Through some weird happenings I've recently got access to an /22 and its ASN. Now I'm looking for some fun things to do with it, things which are only possible with such a "large" number of IPs. Any suggestions?
Realistically, you should sell it while it's valuable. Take a look at IPv6 adoption. I know, I know, "IPv6 will never be here blah blah blah", so the naysayers say, but look at what Google is getting now, for instance:
We're counting down the years before IPv6 will become the major protocol, after which, IPv4 addresses will slowly start to loose value.
"But it's only FAANG, noone else has IPv6!"
Just not the case anymore. But even if, most people don't care about anything else anyway.
I have a friend who helps to operate a university dorm network. Allegedly, he once removed an IPv4 address by mistake from one student's computer. He only heard about it half a year later, when the student casually mentioned that only Google, Facebook and other big sites seem to work. Apparently, if Google, Facebook, and the School's website works, it's acceptable to most (which is sad for different reasons, but that's not my point).
Anyway, that's still at least a few years away though, you can have some fun with it for now :)
> Allegedly, he once removed an IPv4 address by mistake from one student's computer. He only heard about it half a year later, when the student casually mentioned that only Google, Facebook and other big sites seem to work. Apparently, if Google, Facebook, and the School's website works, it's acceptable to most (which is sad for different reasons, but that's not my point).
The fact that the "sad part" is that the student only uses big tech websites and not that this netop was able to do something like this with no alerting or guardrails says a lot about HN's culture these days.
In general I wonder what kind of alerting these dorm ISPs run. Do they ever do reachability tests for devices on their network?
Some university networks are run tightly, others are rather loose when it comes to security, monitoring and debugging network cables that are syncing up at lower speeds. Really depends on who is staffing the IT team...
Many older universities give you a public IPv4 address with no NAT when you plug into a network port.
OP, one neat thing you should try is broadcasting a /25 through /29 and seeing which ISPs this is routable from (eg: Lumen (aka Centurylink/Quantum), Verizon, T-Mobile, AT&T, Comcast, etc). There are a number of blocks smaller than /24's being broadcast, and it would be quite interesting to see which ISPs are willing to route traffic to smaller blocks.
There's a management system that assigns IPs automatically, written in-house in the late 2000s, but yes, anything there can be manually overridden. He was probably diagnosing something earlier and forgot to clean up. Meanwhile, new students moved in I guess.
Missing IPv4 addresses are not reported as some systems are left IPv6-only intentionally. It's a dorm network, but it's sort-of a research project at the same time. It is also run by students themselves (there's a "student's union") and the school does not pay or maintain the dorm's infrastructure.
I know alerting is done for some things, but not for the individual student's machine. This is different for every dorm, but in this case, a wired symmetrical gigabit connection is provided to every member student, public IPv4 and IPv6 included. The only restriction is to not download torrents, besides that, pretty much anything can be arranged, including opening port 25, routing additional IPv6 prefixes, hosting...
It's a very free environment is what I'm getting at.
Good question! It's spiking up on weekends, the reason for that is that corporate networks are not as incentivized as large public ISPs to adopt IPv6.
They have a lot more customers and are more directly affected by IPv4 exhaustion, especially the mobile providers.
I'd guess work VPNs don't implement IPv6 (why would they, if they only need to share 1 IPv4), which results to home internet usage being higher on the weekends.
People want to host Internet services from their homes. They don't have static IPs, and/or they don't want to open their home IP address directly to the public, for good reason.
You can setup some wireguard servers with static IPs. Then people can tunnel their services running at home through your servers. They avoid the cost of having to pay for cloud hosting, and you provide a shield so that they aren't exposed.
Obviously, the IP addresses on their own aren't enough to make this work. You're going to need some computing infrastructure. But you won't need lots of storage and compute. You'll mostly need bandwidth and networking equipment. The thing is, getting IP addresses is harder than getting hardware and bandwidth. You already did the hard part.
