devc1 wrote:
Because it reminded me of a guy I knew in the past who was scamming people's PayPals, and he asked me about this IP thing (to log in to PayPal with the scammed guy's IP and skip the mobile check). I thought this was impossible or that it needed some special router, and he said that he was paying a website monthly to do that for him.
Well, you will not be able to create a TCP connection by spoofing the source IP address.
When you send an IP packet to some destination, nobody cares about the source address field. Only at the destination is that field used, to return the response. So then the source becomes the destination. But of course, the spoofed address is not equal to your actual address (or else there would be no point), and so the return route will be different, and the response will come to a different machine. In the case of TCP, if you send a SYN packet with a spoofed source address, the server will answer with its SYN-ACK to the spoofed address, which is not in the right state at that point and will answer with RST. That won't really do any harm.
What your friend did more likely comes down to guessing the correct cookie for the PayPal login. You see, PayPal is a web service, and on the web, you are logged in to a site if you have the right cookie to be logged in. So if I can guess your cookie, I can take over your session. Maybe your friend found a way to guess those.
With source IP spoofing, there are two things you definitely can do: For one, there is SYN flooding. That means sending out an infinite series of SYN packets with random source IP addresses to some destination. When the server receives a SYN packet, it has to allocate a bit of memory to handle the incoming connection. This flood exhausts the resources for that (any finite limit can be exceeded) and thus causes the server to be unreachable. And the random source IP addresses mean that no firewall along the way can filter out these packets and still allow legitimate packets through. Workaround here: SYN cookies.
Second, you can attack another site with UDP services that return larger responses than requests (e.g. DNSSEC). Then you can just keep sending the same request to some server with a spoofed source IP address, and it keeps sending its larger responses to the spoofed address, thus taking up that other address's bandwidth. This can also cause denial of service. The target of the attack cannot filter out the unwanted packets, since by the time they reach the firewall, the damage has already been done.
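The three points in the reply above, played out in a toy packet model as an added example (this is illustration code written for this page, not code from anyone in the thread). The "network" is just a dictionary of hosts keyed by IP, and every address, backlog size, packet size and the 30x reflection ratio are made-up assumptions. Routing only ever looks at the destination field; the source field is used by the receiver to address its reply, which is exactly what makes spoofing both useless for a TCP session and useful for flooding and reflection.

```python
"""Toy model: spoofed SYN cannot become a TCP session; SYN flood vs. SYN cookies;
UDP reflection toward a spoofed source. Hosts, addresses and sizes are invented."""
import hashlib
import hmac
import os
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str          # only used by the receiver to address its reply
    dst: str          # the only field routing looks at
    flags: str        # "SYN", "SYN-ACK", "ACK", "RST" or "UDP"
    seq: int = 0
    ack: int = 0
    size: int = 40    # bytes on the wire (made-up sizes)


class Network:
    """Delivers a packet to whoever owns pkt.dst; nobody checks pkt.src on the way."""
    def __init__(self):
        self.hosts = {}

    def attach(self, host):
        self.hosts[host.ip] = host

    def send(self, pkt):
        host = self.hosts.get(pkt.dst)
        if host is not None:          # unrouted destinations just drop the packet
            host.receive(pkt, self)


class Host:
    def __init__(self, ip):
        self.ip, self.inbox, self.pending = ip, [], set()

    def connect(self, dst, net):
        self.pending.add(dst)         # remember that we really did send a SYN
        net.send(Packet(self.ip, dst, "SYN", seq=random.getrandbits(32)))

    def receive(self, pkt, net):
        self.inbox.append(pkt)
        if pkt.flags == "SYN-ACK":
            if pkt.src in self.pending:   # expected: finish the handshake
                net.send(Packet(self.ip, pkt.src, "ACK", seq=pkt.ack, ack=(pkt.seq + 1) & 0xFFFFFFFF))
            else:                         # no SYN ever left here: reset it
                net.send(Packet(self.ip, pkt.src, "RST", seq=pkt.ack))


class Server(Host):
    def __init__(self, ip, backlog=4, syncookies=False):
        super().__init__(ip)
        self.backlog, self.syncookies = backlog, syncookies
        self.half_open, self.established, self.dropped = {}, set(), 0
        self.secret = os.urandom(16)  # simplified SYN cookie secret (real ones rotate and encode MSS)

    def cookie(self, client):
        mac = hmac.new(self.secret, client.encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def receive(self, pkt, net):
        self.inbox.append(pkt)
        if pkt.flags == "SYN":
            if self.syncookies:           # store nothing: the ISN itself validates a later ACK
                isn = self.cookie(pkt.src)
            elif len(self.half_open) < self.backlog:
                isn = random.getrandbits(32)
                self.half_open[pkt.src] = isn
            else:                         # backlog full: legitimate SYNs are dropped too
                self.dropped += 1
                return
            net.send(Packet(self.ip, pkt.src, "SYN-ACK", seq=isn, ack=pkt.seq + 1))
        elif pkt.flags == "ACK":
            isn = self.cookie(pkt.src) if self.syncookies else self.half_open.pop(pkt.src, None)
            if isn is not None and pkt.ack == (isn + 1) & 0xFFFFFFFF:
                self.established.add(pkt.src)
        elif pkt.flags == "RST":
            self.half_open.pop(pkt.src, None)   # the spoofed victim cleaned up the half-open entry


class Reflector(Host):
    """UDP service whose answer is much bigger than the question (think DNS with DNSSEC)."""
    def receive(self, pkt, net):
        self.inbox.append(pkt)
        net.send(Packet(self.ip, pkt.src, "UDP", size=pkt.size * 30))


def spoofed_syn():
    """Attacker sends one SYN claiming to be victim: who sees what?"""
    net, server = Network(), Server("203.0.113.1")
    attacker, victim = Host("192.0.2.7"), Host("198.51.100.9")
    for h in (server, attacker, victim):
        net.attach(h)
    net.send(Packet(victim.ip, server.ip, "SYN", seq=1000))   # forged src, real dst
    return {"attacker_saw_syn_ack": any(p.flags == "SYN-ACK" for p in attacker.inbox),
            "victim_saw_syn_ack": any(p.flags == "SYN-ACK" for p in victim.inbox),
            "server_got_rst": any(p.flags == "RST" for p in server.inbox),
            "established": len(server.established), "half_open_left": len(server.half_open)}


def syn_flood(syncookies, n=50):
    """n SYNs from unrouted spoofed sources, then one honest client tries to connect."""
    net, server, client = Network(), Server("203.0.113.1", backlog=4, syncookies=syncookies), Host("198.51.100.9")
    for h in (server, client):
        net.attach(h)
    for i in range(n):   # spoofed sources are not attached: SYN-ACKs vanish and no RST comes back
        net.send(Packet("10.0.%d.%d" % (i // 256, i % 256), server.ip, "SYN", seq=i))
    client.connect(server.ip, net)
    return {"dropped": server.dropped, "half_open": len(server.half_open),
            "client_connected": client.ip in server.established}


def udp_reflection(n=100):
    """n small requests with src=victim; the reflector's big replies land on the victim."""
    net, reflector, victim = Network(), Reflector("203.0.113.53"), Host("198.51.100.9")
    for h in (reflector, victim):
        net.attach(h)
    sent = 0
    for _ in range(n):
        req = Packet(victim.ip, reflector.ip, "UDP", size=64)
        sent += req.size
        net.send(req)
    received = sum(p.size for p in victim.inbox)
    return {"attacker_sent": sent, "victim_received": received, "amplification": received // sent}
```

Running `spoofed_syn()` shows the SYN-ACK landing on the victim, never on the attacker, and the victim's RST removing the server's half-open entry. `syn_flood(False)` leaves the backlog full and the honest client locked out, while `syn_flood(True)` serves the client because the server keeps no per-SYN state. `udp_reflection()` counts the bytes the victim absorbs before any firewall of its own could act on them.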