'Dodgy' IP addresses.

[Infrasonic]

Just as an FYI really.

I just had to turn my phone off and on again as a certain high street banks website decided my IP address wasn't trustworthy (it worked fine with another bank two minutes previously).
They are using this lot for their security screening...https://www.brightcloud.com/

All works fine now as I got assigned a new IP address when I switched my phone back on , but the advice given by the bank was the 'fill in this form and get your address unblocked' route, which is time consuming and can sometimes take ages to resolve. I've suggested they update their help pages with the simpler options...(Their twitter help service was pretty quick to respond though to give them credit, definitely preferable to phoning helplines).

If you have trouble logging in to any websites check the full URL to see if there are any error codes, in this case ErrorPage=EP83

Most domestic ISP's use dynamic IP addresses by default (unless you specifically want a fixed one, which is typically a request+fee or a 'business' account feature) so turning the modem/router off for a few minutes will normally get you another dynamic IP address. If not you'll have to contact your ISP and get them to sort it out for you.
If you've got a NAS/server/IP security cameras et al on the end you can use dynamic DNS (DDNS) services (often free for limited use accounts) with dynamic IP addresses, so a fixed IP address isn't essential.
If that's all gobbledygook there's a simple explainer here...https://www.youtube.com/watch?v=rOLGvZagdC0

HTH

I

[Lootman]

Most domestic ISP's use dynamic IP addresses by default (unless you specifically want a fixed one, which is typically a request+fee or a 'business' account feature) so turning the modem/router off for a few minutes will normally get you another dynamic IP address. If not you'll have to contact your ISP and get them to sort it out for you.

My domestic IP address is static, by default and with no fee.

It's actually handy as various online financial accounts I use expect to see that IP address whenever I log in, and invoke a second level of security if it is different e.g. by sending a code to my phone. So I like having a static IP.

Whilst if I wish to appear to be seen as being somewhere else then I invoke a VPN to fool the host site into thinking I am wherever I wish. I suspect it may be known proxy servers that cause the problem you cite, ironically. Businesses can buy lists of such proxies if they don't like people to use them, although I'm not sure how successful such blocking attempts are. I sometimes encounter what you experienced but usually switching to another IP fixes it.

[UncleEbenezer]

I just had to turn my phone off and on again as a certain high street banks website decided my IP address wasn't trustworthy (it worked fine with another bank two minutes previously).
I

That looks broken to me.

They should know about dynamic IP addresses. They might reasonably block a dynamic IP address (as with any other IP) if they detect an attack. But in the dynamic case, that needs to be time-limited. They can of course re-block (perhaps on a lower threshold) if the attack resumes, but in general, it shouldn't affect you as a regular end-user.

Unless you had only recently turned the phone on and acquired the address at the time?

[PhaseThree]

This sounds strange to me.
If you are using the mobile network to connect to the world you are hidden behind a carrier grade NAT (CGN) system. The IP address the outside world sees is shared amoungst hunderds of users on the same mobile network (A similar system is used for VPNs). The IP address your phone is in possesion of is local to the network and not propagated. If your bank is blocking a CGN IP address it has serious issues.

[bungeejumper]

I just had to turn my phone off and on again as a certain high street banks website decided my IP address wasn't trustworthy (it worked fine with another bank two minutes previously)

My Lloyds account locked me out this morning for half an hour - it repeatedly wouldn't recognise my username or password, and when I tried to reset the password the site just hung. (Twice.)

Then, as quickly as it had happened, the problem suddenly went away. Coincidence?

BJ

[Infrasonic]

I just had to turn my phone off and on again as a certain high street banks website decided my IP address wasn't trustworthy (it worked fine with another bank two minutes previously)

My Lloyds account locked me out this morning for half an hour - it repeatedly wouldn't recognise my username or password, and when I tried to reset the password the site just hung. (Twice.)

Then, as quickly as it had happened, the problem suddenly went away. Coincidence?

BJ

No this is not even getting to the login stage, it hangs as a blank page with the error code in the URL.

It's an ISP IP blacklist issue, if the ISP's (Three in this case) were more on it in getting WAN side IP's delisted (having resolved whatever the issue was) it would be less of a problem.
In the five years I've had this phone on Three this is still only about the fourth time I've ever had to do it, so not really worth worrying about.

I had it a couple of times with BT when I had ADSL too, switched the router off and on, new IP, problem solved.

It's entirely dependent on the 'security' service being used for monitoring and how high their thresholds are set.
You'll see those Cloudflare alerts every now and again causing access issues for similar reasons, especially if there's been a recent spate of DDoS attacks and Cloudflare turn the wick up.
Configuration issues can get blacklisted, it's not necessarily client level malware/spam/phishing et al (although it could be...).

You can get real time monitoring for all this stuff, I've got my domain email monitored for free via...https://mxtoolbox.com/NetworkTools.aspx
When I've checked previously for IP blacklisting issues it's normally spammers having had that IP (or block) before affecting its reputation.

