I received a tweet from a friend yesterday morning, that showed a screenshot of the
whatismyip.com website. My friend was alarmed that instead the website showing him his public IP address, it was showing another IP address in Netherlands.
What are these websites?
These websites provide a simple service that shows the visitor his own public IP address. If you check the network settings on your computer or mobile device it will show you the local IP address assigned to your device by your router, not your public IP address.
People usually check websites like monip.org, ifconfig.co, whatismyip.com & many others to see their public IP address.
You could also log into your ISP's router to check your public IP address.
Why is whatismyip.com showing Netherlands instead of Mauritius?
My first reaction was that it must be probably an issue with whatismyip.com.
I replied a few comments on Facebook yesterday & posted on my wall that I will analyze this later.
whatismyip.com from an Emtel or My.T Internet connection, one will see the above IP address, i.e
18.104.22.168 instead of the router's public IP address. This behaviour is not seen when trying another similar service such as monip.org or ifconfig.co.
Find the route
I used a utility in Linux called
traceroute to check which network path the request takes before reaching the
traceroute to whatismyip.com (22.214.171.124), 30 hops max, 60 byte packets 1 _gateway (192.168.100.1) 2.654 ms 3.785 ms 4.420 ms 2 126.96.36.199 (188.8.131.52) 7.296 ms 9.084 ms 10.440 ms 3 184.108.40.206 (220.127.116.11) 10.400 ms 10.333 ms 10.290 ms 4 18.104.22.168 (22.214.171.124) 236.662 ms 236.611 ms 236.544 ms 5 mauritiusams3.netsweeper.com (126.96.36.199) 238.951 ms 238.896 ms 238.851 ms 6 * * * 7 10.82.69.47 (10.82.69.47) 227.325 ms 10.82.69.39 (10.82.69.39) 222.554 ms 225.284 ms 8 188.8.131.52 (184.108.40.206) 225.229 ms 225.636 ms 227.063 ms 9 220.127.116.11 (18.104.22.168) 225.108 ms 22.214.171.124 (126.96.36.199) 276.327 ms 188.8.131.52 (184.108.40.206) 276.249 ms 10 220.127.116.11 (18.104.22.168) 276.206 ms 22.214.171.124 (126.96.36.199) 275.141 ms 188.8.131.52 (184.108.40.206) 275.044 ms 11 * * * 12 220.127.116.11 (18.104.22.168) 255.166 ms 255.124 ms 254.842 ms
The above result indicates that after leaving the Mauritius Telecom network at hop no. 4, it heads to
22.214.171.124 and there instead of a network routing device, there is a proxy server by Netsweeper which then forwards the request further ahead until it reaches its destination at
The behaviour is not observed when accessing other websites, e.g facebook.com.
Who can shed light on this behaviour?
I asked the question on the Mauritius Network Operators Group (MUNOG), which is a group comprising of Computer Network Professionals from various organizations (ISPs, Network Operators, Regional Internet Registries, etc).
I got an answer from someone who works for an ISP who said that Netsweeper is advertising the address
126.96.36.199/32. What's happening here?
Let's see, the domain
whatismyip.com resolves to the below two IP addresses by Cloudflare.
; <<>> DiG 9.16.8-Ubuntu <<>> @188.8.131.52 A whatismyip.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27070 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ;; QUESTION SECTION: ;whatismyip.com. IN A ;; ANSWER SECTION: whatismyip.com. 300 IN A 184.108.40.206 whatismyip.com. 300 IN A 220.127.116.11 ;; Query time: 11 msec ;; SERVER: 18.104.22.168#53(22.214.171.124) ;; WHEN: Mon May 03 17:59:29 +04 2021 ;; MSG SIZE rcvd: 75
However, when tracing the network path to either
126.96.36.199 the request is being sent to
You will note earlier when writing the Cloudflare IP address I specified
/32 which indicates that specific IP address instead of a block of IP addresses.
One more thing that I learned in the Network Operators Group is that the Internet Service Providers do not accept
/32 addresses from their peers but only a minimum of
/24 which represents 256 IP addresses. Then, how come a single IP address of another organization is being advertised with a different routing info?
ICTA enters the scene
Indeed, when Network Operators peer among them they accept only the minimum of
/24 addresses. The CSA filter of the ICT Authority uses the Border Gateway Protocol, the same that Network Operators use to peer with each other and they advertise their networks.
However, the difference here is that the CSA filter advertises
/32 i.e individual IP addresses with further routing information.
In Mauritius, it seems that only ICTA's CSA filter does so and the Internet Service Providers accept it.
Therefore, the conclusion (so far) is that the CSA filter managed by the ICT Authority is telling the Internet Service Providers in Mauritius that the request to
whatismyip.com should be routed to
188.8.131.52 (which hosts a proxy server by Netsweeper).
Netclean or Netsweeper
ICTA implemented Netclean Whitebox solution in 2011 which was an on-premise solution hosted at ICTA itself. In 2014, it was upgraded to Netclean Cloud Solution and hosted in Sweden. In 2017, after an international tender exercise, Netclean was selected again.
There is no mention of changing provider in the annual report of 2018.
There is no information about who won the bid or Netsweeper for that matter on ICTA's website. However, while replying to a question on CSA filter in the National Assembly on 17 November 2020, the Prime Minister mentioned that the CSA filtering system is currently being provided by a Canadian-based company, Netsweeper Ltd. Refer to page 32 of Hansard No. 34 of 2020.
Based on the Prime Minister's answer, we can assume that the tender was awarded to Netsweeper instead of Netclean.
I did not contact ICTA for a response on this issue because they have not publicly informed Internet users in Mauritius that they have changed the configuration of the CSA filter, whether they changed the software itself, what new features the software provides, what are the data collected on Internet users now, etc. ICTA does not mention Netsweeper in its Consultation Paper either.
I sent an email to Netsweeper support asking them why the request to
whatismyip.com from Mauritius has been proxied via the Digital Ocean server in Netherlands. I'll update this blog post when I have more information.
- I got a reply from Netsweeper support that they're looking into this.
- Issue has been fixed and request to
whatismyip.comis no more being proxied to Amsterdam, Netherlands.
- Will update if I obtain the root cause from Netsweeper.
- ICTA issued a communique with a reply from Netsweeper stating that the incident involving
whatismyip.comwas due to the same IP addressed being on the Internet Watch Foundation's list.
Thanks to subscribers of the Mauritius Internet Users Group & the Mauritius Network Operators Group to provide information that helped me understand this "network anomaly" observed by Mauritian Internet users.