Can you grab any IP address on the Internet?



On a personal network (LAN) one can simply grab an IP address. If you choose the same IP address as an existing client, you get problems. There are companies like IANA and ICANN that are in charge of IP address bulks and sell them. But what stops you from just grabbing a random IP address? Is this built on trust? What if somebody were to grab an IP address and a conflict were to occur? Is there any way of tracing that IP address to the location of the server using it?

Are companies that actually maintain the physical internet cables checking whether or not the clients connecting are using bought IP address blocks?

Friend of Kim

Posted 11 years ago

Reputation: 1 301



There is nothing preventing you from attaching a box configured with someone else's IP address to the internet. However, this won't necessarily cause any issues for anyone else but yourself.

If you steal someone else's IP address outside of the subnet that you are physically connected to, the only thing you will accomplish is not being able to receive any traffic as any router, behaving properly, is going to route traffic to the real owner of this IP address. You might be able to advertise false routes to whatever edge router is upstream from you in the hopes that they would get propagated further in the hopes of getting traffic routed to you based on your stolen IP address, but any marginally competent ISP/upstream provider would never accept routes from its non-enterprise consumers. As far as enterprise customers/other ISPs go, they are bound by specific rules about what routes they can advertise and use with their transit provider or peer, which are monitored 24/7 by Network Operations and Control Teams. Most also have rules about what routes they will accept as valid depending on who advertised them. In short, stealing someone's IP address outside the subnet you are connected to does nothing unless you can also manipulate the upstream routing tables.

That aside, if you were to steal an IP address of someone in your same subnet, you would disrupt traffic of both the person who owns it and yourself. With any managed switch or router this will raise alarms as there is a duplicate address on the network and will likely lead to your connection getting blocked in some way.

Fred Thomsen

Posted 11 years ago

Reputation: 1 307

@Fred, So just one AS can wreak havoc in the whole system? All we need is to bring a few HMG and grenades to the core AS do a simple hijacking and now the whole Internet is dead?

– Pacerier – 10 years ago

One thing you alluded to, but didn't explicitly mention, is that you cannot communicate with the real owner of the IP address, or perhaps the real owner of the whole subnet. – Michael Hampton – 11 years ago

I'd specify "not being able to receive any traffic from the Internet" instead of "no traffic" (at all). [Example not in OP's idea:] There are (were?) some enterprises that thought it OK to use Internet addresses as their internal IPs, on their LAN(s)... And it "kind of" works (but is a horrible idea, and not to be reproduced). But they then wonder why they can't reach some sites (as, even using NATing on their Internet gateway: any packets destined to a host in the same range as their "internal" range will be sent by their LAN machines on their LAN, instead of to the gateway to be sent out ...) – Olivier Dulac – 11 years ago

@OlivierDulac It is not necessarily an issue, as long as you don't route/NAT to the internet, but use proxies. Takes a fair bit of very careful configuration but it is certainly possible. (In fact I work for a company that operates like this. Multinational with about 500.000 ip-devices.) – Tonny – 11 years ago

Do ISPs refuse traffic from clients that (pardon my terminology if incorrect) claim a static IP instead of having received one via DHCP? – Dean MacGregor – 11 years ago

@Tonny: I was just restricting the "any traffic" a bit further. And I know solutions/workarounds exist, but still it's better to use a reserved class A (10.x/8, so more than 16 million addresses, or a subnet thereof if you need less [good to keep unused ranges for special cases]) than use a non-reserved range [where each of your local routers' routing tables will need to be carefully designed to distinguish local traffic from internet-facing ones. Some careful setup makes it "easy", most don't] – Olivier Dulac – 11 years ago

@OlivierDulac I don't consider it a good idea either, but for the moment we have to live with it. And we are migrating to a but that is a slow progress thing. – Tonny – 11 years ago


Similar to mpez0's answer, but I like a good car analogy...

I'm choosing the UK for this, since that's where I live. Imagine you live in a world where people follow road signs without question, and you happen to live right up in the north of Scotland, about as far from London as you can without crossing water. You live in a small town, and one day you decide that you're going to rename your town 'London' since that will obviously have the effect of driving more trade and tourism to your town, right? You even go to the trouble of updating the local road signs to reflect the new name of your town.

What actually happens? Well, you get lots of people from surrounding villages visiting your town following the signs and wondering why they're not in London. But apart from that, nothing changes. Why?

Consider someone who lives in the middle of England. They know that London is in the south, so when they get on the road to go to London, they follow the signs that say 'THE SOUTH' and keep going until the signs get more specific. In other words, their roadsigns still point to the real London. Their 'routing tables' haven't changed. The fact that your town has decided to change its name to London is inconsequential to them. Their local routes are not nearly specific enough to notice the change.

If you decide to change your IP address, routers elsewhere will not suddenly become aware of this fact. The roadsigns will not change.

Chris McKeown

Posted 11 years ago

Reputation: 971

@Chris, Regarding "Well, you get lots of people from surrounding villages visiting your town following the signs and wondering why they're not in London.", how would they know? Assuming I'm evil Bob and I've phished London, how would they know? – Pacerier – 10 years ago

This is a really good comparison. – Friend of Kim – 11 years ago

Speaking of being confused by signs, I don't know if the U.K. is like this, but in the U.S. it isn't uncommon to have a sign prior to turning onto a highway advertising a city hundreds of miles away. When I was a kid I found this confusing, as one might be in Scotland and getting on the highway expecting London to be the next town over... – Michael – 11 years ago


@Michael In the UK, on the other hand, it is not uncommon to see signs that actually do say, simply, "The South".

– E.P. – 11 years ago

@Michael See this question and its answers at Travel.SE.

– gerrit – 11 years ago

There's also the notion of a default route on road signs: "All directions" or "Other directions". Once in France we found a crossing which had both signs, but pointing in different directions ;) – MSalters – 11 years ago

FWIW has an interesting discussion of the use of "control cities" on road signage

– nohat – 11 years ago


Consider the analogy of your house address. One day you decide to change your address from "123 First Street" to "1600 Pennsylvania Avenue". What difference does it make outside your own property lines? None - because the rest of the world still behaves as if the physical location of your house didn't change, the name of your street didn't change, the city name didn't change, the zip code didn't change... you get the idea.

Mail, packages, and so on will be "routed" to your house based on its location in the address network of your community. The number of your house (computer), by itself, is only the last and final stop (network hop). Everything along the way has to agree, has to synchronize, and you only control the very end of the path.

You can number your house (or computer) anything you want, but for your network traffic to continue to flow you must do so in sync with your environment. To change your house address, you would have to change its number, AND get the bureaucracy to change the name of your street, AND change the name of your city, AND your zip code. Likewise, to change your IP address to something outside your allocated block, you would have to change its number, AND get your upstream provider to change your allocated block, AND change their routers to route that block to you, AND advertise that via BGP to their routing peers.

In both cases you are synchronizing your change with the outside world so the outside world knows how to find you. Otherwise, the effect is that network traffic can't find you anymore - and the only entity affected by your change of address is you. Which, architecturally speaking, is a good thing!


Posted 11 years ago

Reputation: 311


A given ISP could assign any address to any client. However, addresses are only useful in that they can have packets routed between them and other addresses. An ISP that's assigning addresses outside the range assigned by ICANN will either not get packets routed to/from that address or will cause routing errors elsewhere on the Internet. This is the sort of thing that happens when some of the national Internet censors or filters go awry, or sometimes when top level ISPs misconfigure their routing information.

So, yes, you could set up an internal server with the same addresses as,, etc. But you probably wouldn't get packets that were intended for those hosts, at least not from outside your routing scheme.


Posted 11 years ago

Reputation: 2 578


If you are an ISP you can steal whole IP ranges. The providers and big companies and the like have so-called Autonomous Systems, identified by "AS" and a 16-bit integer value. These systems communicate with other systems. They need a protocol to tell the other systems which IPs they own and what other AS they are connected to, and also some "cost" for the connection. Between AS, this is usually BGP.

Problem is, this is still mostly based on trust. If some provider announces that he now owns the IP space of Google and the cost is very low, all the other systems send traffic for Google to this provider. This has been done, e.g. with YouTube in an attempt by Pakistani officials to block it in Pakistan. There is still no real technical solution. This basically still works. Most providers switched from an automatic to a semi-automatic process, where they define some criteria on route changes announced by other providers when they have to be checked by a human. But the internet is just too big to check it all. So they have rules like "if the AS did something bad before, check manually".

So no, you as a normal person cannot steal an IP. But if you are a large enough provider, you can steal whole IP ranges for at least hours, if not days. If you just do this for very small subnets and try to reroute the traffic to the real target, you might even get away with a man-in-the-middle attack without anyone ever noticing.

There is of course also a Wikipedia article!

If you want to play around, a good start is the BGP info tool by Hurricane Electric. There is also a graphical tool. You can enter the AS number of your provider that the he site tells you there and view what peerings your provider uses.

Josef says Reinstate Monica

Posted 11 years ago

Reputation: 1 230
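
The origin check that the answer above says a human applies to announced route changes can be sketched as a small monitor. This is an added example, not part of the original answer; the prefixes are RFC 5737 documentation ranges, the AS numbers are RFC 5398 documentation ASNs, and the baseline and observed announcements are constructed.

```python
import ipaddress

# Constructed baseline: prefixes this network originates, mapped to its AS.
# Documentation prefixes and ASNs only; none of them come from the page.
EXPECTED_ORIGINS = {
    ipaddress.ip_network("198.51.100.0/24"): 64496,
    ipaddress.ip_network("203.0.113.0/24"): 64496,
}

def classify(prefix, as_path):
    """Classify one observed announcement against the baseline."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]  # the last AS in the path originated the route
    for expected_net, expected_as in EXPECTED_ORIGINS.items():
        if net == expected_net:
            return "ok" if origin == expected_as else "origin-mismatch"
        if net.subnet_of(expected_net):
            # A more specific route wins longest-prefix match wherever it is
            # accepted, so it is flagged even when the origin looks right.
            if origin == expected_as:
                return "more-specific"
            return "more-specific-foreign-origin"
        if expected_net.subnet_of(net):
            # A shorter covering prefix loses to our own route, but is odd.
            return "covering-less-specific"
    return "unrelated"

# Constructed sample of observed announcements: (prefix, AS path).
OBSERVED = [
    ("198.51.100.0/24", [64500, 64496]),
    ("203.0.113.0/24", [64500, 64511]),
    ("198.51.100.128/25", [64501, 64511]),
    ("192.0.2.0/24", [64502, 64503]),
]

def alerts(observed):
    """Return (prefix, origin AS, verdict) for announcements needing review."""
    findings = []
    for prefix, path in observed:
        verdict = classify(prefix, path)
        if verdict not in ("ok", "unrelated"):
            findings.append((prefix, path[-1], verdict))
    return findings

if __name__ == "__main__":
    for prefix, origin, verdict in alerts(OBSERVED):
        print(f"{prefix} originated by AS{origin}: {verdict}")
```
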


"Could the ISP handle out ISP's it hasn't bought?"

Communication basically happens like this: PC to target machine (either a router or directly to the target - determined by the sending machine through a comparison of its IP address and its subnet mask; if the target is not on the same subnet it is sent to the router for routing).

If a router receives a packet for routing it makes a similar decision based on all subnets it is directly connected to. It chooses which subnet to send the packet onwards through its "routing table." Note: The routing table on the client machine was used in the first step - try CMD:"Route Print" on Windows.

At the last router in the process, the one with the target IP address on one of its attached subnets, the router sends directly to the host via its MAC address (possibly after RARP usage).

So, IP addresses are used to route between the routers and the routers have some way of knowing how to route based on limited sets of information. The routers share information dynamically about route changes (network subnet availability), but "they can do so in an authenticated way." I cannot comment on if authentication is enforced.

If an ISP 'releases' IP addresses to hosts via DHCP or any other means then the route table data must exist for successful two-way communication. It would be trivial to identify a rogue ISP. Even if there was a trust approach happening at different levels, censoring routing updates from the ISP would still be trivial.

Martin O'Keefe

Posted 11 years ago

Reputation: 51


IP address registration is regulated on a local network by some kind of router. With DHCP, a computer asks for an IP address from the router and is assigned one. But once you want to leave your local network, your IP is assigned by your ISP. There are ways to spoof the IP address a packet is coming from, but as soon as it reaches one of the ISP's routers, the IP address is replaced with its own. The only thing that stays the same is the MAC address, which too can be spoofed. But since your IP address is replaced at the first router, it limits what you can do.

To give you a short answer, the ISP designates everything on a pipe to be associated with its registered IP address. It's kind of like me telling you to pick a card and there is only one card. Local and Public IP addresses are completely separate.

For more info you can check this out


Posted 11 years ago

Reputation: 79

@MSalters, FriendOfKim is saying what if you are the evil ISP? – Pacerier – 10 years ago

Wasn't responding to @FriendOfKim, but in short: such ISP's would suddenly find themselves isolated from the rest of the Internet. Nobody would connect to them. Since that's a death penalty to an ISP, they play by the rules. – MSalters – 10 years ago

Thank you for a good reply. However, I'm not thinking about me changing the IP on my private network. I'm talking about companies connecting directly to the internet, like for example internet server companies. To continue your example. Could the ISP start handing out IPs it hasn't bought? – Friend of Kim – 11 years ago


I believe, at the highest ISP tier, this system is built on trust. But I'm not sure. Here's some more info: ,

– Fallen – 11 years ago

This answer is wrong on a few points. It is assuming that everyone uses NAT, which isn't the case. It's conflating NAT and routing. And the statement about keeping the MAC address whilst discarding the source IP address is pretty much the opposite of what happens when a packet traverses a gateway. – JdeBP – 11 years ago

NAT is involved in my answer, but even without NAT it wouldn't change the fact that the IP address assigned by the ISP would replace the IP in the packets. Unless the ISPs take it on good faith that the IPs are correct and don't modify them. – Fallen – 11 years ago

@Fallen: Mine checks IP addresses, but doesn't touch them at all. Either the IP address is wrong and the packet is dropped, or it's passed on. I personally don't know many ISP's which rewrite IP's, but I understand this is more common in Asia (lack of IPv4 addresses) – MSalters – 11 years ago


You can "use" any IP address for the packets you send out, but the limitation is actually about packets that you'll receive.

"Buying" an IP address range means that a bunch of other people will configure their routers so that packets sent to that IP address range get forwarded a step closer to you, eventually reaching a device that you yourself control. It's all about maintaining a lot of routing tables with lists saying (a bit simplified) "xxx.yyy.. get sent to the left, xxx.zzz.. get sent to the right".

"Simply grabbing" an arbitrary address will result that if you want to contact, you'll send an initial packet to them, but the response packet will get forwarded to the actual intended owner as properly configured, and you won't see it. If you grabbed an address belonging to your neighbour at the same ISP, then the ISP's router nearest to you will be configured to send all such messages to your neighbour, and not you. If you grabbed a random address, then most likely it would be sent to another corner of the world, and the reply wouldn't even get close to your ISP.

It's just as with postal mail, if you live in Pyongyang but want to start receiving mail addressed to "1600 Pennsylvania Ave NW, Washington, DC 20500, United States", then you'd have to convince (at least one of) postal services between the sender and address owner to send such messages your way. This is possible if all the senders are in an internal company network; but that probably wasn't the question.


Posted 11 years ago

Reputation: 148
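
The forwarding behaviour described in the answer above, as an added example that is not part of the original post: a longest-prefix-match lookup on one ISP edge router, showing where the reply to a "grabbed" source address ends up, plus the ingress source check that a comment elsewhere on this page describes ("Either the IP address is wrong and the packet is dropped, or it's passed on"). The routing table, port names and addresses are constructed; the prefixes are RFC 5737 documentation ranges.

```python
import ipaddress

# Constructed forwarding table for one ISP edge router; the port names
# ("customer-a", "customer-b", "upstream") are hypothetical.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "upstream"),
    (ipaddress.ip_network("198.51.100.0/25"), "customer-a"),
    (ipaddress.ip_network("198.51.100.128/25"), "customer-b"),
]

def next_hop(dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, port) for net, port in ROUTES if addr in net]
    # The default route always matches, so matches is never empty.
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def source_is_valid(port, src):
    """Ingress check: accept a packet only if traffic addressed to its
    source would be routed back out of the port it arrived on."""
    return next_hop(src) == port

def reply_outcome(sender_port, claimed_src, filtering=True):
    """Where the reply ends up for a packet that a host on sender_port
    sent with claimed_src as its source address."""
    if filtering and not source_is_valid(sender_port, claimed_src):
        return "dropped-at-ingress"  # the request never leaves the ISP
    return next_hop(claimed_src)     # the reply follows the routing table

if __name__ == "__main__":
    cases = [
        ("198.51.100.10", False),   # the address actually routed to customer-a
        ("198.51.100.200", False),  # the neighbour's address, no filtering
        ("203.0.113.7", False),     # a random address, no filtering
        ("198.51.100.200", True),   # the neighbour's address, with filtering
    ]
    for src, filtering in cases:
        result = reply_outcome("customer-a", src, filtering)
        print(f"source {src} filtering={filtering}: {result}")
```
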


The Dynamic Host Configuration Protocol (DHCP) function of the router an individual is connected to allocates an IP address within a specific range. You can't just ask for a specific IP address. As far as I know an individual can't "spoof" an IP address.

Peter Fowler

Posted 11 years ago

Reputation: 174

@Peter, He's asking what if you are the DHCP. – Pacerier – 10 years ago

Thank you for a good reply. However, I'm not thinking about me changing the IP on my private network. I'm talking about companies connecting directly to the internet, like for example internet server companies. To continue your example. Could the ISP start handing out IPs it hasn't bought? – Friend of Kim – 11 years ago

Actually, you can ask for a specific address via DHCP. It's up to the server whether it wishes to agree to your request, however. – BRPocock – 11 years ago