You know, at some point, in the interest of a free internet we should consider whether penalizing the mostly-benevolent-cogs along the way is the right way to go about it. It's not like someone operating that service is specifically consenting to every packet that flows through them so it shouldn't be treated in a court room as if they gave their explicit blessing for whatever malfeasance came to happen.
I don't accept the argument that by attempting to benefit the common good that one must be responsible for what happens or how that's used. Many items and actions of good will can be weaponized, in ways that the media finds odious like the things you mentioned, but nobody comes after the cell phone operators, the ISPs, they attack the weak link that cant afford representation in court - the solo and small operators. It's stupid and I'm surprised it fools the voter base in the current epoch.
The moment you give someone an opportunity to create outbound connection to port 25 from your IP, you are certainly risking (well, guaranteeing) those IPs to be listed at various blocklists.
And you will be the one that will have to deal with abuse complaints.
My interpretation of what's been suggested is basically an ip you can port forward, as if you had a public ip.
For example, let's say you want to run a minecraft server for your friends from your home. You use this hypothetical service to get an ip you can use, and tunnel the needed ports in to your network (and ultimately, your minecraft server).
This couldn't be provided with a single ip, since at best that would limit you to selling off individual ports. The product becomes worthwhile if each customer has their own ip.
You can still do it off of one IP but it becomes more expensive as you now have to understand the protocol, and to route based on the handshake.
For tls1.2, that's usually routing based on server name identifier in the ClientHello and you can do it pretty trivially
For Minecraft.. you would probably need to write your own proxying logic. But as long as the protocol includes some info on what it's trying to connect to you could still do it.
Alternatively you could do it like the old quakeworld spectator proxies and just write a custom Minecraft server people connect to that then presents a menu in game to pick a server that it then connects to.
The fixed ip product more or less lets a user use it for anything they could with their own static ip.
The single ip product only allows the end user to use protocols for which you have built forwarding logic. For some, like sip or http, this would be simple, but for others you would need a much higher understanding of the application protocol.
One is a geeks Swiss army ip, the other is "now you can self host one of these 5 services, some or which might stop working if the application makes breaking changes."
That's a layer 7 proxy/router and would require a lot of application specific logic. If you want a static IP for your home network, you want it routed directly.
It is getting increasingly difficult for Tor exit operators to find ISPs that are willing to let the relays "poison" IP space. I know the torservers.net non-profit has a /22 that it manages and assigns to relay operators. If that's something you would like to support, the Tor community would surely appreciate it.
Aren't most of the Tor exit nodes widely thought to be run by government agencies? People thought that was true at a security firm I used to work at. I wouldn't be surprised if Tor was a honey pot designed to catch people doing nefarious things.
It's not. The entire purpose of Tor was for US spies overseas to be able to make anonymous secure communications. They opened it up to the rest of the world, because if the only people using Tor are US spies, it's pretty easy to tell what someone's using it for.
Governments also run a lot of relays and exit nodes for a similar reason. Not to make it easier for themselves to identify traffic. For no one actor to have a majority of nodes, which would make it a lot easier to identify traffic.
> I wouldn't be surprised if Tor was a honey pot designed to catch people doing nefarious things.
So far, the high profile busts involving Tor all involve some other weaker link in the chain, such as traffic analysis[0], a CI, a targeted sting operation. etc.
If this is the case and your hypothesis is true, then it appears to be unnecessary on their part, since all the folks they're prosecuting are those for whom other evidence is more readily available.
(Before someone replies with "parallel construction": the point of parallel construction is to use methods that are easy but illegal to obtain evidence that can be used to help find "legal" sources of evidence that would otherwise not be easy or feasible. That doesn't really apply here, where the illegal (or in this case, secretive) method is more work than the "official" method).
[0] e.g. that case a decade ago where a student called in a bomb threat using Tor, and the university was able to determine that exactly one person on campus was using Tor at that time - not by compromising Tor itself, but because Tor traffic is detectable by ISPs.
