Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Is it possible to spoof a requesting IP address using Perl? I am seeing some funky entries in my log files and suspect it's one script at work but the suspect log entries are coming from several different IPs. Thanks in advance!

Replies are listed 'Best First'.
Re: Spoofing an IP using perl?
by Limbic~Region (Chancellor) on Sep 24, 2003 at 17:03 UTC
    Anonymous Monk,
    Since it doesn't sound like you want to know how to do it and more "is it possible" I am inclined to answer. There are many reasons lots of IP addresses could look like they are coming from the same one or the reverse, one IP could look like it is coming in as many. In fact, lots of large corporations and government agencies use proxies for this very purpose.

    TCP connections are a two way street. Spoofing an IP address means making it look like those packets are coming from somewhere they are not. There isn't any point in spoofing an IP address if you need to see the packets coming back - since they are going to that other IP (you are working blind). And if that other IP responds back with a RST packet as it might do - you've been had.

    You can use several tools such as whois to find out who the IP addresses are registered to. The IPs may all be affected with a virus that is designed to harvest passwords or something. And finally, yes - Perl could be used to create an IP spoofing tool though a lot of factors mentioned above would have to be considered.

    Cheers - L~R
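
One way to check the "one script, several IPs" suspicion against the log itself, as an added example that is not part of the original thread: group requests by a fingerprint that does not depend on the source address and list the fingerprints seen from several addresses. The Apache combined log format, the sample lines, the `$MIN_IPS` threshold and the function names are all assumptions made for illustration.

```perl
use strict;
use warnings;

# Constructed sample lines in Apache "combined" format (an assumption: the
# thread never says which log is involved). Addresses are RFC 5737 ranges.
my @log = (
    '192.0.2.10 - - [24/Sep/2003:16:01:02 +0000] "GET /cgi-bin/form.pl?id=1 HTTP/1.0" 200 512 "-" "libwww-perl/5.69"',
    '198.51.100.7 - - [24/Sep/2003:16:01:09 +0000] "GET /cgi-bin/form.pl?id=2 HTTP/1.0" 200 512 "-" "libwww-perl/5.69"',
    '203.0.113.44 - - [24/Sep/2003:16:01:15 +0000] "GET /cgi-bin/form.pl?id=3 HTTP/1.0" 200 512 "-" "libwww-perl/5.69"',
    '192.0.2.99 - - [24/Sep/2003:16:02:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    'truncated line that does not parse',
);

my $MIN_IPS = 3;    # hypothetical threshold: distinct sources before flagging

# Fingerprint = method + path without its query string + User-Agent.
# Returns (ip, fingerprint), or an empty list for a line that does not parse.
sub fingerprint {
    my ($line) = @_;
    my ($ip, $method, $uri, $agent) = $line =~
        m/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"/
        or return;
    (my $path = $uri) =~ s/\?.*//s;
    return ($ip, join(' ', $method, $path, $agent));
}

# Returns one hash ref per fingerprint seen from at least $min addresses.
sub shared_fingerprints {
    my ($min, @lines) = @_;
    my %seen;    # fingerprint -> { ip => hit count }
    for my $line (@lines) {
        my ($ip, $fp) = fingerprint($line) or next;
        $seen{$fp}{$ip}++;
    }
    return map  { +{ fp => $_, ips => [ sort keys %{ $seen{$_} } ] } }
           grep { scalar(keys %{ $seen{$_} }) >= $min }
           sort keys %seen;
}

for my $hit (shared_fingerprints($MIN_IPS, @log)) {
    printf "%d sources share [%s]: %s\n",
        scalar @{ $hit->{ips} }, $hit->{fp}, join(', ', @{ $hit->{ips} });
}
```

A shared fingerprint only says the requests look alike; whether the addresses behind it are proxies, infected hosts or something else is what the whois lookup mentioned above helps to sort out.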

Re: Spoofing an IP using perl?
by moxliukas (Curate) on Sep 25, 2003 at 06:49 UTC

    I don't know what kind of logs you are looking at, but my snort logs also seemed very strange to me recently. It appeared that strange things were coming from IPs that are near our IP range. The reason for this was MSBlaster and Nachi worm activity, though at first instance I also thought that someone was spoofing an IP address on some subnet (it is relatively easy to spoof an IP in your subnet as promiscuous mode ethernet cards will pick up every packet). So basically what I am trying to say is that strange logs don't necessarily come from spoofed IPs -- worms and viruses are more often to blame.

      It is possible. You can try it using the Net::RawIP module in Perl.
Re: Spoofing an IP using perl?
by jacques (Priest) on Sep 24, 2003 at 18:17 UTC
    Doesn't Java have a special class for IP spoofing? Those evil Sun engineers are never up to any good . . .
Re: Spoofing an IP using perl?
by DeLos (Acolyte) on May 18, 2005 at 03:16 UTC
    I would like to open this up some more. I tried working with IP aliases, but that's not doing the trick. I am actually looking to test an anti-abuse system, so for one of the tests I need to telnet to the remote machine from the local machine, but I need to use multiple IPs. Is this possible?