[AusNOG] Telstra's Texan Teaser - Tin Foil Stetsun anyone?
Nicholas Weekley
nweekley at tsm32.com
Mon Jun 25 10:23:04 EST 2012
I too have discovered similar traffic...
Legit:
58.163.175.xxx /services.html 6/25/12 10:08 AM Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit
CIA/NSA/Those-out-to-get-me
50.56.58.47 /services.html 6/25/12 10:08 AM Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906
A quick signature scan of 50.56.58.47 identifies it as a Squid proxy server based in Texas too. My best guess is the proxy takes time to process the retrieved page, so initial connections go directly to the source and subsequent requests to the proxy if valid caching occurs.
Regards,
Nicholas Weekley
TSM32 Pty Ltd
From: ausnog-bounces at lists.ausnog.net [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Eric Pinkerton
Sent: Monday, 25 June 2012 09:50
To: ausnog at ausnog.net
Subject: [AusNOG] Telstra's Texan Teaser - Tin Foil Stetsun anyone?
Ausnoggers..
Whilst there is a lot of tin foil hattery and other spasticity on this WP Thread, http://forums.whirlpool.net.au/archive/1935438 - the questions it throws up have made me curious, esp. given Telstra's official response in the following article:
http://www.scmagazine.com.au/News/305928,telstra-says-its-not-spying-on-users.aspx
"But in a short statement, Telstra's senior media boss Craig Middleton said the company's wireless network management assured that 'there is nothing untoward in what the Whirlpool member has observed - it is a normal network operation'." NOTHING TO SEE HERE, MOVE ALONG.
In short, if you make a request to a web server on port 80 from a Telstra mobile, you'll see a request immediately after your legit request from the Telstra gateway that originates from a US IP address hosted at Rackspace.
Legit request..
58.163.xxx.xxx - - [24/Jun/2012:23:12:09 +0000] "GET /test101 HTTP/1.1" 404 464 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3"
Curious identical request follows...
50.57.190.97 - - [24/Jun/2012:23:12:09 +0000] "GET /test101 HTTP/1.0" 404 526 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0"
Whilst I accept this is probably benign, and can think of several reasons why the output of such a process might be of value to Telstra, I find myself less convinced than a certain senior media boss seems to be that this is "a normal network operation". To me, normal would be to, say, pull this info straight from the proxy server.
Also, just to be awkward, I am curious as to why a cloud provider would be using what looks a lot like a cluster of VPSs in someone else's cloud based out of Texas ;-)
Also why is there a black helicopter hovering above me?
So many questions....
Discuss!
E
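Detection logic for the paired-request pattern quoted in this thread, as an added example that is not part of either post: it parses Apache combined-format lines and flags any request that is re-fetched within a few seconds from a different address carrying the fixed Firefox 3.0 user agent seen on the follow-up requests. The sample log lines and the RFC 5737 addresses in them are constructed, and the 5-second window is an assumption.

```python
import re
from datetime import datetime

# Constructed sample lines in Apache combined log format, modelled on the pairs
# quoted in the thread. Addresses are RFC 5737 documentation ranges, not the
# real ones from the posts.
SAMPLE_LOG = """\
198.51.100.10 - - [24/Jun/2012:23:12:09 +0000] "GET /test101 HTTP/1.1" 404 464 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3"
203.0.113.7 - - [24/Jun/2012:23:12:09 +0000] "GET /test101 HTTP/1.0" 404 526 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0"
198.51.100.10 - - [24/Jun/2012:23:12:40 +0000] "GET /services.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3"
198.51.100.10 - - [24/Jun/2012:23:13:10 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3"
203.0.113.7 - - [24/Jun/2012:23:13:12 +0000] "GET /about.html HTTP/1.0" 200 2048 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Fixed UA string carried by the follow-up request in both posts.
SHADOW_UA = "Gecko/2008052906 Firefox/3.0"
WINDOW = 5  # seconds (assumed); the quoted pairs share the same second

def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return d

def find_shadow_requests(log_text, window=WINDOW):
    """Return (origin_ip, shadow_ip, path, delay_s) for every request that is
    re-fetched within `window` seconds from another IP with the shadow UA."""
    reqs = [r for r in map(parse_line, log_text.splitlines()) if r]
    reqs.sort(key=lambda r: r["ts"])  # stable sort keeps file order for equal stamps
    hits = []
    for i, orig in enumerate(reqs):
        if SHADOW_UA in orig["ua"]:
            continue  # a shadow request is never treated as an origin
        for later in reqs[i + 1:]:
            delay = (later["ts"] - orig["ts"]).total_seconds()
            if delay > window:
                break
            if (later["ip"] != orig["ip"] and later["path"] == orig["path"]
                    and SHADOW_UA in later["ua"]):
                hits.append((orig["ip"], later["ip"], orig["path"], delay))
                break
    return hits
```

Grouping the returned shadow IPs by origin address gives the same view the two posts built by hand, and a per-shadow-IP count shows whether the follow-ups come from one host or a pool.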