DEV Community

Artur
ICMP Spoofing with Scapy: Responding to Pings as a Fake IP

Spoofing is a commonly used technique in cyberattacks, especially in scenarios like email spoofing, SMS spoofing, and ARP poisoning. In this article, I’ll share a small lab I built using Scapy to explore spoofing at a lower level: the network layer, using ICMP packets.

The core idea is simple:
When a host sends a ping to a nonexistent IP address, the script intercepts the ICMP Echo Request and replies as if it were the intended destination.

Core Concepts

Before diving into the code, let’s briefly go over the key concepts used in this project:

ARP Spoofing

  • This technique involves tricking a host’s ARP table by claiming that a specific IP is associated with the attacker’s MAC address. As a result, all traffic to that IP gets redirected to the attacker.

ICMP Spoofing

  • Once ARP poisoning is successful, ICMP packets (ping requests) will reach the attacker. The attacker can then respond with spoofed ICMP Echo Replies, pretending to be the targeted IP.

You can find the full source code on GitHub: ICMP-Spoof

Interesting Details

Using icmp[icmptype]=8 as a BPF Filter

This BPF filter captures only ICMP Echo Requests (ping). It avoids processing unrelated ICMP messages, like Echo Replies or Destination Unreachables.

Alternative filters include:

  • icmp — all ICMP packets
  • icmp[icmptype]=0 — only Echo Replies
  • icmp[icmptype]=8 — only Echo Requests

Using the ARP Destination IP as ICMP Source

Our attacker doesn’t know in advance which IP will be pinged. Instead, the script listens for ARP requests and captures the IP the victim is trying to reach:

ip_src = pkt[ARP].pdst  # target IP of the victim's ARP request; psrc would be the victim's own IP

Then it sends an ARP reply claiming to own that IP and saves it. When the ICMP Echo Request arrives, the script responds using that IP as the source.

This dynamic behavior makes the tool useful for demonstrating spoofing against arbitrary targets.
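One way a defender can spot this behaviour in a capture, as an added example that is not part of the article or the linked ICMP-Spoof repository: the script's tell is a single MAC that answers ARP for whatever IP the victim asks about, so the analyser below groups ARP replies by sender MAC and flags Echo Replies (the icmp[icmptype]=0 traffic) sent from a MAC that has claimed more than one IP. The frames, addresses, MACs and field names are constructed sample data, not captures from the author's lab.

```python
from collections import defaultdict

# Constructed sample of frames a passive sniffer on the victim's segment
# might record during the lab in the text (made-up values, not a real capture).
# Field names mirror Scapy's ARP layer (psrc/pdst/hwsrc) for readability.
CAPTURE = [
    {"proto": "arp", "op": "request", "psrc": "10.9.0.1", "pdst": "10.9.0.99", "hwsrc": "08:00:27:11:11:11"},
    {"proto": "arp", "op": "reply", "psrc": "10.9.0.99", "pdst": "10.9.0.1", "hwsrc": "08:00:27:aa:bb:cc"},
    {"proto": "icmp", "type": 0, "src": "10.9.0.99", "dst": "10.9.0.1", "hwsrc": "08:00:27:aa:bb:cc"},
    {"proto": "arp", "op": "request", "psrc": "10.9.0.1", "pdst": "10.9.0.77", "hwsrc": "08:00:27:11:11:11"},
    {"proto": "arp", "op": "reply", "psrc": "10.9.0.77", "pdst": "10.9.0.1", "hwsrc": "08:00:27:aa:bb:cc"},
    {"proto": "icmp", "type": 0, "src": "10.9.0.77", "dst": "10.9.0.1", "hwsrc": "08:00:27:aa:bb:cc"},
    # A legitimate host answering for its own single IP, for contrast.
    {"proto": "arp", "op": "reply", "psrc": "10.9.0.2", "pdst": "10.9.0.1", "hwsrc": "08:00:27:22:22:22"},
    {"proto": "icmp", "type": 0, "src": "10.9.0.2", "dst": "10.9.0.1", "hwsrc": "08:00:27:22:22:22"},
]


def analyze(frames):
    """Offline, two-pass analysis of a capture.

    Returns (suspicious, flagged):
      suspicious: MAC -> sorted IPs it claimed in ARP replies, only for MACs
                  that claimed more than one IP (the spoofing script's tell).
      flagged:    (src_ip, src_mac) of ICMP Echo Replies sent by such a MAC.
    """
    claims = defaultdict(set)  # sender MAC -> set of IPs it answered ARP for
    for f in frames:
        if f["proto"] == "arp" and f["op"] == "reply":
            claims[f["hwsrc"]].add(f["psrc"])
    suspicious = {mac: sorted(ips) for mac, ips in claims.items() if len(ips) > 1}

    # ICMP is stateless: the victim accepts any Echo Reply with the right source IP,
    # so correlate replies with the link-layer sender rather than trusting the IP.
    flagged = [
        (f["src"], f["hwsrc"])
        for f in frames
        if f["proto"] == "icmp" and f["type"] == 0 and f["hwsrc"] in suspicious
    ]
    return suspicious, flagged


if __name__ == "__main__":
    suspicious_macs, spoofed_replies = analyze(CAPTURE)
    for mac, ips in suspicious_macs.items():
        print(f"{mac} answered ARP for {len(ips)} IPs: {', '.join(ips)}")
    for ip, mac in spoofed_replies:
        print(f"possible spoofed Echo Reply from {ip} via {mac}")
```

A gateway doing proxy ARP or a host with several addresses on one interface will also claim multiple IPs, so treat a hit as a lead to check against the expected address plan rather than as proof.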

Setting Up the Lab

To test this safely, use two virtual machines connected via an internal or bridged network in VirtualBox, VMware, or a similar hypervisor.

Example setup:
Create an attacker machine with an IP such as 10.9.0.10 that runs the script, and a victim machine with IP 10.9.0.1 that runs ping 10.9.0.99.

This IP does not exist, but the script will respond as if it does.

What I Learned

Although this lab is simple, it reveals several fundamental insights about how real-world networks behave:

  • A hands-on understanding of low-level packet structures and protocols
  • How ARP caches can be manipulated through spoofed replies
  • The stateless nature of ICMP and its trust in source IPs
  • How systems and routers react to unexpected traffic, including ICMP Redirects and Host Unreachables
