Wow so this person has been running this site for so many years, paying bills, answering god knows how many idiots and even getting close to trouble with 3 letter agencies and senators for absolutely nothing.. hats off to you sir, any other person would have thrown in the towel a long time ago.
Also i feel little bad you didn't get any money out of it whether the site was designed to make money or not. It would have been a wonderful end to the story if you got something back for all the years of hardwork you put into running it. You do have my appreciation if that means anything though.
P.S. this story is very similar to rawgit which was a wonderful site but also fell prey to malware aholes.
> Also i feel little bad you didn't get any money out of I
Most likely it got them a much higher paying job than they would have otherwise gotten. Walking in and saying you single handedly run a site with billions of requests per day and petabytes of traffic will get you noticed.
I was using icanhazip to check if my Tor circuit was complete, and probably made 50-100 requests per week. The site was getting slow, and I thought it is just a random site that the author didn't really care too much.
I dropped my jaw when I read it was getting 30B req/day.
Thank you for running this site for so long, and thank you for keeping it up for free, and deciding to not monetize it.
I got a lot of mileage out of neverssl.com before somebody fixed the process to log into various "guest wifi" setups...ones that would intercept/redirect any http request.
I'm somewhat curious what fixed things, as I've not had to use neverssl.com for some time.
Reminds me of `echo $(dig @ns1.google.com o-o.myaddr.l.google.com TXT +short | tr -d \")`. I have no idea where this DNS query came from, because searching all of Google turns up nothing but https://github.com/GoogleCloudPlatform/cloud-self-test-kit/b..., which is never referenced by anyone. I had to track it down myself for a bootstrap.sh, but I don't like using undocumented sources for critical infrastructure.
My use case was needing to set the result of `hostname -f` in /etc/hosts in an automated fashion if a VPS provider didn't already add a line for the public Internet address in that file. You need to do this so that sendmail doesn't fail on `apt install` when it attempts to read your FQDN. So I couldn't use the NGINX example posted elsewhere here.
> It does strike me as weird that there is seemingly no POSIX-compliant way to get your public Internet address, from my readings.
There is no singular thing called a "public Internet address". Imagine you're writing paper letters to someone. You write a letter, you put your own From address, you drop it in the slot. When the mailperson comes to collect the letter, they replace your mailing address with a special other codeword. And when they receive mail, they replace that codeword back with your original address. You would never know it was intercepted unless you asked around. There's no official protocol to ask for your codeword, it's just a trick the mail service does on your behalf.
Your home router does exactly this; it's known as "Network Address Translation", or NAT. It's not an official part of IPv4, and there's no protocol to ask what it is. Your computer thinks its local IP address (typically some variety of 192.168.0.1) is its real, public address, and your router does the swap behind your back.
> It does strike me as weird that there is seemingly no POSIX-compliant way to get your public Internet address, from my readings.
Because traditionally if you're doing things right, you're not using NAT, which is against IP specs and a nonstandard kludge. So you just take your socket and query its local endpoint address using getsockname and voila.
Chinese originated spam and abuse is so outrageously widespread, I don’t understand why there isn’t a conversation going on about cutting them off from the wider internet. They blocked most of it anyway.
It stands to reason that an especially large volume of abuse will originate from the most populous country in the world. I don't think that's a reason to cut them off from the global Internet. If it's true that their government is already oppressing their own people (I don't know what's truth and what's propaganda), then the rest of us shouldn't make it worse for those people by cutting off whatever outside connections they manage to have.
Also, I'm generally bothered by comments like this one that stir up the general human tendency toward xenophobia. We should be fighting that tendency within ourselves, not fighting the out group. Whichever group of people we want to demonize, we should remember that they're people just like us. We shouldn't punish the majority of them for what a minority are doing to us.
It's not even a new trend either. Back in 2003 when I worked at eBay and PayPal doing security, the bulk of the attempts came from China and Romania (Romania at the time had one ISP for the whole country that was fast but didn't care about abuse at all).
