Static IP vs Dynamic: Best security for family.

I know static is favourable and often seen as a premium feature, but I have some concerns over being allocated a static IP address if I move to my chosen ISP.

I'm hoping it's my limited knowledge that leads to my concerns.

Currently, as far as I know, our IP is dynamic and changes every now and again and this seems like a good idea. When my teenage children go online the IP address isn't always the same as it was a while back and the same goes for when my wife or I use the internet.

I use the connection for VOIP and do some work from home inc ftp uploads, my wife also works from home at times and uses remote access.

Another concern is the static IP remaining the same for years. So when sites get hacked, and usernames and passwords distributed such as collection#1 and exploit (both of which one of my old email addresses appeared) then I assume the IP could also be included in the data. With a static IP, this IP could be used to search for other matches, effectively patching together pieces of personal data to fill in the blanks or passwords from data linked to the static IP. Although I am very secure with details and passwords, the rest of the family is not.

I want to move to the ISP, so can anyone assure me I am entirely wrong and a static IP poses no risk to security or my children being targeted somehow from the persistent static IP address?

I think you are right, a static IP isn't as good for privacy as a dynamic one.

I have a static IP myself and am aware of possible issues.
A VPN is one way to avoid privacy problems, but not ideal.

Website owners that monitor things can easier identify visitors who have a static IP.
I also notice that my IP has been mapped by (some not all) geo location companies to my location which I'm not happy with.

I'll be interested in people's responses in case others have some good tips...

If a static IP address is to be considered not good for privacy, then so must dynamic IP addresses since these often remain the same for a number of days which if you have someone profiling you is enough to figure things out.

If someone is hacking you, then static or dynamic makes no difference, since they probably have something that calls home and tells them your IP address i.e. malware

The question is less about static versus dynamic, but how to protect and use the Internet leaving minimal footprint.

I'm not sure I agree with that...

Days (or each time your router connects) against 'forever' is slightly different!

A static IP address comes with a (very minor) privacy concern. In theory it allows sites to track your family around the internet. In practice that's not how anyone does that because it has too many flaws (principally that multiple people are sharing the address, some devices can be used away from your LAN and people often use computers at different locations (eg; home and work)). If someone wants to track you around the internet they'll use cookies or attempt to install malware onto your device(s). Tracking someone by IP address is, frankly, dumb.

As far as security is concerned there are far more important things to worry about and probably no significant impact anyway. Attackers don't target IP addresses unless the attack is personal or professional (eg;attacking a company or government institution). And anyway dynamic addresses don't change very often - sometimes only two or three times a year.

The only real issue with a static IP address is that some sites ban users based on IP address so you might find that one member of your household being naughty means that you all lose access to a site. That's pretty unusual though and frankly if any member of your household triggers that kind of response you should sort them out before worrying about your IP address.

But if you don't run a home server you don't need a static IP address so you might as well not bother with it. Most ISPs charge extra for them anyway.

Edited by Andrue (Tue 12-Mar-19 20:18:42)

In reply to a post by Andrue:

But if you don't run a home server you don't need a static IP address so you might as well not bother with it. Most ISPs charge extra for them anyway.

Zen connections come as standard with a static IP address at no charge - even on a one month contract.

You're right about cookies being the tracking method of choice though - which is why I block all cookies by default and only enable them on sites that actually need them to function

Device profiling is also used effectively for profiling users - for a while now since it got better and people block cookies. IPs can be so transient on mobile devices hopping on and off different providers.

Static IPs are useful for web, ftp, or other type of hosting roles since they are consistently reachable through a particular IP address. But this is also one of the reasons why web, ftp, and other hosts are vulnerable to attack--because they are consistently reachable. A dynamic IP does offer some protection when the IP changes since an attacker can no longer reach their target.

But this being said, most attacks these days are designed to compromise equipment so that the equipment will 'phone home' to the attacker--and this works with either static or dynamic IPs.

My rule of thumb is to only have a static if I absolutely need it. Otherwise, I even use dynamic IPs for ipsec vpn tunnels.

Hi

Static or dynamic doesn't matter, with dynamic IPs often sticking for days and days, some people have reported their dynamic IP never changing.

If you are using the Internet you need to accept you have no or little privacy, but that is how life is these days. I bet you go shopping using the same debit/credit card, get you groceries using your loyalty card etc, what do you think is happening with that information?

The ISP is already logging what websites you visit and they don't lose track of you if your IP address changes.

To stop your family being at risk from unsavoury people on the net has to start inside your own home with education and supervision.

Regards

Phil

Thanks for all the replies,

Some great answers and debate giving me extra information to consider.

If you are on dynamic IP how do you know what the previous user of the IP was up to? You may get attacked because of that. At least with a fixed IP you know the history. My opinion is that a dynamic IP gives a false sense of security.

The main reason I paid PlusNet £5 for a static IP address was to use the BQM to monitor my internet quality and latency - the benefit more than outweighs any increased security risk for me.

I have a number of static IPs, and a number of dynamic IPs. I have a quality firewall, and log port probes and exploit attempts. There is no difference between the static and dynamic addresses - both are targeted.
Get a good router/firewall, close all unnecessary ports, and use OpenDNS or similar that allow you to block accidental accesses to known bad sites.
Assuming a dynamic IP address is safer is no better than wearing a tin-foil hat.

In reply to a post by sheephouse:

I have a number of static IPs, and a number of dynamic IPs. I have a quality firewall, and log port probes and exploit attempts. There is no difference between the static and dynamic addresses - both are targeted.

What can open a static IP address to more attacks is if it's known to be hosting publicly visible services such as email and web servers. Once a service has been identified at a particular IP address, service specific attacks will be launched against that service. That's why it's good practice to implement an intrusion prevention system on servers running these services.

A frequently changing dynamic IP address hosting externally visible services and which uses a dynamic DNS service can also be subject to increased attack if the dynamic DNS hostname is known to the attacker.

In reply to a post by sheephouse:

I have a number of static IPs, and a number of dynamic IPs. I have a quality firewall, and log port probes and exploit attempts. There is no difference between the static and dynamic addresses - both are targeted.
Get a good router/firewall, close all unnecessary ports, and use OpenDNS or similar that allow you to block accidental accesses to known bad sites.
Assuming a dynamic IP address is safer is no better than wearing a tin-foil hat.

In fact dynamic IP addresses are more prone to problems as the person who had it last could have been infected with malware, a spammer, or otherwise under attack for some reason. Which means you will find yourself randomly blocked from some services or suffering a DoS.

With a static IP address you can build a level of trust in that IP address so that you never suffer these issues or can request reevaluation if you do.

So ultimately I would argue the benefits of a static IP far outweigh the drawbacks.

Dynamic IPs aren't always so "dynamic". I've been with Virgin since 2012, with a dynamic IP that has changed ONCE in that 6 year period, even after periods of the router being turned off, or faults that caused/required disconnections. If your connection is stable, don't take it on gospel that your IP will change every time you personally disconnect/reconnect or if a fault or other action causes a disconnection/reconnection of your broadband.

In reply to a post by brookheather:

The main reason I paid PlusNet £5 for a static IP address was to use the BQM to monitor my internet quality and latency - the benefit more than outweighs any increased security risk for me.

For those in a similar position, the BQM has supported hostnames for a while now so a dynamic IP with a dynamic DNS service would mean paying for a static from any provider shouldn't really be needed any longer [for BQM].

Matt