Tuesday, April 08, 2008

Rogers proxying for Ottawa customers

In the past weeks, we've been trolling through logs looking at Rogers' IPs. One especially useful set of logs is found here. It is an especially useful dataset for two reasons. First is its size, with over 100,000 hits between mid-2002 and mid-2005. Second, unlike most logs, this one reports the http_forwarded_for header (on which see here), which means that when a transparent proxy visits, both the proxy's address and the IP of the original user are reported. As a result, over 200 visits from Rogers proxies can be identified in these logs, including most of the proxies identified here.

But these logs offer another opportunity. Because they reveal the individual IP behind the proxy, they give some insight into how Rogers distributes these proxies. Consider this entry, from the logs of July, 2003:
    Wed Jul 9 17:28:37 2003|wc09.wlfdle.rnc.net.cable.rogers.com|66.185.84.76| http://www.cs.ualberta.ca/~mburo/|35621:24.114.18.212$|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MSOCD; AtHome021SI; AtHome0200; .NET CLR 1.0.3705)
    Wed Jul 9 17:32:10 2003|wc09.wlfdle.rnc.net.cable.rogers.com|66.185.84.76| http://www.cs.ualberta.ca/~mburo/ggsa/|14811:24.114.18.212$|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MSOCD; AtHome021SI; AtHome0200; .NET CLR 1.0.3705)
In this case the web-cache (wc09.wlfdle.etc, which has the IP address 66.185.84.76) is proxying for 24.114.18.212.  Unfortunately, this is no longer a functioning address.  But for some reason some obsolete data remains in this database, and it reports the name as ON-ROG-1-FLFRD-4.  According to this, FLFRD stands for Fallowfield Road in Ottawa. 

Each of the proxy entries in these logs, then, provides us both with the visitor's unique IP address (hidden behind the proxy address that is forwarding its traffic) and a means by which to estimate a geographical point of origin.   Obviously we're especially interested in visits originating in Ottawa.  (Only about two-thirds of the IPs forwarded by Rogers' proxies are in the database mentioned, which means that the following is suggestive only.)

Here is another pair from the Dec. 2003 log:
    Wed Dec 24 22:53:37 2003|wc13.mtnk.rnc.net.cable.rogers.com|66.185.84.208| http://www.cs.ualberta.ca/~mburo/log.html|49683:24.102.22.213$|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
    Wed Dec 24 22:54:27 2003|wc09.mtnk.rnc.net.cable.rogers.com|66.185.84.204| http://www.cs.ualberta.ca/~mburo/publications.html|11277:24.102.22.213$|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
This pair of visits nicely illustrates the kind of shifting that we've seen before (mapped out in a general way here, though obviously now that we know these are proxies we'll have to re-evaluate the causes of this phenomenon).  In this case, the personal IP yields ON-ROG-21-1SLNT-1, which this identifies as St. Laurent Rd. in Ottawa. 

There are seven other entries in these logs that originate in Ottawa:
  1. on Sat Feb 7 13:33:55 2004, 24.42.51.190 (resolving to ON-ROG-6-SLNT-6), proxied by wc09.wlfdle.rnc.net.cable.rogers.com (=66.185.84.76);
  2. on Fri Jun 4 18:39:08 2004, 24.114.145.64 (resolving to ON-ROG-5-FLFRD-5), proxied by wc09.ym.~ (=66.185.85.76);
  3. on Mon Aug 30 13:30:11 2004, 24.112.0.122 (resolving to ON-ROG-FLFRD-7), proxied by wc09.wlfdle.~ (=66.185.84.76);
  4. on Wed Oct 6 10:14:56 2004, 24.156.226.105 (resolving to ON-ROG-18-SLNT-7), proxied by wc09.ym.~ (=66.185.85.76);
  5. on Sun Jan 9 21:10:26 2005, 24.112.88.50 (resolving to ON-ROG-FLFRD-1), proxied by wc05.wlfdle.~ (=66.185.84.72);
  6. on Mon Jan 31 13:53:08 2005, 24.103.2.52 (resolving to ON-ROG-13-FLFRD-3), proxied by wc13.ym.~ (=66.185.85.80);
  7. on Sat Feb 5 22:07:10 2005, 24.156.226.105 (resolving to ON-ROG-18-SLNT-7), proxied by wc01.wlfdle.rnc.~ (=66.185.84.68).
Note especially examples 4 and 7 of this list, in which the IP proxied in October 2004 by wc09.ym.~ is proxied by wc01.wlfdle.rnc.~ in February 2005. Clearly individual nodes are not each assigned to their own proxy. (We'll return to this in a future post.)

How these proxies are assigned is unclear.  Nevertheless, it is clear that no geographical region is limited to a single proxy or even to a single bank of proxies.  
  • SLNT (St. Laurent) is proxied by York Mills (09.ym), Newkirk (09.mtnk, 13.mtnk), and Wolfedale (01.wlfdle, 09.wlfdle, 13.wlfdle)
  • FLFRD (Fallowfield Rd) is proxied by York Mills (09.ym, 13.ym), Newkirk (none), and Wolfedale (05.wlfdle, 09.wlfdle)
This has important implications that I will discuss soon.
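
The pairing of proxy and forwarded address described above can be pulled out of such logs mechanically. The following is an added example, not code from this post or from the site that publishes the logs: the six-field layout is inferred from the entries quoted above, the number before the colon in the fifth field is treated as opaque, and the last sample line is constructed.

```python
import ipaddress
from collections import defaultdict

# First three lines: entries quoted in this post (user-agent field shortened).
# Last line: constructed direct visit with an empty forwarded address (assumed form).
SAMPLE = """\
Wed Jul 9 17:28:37 2003|wc09.wlfdle.rnc.net.cable.rogers.com|66.185.84.76| http://www.cs.ualberta.ca/~mburo/|35621:24.114.18.212$|Mozilla/4.0
Wed Dec 24 22:53:37 2003|wc13.mtnk.rnc.net.cable.rogers.com|66.185.84.208| http://www.cs.ualberta.ca/~mburo/log.html|49683:24.102.22.213$|Mozilla/4.0
Wed Dec 24 22:54:27 2003|wc09.mtnk.rnc.net.cable.rogers.com|66.185.84.204| http://www.cs.ualberta.ca/~mburo/publications.html|11277:24.102.22.213$|Mozilla/4.0
Mon Mar 1 10:00:00 2004|host.example.net|192.0.2.10| http://www.cs.ualberta.ca/~mburo/|40000:$|Mozilla/4.0
"""

def parse_line(line):
    """Split one entry into fields; return None if it does not fit the layout."""
    parts = line.rstrip("\n").split("|", 5)
    if len(parts) != 6:
        return None
    when, host, ip, url, fwd, _agent = (p.strip() for p in parts)
    # Fifth field looks like "<number>:<forwarded address>$"; keep only the address.
    _, _, client = fwd.rstrip("$").partition(":")
    try:
        ipaddress.ip_address(ip)
        client = str(ipaddress.ip_address(client)) if client else None
    except ValueError:
        return None  # malformed connecting or forwarded address
    return {"time": when, "proxy_host": host, "proxy_ip": ip,
            "url": url, "client": client}

def proxies_by_client(text):
    """Map each forwarded (client) address to the proxy hosts that carried it."""
    seen = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        # Direct visits carry no forwarded address and are skipped.
        if rec and rec["client"] and rec["client"] != rec["proxy_ip"]:
            seen[rec["client"]].add(rec["proxy_host"])
    return {client: sorted(hosts) for client, hosts in seen.items()}

def shifting_clients(text):
    """Clients seen behind more than one proxy, as in the Dec. 2003 pair."""
    return sorted(c for c, h in proxies_by_client(text).items() if len(h) > 1)

if __name__ == "__main__":
    for client, hosts in proxies_by_client(SAMPLE).items():
        print(client, "->", ", ".join(hosts))
```

The forwarded address is supplied in a request header, so it is a claim made by whatever sent the request rather than a verified origin.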