Traceroute Question
I am using an OPNsense router with 1 WAN and 4 LAN networks. I have Linux, Windows, and Android OSes. Here is a typical trace example:
1. 96.120.9.53
2. 162.151.166.10
3. 96.110.148.x
4. 96.108.4.x
5. 69.139.168.x
6. 96.110.x.x
7. 96.110.x.x
It continues to the destination but what I'm concerned with is this. The first node never has any domain name nor does the 162.151.166.10 node. After that practically all the hops to the destination have domain names attached, with the majority being of Comcast. Of course the nodes vary IP assignments with the exception of the first two. They are consistent.
Some time ago I flashed my router, upgraded my modem, and started to educate myself and follow through with setting restrictive firewall rules, policies, and general overall tighter security. It seems now that the 162.151.166.10 node no longer appears when tracing from a client on my networks to any public destination.
That is until I decided to tunnel into a VPN service and then run a trace back to the IP assigned by Xfinity. The trace will continue from what starts out as private address space into more private space then into the public sector but it 100% of the time hits 162.151.166.10 and then the rest of the limited hops time out.
I even tried using websites such as dnschecker.org, hackertarget.com, and bgp.he.net with the same result. The buck stops at 162.151.166.10.
Questions:
1. Why is there a node that always appears in outbound traces but when I replace my modem it vanishes, although the first node 96.120.9.53 remained consistent?
2. Why would the 1st, 3rd - 4th, 6th and beyond all have similar IP addresses and domain names but #2 have such an out-of-place IP address?
3. Why, when tracing from a distant service or using a VPN, would tracing back to myself 100% of the time show the mysterious node but never go one more step towards my IP, which seems to be just 2 hops away? Changing the delay doesn't seem to matter.
4. More of a hunch than question but from what I've read this seems to point towards a Man-in-the-Middle attack.
Help!!!
user_6ff608
2 years ago
Hi, I'm a network engineer by trade, although not affiliated with Comcast in any way.
1. This device is very likely another router in the Comcast network. It may be a physical router, or a virtual one. It is not a sign of a MITM attack. You can always search for who owns an IP address, in this case 162.151.166.10 is for sure a Comcast address, with a WHOIS registered to "AS7922 · Comcast Cable Communications, LLC"
2. IPs of individual ISP routers don't necessarily have to be within the same IP ranges. Comcast owns many different blocks of global IP addresses across numerous different numerical IP segments. While it's true that sometimes for ease of management they may dedicate a certain block or range for their routers, over time IP ranges may get added/removed or reorganized. It's possible that the 162. router is newer/was replaced and assigned a new address, while the others in the path remain within the 96. range.
3. The fact that you see a traceroute failing to respond after a certain point can be because, in order for traceroute to work, a router must be configured to respond with a "TTL expired" message. Not all routers are configured to do this, possibly because of concerns about impacting performance (the main job of a router is to forward traffic, and while it can be useful for the router to send out TTL or other messages, doing so takes up hardware resources that could ordinarily be used for its main job of forwarding traffic). One thing to note is that when you run traceroute, normally it will use the ICMP protocol. Some routers are configured to drop ICMP messages or otherwise not process them fully. To get around this, tell the traceroute utility to use TCP instead of ICMP. If the version of traceroute you're using doesn't support this you may have to find a different trace program that can do it. Using TCP for trace is generally recommended since most web traffic uses TCP, so tracing using TCP will be a closer approximation to "normal" internet traffic.
4. See above, I don't think it's a MITM. Just a Comcast router close to your destination. Also keep in mind that in order for an IP to have a hostname, the owner (Comcast in this case) needs to have registered a reverse DNS name for the IP. Comcast usually does this for all their IPs, but it's not uncommon to see a few they've missed or chosen not to register.
EG
2 years ago
@RasterFarm
FWIW, we have seen posts here lately that show that Comcast may be using CGN (Carrier Grade NAT) in some areas. The 100.93.89.xxx IP addy would point in that direction. Some info:
https://en.wikipedia.org/wiki/Carrier-grade_NAT#
https://www.purevpn.com/blog/how-to-check-whether-or-not-your-isp-performs-cgnat/#:~:text=Check%20the%20router's%20WAN%20IP%20address&text=All%20you%20need%20to%20do,your%20ISP%20is%20using%20CGNAT
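Added here as a worked illustration of the two replies above, not code from either poster: a Python script that parses Linux traceroute output and tags each hop as answered-with-PTR, answered-without-PTR, or silent, and flags hops inside RFC 1918 or the RFC 6598 carrier-grade NAT block that EG's post points at. The sample trace is constructed; hostnames and the hop 1 to 3 addresses are placeholders, and only 96.120.9.53 and 162.151.166.10 come from the question.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# RFC 1918 and RFC 6598 (carrier-grade NAT) blocks: the "private space into more private space" hops seen from a VPN.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")

# Linux traceroute prints "N  name (ip)  rtt ms ..." or "N  * * *"; with no PTR record the name column repeats the IP.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")
TIMEOUT_RE = re.compile(r"^\s*(\d+)\s+\*(?:\s+\*)*\s*$")

@dataclass
class Hop:
    number: int
    ip: Optional[str]    # None when every probe timed out
    name: Optional[str]  # None when the router has no reverse DNS name
    scope: str           # "timeout", "rfc1918", "cgnat" or "public"

def classify(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        return "rfc1918"
    return "cgnat" if addr in CGNAT else "public"

def parse_traceroute(text: str) -> list:
    hops = []
    for line in text.splitlines():
        if m := HOP_RE.match(line):
            name, ip = m.group(2), m.group(3)
            hops.append(Hop(int(m.group(1)), ip, None if name == ip else name, classify(ip)))
        elif m := TIMEOUT_RE.match(line):
            hops.append(Hop(int(m.group(1)), None, None, "timeout"))
    return hops

def last_responding_hop(hops: list) -> Optional[Hop]:
    """Last hop that sent a TTL-expired reply; routers past it stay silent."""
    answered = [h for h in hops if h.ip is not None]
    return answered[-1] if answered else None

# Constructed sample of a trace from a VPN client back toward the Xfinity-side
# address; only 96.120.9.53 and 162.151.166.10 are taken from the question.
SAMPLE = """traceroute to 96.120.9.53 (96.120.9.53), 30 hops max, 60 byte packets
 1  10.8.0.1 (10.8.0.1)  21.3 ms  20.9 ms  21.1 ms
 2  100.93.89.1 (100.93.89.1)  22.0 ms  21.8 ms  22.4 ms
 3  hop3.example.net (96.110.148.1)  25.6 ms  25.1 ms  25.9 ms
 4  162.151.166.10 (162.151.166.10)  28.2 ms  28.0 ms  28.7 ms
 5  * * *
"""
```

Running `parse_traceroute` on a real capture shows the same three things the replies describe: hop 2 sits in the CGNAT range, hop 4 answers but has no PTR name, and everything after it is silent rather than hostile.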