47

I work for a large-ish company (thousands of employees across multiple locations). I recently needed to know what the possible public IP addresses are, so that a vendor could identify us (presumably for their firewall).

The network guy I spoke with acted as if anyone knowing our range of public IP addresses is a significant security threat. A few of the IP addresses in that range are totally public, being resolved from our public web site domains. What is the real risk of having the whole world know all the possible IP addresses that you might have?

Adi
Abacus
  • Targeted attacks require knowledge of the IP address. But it depends on the system and the software implemented; for example, knowing the IP address of a web server is not that critical or sensitive, but let's say your network has a lot of software listening on its public IP address, and there are, for example, cameras connected to the internet; there's a big chance that I might be able to do harmful actions by using your IP address. I may scan, I may bruteforce, I may try exploits and send shellcodes, and if by any chance your network happens to run vulnerable software, I'll just get there. – EvilThinker Oct 10 '16 at 13:48

4 Answers

55

Your public-facing IP address is for most intents and purposes public information. No security should be dependent on it being private; however, it's not necessarily something you want to wave around willy-nilly (just like you wouldn't wave your home address around), but it also isn't something that is hard for someone to find with generally minimal effort if they know what they are doing.

If someone has a legit need for your IP address though, there is no reason that it should be a security red-flag. Your public IP address is disclosed to every system you talk to on the Internet by necessity.

AJ Henderson
  • 5
    This. Posting your public IP on a message board might raise interest in trying to hack the computer or network behind it, but there's really no way to avoid *someone* else knowing about it (even if that person is the anonymous proxy gateway you route your traffic through). – KeithS May 01 '13 at 21:57
  • 12
    Any hacker that can't find your public IP address is a hacker you don't need to worry about. – John May 02 '13 at 00:44
  • 3
    @John Despite not being what you meant, your comment is exactly why I prefer the other answers. The fewer "hackers" to worry about, the better for me as a sysadmin. By using a layer of obscurity on top of my security measures, I can shave more than half of the "hacking" attempts. My SNR would be higher; cleaner logs and a less stressed IDS. – Adi May 02 '13 at 02:38
41

Your network guy might have a good reason for not wanting to share the information you enquired about. You see, what you describe asking him for is not the IP range (CIDR) your company has been assigned, but an actual list of individual live IPs within that ASN. Now, getting the CIDR range that your organisation was assigned to its ASN is relatively easy, provided you know of a single IP belonging to that organisation and then simply search through all the registered ASNs. Alternatively, even searching for the organisation's name might yield relevant ASNs it uses - see for example my answer for the How to get info on company , company owned sites etc… question. Much of this data is public knowledge.

That said, I believe you would get a completely different response if you asked him for the CIDR range your company was assigned, which is hardly a secret but probably good enough to assign new rules to a firewall. Sharing an actual list of live IPs is a different matter, though:

Imagine your company has a /24 range of public IP addresses (CIDR) assigned to its network (its ASN). That's only 256 IPs and quite common for smaller organisations. Now, let's assume your organisation really only uses half of these IPs, and the other IPs are dead. How could keeping this a secret serve your network guy? Let's assume an attacker wants to scan the CIDR range your organisation uses to collect server banners (software, hardware, operating system's identifying information or signatures) and enumerate live IPs. That's usually among the first steps an attacker would take. He'll go through the list of all IPs in your CIDR range, leaving fingerprints in the access logs of various networking devices your network guy has set up. Your network guy can then easily determine what external IP was scanning your network's whole CIDR range worth of IP addresses (an attacker would scan all of them, including dead ones, while a legitimate user would only be accessing live ones) and promptly blacklist the attacker's IP to protect the network. Easy. If, however, the list of live IPs somehow became public (i.e. shared with an untrusted 3rd party), the chances that an attacker creates this obvious attempt trail quickly diminish.

I think you should go back to your network guy and rather ask him for your public IP range next time. He shouldn't have many problems sharing that, and it is sufficient information for 3rd parties to whitelist your IPs, or otherwise identify access through them for other purposes, like e.g. automated client identification for extranet B2B services and the like.

TildalWave
  • 5
    If this was really his reason, shouldn't the *network guy* have known to just give the OP their CIDR range? I'm not a network guy, but I read the question as if he wants to know all possible addresses, which in my mind is certainly not limited to live addresses. Isn't CIDR == all the possible IP addresses that you might have? – Supr May 02 '13 at 07:34
  • @Supr - Purely semantically yes, but I see no other good reason for his denial, so contextually I'd have to say maybe, leaning towards no. I didn't claim it's necessarily so, tho. I just tried to provide one possible scenario while we're all merely speculating and discussing good practices and rules of thumb. ;) – TildalWave May 02 '13 at 07:42
  • 3
    Alright ;) I commented because I got a feeling you were putting the "blame" on OP, implying that the OP doesn't know what he's talking about, that the *network guy* is always right and that the OP is at fault for not asking the right questions. But I understand now that you were just speaking hypothetically :) – Supr May 02 '13 at 07:56
  • 1
    Marked this one correct because it both answered the question, and provided what we *should* be able to give out - the range of addresses. – Abacus Oct 23 '13 at 20:42
  • 1
    Steve - this has not been 'modded' - it has been voted up by the community, and accepted as an answer by the OP. Arguing about it in comments is not useful. – Rory Alsop Jan 21 '15 at 21:37
  • I'm uncertain of the correctness of this response. Public IPs are **public** by definition. The complete IPv4 range is being scanned every day by a multitude of scanners (e.g. Shodan). Any user scanning your company's public IP addresses will just blend in with the masses, and a decent "attacker" would be using a public network or cloud service to hide his true origin anyway. I also know barely any *network guy* that would be continuously checking for inoffensive ICMP packets. - An important side-note is that this original answer was written in 2013. Opinions can change in 4 years. – BlueCacti Mar 19 '17 at 22:06
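The detection idea from TildalWave's answer above (a scanner touches unused addresses in the range, while legitimate clients only reach live ones), sketched as an added example that is not part of the original answer or its comments. The log format, the documentation-range addresses, the `find_sweepers` name and the `min_dark` threshold are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample data (documentation address ranges, not real hosts).
CIDR = ipaddress.ip_network("203.0.113.0/24")
LIVE = {ipaddress.ip_address(f"203.0.113.{n}") for n in (5, 10, 25, 80)}

SAMPLE_LOG = """\
2013-05-02T07:30:01Z SRC=198.51.100.7 DST=203.0.113.5 DPT=443
2013-05-02T07:30:02Z SRC=198.51.100.7 DST=203.0.113.10 DPT=443
2013-05-02T07:31:10Z SRC=192.0.2.44 DST=203.0.113.1 DPT=22
2013-05-02T07:31:10Z SRC=192.0.2.44 DST=203.0.113.2 DPT=22
2013-05-02T07:31:11Z SRC=192.0.2.44 DST=203.0.113.3 DPT=22
2013-05-02T07:31:11Z SRC=192.0.2.44 DST=203.0.113.5 DPT=22
2013-05-02T07:31:12Z SRC=192.0.2.44 DST=203.0.113.6 DPT=22
2013-05-02T07:40:00Z SRC=198.51.100.9 DST=203.0.113.77 DPT=80
garbled line without fields
"""

# Assumed firewall log layout: "... SRC=<ip> DST=<ip> ..."
LINE_RE = re.compile(r"SRC=(\S+)\s+DST=(\S+)")

def find_sweepers(log_text, cidr, live, min_dark=3):
    """Return {source: sorted dark destinations} for sources that touched
    at least `min_dark` distinct unused addresses inside `cidr`."""
    dark_hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        try:
            src = ipaddress.ip_address(m.group(1))
            dst = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # skip unparsable addresses
        if dst in cidr and dst not in live:
            dark_hits[src].add(dst)  # hit on an address with no host behind it
    return {str(s): [str(d) for d in sorted(hits)]
            for s, hits in dark_hits.items() if len(hits) >= min_dark}

if __name__ == "__main__":
    for src, dark in find_sweepers(SAMPLE_LOG, CIDR, LIVE).items():
        print(f"{src} probed {len(dark)} unused addresses: {', '.join(dark)}")
```

The threshold keeps a single stray hit on an unused address (the `198.51.100.9` line) from being treated as a sweep.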
16

A public IP address is called a public IP address for a reason. Treat it like one.

Keeping the list of public IP addresses belonging to your company secret will make no difference to any sort of attack, be it opportunistic or targeted. If your system is connected to the internet, it will be hammered on by automated scripts and malware out there. If an attacker is directing a targeted attack against your company's network, keeping that list of public IP addresses secret will not pose much of a barrier.

Don't rely on obscurity to protect your networks. Assume that every attacker knows that information and much more and work to protect your networks properly.

  • and if you have a public website that is hosted on your own server, then the attacker will know at least 1 IP in the range – ratchet freak May 01 '13 at 16:37
7

Knowing which IPs exist at all in a network can be valuable information for an attacker, if the organization owns a full range of IP addresses but actually uses only a few of them. The idea being that if there are 10000 addresses to choose from, but only 20 with actual machines behind them, the attacker may spend some time trying to reach nonexistent machines.

Of course this is not a realistic scenario. It used to be true, when the range of possible IPv4 addresses was plentiful and any university or corporation could obtain a B class (with 65536 addresses). But not anymore. The End of Times is Nigh.

However, you could want to avoid attracting attention to your network. Competent attackers who target your network will learn your IP addresses. But there are also a lot of incompetent attackers, who can become a nuisance by their sheer numbers; some minute level of discretion can be sufficient to deter them. Not publishing your IP addresses is like not putting a bronze plaque at the entrance of your business headquarters.

Tom Leek