35

The title says it all really. Say my IP address was 1.2.3.4 and I wanted to change or 'spoof' it so that it's exactly 2.3.4.5, would this be possible or are there too many varying factors that need to be taken into account before getting a definitive answer?

Why you might ask?

Well I was in a store the other day and they had iPads around the room set up so that they were showing the store's online website. I went over and looked at one and noticed that what was showing on their in-store iPads was different to what I would see by simply connecting to their site via my phone (and yes, they were both the exact same link using the same exact browser, Safari).

This led me to think that the only way they're able to do this is by either having the site detect the device's IP address and show specific (or exclusive) content on their homepage based on that, or by having the site detect that the device is using the store's WiFi (although I doubt this is possible, hence why I thought the IP route was more plausible).

So I was curious whether it'd be possible to spoof my device's IP to that of the store's exact IP so that my device showed exactly what theirs did in regards to their website.

Feel free to discuss this, I know this is very very specific and with minimal details known, so I doubt there's a definitive solution...

Mark Omo
James
  • 68
    No, that's not how they're doing it. The in-store iPads are pointing at an Apple-controlled DNS server that is providing a different address for the site than the one that is available to the public Internet. It may not ever be a routable address. [Best Buy got in trouble for this years ago](https://www.lawyersandsettlements.com/lawsuit/best-buy-website-scam.html) because they were using it to display higher prices in-store than on the public Internet version of the website. – Xander Jul 01 '19 at 12:40
  • @Xander I see, and is there any way to change my wifi's DNS server on my iPhone to the same one they use instore if I manage to find out theirs? Or would that not work - do I need to be connected to their store wifi (which in turn provides the needed DNS server) – James Jul 01 '19 at 14:30
  • 8
    Probably not. It's a network configuration setting and if you can't join to the network they're on (you probably won't be able to) you probably won't be able to access the DNS servers they're using either. – Xander Jul 01 '19 at 15:15
  • 30
    To add to the excellent answers, I believe the root of your confusion is based on you misunderstanding what the term "ip spoofing" actually means - it does NOT mean you can use a different IP. It merely refers to making packets you send LOOK LIKE they are coming from a different IP. But it's like sending letters with a fake return address - ip spoofing will not allow you to RECEIVE any content in response. So even if you were to perfectly spoof a store IP address, it would do you no good in this scenario. – Torque Jul 02 '19 at 07:34
  • 9
    "This lead me to think that the only way they're able to do this..."? Nope, they could also have a special "display device login page" that you don't know about, which puts a cookie on the device and allows other pages on the site to display different data for "logged-in" devices... – Chronocidal Jul 02 '19 at 08:17
  • 1
    "is there any way to change my wifi's DNS server on my iPhone to the same one they use instore if I manage to find out theirs?" probably both their DNS and their website are filtered to only internal (instore) IP traffic at firewall level. You should a) connect to the instore wifi. b) sniff DNS traffic c) visit the internal website. – bradbury9 Jul 02 '19 at 10:19
  • 6
    You can also "spoof" your street address by writing a wrong return address on a letter. But you will not receive the reply. – Tavian Barnes Jul 02 '19 at 17:41

5 Answers

86

You can change your IP to whatever you want; that's trivial. But that will not work the way you want it to.

Let's say the store's ISP is Apple Networks, and their IP range is 1.2.3.0 to 1.2.3.255. You note that and get home. Your home network is from Avocado Networks, and their IP range is 2.3.4.5. You change your IP to 1.2.3.123 and wait. Nothing happens. You cannot access any site. You are offline.

But why?

Routing.

Avocado Network tells the entire world they own the network 2.3.4.0, so when people want to reach anyone on that range, they send the packet to Avocado routers. They don't send any 1.2.3.0 packets to them, they send to Apple Networks routers as they are the ones advertising to the entire world their IP range. So your computer sits there, waiting for anything to come, and nothing happens.

If Avocado Networks employs Egress Filtering, your packets don't even leave their network. Their routers will say this is a packet coming from my network, but it says it's from Apple Networks' address space; it must be an error, so I will drop the package.

If they and nobody along the path uses Egress Filtering, your request for connection will reach pineapple.com, the site will respond as usual, but the response will be sent to Apple Networks routers, not Avocado networks. And either there will be nobody with 1.2.3.123 IP address to answer and the packet gets forgotten, or there will be a 1.2.3.123 there, and they will say sorry, I never heard from this connection before. Forget it. and that's that.

To achieve what you want, you must connect a system to the store network, make it work as a proxy, and forward packets from your home to that system, and then that system will access pineapple.com site on your behalf and send you the response.

jwodder
ThoriumBR
  • So, would it be bad if someone pretended to be you? (E.g. a DDOS attack through many responses) or is that a non-issue in practice? – Dennis Jaheruddin Jul 02 '19 at 09:41
  • 10
    @DennisJaheruddin when getting hit by a DDOS, I don't think anyone believes the source IP to be accurate, so it shouldn't harm you, the real IP holder. That said, with some protocols it can be used to attack you indirectly: the attacker sends a packet saying "I'm 1.2.3.123, what's the answer to foo?" to some DNS server, which then sends the reply to 1.2.3.123. If that reply is bigger than the original request, it's called an amplification attack, since the victim will get hit with more traffic than the attacker can send, thanks to the DNS server inadvertently helping them. – André Paramés Jul 02 '19 at 09:55
  • 9
    It might be useful to note that BGP hijacking does allow you to spoof your IP for a fraction of the greater internet. Of course, BGP hijacking is a little more complex than running a few `ifconfig` commands, and it will get you in heaps of trouble, especially if you succeed... – forest Jul 03 '19 at 06:48
  • @forest: *In principle*, BGP hijacking should not be possible unless you are a nation-state actor, an ISP, or your ISP is incompetent. Unfortunately, the latter is depressingly common. In fact, a lot of BGP "hijacking" incidents aren't even deliberate, they're just "ISP A accidentally sent a ridiculous BGP route to ISP B, and then ISP B believed them even though the data was obviously bad." – Kevin Jul 04 '19 at 16:18
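
The routing and egress-filtering behaviour ThoriumBR's answer describes, modelled as an added example that is not part of the original answer or its comments. It assumes /24 prefixes for both ISPs and a constructed three-entry routing table; the function names are hypothetical.

```python
import ipaddress

# Constructed topology using the answer's names and example addresses.
APPLE = ipaddress.ip_network("1.2.3.0/24")     # store's ISP ("Apple Networks")
AVOCADO = ipaddress.ip_network("2.3.4.0/24")   # home ISP ("Avocado Networks")
# Global routing table: advertised prefix -> network that advertises it.
ROUTES = {APPLE: "Apple Networks", AVOCADO: "Avocado Networks",
          ipaddress.ip_network("0.0.0.0/0"): "default (unreachable)"}


def egress_permits(source_ip, customer_prefix):
    """Egress filter at the ISP edge: the source must be inside our prefix."""
    return ipaddress.ip_address(source_ip) in customer_prefix


def route_for(destination_ip):
    """Longest-prefix match: which network receives a packet for this IP?"""
    addr = ipaddress.ip_address(destination_ip)
    matches = [net for net in ROUTES if addr in net]
    return ROUTES[max(matches, key=lambda net: net.prefixlen)]


def send_request(claimed_source, sender_isp, sender_prefix, egress_filtering):
    """Follow one request from the sender's ISP to the site and back."""
    if egress_filtering and not egress_permits(claimed_source, sender_prefix):
        return "dropped at " + sender_isp + " edge (source outside its prefix)"
    # The site answers whatever source the packet claims, not the real sender.
    reply_goes_to = route_for(claimed_source)
    if reply_goes_to == sender_isp:
        return "reply delivered to sender via " + sender_isp
    return "reply routed to " + reply_goes_to + ", never reaches sender"


if __name__ == "__main__":
    cases = [("2.3.4.5", True), ("1.2.3.123", True), ("1.2.3.123", False)]
    for src, filtering in cases:
        label = "egress filtering" if filtering else "no filtering"
        print(src, label, "->",
              send_request(src, "Avocado Networks", AVOCADO, filtering))
```
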
14

You can spoof your IP to whatever you want it to be. Pick a number, any number! However, you can't use it to trick an HTTP server into believing you are someone you are not. The TCP handshake protects against IP spoofing. So no luck there.

Anyways, my guess is that the webpage that is shown on the devices isn't discriminating based on IP. Sounds more practical to do it based on the network the devices are connected to, or with the help of some other little secret flag not visible in the URL.

Anders
  • I did not know this. How does it protect against ip spoofing? – yeah_well Jul 01 '19 at 11:54
  • 5
    @VipulNair Don't remember the details, but: Client sends SYN with spoofed IP. The server sends SYN-ACK to the spoofed IP, so the client never receives it. Because of that the client does not know what the correct ACK message would be. – Anders Jul 01 '19 at 11:57
  • I see... I might as well give it a try since I'm pretty interested regardless. Are there any tools/tutorials or programs out there for spoofing to any IP? I couldn't find much after a quick search. – James Jul 01 '19 at 11:58
  • 12
    @james there is no point to it. You won't be served a webpage at all. – yeah_well Jul 01 '19 at 12:04
  • 5
    ThoriumBR's answer explains the details of why it won't work very clearly. – Barmar Jul 02 '19 at 00:00
  • 3
    @Anders it's because the spoofer would need to match the same seq number of the spoofed ip holder, and that means guessing correctly a 32 bit number the first time – sox with Monica Jul 02 '19 at 13:53
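
The handshake check discussed in Anders's answer and the comments under it, as an added toy model that is not part of the original thread. The `Server` class, the `network` mailbox dictionary and the `connect` helper are hypothetical; the addresses are the question's 1.2.3.4 (real) and 2.3.4.5 (claimed).

```python
import secrets

MOD = 2 ** 32  # TCP sequence numbers are 32-bit


class Server:
    """Toy TCP listener that tracks half-open connections per claimed source."""

    def __init__(self, isn_source=lambda: secrets.randbits(32)):
        self.isn_source = isn_source
        self.half_open = {}        # claimed source IP -> server's initial seq number
        self.established = set()

    def on_syn(self, claimed_src, network):
        isn = self.isn_source()
        self.half_open[claimed_src] = isn
        # The SYN-ACK is addressed to the claimed source, wherever the SYN came from.
        network.setdefault(claimed_src, []).append(("SYN-ACK", isn))

    def on_ack(self, claimed_src, ack_number):
        isn = self.half_open.get(claimed_src)
        if isn is None or ack_number != (isn + 1) % MOD:
            return False           # a real stack would answer with RST
        del self.half_open[claimed_src]
        self.established.add(claimed_src)
        return True


def connect(server, network, claimed_src, real_src, blind_guess=0):
    """A client at real_src opens a connection claiming to be claimed_src."""
    server.on_syn(claimed_src, network)
    inbox = network.get(real_src, [])   # only packets routed to the real address
    if inbox:
        _, server_isn = inbox.pop()
        return server.on_ack(claimed_src, (server_isn + 1) % MOD)
    # The SYN-ACK went to someone else, so the ACK number can only be guessed.
    return server.on_ack(claimed_src, blind_guess)


if __name__ == "__main__":
    net, srv = {}, Server()
    print("honest 1.2.3.4:", connect(srv, net, "1.2.3.4", "1.2.3.4"))
    print("1.2.3.4 claiming 2.3.4.5:", connect(srv, net, "2.3.4.5", "1.2.3.4"))
    print("SYN-ACK delivered to 2.3.4.5 instead:", net["2.3.4.5"])
```
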
9

Practically yes, you can spoof it but it won't help in too many situations.

The IP protocol specifies that each IP packet must have a header which contains the IP address of the source of the packet. The source IP address is normally the address that the packet was sent from, but the sender's address in the header can be altered so that to the recipient it appears that the packet came from another source.

Although this is possible it would have very limited use since if you used another number in that header, all replies towards the sent packets would go towards that fake-IP specified.

If your objective is to DoS (flood the target with an overwhelming volume of traffic) then such a manipulation is useful, but if you intend to have some legitimate traffic between target and altered IP it won't work.

A good legit use of such a thing would be to test how a website handles multiple users before a go-live situation. Tools like HP LoadRunner and WebLOAD use such a technique.

Overmind
  • My intentions are certainly **not** to DoS them but for my objective (which is seeing ip-specific content on a website) would what you have just explained work? – James Jul 01 '19 at 11:20
  • If you do such alteration, communication with the target website would no longer work. – Overmind Jul 01 '19 at 11:25
  • I see... I might as well give it a try since I'm pretty interested regardless. Are there any tools/tutorials or programs out there that would get this completed? I couldn't find much after a quick search – James Jul 01 '19 at 11:28
  • 2
    This answer could be improved by adding some information about ARP spoofing, which might in some situations allow an attacker to trick routers into giving them responses intended for a different IP than their own. Even though it rarely works on the Internet nowadays (but it might work on a store WiFi). – Philipp Jul 01 '19 at 12:20
2

> The title says it all really. Say my IP address was 1.2.3.4 and I wanted to change or 'spoof' it so that it's exactly 2.3.4.5, would this be possible or are there too many varying factors that need to be taken into account before getting a definitive answer?

YES AND NO.

Firstly there are two ip addresses

  1. Private ip.
  2. Public ip.

Your private ip could be anything you want that is in the standardised address range. It is used to uniquely identify you on a network.

Your public ip cannot be changed into anything. Private ip is allotted rather. Since private ip can be used to uniquely identify you on the Internet, if you could change it into whatever you want there would be a lot of confusion on the internet. But you can change your public ip (not into whatever you want tho, like 2.2.2.2).

yeah_well
  • Yep I'm familiar with proxies and VPNs etc etc, but as you pointed out I cannot use those tools to change to a specific IP address which kind of defeats the purpose of it for what I want to use it for above at least... – James Jul 01 '19 at 10:52
  • You will have to proxy your traffic through their network for the task. But why you would do such a thing is beyond me. Also your assumption that they are getting served different website content according to their IP address "might" be completely wrong – yeah_well Jul 01 '19 at 10:56
  • I thought I was wrong but I actually asked a staff member and they said it was through their WiFi or IP (they didn't know which one though), which prompted my whole curiosity towards it – James Jul 01 '19 at 11:13
2

As others have said, Yes, you can declare your IP address to be anything you like, But No, the rest of the internet will not talk to you.

This would essentially be akin to replacing the numbers on your house from "123 Real Avenue" to "321 Fake Street" - the mailman isn't going to start delivering you someone else's mail, because regardless of what it says on your door, the house is physically on "Real Avenue".

However, I wanted to suggest some other possible methods by which the behaviour you're seeing could be accomplished without having a table of "special IP addresses":

  1. A unique (or shared) token stored in a cookie.

    When a browser visits a site, it checks for any cookies the site has given it in the past, sees if any are not expired, and sends those cookies with the request. These cookies can contain any amount of information about the client device, including "I'm an Apple Store display model".

  2. A simple HTTP header which identifies the device.

    When visiting any page on the internet, your browser sends and receives some data that's not immediately visible to you. This data is contained in the HTTP headers, and can contain nearly anything. For example, one common header defines the type of the payload (i.e. text/html, application/json, etc.). Apple's servers could check for some specific non-standard header (such as I-AM-DISPLAY-IPAD), and send different content back to the client when this is detected.

  3. An Authorization token which uniquely identifies the device.

    If security was a concern, they might instead use a unique cryptographically generated token which identifies the device as authentic. In addition to some secret data that makes it virtually impossible to spoof, this token can encode some other identifying properties of the device, making the token useless to any other device, even if you had a perfect copy.

  4. The network may be using a man-in-the-middle to inject the extra content.

    While man-in-the-middle attacks are generally negative, it is not uncommon (though generally frowned upon) for ISPs or routers to inject some javascript inside of a non-secured page that you visit. There could be such a device on the network between the iPads and the internet, which is injecting the extra content only for devices which reach the site through that specific network.

  5. The network may be using a customized DNS record.

    The first thing that happens when you try to visit xyz.com is that your browser/device contacts a Domain-Name System server to find out where xyz.com actually lives on the internet. While the site you visit on your device may have the same URL, the display devices could have a different IP address mapped to that URL, and go to a completely different server.

  6. Related to above, the network may not be on the broader internet at all.

    The entire display device network may actually be part of a VPN (Virtual Private Network) that connects to some other set of servers that are not exposed to the internet at large. A proxy server within the VPN could forward requests to external sites so the device appears to be connected directly to the internet, but is in fact inside a massive walled garden.

Please keep in mind this list is far from exhaustive! These are just ideas which I would start to investigate if I wanted to set up such a site which served different content to a select set of controlled devices.

In conclusion, there's a lot going on under the hood of the internet, and you should never get too attached to any one idea about how something works.

Tim
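
Items 2 and 3 of Tim's list compared from the server's side, as an added example that is not part of the original answer: a static header check next to an HMAC-signed token bound to one device. The key, token layout and device names are constructed, and `authenticated_device_id` is assumed to come from a channel the client cannot set freely, such as a client certificate.

```python
import hashlib
import hmac
import time

SERVER_KEY = b"constructed-demo-key"   # hypothetical; held only by the server
DISPLAY_HEADER = "I-AM-DISPLAY-IPAD"   # the answer's example header name


def header_check(headers):
    """Item 2: trust a static header. Any client that sends it passes."""
    return DISPLAY_HEADER in headers


def _tag(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_token(device_id, expires_at):
    """Item 3: token = device_id|expiry|HMAC-SHA256(key, device_id|expiry).

    device_id must not contain '|' in this constructed layout.
    """
    body = f"{device_id}|{int(expires_at)}"
    return f"{body}|{_tag(body)}"


def token_check(token, authenticated_device_id, now=None):
    """Accept only an untampered, unexpired token presented by its own device."""
    now = time.time() if now is None else now
    try:
        device_id, expires_at, tag = token.split("|")
        expiry = int(expires_at)
    except ValueError:
        return False                   # wrong number of fields or bad expiry
    expected = _tag(f"{device_id}|{expires_at}")
    # Constant-time comparisons; bytes avoid errors on non-ASCII input.
    return (hmac.compare_digest(tag.encode(), expected.encode())
            and expiry > now
            and hmac.compare_digest(device_id.encode(),
                                    authenticated_device_id.encode()))


if __name__ == "__main__":
    tok = issue_token("ipad-017", 2000)
    print("header from any client:", header_check({DISPLAY_HEADER: "1"}))
    print("token on its own device:", token_check(tok, "ipad-017", now=1000))
    print("copied token, other device:", token_check(tok, "phone-xyz", now=1000))
```
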