
tdurd
@server4you.net

tdurd

Anon

Why is my first hop to a DoD assigned IP address?

Sorry for the embellished title. I wasn't sure what to use.

Today, while I was troubleshooting a remote assistance connection issue with someone I know, I noticed the first hop in a tracert is to the 7.0.0.0/8 network (DoD DNIC). The second is to the 69.63.240.0/20 network (Rogers). Does anyone know what the deal is with Rogers Canada's network design?

The person I was helping has an SMC8014WG network device supplied by Rogers. The SMC device has a LAN IP of 192.168.0.1. The SMC device also listed a WAN IP and WAN Gateway address, but I didn't write them down (66.x.x.x IIRC).

As far as tracert is concerned, their LAN gateway (192.168.0.1), the WAN IP and the WAN Gateway on the SMC device are all one hop from their computer. None of them show up in a normal tracert (ex: tracert google.ca).

It acts as if their machine is connected via VPN to, and routing all traffic via, the 7.0.0.0/8 network, but, AFAIK, it's not. Unfortunately, I didn't think to look at the routing table since they wanted help with something that wasn't network related and I didn't want to waste their time.

They had a virtual network adapter that was somehow related to IPV6 (disappeared when IPV6 was disabled) and looked like it was installed against their WiFi adapter. IIRC it was named Teredo Tunneling Pseudo Interface. Windows remote assistance complained about not having a public IPV4 address until they disabled their WiFi adapter. Their WiFi NIC and wired NIC were both connected to the same LAN, so it doesn't make sense that disabling their WiFi NIC would change anything significant, does it?

I haven't looked at IPV6 at all and am not familiar with how it would get integrated with an IPV4 network. Does Rogers have some kind of hybrid IPV4 / IPV6 network that would make things look weird to someone who is only used to IPV4?

Also, why would an IP address from an IP block that is assigned to the DoD show up anywhere in Rogers' network design?

I'm five nines sure this person is not a spy.

Nap
@rogers.com

Nap

Anon

Check this other thread, you're not alone:

»[Extreme Plus] Frequent, intermittent disconnections in Toronto

nap.

P.S. Maybe DOD is spying on your friend, not the other way round? Just kidding. Take care. Lol.

bigggbrutha
@telus.net

bigggbrutha to tdurd

Anon

to tdurd
»www.google.com/webhp#scl ··· 0f8b4ab9

Lots of speculative information on Google.
Lots of people noticing DoD port scans after leaving political comments to certain sites.
Firewalls are your friend.
Disabling the back door to an ISP-supplied router/modem is good to do.
Either someone is spoofing DoD's IP range or there is a little black box at the ISP, recording all the traffic on that connection.

I've said too much. Keep safe Citizen.

sbrook
Mod
join:2001-12-14
Ottawa

sbrook to tdurd

Mod

to tdurd
This is far more likely to be some mistake by a network engineer who put an IP of 7.4.16.1 instead of 10.4.16.1 onto that CMTS router.

Normally on Rogers, the first hop (after any router(s) you have) is the CMTS and that's assigned a 10.*.*.* non-routable address.

Somebody should be dragged over the coals for this one. Your first hop wouldn't be outside Rogers network. So, conspiracy theorists ... take your tinfoil hats off ... this is just plain stupidity.

tdurd
@amazonaws.com

tdurd

Anon

Yeah. The 10 and the 7 are like right next to each other on the keyboard.

In this case, neither the LAN gateway nor the WAN gateway showed up in a tracert. It behaved exactly as if the machine were part of a VPN with an alternate default route that funneled all traffic over the VPN gateway. The weird IP was quite literally hop #1.

If traffic were hitting the LAN gateway, then a weird IP, then a Rogers IP, I'd chalk it up to a typo. As far as IPV4 networking goes, it sure looked like traffic from their machine was being passed over an alternate route.

I'm not a tinfoil hat conspiracy theorist and I should be able to get another look at their machine later tonight. I'll have a look at their routing table(s) and see what the deal is.

I mainly wanted to know if Rogers has some wonky VPN(ish) setup for their home broadband subscribers.
tdurd

tdurd to sbrook

Anon

to sbrook
I probably should have been more clear that I don't think it's likely someone is spying on my friend.

If their machine were connected to an alternate network via VPN and having traffic routed via the VPN gateway, the first hop off the network would show as the internal IP of the VPN gateway, not an external, world-routable IP. A VPN-like setup is, AFAIK, the only way your first hop can be anything other than your LAN gateway IP.

In the case of a VPN, there would have to be some kind of virtual NIC in use. There wasn't.

It might be possible for someone to be bridged onto your LAN (via the gateway device). Then it would be possible to change the routing table on network connected devices (aka your computer) and route traffic via a different gateway.

However, if anyone had the means to get bridged onto your LAN via the gateway device, they wouldn't need to screw around with stupid tricks since they could divert your traffic from a point that would make it impossible for you to detect.

The only way someone could be spying on my friend would be if they had physical access to the house and were able to bridge onto the LAN + change the routing table on their PC. And that's just a little too tinfoil hatty for me.

Nap
@rogers.com

Nap

Anon

said by tdurd :

I probably should have been more clear that I don't think it's likely someone is spying on my friend.

So the DoD squad is at your house and kindly asked you to post a "forget it guys it was just a joke" message?

Let's thicken the plot. Any Samsung laptop near you?

»yro.slashdot.org/story/1 ··· -Laptops

There's someone at my door, I'll be back in a minute....

Nap.
kliles
join:2007-06-26
Mississauga, ON

kliles

Member

said by Nap :

said by tdurd :

I probably should have been more clear that I don't think it's likely someone is spying on my friend.

So the DoD squad is at your house and kindly asked you to post a "forget it guys it was just a joke" message?

Let's thicken the plot. Any Samsung laptop near you?

»yro.slashdot.org/story/1 ··· -Laptops

There's someone at my door, I'll be back in a minute....

Nap.

The Samsung laptop key logger was a false positive from the AV software the "researcher" was using... see:

Samsung Laptops do not have a keylogger (and it was our fault):
»sunbeltblog.blogspot.com ··· ger.html

tdurd
@santrex.net

tdurd to tdurd

Anon

to tdurd
Ok. I got another look at this machine and it defies my understanding of networking. Hopefully someone here knows more than me. I'll post the info I think is important below. I've obfuscated the first couple hops of the tracerts and WAN IPs, but kept all IPs in the same CIDR range (as listed by ARIN).

NIC Info: A single, wired NIC.  Everything else disabled.
NIC Settings: IPV6 is disabled.
NIC IPV4 Settings: DHCP
 

Network info:

LAN IP: 192.168.0.10
LAN GW: 192.168.0.1
WAN IP: 99.224.0.1
WAN GW: 99.224.0.2
WHATS MY IP: 99.224.0.1
 

ipconfig /all

Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : User-PC
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : phub.net.cable.rogers.com
 
Ethernet adapter Local Area Connection:
 
   Connection-specific DNS Suffix  . : phub.net.cable.rogers.com
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : [removed]
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : [removed]
   Lease Expires . . . . . . . . . . : [removed]
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Tunnel adapter isatap.phub.net.cable.rogers.com:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : phub.net.cable.rogers.com
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   Physical Address. . . . . . . . . : [removed]
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : [removed]
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : [removed] (Preferred)
   Link-local IPv6 Address . . . . . : [removed] (Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled
 

route print

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.10     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.0.0    255.255.255.0         On-link      192.168.0.10    276
     192.168.0.10  255.255.255.255         On-link      192.168.0.10    276
    192.168.0.255  255.255.255.255         On-link      192.168.0.10    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      192.168.0.10    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      192.168.0.10    276
===========================================================================
Persistent Routes:
  None
 

tracert google.ca

 
Tracing route to google.ca [74.125.225.20]
over a maximum of 30 hops:
 
  1     8 ms    11 ms     7 ms  7.0.0.1
  2     8 ms    13 ms     9 ms  69.63.240.1
  3    10 ms    12 ms     9 ms  69.63.240.2
  4    27 ms    26 ms    31 ms  69.63.240.3
  5    26 ms    27 ms    40 ms  74.125.49.229
  6    27 ms    35 ms    27 ms  72.14.238.232
  7    62 ms    50 ms    41 ms  216.239.46.217
  8    54 ms    42 ms    44 ms  64.233.174.173
  9    41 ms    41 ms    42 ms  74.125.225.20
 
Trace complete.
 

tracert facebook.com

 
Tracing route to facebook.com [69.63.189.16]
over a maximum of 30 hops:
 
  1   131 ms    21 ms     7 ms  7.0.0.1
  2    20 ms     9 ms     7 ms  69.63.240.1
  3    11 ms    12 ms    10 ms  69.63.240.2
  4    28 ms    26 ms    48 ms  69.63.240.3
  5    25 ms    27 ms    26 ms  xe-1-1-0.br01.lga1.tfbnw.net [198.32.118.27]
  6    28 ms    28 ms    52 ms  xe-4-3-0.bb01.iad1.tfbnw.net [204.15.20.128]
  7    30 ms    28 ms    28 ms  ae1.dr03.ash2.tfbnw.net [204.15.21.95]
  8    28 ms    28 ms    28 ms  po1016.csw01b.ash2.tfbnw.net [74.119.76.117]
  9    29 ms    28 ms    28 ms  www-11-01-ash2.facebook.com [69.63.189.16]
 
Trace complete.
 

Why aren't the first two hops 192.168.0.1 and 99.224.0.2?

sbrook
Mod
join:2001-12-14
Ottawa

sbrook

Mod

Good question as to why the first hop isn't 192.168.0.1 BUT that said, some routers don't actually report themselves in a tracert.

The next hop should be the CMTS (aka the UBR). The CMTS has two IP addresses ... a routable address that is the default gateway address, and a non-routable address that is used internally within Rogers network to access the CMTS and your modem.

So, in fact 7.0.0.1 and 99.224.0.2 are probably one and the same.
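As an added example (not code from the thread or from any poster), the following Python script parses the tracert output posted above and labels each hop by the address block it falls in, so a 7.0.0.0/8 first hop can be read as ISP-internal space rather than a foreign network. The 7/8 and 25/8 labels are assumptions taken from this thread, not from a registry lookup, and the LAN/WAN gateway values are the ones the poster listed.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample: the google.ca trace posted in the thread, hop addresses
# exactly as the poster obfuscated them.
SAMPLE_TRACERT = """\
Tracing route to google.ca [74.125.225.20]
over a maximum of 30 hops:

  1     8 ms    11 ms     7 ms  7.0.0.1
  2     8 ms    13 ms     9 ms  69.63.240.1
  3    10 ms    12 ms     9 ms  69.63.240.2
  4    27 ms    26 ms    31 ms  69.63.240.3
  5    26 ms    27 ms    40 ms  74.125.49.229
  6    27 ms    35 ms    27 ms  72.14.238.232
  7    62 ms    50 ms    41 ms  216.239.46.217
  8    54 ms    42 ms    44 ms  64.233.174.173
  9    41 ms    41 ms    42 ms  74.125.225.20

Trace complete.
"""

# Blocks never reachable across the public internet, followed by publicly
# registered blocks the thread reports the ISP using as non-routed internal
# space (an assumption taken from the thread, not from a registry query).
KNOWN_BLOCKS = [
    ("10.0.0.0/8", "RFC1918 private"),
    ("172.16.0.0/12", "RFC1918 private"),
    ("192.168.0.0/16", "RFC1918 private"),
    ("100.64.0.0/10", "RFC6598 carrier-grade NAT"),
    ("127.0.0.0/8", "loopback"),
    ("169.254.0.0/16", "link-local"),
    ("7.0.0.0/8", "ISP-internal (US DoD NIC block)"),
    ("25.0.0.0/8", "ISP-internal (UK MoD block)"),
]
KNOWN_NETS = [(ipaddress.ip_network(cidr), label) for cidr, label in KNOWN_BLOCKS]
# Trailing dotted quad, bare ("7.0.0.1") or bracketed ("host [198.32.118.27]").
IPV4_AT_END = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\]?\s*$")

Hop = namedtuple("Hop", "number ip label")

def classify(ip):
    """Label an address by the first block it falls in, else 'global'."""
    addr = ipaddress.ip_address(ip)
    for net, label in KNOWN_NETS:
        if addr in net:
            return label
    return "global"

def parse_tracert(text):
    """Parse Windows tracert output; timed-out rows have no address and are skipped."""
    hops = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].isdigit():
            continue  # banner, blank line or "Trace complete."
        match = IPV4_AT_END.search(line)
        if match:
            hops.append(Hop(int(parts[0]), match.group(1), classify(match.group(1))))
    return hops

def first_global_hop(hops):
    """Hop number where the path first leaves reserved or ISP-internal space (0 if never)."""
    return next((h.number for h in hops if h.label == "global"), 0)

def explain_first_hops(hops, lan_gw, wan_gw):
    """Findings for the thread's question: why hop 1 is neither the LAN nor the WAN gateway."""
    if not hops:
        return ["no hops parsed"]
    findings = []
    if hops[0].ip != lan_gw:
        findings.append(f"hop 1 is {hops[0].ip}, not LAN gateway {lan_gw}: "
                        "some home routers do not report themselves in a trace")
    if wan_gw not in {h.ip for h in hops}:
        findings.append(f"WAN gateway {wan_gw} never appears: the first ISP router "
                        "(CMTS) likely replied from its other, internal address")
    for h in hops:
        if h.label.startswith("ISP-internal"):
            findings.append(f"hop {h.number} {h.ip}: {h.label}, not a foreign network")
    return findings
```

Running `explain_first_hops(parse_tracert(SAMPLE_TRACERT), "192.168.0.1", "99.224.0.2")` yields the three findings that match the explanation above; `first_global_hop` returns 2, the first Rogers public address.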

pwnage
Powdered Toast Man
Premium Member
join:2004-03-20
ComeByChance

pwnage to tdurd

Premium Member

to tdurd
Rogers is converting all 10. IPs to 7.

sbrook
Mod
join:2001-12-14
Ottawa

1 edit

sbrook

Mod

Unless they've been added to the non-routable address list, somebody should slap them over the knuckles!

It appears that 7.0.0.0/16 has not actually been allocated although it's IANA reserved.

But unless Rogers is firewalling 7.0.0.0/16 it could cause some interesting messes.

tdurd
@torservers.net

tdurd to sbrook

Anon

to sbrook
sbrook: That is exactly what it is. I didn't realize there was more than one IP aliased to that particular interface. So, to recap:

- the LAN gateway doesn't report itself in a tracert
- the WAN gateway gets misreported with an internal (Rogers) IP in the 7.0.0.0/8 range

I can confirm that you are correct with near certainty. Although I can't ping 7.0.0.1, I can ping 99.224.0.2. The latency is basically an exact match to what I'm seeing using tracert (usually ~8ms, yet inconsistent into the 125ms+ range). I'm satisfied they're the same physical interface.

It would also explain why the guy in that other thread was seeing a 7.0.0.0/8 IP as his second hop.

Now for the million dollar question. How does a Canadian communications company like Rogers build an internal management network using the public IP space allocated to the US DoD without anyone in the company raising an objection? There are more WTFs with that idea than you can shake a stick at.

For the record, the IP I was seeing was not even close to the one in that other thread, but still on the 7.0.0.0/8 network which is why I'm assuming Rogers uses 7.0.0.0/8 for more than the odd typo.
tdurd

tdurd to pwnage

Anon

to pwnage
said by pwnage:

Rogers is converting all 10. IPs to 7.

Are they mad?
said by sbrook:

It appears that 7.0.0.0/16 has not actually been allocated although it's IANA reserved.

Am I looking in the wrong place?

»whois.arin.net/rest/net/ ··· -0-1/pft

sbrook
Mod
join:2001-12-14
Ottawa

1 recommendation

sbrook

Mod

Well, I've found out a bit more ...

Parts of that 7.*.*.* are non-routed (note: not non-routable!). DoD keeps them reserved behind their firewalls, so they aren't really in the "publicly addressable" IP address space. You can't get a routing to DoD machines in that address space.

Rumour has it that Rogers ran out of non-routable IP address space! Rogers (unlike the American ISPs) runs a unified network rather than a geographically segregated network, which means that each non-routable IP address is unique in its entire geography, so they can run out!

Rumour also has it that they went to IANA and DoD and got permission to use the non-routed parts of the 7.* address space if it's not routed out of Rogers networks.

Sketchy but until IP V6 comes along, all kinds of bandaid solutions are coming along to problems like this.
JAC70
join:2008-10-20
canada

JAC70

Member

Heheh...the poll starts now as to how long it takes Rogers to screw this up and break the internet.

tdurd
@online.de

tdurd to sbrook

Anon

to sbrook
said by sbrook:

Rumour also has it that they went to IANA and DoD and got permission to use the non-routed parts of the 7.* address space if it's not routed out of Rogers networks.

That's like borrowing a stranger's video camera to film yourself banging a hooker. There are plenty of things that can go wrong with a plan like that.

What happens when something goes wrong and information starts leaking off the network? It gets routed straight to the US DoD.
said by sbrook:

Sketchy but until IP V6 comes along, all kinds of bandaid solutions are coming along to problems like this.

If Comcast is down in the US, standing on a street corner and begging for spare IPV4 addresses for an internal network, I'll be very surprised if consumers see IPV6 in the next decade.

sbrook
Mod
join:2001-12-14
Ottawa

sbrook to tdurd

Mod

to tdurd
I tend to agree. Probably what's happened is all the wireless devices have been put on NAT to local addresses so as to avoid the IPV4 crunch ... and hey presto they hit the nonroutable crunch instead!!!

tdurd
@online.de

tdurd to tdurd

Anon

to tdurd
*Rogers, not Comcast. Sorry.

elwoodblues
Elwood Blues
Premium Member
join:2006-08-30
Somewhere in

elwoodblues to tdurd

Premium Member

to tdurd
It gets better, my iPhone has a 25.x ip, which is odd, since the last time I jailbroke the phone it had a natted address.

Anyways, curiosity gets the best of me and I found out the 25.x IP space belongs to the UK Ministry of Defence.

What's even odder is that I went to Speedtest.net on my phone and it shows the 25.x IP as an internal IP, yet it shows a 74.198.x.x IP as the external IP.

OK dumb question, why would they use a routable address for an internal one, and then NAT it.
resa1983
Premium Member
join:2008-03-10
North York, ON

resa1983

Premium Member

said by elwoodblues:

OK dumb question, why would they use a routable address for an internal one, and then NAT it.

This is Rogers... Need you really ask?

The company that released an update for their DPI systems without fully reading it, and without testing it, resulting in a user's entire connection being throttled while p2p is active..

The company that has their employees blatantly lie to customers..

Come on now. :P

I really wonder at their network personnel.. They can't be this inept, can they?

sbrook
Mod
join:2001-12-14
Ottawa

sbrook to elwoodblues

Mod

to elwoodblues
Probably because 25.*.*.* is not actually routed outside of Rogers. It's probably the same deal as the 7.*.*.* and is only being used within Rogers network.

I suspect you'll find that there are no hosts on the CIDRs that Rogers is using visible from the public ethernet anyway.

So in fact the 25.* is also a NATted address.

Again because Rogers has run out of internal addresses because its network is not segmented like the US carriers.
sbrook

sbrook to tdurd

Mod

to tdurd
Now now resa! This actually makes sense, although it shows poor planning on Rogers' part (or a hope that they'd make IP6 happen a lot sooner!) and the use of walled IP addresses is certainly strange!

In this case the external address is the address of the NATting router, and your internal address is the address that NATting router is sending packets to ... i.e. you. So, it makes perfect sense. Of course, the hitch is that NAT really can upset "connectionless" protocols. TCP/IP will create a "connection" ... i.e. a protocol specific link that is created when the connection is initiated and destroyed when cleared down. On the other hand, UDP does not ... it happens by a stream of packets sent to the other end. In general on the internet, connectionless protocols are usually preceded by a "connection" protocol exchange, which is used to establish the NAT router link to the destination.

And as for why a CMTS has an internal and external IP address, this is because the users on a single CMTS segment can be on multiple subnets, so by using the internal addresses they escape this problem.

If you traceroute to the CMTS, its public IP address will reply.

If you traceroute through the CMTS, its private IP address will reply.
Andlucky123
join:2011-04-14
Austin, TX

Andlucky123 to tdurd

Member

to tdurd
I am experiencing the same issue with my Android smartphone.

I had reason to believe that a spy program was installed and that someone is viewing my activities, etc. on a secure server, as advertised. I do actually have reason to think someone would do this, as there is a person and they have been stalking me, blah, blah... It seems those programs are designed for that purpose and some may be able to be installed remotely.

That said, the 4G phone that I got a few months ago has never performed very well, I think my last apartment was a dead zone and maybe I just expect too much performance from devices. The connection is better since I moved.

The reason for my first alarm was that the battery started draining very quickly. I looked into the spyware issue and followed instructions on how to determine if there may be a spy program draining the battery. The battery drained halfway down over night, without the charger, the phone would get very hot, and there was a lot of bandwidth used. I did install a lot of apps and use it a lot, but still suspicious. I've since, uninstalled many apps.

I installed a monitoring app to see if I could detect any unusual activity and have found the same result. It appears that everything is routing through a strange IP before going to a legitimate one. After monitoring the traffic, the IPs have shown up as either DoD Network Information Center in Ohio or the Ministry of Defense in the UK. The DNS has changed, but those are the only two results.

My first thought was that Big Bro is a bit over zealous, because I'm not very politically opinionated and don't post or visit sites like that, but I do search for what I want and visit sites that I want and maybe I set up some sort of flag or maybe someone used my email..... Anyway, let's just prove that I'm normal and leave my phone alone.

But then I read that there can be spoofing and am back to suspecting a commercial spy program and that they are covering their tracks to be undetected. I still need more info on spoofing and for that matter not eliminate the possibility that some lowlife has hacked me for personal info.

I just found it very interesting that someone else tracked the IPs to the same two military intelligence agencies.

sbrook
Mod
join:2001-12-14
Ottawa

sbrook to tdurd

Mod

to tdurd
No, you're not going to a military agency. Rogers has just received permission to use these IP addresses as long as they are firewalled as "internal IP addresses" ... since no address in the 7.* range or 25.* range that Rogers is using is routable to from the internet.

Your draining battery and poor performance are far more likely to be poor signal than anything else.

Even for my old generic phone, where I live in a cell phone near-dead spot (1 bar!), I'll kill a phone battery overnight. On the other hand, if I take it away with me to a 3 or more bar area, it lasts days. It gets hot because it's having to transmit a lot of power to stay in touch with the nearest tower because the signal strengths are marginal.

You can be sure that if MOD (UK) or US military or police or gov't wanted to track internet services, they sure as hell wouldn't let a visible IP address show in the tracert!

elwoodblues
Elwood Blues
Premium Member
join:2006-08-30
Somewhere in

elwoodblues

Premium Member

Here is what I find interesting, the last time I jailbroke my phone, it had a 10x IP, so I knew they were natting.. No problem.

I find it difficult to believe that Rogers has over 4 billion IPs in use (assuming full 10.x IP space). They're big but not that bloody big.

Mashiki
Balking The Enemy's Plans
join:2002-02-04
Woodstock, ON

Mashiki

Member

They could be segmenting zones. Stupid way to do it, but I've seen stupider things done.
Andlucky123
join:2011-04-14
Austin, TX

Andlucky123 to tdurd

Member

to tdurd
Does the explanation that it's Rogers apply if I'm in the US?

sbrook
Mod
join:2001-12-14
Ottawa

sbrook to elwoodblues

Mod

to elwoodblues
Well, it's not a whole 4 billion, but they need lots of .1's so that they can keep everybody together on a CMTS subnet. You've probably got maybe 100 subs on a 10.*.x.*, so really you only have about 65535 subnets available ... I can see Rogers getting through them.

Austin Tejas
@tmodns.net

Austin Tejas to sbrook

Anon

to sbrook
I am experiencing the same issue with my Android smartphone.

I had reason to believe that a spy program was installed and that someone is viewing my activities, etc. on a secure server, as advertised. I do actually have reason to think someone would do this, as there is a person and they have been stalking me, blah, blah... It seems those programs are designed for that purpose and some may be able to be installed remotely.

That said, the 4G phone that I got a few months ago has never performed very well, I think my last apartment was a dead zone and maybe I just expect too much performance from devices. The connection is better since I moved.

The reason for my first alarm was that the battery started draining very quickly. I looked into the spyware issue and followed instructions on how to determine if there may be a spy program draining the battery. The battery drained halfway down over night, without the charger, the phone would get very hot, and there was a lot of bandwidth used. I did install a lot of apps and use it a lot, but still suspicious. I've since, uninstalled many apps.

I installed a monitoring app to see if I could detect any unusual activity and have found the same result. It appears that everything is routing through a strange IP before going to a legitimate one. After monitoring the traffic, the IPs have shown up as either Department of Defense (DoD) Network Information Center in Ohio or the Ministry of Defense in the UK. The DNS has changed, but those are the only two results.

My first thought was that Big Bro is a bit over zealous, because I'm not very politically opinionated and don't post or visit sites like that, but I do search for what I want and visit sites that I want and maybe I set up some sort of flag or maybe someone used my email..... Anyway, let's just prove that I'm normal and leave my phone alone.

But then I read that there can be spoofing and am back to suspecting a commercial spy program and that they are covering their tracks to be undetected. I still need more info on spoofing and for that matter not eliminate the possibility that some lowlife has hacked me for personal info.

I just found it very interesting that someone else tracked the IPs to the same two military intelligence agencies.