@pierky
Last active July 1, 2020 11:16

Measurement: 4454125 - whoami.akamai.net via 8.8.8.8

  • GOOGLE - Google Inc., US: 963 probes
  • OPENDNS - OpenDNS, LLC, US: 4 probes probes: 11104, 20197, 21048, 26519
  • BT-UK-AS BTnet UK Regional network, GB: 3 probes probes: 11036, 12234, 13893
  • INTERLINK-TECH-AS-ID INTERLINK TECHNOLOGY, PT, ID: 1 probe probes: 18850
  • ENTANET ENTANET International Limited, GB: 1 probe probes: 24963
  • LGI-UPC formerly known as UPC Broadband Holding B.V., AT: 1 probe probes: 21363

Measurement: 4459168 - whoami.akamai.net via 209.244.0.3

  • LEVEL3 - Level 3 Communications, Inc., US: 950 probes
  • BT-UK-AS BTnet UK Regional network, GB: 3 probes probes: 11036, 12234, 13893
  • OPENDNS - OpenDNS, LLC, US: 2 probes probes: 11104, 26519
  • GOOGLE - Google Inc., US: 2 probes probes: 17775, 23014
  • LANETUA-AS , UA: 1 probe probes: 12618

Measurement: 4459167 - whoami.akamai.net via 4.2.2.1

  • LEVEL3 - Level 3 Communications, Inc., US: 951 probes
  • OPENDNS - OpenDNS, LLC, US: 3 probes probes: 11104, 23424, 26519
  • BT-UK-AS BTnet UK Regional network, GB: 3 probes probes: 11036, 12234, 13893
  • GOOGLE - Google Inc., US: 2 probes probes: 17775, 23014
  • MGTLD - VeriSign Global Registry Services, US: 1 probe probes: 15847
  • LGI-UPC formerly known as UPC Broadband Holding B.V., AT: 1 probe probes: 21363

Measurement: 4459166 - whoami.akamai.net via 64.6.64.6

  • CGTLD - VeriSign Global Registry Services, US: 292 probes
  • MGTLD - VeriSign Global Registry Services, US: 149 probes
  • GGTLD - VeriSign Global Registry Services, US: 44 probes
  • XGTLD - VeriSign Global Registry Services, US: 41 probes
  • LGTLD - VeriSign Global Registry Services, US: 33 probes
  • YGTLD - VeriSign Global Registry Services, US: 12 probes
  • OPENDNS - OpenDNS, LLC, US: 3 probes probes: 11104, 23424, 26519
  • BT-UK-AS BTnet UK Regional network, GB: 3 probes probes: 11036, 12234, 13893
  • GOOGLE - Google Inc., US: 2 probes probes: 17775, 23014
  • AGTLD - VeriSign Global Registry Services, US: 2 probes
  • LANETUA-AS , UA: 1 probe probes: 12618

Measurement: 4459170 - whoami.akamai.net via 208.67.222.222

  • OPENDNS - OpenDNS, LLC, US: 949 probes
  • BT-UK-AS BTnet UK Regional network, GB: 3 probes probes: 11036, 12234, 13893
  • GOOGLE - Google Inc., US: 2 probes probes: 17775, 23014
  • MGTLD - VeriSign Global Registry Services, US: 1 probe probes: 15847
  • LGI-UPC formerly known as UPC Broadband Holding B.V., AT: 1 probe probes: 21363

Measurement: 4461438 - whoami.akamai.net via www.ripe.net

  • BT-UK-AS BTnet UK Regional network, GB: 3 probes probes: 11036, 12234, 13893
  • OPENDNS - OpenDNS, LLC, US: 2 probes probes: 11104, 26519
  • GOOGLE - Google Inc., US: 2 probes probes: 17775, 23014
  • LANETUA-AS , UA: 1 probe probes: 12618
  • LGI-UPC formerly known as UPC Broadband Holding B.V., AT: 1 probe probes: 21363

Probe 12234, country GB, ASN 2856: 6 measurements

  • hijacked results:
    • whoami.akamai.net via 8.8.8.8
    • whoami.akamai.net via 209.244.0.3
    • whoami.akamai.net via 4.2.2.1
    • whoami.akamai.net via 64.6.64.6
    • whoami.akamai.net via 208.67.222.222
    • whoami.akamai.net via www.ripe.net

Probe 13893, country GB, ASN 2856: 6 measurements

  • hijacked results:
    • whoami.akamai.net via 8.8.8.8
    • whoami.akamai.net via 209.244.0.3
    • whoami.akamai.net via 4.2.2.1
    • whoami.akamai.net via 64.6.64.6
    • whoami.akamai.net via 208.67.222.222
    • whoami.akamai.net via www.ripe.net

Probe 11036, country GB, ASN 2856: 6 measurements

  • hijacked results:
    • whoami.akamai.net via 8.8.8.8
    • whoami.akamai.net via 209.244.0.3
    • whoami.akamai.net via 4.2.2.1
    • whoami.akamai.net via 64.6.64.6
    • whoami.akamai.net via 208.67.222.222
    • whoami.akamai.net via www.ripe.net

Probe 17775, country IQ, ASN 198183: 5 measurements

  • hijacked results:
    • whoami.akamai.net via 209.244.0.3
    • whoami.akamai.net via 4.2.2.1
    • whoami.akamai.net via 64.6.64.6
    • whoami.akamai.net via 208.67.222.222
    • whoami.akamai.net via www.ripe.net

Probe 26519, country US, ASN 20001: 5 measurements

  • hijacked results:
    • whoami.akamai.net via 8.8.8.8
    • whoami.akamai.net via 209.244.0.3
    • whoami.akamai.net via 4.2.2.1
    • whoami.akamai.net via 64.6.64.6
    • whoami.akamai.net via www.ripe.net

Probe 11104, country CZ, ASN 198977: 5 measurements

  • hijacked results:
    • whoami.akamai.net via 8.8.8.8
    • whoami.akamai.net via 209.244.0.3
    • whoami.akamai.net via 4.2.2.1
    • whoami.akamai.net via 64.6.64.6
    • whoami.akamai.net via www.ripe.net

Probe 23014, country GB, ASN 13037: 5 measurements

  • hijacked results:
    • whoami.akamai.net via 209.244.0.3
    • whoami.akamai.net via 4.2.2.1
    • whoami.akamai.net via 64.6.64.6
    • whoami.akamai.net via 208.67.222.222
    • whoami.akamai.net via www.ripe.net

Probe 21363, country CZ, ASN 6830: 4 measurements

  • hijacked results:
    • whoami.akamai.net via 8.8.8.8
    • whoami.akamai.net via 4.2.2.1
    • whoami.akamai.net via 208.67.222.222
    • whoami.akamai.net via www.ripe.net

Probe 12618, country UA, ASN 41911: 3 measurements

  • hijacked results:
    • whoami.akamai.net via 209.244.0.3
    • whoami.akamai.net via 64.6.64.6
    • whoami.akamai.net via www.ripe.net

Probe 15847, country MT, ASN 200127: 2 measurements

  • hijacked results:
    • whoami.akamai.net via 4.2.2.1
    • whoami.akamai.net via 208.67.222.222

Probe 23424, country NZ, ASN 9889: 2 measurements

  • hijacked results:
    • whoami.akamai.net via 4.2.2.1
    • whoami.akamai.net via 64.6.64.6

Probe 20197, country CZ, ASN 43542: 1 measurement

  • hijacked results:
    • whoami.akamai.net via 8.8.8.8

Probe 24963, country GB, ASN 8468: 1 measurement

  • hijacked results:
    • whoami.akamai.net via 8.8.8.8

Probe 21048, country ID, ASN 23951: 1 measurement

  • hijacked results:
    • whoami.akamai.net via 8.8.8.8

Probe 18850, country ID, ASN 133817: 1 measurement

  • hijacked results:
    • whoami.akamai.net via 8.8.8.8

15 unique probes with unexpected results: 20197, 17775, 26519, 12234, 24963, 15847, 12618, 11104, 13893, 21048, 21363, 11036, 23014, 23424, 18850

```python
#!/usr/bin/env python
#
# An analysis of DNS responses gathered by 1000 RIPE Atlas probes
# when queried about whoami.akamai.net using some public resolver
# projects.
#
# Usage:
#
# pip install ripe.atlas.tools ripe.atlas.cousteau ipdetailscache
# chmod +x dns-hijacking.py
# ./dns-hijacking.py
#
# Author: Pier Carlo Chiodi
# https://www.pierky.com
#
# Related posts:
#
# https://labs.ripe.net/Members/babak_farrokhi/is-your-isp-hijacking-your-dns-traffic
# https://labs.ripe.net/Members/babak_farrokhi/operator-level-dns-redirection
import sys

from pierky.ipdetailscache import IPDetailsCache
from ripe.atlas.cousteau import AtlasLatestRequest, Measurement, Probe
from ripe.atlas.sagan import Result

# Local cache of IP -> prefix/holder details (RIPEstat lookups); it is saved
# explicitly at the end of the run rather than on object destruction.
cache = IPDetailsCache(dont_save_on_del=True)

SHOW_ANSWER_IP_ADDRESSES = False

# One entry per measurement. whoami.akamai.net answers with the address of the
# recursive resolver that actually reached Akamai, so for each public resolver
# project the answer is expected to be held by that project's network; any
# other holder means a different resolver handled the probe's query.
expectations = [
    {
        "msm_id": 4454125,
        "expected_holders": [
            "GOOGLE - Google Inc., US"
        ]
    },
    {
        "msm_id": 4459168,
        "expected_holders": [
            "LEVEL3 - Level 3 Communications, Inc., US"
        ]
    },
    {
        "msm_id": 4459167,
        "expected_holders": [
            "LEVEL3 - Level 3 Communications, Inc., US"
        ]
    },
    {
        "msm_id": 4459166,
        "expected_holders": [
            "CGTLD - VeriSign Global Registry Services, US",
            "MGTLD - VeriSign Global Registry Services, US",
            "GGTLD - VeriSign Global Registry Services, US",
            "XGTLD - VeriSign Global Registry Services, US",
            "LGTLD - VeriSign Global Registry Services, US",
            "YGTLD - VeriSign Global Registry Services, US",
            "AGTLD - VeriSign Global Registry Services, US"
        ]
    },
    {
        "msm_id": 4459170,
        "expected_holders": [
            "OPENDNS - OpenDNS, LLC, US"
        ]
    },
    {
        # Control measurement: www.ripe.net is not a resolver, so every
        # answer here is unexpected by definition.
        "msm_id": 4461438,
        "expected_holders": []
    }
]


def process_msm(exp):
    """Fetch the latest results of one measurement and group the probes by
    the holder of the IP address(es) they received in the answer section."""
    measurement = Measurement(id=exp["msm_id"])
    exp["msm_descr"] = measurement.description

    kwargs = {
        "msm_id": exp["msm_id"]
    }
    is_success, results = AtlasLatestRequest(**kwargs).create()
    if not is_success:
        sys.exit("Error fetching results of measurement {}: {}".format(
            exp["msm_id"], results))

    exp["unique_holders"] = {}

    for json_result in results:
        result = Result.get(json_result, on_error=Result.ACTION_IGNORE,
                            on_malformation=Result.ACTION_IGNORE)
        if not result:
            continue

        for response in result.responses:
            # No decoded answer buffer: timeout, error or empty response.
            if not response.abuf:
                continue

            for answer in response.abuf.answers:
                # Only A/AAAA answers carry an address; skip other record
                # types instead of failing on a missing attribute.
                ip = getattr(answer, "address", None)
                if not ip:
                    continue

                ip_info = cache.GetIPInformation(ip)
                probe_id = result.probe_id
                holder = ip_info["Holder"]

                if holder not in exp["unique_holders"]:
                    exp["unique_holders"][holder] = {"probes": []}
                if probe_id not in exp["unique_holders"][holder]["probes"]:
                    exp["unique_holders"][holder]["probes"].append(probe_id)

                if SHOW_ANSWER_IP_ADDRESSES:
                    tpl = "{probe_id},{ip},{holder}"
                    print(tpl.format(
                        probe_id=probe_id,
                        ip=ip,
                        holder=holder
                    ))


def print_ok(s):
    # green
    print("{}{}{}".format("\033[32m", s, "\033[m"))


def print_ko(s):
    # red
    print("{}{}{}".format("\033[31m", s, "\033[m"))


# probe_id (str) -> list of measurement descriptions with an unexpected holder
hijacked_probes = {}

for exp in expectations:
    process_msm(exp)

    print("Measurement: {} - {}".format(exp["msm_id"], exp["msm_descr"]))

    # Most common holders first.
    for holder in sorted(exp["unique_holders"],
                         key=lambda h: -len(exp["unique_holders"][h]["probes"])):
        is_expected = holder in exp["expected_holders"]
        s = " - {}: {} probe{}".format(
            holder,
            len(exp["unique_holders"][holder]["probes"]),
            "s" if len(exp["unique_holders"][holder]["probes"]) > 1 else ""
        )
        if is_expected:
            print_ok(s)
        else:
            print_ko(s)
            print("   probes: {}".format(
                ", ".join(map(str, exp["unique_holders"][holder]["probes"]))))

            for probe_id in exp["unique_holders"][holder]["probes"]:
                probe_id = str(probe_id)
                if probe_id not in hijacked_probes:
                    hijacked_probes[probe_id] = {"msms": []}
                hijacked_probes[probe_id]["msms"].append(exp["msm_descr"])

    print("")

# Probes flagged in the most measurements first.
for probe_id in sorted(hijacked_probes,
                       key=lambda p: -len(hijacked_probes[p]["msms"])):
    probe_info = Probe(id=int(probe_id))
    print("Probe {}, country {}, ASN {}: {} measurement{}".format(
        probe_id,
        probe_info.country_code,
        probe_info.asn_v4,
        len(hijacked_probes[probe_id]["msms"]),
        "s" if len(hijacked_probes[probe_id]["msms"]) > 1 else ""
    ))
    print(" - hijacked results:\n{}".format(
        "\n".join(["   - {}".format(m) for m in hijacked_probes[probe_id]["msms"]])
    ))
    print("")

print("{} unique probes with unexpected results:\n{}".format(
    len(hijacked_probes.keys()), ", ".join(hijacked_probes.keys())
))

cache.SaveCache()
```
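The classification step of the gist is easier to reason about without the network-bound parts (the RIPE Atlas fetch and the IPDetailsCache lookups). The block below is an added, self-contained example, not part of the gist: it reimplements the same "holder of the answered address vs. holder expected for the resolver" check over constructed data. The holder table, measurement ids, descriptions and probe results are all made up for illustration (prefixes are RFC 5737 documentation ranges), and `lookup_holder` is a hypothetical longest-prefix stand-in for `IPDetailsCache.GetIPInformation`. It also covers two cases the gist's output does not spell out: a probe whose answer carries no known holder is still reported as unexpected, and a probe with an empty answer section is skipped rather than counted.

```python
#!/usr/bin/env python3
"""Offline replica of the gist's hijack check (added example, not the gist's code)."""
import ipaddress
from collections import defaultdict

# Constructed stand-in for IPDetailsCache: prefix -> holder string.
# RFC 5737 documentation ranges only; this is not real routing data.
HOLDER_TABLE = {
    "192.0.2.0/24":    "RESOLVER-A - Constructed Resolver A, XX",
    "198.51.100.0/24": "RESOLVER-B - Constructed Resolver B, XX",
    "203.0.113.0/24":  "LOCAL-ISP - Constructed Access Network, XX",
}

# Constructed expectations in the shape the gist uses (msm ids are placeholders).
EXPECTATIONS = [
    {"msm_id": 1001, "msm_descr": "whoami.example via resolver-A",
     "expected_holders": ["RESOLVER-A - Constructed Resolver A, XX"]},
    {"msm_id": 1002, "msm_descr": "whoami.example via resolver-B",
     "expected_holders": ["RESOLVER-B - Constructed Resolver B, XX"]},
]

# Constructed flattened results: one entry per (measurement, probe) with the
# addresses found in the A records the probe received. Probe 3 gets an answer
# inside its access network for both resolvers, i.e. something other than the
# requested resolver answered its queries; probe 4 received no answer at all;
# probe 5 received an address with no known holder.
RESULTS = [
    {"msm_id": 1001, "probe_id": 1, "answers": ["192.0.2.10"]},
    {"msm_id": 1001, "probe_id": 2, "answers": ["192.0.2.11"]},
    {"msm_id": 1001, "probe_id": 3, "answers": ["203.0.113.5"]},
    {"msm_id": 1001, "probe_id": 4, "answers": []},
    {"msm_id": 1002, "probe_id": 1, "answers": ["198.51.100.20"]},
    {"msm_id": 1002, "probe_id": 2, "answers": ["198.51.100.21"]},
    {"msm_id": 1002, "probe_id": 3, "answers": ["203.0.113.5"]},
    {"msm_id": 1002, "probe_id": 5, "answers": ["100.64.0.1"]},
]


def lookup_holder(ip, table=HOLDER_TABLE):
    """Longest-prefix match of ip against the holder table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, holder in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, holder)
    return best[1] if best else None


def holders_per_measurement(exp, results, table=HOLDER_TABLE):
    """Mirror of process_msm(): holder -> sorted list of probe ids that got it.

    Probes with an empty answer section are skipped, as the gist does when
    response.abuf is empty. An address with no known holder is recorded under
    "UNKNOWN" so it still surfaces as unexpected instead of disappearing.
    """
    holders = defaultdict(set)
    for r in results:
        if r["msm_id"] != exp["msm_id"]:
            continue
        for ip in r["answers"]:
            holders[lookup_holder(ip, table) or "UNKNOWN"].add(r["probe_id"])
    return {h: sorted(p) for h, p in holders.items()}


def find_hijacked_probes(expectations, results, table=HOLDER_TABLE):
    """probe_id -> list of measurement descriptions whose answer holder was
    not among the expected holders for that measurement."""
    flagged = defaultdict(list)
    for exp in expectations:
        for holder, probes in holders_per_measurement(exp, results, table).items():
            if holder in exp["expected_holders"]:
                continue
            for probe_id in probes:
                flagged[probe_id].append(exp["msm_descr"])
    return dict(flagged)


if __name__ == "__main__":
    for exp in EXPECTATIONS:
        print("Measurement: {} - {}".format(exp["msm_id"], exp["msm_descr"]))
        for holder, probes in holders_per_measurement(exp, RESULTS).items():
            mark = "ok" if holder in exp["expected_holders"] else "UNEXPECTED"
            print(" - {}: {} probe(s) {} -> {}".format(holder, len(probes), probes, mark))
        print("")
    for probe_id, msms in sorted(find_hijacked_probes(EXPECTATIONS, RESULTS).items()):
        print("Probe {}: {} unexpected result(s): {}".format(probe_id, len(msms), "; ".join(msms)))
```

A probe that shows up under an unexpected holder for every resolver tested (probe 3 here, or the three AS2856 probes in the output above) is the strong signal: whichever public resolver it was told to use, the answer came from the same place, which is what on-path interception of port 53 looks like. A single unexpected measurement is weaker evidence and can also come from anycast or holder-data gaps, which is why the gist's per-probe summary counts measurements rather than treating any one mismatch as proof.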