15+ or so years ago I worked in the NOC of the 3rd or so largest ISP in the US and a random network engineer did this one evening. We got a big influx of customers complaining about email not working to their family, etc, until I finally figured it out.
That network guy (classic long hair "security" guy) was a lazy asshole for doing it then and the internet needs to have the technology to deal with bad actors beyond AS/geo-level blocking now.
China currently makes some absurdly large percentage of the world's consumer goods, and the discussions about producing them are probably being had over the internet. Cut them off of the internet and we have to rebuild manufacturing capacity everywhere else.
Which might not be a bad thing overall, but it's sure not gonna make any transnational corporation's bottom line happy over the next few quarters, so they'll be waving a lot of money at politicians to make this not happen.
Thanks for all your hard work! icanhazip.com / icanhazptr.com have been incredibly useful.
Small feature request: back in the day {ipv4,ipv6}.{icanhazptr,icanhazip}.com only had A / AAAA records, but now it seems they have both and thus a simple "curl ipv4.icanhzptr.com" can also give me a v6 address (of course, "curl -4" works). Would Cloudfare be OK with separating them again?
I’ve seen packages that do ”internet-detection” by calling out to icanhazip.com, and I just thought that was so irresposnible. What if your package got popular, how much money are you costing the hoster? For services like this, people just don’t consider the fact that there’s someone on the other side.
Requesting "yoursite.tld/ip" will then return your IP address. I set up something like this on all my servers and recommend that others do the same. It's easy to do the same for Apache and Caddy configs. That should help spread the load.
I'm curious as to what other overused utilities can be trivially done with pure server configs.
I feel the same about dependency steps in CI, without a cache or any similar structure. Package repos like Rubygems, NPM and PyPi get utterly rinsed by the continual downloading and redownloading of stuff the client should have already stored.
The article was about abusive floods accounting for 90% of the traffic. The author was happy with legitimate use cases like packages doing detection, contrary to your comment.
I used to use this site until I found https://checkip.amazonaws.com/. Switched because I wasn't sure who was behind icanhazip.com and it's tough to beat AWS. Glad to hear that it will likely be maintained for awhile longer!
Truly selfless service.
It cost him many thousands in money and tens of thousands in time.
And :
"If you’re curious, Cloudflare did pay me for the site. We made a deal for them to pay me $8.03; the cost of the domain registration. The goal was never to make money from the site (although I did get about $75 in total donations from 2009 to 2021). The goal was to provide a service to the internet. Cloudflare has helped me do that and they will continue to do it as the new owners and operators of icanhazip.com."
BTW, speaking as a nerd, he has the best formatted resume that I have ever seen !
This kind of service is exactly what STUN servers are made for. Designed to be used with webrtc, but it works perfectly alright by itself.
There are a plethora of unauthenticated STUN servers around, and while there's still room for abuse, the protocol is a bit more lightweight than full-blown http requests, and faster, too!
I've dabbled with doing this on my own, but I've found `myip` to do the job nicely and without hassle:
Had the pleasure of working with Major at Rackspace; his professionalism, ethics, and quality of person always impressed me and inspired me to be a better version of myself every day. This move is a very mature decision; one that was probably bittersweet. Kudos Major on taking a step forward and putting the stewardship where it belongs.
I've been using ipinfo.io for several years -- checking a dynamic ip address every 10 minutes. My thanks for supplying this service! Is there a reason to change over to icanhazip ?
I feel like in theory google should be returning this site, instead of the ad-filled sites when one searches "my ip address." But it always seems like Google heavily over-values the domain name and search term matches.
The "first result" in a Google query for "my ip" and other combinations is a box with your public IP. There's no reason to click in any of the ad-filled sites anymore.
