
tschmidt
Premium,MVM
join:2000-11-12
Milford, NH
kudos:9
Reviews:
·Hollis Hosting
·G4 Communications

1 recommendation

reply to grasmussen

Re: Questionable IP address outside service provider's gateway

Welcome to BBR.

Private IP addresses can be used and reused many times by multiple entities.

»tools.ietf.org/html/rfc1918

It is not uncommon for ISPs to use private addresses for internal routers. As a residential ISP customer you are bridged to their local network. Those addresses are visible to you but not to computers outside the ISP. It is unusual they are "wasting" a public IP for the edge router 199.193.104.65.

Tracing route to 199.193.104.65 over a maximum of 30 hops
 
  1    <1 ms    <1 ms    <1 ms  192.168.2.1
  2    22 ms    22 ms    22 ms  10.20.6.1
  3    23 ms    24 ms    23 ms  64.222.166.167
  4    28 ms    28 ms    29 ms  burl-lnk-70-109-168-138.ngn.east.myfairpoint.net
 [70.109.168.138]
  5    34 ms    33 ms    33 ms  te7-5.ccr01.alb02.atlas.cogentco.com [38.104.52.21]
  6    36 ms    37 ms    36 ms  te4-4.ccr01.jfk01.atlas.cogentco.com [154.54.42.142]
  7    37 ms    37 ms    37 ms  te0-3-0-7.mpd21.jfk02.atlas.cogentco.com [154.54.24.146]
  8    43 ms    44 ms    43 ms  te0-1-0-4.mpd21.dca01.atlas.cogentco.com [154.54.2.66]
  9    54 ms    55 ms    54 ms  te0-3-0-7.mpd21.atl01.atlas.cogentco.com [154.54.25.254]
 10    68 ms    68 ms    68 ms  te8-8.ccr01.mia01.atlas.cogentco.com [154.54.3.26]
 11   155 ms   207 ms   212 ms  te8-8.ccr01.mia03.atlas.cogentco.com [154.54.80.42]
 12    69 ms    69 ms    71 ms  te4-1.mag01.mia03.atlas.cogentco.com [154.54.47.182]
 13    69 ms    68 ms    68 ms  38.104.94.150
 14    70 ms    69 ms    69 ms  208.67.164.158
 15    71 ms    70 ms    71 ms  208.67.164.149
 16    70 ms    70 ms    69 ms  74.120.47.234
 17    70 ms    70 ms    70 ms  192.168.1.2
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 

I ran a traceroute back to your ISP's edge router with the intent of showing that the 192.168.1.x address block was invisible to someone external to your ISP's network. But lo and behold, look at hop 17.

I think the next step is to contact your ISP and talk to them. Looks like someone misconfigured their network.

BTW - notice the second hop in my traceroute. That is the ISP's edge router. The 10/8 address block is one of the RFC 1918 private addresses.

/tom

grasmussen

join:2012-11-29
Pompano Beach, FL
Tom,
Thank you for responding. I have been trying to get to the head technician but after leaving 3 voice messages and getting no callbacks I'm frustrated. I will try to get to the corporate offices next.

Is it possible that someone could be scanning traffic through this 192.168.x.x hop for the purpose of recording private info such as online bank account information?

Jerry

public

join:2002-01-19
Santa Clara, CA
said by grasmussen:

Is it possible that someone could be scanning traffic through this 192.168.x.x hop for the purpose of recording private info such as online bank account information?

Presumably that is encrypted. If not, you have a bigger problem.
All of your traffic is recorded by the NSA.


tschmidt
Premium,MVM
join:2000-11-12
Milford, NH

reply to grasmussen
said by grasmussen:

Is it possible that someone could be scanning traffic through this 192.168.x.x hop for the purpose of recording private info such as online bank account information?

Not sure what you mean by "scanning traffic." There is nothing special about the Private Address blocks. If this was something nefarious why would the attacker make it so obvious? If this was a CALEA tap you would never see it.

The 74.115.232.0/22 and 208.67.164.0/22 IPs belong to Fibernet. Looks like Hop 5 is the interface between your ISP and wholesale ISP Fibernet.

Likewise on my traceroute 74.120.40.0/21 is Fibernet.
»tools.whois.net/whoisbyip/

KISS - keep it simple stupid - Your ISP is using private IPs for routers within their network - nothing wrong with that. Using private IPs and exposing them to the Internet - a big no no. I should not be able to see hop 17 on my traceroute 192.168.1.2. As mentioned the fact you can see 192.168.1.5 and 192.168.1.1 is normal since you are internal to the ISP's network.

The choice of particular private IP address block is unusual in that most home routers also use the 192.168/16 block making collision with customer LAN address more likely. Remember the benefit of Private Addresses is that the block can be used multiple times by multiple entities. However each user must keep the block hidden from the Internet.

If you are interested in the gory details of the side effects of using Private IPs within ISP core, RFC 6752 discusses the issue. I found it interesting reading. I had not paid much attention to the down side until I responded to your problem. BTW I am not an ISP nor do I play one on TV so this is new territory for me.
»tools.ietf.org/html/rfc6752

/tom
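
The check described in the posts above, as an added example that is not part of any post in this thread: it parses Windows tracert output and reports RFC 1918 hops that show up after the path has already crossed a public address, which is the hop 17 case. The function names and the sample (a constructed subset of the traceroute quoted above) are assumptions of this example.

```python
import ipaddress
import re

# RFC 1918 private blocks, as discussed in the thread.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOP_RE = re.compile(r"^\s*(\d+)\s+")

# Constructed sample: a subset of the hops from the tracert output above.
SAMPLE = """\
  1    <1 ms    <1 ms    <1 ms  192.168.2.1
  2    22 ms    22 ms    22 ms  10.20.6.1
  3    23 ms    24 ms    23 ms  64.222.166.167
  4    28 ms    28 ms    29 ms  burl-lnk-70-109-168-138.ngn.east.myfairpoint.net
 [70.109.168.138]
 16    70 ms    70 ms    69 ms  74.120.47.234
 17    70 ms    70 ms    70 ms  192.168.1.2
 18     *        *        *     Request timed out.
"""

def parse_hops(text):
    """Return [(hop_number, ip_or_None)] from Windows tracert output."""
    hops = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:  # the address is the last token, bare or in [brackets]
            ip = ipaddress.ip_address(line.split()[-1].strip("[]"))
        except ValueError:
            ip = None
        m = HOP_RE.match(line)
        if m:
            hops.append([int(m.group(1)), ip])
        elif ip is not None and hops and hops[-1][1] is None:
            hops[-1][1] = ip  # wrapped "[addr]" continuation of previous hop
    return [tuple(h) for h in hops]

def leaked_private_hops(hops):
    """RFC 1918 hops that appear after the path has crossed a public address."""
    seen_public, leaked = False, []
    for num, ip in hops:
        if ip is None:
            continue
        if any(ip in net for net in RFC1918):
            if seen_public:
                leaked.append((num, str(ip)))
        else:
            seen_public = True
    return leaked

if __name__ == "__main__":
    print(leaked_private_hops(parse_hops(SAMPLE)))
```

Private hops before the first public address (hops 1 and 2 here) are not reported, since they sit inside the home LAN and the local ISP network.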



stormbow
Freedom isn't FREE
Premium
join:2002-07-31
Simi Valley, CA
reply to grasmussen
said by grasmussen:

Is it possible that someone could be scanning traffic through this 192.168.x.x hop for the purpose of recording private info such as online bank account information?

Jerry

If I was going to sniff your traffic, you would never know it. I would put a managed switch in the mix with a monitor port running. It would show no trace. I do it here to make sure we aren't having issues on our exterior segment. (We are not an ISP, so no, I'm not sniffing my coworkers' details.)

grasmussen

join:2012-11-29
Pompano Beach, FL
Thank you all for your input. Interesting feedback! Looks like some research as suggested by Tom could be entertaining and enlightening. Jerry