A variation of the spoofing attack that circumvents ingress filtering involves the use of an external collaborator. In this variation, the attacker again eavesdrops on the wireless LAN, watching for DNS requests, but instead of sending the spoofed response from the wireless LAN, the attacker signals another host on the Internet to send a spoofed response to the victim. Being able to eavesdrop is crucial, as it allows the attacker to relay the needed DNS identifier and port number information to the remote collaborator.
Two constraints make this attack more difficult for the attacker. First, the remote collaborator needs to be able to send packets with a spoofed source IP address. Unfortunately, a recent study [18] shows that spoofing is still possible on more than 30% of hosts due to the limited use of source filtering. Second, the remote collaborator needs to send the spoofed DNS response so that it arrives before the legitimate DNS response does. Thus, the attacker would need to locate a collaborator that is nearby in terms of round-trip time.
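Because the spoofed response only has to win the race, the legitimate response still reaches the victim shortly afterwards, which gives a defender something to look for. The following sketch is an added example, not part of the original paper: it flags queries that received two matching responses with different answers. The record layout, the function name and the 2-second window are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample of DNS responses seen at a client-side capture point:
# (time_s, server_ip, client_ip, client_port, dns_id, qname, answers)
RESPONSES = [
    (10.000, "192.0.2.53", "10.0.0.7", 40213, 0x1A2B, "www.example.com", ("203.0.113.66",)),
    (10.031, "192.0.2.53", "10.0.0.7", 40213, 0x1A2B, "www.example.com", ("198.51.100.10",)),
    # Identical retransmission: same answer twice, not a conflict.
    (11.200, "192.0.2.53", "10.0.0.7", 51877, 0x0C0D, "mail.example.com", ("198.51.100.25",)),
    (11.201, "192.0.2.53", "10.0.0.7", 51877, 0x0C0D, "mail.example.com", ("198.51.100.25",)),
    # Same identifier and port but a different client: a separate query.
    (12.500, "192.0.2.53", "10.0.0.9", 40213, 0x1A2B, "www.example.com", ("198.51.100.10",)),
]


def find_conflicting_responses(responses, window_s=2.0):
    """Flag queries that received two responses carrying different answers.

    Responses are grouped by everything a client checks before accepting one
    (server, client, port, DNS identifier, name). A second response in the
    same group with other data is a heuristic sign of a raced reply.
    """
    by_query = defaultdict(list)
    for ts, server, client, port, dns_id, qname, answers in responses:
        key = (server, client, port, dns_id, qname.lower().rstrip("."))
        by_query[key].append((ts, frozenset(answers)))

    alerts = []
    for (server, client, port, dns_id, qname), seen in by_query.items():
        seen.sort(key=lambda item: item[0])
        first_ts, first_answers = seen[0]
        for ts, answers in seen[1:]:
            if ts - first_ts <= window_s and answers != first_answers:
                alerts.append({
                    "client": client, "qname": qname, "dns_id": dns_id,
                    "first_answer": sorted(first_answers),
                    "later_answer": sorted(answers),
                    "gap_ms": round((ts - first_ts) * 1000),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in find_conflicting_responses(RESPONSES):
        print(alert)
```

The check only works where the capture point sees both responses, and a conflict is a lead to investigate rather than proof of spoofing.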