main1colo45-core2-oc48.lga2.above.net (216.200.127.174) (New York, NY)
This last one above (216.200.127.174) is a colocated server at above.net in NYC.
From there, using a small piece of IP redirector software that they call "Triangle Boy", Safeweb just bounces packets around their network.
About half the pings timed out before the last hop at:
208.184.48.173.safeweb.com (San Jose, CA)
A few hit a "private" address after 208.184.48.173:
10.100.0.2 (no location)
Likely just an internal Proxy-less netblock.... this is done often for private, non-routable IP addresses within a network. In other words, packets route ONLY in the internal network, routers are programmed to ignore any packets within such netblocks.
before ending at:
64.124.150.130.safeweb.com (San Jose, CA)
Interpretation is needed for:
1. How much about the Safeweb stations is true and how much cloaking.
It's all true until you hit the colocated box. Then it's all cloaking.
2. Why some pings timed out and others didn't.
ICMP squelching is why.... you can selectively stop ICMP return packets from being sent.... often done to protect the "topography" of a network. If you can't hear the pings, you can count the servers or hops in a network path.
3. Phantom station 10.100.0.2
See above... not a phantom, just can't route.
4. Whether the San Jose hops actually go to San Jose or are spoofed.
It doesn't really matter..... even if the server is physically in San Jose, which I doubt, so what? The end user connecting to that specific server could have been anywhere -- in the Hindu Kush mountains, for instance :)
5. Why go to New York then hop across the continent unless the last hops are just administrative not physical.
They are probably not administrative... they exist to basically make the lives of anyone tracking a lone packet miserable :) Basically, it's just an inserted path to hide the origin of the packet.
6. How is cloaking done on addresses and physical locations
Email me offline.... I can answer some questions on this, but to really understand it you basically have to understand how TCP works. But this kind of "cloaking" isn't really cloaking, it's just one simple technique partnered with a network that has enough depth to make it look like you're bouncing around from one place to another. I forget the specifics, but there's an old physics problem involving a black box and inputs and outputs. That's what you have here..... the black box isn't really so big, but because you can't see in it, you don't know EXACTLY how big, or more to the point, exactly what is in it. That's the idea behind ICMP squelching. btw, this is really a simple defense; it is somewhat easy to overcome, although that doesn't mean that you could actually learn anything useful by overcoming it.
Is cloaking done by a Safeweb program, say by address spoofer or by phantom proxies, or is there a way to do this by special agreement with Network Central (whatever that is), say, as Intel Web and other classified systems covertly use the Web.
:) Nothing special at all..... any well-designed network implements this right off the bat, to stop the little scripties from following a trail of bread crumbs. Safeweb DOES do some (simplistic) IP spoofing and "cloaking", but what you see is NOT it....
Mike
participants (1)
-
mikecabot@fastcircle.com
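An added example, not part of the original message: a small Python classifier for traceroute-style output that separates the two effects discussed above, hops that never answer (ICMP replies filtered) and hops that answer from RFC 1918 private space. The four addresses are the ones quoted in the message; the hop numbers, the silent hop and the output layout are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: addresses are quoted from the message above,
# hop numbers and the silent hop (10) are made up for the example.
SAMPLE = """\
 9  216.200.127.174
10  * * *
11  208.184.48.173
12  10.100.0.2
13  64.124.150.130
"""

# RFC 1918 private ranges: never routed on the public Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def classify_hops(text):
    """Return [(hop_number, address_or_None, label)] for each hop line."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        hop, rest = int(m.group(1)), m.group(2)
        found = IP_RE.search(rest)
        try:
            addr = ipaddress.ip_address(found.group(1)) if found else None
        except ValueError:          # looks like an IP but is not valid
            addr = None
        if addr is None:
            hops.append((hop, None, "no-reply"))
        elif any(addr in net for net in RFC1918):
            hops.append((hop, str(addr), "private"))
        else:
            hops.append((hop, str(addr), "public"))
    return hops

def summarize(hops):
    """Silent hops before a later answering hop were filtered, not dead ends."""
    last_answer = max((h for h, a, _ in hops if a), default=0)
    return {
        "filtered_hops": [h for h, a, _ in hops if a is None and h < last_answer],
        "private_addrs": [a for _, a, label in hops if label == "private"],
    }

if __name__ == "__main__":
    print(summarize(classify_hops(SAMPLE)))
```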