They could use a proxy to "spoof" their IP. But there is no known way
they could use IP spoofing to use any old IP address, as the voting
app runs via HTTP, which runs over TCP, which requires a full
connection, and the known spoofing attacks on TCP are blind, e.g. you
can send but not receive data. So HTTP would not work over blind TCP.
I think that if one vote, or any small number of votes were allowed
per IP, the attack would have been much more difficult, as there
simply are not tens of thousands of readily available proxies, unless
these people have access to a big botnet.
A downside to one vote per IP is that AOL and some organizations place
their outgoing web traffic behind one or a small pool of IP addresses.
So these users wouldn't have been able to vote.
> A downside to one vote per IP is that AOL and some organizations place their outgoing web traffic behind one or a small pool of IP addresses. So these users wouldn't have been able to vote.
That would not have been such a big problem. But be sure to play 'dead man' and maintain the illusion that every vote counts.
Even more devious would be accepting the unwelcome votes, but also reversing each one of them after a random time has passed. This way the attackers get the illusion that their attacks succeed, but are fought back (or drowned out in counter-votes from real people) only a few hours later.
This would potentially block voters from DSL and cable modem accounts who use a small pool of shared IPs via dynamic reallocation. This would also mess up office networks using NAT. Both these effects would seriously bias any poll...
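The per-IP cap and the delayed reversal discussed in this thread, sketched as an added example (not code from any poster or from the voting app). The `VoteLedger` class, the cap of 2, the delay window and the documentation-range IP addresses are all assumptions made for illustration. It also shows the cost raised in the last comment: the third voter behind a shared NAT address is silently dropped.

```python
import random
from collections import defaultdict

class VoteLedger:
    """Hypothetical poll backend: per-IP cap, silent accept, delayed reversal."""

    def __init__(self, cap=1, min_delay=3600, max_delay=6 * 3600, rng=None):
        self.cap = cap                      # votes counted per source IP (assumed policy)
        self.min_delay = min_delay          # seconds before an over-cap vote is reversed
        self.max_delay = max_delay
        self.rng = rng or random.Random()
        self.seen = defaultdict(int)        # votes received per IP
        self.votes = []                     # (choice, cast_at, revert_at or None)

    def cast(self, ip, choice, now):
        """Record a vote; the response is identical whether or not it will count."""
        self.seen[ip] += 1
        revert_at = None
        if self.seen[ip] > self.cap:
            revert_at = now + self.rng.uniform(self.min_delay, self.max_delay)
        self.votes.append((choice, now, revert_at))
        return "accepted"

    def tally(self, now):
        """Displayed count at time `now`; over-cap votes show until reverted."""
        counts = defaultdict(int)
        for choice, cast_at, revert_at in self.votes:
            if cast_at <= now and (revert_at is None or now < revert_at):
                counts[choice] += 1
        return dict(counts)

def demo():
    # Constructed traffic using documentation-range IPs.
    led = VoteLedger(cap=2, min_delay=10, max_delay=20, rng=random.Random(1))
    for _ in range(500):                    # one proxy submitting many votes
        led.cast("192.0.2.7", "A", now=0)
    for _ in range(3):                      # three real users behind one office NAT
        led.cast("198.51.100.9", "B", now=1)
    led.cast("203.0.113.4", "B", now=2)     # a single home user
    return led.tally(5), led.tally(30)      # before and after the reversal window

if __name__ == "__main__":
    print(demo())
```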