grasmussen
join:2012-11-29
Gallatin, TN

grasmussen

Member

Questionable IP address outside service provider's gateway

I ran a tracert from one of my home computers to the speedtest.net server in Miami supported by Comcast. The Internet service provider is OMGFAST (a subsidiary of Clearband) and their gateway IP address is 199.193.104.65. The tracert data follows below. Why is there what appears to be a home or small office router in the path??

Tracing route to sto-pomp-01.sys.comcast.net [69.241.6.18]
over a maximum of 30 hops:

1 1 ms 1 ms 1 ms 199.51.216.197 (The IP address I assigned to my omgfast supplied router)
2 93 ms 34 ms 39 ms 199.193.104.65 (omgfast gateway)
3 42 ms 38 ms 44 ms 192.168.1.5 ** WHAT IS THIS DOING HERE?? **
4 51 ms 39 ms 62 ms 192.168.1.1 ** WHAT IS THIS DOING HERE?? **
5 44 ms 57 ms 65 ms 74.115.233.161
6 51 ms 41 ms 71 ms 208.67.164.150
7 60 ms 39 ms 79 ms 208.67.164.157
8 70 ms 48 ms 79 ms be-10-902-pe01.nota.fl.ibone.comcast.net [66.208.228.113]
9 48 ms 59 ms 59 ms pos-1-5-0-0-cr01.miami.fl.ibone.comcast.net [68.86.87.105]
10 43 ms 59 ms 172 ms he-0-12-0-0-ar03.northdade.fl.pompano.comcast.net [68.86.93.86]
11 55 ms 77 ms 150 ms pos-0-7-0-0-ar03.pompanobeach.fl.pompano.comcast.net [68.86.164.6]
12 52 ms 161 ms 51 ms te-7-4-ur02.pompanobeach.fl.pompano.comcast.net [68.85.127.157]
13 117 ms 84 ms 78 ms te-7-2-ur01.pompanobeach.fl.pompano.comcast.net [68.85.127.153]
14 46 ms 78 ms 79 ms sto-pomp-01.sys.comcast.net [69.241.6.18]

Trace complete.

tschmidt
MVM
join:2000-11-12
Milford, NH
·Consolidated Com..
·Republic Wireless
·Hollis Hosting

1 recommendation

tschmidt

MVM

Welcome to BBR.

Private IP addresses can be used and reused many times by multiple entities.

»tools.ietf.org/html/rfc1918

It is not uncommon for ISPs to use private addresses for internal routers. As a residential ISP customer you are bridged to their local network. Those addresses are visible to you but not to computers outside the ISP. It is unusual they are "wasting" a public IP for the edge router 199.193.104.65.

Tracing route to 199.193.104.65 over a maximum of 30 hops
 
  1    <1 ms    <1 ms    <1 ms  192.168.2.1
  2    22 ms    22 ms    22 ms  10.20.6.1
  3    23 ms    24 ms    23 ms  64.222.166.167
  4    28 ms    28 ms    29 ms  burl-lnk-70-109-168-138.ngn.east.myfairpoint.net [70.109.168.138]
  5    34 ms    33 ms    33 ms  te7-5.ccr01.alb02.atlas.cogentco.com [38.104.52.21]
  6    36 ms    37 ms    36 ms  te4-4.ccr01.jfk01.atlas.cogentco.com [154.54.42.142]
  7    37 ms    37 ms    37 ms  te0-3-0-7.mpd21.jfk02.atlas.cogentco.com [154.54.24.146]
  8    43 ms    44 ms    43 ms  te0-1-0-4.mpd21.dca01.atlas.cogentco.com [154.54.2.66]
  9    54 ms    55 ms    54 ms  te0-3-0-7.mpd21.atl01.atlas.cogentco.com [154.54.25.254]
 10    68 ms    68 ms    68 ms  te8-8.ccr01.mia01.atlas.cogentco.com [154.54.3.26]
 11   155 ms   207 ms   212 ms  te8-8.ccr01.mia03.atlas.cogentco.com [154.54.80.42]
 12    69 ms    69 ms    71 ms  te4-1.mag01.mia03.atlas.cogentco.com [154.54.47.182]
 13    69 ms    68 ms    68 ms  38.104.94.150
 14    70 ms    69 ms    69 ms  208.67.164.158
 15    71 ms    70 ms    71 ms  208.67.164.149
 16    70 ms    70 ms    69 ms  74.120.47.234
 17    70 ms    70 ms    70 ms  192.168.1.2
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 

I ran a traceroute back to your ISP's edge router with the intent of showing that the 192.168.1.x address block was invisible to someone external to your ISP's network. But lo and behold, look at hop 17.

I think the next step is to contact your ISP and talk to them. Looks like someone misconfigured their network.

BTW - notice the second hop in my traceroute. That is the ISP's edge router. The 10/8 address block is one of the RFC 1918 private addresses.

/tom
grasmussen
join:2012-11-29
Gallatin, TN

grasmussen

Member

Tom,
Thank you for responding. I have been trying to get to the head technician but after leaving 3 voice messages and getting no callbacks I'm frustrated. I will try to get to the corporate offices next.

Is it possible that someone could be scanning traffic through this 192.168.x.x hop for the purpose of recording private info such as online bank account information?

Jerry

stormbow
Freedom isn't FREE
Premium Member
join:2002-07-31
Simi Valley, CA

1 recommendation

stormbow to grasmussen

Premium Member

to grasmussen
said by grasmussen:

1 1 ms 1 ms 1 ms 199.51.216.197 (The IP address I assigned to my omgfast supplied router)
2 93 ms 34 ms 39 ms 199.193.104.65 (omgfast gateway)
3 42 ms 38 ms 44 ms 192.168.1.5 ** WHAT IS THIS DOING HERE?? **
4 51 ms 39 ms 62 ms 192.168.1.1 ** WHAT IS THIS DOING HERE?? **

This is normal. As Tom says, they don't want to waste IP addresses, so they use private IP addresses inside their network. They normally only use non-private IPs at the endpoints (at the user end and where they hand off to peers).
public
join:2002-01-19
Santa Clara, CA

public to grasmussen

Member

to grasmussen
said by grasmussen:

Is it possible that someone could be scanning traffic through this 192.168.x.x hop for the purpose of recording private info such as online bank account information?

Presumably that is encrypted. If not, you have a bigger problem.
All of your traffic is recorded by the NSA.

tschmidt
MVM
join:2000-11-12
Milford, NH
·Consolidated Com..
·Republic Wireless
·Hollis Hosting

1 recommendation

tschmidt to grasmussen

MVM

to grasmussen
said by grasmussen:

Is it possible that someone could be scanning traffic through this 192.168.x.x hop for the purpose of recording private info such as online bank account information?

Not sure what you mean by "scanning traffic." There is nothing special about the Private Address blocks. If this was something nefarious why would the attacker make it so obvious? If this was a CALEA tap you would never see it.

The 74.115.232.0/22 and 208.67.164.0/22 IPs belong to Fibernet. Looks like Hop 5 is the interface between your ISP and wholesale ISP Fibernet.

Likewise on my traceroute 74.120.40.0/21 is Fibernet.
»tools.whois.net/whoisbyip/

KISS - keep it simple stupid - Your ISP is using private IPs for routers within their network - nothing wrong with that. Using private IPs and exposing them to the Internet - a big no no. I should not be able to see hop 17 on my traceroute 192.168.1.2. As mentioned, the fact you can see 192.168.1.5 and 192.168.1.1 is normal since you are internal to the ISP's network.

The choice of particular private IP address block is unusual in that most home routers also use the 192.168/16 block, making collision with customer LAN addresses more likely. Remember the benefit of Private Addresses is that the block can be used multiple times by multiple entities. However each user must keep the block hidden from the Internet.

If you are interested in the gory details of the side effects of using Private IPs within ISP core, RFC 6752 discusses the issue. I found it interesting reading. I had not paid much attention to the down side until I responded to your problem. BTW I am not an ISP nor do I play one on TV so this is new territory for me.
»tools.ietf.org/html/rfc6752

/tom
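
The distinction drawn in the post above (private hops seen from inside the ISP versus a private hop seen from another network), as an added example that is not part of the thread: it parses Windows tracert output and labels each RFC 1918 hop. The function names and the `own_isp` parameter are hypothetical, and the /32 entries passed for the first trace are simply the two public addresses the original poster identified as his router and the omgfast gateway.

```python
import ipaddress
import re

# RFC 1918 private blocks (the RFC linked in the thread).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
QUAD = r"\d{1,3}(?:\.\d{1,3}){3}"

# Hops abridged from the two tracert listings in the thread.
FROM_INSIDE = """\
  1     1 ms     1 ms     1 ms  199.51.216.197
  2    93 ms    34 ms    39 ms  199.193.104.65
  3    42 ms    38 ms    44 ms  192.168.1.5
  4    51 ms    39 ms    62 ms  192.168.1.1
  5    44 ms    57 ms    65 ms  74.115.233.161
"""
FROM_OUTSIDE = """\
  1    <1 ms    <1 ms    <1 ms  192.168.2.1
  2    22 ms    22 ms    22 ms  10.20.6.1
  5    34 ms    33 ms    33 ms  te7-5.ccr01.alb02.atlas.cogentco.com [38.104.52.21]
 17    70 ms    70 ms    70 ms  192.168.1.2
 18     *        *        *     Request timed out.
"""

def parse_tracert(text):
    """Return [(hop, IPv4Address)] from Windows tracert output, skipping timeouts."""
    hops = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.*)", line)
        # Prefer the bracketed address after a hostname, else the first dotted quad.
        ip = m and (re.search(rf"\[({QUAD})\]", m[2]) or re.search(rf"\b({QUAD})\b", m[2]))
        if ip:
            hops.append((int(m[1]), ipaddress.ip_address(ip[1])))
    return hops

def private_hops(text, own_isp=()):
    """Label each RFC 1918 hop 'internal' or 'exposed'."""
    # own_isp: public networks the caller knows belong to their own ISP (caller's assumption).
    # After a public hop outside own_isp, a private hop is being seen from another network.
    nets = [ipaddress.ip_network(n) for n in own_isp]
    left_isp, out = False, []
    for num, ip in parse_tracert(text):
        if any(ip in net for net in RFC1918):
            out.append((num, str(ip), "exposed" if left_isp else "internal"))
        elif not any(ip in net for net in nets):
            left_isp = True
    return out

if __name__ == "__main__":
    print(private_hops(FROM_INSIDE, ["199.51.216.197/32", "199.193.104.65/32"]), private_hops(FROM_OUTSIDE))
```

The label depends on knowing which public hops are your own ISP's; without `own_isp`, the first trace's hops 3 and 4 would be labelled exposed as well, since addresses alone do not say whose network a hop is in.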


stormbow
Freedom isn't FREE
Premium Member
join:2002-07-31
Simi Valley, CA

stormbow to grasmussen

Premium Member

to grasmussen
said by grasmussen:

Is it possible that someone could be scanning traffic through this 192.168.x.x hop for the purpose of recording private info such as online bank account information?

Jerry

If I was going to sniff your traffic, you would never know it. I would put a managed switch in the mix with a monitor port running. It would show no trace. I do it here to make sure we aren't having issues on our exterior segment. (We are not an ISP, so no, I'm not sniffing my coworkers' details.)
grasmussen
join:2012-11-29
Gallatin, TN

grasmussen

Member

Thank you all for your input. Interesting feedback! Looks like some research as suggested by Tom could be entertaining and enlightening. Jerry