How IP addresses are spoofed
IP spoofing works by altering the source IP address in the header of an IP packet. This is done by using a packet-crafting tool to create a custom IP packet with a spoofed source IP address. Once the packet is sent, it appears as if it came from the spoofed IP address, allowing the attacker to attack services without much chance of identification.
This is possible because many networks do not verify the source address of outgoing traffic (filtering when implemented is known as "RPF" or Reverse Path Filtering). Because there are many (most) networks that do not implement this filtering is possible for spoofed traffic to arrive at yours/ours.
Can spoofed traffic be identified
There is no direct marker that can be used to identify spoofed traffic. However, there are some methods that can be used to identify spoofed traffic. We identify attacks that are spoofed in nature.
Amplified / Reflected attacks
Spoofing is a typical requirement to launch amplification or reflection attacks. The attacker sends a spoofed packet to a target, which then sends a response to the spoofed IP address. The attacker can then use the response to launch a DDoS attack.
An attack is reflected when a third parties reply is used to saturate the target. The third party replies becuase it beleives it has received a packet from the target. An attack is reflected when that reply is larger than the packet that was used to generate it. Insecure services responding with large responses to small queries can quickly generate many Tbps of traffic that can be serious enough to take offline transit providers.
Common examples of protocols used reflected attacks are: - TCP - DNS (Amplified) - NTP (Amplified) - SNMP (Amplified) - SSDP (Amplified) - Chargen (Amplified)
One side effect of reflection is that the third party is also under attack. They may contact the target network thinking they are under attack to attempt to bring and end to the traffic. Or otherwise take action themselves against the target network.
Mitigation limits for common amplification attacks are handled a bit differently. To keep services online we have configured most of our transits and peers to ratelimit certain common attacks based off the UDP port number. This allows you to receive many Tbps of amplified traffic at no additional cost.