> So far, the high profile busts involving Tor all involve some other weaker link in the chain, such as traffic analysis[0], a CI, a targeted sting operation. etc.
(If I recall, the Snowden files also contained a claim by NSA that they could not break Tor.)
Assuming that was true - wouldn't it be much easier to simply remove their exit nodes, making Tor intolerably slow, let the users leave for alternatives like VPNs, and then just buy up some VPN providers through shell companies?
After all, with a VPN you get to see source and destination IPs, username, e-mail, payment information, and maybe they even download your connection tool and run it as root.
You assume that the same part of the government that runs it wants to stop crime.
If you control the exit nodes, you can snoop on the content, even if you don’t have the destination. The goal for governments isn’t catching crime, it’s spying on secrets. Same way WikiLeaks was supposedly started by snooping on Tor traffic.
The traffic is almost all SSL-encrypted, so all you get to snoop on is the fact that someone unknown is connecting to https://www.example.com
Anyone browsing non-SSL sites through Tor is a fool, because malicious exit nodes are well known to exist, doing things like replacing bitcoin addresses in unencrypted web traffic. You don't need to be the NSA to benefit from doing that.
Even if that were true, how would it work practically? For anyone who might be interested in identifying or tracking you, how would they "use Tor" to look up your identity? Over 200 countries, across all government agencies, and then including non-governmental actors? Maybe a Tor user isn't trying to protect from "the NSA" (or whoever you think is "running the Tor network")?
And, again assuming this is true, how would any other technology protect you better?
Especially people working at "a security firm" should know that security is not black and white, but has many dimensions to it.
And then, here we are talking about diversifying relay operations, so even if you believe the rest of the network to be totally compromised, it would still add some net benefit, no?
Others have already presented good reasons that's unlikely, but either way - and especially if that is the case, then all the more reason to add non government exit nodes.
I run a largeish Tor relay family on rented servers and have thought about running exits on my own "ISP" for quite some time. I already have an ASN and IPv6 addresses but Tor needs v4 and those are prohibitively expensive to buy and leasing is not possible because of the blacklist problematic. My email is in my profile if that is something you want to support and could spare a /24 of your assignment.
Depends on what you plan to do with it long term I think. If you have no plans to make it commercially viable, then I agree with the other poster who recommends using it as blocks friendly for ToR exit node operators and/or similar style services (e.g. public nitter instance). You could delegate /24's as-needed for individual sites. Exit node operators tend to be technically clueful, so they will understand what will need to be done to make this work.
However, that will likely put that /22 on quite a number of blacklists out there for an indefinite period of time.
Other than honeypot stuff or more grey area things like botting/scanning having a zillion IPs really isn't super interesting unless you have customers for them, in my opinion.
If I were in your position I'd simply lease them out until I have a real use-case for the block. This can also carry reputational risks of course as well. IPXO is a market I've used in the past to accomplish this, although others do exist.
I do think having a block of IPv4 and an ASN is definitely a nice strategic asset to keep around if at all financially viable to do so. The cost of ARIN/RIPE registration isn't crazy, but is more than an individual would typically want to carry. Leasing out your unused strategic asset to at least pay for itself until you might need it seems prudent to me.
Had a similar situation with a /16 at a research institution. Deployed non-interactive, multi-service sinkhole type honeypots across the entire /16 and collected a massive cache of data. A lot of fun developing something that could scale on that size of network. We used Go for the honeypots and Clickhouse to analyze the TBs of data.
I'm a former neteng and I'm having a really difficult time coming up with anything that is remotely interesting. I'm not going near running a Tor exit node.
With proxies and NAT I really can't think of a single thing I care about doing with tons of ips.. I feel uncreative here.
You could get into some form of webhosting but not everyone needs a public IP since apache/nginx proxy everything for wordpress and you'd just do hostname routing.
