53

I need to make a request with a spoofed IP address for testing purposes. What's the easiest way to do this?

jonderry
  • 23,013
  • 32
  • 104
  • 171

3 Answers3

84

For my own purposes, changing the HTTP header was enough, via the following:

curl --header "X-Forwarded-For: 1.2.3.4" "http://www.foobar.com"
jonderry
  • 23,013
  • 32
  • 104
  • 171
  • from where is this set ?, using browser console ? – HybrisHelp Jan 09 '14 at 12:07
  • 1
    @ankit337 curl is a command line tool and nothing to do with a web browser, see http://curl.haxx.se/ – Luke Cousins Mar 15 '14 at 19:04
  • I don't think this is guaranteed to work in all environments. For one thing, the Play! framework ignores this header from all origins other than localhost unless explicitly configured otherwise: https://www.playframework.com/documentation/2.3.3/api/java/play/mvc/Http.RequestHeader.html#remoteAddress() – Coder Guy Nov 03 '14 at 18:25
  • 6
    That's clever but isn't at the network layer the question implies. It looks like this tricks the recipient into thinking there's a proxy but that shouldn't affect the frame's source IP. This answer elaborates the same thing differently: http://stackoverflow.com/questions/16910280/curl-with-spoof-ip-address . To spoof as the question asks, you have to build the packet, which is why most tools that do this need raw sockets; if you said more specifically what you're trying to do/trick, it would help this question (and its points) apart from the other one. – ǝɲǝɲbρɯͽ Mar 29 '15 at 17:05
  • @user2506891 I only have wine to test that on, but it looks like it's just designed to be a git shell? In order of complexity, I might try win-bash, then cygwin, then a Linux virtualbox... http://win-bash.sourceforge.net/ (cygwin: https://www.cygwin.com/) – ǝɲǝɲbρɯͽ Mar 29 '15 at 17:12
  • 1
    This depends of the setup of the Proxy which is between the client and the web service. For example, on Nginx, using `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` it works perfectly due to what is delivered by the embedded variable `$proxy_add...`, but the same does not apply when using `$remote_addr`, according to my experiments. Worth to mention this list of embedded variables supported by NGINX and the meaning of each one of them: nginx.org/en/docs/varindex.html Also, `X-Forwarded-For` keeps track of the hops who conducted the request, separating addresses by comas. – ivanleoncz Aug 09 '18 at 23:36
  • The spoofed IP will appear in apache logs as "for x.x.x.x" but it won't be used by apache in the "Require not ip" directives. – xtian Apr 05 '23 at 11:25
46

You can't.

In general, spoofing IP addresses for TCP is remarkably difficult. Unless you have control of a router quite near your target or near the IP you're spoofing, consider it impossible.

The reply packets need a path back to you in order to complete even the three-way handshake. The most reliable way to do this is to have control over a router in the most common pathway between your target and your spoofed IP address: this would let you capture packets between the target and the spoofed address and forward them on to you.

You could also try injecting bogus BGP route advertisements, but doing so would doubtless be noticed and cost you dearly when your peers drop you completely.

sarnold
  • 102,305
  • 22
  • 181
  • 238
  • 24
    This is the correct answer to the question he asked, but not the correct answer to the question he meant to ask. :D @sarnold – Jay Jan 10 '14 at 03:10
  • 1
    What if you don't need to receive a answer at all? Like a API that only respond to specific IPs but you don't need a answer – Freedo Dec 15 '19 at 03:45
  • @Freedo, as Jacob and many others have pointed out, the *reason* why you're trying to do something is important; I probably would not have given this answer today. You'd be best served to ask a new question with a good description of what you're trying to accomplish. Just a quick nitpick here though: getting an answer back is different from TCP requiring bidirectional communication before the recipient can even begin reading data from the connection initiator. Maybe the answer is to use UDP instead, maybe not. It'd be best to ask a new question. – sarnold Dec 17 '19 at 03:45
8

Can I make libcurl fake or hide my real IP address?

No. libcurl operates on a higher level. Besides, faking IP address would imply sending IP packet with a made-up source address, and then you normally get a problem with receiving the packet sent back as they would then not be routed to you!

If you use a proxy to access remote sites, the sites will not see your local IP address but instead the address of the proxy.

Also note that on many networks NATs or other IP-munging techniques are used that makes you see and use a different IP address locally than what the remote server will see you coming from.

armandino
  • 17,625
  • 17
  • 69
  • 81