
Here’s looking at you… Geoff Huston

The Theory
• We use Google Ads to deliver a test script to a very large profile of users
  – We measure the DNS, DNSSEC, IPv6, performance, and many other aspects of the end user’s view of the Internet
  – We have some 500,000 ads delivered per day
  – And each of them uses uniquely generated URLs
  – So, in theory we should see each unique URL retrieved once
  – Right?

Here is what we see in the web logs…

[22/Jan/2014:00:10:21 +0000] 120.194.53.xxx "GET /1x1.png?t10000.u3697062917.s1390349413.i333.v1794.rd.t d
[22/Jan/2014:00:11:29 +0000] 221.176.4.xxx "GET /1x1.png?t10000.u3697062917.s1390349413.i333.v1794.rd.t d

68 seconds later: -- SAME URL --
120.194.53.xxx – Origin AS = 24445
221.176.4.xxx – Origin AS = 9808

How widespread is this?
48 days in 2013:
  – 29,171,864 unique URLs presented to end users
  – 612,089 of these URLs were re-presented to us from a different client IP address
That’s 2.1% of URL fetches that seem to have attracted a digital stalker!

The Top Repeaters

Rank and IP Address: 1 119.147.146.xxx; 2 182.18.208.xxx; 3 182.18.209.xxx; 4 124.6.181.xxx; 5 112.198.64.xxx; 6 203.177.74.xxx; 7 120.28.64.xxx; 8 211.125.138.xxx; 9 210.94.41.xxx; 10 222.127.223.xxx; 11 210.143.35.xxx; 12 202.156.10.xxx; 13 14.1.193.xxx; 14 183.90.103.xxx; 15 202.246.252.xxx; 16 192.51.44.xxx; 17 183.90.41.xxx; 18 110.34.0.xxx; 19 110.232.92.xxx; 20 37.19.108.xxx; 21 24.186.96.xxx; 22 161.53.179.xxx; 23 193.254.230.xxx; 24 121.54.xxx; 25 77.244.114.xxx

Count: 11,241 1,0982 5,046 4,641 3,315 3,230 3,098 1,414 1,269 1,177 1,154 1,128 1,069 995 887 774 704 638 603 573 535 534 500 484

AS: 4134 23944 4775 9619 6619 4775 2516 10091 45960 55430 2526 2510 55430 4007 23679 44143 6128 2108 25304 10139 42779

AS Name: CHINANET-BACKBONE No. 31, Jin-rong Street CN; SKYBB-AS-AP AS-SKYBroadband SKYCable Corporation PH; GLOBE-TELECOM-AS Globe Telecoms PH; SSD Sony Global Solutions Inc. JP; SAMSUNGSDS-AS-KR SamsungSDS Inc. KR; GLOBE-TELECOM-AS Globe Telecoms PH; KDDI CORPORATION JP; SCV-AS-AP StarHub Cable Vision Ltd SG; YTLCOMMS-AS-AP YTL COMMUNICATIONS SDN BHD MY; STARHUBINTERNET-AS-NGNBN Starhub Internet Pte Ltd SG; HITNET HITACHI, Ltd. Information Technology Division. JP; INFOWEB FUJITSU LIMITED JP; STARHUBINTERNET-AS-NGNBN Starhub Internet Pte Ltd SG; Subisu Cablenet (Pvt) Ltd, Baluwatar, Kathmandu, Nepal NP; NUSANET-AS-ID Media Antar Nusa PT. ID; VIPMOBILE-AS Vip mobile d.o.o. RS; CABLE-NET-1 - Cablevision Systems Corp. US; CARNET-AS Croatian Academic and Research Network HR; UNITBV Universitatea TRANSILVANIA Brasov RO; SMARTBRO-PH-AP Smart Broadband, Inc. PH; AZERFON Azerfon AS AZ

Web Proxies?
• A strong indicator of a proxy device is that it is located in the same AS as the end client.
• So let’s filter that list and look at those repeaters that use a different AS from the original request
• And here’s what we see

Different Origin AS Repeaters

Rank | IP Address | Count | AS | AS Name
1 | 119.147.146.xxx | 8,886 | 4134 | CHINANET-BACKBONE No. 31, Jin-rong Street CN
2 | 220.181.158.xxx | 493 | 23724 | CHINANET-IDC-BJ IDC, China Telecommunications Corporation CN
3 | 123.125.161.xxx | 446 | 4808 | CHINA169-BJ CNCGROUP IP China169 Beijing Province Network CN
4 | 210.133.104.xxx | 285 | 7677 | DNP Dai Nippon Printing Co., Ltd JP
5 | 202.214.150.xxx | 266 | 2497 | IIJ Internet Initiative Japan Inc. JP
6 | 112.65.211.xxx | 248 | 17621 | CNCGROUP-SH China Unicom Shanghai network CN
7 | 221.176.4.xxx | 226 | 9808 | CMNET-GD Guangdong Mobile Communication Co. Ltd. CN
8 | 62.84.94.xxx | 204 | 16130 | FiberLink Networks LB
9 | 212.40.141.xxx | 203 | 31126 | SODETEL-AS SODETEL SAL LB
10 | 101.69.163.xxx | 163 | 4837 | CHINA169-BACKBONE CNCGROUP China169 Backbone CN
11 | 59.162.23.xxx | 158 | 4755 | TATACOMM-AS TATA Communications IN
12 | 8.35.201.xxx | 156 | 15169 | GOOGLE - Google Inc. US
13 | 118.186.36.xxx | 149 | 23724 | CHINANET-IDC-BJ IDC, China Telecommunications Corporation CN
14 | 190.96.112.xxx | 147 | 262150 | Empresa Provincial de Energia de Cordoba AR
15 | 202.155.113.xxx | 143 | 4795 | INDOSATM2-ID INDOSATM2 ASN ID
16 | 118.228.151.xxx | 142 | 4538 | ERX-CERNET-BKB China Education and Research Network Center CN
17 | 123.125.73.xxx | 136 | 4808 | CHINA169-BJ CNCGROUP IP China169 Beijing Province Network CN
18 | 69.41.14.xxx | 133 | 47018 | CE-BGPAC - Covenant Eyes, Inc. US
19 | 118.97.198.xxx | 131 | 17974 | TELKOMNET-AS2-AP PT Telekomunikasi Indonesia ID
20 | 112.215.11.xxx | 128 | 17885 | JKTXLNET-AS-AP PT Excelcomindo Pratama ID
21 | 122.2.0.xxx | 125 | 9299 | IPG-AS-AP Philippine Long Distance Telephone Company PH
22 | 176.28.78.xxx | 123 | 197893 | ELSUHD-AS Elsuhd Net Ltd. Communications and Computer Services IQ
23 | 14.139.97.xxx | 120 | 55824 | RSMANI-NKN-AS-AP National Knowledge Network IN
24 | 211.155.120.xxx | 116 | 23724 | CHINANET-IDC-BJ IDC, China Telecommunications Corporation CN
25 | 121.96.61.xxx | 114 | 6648 | BAYAN Bayan Telecommunications, Inc. PH

Maybe it’s National Infrastructure
• We’ve all heard about the Great Firewall of China
• And other countries may be doing similar things
• So perhaps these repeaters are the result of some form of national / regional content cache program
• So let’s filter this further by using geolocation information to find those cases where the original end client and the digital stalker locate to different countries
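The three filters described on the slides above (re-fetch of a unique URL from a different client IP, then a different origin AS, then a different country), as an added example that is not code from the talk. The log format is simplified, the log lines use documentation addresses, and the `ORIGIN` table with its AS numbers and country codes is a hypothetical stand-in for a BGP table dump and a geolocation database.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log (documentation addresses, made-up URLs), not the talk's data.
SAMPLE_LOG = """\
[22/Jan/2014:00:10:21 +0000] 192.0.2.10 "GET /1x1.png?u=1001 HTTP/1.1"
[22/Jan/2014:00:10:40 +0000] 192.0.2.11 "GET /1x1.png?u=1002 HTTP/1.1"
[22/Jan/2014:00:10:41 +0000] 192.0.2.200 "GET /1x1.png?u=1002 HTTP/1.1"
[22/Jan/2014:00:11:29 +0000] 198.51.100.7 "GET /1x1.png?u=1001 HTTP/1.1"
[22/Jan/2014:00:12:00 +0000] 203.0.113.5 "GET /1x1.png?u=1003 HTTP/1.1"
[22/Jan/2014:00:12:05 +0000] 203.0.113.5 "GET /1x1.png?u=1003 HTTP/1.1"
[22/Jan/2014:00:20:00 +0000] 198.51.100.7 "GET /1x1.png?u=1003 HTTP/1.1"
[22/Jan/2014:00:21:00 +0000] 192.0.2.12 "GET /1x1.png?u=1004 HTTP/1.1"
"""

# Hypothetical lookup: client IP -> (origin AS, country code). Placeholder values;
# real data would come from a BGP table dump and a geolocation database.
ORIGIN = {
    "192.0.2.10": (64500, "XA"), "192.0.2.11": (64500, "XA"),
    "192.0.2.12": (64500, "XA"), "192.0.2.200": (64500, "XA"),
    "198.51.100.7": (64501, "XA"), "203.0.113.5": (64502, "XB"),
}
LINE = re.compile(r'\[(?P<ts>[^\]]+)\] (?P<ip>\S+) "GET (?P<url>\S+)')

def find_repeats(log_text, origin):
    """Return (url, first_ip, repeat_ip, delay_s, kind) per re-fetch from a new IP."""
    first_seen, repeats = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, url = m["ip"], m["url"]
        if url not in first_seen:
            first_seen[url] = (ip, ts)  # the end user the URL was generated for
            continue
        first_ip, first_ts = first_seen[url]
        if ip == first_ip:
            continue  # the same client fetching again is not a repeater
        (as1, cc1), (as2, cc2) = origin[first_ip], origin[ip]
        # same_as: consistent with a local web proxy; different_as: survives the
        # proxy filter; different_country: also survives the national-cache filter.
        kind = "same_as" if as1 == as2 else "different_as" if cc1 == cc2 else "different_country"
        repeats.append((url, first_ip, ip, int((ts - first_ts).total_seconds()), kind))
    return repeats

def top_repeaters(repeats, kinds):
    # Rank repeater IPs by number of re-fetched URLs, restricted to the given kinds.
    return Counter(r[2] for r in repeats if r[4] in kinds).most_common()
```

Passing `{"different_as", "different_country"}` to `top_repeaters` gives the slides' "different origin AS" ranking; passing only `{"different_country"}` gives the "different country" ranking.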

Different Country Stalkers

Rank | IP Address | AS | AS Name
1 | 119.147.146.xxx | 4134 | CHINANET-BACKBONE No. 31, Jin-rong Street CN
2 | 8.35.201.xxx | 15169 | GOOGLE - Google Inc. US
3 | 190.216.130.xxx | 3549 | GBLX Global Crossing Ltd. AR
4 | 190.27.253.xxx | 19429 | ETB - Colombia CO
5 | 61.92.16.xxx | 9269 | HKBN-AS-AP Hong Kong Broadband Network Ltd. HK
6 | 208.80.194.xxx | 13448 | WEBSENSE Websense, Inc. US
7 | 112.140.187.xxx | 45634 | SPARKSTATION-SG-AP 10 Science Park Road SG
8 | 69.41.14.xxx | 47018 | CE-BGPAC - Covenant Eyes, Inc. US
9 | 126.117.225.xxx | 17676 | GIGAINFRA Softbank BB Corp. JP
10 | 113.43.175.xxx | 17506 | UCOM Corp. JP
11 | 202.249.25.xxx | 4717 | AI3 WIDE Project JP
12 | 139.193.204.xxx | 23700 | BM-AS-ID PT. Broadband Multimedia, Tbk ID
13 | 180.13.45.xxx | 4713 | OCN NTT Communications Corporation JP
14 | 201.221.124.xxx | 27989 | BANCOLOMBIA S.A CO
15 | 123.125.161.xxx | 4808 | CHINA169-BJ CNCGROUP China169 Beijing Province Network CN
16 | 220.181.158.xxx | 23724 | CHINANET-IDC-BJ IDC, China Telecommunications Corporation CN
17 | 208.184.77.xxx | 6461 | MFNX MFN - Metromedia Fiber Network US
18 | 183.179.254.xxx | 9269 | HKBN-AS-AP Hong Kong Broadband Network Ltd. HK
19 | 203.192.154.xxx | 10026 | PACNET Pacnet Global Ltd JP
20 | 139.193.223.xxx | 23700 | BM-AS-ID PT. Broadband Multimedia, Tbk ID
21 | 175.134.140.xxx | 2516 | KDDI CORPORATION JP
22 | 210.187.58.xxx | 4788 | TMNET-AS-AP TM Net, Internet Service Provider MY
23 | 195.93.102.xxx | 1668 | AOL-ATDN - AOL Transit Data Network GB
24 | 221.82.58.xxx | 17676 | GIGAINFRA Softbank BB Corp. JP
25 | 167.205.22.xxx | 4796 | BANDUNG-NET-AS-AP Institute of Technology Bandung ID

Count: 7,001 156 84 82 62 53 33 32 31 29 26 25 22 21 21 17 17 16 16 13 12 12 12


Let’s zoom in for a second
And look at the distribution of the clients who were stalked by 119.147.146.xxx
In which countries were the clients located?

CC | Count | Country
AE | 27 | United Arab Emirates
AG | 2 | Antigua and Barbuda
AL | 32 | Albania
AM | 13 | Armenia
AR | 19 | Argentina
AT | 5 | Austria
AU | 21 | Australia
AW | 6 | Aruba
AZ | 8 | Azerbaijan
BA | 27 | Bosnia and Herzegovina
BD | 1 | Bangladesh
BE | 10 | Belgium
BG | 45 | Bulgaria
BN | 1 | Brunei Darussalam
BO | 1 | Bolivia
BR | 44 | Brazil
BS | 1 | Bahamas
BY | 7 | Belarus
BZ | 4 | Belize
CA | 125 | Canada
CL | 13 | Chile
CN | 4,622 | China
CO | 11 | Colombia
CR | 1 | Costa Rica
CW | 2 | Curaçao
CY | 1 | Cyprus
CZ | 37 | Czech Republic
DE | 21 | Germany
DO | 2 | Dominican Republic
DZ | 19 | Algeria
EC | 8 | Ecuador
EG | 22 | Egypt
ES | 38 | Spain
FR | 68 | France
GB | 45 | United Kingdom
GE | 12 | Georgia
GR | 25 | Greece
GY | 1 | Guyana
HK | 721 | Hong Kong
HN | 1 | Honduras
HR | 9 | Croatia
HU | 67 | Hungary
ID | 159 | Indonesia
IE | 16 | Ireland
IL | 8 | Israel
IN | 32 | India
IQ | 21 | Iraq
IT | 52 | Italy
JM | 5 | Jamaica
JO | 2 | Jordan
JP | 2,910 | Japan
KE | 1 | Kenya
KG | 1 | Kyrgyzstan
KH | 28 | Cambodia
KR | 27 | Republic of Korea
KW | 1 | Kuwait
KZ | 11 | Kazakhstan
LA | 6 | Laos
LK | 11 | Sri Lanka
LT | 12 | Lithuania
LV | 6 | Latvia
MA | 6 | Morocco
MD | 2 | Republic of Moldova
ME | 7 | Montenegro
MK | 69 | Macedonia
MM | 2 | Myanmar
MN | 36 | Mongolia
MO | 37 | Macao
MP | 4 | Northern Mariana Islands
MT | 4 | Malta
MU | 7 | Mauritius
MX | 107 | Mexico
MY | 375 | Malaysia
NC | 1 | New Caledonia
NI | 1 | Nicaragua
NL | 15 | Netherlands
NO | 8 | Norway
NP | 1 | Nepal
NZ | 20 | New Zealand
OM | 1 | Oman
PA | 11 | Panama
PE | 29 | Peru
PH | 166 | Philippines
PK | 1 | Pakistan
PL | 340 | Poland
PR | 7 | Puerto Rico
PS | 9 | Occupied Palestinian Territory
PT | 1 | Portugal
RO | 197 | Romania
RS | 62 | Serbia
RU | 32 | Russian Federation
RW | 1 | Rwanda
SA | 24 | Saudi Arabia
SE | 3 | Sweden
SG | 83 | Singapore
SI | 13 | Slovenia
SK | 13 | Slovakia
SR | 2 | Suriname
SV | 3 | El Salvador
TH | 138 | Thailand
TN | 3 | Tunisia
TR | 57 | Turkey
TW | 1,241 | Taiwan
UA | 37 | Ukraine
US | 371 | United States of America
UZ | 1 | Uzbekistan
VC | 1 | Saint Vincent and the Grenadines
VE | 16 | Venezuela
VN | 249 | Vietnam
YE | 1 | Yemen

What the…?
• That’s an impressive list of countries!
• And our collection of 30 million URLs across 49 days is a mere drop in the ocean of web fetches on the Internet
• So are we glimpsing here the tip of some much larger program of URL stalking?

Accident? Deliberate? Something Else?
• Why go to all the trouble to collect URLs but use the same IP address to perform the followup stalking?
• Is this some kind of deliberate leakage from a middleware device?
• Or the result of some kind of a virus?
• Or the outcome of TOR + virus?
• Or a smart, but at the same time remarkably dumb, digital stalking program?
• Or <insert your favourite conspiracy theory here>