Parallel spoofing for throughput increase


Because of changes in the Linux kernel, particularly in netfilter/iptables, multispoof won't run on recent systems (see notes in the requirements section).

It can be fixed, but probably won't be, as I don't have enough time. I'll welcome patches though.

What is multispoof?

Multispoof is an application that exploits the weak, address-based authentication very frequently implemented by ISPs in Ethernet networks. In such networks customers are identified by IP-MAC address pairs, and only those who pay the ISP are granted access to the Internet.

Multispoof uses IP and MAC spoofing to impersonate legitimate customers. The idea is not new, but multispoof does it in a smart way. As it impersonates only inactive customers, there are no address conflicts. And using multiple addresses in parallel, in combination with load balancing, allows it to achieve much higher transfer rates.

It could be compared with download accelerating software, because higher throughput is achieved with multiple transmissions. The difference is that multispoof operates on layers 2 and 3 of the OSI model. In contrast, a download accelerator uses multiple TCP streams – the fourth layer of the OSI model.

I've created multispoof as a software project for my M.Sc. thesis, so the entire application (version 0.6.1) is documented quite precisely in there. If you read Polish, you can get my thesis in the papers section on my page. I've spent an entire chapter on spoofing detection and prevention techniques, so if you are an ISP, you may be interested too.


Multispoof was created to demonstrate the risk of using weak authentication methods, and is meant to be used for testing purposes. It is only a tool and you are responsible for its usage, especially for abuse of your ISP network.



The multispoof source code is released under the GPLv2 license and can be downloaded from the SourceForge project page. You will also find a livecd version there – a bootable Linux CDROM, which includes multispoof and a download accelerator, ready to be used for some testing (the livecd includes the older 0.7.0 release).

Version history can be found in Changelog file.


In order to run multispoof you need:

Compilation process requires also:

Compilation and installation

You are advised to check multispoof tarball integrity against my gpg key, which can be downloaded from here. If the tarball and signature are in current working directory, issue:

   $ gpg --verify multispoof-*.tar.gz.asc

After positive verification, you can extract multispoof source distribution with:

   $ tar zxf multispoof-*.tar.gz

Then enter the newly created directory and optionally alter the installation paths at the beginning of the Makefile. If you want to link multispoof components with libpcap dynamically (you should do this if your distribution ships libpcap as a shared library, as Debian 3.1 does), execute:

   $ make

Otherwise, you need to specify the libpcap.a file to link statically with. For example, on Redhat 9 it would be placed in /usr/lib/libpcap.a, so you should type:

   $ PCAP_STATIC=/usr/lib/libpcap.a make

After successful compilation, issue:

   $ su -c "make install"

Note that the installation is required for the program to run correctly. You can uninstall it with:

   $ su -c "make uninstall"


Multispoof requires root privileges. Before running it you should kill the DHCP client. Multispoof removes the IP address from the network interface (it is reassigned on program termination). While operating, the program requires that no IP address is set on the network interface. The DHCP client could assign one, which is not desirable – and that's why it should be killed. Also, if you don't want to be caught easily by the network administrator, you should change your IP and MAC addresses, because they are used for scanning.

Passing the -h option to multispoof makes it show usage information. To launch the program and instruct it to use the eth0 interface, invoke:

   # multispoof -i eth0

If everything is ok, you should see something like this:

   netdb: Listening on /tmp/multispoof.XX410BZG/socket
   rx (tapio): listening on eth0
   rx (deta): listening on eth0
   tapio: virtual interface: tap0
   tx (tapio): using device eth0
   tx (deta): using device eth0
   tx (scanarp): using device eth0
   cmac (unspoof): Using be:70:8d:4d:6a:a9 as default mac

After the first run, multispoof starts learning network addresses and saves them to its database file. This file is reused on consecutive runs, so gathered addresses are not lost after program termination. Multispoof uses only inactive addresses for spoofing, so it's best to leave it running for some time (for example one night). After that the database should be filled with enough addresses, and hopefully some of them will be inactive. Remember that multispoof's default behavior is to wait for 5 minutes before an inactive address is used. So after launching the program, there is at least that delay before the Internet connection can be used.

Now launch your favorite p2p program or download accelerator and get some data really fast :) The more file chunks are downloaded in parallel, the higher throughput you get.

Before starting a download, you should tune TCP settings in the kernel, particularly the keep-alive options, for better resistance to transmission drops. It can be done by modifying /proc files, or via the sysctl utility.

   # sysctl -w net.ipv4.tcp_keepalive_intvl=5
   # sysctl -w net.ipv4.tcp_keepalive_probes=3
   # sysctl -w net.ipv4.tcp_keepalive_time=10
   # sysctl -w net.ipv4.tcp_syn_retries=0

You can put all of the above options in a file and load it using sysctl's -p switch. Note that keep-alive is an optional feature of the TCP stack, and not all network applications use it. Some of them implement keep-alive themselves (ssh for example), others simply don't. For testing I've used prozilla download accelerator patched to enable keep-alive (well, the patch actually uncomments some code). The patch is against prozilla, and can be found in the multispoof tarball (prozilla- Bootable CDROM contains prozilla already patched.

Warning: the provided sysctl settings are suitable for use when working on the local machine. If you are running multispoof remotely, consider setting keepalive_time to a higher value. If you don't do this, you will probably experience frequent ssh disconnections.

Internal state monitoring

Collected addresses can be listed by connecting to the multispoof address database through its Unix socket. You can do it with the multispoof-dump tool:

   # multispoof-dump /tmp/multispoof.XX410BZG/socket
   00:c0:df:ae:de:44 2 1122365430 disabled idle
   00:30:4e:28:c0:fe 310 2 enabled idle
   00:08:0d:c4:22:14 30 1122365430 disabled idle
   00:30:84:42:b1:9c 41 1122365430 disabled idle
   00:0a:cd:00:15:30 492 184 enabled idle

Assuming the default value of the -a option (300 seconds), addresses currently used for spoofing can be displayed with the following pipeline:

   # multispoof-dump | awk '{if ($5 == "enabled" && $3 >= 300) print $0}'
   00:30:4e:28:c3:22 310 2 enabled idle
   00:0a:cd:00:15:30 492 184 enabled idle

To check if load balancing works correctly, you can run ping and use tcpdump to sniff its traffic:

   # tcpdump -eni eth0 icmp
   tcpdump: WARNING: eth0: no IPv4 address assigned
   tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
   listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
   23:21:27.997833 00:20:ed:b6:78:43 > 00:20:af:c4:6f:e3, ethertype IPv4 \
    (0x0800), length 98: IP > icmp 64: \
    echo request seq 1
   23:21:28.039748 00:20:af:c4:6f:e3 > 00:20:ed:b6:78:43, ethertype IPv4 \
    (0x0800), length 98: IP > icmp 64: \
    echo reply seq 1
   23:21:28.992051 00:02:44:7b:09:11 > 00:20:af:c4:6f:e3, ethertype IPv4 \
    (0x0800), length 98: IP > icmp 64: \
    echo request seq 2
   23:21:29.036361 00:20:af:c4:6f:e3 > 00:02:44:7b:09:11, ethertype IPv4 \
    (0x0800), length 98: IP > icmp 64: \
    echo reply seq 2
   23:21:29.992307 00:20:ed:b6:78:43 > 00:20:af:c4:6f:e3, ethertype IPv4 \
    (0x0800), length 98: IP > icmp 64: \
    echo request seq 3
   23:21:30.046712 00:20:af:c4:6f:e3 > 00:20:ed:b6:78:43, ethertype IPv4 \
    (0x0800), length 98: IP > icmp 64: \
    echo reply seq 3
   23:21:30.994180 00:02:44:7b:09:11 > 00:20:af:c4:6f:e3, ethertype IPv4 \
    (0x0800), length 98: IP > icmp 64: \
    echo request seq 4
   23:21:31.098238 00:20:af:c4:6f:e3 > 00:02:44:7b:09:11, ethertype IPv4 \
    (0x0800), length 98: IP > icmp 64: \
    echo reply seq 4
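
Seen from the network operator's side, the capture above is also the signature of this load balancing: consecutive echo requests of one ping reach the same destination from alternating source MAC addresses. The following is an added example, not part of multispoof, that flags this pattern in `tcpdump -e` text output; the function name `split_ping_sources`, the heuristic and the sample lines (one packet per line, with IP addresses present) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of multispoof). Heuristic: one ping stream whose
# echo requests reach a destination from several source MACs, with no
# sequence number seen twice, is being split across several identities.
# Independent hosts pinging the same target repeat sequence numbers.

# Constructed sample: `tcpdump -eni <if> icmp` text, one packet per line.
# MACs are locally administered, IPs are documentation addresses.
sample_capture() {
cat <<'EOF'
10:00:01.000000 02:00:00:00:00:0a > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 98: IP 192.0.2.11 > 198.51.100.9: icmp 64: echo request seq 1
10:00:01.040000 02:00:00:00:00:01 > 02:00:00:00:00:0a, ethertype IPv4 (0x0800), length 98: IP 198.51.100.9 > 192.0.2.11: icmp 64: echo reply seq 1
10:00:02.000000 02:00:00:00:00:0b > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 98: IP 192.0.2.12 > 198.51.100.9: icmp 64: echo request seq 2
10:00:03.000000 02:00:00:00:00:0a > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 98: IP 192.0.2.11 > 198.51.100.9: icmp 64: echo request seq 3
10:00:04.000000 02:00:00:00:00:0b > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 98: IP 192.0.2.12 > 198.51.100.9: icmp 64: echo request seq 4
10:00:05.000000 02:00:00:00:00:0c > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 98: IP 192.0.2.13 > 203.0.113.5: icmp 64: echo request seq 1
10:00:05.100000 02:00:00:00:00:0d > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 98: IP 192.0.2.14 > 203.0.113.5: icmp 64: echo request seq 1
10:00:06.000000 02:00:00:00:00:0c > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 98: IP 192.0.2.13 > 203.0.113.5: icmp 64: echo request seq 2
10:00:06.100000 02:00:00:00:00:0d > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 98: IP 192.0.2.14 > 203.0.113.5: icmp 64: echo request seq 2
EOF
}

# Usage: tcpdump -enr capture.pcap icmp | split_ping_sources [min_packets]
# (capture.pcap is a placeholder file name.)
# Prints "<dst_ip> <echo_requests> <distinct_src_macs>" per suspect stream.
split_ping_sources() {
  awk -v min="${1:-4}" '
    / echo request/ {
      src = $2                                   # source MAC (shown by -e)
      for (i = 1; i < NF; i++) {
        if ($i == "IP")  { dst = $(i + 3); sub(/:$/, "", dst) }
        if ($i == "seq") { seq = $(i + 1); sub(/,$/, "", seq) }
      }
      n[dst]++                                   # echo requests per target
      if (seen[dst, seq]++) dup[dst] = 1         # repeated seq: separate pingers
      if (!((dst, src) in macs)) { macs[dst, src] = 1; nmac[dst]++ }
    }
    END {
      for (d in n)
        if (n[d] >= min && nmac[d] > 1 && !(d in dup))
          print d, n[d], nmac[d]
    }'
}
```

On the constructed sample only the first destination is reported: the second one is pinged by two hosts whose sequence numbers repeat, which is what independent senders look like.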


There is a bug in connectivity testing. Sometimes DNS packets are dropped by multispoof, and the user gets a "dns problem" message. There is no fix yet (patches are welcome!), but there is a workaround.

Edit the access-test script, comment out the code that resolves the domain name and set the HOST variable to the IP address of (for example).


  1. I get following error on multispoof compilation:

    rx.c:97: error: `PCAP_D_IN' undeclared (first use in this function)

    You need more recent libpcap. See requirements.

  2. When I run multispoof following message appears:

    multispoof: Your system doesn't support required iptables features.

    Well, it means your system doesn't support required iptables features. See requirements for details. Hint: Try to specify -v switch to see what features are missing.

  3. Does multispoof run on anything other than Linux?

    No. It requires Linux-specific kernel features. Of course it can be ported, but it isn't and probably won't be.

  4. Does multispoof work on cable/dial-up/dsl/whatever?

    Multispoof will do its job on Ethernet-based, MAC-spoofing-vulnerable networks only. Cable networks are protected against MAC spoofing, but if you want to learn about possible abuses in this type of network, type uncapping in google.

  5. Do you plan to make multispoof run on > 2.6.11 kernels? Could you add feature X?

    No, I don't plan to work on multispoof anymore.

  6. I don't know anything about networks and Linux. I just want to steal some bandwidth from my ISP. Make multispoof work for me!

    Sure, but first have a look here.

Author, contact

This software was written by me, Paweł Pokrywka. You can find my email address as well as my gpg key at:

This project is hosted on