[Lootman]

They should know about dynamic IP addresses. They might reasonably block a dynamic IP address (as with any other IP) if they detect an attack.

A host cannot detect whether an IP address is dynamic or static. It is just a string of numbers to them, which they either like or dislike.

[UncleEbenezer]

They should know about dynamic IP addresses. They might reasonably block a dynamic IP address (as with any other IP) if they detect an attack.

A host cannot detect whether an IP address is dynamic or static. It is just a string of numbers to them, which they either like or dislike.

A database of IP allocations may be less than comprehensive, but can tell you Range [foo] is addresses allocated dynamically by [ISP/telco] to customers.

Some such databases have been widely used for decades, for example in spam-fighting.

[Lootman]

They should know about dynamic IP addresses. They might reasonably block a dynamic IP address (as with any other IP) if they detect an attack.

A host cannot detect whether an IP address is dynamic or static. It is just a string of numbers to them, which they either like or dislike.

A database of IP allocations may be less than comprehensive, but can tell you Range [foo] is addresses allocated dynamically by [ISP/telco] to customers.

Some such databases have been widely used for decades, for example in spam-fighting.

You may be right but as a matter of common everyday usage, I can usually get the outcome I want by swapping in and out different IP addresses.

[Infrasonic]

Some such databases have been widely used for decades, for example in spam-fighting.

The last time I checked Spamhaus I think they were into the billions on their database.

[PhaseThree]

Let me try and explain my previous post a little more:-

If you are using a mobile network you do not have a unique IP address as far as the wider world is concerned -You have a unique IP/PORT combination. Your bank may be receiving multiple simultaneous requests from the same IP address but as they all use differing ports everything routes to its intended location. The problem comes when some in mobile phone land starts using the mobile network to do something the bank doesn't approve of (spamming for instance). If the bank is dumb it blocks the IP address, if it wants to keep customers it blocks the IP/PORT combination assuming this combination is relatively stable. Unfortunately this is not necessarily the case and some carriers seems to dynamically reassign ports on a very frequent basis.

More info here
https://en.wikipedia.org/wiki/Carrier-grade_NAT

Specifically
"In cases of banning traffic based on IP addresses, the system might block the traffic of a spamming user by banning the user's IP address. If that user happens to be behind carrier-grade NAT, other users sharing the same public address with the spammer will be mistakenly blocked.[6] This can create serious problems for forum and wiki administrators attempting to address disruptive actions from a single user sharing an IP address with legitimate users"

My experience of all this comes from trying to set up a DDNS system across the Three mobile network (impossible).

[Infrasonic]

Let me try and explain my previous post a little more:-

If you are using a mobile network you do not have a unique IP address as far as the wider world is concerned -You have a unique IP/PORT combination. Your bank may be receiving multiple simultaneous requests from the same IP address but as they all use differing ports everything routes to its intended location. The problem comes when some in mobile phone land starts using the mobile network to do something the bank doesn't approve of (spamming for instance). If the bank is dumb it blocks the IP address, if it wants to keep customers it blocks the IP/PORT combination assuming this combination is relatively stable. Unfortunately this is not necessarily the case and some carriers seems to dynamically reassign ports on a very frequent basis.

More info here
https://en.wikipedia.org/wiki/Carrier-grade_NAT

Specifically
"In cases of banning traffic based on IP addresses, the system might block the traffic of a spamming user by banning the user's IP address. If that user happens to be behind carrier-grade NAT, other users sharing the same public address with the spammer will be mistakenly blocked.[6] This can create serious problems for forum and wiki administrators attempting to address disruptive actions from a single user sharing an IP address with legitimate users"

My experience of all this comes from trying to set up a DDNS system across the Three mobile network (impossible).

Thanks for the further clarification PT, I understood what you meant from your first post, I think the issue with Three is just that, the multitude of users sharing an address. I've noticed that I've had clean IP addresses in the past that have then started to appear on the blacklists. Generally it hasn't caused issues, but occasionally (like today) it does.

The Three/DDNS issue isn't something I'd thought about so thanks for the heads up on that.

[UncleEbenezer]

Let me try and explain my previous post a little more:-

If you are using a mobile network you do not have a unique IP address as far as the wider world is concerned

Your previous post seemed clear enough. But I don't believe it's true.

A mobile network might put you behind NAT, but that would be a matter of that network's configuration. I certainly don't get that as an EE customer, and I don't *think* I get it with O2 (though my usage on O2 wouldn't necessarily have confirmed it one way or the other).

[Infrasonic]

Don't know how up to date this is...https://www.3grouterstore.co.uk/3G/3_Mobile.html

In order to connect to the 3mobile network for ddns we recommend using the APN setting of 3internet which should bypass the NAT services and enable you to use DynDNS services for remote access.

[PhaseThree]

Let me try and explain my previous post a little more:-

If you are using a mobile network you do not have a unique IP address as far as the wider world is concerned

Your previous post seemed clear enough. But I don't believe it's true.

