Update Nov. 10: The mystery has been solved. Sprint’s borrowing DoD IP addresses, most likely without DOD’s knowledge. It appears to be entirely harmless.
A few of my friends have weighed in with their theories as to why I was seeing my phone traffic coming from a DoD network. Many of these theories point out how the DoD is the owner of vast stretches of IP address space, many of which aren’t advertised as public routes. Some organizations treat these addresses as non-routable addresses, making it appear traffic originates from the DoD. One blogger discovered the IPs of the UK Ministry of Defence being used similarly by T-Mobile.
Here’s why I don’t think this applies to my situation. If my phone were being masked behind a non-routeable IP, why would my phone traffic be routed through a DoD address when moments later my phone’s music player makes its request from my phone’s public IP, 67.88.x.x? I would think that both of these kinds of traffic would originate from the same IP address, either public or non-public – but that’s not what’s happening. The SIP traffic is being treated differently from the other traffic.
Plus, the traffic is following this path:
Phone (67.88.x.x) -> Sprint’s 3G network -> DoD/NSA -> RoadRunner network -> my firewall -> my home server
I’m no router guru but I can’t figure out how RoadRunner’s routers would accept traffic from an address not publicly advertised. Why wouldn’t the routers drop these packets?
One commenter opined that Deep Packet Inspection (DPI) is being used. I think that’s a good theory. The SIP packets that are being sent from my phone’s SIP client (SIPdroid) to my phone server are written to register to the DoD IP. A typical, dumb router doesn’t get that in-depth with packets. Either the phone is sending them to the DoD, or perhaps the routers on Sprint’s network are doing it.
Now, let’s say I wanted to do some surreptitious snooping on SIP packets (or other traffic). I could put something into the phone’s firmware or apps to redirect my traffic, but that’s bound to get discovered by someone sooner or later. Enough hackers are reverse-engineering and/or jailbreaking phones that a trick like that would sure to be discovered. If I wanted to best cover my snooping tracks, I would do it at the router level or beyond. It would be something that I could control at the flip of a switch, with an NDA or hefty jail time keeping it secret.
Oh, and an nmap scan of the IP in question does seem to indicate something’s there:
root@maestro:# nmap -sT -P0 28.191.58.169
Starting Nmap 5.21 ( http://nmap.org ) at 2011-11-08 17:38 EST
Nmap scan report for 28.191.58.169
Host is up.
All 1000 scanned ports on 28.191.58.169 are filtered
So there you go.
Update Nov. 10: The mystery has been solved. Sprint’s borrowing DoD IP addresses, most likely without DOD’s knowledge. It appears to be entirely harmless.