How reliable is IP ownership information?
I have interactive firewalls like OpenSnitch running on most of my desktop OSes. I like to see what is going on with my machines' network connections to learn about networking, infosec, and to have some peace of mind.
Example workflow:
- Get a firewall notification of a new incoming connection to some process running on my machine
- If no DNS entry exists and only the IP address is provided, then I google the IP
- I find something like https://ipinfo.io/74.125.20.189
- I make a decision as to whether to allow/deny based on the ownership info which I found in step 3.
Aside from trusting the particular site presenting the ownership info, how reliable is this information regarding IP ownership?
For example, if an IP came back as "Google" could it really be a GCP instance running a command and control server?
Another example, I know that large corps own big blocks of IPv4, but they must lease these IPs out to whomever, right? I imagine there is some wild-west market for these with little accountability?
Are either of these scenarios realistic? If so, is my entire workflow for "do I trust this IP" pointless?
edit: btw, I used to catch and deny incoming connections from *.ru to the Windows legacy Skype client all the time. I cannot think of any non-evil reason why that should have been happening. That particular series of events is what really validated me doing this. If you can think of a non-evil reason for any incoming connections to Skype from *.ru, please let me know.
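The lookup step of the workflow above, as an added example that is not part of the original post: it parses a record shaped like an RDAP IP-network response (the JSON format the regional registries serve, and the raw data that sites like ipinfo.io summarise) and turns the registrant name into a statement about what that name can and cannot tell you. Everything in it is constructed for illustration: the block boundaries, the handles, the organisation names and the table of multi-tenant hosting prefixes are not real registry data. The field names startAddress, endAddress, type, entities and vcardArray follow RFC 9083, and the type values (DIRECT ALLOCATION, REASSIGNED, REALLOCATED) are assumed to follow ARIN's conventions.

```python
import ipaddress
import json


def make_record(handle, start, end, block_type, org):
    """Build a minimal RDAP-shaped 'ip network' object (constructed, not registry data)."""
    return {
        "objectClassName": "ip network",
        "handle": handle,
        "startAddress": start,
        "endAddress": end,
        "type": block_type,
        "entities": [{
            "handle": handle + "-ORG",
            "roles": ["registrant"],
            "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                     ["fn", {}, "text", org]]],
        }],
    }


# Constructed sample records: the address from the question plus two documentation
# addresses; none of the names or boundaries here are real registry facts.
SAMPLE_RDAP = {
    "74.125.20.189": make_record("NET-EX-A", "74.125.0.0", "74.125.255.255",
                                 "DIRECT ALLOCATION", "Example Cloud Provider LLC"),
    "203.0.113.77": make_record("NET-EX-B", "203.0.113.64", "203.0.113.127",
                                "REASSIGNED", "Example Customer Co"),
    "192.0.2.10": make_record("NET-EX-C", "192.0.2.0", "192.0.2.255",
                              "DIRECT ALLOCATION", "Example Enterprise Inc"),
}

# Constructed table of prefixes operated as multi-tenant cloud/hosting platforms.
HOSTING_PREFIXES = {
    "74.125.0.0/16": "Example Cloud Provider LLC",
    "198.51.100.0/24": "Example VPS Host",
}


def registrant_name(record):
    """Return the formatted name ('fn') of the registrant entity, or None."""
    for entity in record.get("entities", []):
        if "registrant" not in entity.get("roles", []):
            continue
        _, props = entity.get("vcardArray", ["vcard", []])
        for prop in props:
            if prop[0] == "fn":
                return prop[3]
    return None


def hosting_operator(ip):
    """Return the platform operator if ip falls inside a known multi-tenant prefix."""
    for cidr, operator in HOSTING_PREFIXES.items():
        if ip in ipaddress.ip_network(cidr):
            return operator
    return None


def classify(ip_str, record):
    """Summarise what the registry record does and does not say about ip_str."""
    ip = ipaddress.ip_address(ip_str)
    start = ipaddress.ip_address(record["startAddress"])
    end = ipaddress.ip_address(record["endAddress"])
    # A record that does not cover the address answers a different question.
    if not (start <= ip <= end):
        raise ValueError(f"record {record['handle']} does not cover {ip_str}")

    org = registrant_name(record)
    block_type = record.get("type", "UNKNOWN")
    operator = hosting_operator(ip)

    if operator is not None:
        verdict = ("multi-tenant platform; the registrant names the operator, "
                   "not whoever rented this address")
    elif block_type in ("REASSIGNED", "REALLOCATED"):
        verdict = ("block delegated to a downstream holder; the registrant is "
                   "the current tenant, which can change without notice")
    else:
        verdict = ("direct allocation; the registrant operates the block, but "
                   "that still says nothing about the peer process")

    return {"ip": ip_str, "registrant": org, "block_type": block_type,
            "multi_tenant": operator is not None, "verdict": verdict}


if __name__ == "__main__":
    for ip_str, record in SAMPLE_RDAP.items():
        print(json.dumps(classify(ip_str, record), indent=2))
```

Under the constructed data the question's own address comes back as "multi-tenant platform": a registrant of "Google" (or any cloud provider) identifies who runs the network, so an allow rule keyed on that name is effectively an allow for every tenant of that platform. The reassigned record shows the other direction: the name is more specific, but it is a lease that the registry will not tell you has changed.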
Yes.
Consider your threat model. If something on your computer is making an outgoing network request to somewhere that you don't trust, is the problem actually that the network request was going somewhere bad, or that you have malicious software on your computer?
If the latter (bad software), then blocking network requests by hand is unlikely to help you much – you will slip up at some point, and then the malware will be able to upload your secret files, or its owner will be able to access your computer, or whatever, and the malware is probably doing something nasty already.
If the former (good software connecting somewhere bad), then what do you do? Personally I would reevaluate my trust in the software making the connection, unless e.g. multiple pieces of software were involved, at which point I would suspect a problem somewhere else (e.g. malicious DNS server).
All this is only considering outbound connections, by the way; blocking all inbound connections by default is a sensible idea.
fwiw, I'm no security expert, and I wrote this on my phone over the course of a couple of minutes, so I may very well be wrong about any number of things.
An invitation to consider what threat one is hoping to mitigate with a given action is almost never wasted. If the firewall is already nice enough to be flagging which processes are using the network then you have no more work to do other than investigate either the traffic or the software, but networks these days are far too dynamic to be whitelisting addresses by hand.