This should not happen, BUT we have observed a few private IP addresses being used by visitors to our site.

An IP address is considered private if the IP number falls within one of the IP address ranges reserved for private uses by Internet standards groups. The following  private IP address ranges exist:

These private IP addresses are (normally) used on local networks which includes homes, schools business LANs etc.  Devices with private IP addresses cannot (should not be possible to) connect directly to the Internet. Similarly devices outside of the local network cannot (should not be able to) connect directly to a device with a private IP.  Typically access to such devices are brokered by a router or similar device that supports Network Address Translation (NAT).  NAT effectively hides the private IP numbers but can selectively transfer messages to these devices, affording a layer of security to the local network.

Standards groups created the private IP addressing to prevent a shortage of public IP addresses available to Internet service providers and subscribers.

So given that these private IP addresses should not be visible on the Internet, how is it possible therefore for our site to have recorded access from devices with addresses in the 10.x.x.x and 192.168.x.x ranges? 

One can always block these devices from access to web pages by including the private address ranges within ‘blocked’ ranges, using commonly available tools available upon the web, but it still doesn’t explain how there are visible in the first place! If in doubt it is possibly wise to block them as a matter of course for a site on the Internet. Remember if the site is on a ‘local’ LAN that blocking them is not an option.

One wonders if there is a connection with the implementation of IP v6, and whether somehow these address ranges are getting through.  Alternatively perhaps a particular NAT provisioning mechanism is faulty?  Another possibility is that  dubious entities are using them to ‘mask’ their activities.  We are led to the latter possibility since the 10.x.x.x devices were attempting access to our site ‘back end’.

Despite some extensive searching we do not currently know the source of these connections, which raises a few possibly serious security concerns. We will continue our investigations.