Skip to Content
[CAIDA - Center for Applied Internet Data Analysis logo]
Center for Applied Internet Data Analysis
State of IP Spoofing


These charts show spoofing results with different kinds of aggregation. They use only the most recent test from each client IP address, and only tests run within the last year. Because the large majority of tests occur from behind a NAT, the results are separated into tests with no NAT involved, and all tests (with and without NAT). Tests that couldn't evaluate whether spoofing or blocking occur are excluded.

The remaining tests are first aggregated in IP blocks (/24 for IPv4, and /40 for IPv6). Blocks in which all tested client addresses result in the same status are labeled as "spoofable" or "unspoofable", and blocks with conflicting results from different IP addresses are labeled "inconsistent".

A similar analysis is done on the AS level, but the "inconsistent" ASes are further subdivided into those with less than half their IP blocks considered spoofable (which are labeled "partly spoofable") and those with at least half spoofable (which are labeled "mostly spoofable").

Mostly spoofable29
Partly spoofable27
NAT Blocked25318
Mostly spoofable17
Partly spoofable63
NAT Blocked1956
Mostly spoofable10
Partly spoofable11
Spoofing over last 6 months

These graphs plot the spoofability of IP blocks and ASes for the last 6 months, at a granularity of 1 day. In order to prevent visual clutter, all tests since 1 week before the specified date are included in the spoofability calculation, and all the "inconsistent" prefixes or ASes are considered to be "spoofable". Tests that couldn't evaluate whether spoofing or blocking occur are excluded.

See the graph for the lifetime of spoofer
IPv4 spoofing over time excluding NAT
IPv4 spoofing over time including NAT
IPv6 spoofing over time excluding NAT
Top Ten Spoofer Test Results
by ASNClient
IP blocks
IP blocks
55740 (TATAINDICOM-IN)209209 (100.0%)
816710491 (87.5%)
45899 (VNPT-AS-VN)7655 (72.4%)
24560 (AIRTELBROADBAND-AS-AP)17449 (28.2%)
37457 (Telkom-Internet)9645 (46.9%)
5650 (FRONTIER-FRTR)26043 (16.5%)
9116 (GOLDENLINES-ASN)8942 (47.2%)
36992 (ETISALAT-MISR)12540 (32.0%)
5384 (EMIRATES-INTERNET)9130 (33.0%)
37532 (ZAMREN)3529 (82.9%)
See more test results classified by AS
by CountryClient
IP blocks
IP blocks
usa (United States)6862359 (5.2%)
ind (India)2592302 (11.7%)
bra (Brazil)817132 (16.2%)
kor (South Korea)170872 (4.2%)
vnm (Vietnam)25071 (28.4%)
zaf (South Africa)25856 (21.7%)
isr (Israel)29155 (18.9%)
gbr (United Kingdom)183454 (2.9%)
egy (Egypt)27344 (16.1%)
aus (Australia)81037 (4.6%)
See more test results classified by country
Geographic Distribution:
We assess the geographic distribution of clients in our dataset both to measure the extent of our testing coverage as well as to determine if any region of the world is more susceptible to spoofing. The value shown is the percentage of tested IP blocks (including those behind a NAT) that show any evidence of spoofing.
Source address filtering:
Each test run spoofs addresses from adjacent netblocks, beginning with a direct neighbor (IP address + 1) all the way to an adjacent /8. The following figure displays the granularity of source address filtering (typically employed by service providers) along paths tested in our study. If the filtering is occurring on a /8 boundary for instance, a client within that network is able to spoof 16,777,215 other addresses. Using the tracefilter mechanism, we measure filtering depth; where along the tested path (from each client to the server), filtering is employed. Depth represents the number of IP routers through which the client can spoof before being filtered.
Filtering Filtering
Attacks using randomly spoofed source IP addresses over time observed by the UCSD network telescope

These graphs plot the number of attacks that use randomly spoofed source IP addresses over time, as observed by the UCSD telescope. If the attacker chooses source IP addresses uniformly at random, the telescope will receive backscatter from denial of service attacks, which we can use to infer the attack volumes for each victim. We use IP geolocation to infer the locations of victim IP addresses. You can learn more about the methodology behind the telescope by reading the related paper, and obtain a more interactive view using the IODA view.

This report, provided by CAIDA, intends to provide a current aggregate view of ingress and egress filtering and IP Spoofing on the Internet. While the data in this report is the most comprehensive of its type we are aware of, it is still an ongoing, incomplete project. The data here is representative only of the netblocks, addresses and autonomous systems (ASes) of clients from which we have received reports. The more client reports we receive the better - they increase our accuracy and coverage.

Download and run our testing software to automatically contribute a report to our database.

Feedback, comments and bug fixes welcome; contact spoofer-info at

  Last Modified: