Skip to content

Is 127.0.0.1 the only loopback address?

Short answer

No. The whole 127.0.0.0/8 range is reserved for loopback, so 127.0.0.2, 127.1.1.1, and so on all resolve to the local host. This matters for SSRF and allow-list bypasses — an attacker may use 127.0.0.2 or other encodings to dodge a naive 'block 127.0.0.1' check — and for binding multiple local services. (In IPv6, loopback is the single address ::1.)

Almost everyone types 127.0.0.1 so often that they assume it's the only loopback address. It isn't, and that assumption is exactly the kind of gap that turns a weak SSRF filter into a real vulnerability.

The whole /8 loops back

RFC 1122 reserves the entire 127.0.0.0/8 block — every address from 127.0.0.1 to 127.255.255.254 — for loopback. So 127.0.0.2, 127.1.1.1, and 127.42.42.42 all send traffic right back to the local host without ever touching the wire. The kernel never routes 127.x off the machine. That's roughly 16 million loopback addresses, not one.

Why a pentester cares

This is a staple of SSRF and allow-list bypass work. A naive defense that only blocks the literal string 127.0.0.1 (or localhost) is trivially evaded: an attacker reaches the same local services via 127.0.0.2, or via alternative encodings of 127.0.0.1 — decimal 2130706433, octal 0177.0.0.1, hex 0x7f.0.0.1, the zero-padded form, or even DNS names that resolve to a 127.x address. The correct mitigation resolves the host and checks whether the resolved IP falls inside reserved ranges, not a string match.

Practical uses, too

The wide range is genuinely useful: you can bind many local services to distinct loopback addresses (e.g. 127.0.0.2:80 and 127.0.0.3:80) to avoid port collisions during development.

The IPv6 contrast

IPv6 is stricter: loopback is the single address ::1 (the /128 ::1/128), with no equivalent of the giant 127/8 block. Mentioning this shows breadth.

Why the distractors are tempting

"Every other 127.x is public" and "the rest is multicast" both restate the single-address myth with invented detail. "Loopback is really 0.0.0.0" confuses the unspecified/"all interfaces" address with loopback.

What interviewers want

A clear "no — all of 127.0.0.0/8," and ideally the security punchline: never blocklist a single loopback literal; resolve and range-check instead.

Likely follow-ups

  • Show me three ways to write '127.0.0.1' that defeat a naive string blocklist.
  • Why is blocking just '127.0.0.1' insufficient to stop SSRF to localhost?
  • What is the IPv6 loopback, and how does its size compare to 127.0.0.0/8?

Sources

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.