I asked a client to send me the ip address of all of their locations so that I could block them from analytics.
Most of them are what I know as normal: 0.00.000.000
but some of them are coming to be kind of like this: 2001:500:f000:100:7000:40d0:3000:400c
They are all going to google and typing "whats my ip address" and sending me the results. Is the second example an ip address I can exclude? do I need to convert it some how?
Those are IPv6 addresses. What you're looking at inside the usual xxx.xxx.xxx.xxx format is IPv4.
These two formats of addressing are entirely incompatible with one another. They cannot be "converted", however when dealing with application layer systems they should/usually work in almost the exact same way. i.e. if you were to ban an IPv6 address, it would work in the same way as banning an IPv4.
There's a plethora of documentation available online about IPv6, and it's probably a bit out of scope for this site, so I hope that helps you figure it all out! Even if it is just a single piece of your puzzle :)
Related
Is it possible for someone to track a dynamic IP address, if so what would it take and how would it manifest?
Would the person doing so be able to log every change in your ip range and eventually end up with the whole set of ip's you are able to have?
Is it possible to make my dynamic ip change in a different pattern, say in a more extreme way, making it harder for someone to trace it as described above? Is it possible to encrypt it somehow, and also all other information such as hardware MAC's / Inet MAC etc. everything.
The answer is yes and no.
In most cases only your service provider (and law enforcement) will have a log of all IPs you had and start/end times of each lease. You basically can't do anything to prevent this because they need to be able to identify you as their customer with a valid contract. This is usually done via MAC address of CPE equipment you get from service provider or by some login credentials (for PPPoE for example). There is no such thing as encrypting the IP and changing your MAC address would not prevent service provider from identifying you. For someone else there is no reliable way to track you. The closest thing they can find is the scope (or scopes) from which dynamic IP addresses are issued.
At the other hand, when you mix the technology and psychology, every one of us leaves the unique fingerprint when browsing the web. If you examine the combination of software someone uses, their traffic patterns (amount of traffic, sites they visit, activity during the day), their behavior and style of writing, etc, you can not just link them to some IP address but make a distinction between different users behind the same IP address. Anyway collecting this data is really hard which makes it improbable, especially if we are talking about ordinary internet users.
I mean how can a mere website tell my I.P. address and the ports that are available to forward? For example what do I have to do in order to incorporate this kind of facility on my website?
A website must know what your IP address is, otherwise how else would it know where to send the data packets back to?
Also it does not know which ports "are available to forward". It only knows which port your request originates from (this port is random).
Your computer may be making many requests simultaneously from various programs, so knowing the correct IP address makes sure the data gets back to the right computer, and knowing the correct port makes sure it goes to the correct program (or more specifically, the correct process).
I'm working on a communication protocol that should support self configuration by broadcasting / multicasting the peers' address over the local network. The intuitive way would be to broadcast the address, but as it turns out, it's pretty hard to reliably figure out the local IP address of the current machine (depending on the configuration, you might get "127.0.0.1" or another useless address).
The alternative is to not include the host address in the broadcast message, but to have the receivers call recvfrom on their socket which not only returns the received data, but also the sender's address. As I see it, that call is available on both Unix and Windows (one of my requirements) and probably some more platforms. My question now is, are there situations where this might fail and recvfrom returns an unreachable or otherwise useless address?
If you limit this technique to only broadcast UDP, you should be fine. The only things that tend to mess with this are things like dual NAT or hairpin NAT. That's just not done with broadcasts that are local only anyway.
Any address is subject to becoming unreachable (and therefore useless by your definition) at any time. Your software should be prepared to deal with that.
You can reliably determine the system's IP addresses (note the plural, more on that in a minute) by enumerating the interfaces. How you do this will differ among platforms as there's nothing in a standard (e.g., POSIX) that specifies how it should be done. Many Unixy systems have a getifaddrs() call; Windows does something else. Either way, isolating that code should be easy.
Your software also shouldn't make the assumption that IP it comes across is "the" address. On a system with more than multiple interfaces (which is most of them if you count the loopback), routings may change or someone may want to run your protocol on a segment that isn't on the same interface as the default route.
If you're going to broadcast a message, you need to do it once on every interface which is up, loopbacks included, unless you're configured to do otherwise. The broadcast should also happen from each of those interfaces so it has the proper address. You can't assume that other hosts on the same segment as any interface know about any other interface or have a way to route to their addresses.
If your protocol is intended for use only on connected segments, throwing away data from non-connected subnets would be a reasonable thing to do.
(please redirect my question to relevant stack site, if I am in wrong place, however here I feel guaranteed to get help)
When playing with traceroute command I want to be sure I am not connecting to virtual host that may be dynamically mapped to a number of geographically dispersed servers(since it does not make much sense to track packets jumping from continents).
So more precisely with concrete example: how to prove with help of nslookup -querytype=NS google.com that google may redirect me to different servers across the world. I tried IPconfig locator for all values returned by nslookup, it always returns same location: California Mountain View.
It seems I don't understand something really important in here. Thanks.
update: tried nslook up from australian server, all the ip adresses still point to same location..
You cannot prove the location of any host. At the very best you can make an educated guess.
Geolocation databases are a big list of IP addresses and where the machines hosting those addresses are believed to be located. But they are just a guess and even the best of them are only 90% accurate to the state/regional level, meaning 10% of the addresses are someplace completely different. I use MaxMind because they have a fairly accurate free version and their commercial versions are not too expensive. They also have a free web-form where you can do 25 lookups per day.