I run a very simple, completely free API service as well. Currently using Google Cloud Run, handling a constant 10 rps for ~$8/mo. Pretty happy with it. I could probably cost optimize more. I sure hope I never have to deal with 30 billion requests per day, though. I'm sure my patience would run thin as well. Thank you to the author for running this site for so many years!
For those behind a home router an alternative is to use UPNP, e.g., through the miniupnpc package on Debian which ships the `/usr/bin/external-ip` script that postprocesses the `upnpc -s` output.
[+] [-] superasn|4 years ago|reply
Also i feel little bad you didn't get any money out of it whether the site was designed to make money or not. It would have been a wonderful end to the story if you got something back for all the years of hardwork you put into running it. You do have my appreciation if that means anything though.
P.S. this story is very similar to rawgit which was a wonderful site but also fell prey to malware aholes.
[+] [-] jedberg|4 years ago|reply
Most likely it got them a much higher paying job than they would have otherwise gotten. Walking in and saying you single handedly run a site with billions of requests per day and petabytes of traffic will get you noticed.
[+] [-] FabHK|4 years ago|reply
[+] [-] Ayesh|4 years ago|reply
I dropped my jaw when I read it was getting 30B req/day.
Thank you for running this site for so long, and thank you for keeping it up for free, and deciding to not monetize it.
[+] [-] tyingq|4 years ago|reply
I'm somewhat curious what fixed things, as I've not had to use neverssl.com for some time.
[+] [-] andrewmcwatters|4 years ago|reply
My use case was needing to set the result of `hostname -f` in /etc/hosts in an automated fashion if a VPS provider didn't already add a line for the public Internet address in that file. You need to do this so that sendmail doesn't fail on `apt install` when it attempts to read your FQDN. So I couldn't use the NGINX example posted elsewhere here.
It seems like https://checkip.amazonaws.com/ is much more "reliable" in that it is publicly documented at https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/s....
To anyone who needs to read this: please don't use "services" like icanhazip for your provisioning. Even my examples above are bad.
It does strike me as weird that there is seemingly no POSIX-compliant way to get your public Internet address, from my readings.
Edit: Oh goodness... even Amazon's documentation recommends using Google's undocumented DNS query.[1]
[1]: https://aws.amazon.com/premiumsupport/knowledge-center/route...
[+] [-] quesera|4 years ago|reply
It is not possible to know your public IP address, except by fetching the information from a known entity on the public network.
And in some scenarios, your public IP will change frequently. There is no guarantee that it will be consistent across multiple requests.
[+] [-] Jasper_|4 years ago|reply
There is no singular thing called a "public Internet address". Imagine you're writing paper letters to someone. You write a letter, you put your own From address, you drop it in the slot. When the mailperson comes to collect the letter, they replace your mailing address with a special other codeword. And when they receive mail, they replace that codeword back with your original address. You would never know it was intercepted unless you asked around. There's no official protocol to ask for your codeword, it's just a trick the mail service does on your behalf.
Your home router does exactly this; it's known as "Network Address Translation", or NAT. It's not an official part of IPv4, and there's no protocol to ask what it is. Your computer thinks its local IP address (typically some variety of 192.168.0.1) is its real, public address, and your router does the swap behind your back.
[+] [-] fulafel|4 years ago|reply
Because traditionally if you're doing things right, you're not using NAT, which is against IP specs and a nonstandard kludge. So you just take your socket and query its local endpoint address using getsockname and voila.
[+] [-] thatjamesdude|4 years ago|reply
Genuinely asking because I've always used the query
to resolve the public IP my ISP has assigned me so I can update my homelab's IP.I use Route53 and I either completely missed the checkip link or they simply don't mention it
[+] [-] luckman212|4 years ago|reply
dig... | tr... works fine without it.
also, `dig -4 ... ` to get your IPv4 address, for us dual-stacked folks. Otherwise it returns your V6 address by default.
