My public / external IP was briefly changed to that of other countries
October 31, 2024 8:05 AM
I am in the USA, with fiber internet through Century Link. (It's pretty stable.) For reasons, I checked my external IP on my laptop. I clicked on the first site that came up and it gave me an IP from another country.
First, whatismyipaddress.com showed me an India IP - strange. Then, whatsmyip.org showed me a Toronto IP (75.166.5.97) - also strange
I then tried whatsmyip.org on my phone -- on the same home wifi. It gave me an IP address in my city. I tried whatsmyip.org on my laptop and it was the same IP. Now all sites give me the correct IP.
I did not have a VPN active. (I do have a corporate route-all VPN to company HQ in an EU country I occasionally use.)
Why would this happen? Is there something nefarious going on or are these sites occasionally unreliable?
Since you didn't specify your operating system or web browser...
Just in case you are using Safari with iCloud Private Relay active - it will automatically provide a masked IP address that could be relatively local, or international depending on the configuration.
posted by rambling wanderlust at 9:21 AM on October 31
Response by poster: Sorry: Windows 11, Chrome (latest version). (Phone Android, also Chrome.)
posted by NailsTheCat at 9:26 AM on October 31
IP geolocation is sometimes unreliable. There's no intrinsic connection between an IP address and geographic region. There are just big databases that map IP ranges to regions, and as IPv4 has become completely exhausted, subnets get sliced up into even smaller segments and sold off, and those databases become inaccurate.
posted by dis_integration at 10:40 AM on October 31
I also have CenturyLink internet, and sometimes sites think I am in Dallas or Sacramento or Tucson (I am in Denver) - it might just be a then problem….
posted by heurtebise at 11:12 AM on October 31
Best answer: It sounds like it but just to be sure, you saw a different IP all three times? It’s extraordinarily unlikely you would have different IPs (especially from the same device, but behind a home router, even from multiple devices) in the span of a few minutes. Especially not three different ones.
IP geolocation is not exactly perfect but the reported IP changing repeatedly like that is not normal. (This is assuming no modifications are being made at any point, e.g. VPN or proxy.) The site's server has to get an IP address from your connection with it or it doesn't know where to send the return data, and the site reports the IP address that it received from you. There's no reason the IP itself would change, especially on that type of connection, unless it literally was reassigned as you were doing this. But that type of connection usually has a fairly stable IP unless the modem or other connection device is rebooted/power-cycled, and even assuming it's more dynamic than that, it usually wouldn't change multiple times in the course of a few minutes.
And even with IP geolocation’s imperfections, for a major home/wired ISP in the US it usually is relatively correct--perhaps wrong to the degree of being at the ISP’s headquarters instead of your city, as I sometimes see, but usually not in different countries--as they own large blocks of them that don’t change often.
All of that said, the IP you said was reported by whatsmyip.org as being in Toronto is assigned to CenturyLink. I did look it up here to see what general location was being reported and they all say Colorado. whatsmyip.org also shows it as in Colorado. Not sure why the site reported Toronto for you and is saying Colorado now.
Something odd is going on with the IP changing but I wouldn't necessarily jump to it being malfeasance.
posted by tubedogg at 11:13 AM on October 31
Best answer: Whois records indicate that 75.166.5.97 is part of a block of approximately 1M IP addresses administered by CenturyLink. A typical home internet connection has a dynamic IP (meaning that the ISP is allowed to assign it a different IP at different points in time). Usually this assigned IP is "sticky" in the sense that if your house has IP X right now, and you reset your connection/router, the ISP hardware that doles out IPs will remember it had X and give it X again if it's still available. Which is usually the case over short periods of time, but nothing is set in stone.
So, your question is really two questions:
(1) Q: Is it a sign of trouble that my IP changed? A: No, your IP may be reassigned. Unless you paid extra to have a static IP (the alternative to dynamic; an IP that is reserved for your use as long as you pay your bill). However, over short time periods, I would expect your IP to stay relatively stable. If you reset your modem 5 times in a row right now and check to see what IP you get, I'd not be surprised if it's the same one 5x in a row.
(2) Q: What's up with geolocation? Why do I get different results? A: Well, if your IP changed that would be one possible explanation, though probably not the only one. If I geolocate another randomly-chosen IP from that CenturyLink block, I currently get Plymouth, MN, USA. That block is a million IPs wide, it's not surprising that different parts of it geolocate to different places. Another confounding factor is that geolocation databases change over time, and different ones may give different answers for the same IP. They're educated guesses, not a regulated system like physical addresses.
Lastly I'd say that typical internet nefariousness usually revolves around modifying the IP on the opposite end of a connection from your own. For example, if I send you an email with a phishing link in it, usually the aim is to trick you into visiting a fake site that I control, and that process begins with getting your computer to talk to an IP that I own. I can't think of an obvious way that altering your home IP (while still maintaining internet connectivity) would benefit an attacker much. I guess if you were using a connection without end-to-end security (e.g., http not https), and they were able to manipulate your IP so that your connection traverses a hostile node they could execute a man-in-the-middle attack, but that seems... tricky to pull off. As an attack vector it's esoteric and most internet bad actors aren't going to bother reaching for such high-hanging fruit.
TLDR: I wouldn't worry.
posted by axiom at 1:12 PM on October 31
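Added example, not part of any post in this thread: a small triage of "what is my IP" results that separates the cases discussed above (same address geolocated differently, versus an address outside the ISP's block, which points at a VPN, proxy or relay still being in the path). The /12 is an assumption derived from the "approximately 1M" figure (2^20 addresses), computed around the address quoted in the thread rather than taken from whois; the sample observations and the 203.0.113.7 placeholder are constructed.

```python
import ipaddress
from collections import defaultdict

def enclosing_block(ip, prefix_len=12):
    """Network of the given prefix length containing ip (a /12 holds 2**20 addresses)."""
    return ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)

def triage(observations, isp_blocks):
    """observations: (checker, reported_ip, reported_location) tuples."""
    places_by_ip = defaultdict(set)
    for _checker, ip, location in observations:
        places_by_ip[ipaddress.ip_address(ip)].add(location)

    findings = []
    ordered = sorted(places_by_ip.items(), key=lambda kv: (kv[0].version, int(kv[0])))
    for ip, places in ordered:
        if not any(ip in block for block in isp_blocks):
            # Traffic left through something other than the ISP line:
            # check for an active VPN client, browser proxy or relay feature.
            findings.append((str(ip), "outside-isp-block"))
        elif len(places) > 1:
            # Same address, different answers: the databases disagree.
            findings.append((str(ip), "geolocation-disagreement"))
        else:
            findings.append((str(ip), "consistent"))
    if len(places_by_ip) > 1:
        # More than one public address seen in one sitting.
        findings.append(("*", "multiple-egress-addresses"))
    return findings

# Constructed sample modelled on the thread. The address reported as India
# was never recorded, so a documentation-range placeholder stands in for it.
SAMPLE = [
    ("whatismyipaddress.com", "203.0.113.7", "India"),
    ("whatsmyip.org", "75.166.5.97", "Toronto"),
    ("later lookup", "75.166.5.97", "Colorado"),
]

if __name__ == "__main__":
    block = enclosing_block("75.166.5.97")  # assumed alignment of the ISP block
    print(block, block.num_addresses)
    for ip, verdict in triage(SAMPLE, [block]):
        print(ip, verdict)
```

An "outside-isp-block" result is the one worth following up locally; the other two verdicts match ordinary geolocation database drift.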
Response by poster: Thanks for all the helpful responses. And yes, to be clear: since I'm not paying for a static IP (although I'm thinking about it), I expect my external IP to change as often as my ISP needs it to.
I had always expected however, wrongly it would appear, that whenever it changed it would be to an IP that broadly reflected my location (CO). To see IP addresses that are geolocated to a different continent and country was quite a surprise. (Unfortunately, I didn't copy the Indian IP before I refreshed. It would have been interesting to see whether that too was within a CenturyLink range also.)
I was worried my machine had malware that was somehow spoofing an IP to allow it to match some target's whitelist. axiom, your explanation makes much more sense.
posted by NailsTheCat at 1:46 PM on October 31
Our IPs (which don't change, we've got static from our ISP) often bounce between our nation and Jamaica and/or Bahamas because other IPs in those ranges are sometimes used within those countries by parent/sister companies to our Telco, and I guess the sites that keep tabs make generalized assumptions.
From what I can see Century Link has been directly allocated 20 million IP addresses, plus whatever they get through Lumen, who seems to offer them worldwide transit-- doesn't take much to make a mistake because a route has temporarily changed etc.
posted by Static Vagabond at 8:27 AM on October 31