Skip to Content
[CAIDA - Center for Applied Internet Data Analysis logo]
Center for Applied Internet Data Analysis
State of IP Spoofing

You appear to be connecting from 54.80.102.170 which is in AS 14618.
We have no recent tests from your IP block, but other tests from that AS indicate that any spoofed packets we received are rewritten before arriving.

Summary:

These charts show spoofing results with different kinds of aggregation. They use only the most recent test from each client IP address, and only tests run within the last year. Because the large majority of tests occur from behind a NAT, the results are separated into tests with no NAT involved, and all tests (with and without NAT). Tests that couldn't evaluate whether spoofing or blocking occur are excluded.

The remaining tests are first aggregated in IP blocks (/24 for IPv4, and /40 for IPv6). Blocks in which all tested client addresses result in the same status are labeled as "spoofable" or "unspoofable", and blocks with conflicting results from different IP addresses are labeled "inconsistent".

A similar analysis is done on the AS level, but the "inconsistent" ASes are further subdivided into those with less than half their IP blocks considered spoofable (which are labeled "partly spoofable") and those with at least half spoofable (which are labeled "mostly spoofable").

StatusCount
Spoofable384
Inconsistent7
Blocked2228
StatusCount
Spoofable136
Mostly spoofable31
Partly spoofable35
Blocked394
StatusCount
Spoofable1411
Inconsistent7
NAT Blocked23806
Blocked2211
StatusCount
Spoofable458
Mostly spoofable17
Partly spoofable77
NAT Blocked1874
Blocked369
StatusCount
Spoofable160
Inconsistent45
Blocked1650
StatusCount
Spoofable105
Mostly spoofable18
Partly spoofable16
Blocked282
Summary of observed spoofing over last 6 months

These graphs plot the spoofability of the IP blocks and ASes that we have observed over the last 6 months, at a granularity of 1 day. In order to prevent visual clutter, all tests since 1 week before the specified date are included in the spoofability calculation, and all the "inconsistent" prefixes or ASes are considered to be "spoofable". Tests that couldn't evaluate whether spoofing or blocking occur are excluded.

See the graph for the lifetime of spoofer
IPv4 spoofing over time excluding NAT
IPv4 spoofing over time including NAT
IPv6 spoofing over time excluding NAT
Top Ten Spoofer Test Results (for the last year)
by ASNClient
IP blocks
Spoofing
IP blocks
816710583 (79.0%)
55740 (TATAINDICOM-IN)5151 (100.0%)
9116 (GOLDENLINES-ASN)7548 (64.0%)
37532 (ZAMREN)3429 (85.3%)
9318 (SKB-AS)37927 (7.1%)
45899 (VNPT-AS-VN)4427 (61.4%)
24560 (AIRTELBROADBAND-AS-AP)10426 (25.0%)
209 (CENTURYLINK-US-LEGACY-QWEST)25625 (9.8%)
37457 (Telkom-Internet)10622 (20.8%)
3549 (LVLT-3549)3920 (51.3%)
See more test results classified by AS
by CountryClient
IP blocks
Spoofing
IP blocks
usa (United States)6079294 (4.8%)
bra (Brazil)1295214 (16.5%)
ind (India)2088105 (5.0%)
kor (South Korea)123973 (5.9%)
isr (Israel)27461 (22.3%)
gbr (United Kingdom)170241 (2.4%)
can (Canada)85438 (4.4%)
ita (Italy)51437 (7.2%)
jpn (Japan)36337 (10.2%)
vnm (Vietnam)15133 (21.9%)
See more test results classified by country
Geographic Distribution:
We assess the geographic distribution of clients seen in the last year both to measure the extent of our testing coverage as well as to determine if any region of the world is more susceptible to spoofing. The value shown is the percentage of tested IP blocks (including those behind a NAT) that show any evidence of spoofing.
Source address filtering:
Each test run spoofs addresses from adjacent netblocks, beginning with a direct neighbor (IP address + 1) all the way to an adjacent /8. The following figure displays the granularity of source address filtering (typically employed by service providers) along paths tested in our study. If the filtering is occurring on a /8 boundary for instance, a client within that network is able to spoof 16,777,215 other addresses. Using the tracefilter mechanism, we measure filtering depth; where along the tested path (from each client to the server), filtering is employed. Depth represents the number of IP routers through which the client can spoof before being filtered.
Filtering Filtering
Attacks using randomly spoofed source IP addresses over time observed by the UCSD network telescope

These graphs plot the number of attacks that use randomly spoofed source IP addresses over time, as observed by the UCSD telescope. If the attacker chooses source IP addresses uniformly at random, the telescope will receive backscatter from denial of service attacks, which we can use to infer the attack volumes for each victim. We use IP geolocation to infer the locations of victim IP addresses. You can learn more about the methodology behind the telescope by reading the related paper, and obtain a more interactive view using the IODA view.

About:
This report, provided by CAIDA, intends to provide a current aggregate view of ingress and egress filtering and IP Spoofing on the Internet. While the data in this report is the most comprehensive of its type we are aware of, it is still an ongoing, incomplete project. The data here is representative only of the netblocks, addresses and autonomous systems (ASes) of clients from which we have received reports. The more client reports we receive the better - they increase our accuracy and coverage.

Download and run our testing software to automatically contribute a report to our database.

Feedback, comments and bug fixes welcome; contact spoofer-info at caida.org.

  Last Modified: