Whenever I see someone on the internet ask the question, "Can someone find out my IP Address from my tweets/my tumblr/facebook posts/whatever else", the response I always see is, "Who cares! An IP Address doesn't even tell anyone anything! It's just a ruse, a scare tactic, people are so stupid to worry about it!"

I've seen how much information a skilled hacker can get once they trace back from an ip address and even for the average person, simply having a general vicinity of where someone is from or being able to show the ip address linked to an anonymous posting as identical to something posted under someone's real world info can be enough to fuel a fire.

I personally was being harassed online by someone where it was common knowledge that she lived in a very remote part of Wyoming. We had a traffic tracker on my website which included a breakdown of visitors by ip address and then more detailed information attached to the ip address (location, time visited, pages visited, etc).

Even though it's not enough to prove definitively that it was this person, everyone thought it was an awful coincidence that the same ip address listed as being from that very same small area of Wyoming kept popping up at the very same times when the woman was visiting the site to harass me. Especially since it was the only ip address tied to Wyoming. It was enough to have the ip banned.

Also, in the case of a static ip address, it seems it can be even worse. Example, a friend of mine was being stalked by someone. She used to post to her journal from her office. Her company's office had a static ip address.

Her stalker was able to get her ip address from her journal posts somehow and unlike a dynamic ip address, when he looked up the info on the static one it gave, it showed all of the company's information, including the street address of the building. He showed up there one day and security had to be called to have him removed.

My question, then, is whether or not the real "ruse" is saying that no one can get any meaningful information from an ip address and the fact that people are constantly being told not to worry about it when they should at least know how people can get their ip address if at all when on the web?

As people who work with security issues and/or programming with security in mind, do you personally feel that the privacy of someone's ip address should be a concern when building sites or do you guys agree that it's nothing worth worrying about?

  • 349
  • 3
  • 3
  • Thanks so much for all of the info and feedback on the matter everyone, especially as far as differences between the privacy issues and the security of the system itself! – Anon Jan 16 '13 at 19:37
  • 9
    Worrying about having your machine hacked because someone might have your IP address is like worrying about having your house broken into because your street address is listed on mail you've sent to other people. It's a necessary requirement for the system to function. – Stephen Touset Jan 18 '13 at 02:48
  • 1
    @StephenTouset that's really not the issue the OP was talking about, though, was it? They were talking about the issue of an anonymous person being able to find you, the corporeal person, more easily if sites like social media sites are careless with your IP address. With physical mail, you don't typically go around posting it on bulletin boards at the mall. You send it to a business entity or an individual person you know or have reason to interact. For a stalker to get hold of that would require stealing mail along the way or from the destination. You're comparing apples and oranges. – Craig Tullis Jan 04 '15 at 21:20

8 Answers8


Revealing your IP address doesn't compromise the security of your machine. If an attack on your machine is untargetted (i.e. the attacker just wants to use it to send spam or fishing emails, or as a proxy for targetted attacks), your machine will be scanned at random, not based on the IP address that may be posted in a forum. If the attack is targetted, the person conducting the attack will usually know enough about you to find out your IP address anyway, the real security comes from not having a vulnerable machine.

On the other hand, revealing your IP address compromises your privacy. It usually reveals what general geographic area you are accessing the Internet from, and who your Internet provider is; depending on your Internet provider, it may be possible to locate you quite precisely. It may also be possible to correlate your IP address with one online identity with your IP address with another online identity. So it's often not something you want to publish to the whole world.

Any computer you directly connect to knows your IP address by construction. As a website designer, treat IP addresses the same way you'd treat any other private data such as name, age, gender, street address, telephone number, ... Do not expose them to anyone who isn't a site administrator. Remember that webserver logs will usually contain IP addresses for every request, so protect the logs like you protect your user database.

Note however that it often isn't difficult to obtain someone's IP address online. All you have to do is host an image on a server that you control (costs <$10/month), and arrange for the person to browse that image in their browser. The IP address of everyone who viewed the image will be in the server logs.

This is why email programs usually require you to confirm whether you want to view an image, and one of the reasons why many social sites require all images to be uploaded to their own servers.

As a user, if you're really worried about revealing your identity, use a proxy. You trade privacy for bandwidth and latency, as well as privacy (the proxy knows what sites you've visited). You can go further and use Tor, which is a “split” proxy where different entities get to know your IP address (the entry node) and what site you're visiting (the exit node); you trade more bandwidth and latency for a bigger privacy gain.

Gilles 'SO- stop being evil'
  • 50,912
  • 13
  • 120
  • 179

It's equivalent to security through obscurity. If you rely on being secure by not revealing your IP address, you are in big trouble. When securing your machine you must assume that the attacker already knows the IP address, since one way or another it's fairly easy to get... You leak it like crazy, every time you connect to a website, every time you send an email, every time you send or receive a file, etc.

With that being said, in practice giving it out to everyone freely isn't the best idea.. But do not let this make you believe that you are secure simply because no one knows your IP address.

Andreas Bonini
  • 591
  • 1
  • 4
  • 10
  • *"every time you send an email"* Gmail doesn't hand out my IP (at least if you're using the web interface). I remember Yahoo used to do it, which is one of the reasons why I stopped using it. – Null Jan 15 '13 at 23:21
  • Yes, but as a gmail user, a big brother organization known as Google has all your e-mails. – Kaz Jan 16 '13 at 02:13
  • 1
    @Null - Google forwards the sender's ip address with the email header if you use anything except your browser to send the email. – Ramhound Jan 17 '13 at 17:05
  • @Ramhound Yes, I imagined that would be the case. But isn't that a technical issue? – Null Jan 17 '13 at 19:52
  • The OP wasn't really talking about securing the machine. The issue at hand is privacy, and protection from some wack job (for instance) seeing something that intrigues them on social media then using the IP address to track down the corporeal human being who posted it. – Craig Tullis Jan 04 '15 at 21:23

When building a web site or web service, all data collected through the process of doing business should be considered sensitive. Data has value. Sometimes, it may not be obvious who will find it valuable or why or even how it may be used to realise that value. This difficulty in assessing value means the only safe approach is to take a default position of restricting access and then only making it available after an informed and considered assessment of the risks and benefits. The same holds for providing personal data. People should not just give personal details away to anyone who asks. When someone asks for personal details, we should question why they are asking for it and whether providing such information has sufficient personal benefit to justify giving it. We also need to verify the person asking for the information is actually who they claim to be. It never ceases to amaze me how much information someone is willing to give someone ovver the phone just because that person claims to be from some authority or conducting some survey etc.

Unfortunately, interacting with people and services on the internet requires that you provide a certain amount of information and in reality, you have little control over how those you interact with use that information. If you want to interact with people via email, you have to provide them with your address. If you want your data to be routed through the network, you have to have a unique IP address and you have to make it available. However, there are things you can do to reduce the amount of information which can be easily identified with you or your user profile. The problem is that in many cases, breaking this connection comes at the cost of convenience.

For example, if you are worried about your IP address appearing on a web site you like to visit, you might be able to protect yourself by using a web proxy. Unfortunately, using a proxy may decrease data throughput, making accessing the site slower or perhaps it won't work correctly because the site uses additional non-standard protocols for side-band communications etc. If your worried about your IP address appearing in e-mail headers, you can use a web based mail solution such as gmail. You can even use email relay solutions that can hide your true email address or allow you to appear with a certain amount of annonymity. However, such things take time and effort to setup and will likely delay sending and reciving of messages. Whether this inconvenience is worth the benefit will depend on the individual.

Often when somone states that knowledge of an IP address is not and issue and just forget about it, they are really only considering the technical aspects of security and not considering privcay and personal security. On the other hand, we should not become too paranoid about who can find out what IP address we are using. In some individual cases, such information may be an issue, but for the majority of us and for a majority of the time, this information is not a big issue. In fact, I would be far more concerned about mobile devices with geo-location facilities enabled and software which is constantly uploading details of where they are to social services like facebook, twitter or g+. People should also evaluate the value of using web based services and sites with a view to what information they are making available to others. For example, I would not use a web site which publicised information about me or my posts, such as my IP address if that information is unnecessary. We need to take some responsability for what information we allow to 'get out there' by being more proactive in making decisions regarding the services we use. If you don't like the privacy policy of a site or service, don't use them and tell them why you won't use them. Don't just accept it and simply adopt a victim mentality as that is what we will end up becoming if we allow it.

Tim X
  • 3,242
  • 13
  • 13

Your IP is like your phone number without the option of caller ID blocking. You can't talk to anyone without the communication using it. It isn't a terribly hard thing to find and doesn't really offer any security by itself. Does it make it minorly more difficult to attack you if your IP is unknown, sure, but it should be assumed that a bad guy will know your IP since it is pretty effectively public information.

The key important thing is that you should have a good firewall preventing any one you aren't talking to from getting on to your network. Most consumer routers do a pretty good job of this as long as the firewall is turned on.

If the IP is not being spoofed and/or relayed through a VPN, then it will provide reliable information about the ISP and general area of the person using it, but that isn't really that helpful of information for an attack.

AJ Henderson
  • 41,816
  • 5
  • 63
  • 110

An IP address is a piece of information. Like other pieces of information on its own it is not that big of a deal. However, if multiple pieces of information are pieced together, they can be used in more 'elaborate' means. I say elaborate because its not always nefarious. For example, if you knew my IP address you could determine that I am most likely in the US and thus should not have access to Digital Media that is Restricted to the UK. Also, you can determine that an IP address range is one used by a group of hackers and block all traffic. You could also determine that my IP address is located in Chicago and refer me to restaurants in my local area.

In terms of why people are sometimes paranoid about others obtaining there IP addresses ... it is much like other means of contact. If someone where to write your phone number in a bathroom of a bar ... you would most likely get a few drunken phone calls. If you post your email address on a public website ... your going to get a lot of unsolicited email. An IP address is much like a phone number or an email ... pretty much everyone online has one ... and while all of these means of contact can be used for useful means ... they can also be used to annoy you or even cause you harm (phishing email or scam phone call for example).

Ok, so if someone has your IP what can they really do with it? Well, If I am doing research on an IP (for example if I see it in my server logs and want to know more information about it) the first thing I can do is google it ... I can find out what ISP the person is using an make an approximate guess of where about the person is located. The next thing I could do is run a port scan of the IP address to see if any ports are open. Depending on what I find, I might be able to access there HTTP, HTTPS, Telnet, FTP, SSH, RAS, VPN, VNC based upon which ports are open.

So lets move this to a real life scenario ... I am playing a video game and am asked to get on some type of voice chat. I connect to someone's server and they make a note of my IP address when I log in. This person may do a port scan and find that I am using Skype. They might also know a vulnerability of Skype that can cause my computer to crash. Later on, this person may go up against me in the video game, and decided that they can obtain an easy win by using this exploit against my IP.

So to answer your question, yes in the grand scheme of things there is not a whole lot someone can do if they get your IP address. However, its not something you want to broadcast to everyone you see because in the wrong hands given the right setting someone can use it against you.

It is also worth noting that an IP address can be 'faked' by using a proxy server or a VPN ... for example I use a SSH tunnel for my web traffic. So while I said previously that I am in Chicago ... if you looked up my IP from this post it would claim that I made it from Seattle.

  • 7,517
  • 2
  • 20
  • 40

In spite of the anecdotes you mentioned where privacy was obviously an issue, there are very solid technical reasons for a seeming indifference in response to concerns about revealing your IP address. Perhaps most important; unlike a name, age, street address or psych eval, an IP address is inherently non-personal. It is a number, it identifies a host on a network and it has very little to do with actual human beings. I for one don't really worry about chunks of silicon and their right to privacy.

Unfortunately, as for nearly all data, IP addresses can become sensitive when combined with other information. Your ISP probably has a database of IPs and to what router they were assigned at what time, as well as contact information of the client for whom that router was installed. Websites may link logged in accounts with IPs the pages were accessed from and subsequently with a user profile where the visitor lists his hobbies. Clearly, this could be threatening to a person's privacy, but it is not information for 'skilled hackers' to uncover per se. If you can't trust someone to keep your private data safe, you strive to avoid them from tieing your IP to your name by withholding the latter, not the first.

Let's take a look at a phone number: +39 333 4567890. In itself, not very sensitive information. It appears to be an Italian mobile phone, but we all knew those existed and we all could have guessed this is a number someone might have, as did I. It only becomes sensitive when tied to a person. So in the interest of privacy, we can opt out of being listed in the phone book, hide caller ID and not hand out our phone number to anyone, but then of course, no one would be able to call us.

This goes for IP addresses as well. If you keep it a secret, it can't be used. Everything you do on the internet reveals your IP in the same way that a letter correspondence reveals your street address. Knowing how to reach the other end of the line is an essential part of communication. Your IP address is public, so you should treat it as such. By attempting to obscure it, you are protecting just the wrong data. Moreover, the misconception that this may be effective is potentially far more harmful than hiding your IP can make up for.

So yes, people can find out your IP address and you can't prevent this, so you might as well not bother to worry or try. Instead of hiding your IP, you should be making sure that it does indeed not tell anyone anything.

Marcks Thomas
  • 346
  • 1
  • 6

You can discover a LOT of information about the machine at the other end of an IP address.

IP addresses can be geo-located to some degree. You described finding a street address, which is simply a matter of doing a reverse lookup, and then doing a WHOIS against the domain name to get contact information.

So yes, some individuals should be concerned, depending on what they are doing online.

  • 9,303
  • 3
  • 33
  • 54
  • 3
    Most IPs can't be tracked down to a street level. At most they can be tracked to an ISP level. In the case of a college this might be close for comfort, but short of a court order, it's going to be very hard to identify someone from their IP if they have a proper firewall. – AJ Henderson Jan 15 '13 at 21:46
  • Anon appears to describe a static IP assigned to a web server. I described how WHOIS data (if it contains real contact details) from a domain registrar can indeed give away a street address, name, and phone number. It *is* correct to say that most individuals will not be vulnerable to this level of information disclosure. It is also correct to say that that still leaves many tens of thousands of people who *are* vulnerable. – scuzzy-delta Jan 16 '13 at 00:53
  • 1
    true, but that's kind of like saying that listing your phone number in the yellow pages makes you vulnerable. It's still a voluntary disclosure that people know is going to happen when they put up a site and setup their domain. The original question seemed to be talking about user's IPs since he was talking about tracking a visitor to a website, but he did mention he has a website too, so I suppose it is worth answering the question from both angles and clarifying the difference between them. – AJ Henderson Jan 16 '13 at 14:04

Knowing your IP address would allow attackers to establish DoS attack against your network which leads to prevent the users to surf the internet. It usually launched against companies and organizations but possible to be launched against normal users.