[HN Gopher] Ask HN: Got a /22, cool things to do with it?
___________________________________________________________________
Ask HN: Got a /22, cool things to do with it?
Through some weird happenings I've recently got access to an /22
and its ASN. Now I'm looking for some fun things to do with it,
things which are only possible with such a "large" number of IPs.
Any suggestions?
Author : dosguy42
Score : 69 points
Date : 2024-01-12 13:07 UTC (9 hours ago)
| zeroclicks wrote:
| Lease them through an IPv4 broker. The going price for a /22 is
| about $120 per month.
| pyvpx wrote:
| You're likely thinking of a /24 at that price. Most /22 leases
| (1024 contiguous addresses) are in the neighborhood of 500/m
| (eur, usd, chf...)
| hendi_ wrote:
| If learning is "fun" for you, you can play around with BGP and
| build your own global CDN with Anycast.
| uxp8u61q wrote:
| Unless you actually have several machines spread around the
| globe, you're not building a "global" CDN.
| dan353hehe wrote:
| Well if it's for learning, you can rent vms from hosting
| providers. That's a fairly inexpensive way to learn about BGP
| with a global "toy" CDN.
|
| I have a small ipv6 subnet I purchased for just this purpose.
| It was interesting setting everything up in multiple
| locations and seeing traffic routing around as I turned
| machines on and off.
|
| I also set up my machines as a reverse proxy of a sort, a
| small fake CDN, and experimented with caching at different
| locations and moving content around.
|
| I would have gotten a bit more serious about it, but I'm
| still on the waiting list for an ipv4 subnet after 2 years.
| And pretty sure it would be too expensive now. Would have to
| check though.
| alexw1 wrote:
| Had a similar situation with a /16 at a research institution.
| Deployed non-interactive, multi-service sinkhole type honeypots
| across the entire /16 and collected a massive cache of data. A
| lot of fun developing something that could scale on that size of
| network. We used Go for the honeypots and Clickhouse to analyze
| the TBs of data.
| runjake wrote:
| Can you elaborate on the honeypots a bit more? What honeypot
| software did you use? Which services were most popular and
| effective?
| brianzelip wrote:
| What are /22 and ASN?
| marginalia_nu wrote:
| IP subnet with, IIRC, 1024 IPs, and Autonomous System Number
| respectively.
|
| ASNs are related to BGP, the Border Gateway Protocol, which is
| part of how the IP network is organized.
| tgv wrote:
| To explain a bit more: the first 22 bits (of the 32 bit IPv4
| address) are fixed, so there are 10 free bits = 1024
| addresses.
| geocrasher wrote:
| This is a fantastic, simple explanation of subnetting and
| CIDR notation. Well done.
| poxrud wrote:
| It's a way to represent a range of IP addresses, using CIDR
| notation. https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing
|
| OP is saying that they have control of 1022 public IP
| addresses.
| the_third_wave wrote:
| .22s are light calibre weapons good for plinking and vermin...
|
| Oh, not that kind of .22. An IPv4 /22 is a network segment
| where the /22 stands for the number of bits used for the
| network address. Since an IPv4 address is 32 bits wide this
| leaves 10 bits which can be freely assigned by the address
| 'owner'. Those 10 bits (1024 addresses) can be used for
| individual hosts or the range can be further subdivided into
| smaller networks, e.g. 4 /24 networks.
|
| This type of network address is called a Classless Inter-Domain
| Routing (CIDR [1]) address, as opposed to 'class A/B/C'
| addresses which identify networks in 8-bit steps. A class A
| network is a /8, class B a /16 and class C a /24.
|
| [1] https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing
| thedynamicduo wrote:
| Thanks, that was a really good explanation.
| thsksbd wrote:
| I thought he meant .22 for a moment but asked myself: "of all
| the places to ask what to do with a case of ammo, why all
| HN?".
|
| Then I realized it was probably some networking stuff.
| paxys wrote:
| Normally when you buy a static IPv4 address you get a single
| "1.2.3.4". OP is basically saying they have access to something
| like "1.2.[0-3].[0-255]". /22 is a fancy way of describing that
| kind of slice in CIDR notation. So they have 256*4=1024 IP
| addresses in total.
| iFreilicht wrote:
| I think it's 1022, as the first and last one in the block are
| the gateway and broadcast address, right?
| paxys wrote:
| That's the recommendation, yes, but even then all 1024 are
| in your control and you can do whatever you want with them.
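The subnet arithmetic from tgv's, the_third_wave's and paxys's explanations, including the 1022-vs-1024 point just above, as an added Python example that is not part of the thread. It uses only the standard-library `ipaddress` module and takes paxys's illustrative 1.2.0.0/22 as a constructed input.

```python
import ipaddress
from typing import Dict, List


def block_summary(cidr: str) -> Dict[str, object]:
    """Describe an IPv4 block: fixed prefix bits, free host bits, size and edges."""
    # strict=False accepts a misaligned base (e.g. 1.2.1.0/22) and normalises it
    net = ipaddress.ip_network(cidr, strict=False)
    host_bits = net.max_prefixlen - net.prefixlen   # 32 - 22 = 10 for a /22
    total = net.num_addresses                        # 2 ** host_bits = 1024
    # Used as ONE flat LAN, the all-zeros (network) and all-ones (broadcast)
    # addresses are conventionally reserved, leaving 1022 hosts. The holder
    # still controls all 1024 addresses and may carve them up differently.
    usable_one_lan = total - 2 if net.prefixlen <= 30 else total
    return {
        "network": str(net.network_address),
        "prefixlen": net.prefixlen,
        "host_bits": host_bits,
        "total": total,
        "usable_as_one_lan": usable_one_lan,
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
    }


def is_aligned(cidr: str) -> bool:
    """True if the base address has no bits set below the prefix length."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True
    except ValueError:
        return False


def carve(cidr: str, new_prefix: int) -> List[str]:
    """Split a block into equal sub-blocks, e.g. a /22 into four /24s."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(sub) for sub in net.subnets(new_prefix=new_prefix)]


def containing_subnet(cidr: str, new_prefix: int, address: str) -> str:
    """Return the sub-block of the carved-up range that holds one address."""
    addr = ipaddress.ip_address(address)
    for sub in ipaddress.ip_network(cidr, strict=False).subnets(new_prefix=new_prefix):
        if addr in sub:
            return str(sub)
    raise ValueError(f"{address} is not inside {cidr}")


def dot_zero_and_dot_255(cidr: str) -> List[str]:
    """Addresses ending in .0 or .255: perfectly valid hosts inside a /22,
    but the ones some firewalls refuse to talk to (see toast0's comment)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(a) for a in net if int(a) & 0xFF in (0, 0xFF)]


if __name__ == "__main__":
    # Constructed input: paxys's "1.2.[0-3].[0-255]" written as CIDR.
    block = "1.2.0.0/22"
    print(block_summary(block))
    print(carve(block, 24))
    print(containing_subnet(block, 24, "1.2.2.17"))
    print(dot_zero_and_dot_255(block))
```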
| diggan wrote:
| > Normally when you buy a static IPv4 address you get a
| single "1.2.3.4"
|
| Is it common to purchase (to own, not "rent" as what you get
| from cloud platforms) single IP addresses? I thought they
| were always bought/sold in blocks.
| paxys wrote:
| I should have said lease instead of buy, yes.
| kdklol wrote:
| No, in general, the smallest block of IPv6 addresses you
| can "own" is /24. You have to pay yearly fees to your RIR
| (Regional Internet Registry) as an ASN (Autonomous system).
| Think of it as owning land and paying a land tax.
| stevefan1999 wrote:
| Try running MetalLB on it. And use it to deploy load balancers
| based on BGP.
|
| And then be disappointed at how the Internet is actually so
| fragile, based on a lot of wrong premises and hidden stuff.
| rendx wrote:
| It is getting increasingly difficult for Tor exit operators to
| find ISPs that are willing to let the relays "poison" IP space. I
| know the torservers.net non-profit has a /22 that it manages and
| assigns to relay operators. If that's something you would like to
| support, the Tor community would surely appreciate it.
| bauruine wrote:
| I run a largeish Tor relay family on rented servers and have
| thought about running exits on my own "ISP" for quite some
| time. I already have an ASN and IPv6 addresses but Tor needs v4
| and those are prohibitively expensive to buy and leasing is not
| possible because of the blacklist problem. My email is in
| my profile if that is something you want to support and could
| spare a /24 of your assignment.
| andy_ppp wrote:
| Aren't most of the Tor exit nodes widely thought to be run by
| government agencies? People thought that was true at a security
| firm I used to work at. I wouldn't be surprised if Tor was a
| honey pot designed to catch people doing nefarious things.
| dylan604 wrote:
| do you not know why Tor was actually created?
|
| https://en.wikipedia.org/wiki/Tor_(network)
| chimeracoder wrote:
| > I wouldn't be surprised if Tor was a honey pot designed to
| catch people doing nefarious things.
|
| So far, the high profile busts involving Tor all involve some
| other weaker link in the chain, such as traffic analysis[0],
| a CI, a targeted sting operation, etc.
|
| If this is the case and your hypothesis is true, then it
| appears to be unnecessary on their part, since all the folks
| they're prosecuting are those for whom other evidence is more
| readily available.
|
| (Before someone replies with "parallel construction": the
| point of parallel construction is to use methods that are
| easy but illegal to obtain evidence that can be used to help
| find "legal" sources of evidence that would otherwise not be
| easy or feasible. That doesn't really apply here, where the
| illegal (or in this case, secretive) method is _more_ work
| than the "official" method).
|
| [0] e.g. that case a decade ago where a student called in a
| bomb threat using Tor, and the university was able to
| determine that exactly one person on campus was using Tor at
| that time - not by compromising Tor itself, but because Tor
| traffic is detectable by ISPs.
| cjbprime wrote:
| > So far, the high profile busts involving Tor all involve
| some other weaker link in the chain, such as traffic
| analysis[0], a CI, a targeted sting operation. etc.
|
| (If I recall, the Snowden files also contained a claim by
| NSA that they could not break Tor.)
| michaelt wrote:
| Assuming that was true - wouldn't it be much easier to simply
| remove their exit nodes, making Tor intolerably slow, let the
| users leave for alternatives like VPNs, and then just buy up
| some VPN providers through shell companies?
|
| After all, with a VPN you get to see source _and_ destination
| IPs, username, e-mail, payment information, and maybe they
| even download your connection tool and run it as root.
| rendx wrote:
| Even if that were true, how would it work practically? For
| anyone who might be interested in identifying or tracking
| you, how would they "use Tor" to look up your identity? Over
| 200 countries, across all government agencies, and then
| including non-governmental actors? Maybe a Tor user isn't
| trying to protect from "the NSA" (or whoever you think is
| "running the Tor network")?
|
| And, again assuming this is true, how would any other
| technology protect you better?
|
| Especially people working at "a security firm" should know
| that security is not black and white, but has many dimensions
| to it.
|
| And then, here we are talking about diversifying relay
| operations, so even if you believe the rest of the network to
| be totally compromised, it would still add some net benefit,
| no?
| lozf wrote:
| Others have already presented good reasons that's unlikely,
| but either way - and especially if that is the case, then all
| the more reason to add non government exit nodes.
| joecot wrote:
| It's not. The entire purpose of Tor was for US spies overseas
| to be able to make anonymous secure communications. They
| opened it up to the rest of the world, because if the only
| people using Tor are US spies, it's pretty easy to tell what
| someone's using it for.
|
| Governments also run a lot of relays and exit nodes for a
| similar reason. Not to make it easier for themselves to
| identify traffic. For no one actor to have a majority of
| nodes, which would make it a lot easier to identify traffic.
| kazanz wrote:
| If you can think of more fun things to do with cash, I'll buy
| them from you.
| johnklos wrote:
| You answered what OP can do with them, but you didn't answer
| what cool things can be done with them.
| bhaney wrote:
| Making $30k isn't cool?
| phil21 wrote:
| Depends on what you plan to do with it long term I think. If you
| have no plans to make it commercially viable, then I agree with
| the other poster who recommends using it as blocks friendly for
| ToR exit node operators and/or similar style services (e.g.
| public nitter instance). You could delegate /24's as-needed for
| individual sites. Exit node operators tend to be technically
| clueful, so they will understand what will need to be done to
| make this work.
|
| However, that will likely put that /22 on quite a number of
| blacklists out there for an indefinite period of time.
|
| Other than honeypot stuff or more grey area things like
| botting/scanning having a zillion IPs really isn't super
| interesting unless you have customers for them, in my opinion.
|
| If I were in your position I'd simply lease them out until I have
| a real use-case for the block. This can also carry reputational
| risks of course as well. IPXO is a market I've used in the past
| to accomplish this, although others do exist.
|
| I do think having a block of IPv4 and an ASN is definitely a nice
| strategic asset to keep around if at all financially viable to do
| so. The cost of ARIN/RIPE registration isn't crazy, but is more
| than an individual would typically want to carry. Leasing out
| your unused strategic asset to at least pay for itself until you
| might need it seems prudent to me.
| forward1 wrote:
| > ToR exit node
|
| FYI it is spelled Tor, not ToR and not TOR.
| panarky wrote:
| Onion is the most salient part of the name so I propose
| "tOr".
| dorianmariefr wrote:
| Do `traceroute6 cv6.poinsignon.org` but with IPv4?
| dorianmariefr wrote:
| It gives this for reference:
|
| traceroute6 to cv6.poinsignon.org (2001:bc8:3eff:c0::ff) from 2a01:e34:ec68:5f30:6ce3:1ef7:b198:a396, 64 hops max, 28 byte packets
|  1  2a01:e34:ec68:5f30::1  2.320 ms  2.028 ms  1.642 ms
|  2  * * *
|  3  * * *
|  4  * * *
|  5  2001:bc8:0:2::11  4.029 ms  4.608 ms  4.318 ms
|  6  *  2001:bc8:0:2::20  5.587 ms  2001:bc8:0:2::26  4.422 ms
|  7  2001:bc8:400:1::8e  4.689 ms  2001:bc8:400:100::cb  4.666 ms  4.945 ms
|  8  2001:bc8:400:1::13e  1017.472 ms  *  813.992 ms
|  9  hello  3.597 ms  3.785 ms  3.915 ms
| 10  my.name.is.louis.poinsignon  3.914 ms  3.750 ms  4.083 ms
| 11  i.am.a.network.and.systems.engineer  5.913 ms  4.322 ms  3.886 ms
| 12  this.is.my.resume.over.traceroute  3.832 ms  3.833 ms  3.860 ms
| 13  o---experience---o  3.275 ms  4.009 ms  3.529 ms
| 14  2021.apple.engineer.sf.usa  3.496 ms  4.197 ms  6.186 ms
| 15  2018.cloudflare.engineer.sf.usa  4.406 ms  3.754 ms  4.213 ms
| 16  2017.cloudflare.engineer.london.uk  3.704 ms  3.594 ms  5.262 ms
| 17  2016.cloudflare.engineer.intern.sf.usa  3.950 ms  4.165 ms  4.197 ms
| 18  o---education---o  14.514 ms  5.284 ms  5.510 ms
| 19  2015-2016.drexeluni.exchange.ce.philadelphia.usa  5.520 ms  4.718 ms  3.956 ms
| 20  2011-2016.utt.master.ce.france  3.853 ms  4.164 ms  4.386 ms
| 21  o---skills---o  3.928 ms  4.617 ms  5.827 ms
| 22  golang.c.python  3.833 ms  4.415 ms  3.647 ms
| 23  networks.linux.automation.kafka.clickhouse.kubernetes  4.706 ms  31.174 ms  5.454 ms
| 24  statistics.maths  4.595 ms  3.685 ms  3.952 ms
| 25  o---various---o  3.988 ms  5.320 ms  17.645 ms
| 26  swimming.karate.piano  4.509 ms  4.844 ms  6.080 ms
| 27  o---contact---o  12.460 ms  4.527 ms  3.768 ms
| 28  mail.jobs.at.poinsignon.org  6.822 ms  3.953 ms  3.670 ms
| 29  * * *
| 30  * * *
| 31  * * *
| 32  * * *
| 33  * * *
| 34  * * *
| 35  * * *
| 36  * *
| kdklol wrote:
| That's the most expensive resume you could probably have! I
| don't have access to a whole /22, but I'm now tempted to do
| this at a smaller scale, thanks for the idea!
| zamadatix wrote:
| A lot of people here are assuming ownership but your post says
| "access". Can you clarify if this is a /22 you have rights to
| manage through something like an employer or a /22 you have full
| personal ownership of?
| myself248 wrote:
| Run a whole whack of ArchiveTeam warrior clients. :)
| dearroy wrote:
| Which RIR?
|
| Either lease them or start a web hosting business.
| Apreche wrote:
| Set up a competitor to Cloudflare Tunnel.
|
| People want to host Internet services from their homes. They
| don't have static IPs, and/or they don't want to open their home
| IP address directly to the public, for good reason.
|
| You can set up some WireGuard servers with static IPs. Then people
| can tunnel their services running at home through your servers.
| They avoid the cost of having to pay for cloud hosting, and you
| provide a shield so that they aren't exposed.
|
| Obviously, the IP addresses on their own aren't enough to make
| this work. You're going to need some computing infrastructure.
| But you won't need lots of storage and compute. You'll mostly
| need bandwidth and networking equipment. The thing is, getting IP
| addresses is harder than getting hardware and bandwidth. You
| already did the hard part.
| westhanover wrote:
| The hard part is when all of the malware c&c and CP is now
| being served from your network.
| lagniappe wrote:
| You know, at some point, in the interest of a free internet
| we should consider whether penalizing the mostly-benevolent-
| cogs along the way is the right way to go about it. It's not
| like someone operating that service is specifically
| consenting to every packet that flows through them so it
| shouldn't be treated in a court room as if they gave their
| explicit blessing for whatever malfeasance came to happen.
|
| I don't accept the argument that by attempting to benefit the
| common good that one must be responsible for what happens or
| how that's used. Many items and actions of good will can be
| weaponized, in ways that the media finds odious like the
| things you mentioned, but nobody comes after the cell phone
| operators, the ISPs; they attack the weak link that can't
| afford representation in court - the solo and small
| operators. It's stupid and I'm surprised it fools the voter
| base in the current epoch.
| jve wrote:
| The moment you give someone an opportunity to create
| outbound connection to port 25 from your IP, you are
| certainly risking (well, guaranteeing) those IPs to be
| listed at various blocklists.
|
| And you will be the one that will have to deal with abuse
| complaints.
| cdchn wrote:
| Unfortunately it's intractable to separate oblivious rubes
| from willing accomplices.
|
| Thankfully we have common carrier protection laws that
| people can argue they're protected by or not.
| paxys wrote:
| Why would you need unique IPs for this? This entire setup can
| work perfectly fine with a single public IP address if needed.
| gertrunde wrote:
| I'm not sure of the going rate for such things currently, but a
| year or two back it was approximately $10k per /24.
|
| So there is that possibility.
| hartator wrote:
| We can always buy it or rent it from you. :)
|
| We always need more IPs. My direct email is julien at
| serpapi.com.
| kloch wrote:
| If you don't have a good use for them then you can sell them.
| There is a market for IPv4 and 3,4,5-digit ASN's.
|
| ARIN does not frown on this marketplace, in fact they encourage
| it and even endorse specific brokers.
| lowpro wrote:
| Note they have a new fee schedule, this would cost $500 in the
| fee to sell, and IPs are going for $48-$52 right now:
|
| https://www.arin.net/resources/fees/fee_schedule/
| kloch wrote:
| In case anyone is confused, the $500 ARIN fee is per
| transaction, not per IP.
|
| $48 x 1024 (IPv4 /22) = $49,152. For that transaction the
| ARIN fee is effectively 1%, considerably lower than the
| commissions charged by the brokers (which also comes out of
| the seller's proceeds).
|
| The ARIN fee covers their staff time to review the transfer -
| specifically the history of the legal entities involved,
| which as anyone who has dealt with ARIN knows is extremely
| thorough.
| swozey wrote:
| I'm a former neteng and I'm having a really difficult time coming
| up with anything that is remotely interesting. I'm not going near
| running a Tor exit node.
|
| With proxies and NAT I really can't think of a single thing I
| care about doing with tons of ips.. I feel uncreative here.
|
| You could get into some form of webhosting but not everyone needs
| a public IP since apache/nginx proxy everything for wordpress and
| you'd just do hostname routing.
|
| Selling the space either entirely or per block/IPs might be
| interesting since the price of IPs has gone way up.
| ollybee wrote:
| An awful lot of people _think_ they need dedicated public
| IPs for their hosting though.
| toddm wrote:
| Take it into the woods and shoot at tin cans and watermelons.
| throwaway_08932 wrote:
| I'm glad someone else thought this!
| paxys wrote:
| What does "got access to" mean exactly? Do you own it
| permanently? Or just have it to play around with? For how long?
| throwuwu wrote:
| Networking isn't my thing but could this be used to create a VPN
| in order to federate a bunch of servers? I'm thinking something
| like Tilde servers that would benefit from running on their own
| subnet along with other trusted servers so they could provide
| services similar to the way they worked on the early net e.g.
| email, news, finger, etc?
|
| Might be a stupid question and I could be way off base but worth
| asking.
| mikey_p wrote:
| Are there non-profits that could benefit from these? Something
| like Wikipedia or Internet Archive?
| toast0 wrote:
| Boring, but at my last company, we got a /22 so we could run
| authoritative DNS on four separate /24s.
|
| Maybe something something anycast in general.
|
| Also, you don't really need a /22 for it, but maybe you can
| collect data on how much of the internet can't connect to hosts
| on .0 or .255 addresses. (Some firewalls block access to those as
| a misguided attempt to reduce smurfing.)
|
| I have some ideas for path MTU testing where you'd set up a
| different IP for each MTU from 576 to 1500. It's overkill, but
| you could do it with a /22.
| paxys wrote:
| There is no consumer/hobbyist use case for an entire subnet worth
| of IPs. I can guarantee that whatever you want to do (and
| whatever people here are suggesting) can be achieved with a
| single public address. If you actually own this range, and don't
| have founding a networking company on your bucket list, your best
| bet is to sell it (can get something like $35K for it right now).
| costco wrote:
| https://www.ipxo.com/
| kdklol wrote:
| Realistically, you should sell it while it's valuable. Take a
| look at IPv6 adoption. I know, I know, "IPv6 will never be here
| blah blah blah", so the naysayers say, but look at what Google is
| getting now, for instance:
|
| https://www.google.com/intl/en/ipv6/statistics.html
|
| We're counting down the years before IPv6 will become the major
| protocol, after which IPv4 addresses will slowly start to lose
| value.
|
| "But it's only FAANG, no one else has IPv6!" Just not the case
| anymore. But even if, most people don't care about anything else
| anyway. I have a friend who helps to operate a university dorm
| network. Allegedly, he once removed an IPv4 address by mistake
| from one student's computer. He only heard about it half a year
| later, when the student casually mentioned that only Google,
| Facebook and other big sites seem to work. Apparently, if Google,
| Facebook, and the School's website works, it's acceptable to most
| (which is sad for different reasons, but that's not my point).
|
| Anyway, that's still at least a few years away though, you can
| have some fun with it for now :)
| cookiengineer wrote:
| Maybe this can be a better (crowdfunded) open dyndns network?
|
| Ever since DynDNS got bought, all similar services went to shit,
| and people that want to self-host are very limited in their
| options... and most public hosting providers comply with bogus DMCA
| spam way too often, so a lot of valuable knowledge has been lost
| over the last years of carrier-grade NAT rollouts.
|
| This might be a nice way to counteract this, and have a community
| of self-hosted blogs or similar. It could use user subdomains, so
| reverse proxies and Let's Encrypt are easier to set up (and
| potentially integrated in the Public Suffix List), and could focus
| on maybe SSH and HTTPS only as protocols/ports.
___________________________________________________________________
(page generated 2024-01-12 23:01 UTC)