You can use tools like traceroute to see some of the machines between you and your destination. Sometimes they have geographic locations in their DNS names. Sometimes their IP addresses will be listed in Geolocation databases. However, not all routers respond, many segments are virtualized and so their hops/routers are invisible, and firewalls may block the trace before it completes.
DNS databases list the address of the organization who owns an address or domain. DNS names themselves can be anything anyone wants, so even they contain geolocation information, there is no reason to believe it is true. In particular, a router might have a DNS name indicating the destination its connecting to, or even the administrative office responsible for it, and not the physical location of the device itself.
The IP address you are talking to can forward anything it wants to anywhere else it wants and there's absolutely no way you can detect that. So you can only follow the trail up to a point.
To make a good guess for the location of a host, look-up its IP address in a geolocation database, then run a traceroute and look-up the IP address of the last router before the destination. That will get you as close as you can.
How can I detect if another host is using the same MAC address as the current host, e.g. because the other host is spoofing?
I'm working in an embedded environment, so looking for answers on a protocol level, rather than “use such and such a tool”.
Edit: RARP does not solve this problem. For RARP to get any reply at all, there has to be at least one host on the segment which supports RARP. Since RARP is obsolete, modern operating systems don't support it. Furthermore, all RARP can do is tell you your own IP address - the response won't be any different if there’s another host on the segment with the same MAC, unless that host has itself used a different IP address.
This question is too interesting to put down! After several false starts I started thinking about the essential components of the problem and scoured the RFCs for advice. I haven't found a definitive answer, but here's my thought process, in the hope that it helps:
The original question asks how to detect another device with your MAC address. Assuming you're on an IP network, what's required to accomplish this?
The passive method would be simply to listen to traffic and look for any packets that you didn't transmit but have your MAC address. This may or may not occur, so although it can tell you definitively if a duplicate exists, it cannot tell you definitively that it doesn't.
Any active method requires you to transmit a packet that forces an impostor to respond. This immediately eliminates any methods that depend on optional protocols.
If another device is spoofing you, it must (by definition) respond to packets with your MAC address as the destination. Otherwise it's snooping but not spoofing.
The solution should be independent of IP address and involve only the MAC address.
So the answer, it seems, would be to transmit either a broadcast (ethernet) packet or a packet with your MAC address as its destination, that requires a response. The monkeywrench is that an IP address is usually involved, and you don't know it.
What sort of protocol fits this description?
Easy Answer:
If your network supports BOOTP or DHCP, you're done, because this authoritatively binds a MAC address to an IP address. Send a BOOTP request, get an IP address, and try to talk to it. You may need to be creative to force the packet onto the wire and prevent yourself from responding (I'm thinking judicious use of iptables and NAT).
Not-so-easy Answers:
A protocol that's independent of IP: either one that doesn't use the IP layer, or one that allows broadcasts. None comes to mind.
Send any packet that would normally generate a response from you, prevent yourself from responding, and look for a response from another device. It would seem sensible to use your IP address as the destination, but I'm not convinced of that. Unfortunately, the details (and, therefore the answer) are left as an exercise for the OP ... but I hope the discussion was helpful.
I suspect the final solution will involve a combination of techniques, as no single approach seems to guarantee a dependable determination.
Some information is available at http://en.wikipedia.org/wiki/ARP_spoofing#Defenses
If all else fails, you may enjoy this: http://www.rfc-editor.org/rfc/rfc2321.txt
Please post a follow-up with your solution, as I'm sure it will be helpful to others. Good luck!
You could send an ARP request for each possible ip in the subnet.
Of course the source address of the ARP request must be ff:ff:ff:ff:ff:ff, otherwise you might not see the response.
I forged a packet like this with bittwiste and replayed it with PReplay and all the hosts on the network got the response. (I don't know if these forged ARP packets are legal or not... some OSes might ignore them)
Here is what the forged package looked like:
Here is what the reply looked like:
If you watch the responses and see your MAC address in one of the packets (in the red rectangle) , than someone has the same MAC address as you do...
Unfortuantely I couldn't test the theory fully because none of my (Windows) machines care about me trying to set the nic's MAC address...
Two hosts using same MAC address on a single network segment would probably make switches go nuts and you could probably detect it by having an extremely unreliable network connection (as the switches would send some portion of packets that belong to your host to the second one, depending on which one of you sent the last packet in their direction).
This is very late, and a non-answer, but I wanted to follow up with exactly what I did in case anyone else is interested.
I was working with some very weird embedded hardware that doesn’t have a MAC address assigned at manufacture. That means we needed to assign one in software.
The obvious solution is to have the user pick a MAC address that they know is available on their network, preferably from the locally-administered range, and that’s what I did. However, I wanted to pick a reasonably safe default, and also attempt to warn the user if a conflict occurred.
In the end I resorted to picking a random-ish default in the locally-administered range, chosen by making some hardware readings that have moderate entropy. I deliberately excluded the beginning and end of the range on the assumption that those are moderately more likely to be chosen manually. The chances are that there will only be one of these devices on any given network, and certainly less than 20, so the chances of a conflict are very low, albeit not as low as they could be due to the somewhat predictable random numbers.
Given the low chances of there being a problem, and despite the excellent answers above, I decided to dispense with the conflict detection and make do with a warning to the user to look out for MAC conflict problems.
If I did decide to implement conflict detection, then given that I control the whole network stack, I would probably look out for excessive unknown or missing packets, and then trigger a change of MAC address or warn the user when that happens.
Hopefully that will help someone else somewhere – but probably not!