Ask HN: Got a /22, cool things to do with it?
Through some weird happenings I've recently got access to an /22 and its ASN. Now I'm looking for some fun things to do with it, things which are only possible with such a "large" number of IPs. Any suggestions?
92 comments
[ 2.2 ms ] story [ 188 ms ] threadI have a small ipv6 subnet I purchased for just this purpose. It was interesting setting everything up in multiple locations and seeing traffic routing around as I turned machines on and off.
I also set up my machines as a reverse proxy of a sort, a small fake CDN, and experimented with caching at different locations and moving content around.
I would have gotten a bit more serious about it, but I’m still on the waiting list for an ipv4 subnet after 2 years. And pretty sure it would be too expensive now. Would have to check though.
ASN:s are related to BGP, the Border Gateway Protocol, which is part of how the IP network is organized.
OP is saying that they have control of 1022 public IP addresses.
Oh, not that kind of .22. An IPv4 /22 is a network segment where the /22 stands for the number of bits used for the network address. Since an IPv4 address is 32 bits wide this leaves 10 bits which can be freely assigned by the address 'owner'. Those 10 bits (1024 addresses) can be used for individual hosts or the range can be further subdivided into smaller networks, e.g. 4 /24 networks.
This type of network address is called a Classless Inter Domain Routing (CIDR [1]) address, this in opposition to 'class A/B/C' addresses which identify networks in 8-bit steps. A class A network is a /8, class B a /16 and class C a /24.
[1] https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing
Then I realized it was probably some neteorking stuff
Is it common to purchase (to own, not "rent" as what you get from cloud platforms) single IP addresses? I thought they were always bought/sold in blocks.
And then be disappointed at how the Internet is actually so fragile based on a lot of wrong premises and hidden stuffs.
https://en.wikipedia.org/wiki/Tor_(network)
So far, the high profile busts involving Tor all involve some other weaker link in the chain, such as traffic analysis[0], a CI, a targeted sting operation. etc.
If this is the case and your hypothesis is true, then it appears to be unnecessary on their part, since all the folks they're prosecuting are those for whom other evidence is more readily available.
(Before someone replies with "parallel construction": the point of parallel construction is to use methods that are easy but illegal to obtain evidence that can be used to help find "legal" sources of evidence that would otherwise not be easy or feasible. That doesn't really apply here, where the illegal (or in this case, secretive) method is more work than the "official" method).
[0] e.g. that case a decade ago where a student called in a bomb threat using Tor, and the university was able to determine that exactly one person on campus was using Tor at that time - not by compromising Tor itself, but because Tor traffic is detectable by ISPs.
(If I recall, the Snowden files also contained a claim by NSA that they could not break Tor.)
After all, with a VPN you get to see source and destination IPs, username, e-mail, payment information, and maybe they even download your connection tool and run it as root.
If you control the exit nodes, you can snoop on the content, even if you don’t have the destination. The goal for governments isn’t catching crime, it’s spying on secrets. Same way WikiLeaks was supposedly started by snooping on Tor traffic.
Anyone browsing non-SSL sites through Tor is a fool, because malicious exit nodes are well known to exist, doing things like replacing bitcoin addresses in unencrypted web traffic. You don't need to be the NSA to benefit from doing that.
And, again assuming this is true, how would any other technology protect you better?
Especially people working at "a security firm" should know that security is not black and white, but has many dimensions to it.
And then, here we are talking about diversifying relay operations, so even if you believe the rest of the network to be totally compromised, it would still add some net benefit, no?
Governments also run a lot of relays and exit nodes for a similar reason. Not to make it easier for themselves to identify traffic. For no one actor to have a majority of nodes, which would make it a lot easier to identify traffic.
However, that will likely put that /22 on quite a number of blacklists out there for an indefinite period of time.
Other than honeypot stuff or more grey area things like botting/scanning having a zillion IPs really isn't super interesting unless you have customers for them, in my opinion.
If I were in your position I'd simply lease them out until I have a real use-case for the block. This can also carry reputational risks of course as well. IPXO is a market I've used in the past to accomplish this, although others do exist.
