
Someone recently contacted me concerned their Google account might be compromised. Although they live in California and have never traveled to Europe, Google will redirect them to European versions of Google, usually the Czech version. The individual informed me that after signing into a Google service from her home, Google notified her via email that a new sign-in was detected coming from Prague.

When responding to concerns of a breach, I begin by reviewing the evidence firsthand. A trained eye can spot what the average user would pass over. In her web browser, I opened maps.google.com and was met by a map of the Czech Republic. Sure enough, Google had redirected the browser to https://google.cz/maps. What was puzzling was that the “Locate Me” button on Maps did find her computer where it should be: in California.

To see if there were questionable sign-ins or activity on the Google account, I pulled up Google’s account and device activity history. The first place to check is the “Details” link at the bottom of the Gmail page. The second is in Google’s Account page. The Prague IP activity was there, along with a second entry for a California IP address.

Now that the symptom was confirmed, I ran a traceroute from a remote computer. Sure enough the DNS names of the hops came back as eventually hitting IP addresses in California, not Europe (see image below). A traceroute initiated at the concerned computer also confirmed the route didn’t leave the state. The traceroute indicated the domain name of my friend’s IP address was a subdomain of 10gbps.io, and that it ran through Cogent Communications’ infrastructure.

Now it’s time to look up this IP address in a database or tracking tool. I looked up both the California and the Czech IP addresses in http://www.ip-tracker.org. The tool said the California IP address’s ISP was AT&T, which is my friend’s ISP. The Czech IP is owned by the ISP and organization DataPeer s.r.o, with an AS number of AS60068 Datacamp Limited.

A quick Google search showed DataPeer s.r.o is a member of RIPE NCC, which is a regional internet registry organization. In other words, RIPE NCC helps manage internet IP addresses for Europe and West Asia. On the RIPE NCC membership profile of DataPeer s.r.o, an address in Prague is listed, along with the Areas Serviced showing as the Czech Republic. Another search result brought up https://bgpview.io/prefix/185.180.12.0/22. This service gives organization details for owners of IP address subnets. In this case, DataPeer s.r.o was allocated 185.180.12.0/22, which was then subdivided into two /24s and a /23. One of those /24s has the description and name “LAX-10g-SUBNET”. Drilling down into the BGP routing information on bgpview.io, Cogent Communications manages that subnet in the United States. Given that the subnet names and router names contain “LAX”, it is safe to assume the address range services California.

Google must use organizations’ IP address registration information to figure out what content to serve an individual. In my friend’s case, Google probably sees that the IP address is supposedly being serviced in the Czech Republic, and so serves Czech content.
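The mismatch described above can be checked mechanically: find the most specific allocation covering an address, then compare the registry country with the location hint embedded in the sub-allocation’s name. The following is an added example, not code from the original post or from bgpview.io; the allocation table is constructed from the records the post walks through (the 185.180.12.0/22 parent and the “LAX-10g-SUBNET” name), and which /24 carries that name, the other children’s descriptions, and the sample address are all assumptions.

```python
import ipaddress
import re

# Constructed allocation table modelled on the bgpview.io records the post
# walks through. Only the /22 parent and the "LAX-10g-SUBNET" name come from
# the post; which /24 carries that name is not stated, so 185.180.12.0/24 is
# assumed here, and the remaining children are placeholders.
ALLOCATIONS = [
    {"prefix": "185.180.12.0/22", "rir_country": "CZ", "description": "DataPeer s.r.o parent allocation"},
    {"prefix": "185.180.12.0/24", "rir_country": "CZ", "description": "LAX-10g-SUBNET"},       # assumed /24
    {"prefix": "185.180.13.0/24", "rir_country": "CZ", "description": "PLACEHOLDER-SUBNET-B"},  # placeholder
    {"prefix": "185.180.14.0/23", "rir_country": "CZ", "description": "PLACEHOLDER-SUBNET-C"},  # placeholder
]

# Airport codes that commonly appear in router and subnet names, mapped to the
# country they imply. A small hand-built table for this example.
AIRPORT_COUNTRY = {"LAX": "US", "SJC": "US", "FRA": "DE", "PRG": "CZ", "AMS": "NL"}


def longest_match(ip: str):
    """Return the most specific allocation record covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for rec in ALLOCATIONS:
        net = ipaddress.ip_network(rec["prefix"])
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, rec)
    return best[1] if best else None


def hinted_country(description: str):
    """Pull a location hint (an airport-code token) out of a subnet or router name."""
    for token in re.split(r"[^A-Za-z0-9]+", description):
        if token.upper() in AIRPORT_COUNTRY:
            return AIRPORT_COUNTRY[token.upper()]
    return None


def geo_conflict(ip: str):
    """Return (registry_country, hinted_country) when the registry country of the
    covering allocation disagrees with the location hint in its name, else None."""
    rec = longest_match(ip)
    if rec is None:
        return None
    hint = hinted_country(rec["description"])
    if hint and hint != rec["rir_country"]:
        return rec["rir_country"], hint
    return None


if __name__ == "__main__":
    # Constructed sample address inside the assumed LAX /24.
    print(geo_conflict("185.180.12.10"))  # ('CZ', 'US')
```

A result of ('CZ', 'US') is exactly the situation in the post: a geolocation service keyed on the registry record places the user in the Czech Republic while the routing data points to Los Angeles.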

Most of this mystery is solved, but I have one other question. Why is my friend getting a Cogent Communications IP address when her ISP is AT&T? Cogent Communications tells us why right on their website in a news release. AT&T and Cogent Communications entered into an interconnection agreement. 10gbps.io and Level3 appear to have similar agreements. Although the details aren’t documented here, it looks like this would include sharing infrastructure and assets such as IP addresses.

To the relief of my friend, neither the computer nor the Google account is compromised; it is just that Google serves her content from the wrong country. It’s a flaw somewhere in Google’s algorithm for deciding which content to serve in an increasingly complex internet.
