tdurd
Anon
2011-Mar-30 6:48 pm
Why is my first hop to a DoD assigned IP address?
Sorry for the embellished title. I wasn't sure what to use.
Today, while I was troubleshooting a remote assistance connection issues with someone I know, I noticed the first hop in a tracert is to the 7.0.0.0/8 network (DoD DNIC). The second is to the 69.63.240.0/20 network (Rogers). Does anyone know what the deal is with Rogers Canada's network design?
The person I was helping has a SMC8014WG network device supplied by Rogers. The SMC device has a LAN IP of 192.168.0.1. The SMC device also listed a WAN IP and WAN Gateway address, but I didn't write them down (66.x.x.x IIRC).
As far as tracert is concerned, their LAN gateway (192.168.0.1), the WAN IP and the WAN Gateway on the SMC device are all one hop from their computer. None of them show up in a normal tracert (ex: tracert google.ca).
It acts as if their machine is connected via VPN to, and routing all traffic via, the 7.0.0.0/8 network, but, AFAIK, it's not. Unfortunately, I didn't think to look at the routing table since they wanted help with something that wasn't network related and I didn't want to waste their time.
They had a virtual network adapter that was somehow related to IPV6 (disappeared when IPV6 was disabled) and looked like it was installed against their WiFi adapter. IIRC it was named Teredo Tunneling Pseudo Interface. Windows remote assistance complained about not having a public IPV4 address until they disabled their WiFi adapter. Their WiFi NIC and wired NIC were both connected to the same LAN, so it doesn't make sense that disabling their WiFi NIC would change anything significant, does it?
I haven't looked at IPV6 at all and am not familiar with how it would get integrated with an IPV4 network. Does Rogers have some kind of hybrid IPV4 / IPV6 network that would make things look weird to someone who is only used to IPV4?
Also, why would an IP address from an IP block that is assigned to the DoD show up anywhere in Rogers' network design?
I'm five nines sure this person is not a spy.
Nap
Anon
2011-Mar-30 7:16 pm
Check this other thread, you're not alone: » [Extreme Plus] Frequent, intermittent disconnections in Toronto
Nap.
P.S. Maybe DOD is spying on your friend, not the other way round? Just kidding. Take care. Lol.
bigggbrutha to tdurd
Anon
2011-Mar-30 7:30 pm
» www.google.com/webhp#scl ··· 0f8b4ab9
Lots of speculative information on Google. Lots of people noticing DoD port scans after leaving political comments to certain sites. Firewalls are your friend. Disabling the back door to a ISP supplied router/modem is good to do. Either someone is spoofing DoD's IP range or there is a little black box at the ISP, recording all the traffic on that connection. I've said too much. Keep safe Citizen.
sbrook Mod join:2001-12-14 Ottawa
to tdurd
This is far more likely to be some mistake by a network engineer who put an ip of 7.4.16.1 instead of 10.4.16.1 onto that CMTS router.
Normally on Rogers, the first hop (after any router(s) you have) is the CMTS and that's assigned a 10.*.*.* non-routable address.
Somebody should be dragged over the coals for this one. Your first hop wouldn't be outside Rogers network. So, conspiracy theorists ... take your tinfoil hats off ... this is just plain stupidity.
tdurd
Anon
2011-Mar-30 8:43 pm
Yeah. The 10 and the 7 are like right next to each other on the keyboard. In this case, neither the LAN gateway nor the WAN gateway showed up in a tracert. It behaved exactly as if the machine were part of a VPN with an alternate default route that funneled all traffic over the VPN gateway. The weird IP was quite literally hop #1. If traffic were hitting the LAN gateway, then a weird IP, then a Rogers IP, I'd chalk it up to a typo. As far as IPV4 networking goes, it sure looked like traffic from their machine was being passed over an alternate route. I'm not a tinfoil hat conspiracy theorist and I should be able to get another look at their machine later tonight. I'll have a look at their routing table(s) and see what the deal is. I mainly wanted to know if Rogers has some wonky VPN(ish) setup for their home broadband subscribers.
tdurd to sbrook
Anon
2011-Mar-30 8:57 pm
I probably should have been more clear that I don't think it's likely someone is spying on my friend. If their machine were connected to an alternate network via VPN and having traffic routed via the VPN gateway, the first hop off the network would show as the internal IP of the VPN gateway, not an external, world routable IP. A VPN like setup is, AFAIK, the only way your first hop can be anything other than your LAN gateway IP. In the case of a VPN, there would have to be some kind of virtual NIC in use. There wasn't. It might be possible for someone to be bridged onto your LAN (via the gateway device). Then it would be possible to change the routing table on network connected devices (aka your computer) and route traffic via a different gateway. However, if anyone had the means to get bridged onto your LAN via the gateway device, they wouldn't need to screw around with stupid tricks since they could divert your traffic from a point that would make it impossible for you to detect. The only way someone could be spying on my friend would be if they had physical access to the house and were able to bridge onto the LAN + change the routing table on their PC. And that's just a little too tinfoil hatty for me.
Nap
Anon
2011-Mar-30 9:56 pm
said by tdurd: I probably should have been more clear that I don't think it's likely someone is spying on my friend.
So the DoD squad is at your house and kindly asked you to post a "forget it guys it was just a joke" message? Let's thicken the plot. Any Samsung laptop near you? » yro.slashdot.org/story/1 ··· -Laptops
There's someone at my door, I'll be back in a minute.... Nap.
kliles join:2007-06-26 Mississauga, ON
kliles
Member
2011-Mar-31 11:22 am
said by Nap:
said by tdurd: I probably should have been more clear that I don't think it's likely someone is spying on my friend.
So the DoD squad is at your house and kindly asked you to post a "forget it guys it was just a joke" message? Let's thicken the plot. Any Samsung laptop near you? » yro.slashdot.org/story/1 ··· -Laptops
There's someone at my door, I'll be back in a minute.... Nap.
The Samsung laptop key logger was a false positive from the AV software the "researcher" was using... see: Samsung Laptops do not have a keylogger (and it was our fault): » sunbeltblog.blogspot.com ··· ger.html
tdurd to tdurd
Anon
2011-Mar-31 6:31 pm
Ok. I got another look at this machine and it defies my understanding of networking. Hopefully someone here knows more than me. I'll post the info I think is important below. I've obfuscated the first couple hops of the tracerts and WAN IPs, but kept all IPs in the same CIDR range (as listed by ARIN).
NIC Info: A single, wired NIC. Everything else disabled.
NIC Settings: IPV6 is disabled.
NIC IPV4 Settings: DHCP
Network info: LAN IP: 192.168.0.10
LAN GW: 192.168.0.1
WAN IP: 99.224.0.1
WAN GW: 99.224.0.2
WHATS MY IP: 99.224.0.1
ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : User-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : phub.net.cable.rogers.com
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : phub.net.cable.rogers.com
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : [removed]
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.0.10(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : [removed]
Lease Expires . . . . . . . . . . : [removed]
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.phub.net.cable.rogers.com:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : phub.net.cable.rogers.com
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : [removed]
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : [removed]
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : [removed] (Preferred)
Link-local IPv6 Address . . . . . : [removed] (Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled
route print
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.10 20
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.0.0 255.255.255.0 On-link 192.168.0.10 276
192.168.0.10 255.255.255.255 On-link 192.168.0.10 276
192.168.0.255 255.255.255.255 On-link 192.168.0.10 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.0.10 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.0.10 276
===========================================================================
Persistent Routes:
None
tracert google.ca
Tracing route to google.ca [74.125.225.20]
over a maximum of 30 hops:
1 8 ms 11 ms 7 ms 7.0.0.1
2 8 ms 13 ms 9 ms 69.63.240.1
3 10 ms 12 ms 9 ms 69.63.240.2
4 27 ms 26 ms 31 ms 69.63.240.3
5 26 ms 27 ms 40 ms 74.125.49.229
6 27 ms 35 ms 27 ms 72.14.238.232
7 62 ms 50 ms 41 ms 216.239.46.217
8 54 ms 42 ms 44 ms 64.233.174.173
9 41 ms 41 ms 42 ms 74.125.225.20
Trace complete.
tracert facebook.com
Tracing route to facebook.com [69.63.189.16]
over a maximum of 30 hops:
1 131 ms 21 ms 7 ms 7.0.0.1
2 20 ms 9 ms 7 ms 69.63.240.1
3 11 ms 12 ms 10 ms 69.63.240.2
4 28 ms 26 ms 48 ms 69.63.240.3
5 25 ms 27 ms 26 ms xe-1-1-0.br01.lga1.tfbnw.net [198.32.118.27]
6 28 ms 28 ms 52 ms xe-4-3-0.bb01.iad1.tfbnw.net [204.15.20.128]
7 30 ms 28 ms 28 ms ae1.dr03.ash2.tfbnw.net [204.15.21.95]
8 28 ms 28 ms 28 ms po1016.csw01b.ash2.tfbnw.net [74.119.76.117]
9 29 ms 28 ms 28 ms www-11-01-ash2.facebook.com [69.63.189.16]
Trace complete.
Why aren't the first two hops 192.168.0.1 and 99.224.0.2 ?
sbrook Mod join:2001-12-14 Ottawa
sbrook
Mod
2011-Mar-31 7:49 pm
Good question as to why the first hop isn't 192.168.0.1 BUT that said, some routers don't actually report themselves in a tracert.
The next hop should be the CMTS (aka the UBR). The CMTS has two IP addresses ... a routable address that is the default gateway address, and a non-routable address that is used internally within Rogers network to access the CMTS and your modem.
So, in fact 7.0.0.1 and 99.224.0.2 are probably one and the same.
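The troubleshooting step tdurd did by hand (compare hop 1 of a tracert against the default gateway from route print, then ask what kind of address each hop is) can be scripted. The block below is an added example written for this thread, not code from any of the posters: it parses the two tracert outputs pasted above (the poster's own obfuscated addresses, with one constructed "Request timed out." line added to show that case), flags that hop 1 is not the configured gateway, and labels each hop. Note that Python's ipaddress module does not consider 7.0.0.0/8 or 25.0.0.0/8 private; the "used internally" labels for those two blocks are taken from this thread's explanation, not from any registry or routing lookup.

```python
"""Tracert sanity check (added example, not from the thread's posters)."""
import ipaddress
import re

DEFAULT_GATEWAY = "192.168.0.1"   # the 0.0.0.0/0 entry in the poster's "route print"

# Copied from the poster's tracert google.ca output (addresses as obfuscated by the poster).
TRACERT_GOOGLE = """\
Tracing route to google.ca [74.125.225.20]
over a maximum of 30 hops:
  1     8 ms    11 ms     7 ms  7.0.0.1
  2     8 ms    13 ms     9 ms  69.63.240.1
  3    10 ms    12 ms     9 ms  69.63.240.2
  4    27 ms    26 ms    31 ms  69.63.240.3
  5    26 ms    27 ms    40 ms  74.125.49.229
  6    27 ms    35 ms    27 ms  72.14.238.232
  7    62 ms    50 ms    41 ms  216.239.46.217
  8    54 ms    42 ms    44 ms  64.233.174.173
  9    41 ms    41 ms    42 ms  74.125.225.20
Trace complete.
"""

# Trimmed from the poster's tracert facebook.com output; hop 3 is a CONSTRUCTED timeout
# line (not in the original) so the parser's handling of "*" hops is exercised.
TRACERT_FACEBOOK = """\
Tracing route to facebook.com [69.63.189.16]
over a maximum of 30 hops:
  1   131 ms    21 ms     7 ms  7.0.0.1
  2    20 ms     9 ms     7 ms  69.63.240.1
  3     *        *        *     Request timed out.
  5    25 ms    27 ms    26 ms  xe-1-1-0.br01.lga1.tfbnw.net [198.32.118.27]
  9    29 ms    28 ms    28 ms  www-11-01-ash2.facebook.com [69.63.189.16]
Trace complete.
"""

# Blocks that are allocated to a registrant but, according to this thread, are used by
# the ISP as walled-off internal space. Labels come from the thread, not from a lookup.
CARRIER_INTERNAL = {
    ipaddress.ip_network("7.0.0.0/8"): "allocated to US DoD NIC, used internally by the ISP (per thread)",
    ipaddress.ip_network("25.0.0.0/8"): "allocated to UK MoD, used internally by the ISP (per thread)",
}

HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*\S)\s*$")   # hop number, then the rest of the line


def parse_tracert(text):
    """Return [(hop_number, IPv4Address or None)] in order; None means no reply."""
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:                      # banner, "over a maximum of", "Trace complete."
            continue
        last = m.group(2).split()[-1].strip("[]")   # "host [ip]" form: take the ip
        try:
            addr = ipaddress.ip_address(last)
        except ValueError:             # "Request timed out." and similar
            addr = None
        hops.append((int(m.group(1)), addr))
    return hops


def classify(addr):
    """Label an address the way a troubleshooter reads it; accepts str or IPv4Address."""
    addr = ipaddress.ip_address(addr)
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    if addr.is_private:
        return "private (RFC 1918 or other reserved range)"
    for net, label in CARRIER_INTERNAL.items():
        if addr in net:
            return label
    return "public"


def first_hop_check(hops, gateway=DEFAULT_GATEWAY):
    """(matches_gateway, first_hop_as_str). A mismatch with no VPN or extra routes present
    usually means the LAN router does not answer tracert itself, so hop 1 is the next
    router upstream, which is what sbrook describes for the CMTS."""
    if not hops or hops[0][1] is None:
        return False, None
    first = hops[0][1]
    return first == ipaddress.ip_address(gateway), str(first)


def report(text, gateway=DEFAULT_GATEWAY):
    """Human-readable lines for one tracert dump."""
    hops = parse_tracert(text)
    ok, first = first_hop_check(hops, gateway)
    lines = [f"hop 1 {'matches' if ok else 'does NOT match'} default gateway {gateway} (saw {first})"]
    for n, addr in hops:
        lines.append(f"{n:2d} {str(addr) if addr else '*':>15}  {classify(addr) if addr else 'no reply'}")
    return lines


if __name__ == "__main__":
    for dump in (TRACERT_GOOGLE, TRACERT_FACEBOOK):
        print("\n".join(report(dump)), end="\n\n")
```

Run it against a fresh tracert and route print from the affected machine; a hop 1 that is neither the default gateway nor a private address, combined with a clean route table like the one the poster pasted, points at an upstream device answering in the router's place rather than at a diverted route on the host.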
pwnage Powdered Toast Man Premium Member join:2004-03-20 ComeByChance
to tdurd
Rogers is converting all 10. IPs to 7.
sbrook Mod join:2001-12-14 Ottawa 1 edit
sbrook
Mod
2011-Mar-31 8:59 pm
Unless they've been added to the non-routable address list, somebody should slap them over the knuckles!
It appears that 7.0.0.0/16 has not actually been allocated although it's IANA reserved.
But unless Rogers is firewalling 7.0.0.0/16 it could cause some interesting messes.
tdurd to sbrook
Anon
2011-Mar-31 10:49 pm
sbrook: That is exactly what it is. I didn't realize there was more than one IP aliased to that particular interface. So, to recap:
- the LAN gateway doesn't report itself in a tracert
- the WAN gateway gets misreported with an internal (Rogers) IP in the 7.0.0.0/8 range
I can confirm that you are correct with near certainty. Although I can't ping 7.0.0.1, I can ping 99.224.0.2. The latency is basically an exact match to what I'm seeing using tracert (usually ~8ms, yet inconsistent into the 125ms+ range). I'm satisfied they're the same physical interface.
It would also explain why the guy in that other thread was seeing a 7.0.0.0/8 IP as his second hop.
Now for the million dollar question. How does a Canadian communications company like Rogers build an internal management network using the public IP space allocated to the US DoD without anyone in the company raising an objection? There are more WTFs with that idea than you can shake a stick at.
For the record, the IP I was seeing was not even close to the one in that other thread, but still on the 7.0.0.0/8 network which is why I'm assuming Rogers uses 7.0.0.0/8 for more than the odd typo.
tdurd to pwnage
Anon
2011-Mar-31 10:49 pm
said by pwnage: Rogers is converting all 10. IPs to 7.
Are they mad?
said by sbrook: It appears that 7.0.0.0/16 has not actually been allocated although it's IANA reserved.
Am I looking in the wrong place? » whois.arin.net/rest/net/ ··· -0-1/pft
sbrook Mod join:2001-12-14 Ottawa
Well, I've found out a bit more ...
Parts of that 7.*.*.* are non-routed (note not non-routable!) DoD keep them reserved behind their firewalls, so they aren't really in the "publicly addressable" IP address space. You can't get a routing to DoD machines in that address space.
Rumour has it that Rogers ran out of non-routable IP address space! Rogers (unlike the American ISPs) runs a unified network rather than a geographically segregated network, which means that each non-routable IP address is unique in its entire geography, so they can run out!
Rumour also has it that they went to IANA and DoD and got permission to use the non-routed parts of the 7.* address space if it's not routed out of Rogers networks.
Sketchy, but until IPv6 comes along, all kinds of bandaid solutions are coming along to problems like this.
JAC70 join:2008-10-20 canada
JAC70
Member
2011-Apr-1 9:21 am
Heheh...the poll starts now as to how long it takes Rogers to screw this up and break the internet.
tdurd to sbrook
Anon
2011-Apr-1 2:32 pm
said by sbrook: Rumour also has it that they went to IANA and DoD and got permission to use the non-routed parts of the 7.* address space if it's not routed out of Rogers networks.
That's like borrowing a stranger's video camera to film yourself banging a hooker. There are plenty of things that can go wrong with a plan like that. What happens when something goes wrong and information starts leaking off the network? It gets routed straight to the US DoD.
said by sbrook: Sketchy but until IP V6 comes along, all kinds of bandaid solutions are coming along to problems like this.
If Comcast is down in the US, standing on a street corner and begging for spare IPV4 addresses for an internal network, I'll be very surprised if consumers see IPV6 in the next decade.
sbrook Mod join:2001-12-14 Ottawa
to tdurd
I tend to agree. Probably what's happened is all the wireless devices have been put on NAT to local addresses so as to avoid the IPV4 crunch ... and hey presto they hit the nonroutable crunch instead!!!
tdurd to tdurd
Anon
2011-Apr-1 2:46 pm
*Rogers, not Comcast. Sorry.
elwoodblues Elwood Blues Premium Member join:2006-08-30 Somewhere in
to tdurd
It gets better, my iPhone has a 25.x IP, which is odd, since the last time I jailbroke the phone it had a NATted address.
Anyways, curiosity gets the best of me and I found out the 25.x IPspace belongs to the UK Ministry of Defence.
What's even odder, is I went to Speedtest.net on my phone is shows the 25.x IP as an internal IP, yet it shows a 74.198.x.x IP as the external IP.
OK, dumb question: why would they use a routable address for an internal one, and then NAT it?
resa1983 Premium Member join:2008-03-10 North York, ON
resa1983
Premium Member
2011-Apr-14 11:10 am
said by elwoodblues: OK dumb question, why would they use a routable address for an internal one, and then NAT it.
This is Rogers... Need you really ask? The company that released an update for their DPI systems without fully reading it, and without testing it, resulting in a user's entire connection being throttled while p2p is active.. The company that has their employees blatantly lie to customers.. Come on now. :P I really wonder at their network personnel.. They can't be this inept, can they?
sbrook Mod join:2001-12-14 Ottawa
to elwoodblues
Probably because 25.*.*.* is not actually routed outside of Rogers. It's probably the same deal as the 7.*.*.* and is only being used within Rogers network.
I suspect you'll find that there are no hosts on the CIDRs that Rogers is using visible from the public ethernet anyway.
So in fact the 25.* is also a NATted address.
Again because Rogers has run out of internal addresses because its network is not segmented like the US carriers.
sbrook
to tdurd
Now now resa! This actually makes sense, although it shows poor planning on Rogers' part (or a hope that they'd make IP6 happen a lot sooner!) and the use of walled IP addresses is certainly strange!
In this case the external address is the address of the NATting router, and your internal address is the address that NATting router is sending packets to ... i.e. you. So, it makes perfect sense. Of course, the hitch is that NAT really can upset "connectionless" protocols. TCP/IP will create a "connection" ... i.e. a protocol specific link that is created when the connection is initiated and destroyed when cleared down. On the other hand, UDP does not ... it happens by a stream of packets sent to the other end. In general on the internet, connectionless protocols are usually preceded by a "connection" protocol exchange, which is used to establish the NAT router link to the destination.
And as for why a CMTS has an internal and external IP address, this is because the users on a single CMTS segment can be on multiple subnets, so by using the internal addresses they escape this problem.
If you traceroute to the CMTS, its public IP address will reply.
If you traceroute through the CMTS, its private IP address will reply.
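sbrook's point that NAT creates per-connection state, that TCP's handshake and teardown give the NAT router clear start and end signals while UDP does not, and that an unsolicited inbound packet has no mapping to land on, can be shown with a small state table. The block below is an added example written for this thread, not code from any poster or from Rogers' equipment. It is a toy model, not a real NAT implementation: the inside address in the 25.0.0.0/8 space and the 74.198.0.1 public address are constructed to match what elwoodblues reported seeing, the timeout values are made up, and a single FIN or RST is treated as closing a TCP mapping (real NATs track both directions' FINs and several timers).

```python
"""Toy NAT translation table (added example, not from the thread's posters)."""
from dataclasses import dataclass

PUBLIC_IP = "74.198.0.1"     # constructed: the NATting router's external address
UDP_IDLE_TIMEOUT = 30.0      # seconds; constructed value, UDP has no teardown so idle time is all we have
TCP_IDLE_TIMEOUT = 7440.0    # seconds; constructed value, established TCP is kept much longer


@dataclass(frozen=True)
class Packet:
    proto: str                         # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset = frozenset()     # TCP flags that matter here: "fin", "rst"


class NatTable:
    """Port-translating NAT: one public port per (proto, inside ip, inside port)."""

    def __init__(self, public_ip=PUBLIC_IP, first_port=10000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}   # (proto, in_ip, in_port) -> public_port
        self.inbound = {}    # (proto, public_port)    -> (in_ip, in_port, last_seen)

    def _expire(self, now):
        """Drop mappings that have been idle longer than their protocol allows."""
        for (proto, port), (in_ip, in_port, last) in list(self.inbound.items()):
            limit = UDP_IDLE_TIMEOUT if proto == "udp" else TCP_IDLE_TIMEOUT
            if now - last > limit:
                self._close((proto, in_ip, in_port), port)

    def _close(self, out_key, port):
        self.outbound.pop(out_key, None)
        self.inbound.pop((out_key[0], port), None)

    def translate_out(self, pkt, now):
        """Inside -> outside: create or refresh the mapping, return the rewritten packet."""
        self._expire(now)
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        port = self.outbound.get(key)
        if port is None:                       # first packet of this flow: allocate a public port
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
        self.inbound[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port, now)
        out = Packet(pkt.proto, self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.flags)
        if pkt.proto == "tcp" and pkt.flags & {"fin", "rst"}:   # simplified teardown
            self._close(key, port)
        return out

    def translate_in(self, pkt, now):
        """Outside -> inside: rewrite to the inside host, or None if no mapping exists (dropped)."""
        self._expire(now)
        entry = self.inbound.get((pkt.proto, pkt.dst_port))
        if entry is None or pkt.dst_ip != self.public_ip:
            return None
        in_ip, in_port, _ = entry
        self.inbound[(pkt.proto, pkt.dst_port)] = (in_ip, in_port, now)   # refresh idle timer
        if pkt.proto == "tcp" and pkt.flags & {"fin", "rst"}:
            self._close((pkt.proto, in_ip, in_port), pkt.dst_port)
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, in_ip, in_port, pkt.flags)


def scenario():
    """Walk through the cases discussed in the thread and return what each side observes."""
    nat = NatTable()
    phone = "25.10.20.30"                      # constructed inside address in the 25.0.0.0/8 space
    query = Packet("udp", phone, 40000, "8.8.8.8", 53)
    out = nat.translate_out(query, now=0.0)    # outbound UDP opens the mapping
    reply = Packet("udp", "8.8.8.8", 53, PUBLIC_IP, out.src_port)
    back = nat.translate_in(reply, now=1.0)    # matching reply gets through
    stray = nat.translate_in(Packet("udp", "203.0.113.9", 5060, PUBLIC_IP, 5060), now=1.0)
    late = nat.translate_in(reply, now=1.0 + UDP_IDLE_TIMEOUT + 1)   # mapping has expired
    syn = Packet("tcp", phone, 50000, "69.63.189.16", 443)
    tcp_out = nat.translate_out(syn, now=2.0)
    fin = Packet("tcp", phone, 50000, "69.63.189.16", 443, frozenset({"fin"}))
    nat.translate_out(fin, now=3.0)
    after_fin = nat.translate_in(Packet("tcp", "69.63.189.16", 443, PUBLIC_IP, tcp_out.src_port), now=4.0)
    return {
        "public_port": out.src_port,
        "reply_delivered_to": (back.dst_ip, back.dst_port) if back else None,
        "unsolicited_dropped": stray is None,
        "late_reply_dropped": late is None,
        "tcp_closed_after_fin": after_fin is None,
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The "connection protocol exchange" sbrook mentions is the outbound packet that creates the mapping: without it, the inside host on a 25.x or 7.x address is unreachable from outside, which is also why no host in those ranges is visible from the internet even though the ranges are not RFC 1918 space.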
sbrook Mod join:2001-12-14 Ottawa
to tdurd
No, you're not going to a military agency. Rogers has just received permission to use these IP addresses as long as they are firewalled as "internal IP addresses" ... since no address in the 7.* range or 25.* range that Rogers is using is routable to from the internet.
Your draining battery and poor performance are far more likely to be poor signal than anything else.
Even for my old generic phone, where I live in a cell phone near dead spot (1 bar!), I'll kill a phone battery overnight. On the other hand, if I take it away with me to a 3 or more bar area, it lasts days. It gets hot because it's having to transmit a lot of power to stay in touch with the nearest tower because the signal strengths are marginal.
You can be sure that if MOD (UK) or US military or police or gov't wanted to track internet services, they sure as hell wouldn't let a visible IP address show in the tracert!
elwoodblues Elwood Blues Premium Member join:2006-08-30 Somewhere in
Here is what I find interesting, the last time I jailbroke my phone, it had a 10.x IP, so I knew they were natting.. No problem.
I find it difficult to believe that Rogers has over 4 billion IPs in use (assuming full 10.x IP space). They're big but not that bloody big.
Mashiki Balking The Enemy's Plans join:2002-02-04 Woodstock, ON
They could be segmenting zones. Stupid way to do it, but I've seen stupider things done.
to tdurd
Does the explanation that it's Rogers apply if I'm in the US?
sbrook Mod join:2001-12-14 Ottawa
to elwoodblues
Well, it's not a whole 4 billion, but they need lots of .1's so that they can keep everybody together on a CMTS subnet. You've probably got maybe 100 subs on a 10.*.x.* so really you only have about 65535 subnets available ... I can see Rogers getting through them.
Austin Tejas to sbrook
Anon
2011-Apr-14 7:29 pm
I am experiencing the same issue with my Android smartphone.
I had reason to believe that a spy program was installed and that someone is viewing my activities, etc. on a secure server, as advertised. I do actually have reason to think someone would do this, as there is a person and they have been stalking me, blah, blah... It seems those programs are designed for that purpose and some may be able to be installed remotely.
That said, the 4G phone that I got a few months ago has never performed very well, I think my last apartment was a dead zone and maybe I just expect too much performance from devices. The connection is better since I moved.
The reason for my first alarm was that the battery started draining very quickly. I looked into the spyware issue and followed instructions on how to determine if there may be a spy program draining the battery. The battery drained halfway down over night, without the charger, the phone would get very hot, and there was a lot of bandwidth used. I did install a lot of apps and use it a lot, but still suspicious. I've since, uninstalled many apps.
I installed a monitoring app to see if I could detect any unusual activity and have found the same result. It appears that everything is routing through a strange IP before going to a legitimate one. After monitoring the traffic, the IPs have shown up as either Department of Defense (DoD) Network Information Center in Ohio or the Ministry of Defense in UK. The DNS has changed, but those are the only two results.
My first thought was that Big Bro is a bit over zealous, because I'm not very politically opinionated and don't post or visit sites like that, but I do search for what I want and visit sites that I want and maybe I set up some sort of flag or maybe someone used my email..... Anyway, let's just prove that I'm normal and leave my phone alone.
But then I read that there can be spoofing and am back to suspecting a commercial spy program and that they are covering their tracks to be undetected. I still need more info on spoofing and for that matter not eliminate the possibility that some lowlife has hacked me for personal info.
I just found it very interesting that someone else tracked the IPs to the same two military intelligence agencies.