Spam Web Address Has Me Confused!

[Noise]

Warning - The Link Below is NSFW!

It's the old goatse.cx web page. I'm sure most of you have seen this, but that doesn't make it less disgusting.

I've had users who have been tricked in to clicking the following URL:

http://1096965168/

It's doesn't look like a valid link, and indeed it shouldn't be. But the link works! WHY? And how do I disable url's like this from getting resolved?

As an experiment I tried pinging the "address" and it resolved!

ping 1096965168
Pinging 65.98.92.48 with 32 bytes of data:
Reply from 65.98.92.48: bytes=32 time=113ms TTL=51
Reply from 65.98.92.48: bytes=32 time=112ms TTL=51
Reply from 65.98.92.48: bytes=32 time=112ms TTL=51
Reply from 65.98.92.48: bytes=32 time=112ms TTL=51
Ping statistics for 65.98.92.48:
	Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
	Minimum = 112ms, Maximum = 113ms, Average = 112ms

I've never seen anything like this before, I'm at a loss as to why this "address" is resolving. It's not a valid DNS name or a valid IP Address. It just doesn't make sense. This was tested on Windows XP using Firefox 3.

[CoffeeFiend]

I'm at a loss as to why this "address" is resolving. It's not a valid DNS name or a valid IP Address

It's a perfectly fine IP address. IPv4 addresses are a 32 bit number, it just happens you're used to the "easier to read" way of displaying it, split in 4 bytes with dots between them, but that's just a representation of it.

You can convert it back easily:

If you take the offending IP: 65.98.92.48 (most significant byte at the left to least significant byte to the right)

65 * 2^24 + 98 * 2^16 + 92 * 2^8 + 48 = 1096965168

Or if you find that easier:

take 65 * 256, we got 16640;

add 98 multiply by 256 again, we got 4284928;

add 92, multiply by 256 again, we got 1096965120;

add 48, and we have 1096965168 again.

A lot of programs accept IPs entered in both forms. For example, http://1089055075/ will bring you straight to Google (everybody has that number memorized, right?)

[Noise]

Thanks for that excellent explanation carhak!

But you got to be kidding me! What possible use can this be except for people in the black-hat community?

Does anyone know if this can be disabled via group policies or registry settings in Windows XP/Vista?

[CoffeeFiend]

Possible use? Well, same as entering the IP in the other format... It's just an alternate way to represent an IP. It's not frequently used by most people though, as it's easier to remember IPs ranges for various networks with separated bytes (e.g. a /24 starting at 192.168.1.0 instead of starting at 3232235776...) You now also have IPv6 equivalent addresses too, assuming your network supports it (very few ISPs support that right now, most people resort to using tunnels for this)

As for disabling it, there is no way that I know of (just like you can't disable the notation with 4 bytes and dots).