[AusNOG] Telstra's Texan Teaser - Tin Foil Stetsun anyone?

Matthew Moyle-Croft mmc at mmc.com.au
Mon Jun 25 12:27:58 EST 2012


> 50.57.190.113 

is the one: "50-57-190-113.static.cloud-ips.com" is the reverse mapping, and it appears to come from Rackspace in Chicago.

There's a cluster of them over there.  I've seen a few different ones.  This isn't some minor test.

MMC

On 25/06/2012, at 11:55 AM, Joshua D'Alton wrote:

> 58.163.175.187, I assume you are all meaning? That is a Telstra proxy of some sort, as is 1.136.95.242
> 
> On Mon, Jun 25, 2012 at 12:20 PM, Terry Manderson <terry at terrym.net> wrote:
> 
> My jaw dropped when I saw this.
> 
> And indeed confirmed on my Telstra SIM and a new valid URL:
> 
> 58.163.175.xxx - - [24/Jun/2012:21:58:46 -0400] "GET /sn.html HTTP/1.1" 200 340 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3"
> 50.57.190.113 - - [24/Jun/2012:21:58:47 -0400] "GET /sn.html HTTP/1.0" 200 341 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0"
> 
> and then to confirm carrier and not phone, swapped to an AT&T travel SIM.
> 
> 166.137.11.xxx - - [24/Jun/2012:22:05:50 -0400] "GET /sn.html HTTP/1.1" 200 378 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3"
> 
> No followup GET seen.
> 
> I think like everyone, I would be most interested to see an explanation of the additional GET from a location in the US.
> 
> T.
> 
> 
> 
> On 25/06/2012, at 10:23 AM, Nicholas Weekley wrote:
> 
> > I too have discovered similar traffic...
> >
> > Legit:
> > 58.163.175.xxx /services.html 6/25/12 10:08 AM Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit
> >
> > CIA/NSA/Those-out-to-get-me
> > 50.56.58.47 /services.html 6/25/12 10:08 AM Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906
> >
> > A quick signature scan of 50.56.58.47 identifies it as a squid proxy server based in Texas too. My best guess is the proxy takes time to process the retrieved page, so initial connections go directly to the source and subsequent requests to the proxy if valid caching occurs.
> >
> > Regards,
> >
> > Nicholas Weekley
> > TSM32 Pty Ltd
> >
> >
> > From: ausnog-bounces at lists.ausnog.net [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Eric Pinkerton
> > Sent: Monday, 25 June 2012 09:50
> > To: ausnog at ausnog.net
> > Subject: [AusNOG] Telstra's Texan Teaser - Tin Foil Stetsun anyone?
> >
> > Ausnoggers..
> >
> > Whilst there is a lot of tin foil hattery and other spasticity on this WP thread, http://forums.whirlpool.net.au/archive/1935438 - the questions it throws up have made me curious, especially given Telstra's official response in the following article:
> >
> > http://www.scmagazine.com.au/News/305928,telstra-says-its-not-spying-on-users.aspx
> >
> > "But in a short statement, Telstra's senior media boss Craig Middleton said the company's wireless network management assured that 'there is nothing untoward in what the Whirlpool member has observed - it is a normal network operation'." NOTHING TO SEE HERE, MOVE ALONG.
> >
> > In short, if you make a request to a web server on port 80 from a Telstra mobile, you'll see a request immediately after your legit request from the Telstra gateway that originates from a US IP address hosted at Rackspace.
> >
> > Legit request..
> > 58.163.xxx.xxx - - [24/Jun/2012:23:12:09 +0000] "GET /test101 HTTP/1.1" 404 464 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3"
> >
> > Curious identical request follows...
> > 50.57.190.97 - - [24/Jun/2012:23:12:09 +0000] "GET /test101 HTTP/1.0" 404 526 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0"
> >
> > Whilst I accept this is probably benign, and can think of several reasons why the output of such a process might be of value to Telstra, I find myself less convinced than a certain senior media boss seems to be that this is "a normal network operation". To me, normal would be to, say, pull this info straight from the proxy server.
> >
> > Also, just to be awkward, I am curious as to why a cloud provider would be using what looks a lot like a cluster of VPSs in someone else's cloud based out of Texas ;-)
> >
> > Also why is there a black helicopter hovering above me?
> >
> > So many questions....
> >
> > Discuss!
> >
> >
> > E
> >
> >
> >
> > _______________________________________________
> > AusNOG mailing list
> > AusNOG at lists.ausnog.net
> > http://lists.ausnog.net/mailman/listinfo/ausnog
> 
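As an added example (not code from any poster in this thread), the following Python script looks for the pattern the thread describes in a web server's own access logs: a second GET for the same path, from a different address with a different User-Agent, arriving within a few seconds of the original request. The log lines below are constructed after the excerpts quoted above; RFC 5737 documentation addresses stand in for the masked handset addresses, 50.57.190.113 is the Rackspace address reported in the thread, and the five-second window and the output field names are assumptions of this example.

```python
import re
from datetime import datetime

# Apache "combined" access-log format, the format of the lines quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (not real traffic). 198.51.100.10 and 203.0.113.25 are
# documentation addresses standing in for the masked handset addresses in the
# thread; 50.57.190.113 is the follow-up address reported there.
SAMPLE_LOG = [
    '198.51.100.10 - - [24/Jun/2012:21:58:46 -0400] "GET /sn.html HTTP/1.1" 200 340 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 '
    '(KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3"',
    '50.57.190.113 - - [24/Jun/2012:21:58:47 -0400] "GET /sn.html HTTP/1.0" 200 341 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0"',
    # A handset on another carrier: no follower arrives within the window.
    '203.0.113.25 - - [24/Jun/2012:22:05:50 -0400] "GET /sn.html HTTP/1.1" 200 378 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 '
    '(KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3"',
    # The same handset reloading two seconds later: same IP, must not be flagged.
    '203.0.113.25 - - [24/Jun/2012:22:05:52 -0400] "GET /sn.html HTTP/1.1" 200 378 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 '
    '(KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3"',
    # Junk line, to show the parser skips what it cannot read.
    'not a log line at all',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    return entry


def find_shadow_requests(lines, window_seconds=5):
    """Pair each request with any later request for the same path that arrives
    within window_seconds from a different IP with a different User-Agent."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    entries.sort(key=lambda e: e["ts"])
    pairs = []
    for i, orig in enumerate(entries):
        for follower in entries[i + 1:]:
            delta = (follower["ts"] - orig["ts"]).total_seconds()
            if delta > window_seconds:
                break  # entries are time-sorted, so nothing later can qualify
            if (follower["path"] == orig["path"]
                    and follower["ip"] != orig["ip"]
                    and follower["ua"] != orig["ua"]):
                pairs.append((orig, follower))
    return pairs


def describe(pair):
    """Summarise one flagged pair as a flat dict suitable for a report or alert."""
    orig, follower = pair
    return {
        "path": orig["path"],
        "client_ip": orig["ip"],
        "follower_ip": follower["ip"],
        "delay_s": (follower["ts"] - orig["ts"]).total_seconds(),
        "follower_proto": follower["proto"],  # the thread's followers used HTTP/1.0
        "follower_ua": follower["ua"],
    }


if __name__ == "__main__":
    for pair in find_shadow_requests(SAMPLE_LOG):
        print(describe(pair))
```

Against a real log, read the file's lines into `find_shadow_requests` instead of `SAMPLE_LOG`; the flagged follower addresses are then the ones to look up with reverse DNS and whois, as Matthew did above. The script itself makes no network lookups, so it can be run offline on an exported log.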
