Do all organisations "broadcast" their IP range?

Sorry if wrong forum, wasn't sure where best to ask this:

At my place of work we are engaging a company who say they can tell us the name of EVERY organisation that visits our website for sales leads etc. Not talking about completing form submissions or anything like that, but only via IP addresses/ranges and whatever other trickery they can employ.

Is this really possible from a technical standpoint? I know lots of larger/public organisations "broadcast" their IP ranges as it were so its relatively easy to tell when they have visited but what about smaller business etc that just have a typical £50/month business broadband package with BT or whoever...can all of these companies be identified and named when visiting our website as this company seems to be claiming? Wouldn't we just see a load of ISP/host names rather than the actual companies looking at our website?

I'd question the claim that they could identify every organisation. I might accept that they could identify most of them but I'd be surprised if they could ID more than 75%.

I can tell you that I'd be very, very unhappy if I received a communication from a company just because I happened to hit their website. If a company is offering a service I want then I'll contact them. I dislike marketing and especially detest spam. Any company that pursues me out of the blue will get put on the block list PDQ.

Edited by Andrue (Wed 09-Jun-21 20:43:50)

I think having access to cookies of the visitors would help too.

Thanks
Dan

What’s the name of the company?

In reply to a post by office123:

At my place of work we are engaging a company who say they can tell us the name of EVERY organisation that visits our website for sales leads etc.

And there are companies working on defending against acts such as this.

All IP address ranges are assigned by central IP management organisations. There is a worldwide register of who each IP address/range is assigned to. The register used to be freely available via whois services but is now redacted from public access because of GDPR (this was how they protected individuals registering domains). They still may not be able to identify everyone as people could be using VPNs or web proxies to mask their IP address or they could be using IP addresses owned by their ISP (as would be the case for most consumer connections) or the IP address could be owned by a parent company.

Assuming the company has access to the unredacted databases then yes they could see who every IP address is registered to.

However, be careful using this data for direct marketing as you need to make sure you are complying with GDPR and either have consent or can show "legitimate interests" - if you can't show either of these then you could be in trouble with the ICO.

I wonder if they simply ask for or gain access to all cookies, and analyse them? It can't be too difficult to accumulate a database of those encountered, many of them easily identified from their content.

That's similar to what I was thinking.

Thanks
Dan

In reply to a post by Pheasant:

What’s the name of the company?

I'm hearing these claims via a colleague rather than from horses mouth so I wont say for now but there seems to be quite a few companies offering this type of service it seems.

In reply to a post by pluralist:

I wonder if they simply ask for or gain access to all cookies, and analyse them?

That would be a ridiculous thing for a web browser to permit.

In reply to a post by ian72:

could be using IP addresses owned by their ISP

This is the bit I'm most curious about. If a company visited our website but they are smaller and only had a standard cheap business broadband connection then surely their name is not listed in a publicly accessible database of IPs?

In reply to a post by ian72:

However, be careful using this data for direct marketing as you need to make sure you are complying with GDPR and either have consent or can show "legitimate interests" - if you can't show either of these then you could be in trouble with the ICO.

To be fair I think my company would mostly be using this data for analysis purposes rather than actually making contact with visitors.

Yes, I agree. We do not expect browsers to allow it. That doesn't mean to say the file system is inviolable. Also, it's easy to find in what subdirectory any particular browser stores its cookies.

Edited by pluralist (Thu 10-Jun-21 15:18:13)

Many companies have their own static IP addresses for their Internet connection. A lot of small companies may have this just via their ISP in which case there would be no simple way to link this back (via whois database or indeed cookies) but if they for whatever reason have registered their own static IP address space then this would be available. Potentially if a company was publishing a web server on an ISP supplied static IP then that could be used to link back to the company but the chain of information starts getting more complex.

In reply to a post by ian72:

Many companies have their own static IP addresses for their Internet connection.

I was thinking this research company is going to pick up a lot of "Virgin Media Business" and "BTnet" and the other corporate ISPs. My corporate has just an IP, no DNS name, and the IP resolves back to our network supplier.

Garbage In - Garbage Out. ??

All IP addresses are governed by regional internet registries (RIRs), in Europe it is called RIPE. There's ARIN, APNIC and others too.

RIRs are responsible for issuing IP blocks to organisations, and also AS (Autonomous System) numbers as well. This is a public database, and you can see all of BT's IP blocks here https://bgp.he.net/AS2856#_prefixes for example. This shows RIPE has issued BT with AS# 2856 and all the IP blocks underneath it. Central routers use something called Border Gateway Protocol (BGP), which is a protocol that allows routers to communicate with eachother and update and 'broadcast' routing tables. This is what happens in places like LINX and usually any end point of any network when it meets another one. It's not broadcast to everyone, just those the ISP 'peers' with (ie an approved neighbourly network). And so as your packet hops along the internet it gets transferred between these routers all talking to each other and thus a connection is made. It's how the Internet works.

That data is all gathered by companies like MaxMind (https://www.maxmind.com/en/geoip2-databases), which publish both free and paid databases gathering all this information, plus other sources to be able to tell more information, location being the most valuable, on an IP address. The company you're engaging with is likely using this (or a similar) database.