Tech Off Thread

5 posts

IP spoofing in VSTS team edition for Testers

Back to Forum: Tech Off
  • starborn

    can anybody explain me as to how IP spoofing is handled in VSTS 2008 team edition for testers???

  • tgraupmann

    starborn wrote:
    

    can anybody explain me as to how IP spoofing is handled in VSTS 2008 team edition for testers???



    The process is actually quite simple.

    I'll give you a few hints and maybe you can figure it out...

    1) How many free CGI or Php web hosts are out there?
    There are thousands of free hosting sites out on the web. Think of sites like Geocities. You can make a free web page with a few ads on it. Every single free web host gives you a way to commit IP spoofing fraud.

    2) How easy is it to get an AOL dial-up evaluation?
    The best part of AOL dialup CDs are being anonymous. You'll find each time you connect via dialup that you get a new IP. You'll find that each IP is recycled nationally across the USA making discounting anything you do with generating fraud queries, impressions, or clicks hard to detect.

    3) Do you know how to solve for encoded url parameters in Php or CGI?
    The idea of a web proxy is not new. Anytime you setup a router you've done it. So when you setup your free homepage, why not use it like a web proxy. Just build a php or cgi page that makes a web request from the server. Like any good programmer, you need to make your home page modular. So why not make the URL that your homepage fetches into a url parameter. Your home page solves for the URL parameter and browses any URL you want.

    Combine all three and you have a way to make untracable ip spoofing fraud. You browse under the mask of AOL. You generate web requests from any part of the world you choose to setup your "homepage". And you make money. In the words of SouthPark... Step 1 (planning) Step 2 (...) Step 3 ($$$Profit$$$).

    So where does the profit come from. Start from the easiest place, online advertising. You'll find clicking links can make 0.50 or more using Google Ad Sense.

    I give you this information freely, because you are a tester. And you need to bring up new ideas and ways to prevent these kinds of fraud which are so easy to commit.

    When you detect this kind of fraud, you have about a day to track it down. First you identify the bad ip address. Then you supena the ISP. You get their records and see the request originated from AOL. You supena AOL and find out that some unknown AOL caller used an eval CD to make the request. Checking phone records, you find the call originated from a public telephone, or library. Even still investigation could take longer.

    Anyway, easy to do, hard to track down...

  • tgraupmann

    Another note, how hard is it to find a crook that would do something like this?
    http://www.engadget.com/2007/11/22/xbox-360-returned-critical-components-not-included/

    I don't know, they seem to be everywhere.

  • tgraupmann

    In Visual Studio you could do all this using a UnitTest created by test case manager.

    In your test case, issue a WebRequest.Create(...) call to your proxy web server and that should spoof the IP.

  • tgraupmann

    I haven't seen a way that you can do IP spoofing from a single machine.

Comments closed

Comments have been closed since this content was published more than 30 days ago, but if you'd like to continue the conversation, please create a new thread in our Forums, or Contact Us and let us know.