Subscribe to
NSLog(); Header Image

$500 (or more) Cocoa Project

A project I'm working on needs a small piece of software, and I'm a tad too busy at the moment to write it myself. The software, which should run on Mac OS X 10.3/10.4 and which should ideally have a Cocoa UI, has a few simple requirements. At its core, it's a method for testing server statistics software.

  1. Randomly per time frame, in seconds (customizable with high/low ) "visit" a web page and randomly follow links matching (for or against) a list of sub-paths (i.e. "cgi-bin"). Regular expressions would be overkill here - a simple "string contains" is all that's needed.
  2. Each visit should spoof a different (random) IP.
  3. The number of links followed should be random within a customizable high/low range. So one time, the app would "visit" one page, the next time it might visit five, following four links.
  4. The app should randomly choose from a set of four or five common browser user agents.
  5. The app should keep a log of some sort, probably plain text.

I realize that the IP spoofing is the toughest part of the app, but it's been done before. Content doesn't even need to be downloaded so long as your typical server stats software logs the visit properly and in such a way that it looks like a normal visit from a browser. Proxies are a potentially though far less desirable solution if spoofing cannot be done.

Anyone wishing to develop the app should contact me via AIM ("iacas"). The author will retain rights to the code, and I'll be using it only internally - it will not be repurposed and sold or any such thing.

If the $500 is low, there's room to go to $1500, but clearly the lower bidders have a better shot at the job.

6 Responses to "$500 (or more) Cocoa Project"

  1. This sounds cool. I could do everything but the IP nevermind ;). I think I'll do it for practice anyway.

  2. Someone violated the "or risk deletion" policy by leaving a fake name and email, but they raised the point that such an app could be used to raise Google AdWords income and other such things. Clearly, an application such as this could be used to do such things. However, such activity is also illegal and very much against AdWords' terms of service. It's really that simple.

  3. I am uniquely interested in how you plan to spoof 3-way TCP handshakes. This is not raw packet crafting where you can pack the source IP address and fire and forget, you actually have to be at the receiving end of the SYN/ACK.

    If you look at nmap which is an example of "using random IPs" (with your own as well I might add), a stealth SYN scan (half-open / incomplete three way handshake) is being used

    Spoofing doesn't make sense here. You could use a dynamic proxy setup similar to NetShade or tor+privoxy.


  4. Mark's right .. IP spoofing and TCP don't really mix. TCP uses a "3-way handshake" for establishing connection which requires that you be able to receive a packet from the server. If you spoof your source address, how are you going to get that packet?

    Here's how it works:

    You send a packet with the SYN bit set and an initial sequence number S1 (a random integer)The server either ignores you or responds with a packet with the SYN and ACK bits set, and its own initial sequence number S2 (a different random integer). It also sends its "acknowledgment number" as S1.You send with a packet with its ACK bit set, and the number S2 in the "acknowledgment number" field (and S1+1 in your sequence number field). Note that you have no way of knowing what S2 is if you didn't receive the packet in step 2. If you get this number wrong (ie. guess) then the server will ignore you.

    Note that the use of a random sequence number was not originally a security measure .. it was a way to make sure old packets from an old connection wouldn't be mistakenly interpreted as packets from the current connection. But it has a side effect of making IP spoofing difficult.

    See this page for a better explanation of the three-way handshake and sequence numbers

    I'm pretty sure that the TCP spec does allow you to include data in the first packet. But the receiving end won't actually pass that data up to an application until after the three-way handshake completes, so you can't use that to spoof connections to an HTTP server.

    If you could guess the initial sequence number used by the server, then you could spoof connections. Older TCP implementations used a timer to set the ISN, so those could be attacked. (You'd connect, get an ISN for a legit connection, disconnect, then use your knowledge of the timer to predict the ISN for a spoofed connection.) Newer implementations use random numbers in order to prevent spoofing.

  5. Hi Erik,

    in fact, from what I know about how IP works, you can't really spoof the IP address in TCP communication. The only way how to do what you want is running this kind of app on the same network as the web server. Then app can spoof it's IP and can also catch answers (if the network is not switched, which usually is these days).

    The easiest setup is to configure the webserver machine to use the app-machine as default router. As you say you need it only for testing purposes, such setup should be OK.

    Anyway, I'd be interested what software do you want to test, because web-statistics software usually works with logfiles, so real trafic is not required, only a logfile which can easily be generated. Anyway, why Cocoa app, some hacky-perl-script should do the same thing (for less money).

  6. Cocoa because the front end is easy. If the back end is Perl, so be it.

    And the IP address need not be purely spoofed, but merely spoofed enough to look real to the web server (Apache or IIS). If that's done via a list of proxies or any other methods, that's fine. Content doesn't need to be downloaded.

    I know how TCP works. I also know this has been done before (not always legally, I also realize).