whois 243.25.203.20
I see this IP address actively accessing a Gmail account in spite of 2-Step Verification.
whois 243.25.203.20 produces the following message:
No whois server is known for this kind of object.
How can I find out what functionality uses this IP?
whois
What you describe sounds like a bug. I tried to reproduce the symptom, but I wasn't able to. So some more information would be useful. There are a few pieces of information which would help in reproducing the problem. First of all, which links did you follow to find that IP address in the first place? And what additional information is displayed about that client? At the very least you should be able to find a User-Agent which should help you identify which of your devices is most likely to be the one. And if you are able to find a plausible device, what is the real IP address of it?
– kasperd
Sep 4 '18 at 20:23
Did any answer help you? If so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you can provide and accept your own answer.
– Ron Maupin♦
Dec 25 '18 at 9:23
4 Answers
4
As @tripleee said in his comment, it looks like this is an IP from a reserved block; it should not be publicly routable on the Internet (in an ideal world, that is :D).
You can check by specifying an explicit whois server, for example
$> whois -h whois.ripe.net 243.25.203.20
returns
inetnum: 243.0.0.0 - 243.255.255.255
netname: IETF-RESERVED-ADDRESS-BLOCK
descr: IPv4 address block reserved by the IETF
remarks: ------------------------------------------------------
remarks:
remarks: This address block is reserved by the IETF
remarks:
remarks: You can find more information on the IANA registry page:
remarks: http://www.iana.org/assignments/ipv4-address-space
remarks:
remarks: ------------------------------------------------------
Checking on public looking glasses returns empty results, too:
route-views>sho ip ro 243.25.203.20
% Network not in table
route-views>sho ip bgp 243.25.203.20
% Network not in table
It could be a spoofed IP Address but more likely someone is hijacking unused address space.
Spoofing is unlikely, since they would need to spoof a 3-way TCP handshake. More likely, someone is hijacking unassigned IP space.
– Teun Vink♦
Sep 4 '18 at 9:59
@Teun Vink you're right, I've edited my answer accordingly.
– Mr Shunz
Sep 4 '18 at 10:07
So the next question is, how is the user (or bot, heh) at that purported IP actually gaining access to OP's GMail despite 2SV?
– Doktor J
Sep 4 '18 at 16:32
@DoktorJ, that question is actually off-topic here. You could try to ask it on Information Security.
– Ron Maupin♦
Sep 4 '18 at 17:42
@DoktorJ Most likely the OP himself is the source of that activity and a bug is causing an incorrect IP address to be shown. A likely explanation for the incorrect IP address is given in the answer that MaZe posted.
– kasperd
Sep 8 '18 at 21:18
That's "class E" address space -- 240/4, aka. the space beyond multicast. It is not a valid internet address. (and never will be.) Almost no commercial network gear will even allow assigning such an address.
The only "internet" source I'm aware of that even remotely uses that range is Cloudflare. And it's only for IPv6-to-IPv4 proxied traffic (X-Forwarded-For header), with explicit admin opt-in.
Ultimately, you'd have to ask Google (good luck with that) how such an address can appear in their gmail headers.
Read up on IPv6 address coercion.
https://www.nanog.org/meetings/nanog50/presentations/Wednesday/NANOG50.Talk41.colitti-IPv6%20transition%20experiences.pdf
I'm pretty sure Google came up with hashing IPv6 into the 224.0.0.0/3 subnet for IPv6-unaware apps.
Guess OP must have found some edge case...
As kasperd said it'd be nice to understand what the edge case is though so they can fix it...
That's "class E" address space ... Thanks!
Network classes are dead and have been for 21 years. RFC 2317 is dated March 1998.
– Zac67
12 hours ago
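Added example, not part of any answer on this page: a Python triage of displayed source addresses that flags those inside 224.0.0.0/3 (multicast plus the reserved 240.0.0.0/4 block discussed above), so they can be correlated by timestamp and User-Agent instead of by IP. The log line format, `SAMPLE_LOG`, `classify` and `triage` are assumptions made for the illustration.

```python
import ipaddress
import re

# 224.0.0.0/3 (the range named in the answer above) is the union of these two:
MULTICAST = ipaddress.ip_network("224.0.0.0/4")
RESERVED = ipaddress.ip_network("240.0.0.0/4")   # IETF reserved, "future use"

# Constructed sample; the line format is an assumption, not a Gmail export.
SAMPLE_LOG = """\
2018-09-04T08:01:12Z ip=243.25.203.20 ua="Mozilla/5.0 (Android)"
2018-09-04T08:05:40Z ip=8.8.8.8 ua="Mozilla/5.0 (X11; Linux)"
2018-09-04T08:09:03Z ip=2001:db8::1234 ua="Mozilla/5.0 (Android)"
2018-09-04T08:11:27Z ip=10.1.2.3 ua="curl/7.61"
"""
LINE_RE = re.compile(r'^(\S+) ip=(\S+) ua="([^"]*)"$')


def classify(addr):
    """Label one displayed source address."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return "invalid"
    if ip.version == 6:
        if ip.ipv4_mapped is None:
            return "ipv6"
        ip = ip.ipv4_mapped          # ::ffff:a.b.c.d is judged as a.b.c.d
    if ip in RESERVED:
        return "reserved-240/4"
    if ip in MULTICAST:
        return "multicast-224/4"
    return "global-unicast" if ip.is_global else "non-global"


def triage(log_text):
    """Return entries whose displayed address lies in 224.0.0.0/3."""
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        ts, addr, ua = m.groups()
        label = classify(addr)
        if label in ("reserved-240/4", "multicast-224/4"):
            # Correlate these by timestamp and User-Agent, not by IP.
            flagged.append((ts, addr, label, ua))
    return flagged


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(*entry, sep="  ")
```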
My whois client tells me this is IANA reserved for future use. It should not be allocated.
– tripleee
Sep 4 '18 at 9:31