Hi guys. I need some expert advice as this isn't my area...

Let's say a third party wants to do a very convincing job of using bots to make it appear that real users are navigating an ecommerce site. So that would mean spoofing IPs of real users and ensuring navigation patterns resemble that of real users. The obvious problem is the bidirectional issue with IP spoofing, i.e. the spoofer sends requests, but won't get a response. For example, if the spoofer wants to post forms, e.g. add to basket, they're working blind.

So, to deal with this, could the spoofer initially hit the page / add to basket / etc from a non-spoofed IP address and note the response. They then do the same thing from the spoofed IPs and ensure it matches what happened on the non-spoofed one. They could then do this multiple times from multiple spoofed IPs and it would look convincing in the server logs. They would presumably need to re-hit the page from the non-spoofed IP every now and then to ensure nothing has changed.

Is this approach plausible to make the bot more convincing or have I missed something that would preclude this, e.g. protocol handshaking issues?

BTW, I'm asking this because I'm fairly sure based on our stats that we're being intermittently hit by bots that are spoofing IPs and simulating user behaviour.