8

I see this ip address actively accessing gmail account in spite of 2-Step Verification.

whois 243.25.203.20 produces following message: No whois server is known for this kind of object.

How can I find out what functionality uses this ip?

Peter J
  • 83
  • 1
  • 5
  • 5
    My `whois` client tells me this is IANA reserved for future use. It should not be allocated. – tripleee Sep 04 '18 at 09:31
  • What you describe sounds like a bug. I tried to reproduce the symptom, but I wasn't able to. So some more information would be useful. There is a few pieces of information which would help in reproducing the problem. First of all, which links did you follow to find that IP address in the first place? And what additional information is displayed about that client? At the very least you should be able to find a User-Agent which should help you identify which of your devices is most likely to be the one. And if you are able to find a plausible device, what is the real IP address of it? – kasperd Sep 04 '18 at 20:23
  • Did any answer help you? If so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you can provide and accept your own answer. – Ron Maupin Dec 25 '18 at 09:23
  • That's "class E" address space ... Thanks! – Peter Juselius Jan 02 '19 at 15:21
  • Thank you all, It was MacOs keeping a ' copy' of all mails. I disconnected gmail account from MacOs mail and that solved the issue. Please close question. – Peter J Apr 22 '20 at 07:50

3 Answers3

8

As @tripleee said in his comment, looks like it is an IP from a reserved block, so it should not be public routable on the Internet (in an ideal world, that is :D).

You can check by specifying an explicit whois server, for example

$> whois -h whois.ripe.net 243.25.203.20

returns

inetnum:        243.0.0.0 - 243.255.255.255
netname:        IETF-RESERVED-ADDRESS-BLOCK
descr:          IPv4 address block reserved by the IETF
remarks:        ------------------------------------------------------
remarks:
remarks:        This address block is reserved by the IETF
remarks:
remarks:        You can find more information on the IANA registry page:
remarks:        http://www.iana.org/assignments/ipv4-address-space
remarks:
remarks:        ------------------------------------------------------

Checking on public looking glasses returns empty results, too:

route-views>sho ip ro 243.25.203.20
% Network not in table
route-views>sho ip bgp 243.25.203.20
% Network not in table

It could be a spoofed IP Address but more likely someone is hijacking unused address space.

Daniele Santi
  • 381
  • 1
  • 3
  • 7
  • 1
    So the next question is, how is the user (or bot, heh) at that *purported* IP actually gaining access to OP's GMail despite 2SV? – Doktor J Sep 04 '18 at 16:32
  • 1
    @DoktorJ, that question is actually off-topic here. You could try to ask it on [security.se]. – Ron Maupin Sep 04 '18 at 17:42
  • 1
    @DoktorJ Most likely the OP himself is the source of that activity and a bug is causing an incorrect IP address to be shown. A likely explanation for the incorrect IP address is given in the [answer](https://networkengineering.stackexchange.com/a/53016/5842) that [MaZe](https://networkengineering.stackexchange.com/users/49922/maze) posted. – kasperd Sep 08 '18 at 21:18
4

Read up on ipv6 address coercion.

  • "Address coercion" protects IPv4-only code from IPv6
    • Take IPv6 address
    • Remove user-modifiable bits
    • Hash into 224.0.0.0/3
  • Sometimes not perfect
    • "Your last login was from 238.1.2.3"

https://www.nanog.org/meetings/nanog50/presentations/Wednesday/NANOG50.Talk41.colitti-IPv6%20transition%20experiences.pdf

I'm pretty sure Google came up with hashing IPv6 into the 224.0.0.0/3 subnet for IPv6 unaware apps.

Guess OP must have found some edge case...

As kasperd said it'd be nice to understand what the edge case is though so they can fix it...

kasperd
  • 764
  • 1
  • 6
  • 13
MaZe
  • 141
  • 1
3

That's "class E" address space -- 240/4, aka. the space beyond multicast. It is not a valid internet address. (and never will be.) Almost no commercial network gear will even allow assigning such an address.

The only "internet" source I'm aware of that even remotely uses that range is Cloudflare. And it's only for IPv6-to-IPv4 proxied traffic (X-Forwarded-For header), with explicit admin opt-in.

Ultimately, you'd have to ask Google (good luck with that) how such an address can appear in their gmail headers.

Ricky
  • 31,438
  • 2
  • 43
  • 84