There’s no place like 127.0.0.1 — a guide to IP address security

Petr Gazarov
6 min readFeb 22, 2017

--

IP addresses operate behind the scenes, but they’re an integral part of everything you do online.

An IP address is an identification code for any device connected to a network using Internet Protocol. These aren’t much different from a physical address where you mail letters.

Let’s explore how these work, and what you need to know about them to stay safe out on the open internet.

How does your computer get an IP address?

Your local internet provider (e.g. Verizon) gets a block of IP addresses for its use from a regional internet registry, and registries receive their blocks of IP addresses to use from an organization called IANA.

This hierarchical scheme ensures that all public IP addresses in use are unique.

But not every device ends up with a unique IP address. If you check your public IP address on laptop and cellphone, connected to the same wifi network, you almost certainly will see the same number.

How does this happen?

Think of an IP address as a reference. There is the global (public) scope, but then there are also local (private) scopes.

Your wifi is one of those private scopes that manages a local network, assigning local IP addresses to your laptop and your roommate’s xbox. Usually it is a number like 192.168.1.x, which is not directly reachable from the Internet.

On a larger scale, your internet provider may also manage your router’s connection within a private network.

When you request Facebook’s page, the return IP address of your request may change a couple times before reaching Facebook’s server. Of course, all of this routing happens really fast.

How does the router know which device on your wifi to send the data back to if it has one public IP address?

To put it simply, the request also contains other data such as a unique source port number.

That data is used to determine which device the response is sent to.

Can I get a permanent IP address for my device?

Sort of.

You can rent a static IP address from your internet provider, which would be fixed to your device.

You would normally only want one if you are running a server and want people on the internet to reliably access your server.

This would be provider-specific arrangement, however, so don’t expect to be able to switch providers and keep your IP address.

Interestingly, and for much of the same reasons, purchasing an IP address is much harder, and I found this post that explains why excellently.

Will we run out of available IP addresses?

We’re going to be okay with the IPv6 protocol for a long time.

While the legacy IPv4 protocol uses 32 bits numerical identifiers, making up the familiar 12-digit pattern (omitting leading zeros after dot separators):

74.191.152.63

the more modern IPv6 protocol uses 128 bits numerical identifiers with 32 hexadecimal digits:

2001:0db8:85a3:0000:0000:8a2e:0370:7334

That’s 340,282,366,920,938,463,463,374,607,431,768,211,456 possible unique IP addresses (minus some reserved ranges).

Oh, and here’s how to pronounce this number, in case you want to impress your friends 😀.

What’s different with 127.0.0.1?

The landmark 127.0.0.1 is a reserved IPv4 address that a computer uses to refer to itself.

This request never goes out to the Internet, and instead is routed back to the listening port of your device.

Hence it’s like “home” in the vast world of WWW.

It’s unclear why 127 was chosen, but it all happened a long time ago.

In fact, IPv4 network standards allocate the entire 127 block for loophole addresses and (with a little configuration) you can use any of the other 16,777,213 addresses (between 127.0.0.1 and 127.255.255.254) to refer to your own machine.

Is there a map of currently used IP addresses per location?

There is a beautiful visualization of the global IPv4 space:

It’s an impressive map, made possible by the ZMap Internet scanner.

ZMap parallelizes as many requests as the network bandwidth allows, which enables it to hit up to 1.4M addresses per second.

This way, all of the 3.7B IPv4 addresses currently in use can be scanned in under 1 hour. Read more about ZMap.

The IPv6 space is generally considered too large to scan in any reasonable amount of time, thus the above method works only with IPv4 (which is still the most commonly used standard).

Can you use IP addresses directly in the browser?

Most browsers will understand IP addresses just fine, and that will actually save them a trip to the DNS (although it gives only small benefits due to browser caching).

This tactic may not work with some websites, however, due to use of name-based hosting. This is when multiple websites are hosted on a single IP address, and the final routing happens on the basis of the requested domain name.

To test IP in the browser on a mac, open your terminal and enter:

ping google.com

Then take the IP address from the first line and enter it into your browser.

How to conceal your IP address, AKA how to stream US HBO on vacation in Thailand?

“This content is not available from your location”

Ugh! Don’t despair, there is a fix — VPN, which is a service that routes your requests through its servers, giving all your traffic the IP addresses of those servers.

Using a VPN, you can change your public IP address (and hence your perceived location).

Both iOS and Android provide built-in support for VPN, and you won’t have to hack anything in order to get it to work.

VPNs are also great for your online security — they offer additional encryption for your traffic. If you don’t already, you should consider using a VPN.

How does IP blocking work?

Blocking requests from a set of IP addresses is a straight-forward engineering task.

There are several common reasons why website administrators choose to do it.

  • Security

If the request is coming from a part of the world that has seen a spike in fraudulent activity, a security engineer may consider shutting those IPs down, in order to reduce chance of fraudulent requests.

One example is Nigerian IP addresses, which have gotten famous for a high ratio of fraudulent requests.

As a result, many sites choose to block entire ranges coming from Nigeria.

In some cases, an IP address can also be checked as part of authentication to a secure remote server, in order to limit the chance of unauthorized communication with the server.

  • Business

As Apple or HBO, I would like to sell my online services for different prices in different countries, or restrict certain product to only some of the countries.

Thus, IP address is heavily relied upon for location detection.

As Facebook, I’m giving away internet access in Africa for free, and in return I would like users to only be able to access facebook.com using the complimentary connection (no freebies, sorry 😞).

IP addresses are used to control access to the Internet.

  • Censorship

We all know about Chinese Internet censorship. There is plenty of censorship here in the US as well.

For example, your kids high school, a local library, or a business that blacklists certain websites on its internal networks.

Is IP the only way to track online activity?

Nope. Business tracking such as ads and customer authentication usually use cookies, which are identifiers set in your browser by the websites you visit.

Unlike IP addresses, cookies will stay with you until you clear them out, they expire, or their creator website removes them.

That’s it! I hope you had fun reading 😊

Resources:

ZMap homepage

Cool map-driven history of internet

A cool map of all 5 regional internet registries around the world

A handy website that provides lists of IP addresses per country

--

--