Imagine a user has an IP of 22.214.171.124
The server the user intends to connect to has an IP of 126.96.36.199
An attacker has a machine with a promiscuous network card on the user’s local network.
The attacker also has a server on a separate network with IP 188.8.131.52
The user sends a request to 184.108.40.206, which the attacker had DDoS’d. As such, 220.127.116.11 will not respond.
The attacker’s machine on the user’s local network sniffs the request and sends it to 18.104.22.168; 22.214.171.124 is set up to take this information to form a request to 126.96.36.199 where it spoofs the IP of 188.8.131.52 and has all the required TCP sequencing information to form a request that looks real.
When the user sends another request, it is once again sniffed by the attacker’s local machine and sent to 184.108.40.206 which can then send another false request. The cycle continues.
Since 220.127.116.11 appears to be 18.104.22.168 and since 22.214.171.124 is NOT located on the user’s local network, the user’s firewall is unable to detect any foul play.
I’m assuming that this type of attack is not actually possible and that somewhere there is a misconception on my part about how networking works. Why would an attack like this not be possible?