The attacker is on a different subnet than the destination host.
The attacker sends an IP packet with a source route specified in the IP header. This causes the destination host to send traffic back to the spoofed IP address via the route specified.
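
A defender can spot such packets by walking the IPv4 header options and looking for the two source-route option types defined in RFC 791 (LSRR, 0x83, and SSRR, 0x89). The following is an added example, not code from the original page; the function names and the documentation-range addresses in the sample packet are constructed for illustration.

```python
import socket
import struct

# IPv4 option types from RFC 791: Loose / Strict Source and Record Route
SOURCE_ROUTE_OPTS = {0x83: "LSRR", 0x89: "SSRR"}

def find_source_route(packet: bytes):
    """Return (name, pointer, [hops]) for the first source-route option, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4              # header length in bytes
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    opts, i = packet[20:ihl], 0               # options sit between byte 20 and IHL
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                         # End of Option List
            break
        if kind == 1:                         # No-Operation: single byte, no length
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]                  # covers type, length and data bytes
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        if kind in SOURCE_ROUTE_OPTS:
            if length < 3:
                raise ValueError("source-route option without pointer")
            data = opts[i + 3:i + length]     # route data follows the pointer byte
            hops = [socket.inet_ntoa(data[j:j + 4]) for j in range(0, len(data) - 3, 4)]
            return SOURCE_ROUTE_OPTS[kind], opts[i + 2], hops
        i += length
    return None

def sample_packet(options: bytes = b"") -> bytes:
    """Constructed IPv4 header (checksum left at 0, not validated) plus options."""
    options += b"\x00" * (-len(options) % 4)  # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 0, 0, 64, 6, 0,
                       socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.7")) + options

# Constructed LSRR option: type, length 11, pointer 4, then two hop addresses
LSRR = bytes([0x83, 11, 4]) + socket.inet_aton("203.0.113.1") + socket.inet_aton("203.0.113.2")

if __name__ == "__main__":
    print(find_source_route(sample_packet(LSRR)))
```

Most networks have no legitimate use for these options, so a hit from this check is usually treated as grounds to drop the packet at the perimeter.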
