Recently, I saw icanhazip.com pop up in my pFsense firewall logs. It was immediately blocked but the name piqued my interest, so I did a little digging which revealed an interesting backstory.
It’s owned by Cloudflare:
spoiler
spoiler
…but it hasn’t always been theirs: icanhazip: How a simple IP address tool survived a deluge of users. Pretty interesting, at least to me as I have never encountered it before.
I have it still blocked as nothing I’m doing seems hampered by blocking icanhazip.com’s ip range. Anyone else ever encounter icanhazip.com?
i always use
curl icanhazip.comfor checking my external IP… iirc some “IoT” devices also use it for some reasonsome “IoT” devices also use it for some reason
I haven’t conducted a thorough investigation, but the last container I added was SpeedTest Tracker and I am assuming that it’s using icanhazip.com and ifconfig.co to determine the best test servers based on my locale. I chose my own servers when I set it up. For the time being, I have both blocked and nothing seems to complain. SpeedTest Tracker still crons ever hour with success.
The back story of icanhazip is OK, but I want to know where you picked it up in your logs… Incoming on edge? Something in your network dialing out?
Suricata picked it up on the LAN side. I haven’t done an in depth review, but I am suspecting that SpeedTest Tracker is using icanhazip.com and ifconfig.co to check my ip and find the most appropriate test server. It’s on the list tho. For now I have them blocked and nothing seems to complain about it. I chose my own servers.
Could be.
Speedtest (the ookla one) uses a bunch of traceroute and compares hops to pick a peering point, but they display your public IP on the test page and probably use some icanhzip or other service to know that. It should come as no surprise to you that most north American ISPs pay Ookla to prefer peering points in which they have a heavy presence.
Icanhazip is an older service, I’m surprised cloudflare didn’t just kill it, they built their own when they were standing up 1.1.1.1.
Could also be some other tooling on your lan built before the Claude days.
I actually worked with Major back when he initially created icanhazip.com. It’s still my go-to for resolving my public IP for scripts that need it. (IE. hand rolled DNS for my home lab k8s cluster).
Wow! It certainly a small world after all.
Wow, today I learned. That’s a rather interesting story.
A bit of a sad ending, but a perfect example of why we can’t have nice things - someone will always find a way to abuse it.
Lots of people use it, I recommend they try ifconfig.co - cleaner curl output.
Interestingly enough, ifconfig.co shows up too. I knew about ifconfig.co tho. Since the last container I added was SpeedTest Tracker to replace OpenSpeedTest, and that’s about the time icanhazip.com showed up, I am assuming SpeedTest Tracker is using both ifconfig.co and icanhazip.com to determine the
localexternal IP and the closest test servers to it. The request is originating from the LAN. However, I selected my own servers I wanted to use based on my locale, so blocking either hasn’t stopped SpeedTest Tracker from doing it’s tests on an hourly basis.
I must have been a very early user if only went live in 2009! It’s a great resource that’s always fast and optimally concise.
I didn’t know this backstory though, thanks for sharing.
Thanks for the post, was an interesting read
