Defanging IP Addresses 10[.]10.10.1

egrizzlyegrizzly Member Posts: 533 ■■■■■□□□□□
There's a co-worker of mine that's paranoid about defanging IP addresses.  That is, of course, writing them as 10[.]10.10.1 instead of 10.10.10.1 to prevent people from clicking on it in case the link is malicious.

Seriously, in my 20 years of IT I have never once seen an IP address that was clickable.  Can anybody explain to me what rationale this practice stems from, or if it is even correct.
B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+

Comments

  • E Double UE Double U Member Posts: 2,233 ■■■■■■■■■■
    Might as well take it a step further with ten-dot-ten-dot-ten-dot-one.
    Alphabet soup from (ISC)2, ISACA, GIAC, EC-Council, Microsoft, ITIL, Cisco, Scrum, CompTIA, AWS
  • egrizzlyegrizzly Member Posts: 533 ■■■■■□□□□□
    Might as well take it a step further with ten-dot-ten-dot-ten-dot-one.

    Very funny, lol
    B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
  • cyberguyprcyberguypr Mod Posts: 6,928 Mod
    It's a known fact that the real pros go binary:  00001010.00001010.00001010.00001010  :D

  • JDMurrayJDMurray Admin Posts: 13,090 Admin
    edited January 2021
    When you say "paranoid about defanging", do you mean that your co-worker does or doesn't want the IP addresses to be sanitized?

    Sanitizing IP addresses, email addresses, domains, and URLs is a way to keep from triggering a false alert on security devices (IDS/IPS, WAF, EDR, etc.) that are parsing for active, malicious content in emails and documents. Sanitation also prevents some IM clients (e.g., Slack) from automatically making URLs, domains, telephone numbers, and IP and email addresses into clickable links.


  • egrizzlyegrizzly Member Posts: 533 ■■■■■□□□□□
    Thanks for the insight @JDMurray .  I guess it's done across the board.  I had just been aware of this practice only with http links.

    B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
  • TechGromitTechGromit Member Posts: 2,156 ■■■■■■■■■□
    Not sure what inserting the [  ] is suppose to do. After all any link can be edited to go anywhere you want.  10[.]10.10.1




    Still searching for the corner in a round room.
  • LonerVampLonerVamp Member Posts: 518 ■■■■■■■■□□
    It's possible someone wants to do this programmatically and as simply as possible. If we see http in a string, replace all . with [.]. That would pull IP addresses in as well.

    That's me hunting for a reason, though. I can't say I ever see IP addresses ever turned into links, but you definitely could accidentally paste one into a browser address bar and it'll happily try.

    Maybe some log parsers of network traffic do this.

    I think it's a fine practice and is in line with being paranoid, especially if you handle live malware, live malicious files, live links, or addresses that may or may not be accidentally clicked.

    That said, I think a bare IP address with no URL-signifying characters around it is better left untouched. I would think it adds far more annoyance and inefficiency to remove those extra characters than the value of any protection offered by having them.

    Security Engineer/Analyst/Geek, Red & Blue Teams
    OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
    2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?
  • yoba222yoba222 Member Posts: 1,237 ■■■■■■■■□□
    I defang. I assist in email phishing on occasion for a client. Their incident response system is crudely implemented and is partially email-based. Web-based email clients, Microsoft Word etc., they're all notorious at turning malicious/spam URLs into something to click that I'd rather nobody clicks on in the email CC chain. I usually just replace http with hxxp though.
    A+, Network+, CCNA, LFCS,
    Security+, eJPT, CySA+, PenTest+,
    Cisco CyberOps, GCIH, VHL,
    In progress: OSCP
  • egrizzlyegrizzly Member Posts: 533 ■■■■■□□□□□
    yoba222 said:
    I defang. I assist in email phishing on occasion for a client. Their incident response system is crudely implemented and is partially email-based. Web-based email clients, Microsoft Word etc., they're all notorious at turning malicious/spam URLs into something to click that I'd rather nobody clicks on in the email CC chain. I usually just replace http with hxxp though.
    Yoba this is specifically for defanging IP addresses (e.g. turning 10.1.1.1 into 10.[1].1.1).  Have you seen or done this as common practice?
    B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
  • yoba222yoba222 Member Posts: 1,237 ■■■■■■■■□□
    Oh yeah look at that the IP not the URL. I can't say I've ever seen that, only something more like x,x,x,235 to avoid communicating sensitive IP addresses over email and tickets and what not.
    A+, Network+, CCNA, LFCS,
    Security+, eJPT, CySA+, PenTest+,
    Cisco CyberOps, GCIH, VHL,
    In progress: OSCP
Sign In or Register to comment.