Defanging IP Addresses 10[.]10.10.1
egrizzly
Member Posts: 533
There's a co-worker of mine that's paranoid about defanging IP addresses. That is, of course, writing them as 10[.]10.10.1 instead of 10.10.10.1 to prevent people from clicking on it in case the link is malicious.
Seriously, in my 20 years of IT I have never once seen an IP address that was clickable. Can anybody explain to me what rationale this practice stems from, or if it is even correct?
B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
Comments
-
E Double U Member Posts: 2,233
Might as well take it a step further with ten-dot-ten-dot-ten-dot-one.
Alphabet soup from (ISC)2, ISACA, GIAC, EC-Council, Microsoft, ITIL, Cisco, Scrum, CompTIA, AWS
-
egrizzly Member Posts: 533
E Double U said: Might as well take it a step further with ten-dot-ten-dot-ten-dot-one.
Very funny, lol
B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
-
cyberguypr Mod Posts: 6,928
It's a known fact that the real pros go binary: 00001010.00001010.00001010.00001010
-
JDMurray Admin Posts: 13,090
When you say "paranoid about defanging", do you mean that your co-worker does or doesn't want the IP addresses to be sanitized?
Sanitizing IP addresses, email addresses, domains, and URLs is a way to keep from triggering a false alert on security devices (IDS/IPS, WAF, EDR, etc.) that are parsing for active, malicious content in emails and documents. Sanitation also prevents some IM clients (e.g., Slack) from automatically making URLs, domains, telephone numbers, and IP and email addresses into clickable links.
-
TechGromit Member Posts: 2,156
Not sure what inserting the [ ] is supposed to do. After all, any link can be edited to go anywhere you want. 10[.]10.10.1
Still searching for the corner in a round room.
-
LonerVamp Member Posts: 518
It's possible someone wants to do this programmatically and as simply as possible. If we see http in a string, replace all . with [.]. That would pull IP addresses in as well.
That's me hunting for a reason, though. I can't say I ever see IP addresses ever turned into links, but you definitely could accidentally paste one into a browser address bar and it'll happily try.
Maybe some log parsers of network traffic do this.
I think it's a fine practice and is in line with being paranoid, especially if you handle live malware, live malicious files, live links, or addresses that may or may not be accidentally clicked.
That said, I think a bare IP address with no URL-signifying characters around it is better left untouched. I would think it adds far more annoyance and inefficiency to remove those extra characters than the value of any protection offered by having them.
Security Engineer/Analyst/Geek, Red & Blue Teams
OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?
-
yoba222 Member Posts: 1,237
I defang. I assist in email phishing on occasion for a client. Their incident response system is crudely implemented and is partially email-based. Web-based email clients, Microsoft Word etc., they're all notorious at turning malicious/spam URLs into something to click that I'd rather nobody clicks on in the email CC chain. I usually just replace http with hxxp though.
A+, Network+, CCNA, LFCS,
Security+, eJPT, CySA+, PenTest+,
Cisco CyberOps, GCIH, VHL,
In progress: OSCP
-
egrizzly Member Posts: 533
yoba222 said: I defang. I assist in email phishing on occasion for a client. Their incident response system is crudely implemented and is partially email-based. Web-based email clients, Microsoft Word etc., they're all notorious at turning malicious/spam URLs into something to click that I'd rather nobody clicks on in the email CC chain. I usually just replace http with hxxp though.
B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
-
yoba222 Member Posts: 1,237
Oh yeah, look at that, the IP not the URL. I can't say I've ever seen that, only something more like x,x,x,235 to avoid communicating sensitive IP addresses over email and tickets and whatnot.
A+, Network+, CCNA, LFCS,
Security+, eJPT, CySA+, PenTest+,
Cisco CyberOps, GCIH, VHL,
In progress: OSCP
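
The programmatic defanging LonerVamp describes and the hxxp substitution yoba222 mentions, as an added example that is not part of the original thread. The function names, the `all_dots` option, the regular expressions and the sample text are assumptions constructed here; bare domains without a scheme are deliberately left alone to avoid mangling file names.

```python
import re

# Constructed patterns: http(s) URL host, e-mail address, IPv4 literal.
URL = re.compile(r"\b(https?)://([^\s/?#<>\"']+)", re.IGNORECASE)
EMAIL = re.compile(r"\b([\w.+-]+)@((?:[\w-]+\.)+[A-Za-z]{2,})\b")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample of the kind of text pasted into a ticket or e-mail chain.
SAMPLE = ("Phish from billing@bad.example.com links to "
          "http://bad.example.com/login.php?id=7 (resolves to 10.10.10.1)")


def _dots(text, all_dots):
    # One bracketed dot (the 10[.]10.10.1 style from the thread title) is
    # enough to stop auto-linking; bracketing every dot is the other common style.
    return text.replace(".", "[.]") if all_dots else text.replace(".", "[.]", 1)


def defang(text, all_dots=True):
    """Return text with URLs, e-mail addresses and IPv4 literals made inert."""
    def url(m):
        scheme = m.group(1).lower().replace("tt", "xx")  # http -> hxxp, https -> hxxps
        return scheme + "://" + _dots(m.group(2), all_dots)  # path is left untouched

    text = URL.sub(url, text)
    text = EMAIL.sub(lambda m: m.group(1) + "[@]" + _dots(m.group(2), all_dots), text)
    # Already-defanged addresses no longer match IPV4, so defang() is idempotent.
    return IPV4.sub(lambda m: _dots(m.group(0), all_dots), text)


def refang(text):
    """Undo defang() so an analyst can paste the indicator into tooling."""
    text = re.sub(r"\bhxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)
    return text.replace("[.]", ".").replace("[@]", "@")


if __name__ == "__main__":
    print(defang(SAMPLE))
    print(defang("10.10.10.1", all_dots=False))
```

The IPv4 pattern does not check octet ranges, so dotted version strings such as 1.2.3.4 are bracketed too.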