I do think having a block of IPv4 and an ASN is definitely a nice strategic asset to keep around if at all financially viable to do so. The cost of ARIN/RIPE registration isn't crazy, but is more than an individual would typically want to carry. Leasing out your unused strategic asset to at least pay for itself until you might need it seems prudent to me.
FYI it is spelled Tor, not ToR and not TOR.
Either lease them or start a web hosting business.
People want to host Internet services from their homes. They don't have static IPs, and/or they don't want to open their home IP address directly to the public, for good reason.
You can setup some wireguard servers with static IPs. Then people can tunnel their services running at home through your servers. They avoid the cost of having to pay for cloud hosting, and you provide a shield so that they aren't exposed.
Obviously, the IP addresses on their own aren't enough to make this work. You're going to need some computing infrastructure. But you won't need lots of storage and compute. You'll mostly need bandwidth and networking equipment. The thing is, getting IP addresses is harder than getting hardware and bandwidth. You already did the hard part.
I don't accept the argument that by attempting to benefit the common good that one must be responsible for what happens or how that's used. Many items and actions of good will can be weaponized, in ways that the media finds odious like the things you mentioned, but nobody comes after the cell phone operators, the ISPs, they attack the weak link that cant afford representation in court - the solo and small operators. It's stupid and I'm surprised it fools the voter base in the current epoch.
And you will be the one that will have to deal with abuse complaints.
Thankfully we have common carrier protection laws that people can argue they're protected by or not.
Like, just look at Playit.gg, they have issues with both ip blacklists and domain blacklists (+ safe browsing warnings)
T-Mobile is a big one that apparently blocks their ip ranges.
My interpretation of what's been suggested is basically an ip you can port forward, as if you had a public ip.
For example, let's say you want to run a minecraft server for your friends from your home. You use this hypothetical service to get an ip you can use, and tunnel the needed ports in to your network (and ultimately, your minecraft server).
This couldn't be provided with a single ip, since at best that would limit you to selling off individual ports. The product becomes worthwhile if each customer has their own ip.
For tls1.2, that's usually routing based on server name identifier in the ClientHello and you can do it pretty trivially
For Minecraft.. you would probably need to write your own proxying logic. But as long as the protocol includes some info on what it's trying to connect to you could still do it.
Alternatively you could do it like the old quakeworld spectator proxies and just write a custom Minecraft server people connect to that then presents a menu in game to pick a server that it then connects to.
The fixed ip product more or less lets a user use it for anything they could with their own static ip.
The single ip product only allows the end user to use protocols for which you have built forwarding logic. For some, like sip or http, this would be simple, but for others you would need a much higher understanding of the application protocol.
One is a geeks Swiss army ip, the other is "now you can self host one of these 5 services, some or which might stop working if the application makes breaking changes."
So there is that possibility.
We always need more IPs. My direct email is julien at serpapi.com.
ARIN does not frown on this marketplace, in fact they encourage it and even endorse specific brokers.
https://www.arin.net/resources/fees/fee_schedule/
$48 x 1024 (IPv4 /22) = $49,152. For that transaction the ARIN fee is effectively 1%, considerably lower than the commissions charged by the brokers (which also comes out of the seller's proceeds).
The ARIN fee covers their staff time to review the transfer - specifically the history of the legal entities involved, which as anyone who has dealt with ARIN knows is extremely thorough.
With proxies and NAT I really can't think of a single thing I care about doing with tons of ips.. I feel uncreative here.
You could get into some form of webhosting but not everyone needs a public IP since apache/nginx proxy everything for wordpress and you'd just do hostname routing.
Selling the space either entirely or per block/IPs might be interesting since the price of IPs has gone way up.
Might be a stupid question and I could be way off base but worth asking.
Maybe something something anycast in general.
Also, you don't really need a /22 for it, but maybe you can collect data on how much of the internet can't connect to hosts on .0 or .255 addresses. (Some firewalls block access to those as a misguided attempt to reduce smurfing.)
I have some ideas for path mtu testing where you'd setup a different IP for each MTU from 576 to 1500. It's overkill, but you could do it with a /22.