Don't host on a .255 IP address

Most of the websites that I build at work are for internal use, but last year I created a site with a public audience. Everything was going well post-launch until I received a handful of reports from users who couldn't access the site. They tried clearing cookies, switching browsers, switching computers, and resetting modems, but nothing worked. Visiting any page on the site would result in an error like

Internet Explorer cannot display the webpage

or

Unable to connect

They could view other sites hosted on my network, but nothing hosted on the same server as this public site. The PHP and server logs recorded nothing unusual. What was happening?

Lucky for me, this public site hosts content that our users really want to access. Otherwise countless people would have failed to reach the site but moved on without reporting it. For every user who contacted me, I would collect some basic information, ask them to attempt some tests, then apologize for the problems and suggest they use the Internet at somewhere like Starbucks.

After much frustration, I remembered that when the server was deployed months before, it was assigned an odd IP address. Its public IP address ended in .255. If you're familiar with networking, you recognize that an IP address ending in .255 is traditionally the broadcast address of a /24 network (#.#.#.0 - #.#.#.255). The broadcast address has special meaning within the network and is never assigned to any clients. But evidently this server is not on a /24 network because the .255 address worked fine, so I let it go.

I researched online and found some reports (but not many) to corroborate this problem with .255 IP addresses. Continuing with this hunch, the server farm administrators assigned an additional IP address to the server which didn't end in .0 or .255. I moved the website to the new IP address and, after the DNS change propagated, the problem was fixed. To date, no more users have reported problems accessing the site.

My testing suggests that the problem lies with the user's Internet Service Provider (ISP). Because a .255 IP address is normally significant, some ISPs may block outbound traffic to those addresses to prevent smurf attacks. While everyone agrees that this is a crude method, some ISPs clearly still use it.

If you don't want to ban a percentage of users from accessing your site, be sure you don't have public content hosted on a .255 IP address.
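
As an added example (not part of the original post), the Python sketch below audits server addresses for this pitfall. It separates addresses that really are the network or broadcast address of their subnet from valid host addresses that merely end in .0 or .255, which is the case described above. The function names and sample addresses are constructed for illustration.

```python
import ipaddress

# Last octets that a crude "looks like a broadcast address" filter reacts to.
SUSPECT_LAST_OCTETS = {0, 255}

def classify(interface_cidr):
    """Classify a host address written as 'address/prefix'."""
    iface = ipaddress.IPv4Interface(interface_cidr)
    addr, net = iface.ip, iface.network
    # /31 and /32 networks have no network or broadcast address,
    # so only check those roles on larger subnets.
    if net.prefixlen < 31:
        if addr == net.broadcast_address:
            return "broadcast"   # really the subnet's broadcast address
        if addr == net.network_address:
            return "network"     # really the subnet's network address
    # A usable host address that only looks special: the situation in this post.
    if addr.packed[-1] in SUSPECT_LAST_OCTETS:
        return "risky-host"
    return "ok"

def audit(interfaces):
    """Return {cidr: classification} for every address in the list."""
    return {cidr: classify(cidr) for cidr in interfaces}

# Constructed sample data using documentation address ranges.
SAMPLE = [
    "198.51.100.255/23",  # ends in .255 but is a normal host in a /23
    "203.0.113.0/23",     # ends in .0 but is a normal host in a /23
    "203.0.113.255/24",   # true broadcast address of a /24
    "192.0.2.10/24",      # ordinary host address
]

if __name__ == "__main__":
    for cidr, verdict in audit(SAMPLE).items():
        print(f"{cidr:20} {verdict}")
```

Anything reported as risky-host is valid on its own network but may be unreachable for users behind filters that assume every network is a /24.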

Drew

Hi! I'm Drew, the Wimpy Programmer. I'm a software developer and formerly a Windows server administrator. I use this blog to share my mistakes and ideas.