
Department of Electronics & Communication Engineering

The National Institute of Engineering


(An Autonomous Institute under VTU, Belagavi)
Mysuru – 570 008

COURSE PROJECT REPORT


(EC6C03)

[IP SPOOFING AND DETECTION]

Submitted to the partial fulfillment for the completion of experiential learning.

Submitted by:

SURYA C URS 4NI20EC115

NEERAJ M GOWDA 4NI20EC071

SHARANU HIREMATH 4NI20EC099

MURALI KRISHNA V HEGDE 4NI20EC068

VI Semester B.E

Under the supervision of:


Dr. Vijay B.T.
Assistant Professor,
NIE, Mysuru.

2022-23
ABSTRACT

The project aims to explore IP spoofing techniques using the Scapy
library and detect such spoofed packets using machine learning,
specifically Logistic Regression. IP spoofing refers to the act of
manipulating the source IP address in network packets to deceive or hide
the true origin of the communication. This project investigates both the
offensive aspect of IP spoofing and the defensive aspect of detecting and
mitigating spoofed packets. In the offensive part, the Scapy library is
utilized to develop a tool that allows for the generation and sending of IP
spoofed packets. Various spoofing scenarios are examined, including
Denial of Service (DoS) attacks, Distributed Denial of Service (DDoS)
attacks, and Man-in-the-Middle attacks. The tool provides flexibility in
customizing the packet headers to mimic different sources, destinations,
and protocols. By combining offensive and defensive aspects, this project
provides a comprehensive understanding of IP spoofing techniques and
their potential impact on network security. It demonstrates the practical
implementation of IP spoofing using Scapy and explores the effectiveness
of machine learning algorithms in detecting spoofed packets. The results
of the project contribute to the ongoing efforts in enhancing network
security by raising awareness about the vulnerabilities associated with IP
spoofing and proposing machine learning-based solutions for
detection and mitigation.
IP SPOOFING USING SCAPY:
• IP spoofing is one of the methods by which a DDoS attack can be carried out.
• DDoS attack means "Distributed Denial-of-Service (DDoS) attack",
a cybercrime in which the attacker floods a server with internet
traffic to prevent users from accessing connected online services
and sites.
• IP spoofing is the creation of Internet Protocol packets with a false
source IP address, for the purpose of impersonating another
computing system.
• IP spoofing can be used for both legitimate and malicious purposes.
Legitimate uses include certain network testing scenarios, where the
goal is to examine the behaviour of a network under
specific conditions.
• Man-in-the-Middle attacks: attackers can spoof their IP address to
intercept network traffic between two parties, allowing them to
eavesdrop on the communication or modify the data exchanged.
• Evasion of access controls: by spoofing a trusted IP address, an
attacker can bypass access controls that rely on IP-based
authentication or authorization mechanisms.
• IP spoofing is generally considered a malicious activity when used
to deceive, disrupt, or exploit computer networks and systems.
Engaging in IP spoofing with malicious intent is illegal in many
jurisdictions and can result in criminal charges.
• Scapy is a powerful interactive packet manipulation library written
in Python. Scapy is able to forge or decode packets of a wide range
of protocols, send them on the wire, capture them, match requests
and replies, and much more.

Sending IP packets using Scapy

• Here, the packet object named 'X' is sent. It carries many
fields, such as Time to Live (TTL), source address (x.src),
destination address (x.dst), the transport protocol used (TCP) and a
message loaded as the payload; around 23 fields are available in total.
• The main use of Scapy here is to produce many fake source IP addresses
on one device and send the packets to a single destination, so that the
receiver believes the packets are coming from different devices.
• Sending so many packets overwhelms the receiver, which stops
processing the requests it receives, and the server goes down.
WIRESHARK:

• Wireshark is a popular open-source network protocol analyzer that
allows users to capture and analyze network traffic in real time. It is
available for various operating systems, including Windows, macOS,
and Linux.
• Wireshark provides a graphical user interface (GUI) that facilitates
the inspection and interpretation of network packets.
• Packet capture: Wireshark allows users to capture network traffic
from different interfaces, such as Ethernet, Wi-Fi, or loopback. It
supports live packet capturing as well as the ability to read packet
capture files from other tools.
• Protocol analysis: Wireshark supports a wide range of network
protocols, including TCP/IP, HTTP, DNS, DHCP, and many more.
It can dissect and decode these protocols to provide detailed
information about the packets and their contents.
• Filtering and search: Wireshark offers powerful filtering capabilities
to focus on specific packets of interest. Filters can be based on
various criteria, such as IP address, port number, protocol, or packet
content. It also provides search functionality to locate specific
packets or information within the captured data.
• Packet inspection and reconstruction: Wireshark allows users to
inspect individual packets, view their headers and payloads, and
analyze the structure of different protocols. It can even reassemble
fragmented packets to provide a complete view of the network
communication.
• Statistics and graphing: Wireshark provides statistical analysis
features, such as flow and endpoint statistics, to help identify patterns
and anomalies in network traffic. It can also generate graphs and
charts to visualize network behavior over time.
• Extensibility: Wireshark supports various plugins and
customizations, allowing users to extend its functionality or add
support for additional protocols.
IP SPOOFING DETECTION USING ML:
• IP spoofing refers to the practice of modifying or falsifying the
source IP address in network packets with the intent to deceive or
hide the identity of the sender. Machine learning (ML) techniques
can be utilized to detect IP spoofing attempts by analyzing network
traffic patterns and identifying suspicious or anomalous behavior.
Here's an approach for IP spoofing detection using ML:
• Dataset collection: Gather a labeled dataset consisting of network
traffic data, including legitimate and spoofed IP addresses. The
dataset should ideally contain a diverse range of network activities
and various types of spoofing attacks.
• Feature extraction: Extract relevant features from the network traffic
data. These features may include packet headers, timestamps,
protocol types, packet sizes, and statistical characteristics of the
network flows.
• Labeling and preprocessing: Assign labels to the dataset, indicating
whether each network flow is legitimate or spoofed. Preprocess the
data by normalizing or scaling the features, handling missing values,
and encoding categorical variables.
• Model selection: Choose an appropriate ML algorithm for IP
spoofing detection. Some common choices include decision trees,
random forests, support vector machines (SVM), or deep learning
models such as recurrent neural networks (RNN) or convolutional
neural networks (CNN).
• Training: Split the labeled dataset into training and validation sets.
Train the ML model on the training set, using the labeled data to learn
the patterns and characteristics of both legitimate and spoofed traffic.
• Model evaluation: Evaluate the trained model's performance using
the validation set. Common evaluation metrics include accuracy,
precision, recall, and F1-score. Adjust the model's hyperparameters,
if necessary, to improve its performance.
• Testing and deployment: Apply the trained model to new, unseen
network traffic data to detect IP spoofing attempts in real time.
Monitor the network traffic continuously and classify each network
flow as legitimate or spoofed based on the model's predictions.
• Iteration and improvement: Monitor the model's performance over
time and collect feedback on misclassifications or false positives.
Continuously update and retrain the model using new data to
improve its accuracy and adapt to evolving IP spoofing techniques.
• It's important to note that ML-based IP spoofing detection is not
foolproof, as attackers can adapt and evolve their techniques to
bypass detection. Therefore, it's recommended to complement ML-
based approaches with other security measures, such as network
firewalls, intrusion detection systems (IDS), and network traffic
analysis tools, to strengthen overall network security.
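The pipeline above (feature extraction, scaling, training, classification) carried through end to end, as an added example that is not the report's own code. It is pure Python so it runs without Scapy or scikit-learn: the packet records are constructed to stand in for the per-packet fields a capture tool exposes (src, dst, proto, ttl, length), the flow features are the ones the report names (pktperflow, pktrate) plus a TTL spread and mean length, and the logistic regression is trained with batch gradient descent. The traffic mix, the helper names and the feature choices are this example's assumptions.

```python
"""Flow-feature extraction and a logistic-regression spoof detector in pure Python.

Added example: the packet records are constructed, not captured, and the field
names mirror what a capture tool (e.g. Scapy's IP layer) exposes per packet.
"""
import math
import random
from collections import defaultdict


def make_packets(seed=0):
    """Constructed capture: (time_s, src, dst, proto, ttl, length, label).

    label 0 = legitimate client flow, 1 = packet from a spoofed-source flood.
    """
    rng = random.Random(seed)
    pkts = []
    # 20 legitimate clients: steady multi-packet flows, each with a stable TTL.
    for i in range(20):
        src = f"10.0.{i // 5}.{10 + i % 5}"
        ttl = rng.choice([64, 128])
        t = rng.uniform(0.0, 5.0)
        for _ in range(rng.randint(8, 20)):
            t += rng.uniform(0.05, 0.4)
            pkts.append((t, src, "10.0.9.1", "TCP", ttl, rng.randint(60, 1500), 0))
    # 200 spoofed sources: one or two tiny packets each, all inside a one-second burst.
    for _ in range(200):
        src = ".".join(str(rng.randint(1, 254)) for _ in range(4))
        t = rng.uniform(2.0, 3.0)
        for _ in range(rng.randint(1, 2)):
            pkts.append((t + rng.uniform(0.0, 0.01), src, "10.0.9.1", "TCP",
                         rng.randint(30, 255), 60, 1))
    return pkts


def features_from_stats(n_pkts, duration, ttl_spread, mean_len):
    """Per-flow vector [log pktperflow, log pktrate, ttl spread, mean len/1500]."""
    duration = max(duration, 0.01)  # floor so a one-packet flow gets a finite rate
    return [math.log1p(n_pkts), math.log1p(n_pkts / duration),
            float(ttl_spread), mean_len / 1500.0]


def extract_flow_features(packets):
    """Group packets into (src, dst, proto) flows -> list of (features, label)."""
    flows = defaultdict(list)
    for ts, src, dst, proto, ttl, length, label in packets:
        flows[(src, dst, proto)].append((ts, ttl, length, label))
    rows = []
    for recs in flows.values():
        times, ttls, lens = [r[0] for r in recs], [r[1] for r in recs], [r[2] for r in recs]
        feats = features_from_stats(len(recs), max(times) - min(times),
                                    max(ttls) - min(ttls), sum(lens) / len(lens))
        rows.append((feats, max(r[3] for r in recs)))
    return rows


def fit_scaler(X):
    """Z-score parameters (mean, std per column); a zero std is replaced by 1."""
    d = len(X[0])
    means = [sum(x[j] for x in X) / len(X) for j in range(d)]
    stds = [math.sqrt(sum((x[j] - means[j]) ** 2 for x in X) / len(X)) or 1.0
            for j in range(d)]
    return means, stds


def scale(x, scaler):
    means, stds = scaler
    return [(x[j] - means[j]) / stds[j] for j in range(len(x))]


def sigmoid(z):
    # Stable in both tails: never evaluates exp() of a large positive number.
    return 1.0 / (1.0 + math.exp(-z)) if z >= 0 else math.exp(z) / (1.0 + math.exp(z))


def train_logreg(X, y, lr=0.1, epochs=500):
    """Batch gradient descent on the logistic (cross-entropy) loss."""
    n, d = len(X), len(X[0])
    w, b = [0.0] * d, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * d, 0.0
        for x, t in zip(X, y):
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - t
            for j in range(d):
                gw[j] += err * x[j]
            gb += err
        w = [wj - lr * gj / n for wj, gj in zip(w, gw)]
        b -= lr * gb / n
    return w, b


def predict_proba(model, x):
    w, b = model
    return sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)


def classify_flow(model, scaler, feats, threshold=0.5):
    """1 = flagged as spoofed, 0 = legitimate, for a raw (unscaled) feature vector."""
    return 1 if predict_proba(model, scale(feats, scaler)) >= threshold else 0


def build_detector(seed=0):
    """Extract features, fit scaler and model; return (model, scaler, train accuracy)."""
    rows = extract_flow_features(make_packets(seed))
    X_raw, y = [r[0] for r in rows], [r[1] for r in rows]
    scaler = fit_scaler(X_raw)
    model = train_logreg([scale(x, scaler) for x in X_raw], y)
    correct = sum(classify_flow(model, scaler, x) == t for x, t in zip(X_raw, y))
    return model, scaler, correct / len(y)


if __name__ == "__main__":
    model, scaler, acc = build_detector()
    print(f"training accuracy: {acc:.3f}")
    print("15 pkts over 4 s, stable TTL ->", classify_flow(model, scaler, features_from_stats(15, 4.0, 0, 500)))
    print("1 pkt of 60 bytes            ->", classify_flow(model, scaler, features_from_stats(1, 0.0, 0, 60)))
```

The scaler is fitted on the training flows and reused at classification time; fitting it on a different capture would silently shift every decision. The training accuracy reported here is on the same constructed data the model saw, so it is an upper bound; the report's own 25% held-out split is the number that matters in practice.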
ML CODE USING LOGISTIC REGRESSION ALGORITHM:
MODEL PERFORMANCE EVALUATION:
• When evaluating the performance of a logistic regression model for
IP spoofing detection, several metrics can be used to assess its
effectiveness. Here are some common evaluation metrics for binary
classification problems:
• Accuracy: It measures the overall correctness of the model's
predictions and is calculated as the ratio of correct predictions to the
total number of predictions. However, accuracy alone may not
provide a complete picture, especially if the classes are imbalanced.
• Precision: Precision represents the proportion of true positive
predictions out of all positive predictions (both true positives and
false positives). It measures the model's ability to correctly identify
IP spoofing instances while minimizing false positives.
• Recall (sensitivity or true positive rate): Recall calculates the
proportion of true positive predictions out of all actual positive
instances. It quantifies the model's ability to identify IP spoofing
cases and is particularly useful when the focus is on minimizing
false negatives.
• F1-score: The F1-score is the harmonic mean of precision and recall.
It provides a balanced measure of the model's performance,
considering both false positives and false negatives. It is especially
useful when the classes are imbalanced.
• Receiver Operating Characteristic (ROC) curve: The ROC curve
plots the true positive rate (sensitivity) against the false positive rate
(1 - specificity) at various classification thresholds. It provides
insights into the trade-off between sensitivity and specificity and
allows for the selection of an appropriate threshold based on the
desired balance.
• Area Under the ROC Curve (AUC-ROC): AUC-ROC represents the
overall performance of the model across various classification
thresholds. It provides a single metric to evaluate the model's
discrimination ability. Higher AUC-ROC values indicate
better performance.
• When evaluating the logistic regression model for IP spoofing
detection, it's recommended to consider multiple metrics to gain a
comprehensive understanding of its performance. The choice of
evaluation metrics should be based on the specific goals and
requirements of the application.
• An accuracy of 70.16% is achieved on test data comprising 25% of
the dataset. The accuracy can be further increased by the following:
  • Using a larger number of training examples.
  • Using more complex algorithms such as decision trees, random
forests, XGBoost, etc.
  • Feature engineering, so that important features such as src, dst,
Protocol, pktrate and pktperflow carry more weight.
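The metrics listed above computed from scratch, as an added example rather than code from the report: a confusion matrix at a chosen threshold gives accuracy, precision, recall and F1, and sweeping the threshold over the model's scores gives the ROC points and the trapezoidal AUC. The labels and scores in the block are constructed to make the arithmetic checkable by hand; they are not the report's results.

```python
"""Binary-classification metrics for a spoof detector, in pure Python.

Added example: y_true / y_score below are constructed, not taken from the report.
Class 1 = spoofed flow, class 0 = legitimate.
"""


def confusion(y_true, y_score, threshold=0.5):
    """Counts (tp, fp, tn, fn) after thresholding the model's scores."""
    tp = fp = tn = fn = 0
    for t, s in zip(y_true, y_score):
        pred = 1 if s >= threshold else 0
        if pred == 1 and t == 1:
            tp += 1
        elif pred == 1:
            fp += 1
        elif t == 1:
            fn += 1
        else:
            tn += 1
    return tp, fp, tn, fn


def accuracy(tp, fp, tn, fn):
    return (tp + tn) / (tp + fp + tn + fn)


def precision(tp, fp, tn, fn):
    return tp / (tp + fp) if tp + fp else 0.0  # no positive predictions: defined as 0


def recall(tp, fp, tn, fn):
    return tp / (tp + fn) if tp + fn else 0.0  # no positives in the data: defined as 0


def f1(tp, fp, tn, fn):
    p, r = precision(tp, fp, tn, fn), recall(tp, fp, tn, fn)
    return 2 * p * r / (p + r) if p + r else 0.0


def roc_curve(y_true, y_score):
    """(fpr, tpr) points as the threshold sweeps from above the top score downwards.

    Samples that share a score are flipped to 'positive' together, so tied
    scores produce one diagonal segment instead of an arbitrary staircase.
    """
    pos = sum(1 for t in y_true if t == 1)
    neg = len(y_true) - pos
    order = sorted(range(len(y_true)), key=lambda i: -y_score[i])
    points = [(0.0, 0.0)]
    tp = fp = 0
    i = 0
    while i < len(order):
        s = y_score[order[i]]
        while i < len(order) and y_score[order[i]] == s:
            if y_true[order[i]] == 1:
                tp += 1
            else:
                fp += 1
            i += 1
        points.append((fp / neg if neg else 0.0, tp / pos if pos else 0.0))
    return points


def auc(points):
    """Trapezoidal area under (fpr, tpr) points ordered by increasing fpr."""
    area = 0.0
    for (x0, y0), (x1, y1) in zip(points, points[1:]):
        area += (x1 - x0) * (y0 + y1) / 2.0
    return area


def evaluate(y_true, y_score, threshold=0.5):
    """All the metrics the report lists, in one dict."""
    cm = confusion(y_true, y_score, threshold)
    pts = roc_curve(y_true, y_score)
    return {
        "accuracy": accuracy(*cm), "precision": precision(*cm),
        "recall": recall(*cm), "f1": f1(*cm),
        "roc_points": pts, "auc_roc": auc(pts),
    }


if __name__ == "__main__":
    # Constructed labels and model probabilities: two spoofed flows, two legitimate.
    y_true = [1, 1, 0, 0]
    y_score = [0.9, 0.4, 0.6, 0.1]
    for name, value in evaluate(y_true, y_score).items():
        print(f"{name:>10}: {value}")
    print("recall at threshold 0.3:", evaluate(y_true, y_score, 0.3)["recall"])
```

With the constructed scores, the default 0.5 threshold yields accuracy, precision, recall and F1 of 0.5 while AUC-ROC is 0.75: the ranking is better than the fixed cut-off suggests. Lowering the threshold to 0.3 raises recall to 1.0 at the cost of one more false positive, which is exactly the trade-off the ROC curve is meant to expose when choosing an operating point for a spoofing detector.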
CONCLUSION:
In this project, we explored the detection of IP spoofing using Scapy,
a powerful Python library for network packet manipulation, along with
machine learning techniques, specifically logistic regression. We began by
discussing IP spoofing, which involves falsifying the source IP address in
network packets to deceive or hide the identity of the sender. This
malicious activity poses a significant security threat to networks and can
lead to various attacks, such as denial of service (DoS) and man-in-the-
middle (MitM) attacks. To detect IP spoofing, we utilized Scapy to capture
and analyze network traffic data. Scapy allowed us to inspect packet
headers, extract relevant information, and identify patterns or anomalies
associated with spoofed IP addresses. Furthermore, we employed machine
learning, specifically logistic regression, to develop a detection model.
Logistic regression is a widely used classification algorithm that can
handle binary classification problems effectively. By training the model
on labeled data consisting of legitimate and spoofed IP addresses, we
leveraged the power of machine learning to learn patterns and
characteristics associated with IP spoofing.
Evaluation of the logistic regression model was performed using various
metrics, including accuracy, precision, recall, F1-score, ROC curve, and
AUC-ROC. These metrics provided a comprehensive assessment of the
model's performance in terms of its ability to correctly classify IP traffic
as legitimate or spoofed. The results of our evaluation demonstrated that
the logistic regression model achieved promising performance in detecting
IP spoofing. The accuracy, precision, recall, and F1-score of the model
were found to be satisfactory, indicating its effectiveness in identifying
spoofed IP addresses while minimizing false positives and false negatives.
Additionally, the ROC curve analysis and AUC-ROC score confirmed the
model's discrimination ability across different classification thresholds,
further validating its performance. Overall, the combination of Scapy for
network traffic analysis and logistic regression for machine learning-based
detection proved to be a promising approach for IP spoofing detection.
This method can enhance network security by providing real-time
identification of potential spoofed IP addresses and assisting in mitigating
the associated risks. It is important to note that IP spoofing techniques can
evolve, and attackers may attempt to bypass detection mechanisms.
Therefore, continuous monitoring, updating the detection model with new
data, and incorporating additional security measures are recommended to
maintain effective IP spoofing detection in the face of evolving threats.
