How to Test ASP.NET Application That Depends on IP Address

Question

I have written an ASP.NET application, and in this application I log the request IP address. And I also serve different content according to different IP range.

My question is, in my limited test environment, I only have 5 machines, each machine has only 1 IP address, I want to test fully about the function of my IP address based ASP.NET, so in my situation how to create HTTP request which contains arbitrary IP address beyond the 5 IP address of my test machines?

Solution in .Net/C# is appreciated. But any existing tool is appreciated as well.

EDIT1: I am writing a school education web application which serve different content to student from different cities. Different cities have different classes/seminar/training and I want to display the most revelant content according to (proxy) address of the branch of the school in specific city.

Answer 1

One option is to change your logic to look at IP Address or the X-Forwarded-For header. This header is often used to indicate the originating IP address when a request goes through a proxy server. While yes you don't need to take into account proxies here but doing so will give you a very very easy way to test your logic.

I think this will be your quickest route rather then trying to spoof IP addresses.

Edit

        Uri uriObj = new Uri("http://localhost");
        HttpWebRequest request =
         (HttpWebRequest)WebRequest.CreateDefault(uriObj);

        request.Headers.Add("X-Forwarded-For", "125.125.125.125");

        WebResponse response = request.GetResponse();
        StreamReader reader = new StreamReader(response.GetResponseStream());
        Console.WriteLine(reader.ReadToEnd());

Edit

You need to change your server side logic to look like:

    string ip = Request.Headers.Get("X-Forwarded-For");
    if (string.IsNullOrEmpty(ip))
    {
        ip = Request.UserHostAddress;
    }

This basically says if the header is included then use that otherwise use the IP address they tell me. This way both your test code and real users will be picked up.

Answer 2

Perhaps you can test your logic by simply sending an http "referer" header. For example:

Dim request As System.Net.HttpWebRequest = System.Net.HttpWebRequest.Create("www.MySite.com")
request.Referer = "http://1.2.3.4"
Dim response As System.Net.HttpWebResponse = request.GetResponse()

Answer 3

ooops. wrong stuff

Answer 4

You should not depend on IP addresses. If one of your clients is behind any sort of proxy server or Network Address Transalation device, then they will not have the IP address range you expect. Even if your current network has no such devices, it makes little sense for your application to restrict the ways in which the network can change in the future.

You should use a real authentication mechanism to determine who your clients really are. IP addresses are explicitly not designed to identify computers.

---

EDIT in response to George's edit.

Your scenario is one in which you should definitely not depend on IP addresses. You want to depend on the IP address as a stand-in for the geographic location. That's just lazy design. The fact that IP addresses happen to have some indirect correspondence to geographic location is nothing more than an artifact of the process with which they are (currently) assigned.

Instead, if geographic location matters, then your clients should tell the server what their location is! Then it will always be accurate, even if the network changes.

Answer 5

Here at work we use virtual machines. You can have as many ips as you want. They are several products around. We mostly use http://www.virtualbox.org/ (its free...lol).

Just build one and then copy/paste. Configure the fixed ips. And thats it; you can even test all in the same physical pc!

Hope this help... :)

Answer 6

Set up your site on a lan, create virtual machines, and assign those machines different static IP addresses on the lan. Change the IP ranges in your app to those on the lan, make sure it works, then set the ranges to what you want in the production version of your app. You should have a development version of the site, and there's no reason that can't be on a lan.

Answer 7

Spoofing IP addresses is not possible (or at least not easy at all) in windows because of the raw socket limitations .. etc.

You might use hping tool under linux, or WinPcap library for windows to generate raw packets, but you gonna spend lots of time for nothing.

I guess the best way is to set the IPs of your 5 machines manually into different IPs (one from each range you use).

Answer 8

The IP comes from the TCP/IP headers, not the "real" body of the HTTP request. So it's non trivial to forge. But if you're on a LAN, you can just use static IPs to test.