I decided it would be prudent to recreate this experiment and see if my results match these. Turns out they do.

Here's what I did:

1) I verified that the Akamai client IP header is actually the IP of the machine making the request to Akamai. Confirmed.


2) I signed up for NordVPN, connected to it, and checked the client IP header when making requests to disneyplus.com like in the link. Every request returns a different IP, so I wrote a little script to just make this request over and over and log it.


3) I ran each IP through the Unix 'host' command, which uses the DNS system to return a valid reverse-DNS hostname for the appropriate IP (when available). I'd guess about 5% didn't resolve to anything.

Here's a de-duped text file of about 2 hours of continuously asking Akamai what my IP is when making the disneyplus request:

github.com/jerwarren/nordvpn-i

That repo also has a very simple bash script that just runs over and over logging to a file so you can replicate it yourself.

This doesn't really tell us anything other than that requests are getting to Akamai through unexpected paths at just about every major ISP (and many smaller ones) across the US. How is this happening? I can't explain it.

Can you? Did I cock something up?
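The three steps above (request through the tunnel, read the client-IP header, reverse-resolve and de-duplicate) as an added Python example; it is not the script from the linked repo. The header name `True-Client-IP` and the target URL are assumptions, and the log lines and PTR results at the bottom are constructed sample data so the tallying runs offline.

```python
import socket
import urllib.request
from collections import Counter

# Assumed header name: Akamai edges can echo the caller's address in True-Client-IP.
# The thread does not name the header, so adjust this to what the endpoint actually returns.
HEADER = "True-Client-IP"
TARGET = "https://example.invalid/"  # placeholder; the thread used a disneyplus.com request


def fetch_exit_ip(url=TARGET, header=HEADER, timeout=10):
    """One request through the VPN tunnel; returns the IP the edge saw, or None on failure."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.headers.get(header)
    except (OSError, ValueError):
        return None


def reverse_dns(ip):
    """Equivalent of the `host` command; a share of addresses have no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def dedupe_log(lines):
    """De-duplicate a log with one IP per line, ignoring blank lines."""
    return sorted({ln.strip() for ln in lines if ln.strip()})


def registrable_domain(hostname):
    """Crude ISP label: the last two labels of the PTR name, e.g. 'example-isp.net'."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def tally_isps(ip_to_host):
    """Count distinct exit IPs per ISP domain; unresolved IPs are grouped under '(no PTR)'."""
    counts = Counter()
    for host in ip_to_host.values():
        counts[registrable_domain(host) if host else "(no PTR)"] += 1
    return counts


# Constructed sample: what a few iterations of the loop plus `host` might have produced.
SAMPLE_LOG = "203.0.113.10\n198.51.100.7\n203.0.113.10\n192.0.2.55\n203.0.113.99\n"
SAMPLE_PTR = {
    "203.0.113.10": "c-203-0-113-10.hsd1.ca.example-isp.net",
    "203.0.113.99": "c-203-0-113-99.hsd1.wa.example-isp.net",
    "198.51.100.7": "cpe-198-51-100-7.example-cable.com.",
    "192.0.2.55": None,  # the ~5% with no reverse record
}
```

To reproduce the live run, call `fetch_exit_ip()` in a loop, append each result to a file, then feed the file through `dedupe_log`, `reverse_dns` and `tally_isps`.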

I don't know how reliable nmap's "OS fingerprinting" mechanism is (other than it reporting its own accuracy, of course) but a strikingly large percentage of those IPs all appear to be cable modems by the same manufacturer.

Can someone smarter than me take a look at this?

Alright, NordVPN basically admitted they're using residential IPs, but are claiming it's not secret, it's not malware, and they'll explain it to you if you sign an NDA.

twitter.com/MalwareJake/status

Hey, look. A new page on NordVPN explaining this. What a coincidence that it'd appear today...

nordvpn.com/blog/smartplay-exp

@FiXato
Here’s how it goes:

1. We purchase services that provide pools of IP addresses.

2. There are two types of pools. The first one consists of IPs purchased from ISPs directly. The second one consists of the IPs of people who have voluntarily downloaded specific applications on their devices. The sole purpose of these applications is to reward the end user for voluntarily sharing part of their bandwidth with various services. Each individual who has the app downloaded is fully aware of this purpose and receives a reward for the traffic sent and received through their device.

3. These IPs are only used initially when forming a connection. Regular browsing data and user IPs are never sent this way.

4. The owner of the IP address can’t see any individual identifiable personal data because no such data is ever sent.
