Sometimes you are not even safe behind a locked door...

This morning as I powered up the systems I use to get on the internet and research the day’s articles, I found that I was not able to get anywhere, although everything appeared to be working the way it should. My cable modem was working, my edge firewall had a valid IP address, and DNS all looked OK. Still, no traffic was being routed out. I flushed the IP address and DNS resolvers internally and externally to no avail. Finally I power-cycled the modem; after an unusually long period of time the modem came back up, but with an IP address that was nothing like the ones I have been receiving from RoadRunner for the past several years. It was not even close to the same subnet.

A call put into RoadRunner’s tech support yielded the “we are experiencing high call volume” message and a rather long wait time. While I was waiting I did some poking around and found that my traffic was being routed through two IP addresses that showed up as part of RoadRunner’s residential IP address pool. This is rather unusual, as normal traffic should never be routed through anything but edge hardware and the servers it is intended to reach. Once the “tech” came on the line I was told that my traffic could go through other people’s servers or hardware anytime I was on the Internet. Oddly enough, after almost 20 years in IT I have never heard of any ISP routing customer traffic through residential systems. The tech later recanted and then dropped the comment completely. When I let them know that my internet speed was lower than normal (not much, but enough to notice) and that websites were very slow to respond, they had me run speed tests. The pings on this test were 223-337 ms (VERY high for an 18 Mbps connection), and the speeds were between 8 and 9 Mbps.

I was then told it was the fault of my router (which has worked for the past year without issue and had been rebooted, with all logs and cache cleared). I commented that the issue only began after my IP block changed this morning. The tech then informed me that my IP address would change every 2 hours (yes, that is what I was told). Anyone who knows how DHCP works knows that it does not just change every 2 hours unless forced or the lease is deleted. About a week ago we had line issues and a tech came out with a new modem, replaced all wall jacks and cable ends, and then tested the line. After being down for about two hours I still received the same IP when the new modem (with a new MAC address) was plugged in. This was over a week ago, which means that the idea of getting a new IP every two hours is out of the question.

To add to this little mix, when I attempted to go to a secure website (HTTPS) I started receiving certificate revocation errors. This happened even when trying to connect to Facebook over HTTPS, or any other HTTPS site. Normally this only happens when something is messing with your traffic (or your computer is infected with malware that uses a proxy). To test this I tried to connect to the same sites with a new install that had not been on the internet yet, and received the alert for Facebook, the Java downloader site, and a few others. Running the same system over a cellular connection, the sites came up without issue or warning.
Now, after that I was transferred to a “network technician” who, after several minutes, decided to flush the modem and get it to reset. Despite trying several times and even removing the firewall from the network, the traffic is still getting routed through those two unusual IP addresses. Even the RoadRunner tech was unable to identify them and stated that they were not their hardware (even though they are RoadRunner IP addresses). So far all traceroute tests have come back with an absent default gateway (the one assigned does respond to pings, though); the second hop in the traceroute shows as “request timed out” and from there we are off into ten0-3-0.orld12-ser1.bhn.net [72.31.194.108]. In the end the tech declared the modem’s MAC (Machine Address Code) compromised and said we will have to replace it. As of this writing we are still not able to identify what sort of hardware those two systems belong to; they continue to show up in the same places no matter what site we try to trace to. It was after this that we stumbled across a post on broadbandreports.com from about two years ago which seemed to indicate that RoadRunner was routing certain traffic destined for certain sites through specific servers. In the post, the sites that shared the 66.109.10.62 IP address that we saw were all porn sites. This has us wondering if there is some logging going on with these servers. We were unable to find anything about the other IP (107.14.19.36), but in all cases it comes before the 66.109.10.62 address.
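One way to turn the trace comparison described above into a repeatable check, as an added example that is not code from the original post: it parses Windows tracert output and reports every hop that shows up before the first known ISP backbone router but was not in a baseline trace taken on a known-good day. The sample listing, the LAN gateway 192.168.1.1, the destination and the baseline set are constructed assumptions; only the three public addresses come from the post.

```python
"""Report hops in a tracert listing that a baseline trace lacked (added example)."""
import ipaddress
import re

# Constructed tracert output modelled on the post; hop positions are assumed,
# only the three public addresses come from the post.
SAMPLE_TRACERT = """\
Tracing route to example.test [203.0.113.10]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  192.168.1.1
  2     *        *        *     Request timed out.
  3    45 ms    47 ms    46 ms  107.14.19.36
  4    48 ms    51 ms    49 ms  66.109.10.62
  5    52 ms    50 ms    53 ms  ten0-3-0.orld12-ser1.bhn.net [72.31.194.108]
"""
# Hops recorded on a known-good day (assumed): the LAN gateway and the first
# ISP backbone router.  Anything new before that router is a path change.
BASELINE_HOPS = {"192.168.1.1", "72.31.194.108"}
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_hops(text):
    """[(hop_number, address_or_None), ...]; headers skipped, no reply -> None."""
    hops = []
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s", line)
        if m:
            addrs = IPV4_RE.findall(line)
            hops.append((int(m.group(1)), addrs[-1] if addrs else None))
    return hops

def unexpected_hops(text, baseline):
    """Hops up to the first known backbone router that are not in the baseline.
    RFC 1918 addresses are skipped; a hop that no longer answers is (n, None)."""
    findings = []
    for number, addr in parse_hops(text):
        if addr is None:
            findings.append((number, None))
            continue
        ip = ipaddress.ip_address(addr)
        if addr in baseline:
            if not ip.is_private:
                break  # reached the known backbone; the rest is the ISP's
            continue
        if not ip.is_private:
            findings.append((number, addr))
    return findings

if __name__ == "__main__":
    for number, addr in unexpected_hops(SAMPLE_TRACERT, BASELINE_HOPS):
        print(f"hop {number}: {addr or 'no reply'} -- not in baseline")
```

On the sample it reports hop 2 (no reply) and the two addresses at hops 3 and 4, then stops at the known bhn.net router; feed it live `tracert` output and a baseline saved while the path was normal.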

We will be following this up with more information after we have replaced the modem and moved to a different edge firewall (just in case its MAC is compromised). The questions we have now are: why is traffic being routed through these two IPs, what are these IPs assigned to, and who really owns these devices? We also have to wonder why the technicians on the phone told us that these IPs were not their hardware. We will be keeping a very close eye on the situation and will be investigating this further to see if we can determine more about what is going on. There is too much going on in closed rooms lately for us not to want to check out what RoadRunner is doing at this point. Even if the modem is not compromised (as we were told), the unusual way that traffic is being routed is cause for concern. At this point, we are not all that certain that our modem was "compromised" at all.
