RIAA Safeweb Ping
mikecabot at fastcircle.com
Fri Oct 12 05:37:32 PDT 2001
> main1colo45-core2-oc48.lga2.above.net (216.200.127.174) (New York, NY)
This last one above (216.200.127.174) is a colocated server at
above.net in NYC.
From there, using a small piece of IP redirector software that they
call "Triangle Boy", Safeweb just bounces packets around their
network.
>
> About half the pings timed out before the last hop at:
>
> 208.184.48.173.safeweb.com (San Jose, CA)
>
> A few hit a "private" address after 208.184.48.173:
>
> 10.100.0.2 (no location)
Likely just an internal Proxy-less netblock.... this is done often
for private, non-routable IP addresses within a network. In other
words, packets route ONLY in the internal network, routers are
programmed to ignore any packets within such netblocks.
>
> before ending at:
>
> 64.124.150.130.safeweb.com (San Jose, CA)
>
> Interpretation is needed for:
>
> 1. How much about the Safeweb stations is true and how much cloaking.
It's all true until you hit the colocated box. Then it's all cloaking.
> 2. Why some pings timed out and others didn't.
ICMP squelching is why.... you can selectively stop ICMP return
packets from being sent.... often done to protect the "topography" of
a network. If you can't hear the pings, you can count the servers or
hops in a network path.
> 3. Phantom station 10.100.0.2
See above... not a phantom, just can't route.
> 4. Whether the San Jose hops actually go to San Jose or are spoofed.
It doesn't really matter..... even if the server is physically in San
Jose, which I doubt, so what? The end user connecting to that
specific server could have been anywhere -- in the Hindu Kush
mountains, for instance :)
> 5. Why go to New York then hop across the continent unless the
> last hops are just administrative not physical.
They are probably not administrative... they exist to basically make
the lives of anyone tracking a lone packet miserable :) Basically,
it's just an inserted path to hide the origin of the packet.
> 6. How is cloaking done on addresses and physical locations
Email me offline.... I can answer some questions on this, but to
really understand it you basically have to understand how TCP works.
But this kind of "cloaking" isn't really cloaking, it's just one
simple technique partnered with a network that has enough depth to
make it look like you're bouncing around from one place to another.
I forget the specifics, but there's an old physics problem involving
a black box and inputs and outputs. That's what you have here.....
the black box isn't really so big, but because you can't see in it,
you don't know EXACTLY how big, or more to the point, exactly what is
in it. That's the idea behind ICMP squelching.
btw, this is really a simple defense; it is somewhat easy to
overcome, although that doesn't mean that you could actually learn
anything useful by overcoming it.
>
> Is cloaking done by a Safeweb program, say by address spoofer or by
> phantom proxies, or is there a way to do this by special agreement
> with Network Central (whatever that is), say, as Intel Web and other
> classified systems covertly use the Web.
:) Nothing special at all..... any well-designed network implements
this right off the bat, to stop the little scripties from following a
trail of bread crumbs. Safeweb DOES do some (simplistic) IP spoofing
and "cloaking", but what you see is NOT it....
Mike
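
Added example, not part of the original post: a Python sketch that reads a trace like the one discussed above and separates hops that never answered (ICMP replies suppressed or rate-limited) from hops that answered from an RFC 1918 address. It assumes Unix `traceroute -n` style output; the sample lines are constructed (addresses taken from the post, hop numbers and timings invented) and `classify_hops` is a hypothetical name.

```python
import ipaddress
import re

# Constructed sample in the style of `traceroute -n`; the addresses are the
# ones quoted in the post, hop numbers and round-trip times are invented.
SAMPLE = """\
 9  216.200.127.174  21.4 ms  20.9 ms  22.0 ms
10  208.184.48.173  88.1 ms  *  87.6 ms
11  10.100.0.2  89.0 ms  *  *
12  * * *
13  64.124.150.130  90.2 ms  91.0 ms  89.7 ms
"""

# Private, non-routable blocks reserved by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def classify_hops(text):
    """Return a list of (hop, address or None, label, lost_probes)."""
    results = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        hop, rest = int(m.group(1)), m.group(2)
        lost = rest.count("*")          # each '*' is a probe with no reply
        ip_match = IP_RE.search(rest)
        if ip_match is None:
            # No reply at all: the hop exists but does not send ICMP back.
            results.append((hop, None, "silent", lost))
            continue
        try:
            addr = ipaddress.ip_address(ip_match.group(1))
        except ValueError:
            continue                    # not a valid IPv4 address, skip line
        # A private source address means the router replied from an
        # internal interface; it is a real hop, just not reachable directly.
        label = "rfc1918" if any(addr in n for n in RFC1918) else "public"
        results.append((hop, str(addr), label, lost))
    return results


if __name__ == "__main__":
    for row in classify_hops(SAMPLE):
        print(row)
```

A "silent" row or a nonzero lost-probe count means replies were withheld at that hop, not that the path ends there; later hops answering show traffic still passes through.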