Selling the space either entirely or per block/IPs might be interesting since the price of IPs has gone way up.
A lot of people here are assuming ownership but your post says "access". Can you clarify if this is a /22 you have rights to manage through something like an employer or a /22 you have full personal ownership of?
Maybe this can be a better (crowdfunded) open dyndns network?
Eversince dyndns got bought all similar services went to shit, and people that want to self host are very limited in their options...and most public hosting providers oblige to DMCA bogus spam way too often, so a lot of valueable knowledge has been lost over the last years of carrier-grade NAT rollouts.
This might be a nice way to counteract this, and have a community of self hosted blogs or similar. Could use user subdomains, so reverse proxies and letsencrypt is easier to setup (and potentially integrated in the public suffix list) and could focus on maybe ssh and https only as protocols/ports.
Well if it’s for learning, you can rent vms from hosting providers. That’s a fairly inexpensive way to learn about BGP with a global “toy” CDN.
I have a small ipv6 subnet I purchased for just this purpose. It was interesting setting everything up in multiple locations and seeing traffic routing around as I turned machines on and off.
I also set up my machines as a reverse proxy of a sort, a small fake CDN, and experimented with caching at different locations and moving content around.
I would have gotten a bit more serious about it, but I’m still on the waiting list for an ipv4 subnet after 2 years. And pretty sure it would be too expensive now. Would have to check though.
Normally when you buy a static IPv4 address you get a single "1.2.3.4". OP is basically saying they have access to something like "1.2.[0-3].[0-255]". /22 is a fancy way of describing that kind of slice in CIDR notation. So they have 256*4=1024 IP addresses in total.
> Normally when you buy a static IPv4 address you get a single "1.2.3.4"
Is it common to purchase (to own, not "rent" as what you get from cloud platforms) single IP addresses? I thought they were always bought/sold in blocks.
No, in general, the smallest block of IPv6 addresses you can "own" is /24. You have to pay yearly fees to your RIR (Regional Internet Registry) as an ANS (Autonomous system). Think of it as owning land and paying a land tax.
.22s are light calibre weapons good for plinking and vermin...
Oh, not that kind of .22. An IPv4 /22 is a network segment where the /22 stands for the number of bits used for the network address. Since an IPv4 address is 32 bits wide this leaves 10 bits which can be freely assigned by the address 'owner'. Those 10 bits (1024 addresses) can be used for individual hosts or the range can be further subdivided into smaller networks, e.g. 4 /24 networks.
This type of network address is called a Classless Inter Domain Routing (CIDR [1]) address, this in opposition to 'class A/B/C' addresses which identify networks in 8-bit steps. A class A network is a /8, class B a /16 and class C a /24.
Boring, but at my last company, we got a /22 so we could run authoritative DNS on four separate /24s.
Maybe something something anycast in general.
Also, you don't really need a /22 for it, but maybe you can collect data on how much of the internet can't connect to hosts on .0 or .255 addresses. (Some firewalls block access to those as a misguided attempt to reduce smurfing.)
I have some ideas for path mtu testing where you'd setup a different IP for each MTU from 576 to 1500. It's overkill, but you could do it with a /22.
There is no consumer/hobbyist use case for an entire subnet worth of IPs. I can guarantee that whatever you want to do (and whatever people here are suggesting) can be achieved with a single public address. If you actually own this range, and don't have founding a networking company on your bucket list, your best bet is to sell it (can get something like $35K for it right now).
Networking isn’t my thing but could this be used to create a VPN in order to federate a bunch of servers? I’m thinking something like Tilde servers that would benefit from running on their own subnet along with other trusted servers so they could provide services similar to the way they worked on the early net e.g. email, news, finger, etc?
Might be a stupid question and I could be way off base but worth asking.
In case anyone is confused, the $500 ARIN fee is per transaction, not per IP.
