This investigation into nordvpn's "32+ million residential proxies" is interesting
https://medium.com/@derek./how-is-nordvpn-unblocking-disney-6c51045dbc30
I decided it would be prudent to recreate this experiment and see if my results match these. Turns out they do.
Here's what I did:
1) I verified that the akamai client ip header is actually the IP of the machine making the request to akamai. Confirmed.
2) I signed up NordVPN, connected to it, and checked the client ip header when making requests to http://disneyplus.com like in the link. Every request returns a different IP, so I wrote a little script to just make this request over and over and log it.
3) I run each IP through the unix 'host' command which uses the DNS system to return a valid reverse-dns hostname for the appropriate IP (when available. I'd guess about 5% didn't resolve to anything.
Here's a de-duped text file of about ~2 hours of continuously asking akamai what my IP is when making the disneyplus request:
https://github.com/jerwarren/nordvpn-ip-test/blob/master/nordhosts.txt
That repo also has a very simple bash script that just runs over and over logging to a file so you can replicate it yourself.
This doesn't really tell us anything other than requests are getting to akamai through unexpected paths at just about every major ISP (and many smaller ones) across the US. How is this happening? I can't explain it.
Can you? Did I cock something up?
I don't know how reliable nmap's "OS fingerprinting" mechanism is (other than it reporting its own accuracy, of course) but a strikingly large percentage of those IPs all appear to be cable modems by the same manufacturer.
Can someone smarter than me take a look at this?
Alright, NordVPN basically admitted they're using residential IPs, but are claiming it's not secret, it's not malware, and they'll explain it to you if you sign an NDA.
https://twitter.com/MalwareJake/status/1201097310064787456?s=20
Hey, look. A new page on NordVPN explaining this. What a coincidence that it'd appear today...
OCR Output (chars: 849)
@FiXato
Here’s how it goes:
1. We purchase services that provide pools of
IP addresses.
2. There are two types of pools. The first one
consists of IPs purchased from ISPs directly.
The second one consists of the IPs of
people who have voluntarily downloaded
specific applications on their devices. The
sole purpose of these applications is to
reward the end user for voluntarily sharing
part of their bandwidth with various
services. Each individual who has the app
downloaded is fully aware of this purpose
and receives a reward for the traffic sent
and received through their device.
3. These IPs are only used initially when
forming a connection. Regular browsing
data and user IPs are never sent this way.
4. The owner of the IP address can’t see any
individual identifiable personal data
because no such data is ever sent.
