Why is the DoD on My APN?
by ThoughtCrimes
I was recently doing some research of cellular networks and how public IP addresses change when moving from tower to tower when I came across an interesting discovery.
It seems that my Android mobile phone was reporting two different public IP addresses.
When I would use third-party tools like free websites to check my WAN IP, the results would always come back as expected and point to my existing carrier's network. However, when I dug through some of the internal menus in Android settings, I discovered a second public IP address which I did not recognize. This seemed odd as it was a completely different network than my carrier. Being a little curious, I ran a WHOIS query against the second IP and the results were astonishing.
It turns out that this second IP was tagged as belonging to a Department of Defense network based in Columbus, Ohio.
At first, I thought this was funny but also a little scary.
Frankly, I wasn't too worried about it as I'm not all that interesting nor was I committing any crimes that would warrant direct surveillance by the most powerful country on Earth. However, I do consider myself to be a privacy conscious individual and use VPN whenever possible, have very little social media presence, use an encrypted email provider, and use encrypted messaging for SMS. Based on this and some of the things I'd read in the Edward Snowden dumps, it wasn't improbable that I was deemed interesting for those reasons.
At any rate, I decided to investigate further to try and determine if this was just a fluke or something targeted at me specifically. To begin, I rebooted my device and then installed a couple of network monitoring apps. Each time I'd reboot the device, the same pattern of behavior occurred.
My external IP showed as belonging to my cellular provider, but a second "Carrier IP" was showing up. I continued by disabling and enabling my cellular connection to refresh the IPs and began recording what addresses I was receiving. I then began looking each of these IP addresses up to determine who owned them.
To my astonishment, four out of five times, this "Carrier IP" was coming back as belonging to the DoD network. In some instances, however, the IPs were showing up as coming from the United Kingdom's Ministry of Defence. That was obviously strange considering that I was in the USA at the time. Another weird fact was that, depending on what system I used to look up the IP addresses, some were reporting as not available and others were throwing warnings with detailed legal language stating that I wasn't allowed to query the WHOIS records except for specific purposes.
To investigate further, I looked at the phones of friends and family members that were using the same carrier I was. The weird thing was that none of their devices showed this second IP address the way that mine did. Now I was getting a little worried, but still thought it was worth digging a little deeper.
So I tethered my phone to my laptop and began sniffing some of the traffic and running traceroute to determine what was happening. It turned out that the DoD/MoD addresses were in fact showing as belonging to my device (only one hop away and only a few milliseconds of latency). An odd thing that occurred whenever I tethered the phone to my laptop, however, was that a third public IP address began showing up in some of the network analysis apps I had installed on my device. This third IP also showed as belonging to a DoD or MoD network. When I disabled my Wi-Fi hotspot, this IP would disappear, and when the hotspot was enabled, it would again reappear.
One thing that stood out about my friends' and family's devices as different than mine was that their devices were all showing an IPv6 address, whereas mine was an IPv4. I then began to compare the APN settings on my device to theirs, and that is when things got really interesting. I was using an Android device with a prepaid Mobile Virtual Network Operator (MVNO) that piggybacks on top of T-Mobile. When I set the phone up for this carrier, I followed their instructions and installed the APN as detailed in their onboarding guide. Some of my friends were using the exact same carrier as I was, but didn't bother setting up the APN that the carrier recommended we use; instead, they were using T-Mobile's default APN that automatically populated when inserting the SIM card. I tried setting up this APN on their devices and discovered that as soon as I did, the DoD IP addresses began showing up.
So at this point, I felt pretty confident that this mysterious APN was likely the culprit.
To investigate further, I began entering several new APNs with slightly different settings in each to see what kind of IP addresses I'd receive. Well, it turned out that T-Mobile would only allow me to connect using IPv6, whereas the prepaid MVNO would allow IPv4 or IPv6 connections. If I connected to the MVNO using an IPv6 connection, everything looked almost identical to what I'd get with the T-Mobile APN. None of the DoD/MoD IP addresses were showing up when I connected over IPv6; however, they would always show up when I connected using IPv4. This seemed odd to me, especially since the MVNO's instructions explicitly called out using IPv4.
I then took to the web to search on the APN settings that my carrier was recommending.
It turned out that at least five other prepaid phone carriers were providing instructions to use the exact same APN settings as my carrier. Upon further investigation, it seemed that all of them were using T-Mobile as the underlying network. Another interesting fact was that all of these carriers were providing prepaid SIM cards which didn't require any registration.
Many of them were targeted at people traveling to the USA from abroad who wanted a SIM card to use while on vacation. Others were providing SIMs for use in alarm systems and GPS tracking equipment.
Based on this, it seems probable that this APN may in fact be routing cellular traffic through a DoD network.
I could be wrong, but if others have any possible explanations, I'd love to hear them.
DoD APN?
Cellular Data
Name - Ultra
APN - Wholesale
Proxy - (leave blank)
Port - 8080
Username & Password - (leave blank)
Server - (leave blank)

MMS
MMSC - http://wholesale.mmsmvno.com/mms/wapenc
MMS Proxy - (leave blank)
MMS Port - (leave blank)
MCC - 310
MNC - 260
Authentication Type - (leave blank)
APN Type - default,supl,mms

Carriers That Use this APN
Ting
Ultra
SpeedTalk
ZipSIM
Roam
Mint
AlarmSIM

IP Addresses
HOST IP --> 25.175.94.2, 21.250.106.162, 21.250.111.204, 26.194.83.43, 25.175.83.43
GATEWAY IP --> 25.175.94.1, 21.250.106.161, 21.250.111.205
External IP --> 172.58.35.148, 172.58.35.199, 172.58.38.251
HOTSPOT IP --> 26.194.57.144, 25.175.65.232, 25.175.205.29, 26.195.248.156, 25.174.65.239, 21.251.115.224

WHOIS Query - Network 1
$ whois 26.194.83.43

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2023, American Registry for Internet Numbers, Ltd.
#

NetRange: 26.0.0.0 - 26.255.255.255
CIDR: 26.0.0.0/8
NetName: DISANET26
NetHandle: NET-26-0-0-0-1
Parent: ()
NetType: Direct Allocation
OriginAS:
Organization: DoD Network Information Center (DNIC)
RegDate: 1995-05-01
Updated: 2009-06-19
Ref: https://rdap.arin.net/registry/ip/26.0.0.0

OrgName: DoD Network Information Center
OrgId: DNIC
Address: 3990 E. Broad Street
City: Columbus
StateProv: OH
PostalCode: 43218
Country: US
RegDate:
Updated: 2011-08-17
Ref: https://rdap.arin.net/registry/entity/DNIC

OrgAbuseHandle: REGIS10-ARIN
OrgAbuseName: Registration
OrgAbusePhone: +1-844-347-2457
OrgAbuseEmail: disa.columbus.ns.mbx.arin-registrations@mail.mil
OrgAbuseRef: https://rdap.arin.net/registry/entity/REGIS10-ARIN

OrgTechHandle: MIL-HSTMST-ARIN
OrgTechName: Network DoD
OrgTechPhone: +1-844-347-2457
OrgTechEmail: disa.columbus.ns.mbx.hostmaster-dod-nic@mail.mil
OrgTechRef: https://rdap.arin.net/registry/entity/MIL-HSTMST-ARIN

OrgTechHandle: REGIS10-ARIN
OrgTechName: Registration
OrgTechPhone: +1-844-347-2457
OrgTechEmail: disa.columbus.ns.mbx.arin-registrations@mail.mil
OrgTechRef: https://rdap.arin.net/registry/entity/REGIS10-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2023, American Registry for Internet Numbers, Ltd.
#

WHOIS Query - Network 2
$ whois 25.175.83.43

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2023, American Registry for Internet Numbers, Ltd.
#

NetRange: 25.0.0.0 - 25.255.255.255
CIDR: 25.0.0.0/8
NetName: RIPE-ERX-25
NetHandle: NET-25-0-0-0-1
Parent: ()
NetType: Early Registrations, Maintained by RIPE NCC
OriginAS:
Organization: RIPE Network Coordination Centre (RIPE)
RegDate: 1985-01-28
Updated: 2013-01-14
Comment: These addresses have been further assigned to users in the RIPE NCC region. Contact information can be found in the RIPE database at http://www.ripe.net/whois
Ref: https://rdap.arin.net/registry/ip/25.0.0.0

ResourceLink: https://apps.db.ripe.net/search/query.html
ResourceLink: whois.ripe.net

OrgName: RIPE Network Coordination Centre
OrgId: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
RegDate:
Updated: 2013-07-29
Ref: https://rdap.arin.net/registry/entity/RIPE

ReferralServer: whois://whois.ripe.net
ResourceLink: https://apps.db.ripe.net/search/query.html

OrgAbuseHandle: ABUSE3850-ARIN
OrgAbuseName: Abuse Contact
OrgAbusePhone: +31205354444
OrgAbuseEmail: abuse@ripe.net
OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3850-ARIN

OrgTechHandle: RNO29-ARIN
OrgTechName: RIPE NCC Operations
OrgTechPhone: +31 20 535 4444
OrgTechEmail: hostmaster@ripe.net
OrgTechRef: https://rdap.arin.net/registry/entity/RNO29-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2023, American Registry for Internet Numbers, Ltd.
#

Found a referral to whois.ripe.net.
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '25.0.0.0 - 25.255.255.255'

% Abuse contact for '25.0.0.0 - 25.255.255.255' is 'hostmaster@mod.gov.uk'

inetnum: 25.0.0.0 - 25.255.255.255
netname: UK-MOD-19850128
country: GB
org: ORG-DMoD1-RIPE
admin-c: MN1891-RIPE
tech-c: MN1891-RIPE
status: LEGACY
mnt-by: UK-MOD-MNT
mnt-domains: UK-MOD-MNT
mnt-routes: UK-MOD-MNT
mnt-by: RIPE-NCC-LEGACY-MNT
created: 2005-08-23T10:27:23Z
last-modified: 2016-04-14T09:56:26Z
source: RIPE # Filtered

organisation: ORG-DMoD1-RIPE
org-name: UK Ministry of Defence
country: GB
org-type: LIR
address: Whitehall
address: SW1A 2HB
address: London
address: UNITED KINGDOM
phone: +44(0)3001512351
admin-c: MN1891-RIPE
abuse-c: MH12763-RIPE
mnt-ref: RIPE-NCC-HM-MNT
mnt-ref: UK-MOD-MNT
mnt-by: RIPE-NCC-HM-MNT
mnt-by: UK-MOD-MNT
created: 2004-04-17T12:18:23Z
last-modified: 2021-08-18T08:32:09Z
source: RIPE # Filtered

person: Mathew Newton
address: Defence Digital, Strategic Command
address: UK Ministry of Defence
phone: +44 (0)30 677 00816
nic-hdl: MN1891-RIPE
created: 2005-03-18T10:42:04Z
last-modified: 2021-06-23T16:25:46Z
source: RIPE # Filtered
mnt-by: UK-MOD-MNT

% This query was served by the RIPE Database Query Service version 1.105 (SHETLAND)

WHOIS Query - Network 3
$ whois 172.32.0.0

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2023, American Registry for Internet Numbers, Ltd.
#

NetRange: 172.32.0.0 - 172.63.255.255
CIDR: 172.32.0.0/11
NetName: TMO9
NetHandle: NET-172-32-0-0-1
Parent: NET172 (NET-172-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS21928
Organization: T-Mobile USA, Inc. (TMOBI)
RegDate: 2012-09-18
Updated: 2020-11-18
Comment: Geofeed https://raw.githubusercontent.com/tmobile/tmus-geofeed/main/tmus-geo-ip.txt
Ref: https://rdap.arin.net/registry/ip/172.32.0.0

OrgName: T-Mobile USA, Inc.
OrgId: TMOBI
Address: 12920 SE 38th Street
City: Bellevue
StateProv: WA
PostalCode: 98006
Country: US
RegDate: 2003-01-02
Updated: 2017-01-28
Ref: https://rdap.arin.net/registry/entity/TMOBI

OrgAbuseHandle: ABUSE4857-ARIN
OrgAbuseName: abuse
OrgAbusePhone: +1-888-662-4662
OrgAbuseEmail: abuse@t-mobile.com
OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE4857-ARIN

OrgTechHandle: DNSAD11-ARIN
OrgTechName: DNS Administrators
OrgTechPhone: +1-888-662-4662
OrgTechEmail: ARINtechcontact@t-mobile.com
OrgTechRef: https://rdap.arin.net/registry/entity/DNSAD11-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2023, American Registry for Internet Numbers, Ltd.
#

WHOIS Query - Network 4
$ whois 21.0.0.0

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2023, American Registry for Internet Numbers, Ltd.
#

NetRange: 21.0.0.0 - 21.255.255.255
CIDR: 21.0.0.0/8
NetName: DNIC-SNET-021
NetHandle: NET-21-0-0-0-1
Parent: ()
NetType: Direct Allocation
OriginAS:
Organization: DoD Network Information Center (DNIC)
RegDate: 1991-07-01
Updated: 2009-06-19
Ref: https://rdap.arin.net/registry/ip/21.0.0.0

OrgName: DoD Network Information Center
OrgId: DNIC
Address: 3990 E. Broad Street
City: Columbus
StateProv: OH
PostalCode: 43218
Country: US
RegDate:
Updated: 2011-08-17
Ref: https://rdap.arin.net/registry/entity/DNIC

OrgTechHandle: REGIS10-ARIN
OrgTechName: Registration
OrgTechPhone: +1-844-347-2457
OrgTechEmail: disa.columbus.ns.mbx.arin-registrations@mail.mil
OrgTechRef: https://rdap.arin.net/registry/entity/REGIS10-ARIN

OrgAbuseHandle: REGIS10-ARIN
OrgAbuseName: Registration
OrgAbusePhone: +1-844-347-2457
OrgAbuseEmail: disa.columbus.ns.mbx.arin-registrations@mail.mil
OrgAbuseRef: https://rdap.arin.net/registry/entity/REGIS10-ARIN

OrgTechHandle: MIL-HSTMST-ARIN
OrgTechName: Network DoD
OrgTechPhone: +1-844-347-2457
OrgTechEmail: disa.columbus.ns.mbx.hostmaster-dod-nic@mail.mil
OrgTechRef: https://rdap.arin.net/registry/entity/MIL-HSTMST-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2023, American Registry for Internet Numbers, Ltd.
#
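A WHOIS answer records who holds a block, not who is forwarding packets for it, so the check worth running against the numbers on this page is twofold: which registered range each observed address falls in, and whether the address on the handset's interface is the same one remote services report back (when the two differ, something between the phone and the internet is translating addresses, and the interface address is not what the internet sees). The Python below is an added example, not code from the original post. It embeds trimmed copies of the four WHOIS answers above and the HOST/GATEWAY/External/HOTSPOT lists as its sample input; the RFC 1918 and RFC 6598 ranges it checks first are standard private and carrier-NAT shared space that the page itself does not mention, included so that an address in either is never mistaken for a registered public block.

```python
"""Classify the addresses listed on this page against the WHOIS ranges the
page prints, and flag the NAT signature (interface address != address that
remote services report). Added example; standard library only."""
import ipaddress
import re

# Trimmed copies of the four WHOIS answers printed on the page. ARIN and RIPE
# use different field names ("NetRange:"/"OrgName:" vs "inetnum:"/"org-name:"),
# so the parser accepts both.
WHOIS_EXCERPTS = [
    """NetRange:       26.0.0.0 - 26.255.255.255
CIDR:           26.0.0.0/8
NetName:        DISANET26
OrgName:        DoD Network Information Center
Country:        US""",
    """inetnum:        25.0.0.0 - 25.255.255.255
netname:        UK-MOD-19850128
country:        GB
org-name:       UK Ministry of Defence""",
    """NetRange:       172.32.0.0 - 172.63.255.255
CIDR:           172.32.0.0/11
NetName:        TMO9
OriginAS:       AS21928
OrgName:        T-Mobile USA, Inc.
Country:        US""",
    """NetRange:       21.0.0.0 - 21.255.255.255
CIDR:           21.0.0.0/8
NetName:        DNIC-SNET-021
OrgName:        DoD Network Information Center
Country:        US""",
]

# The addresses the post lists, keyed by the role the phone's network apps gave them.
OBSERVED = {
    "HOST IP": ["25.175.94.2", "21.250.106.162", "21.250.111.204",
                "26.194.83.43", "25.175.83.43"],
    "GATEWAY IP": ["25.175.94.1", "21.250.106.161", "21.250.111.205"],
    "External IP": ["172.58.35.148", "172.58.35.199", "172.58.38.251"],
    "HOTSPOT IP": ["26.194.57.144", "25.175.65.232", "25.175.205.29",
                   "26.195.248.156", "25.174.65.239", "21.251.115.224"],
}

# Private (RFC 1918) and carrier-grade NAT shared (RFC 6598) space, checked
# before any registry lookup: an address in these is never a public address.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC6598 = ipaddress.ip_network("100.64.0.0/10")

# Map both registries' field names onto one record layout.
FIELD_ALIASES = {
    "netrange": "range", "inetnum": "range",
    "netname": "name",
    "orgname": "org", "org-name": "org",
    "country": "country",
    "originas": "origin_as",
}


def parse_whois(text):
    """Extract range, name, org, country and origin AS from ARIN- or RIPE-style output."""
    rec = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][\w-]*):\s*(.*)$", line)
        if not m:
            continue
        key = FIELD_ALIASES.get(m.group(1).lower())
        if key and key not in rec:          # keep the first occurrence of a field
            rec[key] = m.group(2).strip()
    low, high = (ipaddress.ip_address(p.strip()) for p in rec["range"].split("-"))
    rec["networks"] = list(ipaddress.summarize_address_range(low, high))
    return rec


RECORDS = [parse_whois(t) for t in WHOIS_EXCERPTS]


def classify(ip_str):
    """Name the reserved range or the registered block an address falls in."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in n for n in RFC1918):
        return "RFC 1918 private"
    if ip in RFC6598:
        return "RFC 6598 CGNAT shared space"
    for rec in RECORDS:
        if any(ip in n for n in rec["networks"]):
            return f"{rec['org']} ({rec['name']}, {rec['country']})"
    return "not covered by the WHOIS records on this page"


def holders(role):
    """Sorted, de-duplicated block holders for the addresses listed under one role."""
    return sorted({classify(ip).split(" (")[0] for ip in OBSERVED[role]})


def nat_signature(host_ip, external_ip):
    """True when the interface address differs from the externally observed one:
    addresses are being translated between the handset and the internet."""
    return ipaddress.ip_address(host_ip) != ipaddress.ip_address(external_ip)


if __name__ == "__main__":
    for role, ips in OBSERVED.items():
        for ip in ips:
            print(f"{role:12} {ip:16} {classify(ip)}")
    print("NAT between handset and internet:",
          nat_signature(OBSERVED["HOST IP"][0], OBSERVED["External IP"][0]))
```

Run as-is, it places every External IP in T-Mobile's 172.32.0.0/11 (the block that Network 3 above attributes to AS21928) and every HOST, GATEWAY and HOTSPOT address in one of the DoD- or MoD-registered /8s, and reports the host/external pair as translated. To reuse it on your own handset, replace the OBSERVED lists with the addresses your network apps show and paste the WHOIS answers you receive into WHOIS_EXCERPTS; the parser only needs the range, name, org and country lines.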