How to tamper with the source IP address on Windows

Posted on 2024-08-13 15:43:22 · 136 words · 5 views · 0 comments

We have a testing scenario that needs to tamper with the source IP address of an HTTP request to simulate clients coming from different countries. Do you know of any tool that helps with this?

Last but not least, our web site is built with ASP.NET.

Thanks.

Comments (6)

烟酒忠诚 2024-08-20 15:43:23

In a test environment it usually isn't difficult. First read this SO question about virtual network interfaces.

If the server and client are on the same machine, all you have to do is figure out how to get your client software to bind to your virtual interface.
wget for instance has the --bind-address option to specify which local address to bind to. Web browsers are a bit more difficult to do this with; you may need to just run it in a VM.

If your server and client are on the same LAN, you just need to configure your router with some static routes to your client machine. In this case you probably don't need a virtual network interface, just set a static IP for your client machine; as long as the gateway is set up correctly it should be able to send packets to the server, and as long as the route is set up correctly the replies should find their way back to the client.

If the client and server are separated by an internet, it's rather more difficult. One option is to set up a network tunnel endpoint on the server and tunnel it to the client machine, which "knows" that it has the virtual network interface.
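The same-machine case from the answer above, as an added example that is not part of the original post: a test client binds its socket to a chosen local address (what `wget --bind-address` does) and the server reports the peer address it saw. It assumes the loopback range 127.0.0.0/8 is bindable, as on Linux; `test.local`, `127.0.0.2` and the documentation address `203.0.113.7` are constructed sample values.

```python
import socket
import threading

def can_bind(ip):
    """True if this host can use ip as a local source address."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((ip, 0))
            return True
        except OSError:  # address not assigned to any local interface
            return False

def serve_once(listener, seen):
    """Accept one connection, record the peer IP, echo it in a minimal HTTP reply."""
    conn, peer = listener.accept()
    with conn:
        conn.recv(4096)
        seen.append(peer[0])
        body = peer[0].encode()
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n"
                     b"Connection: close\r\n\r\n" % len(body) + body)

def request_from(source_ip, server_addr):
    """GET / with the client socket bound to source_ip; return the reply body."""
    with socket.create_connection(server_addr, timeout=5,
                                  source_address=(source_ip, 0)) as s:
        s.sendall(b"GET / HTTP/1.1\r\nHost: test.local\r\nConnection: close\r\n\r\n")
        data = b""
        while chunk := s.recv(4096):
            data += chunk
    return data.split(b"\r\n\r\n", 1)[1].decode()

def demo(source_ip="127.0.0.2"):
    """Run one request over loopback; return (IP the server saw, IP echoed back)."""
    listener = socket.create_server(("127.0.0.1", 0))
    listener.settimeout(5)
    seen = []
    t = threading.Thread(target=serve_once, args=(listener, seen), daemon=True)
    t.start()
    try:
        echoed = request_from(source_ip, listener.getsockname())
    finally:
        t.join(timeout=5)
        listener.close()
    return seen[0], echoed

if __name__ == "__main__":
    print(demo(), can_bind("203.0.113.7"))
```

The reply only arrives because the bound address is local to the client; an address the host does not hold is rejected at `bind()`, which is why the address must first be assigned to a (virtual) interface.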

杀手六號 2024-08-20 15:43:23

As noted in answers to the ServerFault question "Are IP addresses trivial to forge", you cannot easily forge source addresses in a protocol that requires two-way communication (e.g. TCP). Note that this "two-way communication" is required at the packet level. You cannot just say "no problem, I want to send requests and ignore HTTP responses." To establish a TCP session, you need to receive data. Your best bet is to use a proxy server.

甜是你 2024-08-20 15:43:23

I am unsure if the IP standard allows for this, but if you are working in a Lab environment, where you don't need internet connectivity during the test, I can see it working under following circumstances:

Basically, I would set the server's network interface to use netmask 0.0.0.0 and flush the rest of the routing table.

Then you could configure a client machine to take on any IP address as long as you use netmask 0.0.0.0. And two-way communication should be possible.

Server[1.2.3.4/0] <---> Client[x.x.x.x/0]

But please bear with me. I haven't tested this, so I could be wrong :-)

酒绊 2024-08-20 15:43:23

If you have access to your infrastructure, you can add an interface off the router and then place a static route on the router to that network.

Server-----Router----Internet
            /
Test_PC----/

Alternatively you can look into PBR (Policy Based Routing) and on the routers you can flag source packets and change the source on the fly, so your server will think they are coming from where you'd like them to come from.

Server-------------Router_with_PBR-------------Internet----- PC
SCR:4.2.2.2        Change SCR:6.6.6.6 to 4.2.2.2              6.6.6.6

But you have to ask yourself why you want to see when packets come from different countries. Some countries have massive proxy servers that filter access ("Great Firewall of China"), so the above tests will not prove much.

Your best bet then is using proxy servers or, if you're looking for a long-term solution, set up a server (virtual is great for this) and use RDP for testing. I'm sure you can rent a virtual server somewhere for a month or two.

酒废 2024-08-20 15:43:23

That's not possible, because when you forge the IP address, the response is never going to come back, which is required for HTTP.

The best way is to use proxies. See also this question on serverfault.

红墙和绿瓦 2024-08-20 15:43:23

If you change your source IP address, that means no traffic from your web server will be able to reach back to the client.

You might be able to use some kind of proxy and/or address translation filter to do the remapping while still allowing two-way communication.
