Akamai, or who is watching your every move on the Internet and how to „drop“ them

Source: George Yury Matveev

1. What is going on

If you have been using the Internet regularly for the last decade (say, since the year 2000) you have no doubt noticed that it has become *slower* in recent years. Getting to the data takes dozens of seconds, and in some cases you cannot get connected in several minutes even though the server is alive and running. And this happens not over a 28 kbit/s modem but on 3G, Turbo-3G (HSPA) or even 4G networks (in Scandinavia) with speeds of 1 Mbit/s and higher. Why is that?

Let's run an experiment: turn off images and JavaScript in the browser (to reduce the number of connections a page triggers) and try connecting to a few web sites.

To see exactly where my browser connects I will use the netstat utility with the following options:
-t (TCP sockets), -a (all sockets), -p (PID/program name), -e (extended info: user and inode), -c (continuous listing), -n (numeric addresses, no DNS lookups).

First, let us try connecting to LinkedIn, popular among people working for big companies:

$ netstat -tapecn

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      0          5872        1665/exim4      
tcp        0      0 192.168.42.14:62570     216.52.242.80:443       ESTABLISHED 1000       532490      2310/firefox    
tcp        0      0 192.168.42.14:11287     2.23.145.244:443        ESTABLISHED 1000       533061      2310/firefox    
tcp        0      0 192.168.42.14:11288     2.23.145.244:443        ESTABLISHED 1000       533062      2310/firefox    
tcp        0      0 192.168.42.14:11284     2.23.145.244:443        ESTABLISHED 1000       533052      2310/firefox    
tcp        0      0 192.168.42.14:31136     75.126.153.214:80       TIME_WAIT   0          0           -               
tcp        0      0 192.168.42.14:48286     173.194.32.48:80        TIME_WAIT   0          0           -               
tcp        0      0 192.168.42.14:11286     2.23.145.244:443        ESTABLISHED 1000       533054      2310/firefox    
tcp        0      0 192.168.42.14:11285     2.23.145.244:443        ESTABLISHED 1000       533053      2310/firefox    
tcp        0      0 192.168.42.14:16959     173.194.32.51:80        TIME_WAIT   0          0           -               
tcp        0      0 192.168.42.14:14222     173.194.32.60:80        TIME_WAIT   0          0           -               
tcp     3675      0 192.168.42.14:62571     216.52.242.80:443       ESTABLISHED 1000       532491      2310/firefox    
tcp        0      0 192.168.42.14:16315     80.239.254.97:80        TIME_WAIT   0          0           -               
^C
$

216.52.242.80 is LinkedIn Corporation's address, but who owns the other addresses (2.23.145.244, 80.239.254.97, 173.194.32.51)?

Let’s find out using whois:

$ whois 2.23.145.244
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '2.23.144.0 - 2.23.159.255'

inetnum:         2.23.144.0 - 2.23.159.255
netname:         AKAMAI-PA
descr:           Akamai Technologies
country:         EU
admin-c:         NARA1-RIPE
tech-c:          NARA1-RIPE
status:          ASSIGNED PA
mnt-by:          AKAM1-RIPE-MNT
mnt-routes:      AKAM1-RIPE-MNT
source:          RIPE # Filtered

role:           Network Architecture Role Account
address:        Akamai Technologies
address:        8 Cambridge Center
address:        Cambridge, MA 02142
phone:          +1-617-938-3130
abuse-mailbox:  abuse@akamai.com
admin-c:        NF1714-RIPE
admin-c:        JP1944-RIPE
tech-c:         NF1714-RIPE
tech-c:         JP1944-RIPE
tech-c:         APB15-RIPE
tech-c:         CKAK-RIPE
tech-c:         PWG8-RIPE
tech-c:         MH7314-RIPE
tech-c:         TBAK-RIPE
nic-hdl:        NARA1-RIPE
mnt-by:         AKAM1-RIPE-MNT
source:         RIPE # Filtered

% Information related to '2.16.0.0/13as31377'

route:           2.16.0.0/13
descr:           Akamai Technologies
origin:          as31377
mnt-by:          AKAM1-RIPE-MNT
mnt-routes:      AKAM1-RIPE-MNT
mnt-routes:      AS6762-MNT {2.18.80.0/20^+, 2.23.112.0/20^+, 2.16.220.0/22, 2.16.178.0/23^+}
mnt-routes:      CW-EUROPE-GSOC { 2.16.180.0/23^+, 2.21.228.0/22^+, 2.21.232.0/22^+, 2.22.44.0/22^+, 2.22.242.0/23^+, 2.22.248.0/23^+, 2.23.0.0/20^+, 2.23.16.0/20^+, 2.23.32.0/20^+, 2.23.48.0/20^+, 2.23.160.0/20^+, 2.23.192.0/20^+, 2.23.208.0/20^+, 2.23.236.0/23^+ }
source:          RIPE # Filtered

% Information related to '2.23.144.0/20AS16625'

route:           2.23.144.0/20
descr:           Akamai Technologies
origin:          AS16625
mnt-by:          AKAM1-RIPE-MNT
source:          RIPE # Filtered
$

OK, so 2.23.145.244 belongs to a different organisation, Akamai Technologies, and Firefox has opened several connections to it. Note the direction: the local side is an ephemeral port on 192.168.42.14, the remote side is port 443 and the PID column says 2310/firefox, so these are connections the browser initiated, not inbound connections from Akamai. 80.239.254.97 also belongs to Akamai, and 173.194.32.51 is Google.
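As an added example (not code from the original article, which only shows the netstat and whois output), here is a small shell toolkit for the exercise above: it turns saved „netstat -tapecn“ output into a per-address summary, matches each foreign address against a CIDR list, and pulls the „route:“ prefixes out of whois output. The prefix list and the owner labels are built only from the whois results quoted above (every other address is reported as „unknown“), and the sample inputs are constructed from the article's own listings, so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the original article: a small toolkit for the
# "who is my browser talking to?" exercise. It works on saved
# `netstat -tapecn` and `whois` output, so it runs offline.
# Assumptions: the prefix list below is built only from the whois results
# quoted in the article; every IP outside it is reported as "unknown".

# "cidr=owner" tokens (owner names are this example's labels, not whois data).
PREFIXES='2.16.0.0/13=Akamai 2.23.144.0/20=Akamai 80.239.224.0/19=Akamai 173.194.0.0/16=Google'

ip2int() {
    # Dotted quad -> 32-bit integer, using only shell arithmetic.
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

cidr_size() {
    # Number of addresses in a /N block: 2^(32-N)  (e.g. /13 -> 524288).
    echo $(( 1 << (32 - $1) ))
}

in_cidr() {
    # in_cidr ADDRESS NETWORK/BITS -> true if ADDRESS lies inside the block.
    net=${2%/*}; bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

owner_of() {
    # First matching prefix wins; "unknown" if none matches.
    for entry in $PREFIXES; do
        if in_cidr "$1" "${entry%%=*}"; then
            echo "${entry#*=}"
            return 0
        fi
    done
    echo unknown
}

classify_netstat() {
    # Reads `netstat -tapecn` output on stdin and prints one line per unique
    # foreign IP: "<ip> <number of sockets> <owner>". Listening sockets
    # (foreign address 0.0.0.0:*) are skipped. Because the local side is an
    # ephemeral port and the remote side is 443/80, these are all connections
    # the browser opened, not inbound connections from the remote network.
    # LC_ALL=C keeps the ordering byte-wise regardless of the user's locale.
    awk '$1 == "tcp" && $5 !~ /\*$/ { sub(/:[^:]*$/, "", $5); print $5 }' \
        | LC_ALL=C sort | uniq -c \
        | while read -r count ip; do
            echo "$ip $count $(owner_of "$ip")"
        done
}

whois_routes() {
    # Pulls the announced prefixes ("route:" objects) out of whois output,
    # the quickest way to extend PREFIXES for a newly seen address.
    awk '$1 == "route:" { print $2 }'
}

# Constructed sample: lines copied from the article's first netstat listing.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      0          5872        1665/exim4
tcp        0      0 192.168.42.14:62570     216.52.242.80:443       ESTABLISHED 1000       532490      2310/firefox
tcp        0      0 192.168.42.14:11287     2.23.145.244:443        ESTABLISHED 1000       533061      2310/firefox
tcp        0      0 192.168.42.14:11288     2.23.145.244:443        ESTABLISHED 1000       533062      2310/firefox
tcp        0      0 192.168.42.14:48286     173.194.32.48:80        TIME_WAIT   0          0           -
tcp        0      0 192.168.42.14:16315     80.239.254.97:80        TIME_WAIT   0          0           -'

# Constructed sample: the two route objects from the article's whois output.
SAMPLE_WHOIS='route:           2.16.0.0/13
descr:           Akamai Technologies
origin:          as31377
route:           2.23.144.0/20
descr:           Akamai Technologies
origin:          AS16625'

# Live use:  netstat -tapecn | classify_netstat
#            whois 2.23.145.244 | whois_routes
printf '%s\n' "$SAMPLE_NETSTAT" | classify_netstat
printf '%s\n' "$SAMPLE_WHOIS" | whois_routes
```

On the sample the summary shows that two of the browser's sockets go to 2.23.145.244 (Akamai) while LinkedIn's own server appears only once; on a live „netstat -tapecn“ feed the same counts tell you how much of a page is coming from the CDN.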

Even though I am using the LinkedIn login page URL it takes more than 10 seconds before the page shows up.

But! If *one second* after hitting „Enter“ I go offline (Alt-F-W in Firefox, i.e. File → Work Offline) I see the login page immediately!

So the HTML itself (a simple two-field login form, no Flash) is delivered fine by LinkedIn's own server. What the browser is then waiting for are the sub-resources (stylesheets and whatever else the page references) that LinkedIn serves through Akamai, and every one of those requests hands the Akamai edge server your IP address, location, browser identification and the page you are on. Going offline aborts those fetches, so Firefox renders what it already has.
This is what the CDN business calls „optimization“.

Let’s now try connecting to Yahoo mail service:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      0          6064        -               
tcp      907      0 192.168.42.116:10829    217.146.187.60:443      ESTABLISHED 1000       27123       2328/firefox    
tcp        0      0 192.168.42.116:47766    2.23.141.227:443        ESTABLISHED 1000       27047       2328/firefox    
tcp        0      0 192.168.42.116:10828    217.146.187.60:443      ESTABLISHED 1000       27084       2328/firefox    
tcp        0      0 192.168.42.116:47769    2.23.141.227:443        ESTABLISHED 1000       27050       2328/firefox    
tcp        0      0 192.168.42.116:47765    2.23.141.227:443        ESTABLISHED 1000       27046       2328/firefox    
tcp        0      0 192.168.42.116:47767    2.23.141.227:443        ESTABLISHED 1000       27048       2328/firefox    
tcp        0      0 192.168.42.116:2690     173.204.115.235:80      ESTABLISHED 1000       27137       2328/firefox    
tcp        0      0 192.168.42.116:47768    2.23.141.227:443        ESTABLISHED 1000       27049       2328/firefox    
^C
$

IP 217.146.187.60 belongs to Yahoo Europe Operations, but once again Firefox opened several connections to an Akamai address (2.23.141.227) that I never typed in, because Yahoo serves part of its mail front-end from Akamai. IP 173.204.115.235 is GoGrid LLC in San Francisco, CA.

Now let's check what happens when I connect to my Internet Service Provider (Surftown, IP 212.97.132.34):

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      0          6064        -               
tcp        0      1 192.168.42.116:35143    213.150.61.61:443       SYN_SENT    1000       33752       2328/firefox    
tcp        0    198 192.168.42.116:37072    212.97.132.34:443       ESTABLISHED 1000       32804       2328/firefox    
tcp        0      1 192.168.42.116:47779    2.23.141.227:443        SYN_SENT    1000       33802       2328/firefox    
tcp        0      1 192.168.42.116:35145    213.150.61.61:443       SYN_SENT    1000       33801       2328/firefox    
tcp        0      0 192.168.42.116:37071    212.97.132.34:443       ESTABLISHED 1000       32782       2328/firefox    
tcp        0      1 192.168.42.116:47777    2.23.141.227:443        SYN_SENT    1000       33753       2328/firefox    
^C
$ 

Same story: apart from the connections to my ISP and its broadband partner (213.150.61.61, Tune Kabelnet, Copenhagen, DK), the browser tries hard to reach the same Akamai address 2.23.141.227 (state SYN_SENT: connection attempts in progress). Let's find out who they are.

2. What/who is Akamai?

According to the Wikipedia article, Akamai Technologies was founded in 1998 by two people:

Daniel M. Lewin, who was raised in Jerusalem and served several years in special forces units of the Israel Defense Forces before moving to Cambridge, MA, USA to study at MIT, and his adviser Frank Thomson Leighton, professor of Applied Math at MIT. The brief biography page at MIT CSAIL says that from 2003 to 2005 Professor Leighton served as chairman of the President's IT Advisory Committee's subcommittee on Cyber Security. In that capacity he issued a report entitled „Cyber Security: A Crisis in Prioritization“.

In a nutshell: this is a company founded by two cyber security professionals heavily involved with the Israeli and US governments.

How do they do it? Akamai acts as „middleware“ (a content delivery network) between its customers' web sites and the people browsing them: it mirrors the customers' content, for example the complete site HTML/CSS/JavaScript with its audio, graphics etc., on its own servers. So when you request content from a web site it is likely to be delivered from Akamai's IP addresses/servers, NOT from the customer's servers you expect.

Another trick is their peer-to-peer solution, similar to BitTorrent, which is based on a download manager that delivers content to and from other users' computers.

Usually it gets installed without much ado when users of *that* operating system upgrade their Flash player (described by Steve Jobs as a „can of worms“), PDF reader or some other component of the (closed source) Adobe Creative Suite (more on why Steve Jobs did not like Adobe and other proprietary software here).

Looking at the output of „whois 2.23.145.244“ you may have noticed the line „route: 2.16.0.0/13“. This is CIDR (Classless Inter-Domain Routing) notation, the method for allocating IP addresses and routing IP packets. A record like „a.b.0.0/13“ means the first 13 bits are the network part, leaving 19 bits for hosts, so there can be 2^19 = 524,288 IP addresses/hosts in this block. And it is only one of the CIDR blocks which belong to Akamai. The first netstat output above contains an address from another Akamai range (80.239.224.0/19) with 8,192 more addresses. They also own several bigger ones, e.g. 23.32.0.0/11 with 2,097,152 IP addresses!

Apart from operating several Internet domains (akam.net, akamai.com, akamai.net, akamaitech.net) they also get blocks of IP addresses assigned out of the address space of major carriers like TeliaSonera. Note in the record below that the assignment is maintained by TELIANET-LIR and that the enclosing route 80.239.160.0/19 is announced by Telia's own AS1299 (TELIANET-BLK): only the small sub-range 80.239.178.0/25 inside it is Akamai's, which matters when you later decide what to block (62.115.0.0/16, 80.239.128.0/19, 80.239.160.0/19, 80.239.192.0/19 etc. are carrier aggregates, not Akamai allocations):

geo@fermat:~$ whois 80.239.178.83
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '80.239.178.0 - 80.239.178.127'

inetnum:         80.239.178.0 - 80.239.178.127
netname:         AKAMAI
descr:           Akamai International BV
org:             ORG-AIB6-RIPE
country:         EU
admin-c:         RP8999-RIPE
tech-c:          RP8999-RIPE
status:          ASSIGNED PA
mnt-by:          TELIANET-LIR
source:          RIPE # Filtered

organisation:   ORG-AIB6-RIPE
org-name:       Akamai International B.V.
org-type:       OTHER
descr:          The Trusted Choice for Online Business
address:        8 Cambridge Center
address:        MA02412 Cambridge
address:        United States
phone:          +1 6174443007
admin-c:        NARA1-RIPE
tech-c:         NARA1-RIPE
mnt-by:         TELIANET-LIR
mnt-ref:        TELIANET-LIR
source:         RIPE # Filtered

person:          Roann Pacewicz
address:         Akamai International IV
address:         8 Cambridge Center
address:         02140 Cambridge, MA
address:         US
phone:           +6174442828
nic-hdl:         RP8999-RIPE
mnt-by:          TELIANET-LIR
source:          RIPE # Filtered

% Information related to '80.239.160.0/19AS1299'

route:          80.239.160.0/19
descr:          TELIANET-BLK
remarks:        Abuse issues should be reported
remarks:        to abuse@telia.com
origin:         AS1299
mnt-by:         TELIANET-RR
source:         RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.8.13 (WHOIS2)

geo@fermat:~$

If your ISP is not Telia but some other network operator you will likely see different IP ranges used by Akamai, because Akamai places its servers inside carriers' networks and uses addresses from those carriers.

What is important here is that the set of IP addresses they use for their „spider“ activities can change at any time!

One thing is clear: this is a huge network spider spread across more than 70 countries.

Google, whose founders have the same roots as Lewin, is also involved in these USA/Israel government spying activities:
according to the Wikipedia article on Intellipedia, Google servers and software enable the US spy agencies CIA and NGA to integrate social networks into their agents' daily work habits.

Who are their customers? First and foremost multimedia sites (Apple iTunes, Sony), social networks (Facebook, Twitter, LinkedIn etc.), global news providers like the BBC and Yahoo, and governments (US Department of Defense etc.).
But as we saw, small ISPs/hosting providers are also served through them.

What does it mean for you?

Each and every time you connect to your public webmail, pay bills via your Internet bank (!), comment on social networks, or download something (iTunes, BitTorrent files etc.), they want to know about it!

„Big bro“ is really working hard to monitor each and every move you make on Internet.

3. What can be done?

Well, let's see. Linux has a packet filtering and Network Address Translation tool called iptables.

It is a user-space tool that works together with the Linux kernel modules ip_tables and iptable_filter developed by the Netfilter Core Team. Let's use them!

 iptables -A INPUT -s 2.16.0.0/13 -j DROP
 iptables -A INPUT -s 2.23.144.0/20 -j DROP
 iptables -A INPUT -s 23.0.0.0/12 -j DROP
 iptables -A INPUT -s 23.32.0.0/11 -j DROP
 iptables -A INPUT -s 23.64.0.0/14 -j DROP
 iptables -A INPUT -s 60.254.128.0/18 -j DROP
 iptables -A INPUT -s 62.115.0.0/16 -j DROP
 iptables -A INPUT -s 72.246.0.0/15 -j DROP
 iptables -A INPUT -s 80.239.128.0/19 -j DROP
 iptables -A INPUT -s 80.239.160.0/19 -j DROP
 iptables -A INPUT -s 80.239.192.0/19 -j DROP
 iptables -A INPUT -s 80.239.224.0/19 -j DROP
 iptables -A INPUT -s 84.53.168.0/22 -j DROP
 iptables -A INPUT -s 88.221.176.0/21 -j DROP
 iptables -A INPUT -s 96.6.0.0/15 -j DROP
 iptables -A INPUT -s 96.16.0.0/15 -j DROP
 iptables -A INPUT -s 217.208.0.0/13 -j DROP
 iptables -A INPUT -s 74.125.0.0/16 -j DROP
 iptables -A OUTPUT -d 74.125.0.0/16 -j DROP
 iptables -A INPUT -s 173.194.0.0/16 -j DROP
 iptables -A OUTPUT -d 173.194.0.0/16 -j DROP
 iptables -A INPUT -s 209.85.128.0/17 -j DROP
 iptables -A OUTPUT -d 209.85.128.0/17 -j DROP
 iptables -A INPUT -s 136.32.0.0/11 -j DROP
 iptables -A INPUT -s 104.64.0.0/10 -j DROP
 # iptables-save alone only prints the ruleset; redirect it to keep a copy
 iptables-save > /etc/iptables.rules
 iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  2.16.0.0/13          anywhere
DROP       all  --  2.23.144.0/20        anywhere
DROP       all  --  a23-0-0-0.deploy.akamaitechnologies.com/12  anywhere
DROP       all  --  a23-32-0-0.deploy.akamaitechnologies.com/11  anywhere
DROP       all  --  a23-64-0-0.deploy.akamaitechnologies.com/14  anywhere
DROP       all  --  62.115.0.0/16        anywhere
DROP       all  --  a72-246-0-0.deploy.akamaitechnologies.com/15  anywhere
DROP       all  --  80.239.128.0/19      anywhere
DROP       all  --  80.239.160.0/19      anywhere
DROP       all  --  80.239.192.0/19      anywhere
DROP       all  --  80-239-224-0.customer.teliacarrier.com/19  anywhere
DROP       all  --  84.53.168.0/22       anywhere
DROP       all  --  a88-221-176-0.deploy.akamaitechnologies.com/21  anywhere
DROP       all  --  a96-6-0-0.deploy.akamaitechnologies.com/15  anywhere
DROP       all  --  a96-16-0-0.deploy.akamaitechnologies.com/15  anywhere
DROP       all  --  217.208.0.0/13       anywhere
DROP       all  --  any-in-0000.1e100.net/16  anywhere
DROP       all  --  173.194.0.0/16       anywhere
DROP       all  --  209.85.128.0/17      anywhere
DROP       all  --  a104-64-0-0.deploy.static.akamaitechnologies.com/10  anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             any-in-0000.1e100.net/16
DROP       all  --  anywhere             173.194.0.0/16
DROP       all  --  anywhere             209.85.128.0/17
#

Essentially I appended (-A) new rules which tell the kernel's packet filter to drop (-j DROP) all packets whose source address (-s) falls in the given CIDR range (e.g. 96.16.0.0/15). You need to be root (#) on the machine to do that. Two caveats. First, the INPUT chain in the listing has policy DROP; a chain like that also needs a rule accepting replies to connections you opened yourself („iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT“, appended after the DROP rules), otherwise nothing comes in at all. Second, 62.115.0.0/16, 217.208.0.0/13 and the 80.239.x.0/19 ranges are carrier aggregates (the whois output above shows 80.239.160.0/19 as Telia's own route), so those rules block far more than Akamai. Use „iptables -L -n“ to list the rules without the reverse DNS lookups, which are slow and which turned several entries above into host names.

Why do I need two rules (INPUT and OUTPUT chains) in the case of Google (74.125.0.0/16, 173.194.0.0/16 and 209.85.128.0/17)?

Very good question!

Android software is designed in such a way that when you stop a service using „Manage applications“ or „Running services“ it only stops the corresponding Java application (Activity), but the Linux process is still running!
The only reliable way to remove an application is by „rooting“ the device.

The Calendar application (com.htc.bgp), Facebook and „Google Services“ are prime examples: you stop Calendar as well as „Calendar Storage“ and „Calendar Widget“, clear all their data, and they disappear from „Running applications“. Then you start your browser (either on the droid device or on a Linux notebook using the droid as a modem) and after a second or two you see them appear again among „Running services“!
More on why Android Calendar connects to Google here.

So if you suspect that there is a Google device or Akamai „spider-ware“ on your network behind an iptables firewall, add a matching OUTPUT rule for EVERY INPUT rule so that the box cannot send packets to their addresses. Mind the direction: an OUTPUT rule must match on the destination (-d), because the source address of a packet leaving this box is always its own; a rule like „-A OUTPUT -s 74.125.0.0/16“ never matches anything. And OUTPUT only covers packets generated by the firewall host itself; traffic from other devices that is routed through the box (a tethered phone, other machines on the LAN) passes the FORWARD chain, so it needs „-A FORWARD -d … -j DROP“ as well.

To avoid retyping all those rules after each reboot, save them with „iptables-save > /etc/iptables.rules“ and restore them when the network comes up, e.g. with a „pre-up iptables-restore < /etc/iptables.rules“ line under the interface stanza in /etc/network/interfaces on Debian (and derivatives like Mint, Xandros etc.). Appending the commands (without the „iptables -L“) to /etc/init.d/networking right before the „exit 0“ line also works, and you will see them run during boot, but that script belongs to the package and an upgrade may ask to replace it.
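The rule list above is typed by hand and is easy to get wrong in the direction of the OUTPUT rules. As an added example (not the article's own commands), the script below generates the rules with the semantics each chain actually has: source matching on INPUT, destination matching on OUTPUT and FORWARD (for devices routed through the box), a reset-based REJECT so the browser fails fast instead of waiting out SYN_SENT, and the conntrack rule needed when the INPUT policy is DROP. The block list is the article's Akamai/Google ranges and the save path /etc/iptables.rules is this example's own choice; the script only prints the commands, so you can review them before piping the output into „sudo sh“.

```shell
#!/bin/sh
# Added example, not the article's own commands: generate the iptables rules
# with the direction semantics each chain really uses. Nothing is applied
# when this script runs; it only prints the commands.
#   INPUT   = packets arriving at this host          -> match the source (-s)
#   OUTPUT  = packets this host itself generates     -> match the destination (-d)
#   FORWARD = packets routed through this host for
#             other devices (tethered phone, LAN)    -> match the destination (-d)
# Assumptions: the block list is the article's Akamai/Google ranges; the
# persistence path /etc/iptables.rules is this example's choice.

BLOCKED='2.16.0.0/13 2.23.144.0/20 23.32.0.0/11 80.239.224.0/19 173.194.0.0/16'

gen_rules() {
    # gen_rules CIDR... -> prints the iptables commands for those ranges.
    echo '# Loopback first, then the block list, so replies from blocked'
    echo '# ranges are dropped even if a connection somehow got established.'
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    for cidr in "$@"; do
        # Unsolicited inbound packets from the range.
        echo "iptables -A INPUT -s $cidr -j DROP"
        # Our own SYNs: answer Firefox with a reset so it fails immediately
        # instead of sitting in SYN_SENT until the connect timeout expires.
        echo "iptables -A OUTPUT -d $cidr -p tcp -j REJECT --reject-with tcp-reset"
        # Everything else we might send there (UDP, ICMP).
        echo "iptables -A OUTPUT -d $cidr -j DROP"
        # Devices behind this box never traverse OUTPUT, only FORWARD.
        echo "iptables -A FORWARD -d $cidr -j DROP"
    done
    # With a DROP policy on INPUT nothing would come back in without this.
    echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # iptables-save alone only prints the ruleset; redirect it to keep it.
    echo 'iptables-save > /etc/iptables.rules'
}

count_rules() {
    # count_rules CHAIN CIDR... -> how many generated commands touch CHAIN,
    # a quick self-check before piping the output into "sudo sh".
    chain=$1; shift
    gen_rules "$@" | grep -c -e "^iptables -A $chain "
}

# Live use:        gen_rules $BLOCKED | sudo sh
# Restore at boot: add "pre-up iptables-restore < /etc/iptables.rules"
#                  under the interface stanza in /etc/network/interfaces.
gen_rules $BLOCKED
```

If your chains already contain an early ACCEPT-all rule, append (-A) will put these after it and they will never match; use -I to insert them at the top instead.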

Ubuntu (a popular Debian derivative) has a front-end of its own, ufw (Uncomplicated FireWall), which is also easy to use.

FreeBSD (and Mac OS X, which shares its BSD heritage) has a similar tool called ipfw (ipfirewall); newer Mac OS X releases have replaced it with pf.

To monitor your connections on Debian you have to install the net-tools package; netstat is part of it and can be used from a regular user account (the PID/Program name column is only filled in for your own processes unless you run it as root, which is why the exim4 entry shows „-“ in the later listings).

4. After blocking Akamai and Google:

Let’s see what results we get after adding new rules in iptables.

Connecting to LinkedIn:

$ netstat -tapecn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      0          6064        -               
tcp        0      0 192.168.42.116:48645    199.7.50.72:80          TIME_WAIT   0          0           -               
tcp        0      1 192.168.42.116:40927    2.23.145.244:443        SYN_SENT    1000       153731      2522/firefox    
tcp        0      1 192.168.42.116:40928    2.23.145.244:443        SYN_SENT    1000       153799      2522/firefox    
tcp        0      1 192.168.42.116:40926    2.23.145.244:443        SYN_SENT    1000       153730      2522/firefox    
tcp        0      1 192.168.42.116:40924    2.23.145.244:443        SYN_SENT    1000       153726      2522/firefox    
tcp        0      1 192.168.42.116:40925    2.23.145.244:443        SYN_SENT    1000       153727      2522/firefox    
tcp        0      1 192.168.42.116:40932    2.23.145.244:443        SYN_SENT    1000       153803      2522/firefox    
tcp        0      1 192.168.42.116:40931    2.23.145.244:443        SYN_SENT    1000       153802      2522/firefox    
tcp        0      1 192.168.42.116:40923    2.23.145.244:443        SYN_SENT    1000       153725      2522/firefox    
tcp        0      1 192.168.42.116:40930    2.23.145.244:443        SYN_SENT    1000       153801      2522/firefox    
tcp        0      1 192.168.42.116:40929    2.23.145.244:443        SYN_SENT    1000       153800      2522/firefox    
tcp        0      0 192.168.42.116:39822    216.52.242.80:443       ESTABLISHED 1000       151724      2522/firefox    
^C
$ 

Connecting to Yahoo mail:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      0          6064        -               
tcp      907      0 192.168.42.116:35069    217.12.8.31:443         ESTABLISHED 1000       66935       2328/firefox    
tcp        0      1 192.168.42.116:15352    2.23.141.227:443        SYN_SENT    1000       66836       2328/firefox    
tcp        0      1 192.168.42.116:15356    2.23.141.227:443        SYN_SENT    1000       66840       2328/firefox    
tcp        0      1 192.168.42.116:15362    2.23.141.227:443        SYN_SENT    1000       66934       2328/firefox    
tcp        0      1 192.168.42.116:15358    2.23.141.227:443        SYN_SENT    1000       66930       2328/firefox    
tcp        0      1 192.168.42.116:15354    2.23.141.227:443        SYN_SENT    1000       66838       2328/firefox    
tcp        0      1 192.168.42.116:15360    2.23.141.227:443        SYN_SENT    1000       66932       2328/firefox    
tcp        0      1 192.168.42.116:15361    2.23.141.227:443        SYN_SENT    1000       66933       2328/firefox    
tcp        0      1 192.168.42.116:15355    2.23.141.227:443        SYN_SENT    1000       66839       2328/firefox    
tcp        0      1 192.168.42.116:15353    2.23.141.227:443        SYN_SENT    1000       66837       2328/firefox    
tcp        0      1 192.168.42.116:15359    2.23.141.227:443        SYN_SENT    1000       66931       2328/firefox    
^C
$

Connecting to ISP (Surftown):

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      0          6064        -               
tcp        0      1 192.168.42.116:57757    2.23.141.227:443        SYN_SENT    1000       143480      2522/firefox    
tcp        0      0 192.168.42.116:2860     212.97.132.34:443       ESTABLISHED 1000       142695      2522/firefox    
tcp        0      0 192.168.42.116:36685    213.150.61.61:443       ESTABLISHED 1000       143452      2522/firefox    
tcp      145      0 192.168.42.116:2865     212.97.132.34:443       ESTABLISHED 1000       143479      2522/firefox    
tcp        0      1 192.168.42.116:57754    2.23.141.227:443        SYN_SENT    1000       143453      2522/firefox    
tcp        0      0 192.168.42.116:2861     212.97.132.34:443       ESTABLISHED 1000       143397      2522/firefox    
tcp     3292      0 192.168.42.116:36687    213.150.61.61:443       ESTABLISHED 1000       143478      2522/firefox    
^C
geo@fermat:~$

SYN_SENT means that the first step of establishing the TCP connection, sending the SYN packet, has been done, but the handshake never completes: the SYN leaves the box (the Send-Q of 1 is that unacknowledged SYN), and the SYN-ACK that Akamai sends back hits the INPUT rule and is dropped, so the socket sits in SYN_SENT until Firefox's connect timeout expires. Note that with INPUT rules alone Akamai still sees the SYN; an OUTPUT rule with „-d“ stops even that, and using „-j REJECT --reject-with tcp-reset“ there instead of DROP makes the browser give up immediately instead of waiting out the timeout on every blocked sub-resource.

Now you can block any unwanted visitor (like Facebook) from reaching your box, and your box from reaching them!
To (temporarily) remove an existing rule from iptables simply replace -A with -D (delete) in the same command.

But first and foremost you have to monitor your connections using netstat, or a more capable packet capture tool like tcpdump, because they have a huge pool of IP addresses and can switch between them at any time!
