How Spoofing Attacks Work: IP, Email, and DNS Spoofing Explained
A comprehensive encyclopedic guide to spoofing attacks — how attackers forge IP addresses, email headers, and DNS responses to deceive systems and users, and the defenses that counteract each type.
What Is Spoofing in Cybersecurity?
In cybersecurity, spoofing refers to the act of falsifying identifying information to disguise the true origin of communications, impersonate a trusted entity, or manipulate routing decisions. A spoofer forges data that systems and users rely on to make trust decisions — making a malicious packet appear to come from a trusted server, making a phishing email appear to come from a legitimate sender, or making a malicious DNS response appear to be authentic. Spoofing attacks exploit the fundamental trust assumptions built into foundational internet protocols designed in an era when security was a secondary concern.
Spoofing is not a single attack but a class of deception techniques that underpin many other attack types: denial of service amplification attacks rely on IP spoofing; phishing campaigns rely on email spoofing; man-in-the-middle attacks rely on ARP or DNS spoofing. The Federal Trade Commission (FTC) received over 72,000 reports of impersonation fraud in 2022, with spoofed phone calls and emails among the primary methods.
Types of Spoofing Attacks
IP Spoofing
IP spoofing involves crafting packets with a forged source IP address. The IPv4 protocol has no built-in mechanism to verify that the source address in a packet header matches the actual originating host. Attackers use raw socket programming libraries to craft packets with any desired source IP.
IP spoofing serves several attack purposes:
- DDoS amplification attacks: The attacker sends requests to amplifier services (DNS resolvers, NTP servers, memcached servers) with the victim's IP address spoofed as the source. The amplifier sends its (often much larger) response to the victim. DNS amplification can achieve a 70× amplification factor; memcached amplification reached factors above 51,000× in the February 2018 GitHub DDoS (1.3 Tbps), the largest recorded DDoS attack at that time.
- Blind spoofing: Forging the source IP of TCP packets to bypass IP-based access controls (e.g., firewall rules allowing specific source IPs); the attacker cannot receive the replies but can still send crafted requests.
- SYN flood amplification: Sending TCP SYN packets with spoofed source IPs exhausts server connection resources without completing the three-way handshake.
Email Spoofing
Email spoofing forges the header fields of email messages to make them appear to originate from a trusted sender. The Simple Mail Transfer Protocol (SMTP) was designed without authentication — any mail server can claim to be sending on behalf of any domain. Key header fields that can be forged include From:, Reply-To:, and display names.
| Authentication Technology | What It Does | Limitation |
|---|---|---|
| SPF (Sender Policy Framework) | DNS TXT record listing authorized IP addresses/servers allowed to send email for a domain; receiving servers check if sending IP is authorized | Only validates envelope sender (MAIL FROM), not the header From: field visible to users; forwarding breaks SPF |
| DKIM (DomainKeys Identified Mail) | Sending server cryptographically signs email with a private key; receiving server retrieves public key from DNS to verify signature; ensures message integrity and origin | Does not prevent phishing from lookalike domains; key must be securely managed |
| DMARC (Domain-based Message Authentication, Reporting & Conformance) | Policy layer atop SPF/DKIM; specifies what to do when checks fail (none/quarantine/reject); requires alignment between header From domain and SPF/DKIM domain; enables reporting | Only effective if policy is set to quarantine/reject; only ~50% of high-value domains use DMARC enforcement as of 2023 |
DNS Spoofing (DNS Cache Poisoning)
DNS spoofing poisons a DNS resolver's cache with forged resource records, causing the resolver to return incorrect IP addresses for domain name queries. This redirects victims to attacker-controlled servers hosting phishing sites, malware, or performing MITM interception — all without any indication to the victim beyond a potential certificate warning.
The classic DNS cache poisoning attack exploits the fact that DNS uses 16-bit transaction IDs. In the Kaminsky Attack (2008), security researcher Dan Kaminsky demonstrated that an attacker could flood a DNS resolver with forged responses using birthday-attack probability (racing to get a forged response accepted before the legitimate response arrives). Because DNS uses small transaction IDs and does not randomize source ports by default, forged responses could be accepted. The vulnerability was patched by implementing source port randomization (increasing guessing space from 2^16 to 2^32), and later by DNSSEC, which cryptographically signs DNS records.
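The reason source port randomization worked is visible from the resolver's side: a forged response is only accepted if it matches a query still in flight on every field the resolver checks. The added example below (not code from the original article) models that bookkeeping and computes how the 2^16 versus 2^32 guessing space the text mentions changes the odds that a burst of forged responses is accepted. It is a simplified model: the randomized port range and the probability formula (independent uniform guesses) are assumptions for illustration, and no network traffic is involved.

```python
"""Resolver-side response validation and guessing-space arithmetic
(added illustration; simplified model, no real DNS traffic)."""
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Query:
    txid: int       # 16-bit DNS transaction ID
    src_port: int   # UDP source port the query was sent from
    qname: str
    qtype: str


class OutstandingQueries:
    """Tracks in-flight queries the way a validating resolver must: a response
    is accepted only if its transaction ID, destination port and question
    section all match a pending query, and each query is answered once."""

    def __init__(self, randomize_ports: bool):
        self.randomize_ports = randomize_ports
        self.pending: Dict[Tuple[int, int], Query] = {}

    def send(self, qname: str, qtype: str = "A") -> Query:
        txid = secrets.randbelow(1 << 16)
        # Assumed ephemeral range 1024-65535 when randomizing; a fixed port
        # (here 53) models the pre-2008 behaviour the text describes.
        port = 1024 + secrets.randbelow(65536 - 1024) if self.randomize_ports else 53
        q = Query(txid, port, qname, qtype)
        self.pending[(txid, port)] = q
        return q

    def accept(self, txid: int, dst_port: int, qname: str, qtype: str) -> bool:
        q = self.pending.get((txid, dst_port))
        if q is None or (q.qname, q.qtype) != (qname, qtype):
            return False          # no matching in-flight query: discard
        del self.pending[(txid, dst_port)]
        return True


def guessing_space_bits(randomize_ports: bool) -> int:
    """Bits an off-path party must guess: txid only, or txid plus port."""
    return 32 if randomize_ports else 16


def acceptance_probability(forged_responses: int, space_bits: int) -> float:
    """P(at least one of N independent uniform guesses matches one pending
    query) = 1 - (1 - 1/S)^N, with S = 2^space_bits."""
    return 1.0 - (1.0 - 2.0 ** -space_bits) ** forged_responses


if __name__ == "__main__":
    burst = 1 << 16
    for randomize in (False, True):
        bits = guessing_space_bits(randomize)
        print(f"port randomization={randomize!s:5s} space=2^{bits:<2d} "
              f"P(accept | {burst} forged)={acceptance_probability(burst, bits):.6f}")
    rq = OutstandingQueries(randomize_ports=True)
    q = rq.send("example.com")
    print("wrong txid accepted:", rq.accept((q.txid + 1) % 65536, q.src_port, "example.com", "A"))
    print("matching response accepted:", rq.accept(q.txid, q.src_port, "example.com", "A"))
```

With only the transaction ID to guess, a burst of 2^16 forged responses is accepted with probability near 1 - 1/e (about 63%); with the port randomized as well the same burst succeeds with probability on the order of 10^-5, which is why the fix bought time until DNSSEC could remove the guessing game altogether.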
ARP Spoofing
Address Resolution Protocol (ARP) maps IP addresses to MAC addresses on local networks. ARP has no authentication — any device can send unsolicited ARP replies claiming to be the owner of any IP address. Attackers exploit this to perform ARP cache poisoning: sending gratuitous ARP responses to hosts on the network claiming the attacker's MAC address corresponds to the gateway's IP address. Traffic intended for the gateway is redirected through the attacker's machine, enabling MITM interception of all local network traffic.
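Because ARP carries no authentication, the practical defence on an unmanaged segment is to watch for the two symptoms of cache poisoning: an IP address that suddenly maps to a different MAC, and a single MAC that claims more than one IP (the gateway's in addition to its own). The added example below (not code from the original article) runs that detection logic over a constructed list of observed ARP replies; the event tuples and addresses are made up for illustration, and a real deployment would feed it from a packet capture.

```python
"""ARP cache-poisoning detection over observed ARP replies
(added illustration; sample events are constructed)."""
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed observations: (timestamp, sender_ip, sender_mac, is_reply).
# 192.168.1.1 is the gateway; de:ad:be:ef:00:99 is an ordinary host that
# later starts answering for the gateway's address.
ARP_EVENTS = [
    (0.5, "192.168.1.66", "de:ad:be:ef:00:99", True),
    (1.0, "192.168.1.1", "aa:bb:cc:00:00:01", True),
    (2.0, "192.168.1.20", "aa:bb:cc:00:00:20", True),
    (3.0, "192.168.1.1", "aa:bb:cc:00:00:01", True),
    (4.5, "192.168.1.1", "de:ad:be:ef:00:99", True),   # gateway IP with a new MAC
    (4.6, "192.168.1.1", "de:ad:be:ef:00:99", True),   # repeated, reported once
]


def detect_arp_spoofing(events, static_bindings: Optional[Dict[str, str]] = None) -> List[dict]:
    """Return alerts for IP->MAC changes and for MACs claiming several IPs.
    `static_bindings` seeds the table with trusted entries (e.g. the gateway),
    mirroring the 'static ARP entries for critical hosts' defence."""
    ip_to_mac: Dict[str, str] = dict(static_bindings or {})
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    alerts: List[dict] = []
    reported = set()   # de-duplicate: one alert per (ip, mac) or per mac

    for ts, ip, mac, is_reply in events:
        if not is_reply:
            continue               # only replies populate caches
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac    # first sighting: learn it (never overwritten later)
        elif known != mac and ("changed", ip, mac) not in reported:
            reported.add(("changed", ip, mac))
            alerts.append({"kind": "ip_mac_changed", "time": ts, "ip": ip,
                           "expected": known, "seen": mac})
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1 and ("multi", mac) not in reported:
            reported.add(("multi", mac))
            alerts.append({"kind": "mac_claims_multiple_ips", "time": ts,
                           "mac": mac, "ips": sorted(mac_to_ips[mac])})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_EVENTS, static_bindings={"192.168.1.1": "aa:bb:cc:00:00:01"}):
        print(alert)
```

Seeding the table with a static binding for the gateway means the first forged reply is flagged even if the monitor started after the poisoning began; without the seed, the detector trusts whatever it saw first.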
Caller ID Spoofing
Caller ID spoofing uses VoIP services to transmit any desired calling number, enabling scammers to impersonate banks, government agencies (IRS, Social Security Administration), or local numbers ("neighborhood spoofing") to increase answer rates. The STIR/SHAKEN (Secure Telephone Identity Revisited / Signature-based Handling of Asserted Information using toKENs) framework, mandated by the FCC for US voice carriers since 2021, provides cryptographic attestation of caller ID by the originating carrier, allowing downstream carriers to display attestation levels.
Defenses Against Spoofing
| Attack Type | Primary Defense | Additional Measures |
|---|---|---|
| IP spoofing | BCP38 ingress filtering (network operators drop packets with source IPs not within their address space) — RFC 2827 | Unipath routing; rate limiting; DDoS scrubbing services |
| Email spoofing | Enforce DMARC policy (p=reject) with supporting SPF and DKIM records on all sending domains | User training on identifying phishing; email security gateways; lookalike domain monitoring |
| DNS spoofing | DNSSEC (cryptographic signing of DNS zones) and DNS resolver DNSSEC validation | DNS over HTTPS (DoH); monitor for unexpected DNS changes |
| ARP spoofing | Dynamic ARP Inspection (DAI) on managed switches; private VLANs | 802.1X port-based access control; static ARP entries for critical hosts; VPN encryption |
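The IP-spoofing entry above (BCP38 / RFC 2827 ingress filtering) is the defence for the amplification and SYN-flood uses of forged source addresses described earlier: an operator drops, at the customer-facing edge, any packet whose source address is not one the customer was assigned. The added example below (not code from the original article or any vendor's filter) applies that rule to a constructed set of packet records and tags why each drop happened, so that spoofed traffic aimed at known amplifier ports can be reported. The interface-to-prefix map, the bogon list, the amplifier port table and the packets are all constructed for illustration.

```python
"""BCP38-style ingress filtering over constructed packet records
(added illustration; addresses come from RFC 5737 documentation ranges)."""
import ipaddress
from typing import Dict, List

# Constructed: which source prefixes are legitimate on each customer-facing interface.
INTERFACE_PREFIXES = {
    "cust0": [ipaddress.ip_network("203.0.113.0/24")],
    "cust1": [ipaddress.ip_network("198.51.100.0/25")],
}

# Partial bogon list (assumption for the example): sources that must never
# appear on an edge interface regardless of assignment.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]

# UDP services commonly abused as amplifiers, as named in the text above.
AMPLIFIER_PORTS = {53: "dns", 123: "ntp", 11211: "memcached"}

# Constructed packet records: (ingress_iface, src, dst, proto, dst_port).
PACKETS = [
    ("cust0", "203.0.113.17", "192.0.2.53", "udp", 53),      # legitimate DNS query
    ("cust1", "198.51.100.9", "192.0.2.80", "tcp", 443),     # legitimate HTTPS
    ("cust0", "192.0.2.7", "192.0.2.53", "udp", 53),         # someone else's address as source
    ("cust0", "10.0.0.5", "192.0.2.80", "tcp", 80),          # private (bogon) source
    ("cust1", "198.51.100.200", "192.0.2.1", "tcp", 22),     # outside the /25 assignment
]


def ingress_filter(packets, iface_prefixes: Dict[str, list]) -> List[dict]:
    """Forward a packet only if its source lies in the prefixes assigned to the
    interface it arrived on; otherwise drop it and record the reason."""
    results = []
    for iface, src, dst, proto, dport in packets:
        src_ip = ipaddress.ip_address(src)
        permitted = any(src_ip in net for net in iface_prefixes.get(iface, []))
        reason = None
        if not permitted:
            if any(src_ip in net for net in BOGONS):
                reason = "bogon_source"
            elif proto == "udp" and dport in AMPLIFIER_PORTS:
                reason = f"spoofed_source_to_{AMPLIFIER_PORTS[dport]}_amplifier"
            else:
                reason = "source_not_in_interface_prefixes"
        results.append({"iface": iface, "src": src, "dst": dst,
                        "verdict": "forward" if permitted else "drop", "reason": reason})
    return results


def summarize(results: List[dict]) -> Dict[str, int]:
    """Count outcomes by reason; 'forward' collects the permitted packets."""
    counts: Dict[str, int] = {}
    for r in results:
        key = r["reason"] or "forward"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    verdicts = ingress_filter(PACKETS, INTERFACE_PREFIXES)
    for v in verdicts:
        print(f"{v['iface']} {v['src']:>16} -> {v['dst']:<12} {v['verdict']:7s} {v['reason'] or ''}")
    print(summarize(verdicts))
```

The third packet is the amplification pattern from the IP-spoofing section: a request to a DNS service with a victim's address as the source. Filtering it at the edge protects a victim elsewhere on the internet, which is why BCP38 only works when deployed broadly by operators rather than by the eventual target.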
The prevalence of spoofing attacks reflects the mismatch between the internet's original design — an academic network built on trust — and its current deployment as critical infrastructure for global commerce, communications, and security. Retrofitting authentication onto foundational protocols is an ongoing process that, decades later, remains incomplete.