
IP addys.

Old 16 December 2003, 05:46 PM
  #1  
chaos.

On one website it logged my IP addy as : 172:185:126:26
On another website it logged my IP addy as : 195:93:33:7
And on a sent email it logged my IP addy as : 172:188:179:172


As each number is different, does this mean my IP address is impossible to trace back to my AOL account?

It's a dial-up BTW.

Old 16 December 2003, 05:52 PM
  #2  
Danny B

What does this place say?
http://www.lawrencegoetz.com/programs/ipinfo
Old 16 December 2003, 05:55 PM
  #3  
chaos.

It says:


Your IP address is
195.93.33.8
Old 16 December 2003, 05:56 PM
  #4  
NotoriousREV

Your IP address will probably be different every time you dial up as IP addresses will be allocated from a pool (a huge one in AOL's case).

However, they do keep records of which username was using which IP address at any given time. They will also more than likely log phone numbers as well.
Old 16 December 2003, 05:58 PM
  #5  
chaos.

But a normal company/website would find it difficult to trace my details, right?

Old 16 December 2003, 06:24 PM
  #6  
ajm

But a normal company/website would find it difficult to trace my details, right?
That depends how much of a reason they have to trace you! You **** them off, they look up your IP address as I have just done on the one you gave above. Then I just report the time, offense and IP address to AOL, and they ban your account, phone the police, FBI etc.

cache-loh-ab02.proxy.aol.com

inetnum: 195.93.0.0 - 195.93.63.255
netname: AOL-EU-1
descr: AOL Inc
country: US
admin-c: AOL5-RIPE
tech-c: AOL5-RIPE
status: ASSIGNED PA
mnt-by: AOL-EU-MNT
mnt-lower: AOL-EU-MNT
changed: domains@aol.net 20000220
changed: domains@aol.net 20000621
source: RIPE

route: 195.93.0.0/17
descr: AOL International Operations, Europe
origin: AS8292
mnt-by: MAINT-ANSUK
changed: tar@ans.net 19970519
changed: sirving@ans.net 19980720
source: RIPE

person: AOL NOC
address: America Online Inc.
address: 22080 Pacific Blvd
address: Sterling, VA 20166
address: USA
phone: +1 703 265 4670
e-mail: domains@aol.net
nic-hdl: AOL5-RIPE
mnt-by: AOL-EU-MNT
changed: domains@aol.net 20000621
source: RIPE

Old 16 December 2003, 06:42 PM
  #7  
stevencotton

However, they do keep records of which username was using which IP address at any given time. They will also more than likely log phone numbers as well.
This is all stored in RADIUS logfiles, it logs the CLI number as well as connection time, username and password used to authenticate etc.

Edit to add, the above hostname is that of an AOL proxy, to get the IP address of the actual end-user at the time is a bit more difficult. The only way you (AOL) could do it is to marry the logfiles provided by the remote web server with the proxy logfiles at AOL and work out the user that way. Even if AOL forward the original requestor's IP address in an X-header that header wouldn't be logged anywhere, someone would have to go through and physically match the logfile entries to find out who it is.

Steve.

[Edited by stevencotton - 12/16/2003 6:48:28 PM]
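
The log matching stevencotton describes, as an added example that is not part of the original thread: a remote web server's log entry is joined to the proxy log, then to the RADIUS accounting session that held the address at that moment. All records, log layouts, usernames and phone numbers are constructed; the RADIUS keys borrow standard accounting attribute names.

```python
from datetime import datetime, timedelta

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed sample records (documentation address ranges, made-up users).
# Remote web server log: it only ever sees the proxy's address.
WEB_LOG = [{"time": ts("2003-12-16 17:46:03"), "remote_addr": "192.0.2.7",
            "path": "/board/post.php"}]
# Proxy log: which dial-up address asked which proxy for which URL.
PROXY_LOG = [
    {"time": ts("2003-12-16 17:46:01"), "proxy": "192.0.2.7",
     "client": "198.51.100.26", "url": "http://example.org/board/post.php"},
    {"time": ts("2003-12-16 17:46:02"), "proxy": "192.0.2.7",
     "client": "198.51.100.90", "url": "http://example.org/index.php"},
    {"time": ts("2003-12-16 17:10:00"), "proxy": "192.0.2.7",
     "client": "198.51.100.26", "url": "http://example.org/board/post.php"},
]
# RADIUS accounting sessions: the pool hands the same address to two users.
RADIUS = [
    {"User-Name": "user_a", "Calling-Station-Id": "01632960001",
     "Framed-IP-Address": "198.51.100.26",
     "start": ts("2003-12-16 17:00:00"), "stop": ts("2003-12-16 17:30:00")},
    {"User-Name": "user_b", "Calling-Station-Id": "01632960002",
     "Framed-IP-Address": "198.51.100.26",
     "start": ts("2003-12-16 17:40:00"), "stop": ts("2003-12-16 18:10:00")},
]

def proxy_candidates(hit, skew=timedelta(seconds=5)):
    """Proxy entries matching the web hit on proxy address, URL path and time."""
    return [p for p in PROXY_LOG
            if p["proxy"] == hit["remote_addr"]
            and p["url"].endswith(hit["path"])
            and abs(p["time"] - hit["time"]) <= skew]

def session_at(client_ip, when):
    """RADIUS session holding client_ip at `when`, or None."""
    for s in RADIUS:
        if s["Framed-IP-Address"] == client_ip and s["start"] <= when <= s["stop"]:
            return s
    return None

def attribute(hit):
    """(User-Name, Calling-Station-Id) per plausible match; >1 means ambiguous."""
    sessions = (session_at(p["client"], p["time"]) for p in proxy_candidates(hit))
    return [(s["User-Name"], s["Calling-Station-Id"]) for s in sessions if s]
```

The timestamp decides the answer: the same pool address belongs to user_a at 17:10 and to user_b at 17:46, so an IP address without an accurate time (and time zone) identifies nobody.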
Old 17 December 2003, 01:23 AM
  #8  
Ian Griffiths

It's worth noting that although you've seen three different addresses on those three occasions, they are all ultimately accountable to AOL as investigation has shown, and it is their own internal logging that would track you down if required.

So to answer your question: yes. Any single webmaster wanting to investigate would have a hard job doing so on only that. With the right justification AOL would probably get involved and are certainly legally bound to keep such records in order to absolve themselves from prosecution.

[Edited by Ian Griffiths - 12/17/2003 1:23:32 AM]
Old 17 December 2003, 08:19 AM
  #9  
BuRR

It's amazing what information AOL can give you... but also frustrating what they can't
Old 17 December 2003, 08:28 AM
  #10  
Fatman

It's also possible that the site was picking up one or more routers/proxies between you and the site.
Old 17 December 2003, 09:04 AM
  #11  
Danny B

It says: Your IP address is 195.93.33.8
And was it correct?
Old 17 December 2003, 08:27 PM
  #12  
Ian Griffiths

Interesting topic and it's almost on topic so I'm going to chance it:

I get entries in my access logs from IP for example 10.100.4.5 which are clearly private. I can half see how this is happening and I'm pleased that my server is that clever. However, these are very anonymous if I don't know what network they're from! Any suggestions?
Old 17 December 2003, 09:20 PM
  #13  
Gedi

It's also possible that the site was picking up one or more routers/proxies between you and the site.
Routers don't forward their addresses. Generally, the only time a router will change a packet is if its route interface is not on the same network. Then it will alter the MAC address to that of the next hop and send it on its way.
You will only leave the address of a proxy if you are connected to that proxy. Unless you specify this, the AOL proxy will be the last one you connect to.



I get entries in my access logs from IP for example 10.100.4.5 which are clearly private. I can half see how this is happening and I'm pleased that my server is that clever. However, these are very anonymous if I don't know what network they're from! Any suggestions?

If you're getting these logs there is really only one reason for this. The source IP is spoofed, this is strange as this is only generally done in DoS or MITM attacks.
Is your logging software running correctly?
What is this you're saying about 'half understanding' and 'a clever server'? Maybe that will shed a little more light on the situation?

[Edited by Gedi - 12/17/2003 9:42:25 PM]
Old 17 December 2003, 11:21 PM
  #14  
Ian Griffiths

Source IP is not spoofed, one such culprit in these remote addresses is my place of employment where I know enough about the network to know that this is not the intention. Furthermore the addresses that I see logged from here are correct and valid within that network - just obviously not the right thing to be seeing outside.

My half understanding relates to the fact that this is predictable behaviour - these IP addresses are actually correct if you consider complete end point of the route. However, my understanding of networks set up like this was that all machines appear as one externally assigned address - exactly as my home machines do. They all assume the identity of my statically assigned broadband IP externally.

The clever server I refer to is the one that manages to get inside the network to see these internal IPs although I do appreciate the problem is probably more that the network is giving away addresses rather than my server is probing intelligently.

Logging software is simply message board software considering PHP environment variables, REMOTE_ADDR etc.
Old 17 December 2003, 11:30 PM
  #15  
dsmith

Proxies embed the original address inside the HTTP request - "X-Forwarded for" header unless explicitly configured not to.

Freeserve for instance leave it there and a 3-line PHP script on my own web server shows the detail....

REMOTE_ADDR 195.92.67.208
X_FORWARDED_FOR 81.76.182.128
HTTP_VIA 1.1 webcacheH08 (NetCache NetApp/5.3.1R2)

Deano
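
What the output above implies for a site's logging, as an added example that is not from the thread or from any board software: a log record is built from the CGI variables REMOTE_ADDR and HTTP_X_FORWARDED_FOR, and the header is believed only when the connecting proxy is one the site has chosen to trust. The helper names, the trusted-proxy list and the 192.0.2.50 peer used in testing are assumptions.

```python
import ipaddress

# Assumption: the only proxy whose header this site believes (dsmith's
# REMOTE_ADDR above, used as a stand-in for a vetted proxy list).
TRUSTED_PROXIES = [ipaddress.ip_network("195.92.67.208/32")]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_xff(value):
    """Valid addresses from an X-Forwarded-For value, left to right."""
    found = []
    for token in (value or "").split(","):
        try:
            found.append(ipaddress.ip_address(token.strip()))
        except ValueError:
            pass  # the header is sender-controlled text; skip junk like "unknown"
    return found

def describe_client(environ):
    """Build a log record from CGI-style variables (hypothetical helper)."""
    peer = ipaddress.ip_address(environ["REMOTE_ADDR"])  # the TCP peer
    chain = parse_xff(environ.get("HTTP_X_FORWARDED_FOR"))
    inner = chain[-1] if chain else None  # entry added by the nearest proxy
    trusted = inner is not None and any(peer in n for n in TRUSTED_PROXIES)
    private = inner is not None and any(inner in n for n in RFC1918)
    return {
        "peer": str(peer),                       # always record this
        "forwarded_for": str(inner) if inner is not None else None,
        "forwarded_private": private,            # only meaningful next to peer
        "forwarded_trusted": trusted,
        # Address to act on (bans, rate limits): the header value only when a
        # trusted proxy supplied it and it is publicly routable.
        "effective": str(inner) if trusted and not private else str(peer),
    }
```

Software that stores only the forwarded value ends up with entries like 10.100.4.5 and no way to tell which network they came from; storing the peer address beside it keeps the record attributable to the proxy's operator.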
Old 18 December 2003, 08:26 AM
  #16  
Gedi

just obviously not the right thing to be seeing outside
If the local nodes are leaving the LAN on a public WAN (i.e. the ISP supplied connection) then local IP addresses will not leave that network. It's impossible for local addresses to make it onto public wires using conventional methods like IP, which leads me onto the next bit
my understanding of networks set up like this was that all machines appear as one externally assigned address - exactly as my home machines do. They all assume the identity of my statically assigned broadband IP externally.
For local IP addresses to retrieve information on the public net, it must have a valid IP. This is where devices such as proxies or NAT come into play. Both do the job slightly differently, but the end result is that the local IP is left, exchanged for the public IP determined by your ISP.

The clever server I refer to is the one that manages to get inside the network to see these internal IPs although I do appreciate the problem is probably more that the network is giving away addresses rather than my server is probing intelligently
Not 100% sure what you mean by this. For a machine to get inside a network, it will most likely be using a service like ssh, ftp, http etc, which will leave it on the server intended........or it is allocated an IP and is allowed to join the network as a host (typical of VPNs) or in the case of a security breach proxy / tunneling software is installed on an exploited server leaving it free to piggyback into the network.

Whatever the case, unless you have a direct connection with your work's network, you would not see any of their internal IP addresses on your logging software.

[Edited by Gedi - 12/18/2003 8:28:26 AM]
Old 18 December 2003, 08:59 AM
  #17  
dsmith

Whatever the case, unless you have a direct connection with your work's network, you would not see any of their internal IP addresses on your logging software
Unless your company/organisation uses a web proxy which leaves the X-Forwarded-for header intact which many do.

Deano
Old 18 December 2003, 09:59 AM
  #18  
Gedi

Yes, I'm not disputing that. Unless running high anonymity, HTTP proxies have this option enabled.
My point is, why would a simple PHP script be looking for this? Under normal circumstances, it will log the source header only.
Old 18 December 2003, 11:12 AM
  #19  
druddle

chaos

When a website logs your IP address, scribble it down. Open a DOS window and type "ipconfig". This is what your network adapter thinks its IP address is. It will give you the IP address for your PPP dialup modem connection.

Dave
Old 18 December 2003, 12:13 PM
  #20  
dowser

Re. picking up private addresses in public space - tunnel software installed on the client and non-standard bindings?

While the restricted internal address could never really be used as the source on the net, if the logging software is asking the client then the client is apt to provide wrong information

Edit to add: ...and depending which 'logging' software is asking the question, maybe it's the right information

Richard

[Edited by dowser - 12/18/2003 12:15:45 PM]
Old 18 December 2003, 07:06 PM
  #21  
Ian Griffiths

Gedi - these *are* local addresses.

My machine in work has a 10.x.x.x address - local.

The web server I administer as a hobby, completely unrelated to my employment and nowhere near work network-wise is able to see this 10.x.x.x address.

This is both very good and very bad. Very good as I can track down to last machine instead of cache/router etc. This is also very bad as without knowing what network the request originates from, I'm stuck.

Take a look at this image if you have some time - it's the feature in the board for approving registrations. I've circled the strange ones.

http://www.corsasport.co.uk/misc/internaladdresses.gif

I'm going to have a look at exactly what is being logged as per Deano's reply.

Cheers all.

[Edited by Ian Griffiths - 12/18/2003 7:09:54 PM]
Old 19 December 2003, 09:23 AM
  #22  
dowser

How are you administering the server, using a tunnel? Or just straight out of your work network's proxy?

Richard
Old 20 December 2003, 01:09 AM
  #23  
Ian Griffiths

Work's network is just a regular academic internet connection - it's a college.

The server with the PHP running on logging funny stuff is a web server 200 miles away running regular Apache/PHP/MySQL.

The two entities are completely unrelated network/authentication/everything.