Testing whether devices are NordVPN proxies

Mirimir mirimir at riseup.net
Wed Dec 4 03:47:46 PST 2019


It seems that NordVPN is routing traffic to Disney+ through many
residential IPv4 in the US.[0,1] As much as I love VPN services, it
would suck if people's devices are unwittingly serving as NordVPN exits.
Even if it's just for something as innocuous as Disney+.

And it's easy to test that yourself, if you have a NordVPN account. If
you're hitting a site using the Akamai CDN via one of NordVPN's US
servers, you can see the server's exit IP address:

$ curl -LIX GET https://foo.bar -H 'Pragma: akamai-x-get-client-ip'

Generally, the "X-Akamai-Pragma-Client-IP" is the same as the server's
nominal exit IP address:

$ w3m -dump https://ipchicken.com

But when hitting https://www.disneyplus.com it's not. But rather, it's
some IPv4 from a residential ASN. Which you can check using
https://ipinfo.io or whatever.

I've seen no definitive information about the nature of these
residential proxies. They might be NordVPN customers in the US, although
that seems too footgun. Or they might have installed some third-party
app with a bundled proxy server. Or it could even be outright malware.

But in any case, it'd be cool if people could determine whether their
devices are being used as NordVPN exits.

I've run about 300 tests so far, on a few of NordVPN's US servers, and
found about 270 distinct proxy addresses. And so I've hacked a simple
Linux test script, using hashed "X-Akamai-Pragma-Client-IP" values.[2]

Just save the code block at the top as "test.sh" or whatever. Then do
"chmod u+x", and execute in the terminal. It'll prompt "IPv4 to search
for?". Type an IPv4, and hit "Enter".

This is howling in the void, I know. But so it goes.

0) https://www.wilderssecurity.com/thr...it-might-be-through-your-own-computer.423660/
1) https://news.ycombinator.com/item?id=21664692
2) https://pastebin.com/YYc9Kuax
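
The hashed lookup described in the post, sketched as an added example (it is not the script behind the pastebin link, which is not reproduced on this page). It assumes the list holds one unsalted SHA-256 hex digest per line; the function names and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: look up an IPv4 in a list of hashed addresses.
# Assumed list format: one lowercase SHA-256 hex digest per line, unsalted.

# Accept only canonical dotted-quad form, so the same address always
# hashes to the same digest (no leading zeros, no stray whitespace).
valid_ipv4() {
    addr=$1
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            [0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]) ;;
            *) return 1 ;;
        esac
    done
}

# Print the hex digest of an address; status 2 on malformed input.
hash_ip() {
    valid_ipv4 "$1" || return 2
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Status 0 if the address's digest is in the list file, 1 if not, 2 on bad input.
is_listed() {
    digest=$(hash_ip "$1") || return 2
    grep -qxF -- "$digest" "$2"
}

# Constructed sample list from documentation-range addresses (RFC 5737).
build_sample_list() {
    list=$(mktemp)
    for sample in 192.0.2.10 198.51.100.23 203.0.113.77; do
        hash_ip "$sample"
    done > "$list"
    printf '%s\n' "$list"
}

list=$(build_sample_list)
for candidate in 198.51.100.23 192.0.2.11; do
    if is_listed "$candidate" "$list"; then echo "$candidate: listed"
    else echo "$candidate: not listed"; fi
done
rm -f "$list"
```

Because the IPv4 space is small, an unsalted digest list hides addresses from casual reading only and should not be treated as anonymized data.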

