Many big companies which use hosting from e.g. Akamai
often use several different IP addresses for one single hostname,
for automatic, dynamic load-balancing.
What I have noticed recently is that those IP addresses are often not picked “randomly”;
instead, they follow a certain pattern:
E.g. the hostname “ocsp.verisign.com” corresponds to a lot of different IP addresses,
in the 23.0.0.0 - 23.15.255.255 range (23.0.0.0/12),
the 23.32.0.0 - 23.63.255.255 range (23.32.0.0/11),
or the 23.64.0.0 - 23.67.255.255 range (23.64.0.0/14)
(these are Akamai ranges)
- but they all have one thing in common:
the last octet is always 27…;
23.4.187.27
23.5.251.27
23.37.139.27
23.44.155.27
23.50.91.27
23.52.91.27
23.54.139.27
are those listed by Robtex a.t.m., and
23.43.139.27
23.46.123.27
23.51.123.27
23.52.27.27
are some that a program I have tried to connect to over a 15-minute period.
When viewing these in hexadecimal form, it becomes apparent that
it’s not only the 4th octet, but also the last half of the 3rd octet that are equal:
17 04B B1B
17 05F B1B
17 258 B1B
17 2C9 B1B
17 325 B1B
17 345 B1B
17 368 B1B
17 2B8 B1B
17 2E7 B1B
17 337 B1B
17 341 B1B
So the hexadecimal pattern for “ocsp.verisign.com” is clearly
“17 xxx B1B”
Another example is the “csc3-2010-crl.verisign.com” hostname;
- it also has a lot of different IP addresses, all with the 4th octet being “163”,
or - when viewed in hexadecimal and also taking the last half of the 3rd octet into account -
has a hexadecimal pattern that equals “17 xxx 5A3”
In both examples, the “xxx” is in either of the “000 - 0FF”, “200 - 3FF” or “400 - 43F” ranges.
I like to create very precise rules for Comodo Firewall.
If I know that a program should only connect to certain IP addresses,
I’ll try, as best as I can, to create “Allow…” rules for only those IP addresses.
However…
…all netmasks that I have seen have all the 1’s on the left side,
and all the 0’s on the right side, when viewed in binary form.
Like
255.255.0.0 (1111 1111 1111 1111 0000 0000 0000 0000)
255.240.0.0 (1111 1111 1111 0000 0000 0000 0000 0000)
etc.
A netmask with the 0’s in the middle, e.g. like this:
255.224.15.255 (1111 1111 1110 0000 0000 1111 1111 1111)
…is this valid?
Because, purely mathematically speaking, this entry…
IP address: 23.32.11.27
Netmask: 255.224.15.255
…should - IIAC - give me exactly those 512 (32 * 16) different IP addresses in the second “200 - 3FF” range; namely
23.32.11.27
23.32.27.27
23.32.43.27
23.32.59.27
23.32.75.27
23.32.91.27
23.32.107.27
23.32.123.27
23.32.139.27
23.32.155.27
23.32.171.27
23.32.187.27
23.32.203.27
23.32.219.27
23.32.235.27
23.32.251.27
23.33.11.27
23.33.27.27
…
…
23.63.235.27
23.63.251.27
But, whenever I try to enter such a netmask in those “online subnet calculators”,
they always come up with an “invalid netmask” error.
And unfortunately, while Comodo Firewall / CIS v5.12.256249.2599
does indeed accept it, when inputting this as a new Network Zone;
…the parser / translator screws up, and it ends up being converted into
a plain “from ip StartAddr - to ip EndAddr” range instead,
as one can see when looking at the exported configuration file:
So my question is then…
…is it possible for the developers to change something in the code,
so that it’s also possible to enter netmasks such as “255.224.15.255”?
The parser would then have to translate this into a lot of single, separate IP addresses.
Also, there should be a kind of built-in block, like a maximum of… 4096…? separate addresses per entry,
so that one could not crash the program by entering a mask that would
make Comodo try to create, like, several million separate IP addresses
(e.g. using a netmask like “0.0.0.3” or something stupid).
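The arithmetic behind the question can be checked directly. The script below is an added example, not code from the post or from Comodo: it treats a netmask as a plain 32-bit AND mask (so 1-bits may sit anywhere), shows why subnet calculators reject 255.224.15.255 (a CIDR prefix mask must be all 1’s followed by all 0’s), enumerates the addresses denoted by 23.32.11.27 / 255.224.15.255 with the 4096-entry cap the post suggests (an assumed limit, not a Comodo setting) so that a mask like 0.0.0.3 is refused rather than expanded, and recovers the “17 xxx B1B” pattern from the eleven observed ocsp.verisign.com addresses listed above.

```python
"""Non-contiguous ("wildcard") netmasks, worked through on the post's values.

Added example; not code from the post or from Comodo Firewall.
"""
from __future__ import annotations

# Cap suggested in the post; an assumption for this example, not a Comodo limit.
MAX_EXPANSION = 4096

# The eleven ocsp.verisign.com addresses quoted in the post.
OBSERVED = [
    "23.4.187.27", "23.5.251.27", "23.37.139.27", "23.44.155.27",
    "23.50.91.27", "23.52.91.27", "23.54.139.27",
    "23.43.139.27", "23.46.123.27", "23.51.123.27", "23.52.27.27",
]


def ip_to_int(text: str) -> int:
    parts = [int(p) for p in text.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {text}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_contiguous_mask(mask: int) -> bool:
    """True if mask is 1...10...0, i.e. a valid CIDR prefix mask."""
    # The complement of a contiguous mask is 0...01...1; adding 1 to that
    # gives a power of two, so AND-ing the two is zero only in that case.
    inv = (~mask) & 0xFFFFFFFF
    return (inv & (inv + 1)) == 0


def matches(ip: str, base: str, mask: str) -> bool:
    """Firewall-style test: does ip agree with base on every 1-bit of mask?"""
    m = ip_to_int(mask)
    return (ip_to_int(ip) & m) == (ip_to_int(base) & m)


def expand(base: str, mask: str, limit: int = MAX_EXPANSION) -> list[str]:
    """List every address (base, mask) denotes, ascending.

    Refuses up front if the count exceeds `limit`: 0.0.0.3 leaves 30 free
    bits, i.e. 2**30 addresses, and is rejected before any are built.
    """
    m = ip_to_int(mask)
    fixed = ip_to_int(base) & m
    free_bits = [bit for bit in range(32) if not (m >> bit) & 1]
    count = 1 << len(free_bits)
    if count > limit:
        raise ValueError(f"mask {mask} denotes {count} addresses, limit is {limit}")
    result = []
    for n in range(count):
        value = fixed
        # Deposit the bits of n into the free positions (lowest first), so
        # successive n give successive addresses.
        for i, bit in enumerate(free_bits):
            if (n >> i) & 1:
                value |= 1 << bit
        result.append(int_to_ip(value))
    return result


def infer_mask(observed: list[str]) -> tuple[str, str]:
    """Return (pattern, mask): mask has a 1 wherever all addresses agree."""
    values = [ip_to_int(ip) for ip in observed]
    differing = 0
    for v in values[1:]:
        differing |= v ^ values[0]
    m = (~differing) & 0xFFFFFFFF
    return int_to_ip(values[0] & m), int_to_ip(m)


def hex_pattern(pattern: str, mask: str) -> str:
    """Render in the post's style ("17 xxx B1B"); 'x' marks a varying nibble."""
    p, m = ip_to_int(pattern), ip_to_int(mask)
    digits = "".join(
        f"{(p >> shift) & 0xF:X}" if (m >> shift) & 0xF == 0xF else "x"
        for shift in range(28, -1, -4)
    )
    return f"{digits[:2]} {digits[2:5]} {digits[5:]}"


if __name__ == "__main__":
    pattern, mask = infer_mask(OBSERVED)
    print("shared bits:", pattern, "/", mask, "->", hex_pattern(pattern, mask))
    print("255.224.15.255 is CIDR-valid:", is_contiguous_mask(ip_to_int("255.224.15.255")))
    addrs = expand("23.32.11.27", "255.224.15.255")
    print(len(addrs), "addresses:", addrs[:2], "...", addrs[-1])
    try:
        expand("23.32.11.27", "0.0.0.3")
    except ValueError as exc:
        print("refused:", exc)
```

Note that the mask inferred from the eleven observations is 255.192.15.255 rather than 255.224.15.255, because the observed second octets (4 and 5 as well as 37 to 54) only share their top two bits; the mask in the post is the tighter one for the 23.32.0.0/11 range alone.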