Defanging IP Addresses 10[.]10.10.1

egrizzly · January 2021

There's a co-worker of mine that's paranoid about defanging IP addresses. That is, of course, writing them as 10[.]10.10.1 instead of 10.10.10.1 to prevent people from clicking on it in case the link is malicious.

Seriously, in my 20 years of IT I have never once seen an IP address that was clickable. Can anybody explain to me what rationale this practice stems from, or if it is even correct.

E Double U · January 2021

Might as well take it a step further with ten-dot-ten-dot-ten-dot-one.

egrizzly · January 2021

E Double U said:

Might as well take it a step further with ten-dot-ten-dot-ten-dot-one.

Very funny, lol

cyberguypr · January 2021

It's a known fact that the real pros go binary: 00001010.00001010.00001010.00001010

JDMurray · January 2021

When you say "paranoid about defanging", do you mean that your co-worker does or doesn't want the IP addresses to be sanitized?

Sanitizing IP addresses, email addresses, domains, and URLs is a way to keep from triggering a false alert on security devices (IDS/IPS, WAF, EDR, etc.) that are parsing for active, malicious content in emails and documents. Sanitation also prevents some IM clients (e.g., Slack) from automatically making URLs, domains, telephone numbers, and IP and email addresses into clickable links.

egrizzly · January 2021

Thanks for the insight @JDMurray . I guess it's done across the board. I had just been aware of this practice only with http links.

TechGromit · January 2021

Not sure what inserting the [ ] is suppose to do. After all any link can be edited to go anywhere you want. 10[.]10.10.1

LonerVamp · January 2021

It's possible someone wants to do this programmatically and as simply as possible. If we see http in a string, replace all . with [.]. That would pull IP addresses in as well.

That's me hunting for a reason, though. I can't say I ever see IP addresses ever turned into links, but you definitely could accidentally paste one into a browser address bar and it'll happily try.

Maybe some log parsers of network traffic do this.

I think it's a fine practice and is in line with being paranoid, especially if you handle live malware, live malicious files, live links, or addresses that may or may not be accidentally clicked.

That said, I think a bare IP address with no URL-signifying characters around it is better left untouched. I would think it adds far more annoyance and inefficiency to remove those extra characters than the value of any protection offered by having them.

yoba222 · January 2021

I defang. I assist in email phishing on occasion for a client. Their incident response system is crudely implemented and is partially email-based. Web-based email clients, Microsoft Word etc., they're all notorious at turning malicious/spam URLs into something to click that I'd rather nobody clicks on in the email CC chain. I usually just replace http with hxxp though.

egrizzly · January 2021

yoba222 said:

I defang. I assist in email phishing on occasion for a client. Their incident response system is crudely implemented and is partially email-based. Web-based email clients, Microsoft Word etc., they're all notorious at turning malicious/spam URLs into something to click that I'd rather nobody clicks on in the email CC chain. I usually just replace http with hxxp though.

Yoba this is specifically for defanging IP addresses (e.g. turning 10.1.1.1 into 10.[1].1.1). Have you seen or done this as common practice?

yoba222 · January 2021

Oh yeah look at that the IP not the URL. I can't say I've ever seen that, only something more like x,x,x,235 to avoid communicating sensitive IP addresses over email and tickets and what not.

Defanging IP Addresses 10[.]10.10.1

Comments