The IP Address Ownership Dilemma
This problem must be universal.
If you own a good firewall (no, not the one from your ISP) that filters egress traffic as well as the usual inbound traffic, you may have wondered why certain connections are being blocked when the IP address actually belongs to your own country.
Don't worry, you are not alone. I have pondered this problem many times. For example, I block certain countries, whether inbound or outbound. I found numerous guides on this from professionals in the cybersecurity field.
But where do you draw the line? For example, I have records in my logs for IP addresses that resolve to unknown hosts in Melbourne but are reportedly owned by an Asian corporation. So these get blocked because I have blocked that country.
The problem is that, depending on whose database you use, you may end up with different results, because this is not an exact science. Mapping an address to a place combines two very different sources: the registry records that say which organisation (and in which country) a block was allocated to, and active measurement, where servers dotted around the world send probes to the address and use the round-trip times, together with what is known about the infrastructure that connects them, to estimate the rough location of the exit node. Bear in mind that the exit node is the address you see in your logs; the actual origin may be somewhere else entirely.
I have a reference for this somewhere in my extensive catalogue of research material. Yes, I oversimplified the above paragraph.
So, having looked at my firewall logs, I take the location with a pinch of you know what. The country nearly always resolves to the owner of the IP block, whatever its actual geographic location, and what you see also depends on the maker of the firewall and the database it uses to map IP addresses to a country of origin.
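An added worked example, not part of the original post and not code from any firewall vendor or geolocation provider, showing the two answers side by side. The registry side parses rows in the real RIR delegated-stats format (the rows themselves are made up, using documentation address ranges); the measurement side uses constructed probe coordinates and constructed round-trip times, and rules a country out when the host would have to be further from a probe than light in fibre could travel in that RTT. The probe names, candidate coordinates and the 100 km per ms bound are all assumptions chosen for the illustration.

```python
"""Added example (not from the original post): two ways of answering
"which country is this IP in?" and why they can disagree.
1. Registry view: the delegated-stats record says which country a block was
   allocated to, i.e. the owner, not where the host physically sits.
2. Latency view: RTTs from known probes bound how far the host can be from
   each of them, which rules countries in or out on geography alone.
Every record, coordinate and RTT below is constructed sample data.
"""
import ipaddress
import math

# Constructed rows in the RIR delegated-stats format (real format, fake data):
# registry|cc|type|start|value|date|status ; value = address count for ipv4
DELEGATED_SAMPLE = """\
apnic|CN|ipv4|203.0.113.0|256|20100101|assigned
apnic|AU|ipv4|198.51.100.0|256|20100101|assigned
ripencc|DE|ipv4|192.0.2.0|256|20100101|assigned
"""
# Constructed measurement points: name -> (country, lat, lon)
PROBES = {"syd": ("AU", -33.87, 151.21), "sin": ("SG", 1.35, 103.82),
          "fra": ("DE", 50.11, 8.68)}
# Constructed candidate location per country: cc -> (lat, lon)
CANDIDATES = {"AU": (-37.81, 144.96), "CN": (39.90, 116.40), "DE": (50.11, 8.68)}
# Constructed RTTs (ms) from each probe to each target address
RTT_SAMPLE = {
    "203.0.113.5": {"syd": 12, "sin": 95, "fra": 290},  # registered CN, answers like Melbourne
    "192.0.2.9": {"syd": 290, "sin": 170, "fra": 5},    # registered DE, answers like Frankfurt
}
# Light in fibre covers roughly 100 km per ms of one-way delay, so a host can
# be at most about 100 km * RTT_ms from a probe (a loose but safe bound).
KM_PER_RTT_MS = 100.0
EARTH_RADIUS_KM = 6371.0


def load_delegations(text):
    """Parse ipv4 delegation rows into (network, cc) pairs."""
    out = []
    for line in text.splitlines():
        fields = line.split("|")
        if line.startswith("#") or len(fields) < 7 or fields[2] != "ipv4":
            continue
        cc, start, count = fields[1], fields[3], int(fields[4])
        first = ipaddress.ip_address(start)
        # Counts need not be powers of two; summarize handles 768, 1536, ...
        for net in ipaddress.summarize_address_range(first, first + count - 1):
            out.append((net, cc))
    return out


def registry_country(ip, delegations):
    """Country the most specific covering block was allocated to, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, cc in delegations:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else None


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def feasible_countries(rtts_ms):
    """Countries whose candidate location lies inside every probe's RTT radius."""
    feasible = set()
    for cc, loc in CANDIDATES.items():
        inside_all = all(
            haversine_km(PROBES[probe][1:], loc) <= rtt * KM_PER_RTT_MS
            for probe, rtt in rtts_ms.items())
        if inside_all:
            feasible.add(cc)
    return feasible


def assess(ip, rtts_ms, blocked, delegations=None):
    """Compare the registry answer with the latency answer for one address."""
    if delegations is None:
        delegations = load_delegations(DELEGATED_SAMPLE)
    registry_cc = registry_country(ip, delegations)
    feasible = feasible_countries(rtts_ms)
    return {
        "ip": ip,
        "registry_cc": registry_cc,
        "feasible": feasible,
        "consistent": registry_cc in feasible,
        "blocked_by_registry": registry_cc in blocked,
        # definite only if every geographically possible country is blocked
        "blocked_by_latency": bool(feasible) and feasible <= blocked,
    }


if __name__ == "__main__":
    for ip, rtts in RTT_SAMPLE.items():
        print(assess(ip, rtts, blocked={"CN"}))
```

For 203.0.113.5 the registry says CN, but a 12 ms round trip from the Sydney probe puts the host within about 1,200 km of Sydney, which is compatible with Melbourne and not with anything in China, so the two sources disagree and a country block keyed on the registry fires while one keyed on measurement does not. That is exactly the Melbourne-host-owned-by-an-Asian-corporation situation, and which verdict you get depends on which source your firewall's database is built from.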
The fact of the matter is that if your firewall is not using some sort of traffic signature that looks at a flow and determines what it is up to, it is not doing its job.
Gone are the days of just looking at who owns the IP address, although an address that does not resolve to a fully qualified domain name is still of concern. You would assume that an application on your device would use a FQDN, or at least I do.
Even my gateway resolves to a FQDN. So you will excuse me, but anything that doesn't is of concern.
A rather interesting problem. No wonder there is a good deal of denial going on by each party (the accuser and the accused).
#enoughsaid