$48 x 1024 (IPv4 /22) = $49,152. For that transaction the ARIN fee is effectively 1%, considerably lower than the commissions charged by the brokers (which also comes out of the seller's proceeds).
The ARIN fee covers their staff time to review the transfer - specifically the history of the legal entities involved, which as anyone who has dealt with ARIN knows is extremely thorough.
traceroute6 to cv6.poinsignon.org (2001:bc8:3eff:c0::ff) from 2a01:e34:ec68:5f30:6ce3:1ef7:b198:a396, 64 hops max, 28 byte packets
1 2a01:e34:ec68:5f30::1 2.320 ms 2.028 ms 1.642 ms
2 * * *
3 * * *
4 * * *
5 2001:bc8:0:2::11 4.029 ms 4.608 ms 4.318 ms
6 *
2001:bc8:0:2::20 5.587 ms
2001:bc8:0:2::26 4.422 ms
7 2001:bc8:400:1::8e 4.689 ms
2001:bc8:400:100::cb 4.666 ms 4.945 ms
8 2001:bc8:400:1::13e 1017.472 ms * 813.992 ms
9 hello 3.597 ms 3.785 ms 3.915 ms
10 my.name.is.louis.poinsignon 3.914 ms 3.750 ms 4.083 ms
11 i.am.a.network.and.systems.engineer 5.913 ms 4.322 ms 3.886 ms
12 this.is.my.resume.over.traceroute 3.832 ms 3.833 ms 3.860 ms
13 o---experience---o 3.275 ms 4.009 ms 3.529 ms
14 2021.apple.engineer.sf.usa 3.496 ms 4.197 ms 6.186 ms
15 2018.cloudflare.engineer.sf.usa 4.406 ms 3.754 ms 4.213 ms
16 2017.cloudflare.engineer.london.uk 3.704 ms 3.594 ms 5.262 ms
17 2016.cloudflare.engineer.intern.sf.usa 3.950 ms 4.165 ms 4.197 ms
18 o---education---o 14.514 ms 5.284 ms 5.510 ms
19 2015-2016.drexeluni.exchange.ce.philadelphia.usa 5.520 ms 4.718 ms 3.956 ms
20 2011-2016.utt.master.ce.france 3.853 ms 4.164 ms 4.386 ms
21 o---skills---o 3.928 ms 4.617 ms 5.827 ms
22 golang.c.python 3.833 ms 4.415 ms 3.647 ms
23 networks.linux.automation.kafka.clickhouse.kubernetes 4.706 ms 31.174 ms 5.454 ms
24 statistics.maths 4.595 ms 3.685 ms 3.952 ms
25 o---various---o 3.988 ms 5.320 ms 17.645 ms
26 swimming.karate.piano 4.509 ms 4.844 ms 6.080 ms
27 o---contact---o 12.460 ms 4.527 ms 3.768 ms
28 mail.jobs.at.poinsignon.org 6.822 ms 3.953 ms 3.670 ms
29 * * *
30 * * *
31 * * *
32 * * *
33 * * *
34 * * *
35 * * *
36 * *
That's the most expensive resume you could probably have! I don't have access to a whole /22, but I'm now tempted to do this at a smaller scale, thanks for the idea!
https://www.google.com/intl/en/ipv6/statistics.html
We're counting down the years before IPv6 will become the major protocol, after which, IPv4 addresses will slowly start to loose value.
"But it's only FAANG, noone else has IPv6!" Just not the case anymore. But even if, most people don't care about anything else anyway. I have a friend who helps to operate a university dorm network. Allegedly, he once removed an IPv4 address by mistake from one student's computer. He only heard about it half a year later, when the student casually mentioned that only Google, Facebook and other big sites seem to work. Apparently, if Google, Facebook, and the School's website works, it's acceptable to most (which is sad for different reasons, but that's not my point).
Anyway, that's still at least a few years away though, you can have some fun with it for now :)