Recently, I saw icanhazip.com pop up in my pFsense firewall logs. It was immediately blocked but the name piqued my interest, so I did a little digging which revealed an interesting backstory.

It’s owned by Cloudflare:

spoiler

spoiler

…but it hasn’t always been theirs: icanhazip: How a simple IP address tool survived a deluge of users. Pretty interesting, at least to me as I have never encountered it before.

I have it still blocked as nothing I’m doing seems hampered by blocking icanhazip.com’s ip range. Anyone else ever encounter icanhazip.com?

I think I found the source of the icanhazip.com block. From the Github Issues page:

2025-03-27 17:00:02] production.ERROR: Failed to fetch external IP address. [“cURL error 60: SSL: no alternative certificate subject name matches target hostname ‘icanhazip.com’ (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://icanhazip.com/%E2%80%9D]

ETA: Solved

I think I found the source of the icanhazip.com block. From the Github Issues page:

2025-03-27 17:00:02] production.ERROR: Failed to fetch external IP address. [“cURL error 60: SSL: no alternative certificate subject name matches target hostname ‘icanhazip.com’ (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://icanhazip.com/”]

  • hexagonwin@lemmy.today
    link
    fedilink
    English
    arrow-up
    22
    ·
    3 days ago

    i always use curl icanhazip.com for checking my external IP… iirc some “IoT” devices also use it for some reason

    • irmadlad@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      6
      ·
      3 days ago

      some “IoT” devices also use it for some reason

      I haven’t conducted a thorough investigation, but the last container I added was SpeedTest Tracker and I am assuming that it’s using icanhazip.com and ifconfig.co to determine the best test servers based on my locale. I chose my own servers when I set it up. For the time being, I have both blocked and nothing seems to complain. SpeedTest Tracker still crons ever hour with success.

  • ramielrowe@lemmy.world
    link
    fedilink
    English
    arrow-up
    15
    ·
    3 days ago

    I actually worked with Major back when he initially created icanhazip.com. It’s still my go-to for resolving my public IP for scripts that need it. (IE. hand rolled DNS for my home lab k8s cluster).

    • irmadlad@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      6
      ·
      edit-2
      3 days ago

      Interestingly enough, ifconfig.co shows up too. I knew about ifconfig.co tho. Since the last container I added was SpeedTest Tracker to replace OpenSpeedTest, and that’s about the time icanhazip.com showed up, I am assuming SpeedTest Tracker is using both ifconfig.co and icanhazip.com to determine the local external IP and the closest test servers to it. The request is originating from the LAN. However, I selected my own servers I wanted to use based on my locale, so blocking either hasn’t stopped SpeedTest Tracker from doing it’s tests on an hourly basis.

  • non_burglar@lemmy.world
    link
    fedilink
    English
    arrow-up
    8
    ·
    3 days ago

    The back story of icanhazip is OK, but I want to know where you picked it up in your logs… Incoming on edge? Something in your network dialing out?

    • irmadlad@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      3
      ·
      edit-2
      3 days ago

      Suricata picked it up on the LAN side. I haven’t done an in depth review, but I am suspecting that SpeedTest Tracker is using icanhazip.com and ifconfig.co to check my ip and find the most appropriate test server. It’s on the list tho. For now I have them blocked and nothing seems to complain about it. I chose my own servers.

      • non_burglar@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        3 days ago

        Could be.

        Speedtest (the ookla one) uses a bunch of traceroute and compares hops to pick a peering point, but they display your public IP on the test page and probably use some icanhzip or other service to know that. It should come as no surprise to you that most north American ISPs pay Ookla to prefer peering points in which they have a heavy presence.

        Icanhazip is an older service, I’m surprised cloudflare didn’t just kill it, they built their own when they were standing up 1.1.1.1.

        Could also be some other tooling on your lan built before the Claude days.

  • Deebster@infosec.pub
    link
    fedilink
    English
    arrow-up
    8
    ·
    3 days ago

    I must have been a very early user if only went live in 2009! It’s a great resource that’s always fast and optimally concise.

    I didn’t know this backstory though, thanks for sharing.

  • Th4tGuyII@fedia.io
    link
    fedilink
    arrow-up
    5
    ·
    3 days ago

    Wow, today I learned. That’s a rather interesting story.

    A bit of a sad ending, but a perfect example of why we can’t have nice things - someone will always find a way to abuse it.

    • irmadlad@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      3 days ago

      The thought just struck me that there may be who knows how many of these out in the wild. Little ‘touch stones’ that people use across a global internet.