The dangers of public IPs
Credit to Author: Ilja Shatilin | Date: Fri, 23 Nov 2018 12:01:17 +0000
Almost every ISP offers an option to use a public IP address. Other names are “static IP,” “Internet-routable IP,” and sometimes “real IP.” Some people buy this option having a specific purpose in mind, some opt in just for the sake of it. However, public IP addresses can pose numerous risks. To find out what they’re all about, who might need them, and what the dangers are, read on.
What’s an IP address, and how does it work?
If you want to send a friend a postcard, you need to know their address. Without it, the postcard won’t be delivered. The Internet is roughly the same. All online actions, from checking mail to watching cat videos, require data to be exchanged between your device and the host servers, and each participant in the process must have its own address.
For example, to open a page in a browser, your computer must contact the server at its address, and the server sends the page back using the computer’s address. The request and response are both transmitted by means of packets containing the addresses of the sender and recipient, just like with snail mail. Such addresses are called IP addresses, and they are written in the form of four numbers from 0 to 255, separated by decimal points: for example, 92.162.36.203. This yields a total of just over 4 billion possible combinations, far fewer than the number of devices connected to the Internet.
To conserve the limited supply of IP addresses, NAT (network address translation) was conceived. Simply put, it works as follows: ISPs use one external public IP address for all of their subscribers, assigning internal private ones to each of them.
It’s analogous to an old office phone system (or some still in use), with all calls from outside coming to one external number, and employee phones using additional, internal numbers. The internal numbers weren’t reachable directly from outside; you’d ring a general number and a secretary would put you through.
The role of secretary in this case is performed by NAT. On receiving a packet for an external server, it notes which device sent it (so as to know where to send the response) and, before forwarding the packet, replaces the device’s address with its own, which is common to all. When the response arrives, addressed to that common address, NAT replaces the destination with the device’s address in the provider’s internal network, and the “letter” wends its way to the device to which it is actually addressed.
The NAT mechanism can be nested: for example, your home Wi-Fi router, itself subject to the provider’s NAT, creates a local network with its own private IP addresses and relays packets between your devices and the provider’s network. Everything would seem to be fine, so why the need for a static IP address?
NAT works great just as long as all connections are initiated from the internal network — in other words, when it is you opening sites, downloading files, and watching videos. But when it comes to connecting to your device from the Internet, NAT is not up to the job. Packets arriving at the provider’s public IP address will go precisely nowhere, because they are not a response to anyone’s internal request, and their target destination is unknown.
So, when access to your network is needed from the outside, the solution is to use a public IP address. In our company telephone analogy, it’s a direct-dial number rather than the general switchboard.
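The NAT behaviour described above, as an added example that is not part of the original article: a toy Python model of nested NAT, with a home router behind the provider's NAT. All addresses and ports are constructed sample values, and the rule that a reply must come from the server that was contacted is a simplifying assumption; real devices vary.

```python
# Added illustration: toy model of nested NAT. Addresses/ports are constructed.
class Nat:
    """Port-translating NAT: many internal hosts share one external address."""

    def __init__(self, external_ip, first_port=40000):
        self.external_ip = external_ip
        self.next_port = first_port
        self.out = {}   # (internal endpoint, remote endpoint) -> external port
        self.back = {}  # (external port, remote endpoint) -> internal endpoint

    def outbound(self, pkt):
        """Rewrite the source of a packet leaving the internal network."""
        key = (pkt["src"], pkt["dst"])
        if key not in self.out:              # note who sent it, for the reply
            self.out[key] = self.next_port
            self.back[(self.next_port, pkt["dst"])] = pkt["src"]
            self.next_port += 1
        return {"src": (self.external_ip, self.out[key]), "dst": pkt["dst"]}

    def inbound(self, pkt):
        """Rewrite the destination of an arriving packet, or drop it (None)."""
        if pkt["dst"][0] != self.external_ip:
            return None
        owner = self.back.get((pkt["dst"][1], pkt["src"]))
        if owner is None:                    # not a response to any request
            return None
        return {"src": pkt["src"], "dst": owner}

HOME = Nat("10.20.30.40")      # home router; its outer address is provider-internal
ISP = Nat("198.51.100.7")      # provider NAT holding the shared public address
SERVER = ("203.0.113.80", 443)
LAPTOP = ("192.168.1.10", 51515)

def browse():
    """Laptop -> home NAT -> provider NAT -> server, then the reply back."""
    seen_by_server = ISP.outbound(HOME.outbound({"src": LAPTOP, "dst": SERVER}))
    reply = {"src": SERVER, "dst": seen_by_server["src"]}
    delivered = HOME.inbound(ISP.inbound(reply))
    return seen_by_server, delivered

def unsolicited(remote=("192.0.2.66", 55000)):
    """A connection attempt from the Internet to the shared public address."""
    return ISP.inbound({"src": remote, "dst": ("198.51.100.7", 40000)})

if __name__ == "__main__":
    print(browse())        # server sees only 198.51.100.7; reply reaches laptop
    print(unsolicited())   # None: no table entry, so the packet goes nowhere
```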
Why bother with public IP?
Using a public IP address can be useful if, say, you want to access files on your home computer when at work or visiting friends, instead of storing them in the cloud.
Static IP addresses are also very popular with gamers, who use them to set up their own servers — with their own rules, mods, and maps — for multiplayer games and invite friends to join in. Also, a public IP address is needed for streaming games from a remote device such as an Xbox, PlayStation, or gaming PC to a laptop when playing away from home.
Sometimes, a public IP address is required to operate video surveillance and other security systems, or smart home solutions, but that applies primarily to outdated ones. Most modern systems are cloud-based. This means registering your home devices on a special trusted server, whereupon all commands you send go to the server, not directly to the devices. The devices then periodically “poke” the server to see if it has any commands for them. With this approach, a static IP is not required; NAT knows where to return the packets at all stages. Not only that, this server can be used to receive information from devices and manage them from anywhere in the world.
What’s dangerous about public IPs?
The main risk of using a public IP address is the same as the advantage: It allows anyone, anywhere to connect to your device directly from the Internet — and that includes cybercriminals. As they say, when you connect to the Internet, the Internet connects to you, in this case — directly. By exploiting various vulnerabilities, cybercriminals can get their hands on your files and steal confidential information to sell or for blackmail.
What’s more, attackers can change your Internet access settings, for example, forcing the router to feed you phishing websites where they can pinch your login credentials.
How do hackers know who to attack? For a start, there exist publicly available Internet services that regularly scan all IP addresses for vulnerabilities, making thousands of devices with exploitable bugs just a couple of clicks away. If cybercriminals want to get hold of not just anybody’s, but specifically your IP, they can do it when you use Skype, for example. Even when just visiting websites, your address is visible.
Incidentally, your real IP address can be used not only to hack into your home network, but also to carry out a DDoS attack, by bombarding you with packets from different devices simultaneously and overloading your Internet channel and router. Your ISP is protected against this — are you? Such attacks are often carried out against gamers and streamers, for example, to knock an opponent out of the competition by sabotaging their Internet connection.
How to stay protected
The best way to stay protected is, of course, not to use a public IP address at all, especially if you are not sure that you need it. Don’t be fooled by ISP ads, however persuasive they may be.
But if you are sure that a static IP is for you, you have to work harder on your protection. The first step is to change the default password on the router. This won’t guard against hackers exploiting vulnerabilities in a particular model, but it will save you from less-skilled attackers. It’s a good idea to use a router model with as few hacker-friendly bugs as possible, but for that you have to do some research, rummaging around online for the latest information.
Router firmware should be regularly updated; updates generally fix errors found in earlier versions. And it should go without saying that all built-in protection tools should be turned on — what you’ll find in SOHO routers are not the most effective solutions, but they’re still better than nothing.
On top of that, a VPN is recommended to keep your public IP address hidden wherever you are browsing. When it’s active, the VPN server address will be displayed instead.
Finally, don’t go without security solutions on your computers and mobile devices. These days, they not only catch malware, but also protect against other kinds of attacks, such as redirection to malicious sites or the injection of malvertising — if your router is hacked, these are the attacks most likely to occur.