Getting Paris Hilton’s old IP address
IP addresses may not be renewable resources. Over coffee one day, my colleague Andrew Binstock suggested a problem I hadn’t considered: Many applications and systems are hard-wire to access specific IP addresses, rather than fully qualified Unique Resource Identifiers (URIs). This, in turn, may be generating unwanted network or Internet traffic that probably can’t ever be stopped. (Andrew says that he, in turn, heard about this issue from InfoWorld’s Paul Venezia.)
I’ve seen examples of this myself, with applications and devices configured to send error logs via e-mail. In many of those cases, the app’s control panel has a space for the administrator to specify the dotted quad address (xxx.xxx.xxx.xxx) of the SMTP server. Months and years go by, and the SMTP server ain’t there no more. Meanwhile, the app is still trying to connect to it every day to it can transmit an error log that nobody even remembers any more.
This can be a problem with public and private IP address. Once upon a time, most those addresses were static. Nowadays, just about everything is be dynamic.
The benefit of using URIs, instead of hard-wired IP addresses is that it makes our networks and applications dynamic. That’s why best practices for doing Web services are to use URIs instead of IP addresses. But how many device still have control panels that require a hard-coded IP address for the SMTP server, or for other network resources? Far too many.
In the e-mail log example above, at least someone could track down and readily fix the problem. A bigger challenge is when developers hard-code IP addresses into applications’ source code. If the IP addresses are recycled, and nobody notices, someone’s getting unwanted traffic.
Andrew cited situations where a company is allocated a “fresh” IP address from an ISP, actives it – and then discovers that it’s being swamped by traffic sent to that IP address from some other service. This isn’t an intentional denial of service attack: the previous owner apparently wanted that traffic. However, it represents an unwanted nuisance and wastes bandwidth and CPU cycles.
It reminds me of when some person get new cell phone – with Paris Hilton’s old phone number, which some people still call. (See this Reuters story.) Or, when businesses who get assigned a “new” toll-free number (outside the U.S., often called a “free-phone” number), and the phone starts ringing off the hook… with people trying to reach that number’s previous owner. Sure, the phone numbers lay fallow for six months, but references to them live in printed brochures, databases, old magazine articles and even Web sites for years. How long do IP addresses lay fallow? I know of no policy or industry standard.
What can be done? Look back, nothing. Looking forward, we can set policies to discourage developers from hand-coding IP addresses into applications, even during the testing phases or for exception handling. It’s just not the right thing to do.