Tuesday, October 15, 2013

MorganStanleyGate: Others Mysteriously Contacted Via Computer Connection Traced To SAME Farm House in Potwin, KS

I've recently come across yet another technological terror waiting to be dealt with, and after much head scratching (and CIA/NSA-fueled paranoid "they're after me" thoughts) I've decided I should probably tell my very limited attentive audience about it. There I was, downloading like a madman as usual; same shyte, different day. Except that there was a difference: I was hitting speeds through P2P (peer-to-peer file sharing, such as torrent programs or Limewire) in excess of 10 Mbps. Normally, that would have me singing and dancing through a field of posies... except that my broke ass can't afford anything but the bottom rung in Cox's cable net speeds... 2MB. 3 Mbps (megabits per second) is my ceiling, even when "Speed-boost" is in effect. Curious about this seemingly fortuitous turn of events, I decided to run a speed test. I chose a different site today, based on a recommendation from a friend. To my complete, slack-jawed, flabbergasted surprise I clocked in at a download rate of 25MBps.
For those of you who are not familiar with TCP/IP communications, that's enough bandwidth to run a small- to mid-sized company, both telephony and net services. It's also the maximum bandwidth available to consumer-level Cox Communications net subscribers.
Well, what exactly (or who) was the "internet fairy" so graciously sprinkling me with magic web dust? The answer, as it usually turns out, was too good to be true. After doing several relatively nerdy things with a command prompt (I'll spare you the details), I identified an established, keep-alive connection in my route path. My internet is being re-directed, so to speak... and not by a government or law enforcement agency. No sir, this IP traced to a rural farmhouse outside of Potwin, KS. Farmhouse? Wth? I have a very hard time believing farmer Johnny needs server stacks and T1 lines, "heavy" and expensive hardware for a business, let alone a private residence. Usually being re-directed by your ISP slows you down, bottlenecks you. I've been increased by upwards of 5X what I pay for... so a capitalizing company is obviously not the culprit.
Following even more eyeball-twisting research, I found several sites with people complaining loudly of someone traced from this farmhouse sending scary emails, hacking Facebook accounts, and random forms of other internet shadiness... but I could find no reference to complete data stream hijacking. Many of these complaints go back to mid-2011... hard to stay the outlaw in the digital age these days, let alone hijacking an entire ISP trunk line.
The physical address information associated with the IP is as follows.


Suspicious IP: 70.183.71.66 --- the only IP ID'd with tracert not associated with Cox Communications. The IP address connected to me was immediately changed from the 70.183 subnet to the usual 68.1xx, but still on a different subnet than standard Cox servers. Additionally, the domain registration info stayed the same, identifying as follows:
dukedsrj01-ge-210.0.rd.at.cox.net


This change happened as soon as I noticed it, after emailing an address I found online for a blogger who has been dealing with this issue for the last few years, which then indicates active attention to my network activity.
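To make the tracert check described above repeatable, here is an added example (not part of the original post) that parses Windows tracert output and flags public hops that are neither inside the ISP's address blocks nor under its reverse-DNS domain. The sample output, the cox.net domain check and the 68.1.0.0/16 and 68.100.0.0/16 prefixes are constructed assumptions standing in for whatever ranges whois actually lists for the ISP.

```python
import ipaddress
import re

# Constructed sample Windows tracert output (not a real capture), modelled on the
# hops the post describes: Cox-named hops plus one address with no reverse DNS.
SAMPLE_TRACERT = """\
  1     1 ms     1 ms     1 ms  192.168.0.1
  2    12 ms    11 ms    12 ms  68.100.0.1
  3    14 ms    13 ms    15 ms  dukedsrj01-ge-210.0.rd.at.cox.net [68.1.0.10]
  4    20 ms    22 ms    21 ms  70.183.71.66
  5     *        *        *     Request timed out.
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_tracert(text):
    """Return (hop, ip or None, hostname or None) tuples from tracert output."""
    hops = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue                                     # header / blank lines
        hop, last = int(tokens[0]), tokens[-1]
        if last.startswith("[") and last.endswith("]"):
            hops.append((hop, last[1:-1], tokens[-2]))   # "hostname [ip]" form
        elif IPV4.match(last):
            hops.append((hop, last, None))               # bare IP, no PTR record
        else:
            hops.append((hop, None, None))               # request timed out
    return hops

def flag_foreign_hops(hops, isp_domain, isp_prefixes):
    """Flag public hops that are outside every ISP prefix AND lack a reverse
    DNS name under isp_domain. Either condition alone is common on a normal
    path, so only the combination is reported."""
    nets = [ipaddress.ip_network(p) for p in isp_prefixes]
    flagged = []
    for hop, ip, host in hops:
        if ip is None or ipaddress.ip_address(ip).is_private:
            continue                                     # skip timeouts / LAN hops
        in_prefix = any(ipaddress.ip_address(ip) in n for n in nets)
        in_domain = bool(host) and host.lower().endswith("." + isp_domain)
        if not in_prefix and not in_domain:
            flagged.append((hop, ip, host))
    return flagged

# Assumed ISP ranges for the demo; substitute the blocks whois lists for your ISP.
ASSUMED_COX_PREFIXES = ["68.1.0.0/16", "68.100.0.0/16"]
```

A flagged hop is a pointer to look up in whois, not proof of anything: transit routers without reverse DNS are common, so the address ranges you feed in decide what gets reported.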


Associated geotag address: 8689 County Road 576, also known as 8653 NW 120th St; all geomaps point to the same real estate parcel. Standard people search has some info, but none all that helpful. Most info I've found is most likely falsified, such as recycling the identity of the recently deceased. Info as follows:


Thelma Hinnen Vogelman, Andy Nellans, James Arnold. Searches on Vogelman allude to this man having intimate knowledge of the Keystone pipeline project, which is a significant oil pipeline stemming from Alberta, Canada. Vogelman died in 1998, yet his name continues to be used... a prime account to land for an identity thief.


After much deliberation, I've decided on 3 theories.


1. A few years ago, a virus began circulating that would re-direct internet away from secured ISP backbones into private networks. It was not malicious, except for the network re-direction, so most people never even knew they had it. There was a URL in the article I read to a government-funded/run website that would identify a tampered route, with instructions for removal. I have since lost both the article AND the website, which is odd in and of itself. I use Gmail; I haven't deleted a single email since 2004. If anyone remembers that article and happens to know the site, I would appreciate a heads up. My searches are coming up empty for some reason, with stuff that should be there just simply deciding not to exist anymore.
*update - Ruled this out, not malware related. Someone sent me the link to the FBI's rogue DNS verification page, found here: https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS


2. My second theory is a bit more far-fetched... (as the only logical explanation I can conceive of is above). I can only imagine what I did to piss off an apparently wealthy networking genius, because it would take nothing short of that. Since it's not a federal/county/local civic building, I can rule out law enforcement or government. That means that someone went out of their way to hijack my data stream, undetected to boot.

3. My only other theory on the matter would be a plot out of "Live Free or Die Hard". ISP redirection is used as a metaphorical chess piece in a plot called a "Fire Sale"... which is a massive electronic attack on all communication/technology/banking/civil law/etc. services at once, designed to cripple an entire economy in a matter of days. Although the technology exists and the theory is valid, it would be more likely that I was abducted by aliens before I finish typing this paragraph.


So I suppose this is both a warning/FYI to my clients, and a venting session for myself; but moreover the first techie question I've had to ask the net community in years. Any information you might have about who/why/how on this would just be deliriously helpful, and I would invite those with such info to email me the stories. I'm gathering data on everything I find on my encrypted drive, and if I get enough together I have blogger buddies who I'm sure would perpetuate the info, as there seems to be 0 awareness on this matter at the moment.


I would suggest jumping in your preferred internet vehicle (any browser) and heading to www.dslreports.com/speedtests. Follow the instructions to get an accurate reading of your current upload/download rates. The rate you're paying for should be listed on the bill. If the rate is close to or less than your paid rate, then you're fine. If it's much different, it's a sign of re-direction.


If you or anyone you know should happen upon a similar situation, or receive any FB/email/social app hacking traced to that address, I would greatly appreciate a heads up. I'm currently shopping for a free proxy server that would be safe enough to support secured browsing, which is the only way to force a re-direct. Pickings are slim in that area, but I'm sure I'll find something. As for the obvious question, "Why don't you call the ISP?"... if this turns out to be nothing, then I'm just an incredibly lucky guy with a bunch of free internet, and I don't feel like being too hasty calling attention to it with the party poopers and their bottlenecks.


I would love to believe that I'm just being paranoid, but the lack of info on this is giving me the damned willies. So, as James Franco once so eloquently put it: "Safety First. Safety first, then teamwork".


-Matt McClellan
SimianTech IT Services




Contact info:


simiantech@gmail.com
darthmonkey2004@gmail.com
620-204-0386 (mobile)
1 (785) 260-7633 (free web-based texting through Pinger.com)


Links to information I was able to find:
MorganStanleyGate: Others Mysteriously Contacted Via Computer Connection Traced To SAME Farm House in Potwin, KS
http://www.ip-adress.com/whois/70.183.71.66 (basic IP registry info; I was able to use that to get an address, leading to the farm house.)


*Update
Upon extended and rigorous research, I have decided this is the work of an ID hacker, an identity thief. My theory is he's somehow siphoning off traffic from local network service machines. I would imagine it's an automated network load relief exploit. ISPs stay busy, and sometimes need to drop data routing jobs off on other networks; it happens all the time. It's done by an overloaded router simply deciding on a specific sub-netted group to drop from "Active" route to "Passive", meaning it can forward it on and allocate its bandwidth to its Active routes. This is how the net works, passing through machines on the way to the one you want to talk to.

He (she, they... it?) also appears to be using a network of "ghosted" DNS servers: virtual servers that spoof all incoming and outgoing packets with false IP/MAC/network hardware info. This way an admin can run a test on his route, and it would still appear legitimate at first glance. Upon closer inspection you see key differences: domain info that should exist for an active route is missing. This means that your default gateway/DNS server is told to forward you on, rather than handle your routing, effectively changing you from an active route to passive/anonymous multicast traffic. As long as the spoofed IP/MAC is taken from a legitimate ISP service machine, its MAC address alone is enough to authenticate it. It's automatically passed on and assumed to be legit... no alarms, no red flags.

Normally there is a latency monitoring method to find spoofed addresses. It takes time for a machine to intercept, alter, and forward the packet to its original destination. Latency is constantly computed with virtually every connection, automatically. When one person's latency is significantly higher than someone he's directly connected to, this is sometimes a sign of ghosting. It's not proof at all though, merely conjecture.

Most servers deal with severe latency fluctuation by simply closing the connection and then routing them to a different subnet when they reconnect. Still, no warnings, no alarms. These events do get logged, but are classified as generic log info rather than a flagged event. However, he fixes this problem by guaranteeing that 25 Mbps rate (which happens to be the maximum available data rate for consumer-class Cox Cable internet) with enterprise-level routing hardware, and what I can only assume is a series of fiber optics backing his network. This minimizes the increase in latency, tailoring it to permissible levels based on the level of latency sensitivity of the machine you're spoofing. Tricky stuff, probably took years to work out the kinks.

The reasoning for all of this is obvious. Receiving, managing, and forwarding public internet traffic is the easiest method to access the data stream directly. Even https can't really help you here, because when your machine decides on an encryption key to use with the server it's talking to, that info is encoded in a packet. It gets intercepted, and it is relatively easy to decode keys/credentials/passwords. The data stream then turns encrypted, preventing passive/anonymous connections from prying, but that is no worry for a hacker if they have the key.

All in all, this is a very expensive and labor-intensive venture. The techniques employed in this scheme are state of the art, finding the tiniest flaws in modern tech and using them to hide while you sit back and capture mass quantities of data. At the very least you have cookie/web history info from surfers all over the world... there are people that will pay for enough of that. Then every once in a while you land a big fish, like the aforementioned Vogelman. Those he keeps to himself for use in obtaining the hardware/network access he needs. The Google map data is very lacking in pretty much all rural areas, and this particular area appears to be devoid of cellphone towers/communication arrays, a cellular "black spot". It would be easy to erect a 30-foot antenna that can broadcast line of sight for miles. And with no towers in the area, you can't triangulate the signal. Just because the info is registered to that address doesn't mean this guy doesn't live 5 miles away.

It's actually quite elegant; a lot of thought and time has been put into this. It leads me to think it's a team of people working together. Although if it is just one man, I suppose that would be pretty impressive, if not a bit exhausting for him.

I'll continue to update as new information is made available.