Is this fishy?

rezerekted

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 1.79 ms xxx.xxx.x.xxx
2 18.23 ms 10.29.146.1 <THIS?
3 19.78 ms plalca01ci01.bb.telus.com (75.154.217.78)
4 13.51 ms cache.google.com (209.52.189.113)

Starting Nmap 6.40 ( Nmap: the Network Mapper - Free Security Scanner ) at 2016-04-23 10:04 PDT
Nmap scan report for 10.29.146.1
Host is up (0.0065s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
53/tcp closed domain

From what I can tell it is a DNS server and/or for IPv6 but why is it between my router and my ISP? I've also found out since this came along I can no longer use 3rd party DNS servers such as OpenDNS, it always defaults to Telus.
 
Hell yes it's fishy, the guy is somewhere in your house! 10.0... are NAT-ed people.
 
I live in an apartment building. I talked to my ISP via online chat support about it some time ago and the woman was useless at explaining it to me, but I have researched it before and a post I came across said it is for handing out IP addresses, something to do with the limitation of IPv4 addresses. Need more opinions before getting paranoid but will contact my ISP about it again and hopefully get someone that knows more than reading from a script.

Look at the pings, it is very close to my ISP and not in my house/apartment.

Also, port 53 is for IPv6 and DNS going by my research. Although, I read they should be using UDP and not TCP for security reasons.
 
Do you have a double NAT? Ex: an ISP-provided router/modem, and then your own router? If you HAVE to use the provided router there's not much you can do unfortunately. Some may have a function to set up the internet connection as pass-through.

That, or your ISP is actually providing you with a "LAN" IP range from the get go, and that is their NAT router. That is super dirty if that's what they're doing though, as it means you can't really port forward anything. ISPs have this weird thing against people running servers anyway so from their point of view doing NAT for customers is not really a bad thing and saves them from buying more IPs.

Not sure if that's what they're doing though, just a thought. Check to see what your IP is at your router (you don't have to post it here) to see if it's a routable range or not.
 
Yes, it is a combo modem/router provided by the ISP that I am using. There is an option to use it in passthrough mode but my own router is packed away in a box buried deep somewhere and I can't be bothered to look for it until I move to a larger place. I expect it is what you say, it is the ISP's NAT router because they are short of IPv4 addresses, or something like that.

I remember at my last ISP they went through a USA military address first for the same reason, they leased the addresses from the military because they had lots of them. At first that made me paranoid until I did some research on it and found out it is a common thing to do now due to IPv4 address shortages. Either that, or it is all a lie and I am being surveilled. :nailbiting:

I see two IP addresses, my computer and the router.
 
I can no longer use 3rd party DNS servers such as OpenDNS, it always defaults to Telus.

Sounds like Telus is doing Layer 7 packet inspection and forcing DNS queries through their own servers. That's how most ISPs are doing piracy monitoring nowadays. In some cases certain addresses are "captured" and forwarded on to the ISP's own server. In other cases the forwarding is done by protocol, port or analysis of the packet.

Personally I tunnel all my DNS through 2 offsite servers (in another country, as it happens) via site-to-site VPNs. I do it for other reasons than "easy ISP monitoring" or "DNS hijacking" but I guess it does bypass that too. I do it because I run a multi-site AD setup and it's just easier to have DNS offsite in a datacenter.
 
I went into router settings and see they now have separate IP and DNS settings for IPv4 and IPv6. I manually set IPv4 to OpenDNS and tested it using the OpenDNS web page and it said it was configured correctly, but then I tested it again five minutes later and it failed, so I set it back to dynamic DNS. I see I can disable IPv6 in the router, so if I did that I could probably get OpenDNS working, but I didn't try it. I know OpenDNS won't work with IPv6 so I should try and disable IPv6 completely and see how it goes. DNS poisoning is something that concerns me too because I downloaded ettercap and now see just how easy it is to do. Also, I have been a victim of DNS poisoning in the past. With ettercap they can even strip SSL.

One thing I don't like about ISP routers: there is no way to clone or change the MAC address. My own router is a Linux router with Tomato firmware so I should go find it.
 
That would have freaked me out.

Well, you know, when I really think about it, them claiming they are doing it due to a shortage of IPv4 addresses would be the perfect ruse for the USA government to do packet inspection on Canadians. Like, who wants a connection to, say, Seattle, to be first routed all the way to a Texas military base and then back up to Seattle? Yea, it looked real fishy to me and others too, and that is why I researched what was going on.

I'm going to phone my ISP and find out exactly why they have this router between me and them.
 
Well, let us know what you find out. Please do not think I was trying to encourage fear or suspicion.
 
If you saw a router address between you and your ISP you would not question it? Question everything "bro".

Anyway, got OpenDNS working fine by disabling IPv6 in the router so am good to go now.
 
0110011001110101011000110110101100100000011011110110011001100110

It means it is a NAT router that all my traffic is passing through and I want to know exactly why. Problem?
 
Have you tried unleashing nmap upon the suspect?
Maybe something obvious would pop out - such as a tell-tale NIC vendor or operating system.
 
It's common practice for ISPs to use private IP address ranges within their own network.
 
I've been on the Internet since 1993 and seeing another address before your ISP's has only started popping up in the last few years. You're telling me it is not prudent to find out why an unknown address is there before your ISP's and I should just trust blindly? That doesn't seem very wise to me.

BTW, I have a good reason for being paranoid, which I won't get into here.

@micharlz, I've already run nmap on it as posted above to get some info, but that is the first time I have ever used it so I don't know the more advanced stuff I can do with it. I installed ettercap, snort and dsniff in Linux too but know very little about how to use them as well. I did run arp cop in ettercap and a couple of other intrusion detection plugins and came up clean. I also have wireshark in Windows but I can't make much out of what it is showing me. I have read some tutorials on these progs so am learning as I go.
 
It's not an unknown IP address, if anything call your ISP and create a ticket.
 
I've already talked to support and they know shit, so I have been given a phone number to call.

It's an address of a box between me and my ISP; let me state that again, between my router address and my ISP's address. I'm just curious to know exactly what it is for, like is it being used for DPI on their customers, etc.

You have nothing of value to add so go post elsewhere.
 
Keep in mind that whether or not there is a "black box", the government sees all your packets anyway. They pretty much deep inspect the whole internet as they have sniffers at key gateway points in COs. Not sure how long they keep it though as it's a ridiculously huge amount of data, but I guess they build metadata on the fly and then just keep that. They have huge data centres all over dedicated to this. So the best bet for privacy is VPN + Tor; it won't guarantee privacy but at least makes their job harder. They are more likely to drop encrypted traffic due to lack of time/space than clear text that can quickly be turned into metadata and stored. Though I could be underestimating their capabilities as well.
 
@ rezerekted
Since you have no clue at least show some respect. It's normal....


Code:
traceroute www.yahoo.co.jp
traceroute to www.yahoo.co.jp (124.83.203.233), 30 hops max, 38 byte packets
1  10.244.130.17 (10.244.130.17)  20.147 ms  19.624 ms  19.998 ms
2  195.54.104.201 (195.54.104.201)  15.790 ms  16.340 ms  15.789 ms
3  ti3002d401-xe0-2-1.ti.telenor.net (146.172.81.93)  16.539 ms  17.327 ms  16.799 ms
4  ti3002c400-ae4-0.ti.telenor.net (146.172.19.206)  50.696 ms  49.454 ms  49.062 ms
5  ti3003c400-ae0-0.ti.telenor.net (146.172.100.70)  49.318 ms  49.422 ms  49.557 ms
6  ti9002b400-ae0-0.ti.telenor.net (146.172.105.14)  49.335 ms  48.922 ms  49.453 ms
7  ldn001bb10.iij.net (195.66.225.237)  49.517 ms  49.175 ms  49.621 ms
8  ldn001bb11.IIJ.Net (58.138.98.142)  50.041 ms  49.466 ms  tky001bb08.IIJ.Net (58.138.98.137)  217.651 ms
9  tky001bb08.IIJ.Net (58.138.98.133)  220.326 ms  219.971 ms  tky001bf01.IIJ.Net (58.138.82.125)  232.270 ms
10  osk005bf01.IIJ.Net (58.138.98.2)  231.228 ms  osk005bf00.IIJ.Net (58.138.84.66)  230.204 ms  tky001bf00.IIJ.Net (58.138.82.121)  217.138 ms
11  osk004ix50.IIJ.Net (58.138.81.198)  226.660 ms  osk004ix50.IIJ.Net (58.138.81.222)  229.360 ms  osk004ix50.IIJ.Net (58.138.81.198)  226.781 ms
12  210.138.106.238 (210.138.106.238)  229.620 ms  247.763 ms  229.135 ms
13  124.83.252.226 (124.83.252.226)  229.970 ms  210.138.106.238 (210.138.106.238)  231.650 ms  124.83.252.226 (124.83.252.226)  229.429 ms
14  124.83.128.170 (124.83.128.170)  229.106 ms  124.83.252.226 (124.83.252.226)  232.379 ms  232.022 ms
15  *  *  124.83.128.170 (124.83.128.170)  232.378 ms
16  *  *^C

</tinfoilhat>

Taken from a box running busybox (hence the somewhat odd layout).
 
She's right behind you. And she's putting a spider on either your right or left shoulder! It's a big, hairy, mean spider. And it's carrying a stick!
 
Call me a tinfoil hat wearer all you want but there is a damn good reason I have tinfoil on the walls of my apartment. And if you think your ISPs are on the up and up then you are fools.
 
Call me a tinfoil hat wearer all you want but there is a damn good reason I have tinfoil on the walls of my apartment. And if you think your ISPs are on the up and up then you are fools.

Maybe, but the fact that they have a router on their network between you and the internet isn't evidence of that.
 
@ rezerekted
Since you have no clue at least show some respect. It's normal....


Code:
traceroute www.yahoo.co.jp
traceroute to www.yahoo.co.jp (124.83.203.233), 30 hops max, 38 byte packets
1  10.244.130.17 (10.244.130.17)  20.147 ms  19.624 ms  19.998 ms
2  195.54.104.201 (195.54.104.201)  15.790 ms  16.340 ms  15.789 ms
3  ti3002d401-xe0-2-1.ti.telenor.net (146.172.81.93)  16.539 ms  17.327 ms  16.799 ms
4  ti3002c400-ae4-0.ti.telenor.net (146.172.19.206)  50.696 ms  49.454 ms  49.062 ms
5  ti3003c400-ae0-0.ti.telenor.net (146.172.100.70)  49.318 ms  49.422 ms  49.557 ms
6  ti9002b400-ae0-0.ti.telenor.net (146.172.105.14)  49.335 ms  48.922 ms  49.453 ms
7  ldn001bb10.iij.net (195.66.225.237)  49.517 ms  49.175 ms  49.621 ms
8  ldn001bb11.IIJ.Net (58.138.98.142)  50.041 ms  49.466 ms  tky001bb08.IIJ.Net (58.138.98.137)  217.651 ms
9  tky001bb08.IIJ.Net (58.138.98.133)  220.326 ms  219.971 ms  tky001bf01.IIJ.Net (58.138.82.125)  232.270 ms
10  osk005bf01.IIJ.Net (58.138.98.2)  231.228 ms  osk005bf00.IIJ.Net (58.138.84.66)  230.204 ms  tky001bf00.IIJ.Net (58.138.82.121)  217.138 ms
11  osk004ix50.IIJ.Net (58.138.81.198)  226.660 ms  osk004ix50.IIJ.Net (58.138.81.222)  229.360 ms  osk004ix50.IIJ.Net (58.138.81.198)  226.781 ms
12  210.138.106.238 (210.138.106.238)  229.620 ms  247.763 ms  229.135 ms
13  124.83.252.226 (124.83.252.226)  229.970 ms  210.138.106.238 (210.138.106.238)  231.650 ms  124.83.252.226 (124.83.252.226)  229.429 ms
14  124.83.128.170 (124.83.128.170)  229.106 ms  124.83.252.226 (124.83.252.226)  232.379 ms  232.022 ms
15  *  *  124.83.128.170 (124.83.128.170)  232.378 ms
16  *  *^C

</tinfoilhat>

Taken from a box running busybox (hence the somewhat odd layout).

All this tells me is that your ISP is probably spying on you too. LOL

I bet you think the cops are the good guys too. Naive.
 
Everyone spies on everyone and has been doing so since the dawn of time... Are we really surprised by this? Come on guys. We don't need to make their jobs easy, and asking questions about this kind of stuff is the first step. Once we've figured out how they're screwing us we make it harder (VPN, Tor, proxies, etc). Then they figure out a way around our work-arounds and we're back at square one, and round and round it goes.
 
It's called Carrier-grade NAT (CGN). Providers use it to save IPv4 addresses.
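The traceroutes in this thread show exactly what the CGN explanation predicts: a private (RFC 1918) address at a hop beyond the home router, followed by the ISP's public routers. The script below is an added example (not posted by anyone in the thread) that parses traceroute output and labels each hop as RFC 1918 private, RFC 6598 shared address space (the 100.64.0.0/10 block reserved for carrier-grade NAT), or public, then reports whether any private or shared address sits beyond hop 1. The sample hop lists are constructed from the thread's traceroutes, with the redacted first hop replaced by an assumed typical home-router address.

```python
"""Classify traceroute hops to spot ISP-side private or CGNAT addressing.

Added example, not code from the thread. It parses the hop lines of a
traceroute and labels each address as RFC 1918 private, RFC 6598 shared
(CGNAT) space, or public. A private/shared address at hop 2 or later, i.e.
beyond the home router, is the signature of carrier-grade NAT or another
ISP-side NAT layer (not, by itself, evidence of interception).
"""
import ipaddress
import re

# Constructed sample based on the first traceroute in the thread; the
# redacted hop-1 address is replaced by an assumed home-router address.
SAMPLE_TRACEROUTE = """\
1 1.79 ms 192.168.1.1
2 18.23 ms 10.29.146.1
3 19.78 ms plalca01ci01.bb.telus.com (75.154.217.78)
4 13.51 ms cache.google.com (209.52.189.113)
"""

# Constructed second sample: the only private hop is the home router itself.
SAMPLE_NO_CGN = """\
1  10.244.130.17 (10.244.130.17)  20.147 ms
2  195.54.104.201 (195.54.104.201)  15.790 ms
3  *  *  *
"""

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")   # RFC 6598 shared address space

# hop number, then the first dotted-quad on the line (bare or in parentheses)
HOP_RE = re.compile(r"^\s*(\d+)\s.*?(\d{1,3}(?:\.\d{1,3}){3})")


def classify(addr):
    """Return 'rfc1918-private', 'rfc6598-cgnat', 'public' or 'other'."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in PRIVATE_NETS):
        return "rfc1918-private"
    if ip in CGNAT_NET:
        return "rfc6598-cgnat"
    if ip.is_global:
        return "public"
    return "other"          # loopback, link-local, reserved, etc.


def parse_hops(text):
    """Yield (hop_number, address) for each line that shows an address."""
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2)


def analyze(text):
    """Classify every hop and judge whether NAT exists beyond the home router."""
    hops = [(n, a, classify(a)) for n, a in parse_hops(text)]
    # Hop 1 is normally your own router, so only later hops count as evidence.
    isp_side = [h for h in hops
                if h[0] > 1 and h[2] in ("rfc1918-private", "rfc6598-cgnat")]
    if isp_side:
        verdict = "isp-side-private-addressing"   # CGN or a provider NAT layer
    else:
        verdict = "no-nat-beyond-home-router"
    return {"hops": hops, "isp_side_hops": isp_side, "verdict": verdict}


if __name__ == "__main__":
    for sample in (SAMPLE_TRACEROUTE, SAMPLE_NO_CGN):
        result = analyze(sample)
        for n, addr, kind in result["hops"]:
            print(f"hop {n:2d}  {addr:16s} {kind}")
        print("verdict:", result["verdict"], "\n")
```

Run it against your own `traceroute` output by pasting the hop lines into `analyze()`. The first hop is deliberately excluded from the verdict because it is almost always your own router; in the Telenor trace the 10.244.130.17 at hop 1 therefore tells you nothing on its own, whereas the 10.29.146.1 at hop 2 in the Telus trace is the ISP's side of a NAT boundary. A hop in 100.64.0.0/10 would be the clearest CGN indicator, since that block exists only for that purpose.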
 
All this tells me is that your ISP is probably spying on you too. LOL

I bet you think the cops are the good guys too. Naive.

Once again, this is in no way evidence of spying; however, we already know that Rogers and Bell monitor all their web traffic on behalf of the Canadian government, so I'm sure Telus does too. This has been all over the media so I'm surprised you don't know about it. All US internet providers are monitored by US authorities too.
 
I know about it, but unlike you brown-nosers I make an issue out of it and make sure others know about it too.
 