Hello all

I have noticed certain sites which allow limited hits per IP, so can I programmatically make them feel that requests are not coming from the same IP?

Well, I am not very sure about HTTP packets, but can we specify it in a header or somewhere to fool them?

Here is the code for the GET request:

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.URL;
import java.net.URLConnection;

public static String sendGetRequest(String endpoint, String requestParameters) {
    String result = null;
    if (endpoint.startsWith("http://")) {
        // Send a GET request to the servlet
        try {
            // Build the URL, appending the query string if one was given
            String urlStr = endpoint;
            if (requestParameters != null && requestParameters.length() > 0) {
                urlStr += "?" + requestParameters;
            }
            URL url = new URL(urlStr);
            URLConnection conn = url.openConnection();

            // Read the response line by line (line terminators are dropped)
            StringBuilder sb = new StringBuilder();
            try (BufferedReader rd = new BufferedReader(new InputStreamReader(conn.getInputStream()))) {
                String line;
                while ((line = rd.readLine()) != null) {
                    sb.append(line);
                }
            }
            result = sb.toString();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
    return result;
}
+3  A: 

Firstly, I'd hope that any sites which are trying to do source throttling aren't going to trust some arbitrary header. The packet says where the response has to go back to - I'd hope that they'd throttle based on that.

Secondly, if a site doesn't want you to hit them repeatedly, don't you think it's rude of you to try to circumvent that? If I were a site owner and I noticed someone trying to do that, I'd probably blanket ban them if at all possible.

Jon Skeet
I am planning this to secure my own site, and can you tell me which are the parameters I need to check at
org.life.java
@abc: That will entirely depend on how your site is implemented - but I'd expect there to be some part of the API which gave you the source API address. It may end up being a proxy, but that should still be good enough in many cases.
Jon Skeet
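
The check described in the answer and comments above, as an added example that is not part of the original thread: a per-client throttle keyed on the address the connection actually came from, consulting a forwarding header only when the peer is a proxy you run yourself. The class name, the trusted proxy address, the limits and the sample requests are assumptions constructed for illustration, and X-Forwarded-For is assumed to be the header your own proxy appends to.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Added example: throttle on the TCP peer address, not on a client-controlled header.
public class SourceIpThrottle {
    // Assumption: addresses of reverse proxies you operate yourself (constructed value).
    private static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5");
    private static final int LIMIT = 3;            // requests allowed per window
    private static final long WINDOW_MS = 60_000;  // window length in milliseconds
    private static final class Window { long start; int count; }
    // Entries are never evicted here; a long-running service would expire idle ones.
    private final Map<String, Window> windows = new ConcurrentHashMap<>();

    // peerAddr is what the socket reports (e.g. ServletRequest.getRemoteAddr());
    // forwardedFor is the raw X-Forwarded-For header value, or null if absent.
    static String clientKey(String peerAddr, String forwardedFor) {
        if (forwardedFor == null || !TRUSTED_PROXIES.contains(peerAddr)) {
            return peerAddr;  // header ignored: any client can send any value
        }
        // Assumption: our proxy appends the address it saw, so only the last entry counts.
        String[] hops = forwardedFor.split(",", -1);
        String last = hops[hops.length - 1].trim();
        return last.isEmpty() ? peerAddr : last;
    }

    boolean allow(String peerAddr, String forwardedFor, long nowMs) {
        Window w = windows.computeIfAbsent(clientKey(peerAddr, forwardedFor), k -> new Window());
        synchronized (w) {
            if (nowMs - w.start >= WINDOW_MS) { w.start = nowMs; w.count = 0; }
            return ++w.count <= LIMIT;
        }
    }

    public static void main(String[] args) {
        SourceIpThrottle t = new SourceIpThrottle();
        long now = System.currentTimeMillis();
        // Constructed requests: one direct client sending a different header value each time.
        for (int i = 1; i <= 5; i++) {
            boolean ok = t.allow("203.0.113.7", "198.51.100." + i, now + i);
            System.out.println("direct, header #" + i + " -> " + (ok ? "allowed" : "throttled"));
        }
        // Constructed requests through the trusted proxy, with a client-supplied first entry.
        for (int i = 1; i <= 5; i++) {
            boolean ok = t.allow("10.0.0.5", "198.51.100." + i + ", 203.0.113.9", now + i);
            System.out.println("via proxy, prefix #" + i + " -> " + (ok ? "allowed" : "throttled"));
        }
    }
}
```

In both loops the throttle key stays the same no matter what the client puts in the header, so the limit is reached after `LIMIT` requests.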
A: 

No, spoofing your IP is not something you can do in your HTTP headers.

Firstly, I'd suggest that whatever limit you're trying to get around - don't bother. It's there for a reason, and you'd probably be breaking someone's terms of use for a service.

Secondly, if you're absolutely determined, I'd say the only way you'd be able to make it look like the request was coming from a different IP would be to actually make it come from a different IP - i.e., by using a bunch of proxies.

Mailslut
I am planning this to secure my own site, and can you tell me which are the parameters I need to check at
org.life.java
A: 

No, sites that perform rate control based on source IP would be very naive if they implemented it using spoofable headers.

kasperjj
A: 

No, you can't do it programmatically, unless you are using some kind of proxy.

Normally the IP detection comes from the IP level, not from the HTTP header. If someone is detecting IPs through the header, well...it's wrong.

pakore
A: 

No, it isn't possible to fool such systems using just an HTTP header change. A possible way to achieve your goal would be using the Tor network.

Vadim Fedorov
A: 

I am guessing the filter is being applied at the IP packet level rather than at the higher level HTTP level. In this case Yes and No.

Yes - it is technically possible to spoof your IP address so the packets look like they've come from elsewhere.

No - in that it is unlikely to be useful. If you spoof the "from" address on the packets, then any replies from the machine you are connecting to will be lost as they try to route to the spoofed IP address. You'll get nothing back.

Rob Levine
A: 

The "proper" way, if I can use that term for something unwholesome, to make sites think a different IP has made a request is to use a proxied connection. The site is probably actually checking the source IP address, which is not a property of the HTTP request. So, the response will be delivered to your "other" IP. You should look at ssh -D, or privoxy, or another piece of software to funnel all your traffic with the site through a remote intermediary.

Borealid