
Am I the only one who thinks this way?

(The answer is most likely “Yes,” but read on.)

I’ve started getting site traffic reports with the hosts “resolved.” (Before, I was just getting IP numbers, which I either recognized—65.96.x.x is probably someone on a Comcast cable modem, for example, and I recognize the IP of our gateway here at work—or would look up if they were large enough, using dig.) Some of the host names attached to the IP addresses are self-explanatory, like crawl10.googlebot.com or the cable-modem hosts with the IP number in the host name.

The thing that really alarmed me was an address like this (and I’ve mangled it, because it’s our home gateway, but the format is the same): h004087c63b0f.ne.client2.attbi.com.

The reason this is a little spooky is, if you strip off the h and format it slightly differently, say as 00 40 87 c6 3b 0f, well, it looks an awful lot like a MAC (hardware) address (six octets of 0 to 255, represented in hex), possibly that of our router. I’m not going to dig too deeply into the mechanics of network addressing here, but the MAC address is the way Comcast actually recognizes that router, when it maps an IP address to it and routes internet traffic for it. It’s “burned in” to the hardware of that router.

(In theory, every network port on earth has a unique MAC hard-wired on it at manufacturing time. That’s a lot of MAC addresses, but 256^6 is 2^48, if I’ve got my math right, which is, roughly speaking, enough number-space to assign a MAC address to every grain of sand on Popham Beach. It can be remarkably handy to identify an otherwise unmarked piece of hardware by checking the manufacturer who assigned the MAC address.)

I’m not a believer in the idea that security-by-obscurity solves everything, but it seems to me that exposing the mapping of hostname -> IP number -> MAC address like that is a little spooky and perhaps dangerous, much like using Social Security numbers as driver’s license numbers is. It spreads the information a bit too widely, and (I think) exposes the router to too many extra issues, like IP hijacking and packet spoofing. As noted above, it can be used to identify the manufacturer and possibly the hardware in use, helping the bad guy identify which exploits to try. MAC addressing is more a local network thing than a wider-internet issue—it’s too close to the bottom of the stack of network protocols—but on the local network it can really jack things up. Sure, those things could happen anyway, but why make it so easy?

Outrage moderation: it might not be the MAC address at all, it might just be an arbitrary hexadecimal number in the range 000000000000 to ffffffffffff. Or it could be Comcast getting warmed up for IPv6, which I understand uses 48-bit addressing instead of the 32-bit addressing used in IPv4.
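A check a site owner could run over a resolved traffic report to flag hostnames whose first label has this shape, as an added example that is not part of the original post. It assumes the "h" plus 12 hex digits format shown above; the function names and the second and third sample hostnames are constructed for illustration.

```python
import re

# First DNS label of the form "h" + 12 hex digits, as in the post's mangled example.
MAC_LABEL = re.compile(r"^h([0-9a-f]{12})$", re.IGNORECASE)

def embedded_mac(hostname):
    """Return details of a MAC-shaped value in the first label, or None."""
    label = hostname.split(".", 1)[0]
    m = MAC_LABEL.match(label)
    if not m:
        return None
    digits = m.group(1)
    octets = [int(digits[i:i + 2], 16) for i in range(0, 12, 2)]
    first = octets[0]
    return {
        "mac": ":".join(f"{o:02x}" for o in octets),
        # The first three octets are the manufacturer prefix (OUI); matching it
        # to a vendor needs the IEEE registry, which is not bundled here.
        "oui": "-".join(f"{o:02X}" for o in octets[:3]),
        # IEEE 802: bit 0 of the first octet marks group/multicast addresses,
        # bit 1 marks locally administered (not factory-assigned) addresses.
        "multicast": bool(first & 0x01),
        "locally_administered": bool(first & 0x02),
        # A burned-in address has both bits clear. An arbitrary 48-bit number
        # passes this by chance one time in four, so it is only a weak hint.
        "plausible_burned_in": (first & 0x03) == 0,
    }

def audit(hostnames):
    """Map each hostname that exposes a MAC-shaped label to its details."""
    found = {}
    for name in hostnames:
        info = embedded_mac(name)
        if info is not None:
            found[name] = info
    return found

# Sample input: the first hostname is the mangled one from the post;
# the other two are constructed for this example.
SAMPLE = [
    "h004087c63b0f.ne.client2.attbi.com",
    "crawl10.googlebot.com",
    "h02aabbccddee.client.example.net",
]

if __name__ == "__main__":
    for host, info in audit(SAMPLE).items():
        print(host, info)
```

The low-bit check speaks to the "arbitrary hexadecimal number" possibility: it cannot prove a label is a hardware address, only rule out values that could not be factory-assigned.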

Now playing: Page One from Between 10th And 11th by The Charlatans
