Xpoofer — Global IP Spoofing Measurement
A large-scale, active, remote measurement study that maps IP source address spoofing across the Internet at unprecedented scale. We scanned the entire active IPv4 space and found 5,662 unique autonomous systems capable of launching spoofed-source attacks — 9× more than previously known.
🌐 Internet-wide Scan
Spoofing ASes
—
Total unique autonomous systems
Inter-AS Spoofing
—
Can spoof cross-network source IPs
Intra-AS Spoofing
—
Can spoof within-network source IPs
Vulnerable /24s
—
Prefix-level spoofable blocks
Countries Affected
—
Global coverage
Spoofing Capability by AS
Top 15 Countries by Spoofable ASes
Measurement History
Total TF Count Across Scan Rounds
Global Risk Map
Risk score by country — based on spoofing capability and TF density (hover to explore, scroll to zoom)
⚠️
99.3% of Request-Path TFs have no effective egress filtering.
Over half (56.7%) can perform unrestricted /0 IP spoofing — any source address in the Internet.
These vulnerabilities stem from a wholesale absence of BCP 38, not minor misconfigurations.
Explore the Data
Spoofing Capability Analysis
High-resolution characterization of IP spoofing vulnerability: capability depth, bit-position probing, and per-AS consistency.
🚨
99.3% of Request-Path TFs are not restricted by any effective egress filtering.
56.7% can spoof any source IP (/0 granularity). The remaining 42.6% can spoof large /1–/8 blocks.
Fine-grained /24 filtering is nearly absent.
Spoofable Prefix Range — Request-Path TFs
Spoofable Prefix Range — Response-Path TFs
Subnet Relationship Distribution
Where are spoofed TF pairs relative to each other?
Capability Histogram — Request-Path TFs (bucketed)
🔬
We probe each TF with 32 packets, flipping one bit of the source IP at a time. A successful probe means the network allows that specific spoofed address to exit.
Bits 1–2 have lower success (56.7%, 68.7%) — suggesting some bogon/large-block filtering. Bits 3–32 achieve 81–96% success, revealing the near-complete absence of prefix filtering.
Spoofing Success Rate by Bit Position (1=most significant)
Prefix Length Distribution of Discovered TF Networks
📐
62.9% of ASes (1,130/1,795) have perfectly uniform spoofing policy across all their TFs — strongly suggesting network-wide configuration, not isolated misconfigurations. Of these, 803 ASes allow full /0 arbitrary spoofing.
AS Spoofing Consistency — TF Count vs Policy Variance
AS Risk Distribution by Capability
Comparison with Prior Work
Xpoofer identifies more vulnerable networks than previous measurement methods and extends the state of the art in spoofing capability granularity and AS-internal analysis.
CAIDA Spoofer — ASes
1,482
From long-term volunteer project
Xpoofer — ASes
5,662
Active remote measurement
Multiplier
9×
More spoofing-capable ASes found
⚠️
484 ASes that CAIDA reported as non-spoofing were found spoofable by Xpoofer,
with 7,113 additional /24 blocks. China alone: Xpoofer found 2,249 spoofable blocks vs only 18 in CAIDA.
This reveals a systematic measurement gap from sparse volunteer coverage.
AS-Level: Xpoofer /24 Blocks vs CAIDA /24 Blocks
Country-Level: Xpoofer vs CAIDA Spoofable /24 Blocks
📐
Three systems have used DNS Transparent Forwarders as a measurement platform.
DNSROUTE++ (CoNEXT'21) characterized TF topology but did not audit spoofing capability.
OSAVRoute (NDSS'26) introduced active spoofing detection and blocking-depth localization.
Xpoofer adds bit-level granularity, behavioral taxonomy, and AS-internal policy analysis.
Feature Comparison — TF-based Remote Measurement
| Dimension | DNSROUTE++ | OSAVRoute | Xpoofer |
|---|---|---|---|
| TF discovery / path analysis | ✓ | ✓ | ✓ |
| AS-boundary classification | ✓ | ✓ | ✓ |
| Active spoofing-capability audit | — | ✓ | ✓ |
| Reported scale | 563k TFs | 3,310 ASes | 3,311 / 3,075 ASes |
| Inter-AS spoofing count | not reported | 3,310 ASes | 3,311 ASes |
| Intra-AS spoofing count | not reported | not reported | 3,075 ASes |
| Granularity resolution | — | prefix-level | bit-level |
| Blocking-depth localization | — | ✓ | — |
| Request-/Response-Path taxonomy | — | — | ✓ |
| AS-internal consistency analysis | — | — | ✓ |
Spoofing-Capable ASes by Method (DNSROUTE++ does not audit spoofing)
MANRS Audit
Measuring the gap between security commitments and operational reality for MANRS (Mutually Agreed Norms for Routing Security) members.
🛡️
Nearly 20% of ASes certified for full anti-spoofing (Action 2) still have detectable TFs.
Self-attestation is insufficient. Continuous, independent, active verification is essential.
Action 1 Members
1,397
Committed to route filtering
Action 1: Still Spoofing
219
15.7% of Action 1 members
TFs in Action 1 ASes
12,773
Spoofable forwarders
Full SAV (Action 2): Failing
43 / 216
20% of certified anti-spoof members
Top Action 1 Members with Spoofing TFs
Geographic Distribution — Non-Compliant Action 1 Members
Action 2 (Full SAV) Members with Detected TFs
| ASN | AS Name | Country | TF Count |
|---|
Longitudinal Trends
Tracking the global IP spoofing landscape across measurement rounds. Future scans will be added here as analysis completes.
ℹ️
Three scan rounds have been conducted: March 15 and June 21, 2025, and March 8, 2026.
Full analysis is currently available for the June 2025 round.
The chart below shows total TF counts for all rounds; detailed metrics will populate as each round is analyzed.
Total TF Count Across Scan Rounds
Scan Round Summary
| Round | Scan Date | Total TFs | Open TFs | Spoofing ASes | Vulnerable /24s | Full Analysis |
|---|