
IP, MAC, and Home Security — A Practical Guide

2025-11-04 · Benja

This guide explains what IP and MAC addresses are, how they differ, how they communicate with your router, how IPv4 and IPv6 differ, and why IPv6 was created. It also covers DHCP, NAT, DNS, and the most common vulnerabilities in homes. Finally, you'll see what can be done with a home's public IP address and how to mitigate those risks.

IP, MAC and Home Security: Concepts, Functionality and Vulnerabilities

This article explains what IP and MAC addresses are, their differences, how they interact with the router, the IPv4/IPv6 differences, and why IPv6 was created. It also covers DHCP, NAT, DNS, and the most common home vulnerabilities. Finally, it shows what can be done with a home's public IP and how to mitigate the risks.

Infographic: pentest phases (e.g., pre-engagement, reconnaissance, scanning...). Useful to understand the attack and defense flow.

1) What is an IP address?

An IP address identifies an interface on a network and is used to route packets between devices and networks. There are two main families: IPv4 (e.g. 192.168.1.10) and IPv6 (e.g. 2001:0db8::1).

2) What is a MAC address?

The MAC address (Media Access Control) is a physical identifier assigned to a network interface by the manufacturer. It has a hexadecimal format and operates at the link layer (layer 2). Example: 00:1A:2B:3C:4D:5E.

Key difference: the MAC identifies the physical interface within the same local network. The IP identifies the device in a logical network and is used for routing between networks.

3) How do IP and MAC interact with the router?

  • Within the same LAN: when A wants to send data to B, it uses ARP (Address Resolution Protocol) to resolve the MAC address associated with the destination IP. ARP applies to IPv4 only; IPv6 uses Neighbor Discovery for the same purpose.
  • In routing: IP packets travel at layer 3; each hop uses MAC addresses at layer 2 to deliver the frame to the next router/gateway.
  • The router acts as the gateway. If the destination IP is outside the LAN, the packet is sent to the router, which forwards it toward its destination.
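
The three points above as an added Python example (not part of the original article): it decides whose MAC address host A must resolve and builds the ARP request frame it would broadcast. The addresses, the MAC and the helper names are constructed for illustration.

```python
import ipaddress
import struct

BROADCAST = bytes.fromhex("ffffffffffff")

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def arp_target(iface, gateway, dst_ip):
    """IP the sender must resolve to a MAC: the destination itself when it
    is on the local subnet, otherwise the default gateway (the router)."""
    network = ipaddress.ip_interface(iface).network
    return dst_ip if ipaddress.ip_address(dst_ip) in network else gateway

def build_arp_request(src_mac, src_ip, target_ip):
    """Broadcast Ethernet frame carrying an ARP request (RFC 826 layout)."""
    eth = BROADCAST + mac_bytes(src_mac) + struct.pack("!H", 0x0806)
    # hardware type 1 (Ethernet), protocol 0x0800 (IPv4), lengths 6 and 4, opcode 1
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    arp += mac_bytes(src_mac) + ipaddress.ip_address(src_ip).packed
    arp += bytes(6) + ipaddress.ip_address(target_ip).packed  # target MAC unknown
    return eth + arp

def describe(frame):
    """Decode the fields a packet capture would show for the request."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    opcode, = struct.unpack("!H", frame[20:22])
    return {
        "eth_dst": dst_mac.hex(":"),
        "eth_src": src_mac.hex(":"),
        "ethertype": hex(ethertype),
        "opcode": opcode,
        "sender_ip": str(ipaddress.ip_address(frame[28:32])),
        "who_has": str(ipaddress.ip_address(frame[38:42])),
    }

# Constructed sample values: host A and its router on a /24 home LAN.
IFACE, GATEWAY, MAC_A = "192.168.1.10/24", "192.168.1.1", "00:1a:2b:3c:4d:5e"

def who_has(dst_ip):
    target = arp_target(IFACE, GATEWAY, dst_ip)
    return describe(build_arp_request(MAC_A, "192.168.1.10", target))["who_has"]

if __name__ == "__main__":
    for dst in ("192.168.1.20", "203.0.113.80"):   # LAN peer, Internet host
        print(dst, "-> ARP who-has", who_has(dst))
```

For the Internet destination the IP packet still carries 203.0.113.80 as its destination address; only the frame is addressed to the router's MAC.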

4) IPv4 vs IPv6 and why IPv6 was created

IPv4 uses 32 bits and allows ~4.3 billion addresses. It wasn’t designed for today’s Internet scale. With the massive growth of devices, public addresses ran out.

IPv6 uses 128 bits, vastly increasing the address space and adding improvements: autoconfiguration (SLAAC), better multicast handling, and a simplified header, with options moved to extension headers. IPv6 was created to solve IPv4 exhaustion and enable Internet growth.

Note: full transition takes years. Many networks use dual-stack (IPv4 + IPv6) or translation mechanisms.

5) DHCP (What it is and how it works)

DHCP (Dynamic Host Configuration Protocol) automates IP configuration: IP address, mask, gateway, and DNS. Basic flow:

  1. DHCPDISCOVER: client searches for a DHCP server.
  2. DHCPOFFER: server proposes an IP and parameters.
  3. DHCPREQUEST: client requests the offered configuration.
  4. DHCPACK: server confirms and leases the IP for a period of time.
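
The four-message flow above, as an added Python example (not part of the original article): a parser for the DHCP wire format, run over a constructed exchange. The MAC, transaction ID and addresses are invented, and the router is assumed to be DHCP server, gateway and DNS resolver at once.

```python
import struct
from ipaddress import IPv4Address as addr

BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")  # 236-byte fixed header
COOKIE = bytes.fromhex("63825363")                   # precedes the options
TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK"}
IP_OPTS = {1: "mask", 3: "gateway", 6: "dns", 50: "requested_ip", 54: "server"}

def build(op, xid, mac, msg_type, yiaddr="0.0.0.0", options=()):
    head = BOOTP.pack(op, 1, 6, 0, xid, 0, 0, bytes(4), addr(yiaddr).packed,
                      bytes(4), bytes(4), mac, b"", b"")
    body = bytes([53, 1, msg_type])                  # option 53: message type
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return head + COOKIE + body + b"\xff"

def parse(packet):
    """Decode the fields of a DHCP message that describe the lease."""
    start = BOOTP.size + len(COOKIE)
    if len(packet) < start or packet[BOOTP.size:start] != COOKIE:
        raise ValueError("not a DHCP message")
    fields, opts, i = BOOTP.unpack_from(packet), {}, start
    while i < len(packet) and packet[i] != 255:      # 255 ends the options
        if packet[i] == 0:                           # 0 is one byte of padding
            i += 1
            continue
        if i + 1 >= len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("truncated option")
        opts[packet[i]] = packet[i + 2:i + 2 + packet[i + 1]]
        i += 2 + packet[i + 1]
    if len(opts.get(53, b"")) != 1:
        raise ValueError("missing message type (option 53)")
    out = {"type": TYPES.get(opts[53][0], "other"), "xid": fields[4],
           "mac": fields[11][:fields[2]].hex(":"), "your_ip": str(addr(fields[8]))}
    for code, name in IP_OPTS.items():
        if len(opts.get(code, b"")) >= 4:
            out[name] = str(addr(opts[code][:4]))
    if len(opts.get(51, b"")) == 4:                  # option 51: lease time
        out["lease_seconds"] = struct.unpack("!I", opts[51])[0]
    return out

# Constructed exchange on a 192.168.1.0/24 home network; build() only creates this input.
MAC, XID, ROUTER = bytes.fromhex("001a2b3c4d5e"), 0x1234ABCD, addr("192.168.1.1").packed
LEASE = [(1, addr("255.255.255.0").packed), (3, ROUTER), (6, ROUTER),
         (51, struct.pack("!I", 86400)), (54, ROUTER)]
EXCHANGE = [build(1, XID, MAC, 1),                                  # DISCOVER
            build(2, XID, MAC, 2, "192.168.1.10", LEASE),           # OFFER
            build(1, XID, MAC, 3, options=[(50, addr("192.168.1.10").packed), (54, ROUTER)]),
            build(2, XID, MAC, 5, "192.168.1.10", LEASE)]           # ACK
```

Calling `parse()` on each element of `EXCHANGE` shows the same transaction ID in all four messages, and the gateway and DNS values the client will trust for the length of the lease.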

6) NAT (Network Address Translation)

NAT translates private addresses (e.g. 192.168.x.x) to a single public address. At home, the router’s NAT function allows many devices to share one public IP. Common types: SNAT, DNAT, and PAT (Port Address Translation).
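
How PAT lets several devices share one public IP, as an added Python example (not part of the original article). It is a toy model with invented addresses; it assumes the router accepts replies only from the remote endpoint a LAN host contacted, and real routers differ in how strictly they filter.

```python
import itertools

class PatRouter:
    """Toy model of a home router doing PAT. Assumption: replies are accepted
    only from the remote endpoint the LAN host contacted; real routers vary."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._next_port = itertools.count(first_port)
        self.flows = {}      # (proto, public_port) -> (lan_ip, lan_port, remote_ip, remote_port)
        self.forwards = {}   # (proto, public_port) -> (lan_ip, lan_port)

    def outbound(self, proto, lan_ip, lan_port, remote_ip, remote_port):
        """Rewrite the source of a LAN packet; returns (public_ip, public_port)."""
        flow = (lan_ip, lan_port, remote_ip, remote_port)
        for (p, port), known in self.flows.items():
            if p == proto and known == flow:
                return self.public_ip, port           # existing mapping
        port = next(self._next_port)
        self.flows[(proto, port)] = flow
        return self.public_ip, port

    def add_forward(self, proto, public_port, lan_ip, lan_port):
        """Static mapping, as created by manual port forwarding or by UPnP."""
        self.forwards[(proto, public_port)] = (lan_ip, lan_port)

    def inbound(self, proto, remote_ip, remote_port, public_port):
        """Return the LAN (ip, port) that receives the packet, or None if dropped."""
        if (proto, public_port) in self.forwards:
            return self.forwards[(proto, public_port)]      # open to any remote
        flow = self.flows.get((proto, public_port))
        if flow and flow[2:] == (remote_ip, remote_port):
            return flow[:2]                                 # reply to a LAN request
        return None                                         # unsolicited: dropped

def demo():
    nat = PatRouter("203.0.113.7")   # constructed documentation addresses
    laptop = nat.outbound("tcp", "192.168.1.10", 51000, "198.51.100.5", 443)
    phone = nat.outbound("tcp", "192.168.1.11", 51000, "198.51.100.5", 443)
    reply = nat.inbound("tcp", "198.51.100.5", 443, laptop[1])
    unsolicited = nat.inbound("tcp", "192.0.2.99", 40123, 8080)
    nat.add_forward("tcp", 8080, "192.168.1.50", 80)   # e.g. a device asks via UPnP
    forwarded = nat.inbound("tcp", "192.0.2.99", 40123, 8080)
    return laptop, phone, reply, unsolicited, forwarded

if __name__ == "__main__":
    print(demo())
```

The last two results are the security-relevant part: the same unsolicited packet is dropped before the static mapping exists and delivered to the LAN device after it.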

7) DNS (Domain Name System)

DNS resolves names to IPs. When you type example.com, the resolver queries recursive and authoritative servers until it gets the IP. DNS is essential because it turns human-readable names into machine-usable addresses.

Diagram: corporate network map with attack vectors and mitigations (segmentation, MFA, WAF). Useful to visualize how a local issue can escalate.

8) Common home vulnerabilities

List of frequent weaknesses and why they matter.

  • Weak Wi-Fi password or WEP encryption. Allows easy access to the local network.
  • Outdated router firmware. Risks: backdoors, known exploitable flaws.
  • Insecure IoT devices. Cameras, printers, TVs with default credentials or exposed services.
  • UPnP enabled. May open ports automatically and expose services without control.
  • Exposed services (SSH, RDP) without protection. Weak credentials allow remote access.
  • Phishing and reused credentials. A successful phishing attack can open internal doors.
  • Lack of segmentation. If IoT and PCs share the same VLAN, a compromised IoT device can attack valuable systems.

9) What can someone do with a home’s public IP?

Having the public IP alone isn’t enough to compromise anything. But it enables several actions if other weaknesses exist:

  • Port scanning to detect exposed services (telnet, ssh, rdp, home web servers).
  • Brute-force attacks on services with weak credentials.
  • Exploitation of known vulnerabilities in outdated services.
  • Access to misconfigured devices (e.g., cameras with open admin panels and weak passwords).
  • Data exfiltration if the attacker gains access to a host or NAS on the internal network.
  • DDoS attacks targeting the public IP to make the connection unusable.
  • Reconnaissance/tracking and activity correlation. The public IP reveals the ISP and, roughly, the household connection.

Important: intrusion attempts without authorization are illegal. This information is for defense and awareness only.

10) Practical mitigation measures

  • Change default router credentials. Use long, unique passwords.
  • Update firmware and devices regularly.
  • Disable UPnP if not needed and check open ports on the router.
  • Segment the network: create VLANs or guest networks for IoT.
  • Enable WPA2/WPA3 and strong Wi-Fi passwords.
  • Configure the router to limit remote access and use VPNs for external access.
  • Enable multi-factor authentication (MFA) on supported services.
  • Use secure DNS resolvers (e.g., threat-filtering resolvers) and check logs for suspicious activity.
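
One way to act on "check logs for suspicious activity", as an added Python example (not part of the original article): it flags password brute-forcing against an exposed SSH service. The log lines are constructed; the threshold, the window and a syslog setup that writes ISO 8601 timestamps are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def detect(lines, threshold=5, window=timedelta(minutes=1)):
    """Flag sources with `threshold` failed logins inside `window`, and any
    successful login from a source that was already flagged."""
    recent = defaultdict(deque)   # source IP -> timestamps of recent failures
    flagged, alerts = set(), []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue              # not an sshd password event
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        if m["result"] == "Failed":
            failures = recent[ip]
            failures.append(ts)
            while ts - failures[0] > window:
                failures.popleft()            # forget failures outside the window
            if len(failures) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute-force", ip, m["user"]))
        elif ip in flagged:
            alerts.append(("login-after-brute-force", ip, m["user"]))
    return alerts

# Constructed log lines (host name, users and addresses are invented).
PREFIX = "homeserver sshd[2210]:"
SAMPLE = [
    f"2025-11-04T10:15:{s:02d}+00:00 {PREFIX} Failed password for invalid user "
    f"admin from 203.0.113.45 port {50000 + s} ssh2" for s in range(0, 30, 5)
] + [
    f"2025-11-04T10:15:40+00:00 {PREFIX} Accepted password for pi from 203.0.113.45 port 50040 ssh2",
    f"2025-11-04T10:20:00+00:00 {PREFIX} Failed password for alice from 192.168.1.20 port 40100 ssh2",
    f"2025-11-04T10:20:09+00:00 {PREFIX} Accepted password for alice from 192.168.1.20 port 40100 ssh2",
    f"2025-11-04T10:21:00+00:00 {PREFIX} Connection closed by 192.168.1.20 port 40100",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

A single mistyped password from a LAN host stays below the threshold, while a successful login from a flagged source is reported separately because it is the event that needs immediate follow-up.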

Conclusion

IP and MAC are distinct parts of the network puzzle. DHCP, NAT, and DNS make home connectivity possible. IPv6 was created to overcome IPv4’s limitations. At home, vulnerabilities often stem from poor configuration and outdated devices. With a public IP as a starting point, an attacker can find services and, if flaws exist, escalate to real compromises. Defense is practical: update, segment, harden, and monitor.
