconsistent1
NAT Blocked9272
Blocked1155
StatusCount
Spoofable465
Mostly spoofable23
Partly spoofable63
NAT Blocked1143
Blocked493
StatusCount
Spoofable308
Inconsistent39
Blocked1446
StatusCount
Spoofable198
Mostly spoofable32
Partly spoofable24
Blocked503
Summary of observed spoofing over last 6 months

These graphs plot the spoofability of the IP blocks and ASes that we have observed over the last 6 months, at a granularity of 1 day. In order to prevent visual clutter, all tests since 1 week before the specified date are included in the spoofability calculation, and all the "inconsistent" prefixes or ASes are considered to be "spoofable". Tests that couldn't evaluate whether spoofing or blocking occur are excluded.

See the graph for the lifetime of spoofer
IPv4 spoofing over time excluding NAT
IPv4 spoofing over time including NAT
IPv6 spoofing over time excluding NAT
Top Ten Spoofer Test Results (for the last year)
by ASNClient
IP blocks
Spoofing
IP blocks
24560 (AIRTELBROADBAND-AS-AP)236228 (96.6%)
8452 (TE-AS)5236 (69.2%)
741820330 (14.8%)
73035628 (50.0%)
23969 (TOT-NET)3327 (81.8%)
209 (CENTURYLINK-US-LEGACY-QWEST)7720 (26.0%)
3462 (HINET)4915 (30.6%)
2626751413 (92.9%)
7713 (telkomnet-as-ap)1513 (86.7%)
286681312 (92.3%)
See more test results classified by AS
by CountryClient
IP blocks
Spoofing
IP blocks
bra (Brazil)1971417 (21.2%)
ind (India)551247 (44.8%)
usa (United States)2028120 (5.9%)
arg (Argentina)18639 (21.0%)
tha (Thailand)10838 (35.2%)
chl (Chile)36736 (9.8%)
egy (Egypt)7636 (47.4%)
nld (Netherlands)35034 (9.7%)
idn (Indonesia)6030 (50.0%)
zaf (South Africa)18725 (13.4%)
See more test results classified by country
Geographic Distribution:
We assess the geographic distribution of clients seen in the last year both to measure the extent of our testing coverage as well as to determine if any region of the world is more susceptible to spoofing. The value shown is the percentage of tested IP blocks (including those behind a NAT) that show any evidence of spoofing.
Source address filtering:
Each test run spoofs addresses from adjacent netblocks, beginning with a direct neighbor (IP address + 1) all the way to an adjacent /8. The following figure displays the granularity of source address filtering (typically employed by service providers) along paths tested in our study. If the filtering is occurring on a /8 boundary for instance, a client within that network is able to spoof 16,777,215 other addresses. Using the tracefilter mechanism, we measure filtering depth; where along the tested path (from each client to the server), filtering is employed. Depth represents the number of IP routers through which the client can spoof before being filtered.
Filtering Filtering
About:
This report, provided by CAIDA, intends to provide a current aggregate view of ingress and egress filtering and IP Spoofing on the Internet. While the data in this report is the most comprehensive of its type we are aware of, it is still an ongoing, incomplete project. The data here is representative only of the netblocks, addresses and autonomous systems (ASes) of clients from which we have received reports. The more client reports we receive the better - they increase our accuracy and coverage.

Download and run our testing software to automatically contribute a report to our database.

Feedback, comments and bug fixes welcome; contact spoofer-info at caida.org.

Last Modified