A mobile network might put you behind NAT, but that would be a matter of that network's configuration. I certainly don't get that as an EE customer, and I don't *think* I get it with O2 (though my usage on O2 wouldn't necessarily have confirmed it one way or the other).

Convieniently I'm currently running across the EE network (no wifi)
My phone tells me that my IP address is 192.0.0.4. According to IPV4 specifications the range 192.0.0.0 to 192.0.0.255 is "private network" and is used for local communications within a private network and is therefore unroutable.
If I open a web browser on the phone and go to grc.com (Shields Up!) it tells me my public IP address is 213.205.241.70, so something in the EE network has performed IP translation.
Checking this public IP address shows it is part of a block assigned to EE (213.2015.214.*), this is entirely consistant with CGN, which EE is reported as using.

[PhaseThree]

Don't know how up to date this is...https://www.3grouterstore.co.uk/3G/3_Mobile.html

In order to connect to the 3mobile network for ddns we recommend using the APN setting of 3internet which should bypass the NAT services and enable you to use DynDNS services for remote access.

Thanks for that - unfortunately (!!) i'm on the Three 4G service as 3G is not fast enough at my location. The same site says

2. DYNDNS (DYNAMIC DNS) / DDNS)

Many 3G and 4G router users would like to use DYNDNS to access their routers because this means they can take advantage of low cost data plans direct from the main UK mobile networks - however most mobile networks now use CG NAT (Carrier Grade NAT) to provide IP addresses which means that the WAN IP address allocated to the router is a PRIVATE IP address on the mobile operators internal network so the Public IP address that you might see when you visit http://www.showmyip.co.uk will be one of the mobile networks public IP addresses but the mobile operator will have hundreds of devices using each public IP address which is why you will be unable to connect to your device. You can research this further by searching the internet for "4G CGNAT".

THE MAIN 4G NETWORKS DO NOT PROVIDE SINGLE PUBLIC IP ADDRESSES WHICH MEANS DYNDNS WILL NOT WORK

ONLY THREE MOBILE PROVIDE PUBLIC IP ADDRESSES BUT ONLY ON THEIR 3G CONNECTIONS AND THIS IS NOT A GUARANTEED SERVICE


Unfortunately this is a killer for my application.

[Infrasonic]

^^ I'm on 4G (unlimited ) as well, so that's a bit of a b*gger!
That site still lists T-mobile and Orange (and not EE) so I wasn't sure of how up to date it was...

At least the clean IP going dirty via the blacklists makes sense now.

[PhaseThree]

^^ I'm on 4G (unlimited ) as well, so that's a bit of a b*gger!
That site still lists T-mobile and Orange (and not EE) so I wasn't sure of how up to date it was...

At least the clean IP going dirty via the blacklists makes sense now.

I was hoping that security concerns were going to kill the practice. The EuroPlod are understandably down on the whole idea.
(https://www.europol.europa.eu/newsroom/ ... ity-online)

Hopefully the whole mess disappears if/when IPV6 takes over.

[Infrasonic]

^^ I'm on 4G (unlimited ) as well, so that's a bit of a b*gger!
That site still lists T-mobile and Orange (and not EE) so I wasn't sure of how up to date it was...

At least the clean IP going dirty via the blacklists makes sense now.

I was hoping that security concerns were going to kill the practice. The EuroPlod are understandably down on the whole idea.
(https://www.europol.europa.eu/newsroom/ ... ity-online)

Hopefully the whole mess disappears if/when IPV6 takes over.

Aah yes of course, the IPv4 issue hadn't occurred to me, it all makes more sense now.

Edit: As an aside, the mention of Estonia in that link, it's a great place for an e business, a friend is registered there for his internet business...https://e-estonia.com/solutions/busines ... -register/

[UncleEbenezer]

Let me try and explain my previous post a little more:-

If you are using a mobile network you do not have a unique IP address as far as the wider world is concerned

Your previous post seemed clear enough. But I don't believe it's true.

A mobile network might put you behind NAT, but that would be a matter of that network's configuration. I certainly don't get that as an EE customer, and I don't *think* I get it with O2 (though my usage on O2 wouldn't necessarily have confirmed it one way or the other).

Convieniently I'm currently running across the EE network (no wifi)
My phone tells me that my IP address is 192.0.0.4.

Are you sure? 192.0.0/24 is actually "IETF Protocol Assignments", which would suggest what's being reported as in that range is something other than a normal IP address. 192.168.0.4 should be "Dual-Stack Lite Broadband Deployments Following IPv4 Exhaustion" (which is a new one on me). It's not NAT as such, though it might be something similar. It's 192.168/16 (in the 192.x range) that's allocated to NAT - and used by most home routers I've encountered.

Maybe you and I are on different configurations, perhaps associated with different deals?

I was hoping that security concerns were going to kill the practice. The EuroPlod are understandably down on the whole idea.

Indeed. I kind-of thought that was an argument that had played out last century over AOL's (in)famous NAT gateway.