A spoofed DoS attack is a process in which one host (usually a server or router) sends a flood of network traffic to another host. Because the flood saturates the network connection, the target machine is unable to process legitimate requests for data, hence the name "denial of service."
DoS attacks often render the target machine useless because the host's connection, CPU, or memory is unable to handle the heavy load of data it receives. The term "spoofed" simply means that the origin host (or source creating the DoS) lies to the target machine about its identity. This makes blocking the attack very difficult.
All "spoofed" packets contain headers with an IP address or hostname different from that of the real sender.
Remember that TCP/IP wasn't designed with security in mind, and, because of this, the target machine believes everything contained in the packet header.
As a result, the target cannot tell where the flood of traffic came from. Attacks from one address can be dropped by a firewall.
A smart software firewall can even detect a flood of packets from one source and automatically begin dropping them.
When the source sends spoofed packets with a different source address each time, the firewall has no choice but to process the data because it can't distinguish legitimate packets from DoS packets. This makes the flood impossible to block without blocking all traffic.
Blocking all traffic also means blocking legitimate requests for data. This type of attack is more exhausting to the target machine and is arguably the strongest type of DoS attack.
A spoofed DDoS attack is even worse because there is usually much more bandwidth involved. With a few thousand hosts sending spoofed packets, filtering or blocking is virtually impossible.
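The per-source dropping described above, as an added simulation that is not part of the original page: a firewall rule that limits each source address to 20 packets per second is replayed over a constructed one-second trace, once with the flood coming from one address and once with a different source address on every packet. The limiter class, its thresholds and all addresses (documentation and benchmarking ranges) are assumptions made for the illustration.

```python
from collections import defaultdict, deque
import ipaddress

class PerSourceLimiter:
    """Hypothetical firewall rule: drop a source once it exceeds `limit` packets per `window` seconds."""
    def __init__(self, limit=20, window=1.0):
        self.limit, self.window = limit, window
        self.recent = defaultdict(deque)  # claimed source address -> recent timestamps

    def allow(self, src, ts):
        q = self.recent[src]
        while q and ts - q[0] >= self.window:
            q.popleft()                   # forget packets older than the window
        if len(q) >= self.limit:
            return False                  # this source is flooding: drop
        q.append(ts)
        return True

def run(spoofed, n_flood=1000):
    """Replay a constructed one-second trace; return packets passed, by true origin."""
    base = int(ipaddress.ip_address("198.18.0.0"))   # benchmarking range, constructed
    trace = []
    for i in range(n_flood):
        # The header carries whatever source the sender wrote into it.
        src = str(ipaddress.ip_address(base + i)) if spoofed else "203.0.113.7"
        trace.append((i / n_flood, src, "flood"))
    for client in range(3):                          # three legitimate clients
        for j in range(5):
            trace.append((j / 5 + 0.01, f"192.0.2.{client + 1}", "legit"))
    trace.sort()
    fw, passed = PerSourceLimiter(), defaultdict(int)
    for ts, src, origin in trace:
        # `origin` is ground truth known only to this simulation, never to the firewall.
        if fw.allow(src, ts):
            passed[origin] += 1
    return dict(passed)

if __name__ == "__main__":
    print("one source :", run(spoofed=False))
    print("spoofed    :", run(spoofed=True))
```

With one source the limiter passes only the first 20 flood packets; with a new source address on every packet each address stays under the limit, so the whole flood passes alongside the legitimate traffic.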