[+] [-] gnopgnip|4 years ago|reply
[+] [-] toxik|4 years ago|reply
[+] [-] mwcampbell|4 years ago|reply
Also, I'm generally bothered by comments like this one that stir up the general human tendency toward xenophobia. We should be fighting that tendency within ourselves, not fighting the out group. Whichever group of people we want to demonize, we should remember that they're people just like us. We shouldn't punish the majority of them for what a minority are doing to us.
[+] [-] jmartrican|4 years ago|reply
[+] [-] jedberg|4 years ago|reply
[+] [-] liveoneggs|4 years ago|reply
That network guy (classic long hair "security" guy) was a lazy asshole for doing it then and the internet needs to have the technology to deal with bad actors beyond AS/geo-level blocking now.
[+] [-] wyager|4 years ago|reply
[+] [-] egypturnash|4 years ago|reply
Which might not be a bad thing overall, but it's sure not gonna make any transnational corporation's bottom line happy over the next few quarters, so they'll be waving a lot of money at politicians to make this not happen.
[+] [-] croes|4 years ago|reply
[+] [-] madars|4 years ago|reply
Small feature request: back in the day {ipv4,ipv6}.{icanhazptr,icanhazip}.com only had A / AAAA records, but now it seems they have both and thus a simple "curl ipv4.icanhzptr.com" can also give me a v6 address (of course, "curl -4" works). Would Cloudfare be OK with separating them again?
[+] [-] tomschlick|4 years ago|reply
[+] [-] Tijdreiziger|4 years ago|reply
Cool, I didn't know about that one.
[+] [-] OskarS|4 years ago|reply
[+] [-] Seirdy|4 years ago|reply
I'm curious as to what other overused utilities can be trivially done with pure server configs.
[+] [-] ljm|4 years ago|reply
[+] [-] kortilla|4 years ago|reply
[+] [-] ColdHeat|4 years ago|reply
[+] [-] madars|4 years ago|reply
[+] [-] epse|4 years ago|reply
[+] [-] Ice_cream_suit|4 years ago|reply
And :
"If you’re curious, Cloudflare did pay me for the site. We made a deal for them to pay me $8.03; the cost of the domain registration. The goal was never to make money from the site (although I did get about $75 in total donations from 2009 to 2021). The goal was to provide a service to the internet. Cloudflare has helped me do that and they will continue to do it as the new owners and operators of icanhazip.com."
BTW, speaking as a nerd, he has the best formatted resume that I have ever seen !
See: https://majorhayden.com/
[+] [-] mjsir911|4 years ago|reply
There are a plethora of unauthenticated STUN servers around, and while there's still room for abuse, the protocol is a bit more lightweight than full-blown http requests, and faster, too!
I've dabbled with doing this on my own, but I've found `myip` to do the job nicely and without hassle:
https://github.com/Snawoot/myip
[+] [-] politelemon|4 years ago|reply
http://manpages.ubuntu.com/manpages/bionic/man1/stun.1.html
[+] [-] yakubin|4 years ago|reply
[1]: <https://news.ycombinator.com/item?id=26634476>
[+] [-] gamedna|4 years ago|reply
[+] [-] coderholic|4 years ago|reply
[+] [-] CliffStoll|4 years ago|reply
[+] [-] chrischen|4 years ago|reply
[+] [-] slig|4 years ago|reply
[+] [-] unknown|4 years ago|reply
[deleted]
[+] [-] KirillPanov|4 years ago|reply
Glad it will live on!
[+] [-] leesalminen|4 years ago|reply
[+] [-] Klasiaster|4 years ago|reply
[+] [-] zie|4 years ago|reply
[+] [-] asdfaoeu|4 years ago|reply
[+] [-] delduca|4 years ago|reply
[+] [-] c7DJTLrn|4 years ago|reply
[+] [-] sneak|4 years ago|reply
[+] [-] blibble|4 years ago|reply
they'll soon learn
[+] [-] thegeekbin|4 years ago|reply