1

When we read the IP address of the user using our website, which addresses will absolutely not turn up?

From this page: http://www.computerhope.com/jargon/i/ip.htm

Class E IP addresses are reserved for future use, or research and development purposes.

I want to know, when I get the IP address of the user (a normal non-hacking user) using my website (which is hosted over the net), which IP address ranges will NEVER come up?

3 Answers

3

The term is Bogon filtering

A bogon is a bogus IP address, and an informal name for an IP packet on the public Internet that claims to be from an area of the IP address space reserved, but not yet allocated or delegated by the Internet Assigned Numbers Authority (IANA) or a delegated Regional Internet Registry (RIR). The areas of unallocated address space are called the bogon space.

Bogons are not the same as reserved private address ranges, such as those in 10.0.0.0/8 and 192.168.0.0/16, which are reserved for private networks.

Many ISPs and end-user firewalls filter and block bogons, because they have no legitimate use, and usually are the result of accidental or malicious misconfiguration. Bogons can be filtered by using router ACLs, or by BGP blackholing.

Steve-o
2

http://en.wikipedia.org/wiki/IP_address#IPv4_private_addresses has some others. In particular:

  127.* - loopback
  10.* - Class A private
  172.16.* - 172.31.* - Class B private
  192.168.* - Class C private
  255.255.255.255 - Broadcast

I also believe you will never see class D addresses.

However, this doesn't account for IPv6, which I'm not as familiar with.

Jim Deville
  • Well, just because it is private does not mean it will never show up. –  Jul 07 '11 at 06:44
  • Fair point. If the site is hosted internally, any private address can show up, and if a (possibly malicious) user decides to hand craft packets, they can mess with the IP address and try to send whatever they want. – Jim Deville Jul 07 '11 at 06:46
  • That's the whole point. If someone tries to craft IPs which are supposed to be "reserved", then I will know straight away that the IP is crafted. Hence this question. –  Jul 07 '11 at 07:40
  • Well, someone altering his IP address will rather use an ordinary IP which will not raise suspicion. I don't think (s)he would use e.g. 127.0.0.1 in that case. –  Jul 07 '11 at 07:43
  • Doesn't seem like that would help much, given a user could still craft the packet to use a public IP instead of a known private IP. – Jim Deville Jul 07 '11 at 07:43
  • Is it even possible to spoof 127.0.0.1? – JSWork Jul 07 '11 at 19:32
1

Security angle:

The best assumption is that attackers could spoof any address, so you should blanket filter all the ones that should never come in through your perimeter. This would include the ones in James and Steve's answers, plus any others you can guarantee should never hit your outside interface.

Don't just assume they would require a valid address so they can receive response packets - they may not need to, depending on the type of attack.

Rory Alsop
  • Absolutely. SYN-flood attacks, for example, purposely don't want to receive a response. That's part of how the attack works. – Jim Deville Nov 18 '11 at 22:57
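
An added example, not part of any answer above: a Python check that labels a client address falling in the ranges the answers name (loopback, private class A/B/C, class D, class E, broadcast). The function name `classify_source` is hypothetical, and the example goes beyond the answers by also covering 0.0.0.0/8, 169.254.0.0/16 and the IPv6 equivalents. A result of `None` only means the address is not in a listed range, not that it is genuine.

```python
import ipaddress

# Ranges named in the answers above (loopback, private, class D, class E,
# broadcast) plus a few well-known special-use blocks added for this example.
NEVER_PUBLIC_SOURCE = [
    ("0.0.0.0/8", "this-network"),
    ("10.0.0.0/8", "private (class A)"),
    ("127.0.0.0/8", "loopback"),
    ("169.254.0.0/16", "link-local"),
    ("172.16.0.0/12", "private (class B)"),
    ("192.168.0.0/16", "private (class C)"),
    ("224.0.0.0/4", "multicast (class D)"),
    ("240.0.0.0/4", "reserved (class E, includes broadcast)"),
    ("::/128", "unspecified"),
    ("::1/128", "loopback"),
    ("fc00::/7", "IPv6 unique local"),
    ("fe80::/10", "IPv6 link-local"),
    ("ff00::/8", "IPv6 multicast"),
]
_NETS = [(ipaddress.ip_network(cidr), label) for cidr, label in NEVER_PUBLIC_SOURCE]


def classify_source(text):
    """Return a label if `text` lies in a range that should never be a
    public-Internet client source, "malformed" if it does not parse,
    or None if it is in none of the listed ranges."""
    try:
        addr = ipaddress.ip_address(text.strip())
    except ValueError:
        return "malformed"
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is judged as the IPv4 it wraps.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    for net, label in _NETS:
        if addr.version == net.version and addr in net:
            return label
    return None


# Constructed sample of client addresses as a web application might log them.
SAMPLE = ["8.8.8.8", "192.168.1.20", "172.31.255.1", "172.32.0.1",
          "240.0.0.1", "::ffff:10.1.2.3", "fe80::1", "not-an-ip"]

if __name__ == "__main__":
    for ip in SAMPLE:
        print(f"{ip:20} {classify_source(ip) or 'not in a listed range'}")
```

If the site sits behind a reverse proxy or NAT, private addresses can legitimately appear as the peer address, so apply the check to the address seen at the outside interface.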