DEV Community

Cover image for IP Info was a mistake, and how digging for the source of the problem is tricky
Voltra
Voltra

Posted on

IP Info was a mistake, and how digging for the source of the problem is tricky

#security #ip

IP Info is the list of information that is publicly available from just having your IP Address (whether that be IPv4 or IPv6).

Some businesses even use that as their source of income (which I'm pretty sure is illegal).

So what can you get from an IP Address? Well just about any of the following:

  • Hostname
  • City
  • Potentially inaccurate zipcode
  • Region/State
  • Country code
  • (I hope inaccurate) latitude and longitude
  • Timezone
  • ASN info
  • Internet Service Provider info
  • Security info (such as whether you're using a VPN, Tor, a proxy, a relay, or if you're hosting a server)
  • Abuse contact info

If you ask me, none of that should be available. Or at the very least, not freely available to literally anyone.

The question that naturally comes to mind is: Why the hell is this even available in the first place?

Well, it's a bit complicated. The RFC 791: IP Protocol doesn't mention any of it. Neither does RFC 997: Internet Numbers, nor RFC 1519: CIDR, nor RFC 1531: DCHP, nor RFC 903: RARP, nor RFC 2460: IPv6.

Clearly, it's absolutely not needed for the Internet Protocol (and related stuff) to be functional.

So what's going on?

I found RFC 8805: A format for self-published geo-location feeds which explains that at least Google (sigh... not again) accepts such a format. Thus IP prefixes can have geolocation baked in those lists. But that's from 2020.

There was an abandoned RFC 1876: Location within DNS that the Investigating the Imprecision of IP Block-Based Geolocation research paper cites, and tells you that alternatives "had" to be used. So it's not in there.

What's the need?

The "need", at least as expressed in RFC 8805, is to be able to better serve content to end users. I mean sure, but that only requires one or max two pieces of info: the country and the region/state. Why the hell is the rest available? Why is it freely and openly available!?

A glimpse at the source?

Turns out that the research paper cited above has one interesting reference: An investigation of geographic mapping techniques for internet hosts.

This 2001 paper doesn't talk about how things have been done, but how things could be done. And once again, it's a case of scientists asking themselves whether they could, before asking themselves whether they should.

You think this is bad? Well I'll give you this treat for you to check out on your free time. The only thing I'll tell you is that it's from 2023...

What did we learn?

The Internet Protocol has been plagued by a lack of security that even IPSec cannot help and fix. Scientists have been very eager to help anyone get more and more information about you from simply an IP Address. Why? I guess we'll never know (spoiler: it's greed or scientific stupidity).

A simple number, used to help in information exchange, now allows people to passively get information about you. A 32 bit number, now gives you access to bytes upon bytes of data on someone.

That there is a lot of unnecessary endangerment, that should have been trivially avoided. Could there be a legal case to be made? I'd like for that to be true. If even scientists are eager to give out your privacy for free, only that could potentially fix the issue (along with making it "more" illegal I guess).

My recommendations?

  1. Never share your IP Address (duh)
  2. Never (accidentally) expose your IP Address (e.g. using any kind of P2P or direct connections)
  3. Use any masking tool at your disposal (e.g. VPN, Proxy, etc...)
  4. Tell your friends, family, etc.

Top comments (2)

Collapse
 
jonte_holmgren_af5f124c97 profile image
Jonte Holmgren

Cute panic post, but this is just pure techno-paranoia.

Let’s get facts straight: an IPv4 address is a routing number, not a warrant. Yes, public IPv4s are trivially discoverable (ZMap/masscan can sweep most of the routable space in minutes).

Saying “scientists want to give out your privacy for free” sounds dramatic, but it’s mostly engineers trying to solve content delivery, diagnostics, and legal/abuse workloads. There’s a business model there, certainly, but there’s also utility: geolocation helps serve the right language, CDN edge routing, and fraud detection. Meanwhile, VPN companies, privacy startups, and fearmongers have a strong incentive to make everyone think IPs are some kind of secret key to your life. They benefit from the paranoia.

For the record my public ipv4 is 5.150.205.63 and my ipv6 prefix is 2600:70ff:b034::/48

Some comments may only be visible to logged-in visitors. Sign in to view all comments.