Spoof IP address after a TCP handshake

Is it possible to spoof the IP once a TCP handshake was performed successfully?

No.

A TCP session is defined by four items:

  • Source IP address
  • Source IP port
  • Destination IP address
  • Destination port

This comes from RFC 793:

To provide for unique addresses within each TCP, we concatenate an internet address identifying the TCP with a port identifier to create a socket which will be unique throughout all networks connected together.

A connection is fully specified by the pair of sockets at the ends.

If you were to:

2) Use the session (with a different IP) and send a request

When you change any one of those four parameters, like the source IP, the new packet is no longer a part of that TCP session, and will not be "delivered" because it does not match the session definition. Instead, it'll be an out-of-state packet, and dropped or rejected.
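As an added illustration of the 4-tuple rule above (example code, not from the original answer): a minimal stateful connection tracker, in the spirit of a firewall's state table, that keys sessions on the source/destination address and port pairs and flags a segment that keeps both ports but changes the source IP as out of state. The addresses, ports, flag names and state names are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """One TCP segment, reduced to the fields a session lookup needs."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str  # constructed flag names: "SYN", "SYN-ACK", "ACK", "PSH-ACK"

def forward(p):
    return (p.src_ip, p.src_port, p.dst_ip, p.dst_port)

def reverse(p):
    return (p.dst_ip, p.dst_port, p.src_ip, p.src_port)

class ConnTracker:
    """Session table keyed on the 4-tuple as seen from the initiator."""
    def __init__(self):
        self.sessions = {}
    def handle(self, p):
        fwd, rev = forward(p), reverse(p)
        if p.flags == "SYN" and fwd not in self.sessions:
            self.sessions[fwd] = "SYN_SENT"
            return "NEW"
        if p.flags == "SYN-ACK" and self.sessions.get(rev) == "SYN_SENT":
            self.sessions[rev] = "SYN_RECEIVED"
            return "HANDSHAKE"
        if p.flags == "ACK" and self.sessions.get(fwd) == "SYN_RECEIVED":
            self.sessions[fwd] = "ESTABLISHED"
            return "ESTABLISHED"
        if "ESTABLISHED" in (self.sessions.get(fwd), self.sessions.get(rev)):
            return "IN_SESSION"
        # No session has exactly this 4-tuple: out of state, so a real stack
        # or stateful firewall drops the segment or answers it with a RST.
        return "OUT_OF_STATE"

def run_scenario():
    """Constructed traffic: handshake 10.0.0.5:40000 -> 192.0.2.10:80, one
    data segment, then a segment keeping both ports but with source 10.0.0.99."""
    t = ConnTracker()
    c, s = ("10.0.0.5", 40000), ("192.0.2.10", 80)
    return [
        t.handle(Packet(*c, *s, "SYN")),
        t.handle(Packet(*s, *c, "SYN-ACK")),
        t.handle(Packet(*c, *s, "ACK")),
        t.handle(Packet(*c, *s, "PSH-ACK")),
        t.handle(Packet("10.0.0.99", 40000, *s, "PSH-ACK")),  # spoofed source
    ]
```

The last verdict is the point of the answer: the spoofed segment matches no entry, so it is out of state even though ports, destination and flags are all plausible.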


As explained in gowenfawr's answer, you cannot change the IP of a TCP session. However, there are some options to have a TCP connection while spoofing the source IP.

All that IP spoofing does is change the source IP address of the packet you send. This is done at the routing (IP) layer of the network stack. The server will treat this spoofed packet as it would any packet, be it a packet of the handshake or a packet thereafter. It will reply to the source IP address, which, when you spoofed it, is likely not "owned" by you, and thus you will not receive the response.

So how could you still receive a packet that is not addressed to you? A few options come to mind:

  • You are on an unprotected (or breached) wireless network and the addressee is located on this network as well. The addressee will ignore the packet, but if you are listening to all packets on the network you will see the packet and thus be able to reply appropriately or use the information in the reply.

  • You have access to the addressee's machine; in this case you might as well send the packet from there instead of spoofing it.

  • You have access to some router along the path the packet will take; this would allow you to make the router send a duplicate to you. But it is not trivial to know which way a packet will travel.

Though theoretically possible, changing the routing of the packet itself to make it be sent to you is unfeasible in my opinion.

So the short answer is: you will never be able to receive the reply to an IP-spoofed packet without some extra measures.