ipfuscator: Zero-Allocation IP Address Obfuscation in Go

Hook

An IPv4 address has over a dozen valid representations that browsers and HTTP clients will happily accept—and most security filters only check one or two of them.

Context

IP-based access controls are everywhere: rate limiters, geographic restrictions, allowlists, denylists, and Web Application Firewalls. Security researchers and penetration testers frequently need to verify whether these controls can be bypassed through alternative IP address representations. While 192.168.1.1 might be blocked, the same address as 0xC0A80101 (hexadecimal), 3232235777 (decimal), or 0300.0250.0001.0001 (octal) often slips through naive string-matching filters.

Traditional approaches to IP obfuscation involve one-off scripts, online converters, or manual calculation—all painfully slow for testing at scale. When you're scanning thousands of endpoints or fuzzing IP-based parameters in a web application, you need transformations that execute in nanoseconds without garbage collection pressure. The dwisiswant0/ipfuscator library solves this by providing a blazing-fast, zero-allocation toolkit for generating alternative IPv4 representations in Go, purpose-built for security tooling and high-throughput scenarios where performance actually matters.

Technical Insight

The architecture of ipfuscator centers on a simple but clever design: the Obfuscate struct wraps a net.IP object and pre-computes all numeric conversions during initialization. By converting the four octets to a single uint32 once, every subsequent transformation method operates on this cached value without additional parsing or allocation overhead. This is why benchmarks show ToDecimal() executing in just 26 nanoseconds—there's no conversion happening at call time, just formatting of an already-computed number.

Here's how you'd use the library to generate multiple representations of a target IP:

package main

import (
    "fmt"
    "github.com/dwisiswant0/ipfuscator"
)

func main() {
    ip, _ := ipfuscator.New("192.168.1.1")
    
    // Standard conversions
    fmt.Println(ip.ToDecimal())        // 3232235777
    fmt.Println(ip.ToHex())            // 0xC0A80101
    fmt.Println(ip.ToOctal())          // 0300.0250.0001.0001
    
    // Creative obfuscations
    fmt.Println(ip.ToCircledDigit())   // ①⑨②.①⑥⑧.①.①
    fmt.Println(ip.ToIPv6())           // ::ffff:192.168.1.1
    fmt.Println(ip.ToStrippedZero())   // 192.168.1.1 (leading zeros removed)
    
    // Random variants for fuzzing
    fmt.Println(ip.ToRandBase())       // Mix of decimal/hex/octal per octet
    fmt.Println(ip.ToRand8Bits())      // Random 8-bit integer combinations
}

The zero-allocation claim rests on this pre-computation strategy. When you call ipfuscator.New(), the library parses the IP string once using the standard library's net.ParseIP(), then immediately converts it to a uint32 using bit-shifting operations: (a << 24) | (b << 16) | (c << 8) | d. Every transformation method then formats this single integer rather than repeatedly parsing octets. Methods like ToHex() use fmt.Sprintf("0x%X", o.dec), which leverages Go's optimized integer formatting. Since fmt.Sprintf returns a newly allocated string, check the per-method allocation figures with go test -bench . -benchmem before relying on the zero-allocation property in a hot path.

The thread-safety promise comes from the immutable design—once an Obfuscate struct is created, all its fields are read-only. You can safely call transformation methods from multiple goroutines without locks because there's no shared mutable state. This makes ipfuscator ideal for concurrent web scanners where you might be testing thousands of IP representations across parallel workers.

The CLI tool adds practical value by supporting glob patterns for method selection. Running ipfuscator -i 192.168.1.1 -m 'To*' executes all transformation methods, while ipfuscator -i 192.168.1.1 -m 'ToHex,ToOctal' targets specific conversions. This glob matching is implemented using Go's path.Match() function, allowing shell-like wildcards that integrate naturally into penetration testing workflows where you're piping results through grep, curl, or custom scripts.

Gotcha

The library's name promises IP obfuscation, but it's really IPv4-only with a thin IPv6 wrapper. The ToIPv6() method simply embeds your IPv4 address in the ::ffff: prefix format—it doesn't provide obfuscation techniques for native IPv6 addresses like compressed notation manipulation, mixed case hex, or leading zero variations. If you're testing IPv6 infrastructure, you'll need a different tool.

More importantly, ipfuscator is a representation engine, not a bypass oracle. It generates alternative IP formats but provides zero guidance on which representations will actually bypass specific security controls. The fact that your target accepts 0xC0A80101 instead of 192.168.1.1 depends entirely on how that target parses IPs—some HTTP libraries normalize everything, some only handle dotted decimal, and some have quirky behavior with mixed bases. You're still responsible for testing which obfuscations work against your target. The library also includes random methods like ToRandBase() that produce non-deterministic output, which can complicate debugging when you're trying to reproduce a successful bypass. Consider seeding your own randomization or sticking to deterministic methods for reproducible security tests.
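The parsing point above, seen from the filter's side: this is an added example (not code from ipfuscator or from the article) that folds the spellings listed in this article into one canonical address before matching a denylist, so the comparison happens on the parsed value and not on the string. The function names and the denylist prefix are assumptions made for illustration; Unicode digit forms such as the circled digits are not handled here and would need NFKC normalization first.

```go
package main

import (
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// canonicalIPv4 maps any inet_aton-style or IPv4-mapped spelling to one netip.Addr.
func canonicalIPv4(s string) (netip.Addr, error) {
	if a, err := netip.ParseAddr(s); err == nil && a.Unmap().Is4() {
		return a.Unmap(), nil // strict dotted quad or ::ffff:a.b.c.d
	}
	parts, v := strings.Split(s, "."), uint64(0)
	if len(parts) > 4 {
		return netip.Addr{}, fmt.Errorf("too many parts in %q", s)
	}
	for i, p := range parts {
		base, digits := 10, p
		if strings.HasPrefix(strings.ToLower(p), "0x") {
			base, digits = 16, p[2:] // 0x prefix: hexadecimal
		} else if len(p) > 1 && p[0] == '0' {
			base, digits = 8, p[1:] // leading zero: octal
		}
		n, err := strconv.ParseUint(digits, base, 32)
		bits := 8 // every part but the last is a single byte
		if i == len(parts)-1 {
			bits = 8 * (5 - len(parts)) // the last part fills all remaining bytes
		}
		if err != nil || n >= 1<<bits {
			return netip.Addr{}, fmt.Errorf("bad part %q in %q", p, s)
		}
		v = v<<bits | n
	}
	return netip.AddrFrom4([4]byte{byte(v >> 24), byte(v >> 16), byte(v >> 8), byte(v)}), nil
}

func blocked(input string, deny netip.Prefix) bool { // fails closed on unparseable input
	a, err := canonicalIPv4(input)
	return err != nil || deny.Contains(a)
}

func main() {
	deny := netip.MustParsePrefix("192.168.0.0/16") // constructed denylist and inputs
	for _, in := range []string{"192.168.1.1", "0xC0A80101", "3232235777", "0300.0250.0001.0001", "::ffff:192.168.1.1"} {
		fmt.Printf("%-20s string match=%-5v canonical match=%v\n", in, strings.HasPrefix(in, "192.168."), blocked(in, deny))
	}
}
```

Only the first input is caught by the string prefix check, while the canonical check matches all five.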

Verdict

Use ipfuscator if you're building security scanners, penetration testing tools, or fuzzing frameworks that need to generate IP address variations at high throughput with minimal overhead. It's particularly valuable when testing IP-based access controls, bypassing naive filters, or validating WAF rules. The zero-allocation design makes it the right choice for performance-critical paths where garbage collection pressure matters. Skip it if you need comprehensive IPv6 obfuscation capabilities, semantic validation of which formats will bypass specific targets, or if you're only doing occasional one-off conversions where standard library functions or online tools suffice. Also skip if you need formats beyond IP addresses—for URL or domain obfuscation, you'll need complementary tools.
