
UC WiFi login at IAD creates Google password alert from Chicago?

Old Jan 5, 2016, 12:37 pm
  #1  
Original Poster
 
Join Date: Dec 1999
Location: NorCal - 1K 2MM
Posts: 2,089
UC WiFi login at IAD creates Google password alert from Chicago?

This question for an FT IT guru who also frequents the UC's. I know the verification protocols have been unstable of late, but today was a new one for me. Logged in to WiFi at IAD UC using M+ number (I'm also a member), and immediately got a Google warning "Someone has your password", telling me a login was blocked from an unrecognized device located in Chicago. The time coincidence of the UC login and the warning makes me reasonably certain that the login was me (although it was with a device I use commonly, so not sure why this was triggered other than unfamiliar IP address), but I'm perplexed by the Chicago location, other than, obviously, it's WHQ. Is it possible that UC logins elsewhere are somehow routed via Chicago at times?
Starman is offline  
Old Jan 5, 2016, 12:43 pm
  #2  
 
Join Date: May 2013
Location: New York
Programs: UA Silver, Marriott LTPP, Hertz Five Star
Posts: 1,079
Originally Posted by Starman
This question for an FT IT guru who also frequents the UC's. I know the verification protocols have been unstable of late, but today was a new one for me. Logged in to WiFi at IAD UC using M+ number (I'm also a member), and immediately got a Google warning "Someone has your password", telling me a login was blocked from an unrecognized device located in Chicago. The time coincidence of the UC login and the warning makes me reasonably certain that the login was me (although it was with a device I use commonly, so not sure why this was triggered other than unfamiliar IP address), but I'm perplexed by the Chicago location, other than, obviously, it's WHQ. Is it possible that UC logins elsewhere are somehow routed via Chicago at times?
I've received that message from Google whilst on a VPN. The location shown for the login is not based on the geographic location of the device but instead where the IP address is registered. Depending on the number of blocks a company has and how they choose to allocate IPs, the geographic location varies.

For my home internet (from a cable company in NY), sometimes I show as a somewhat nearby town, sometimes it shows up as being in Connecticut, etc... this changes about once every one to two years when they change the IP blocks around. For my employer, in the office I'm in right now, the IP addresses are registered to the exact address of the building... so it's absolutely accurate. But I've seen other people on DSL or cable internet where the IP that shows up isn't even from the same state.

If you're curious, the next time you're in a club and logged into wifi, google "what is my IP address", then paste the resulting IP address into ws.arin.net and you can see where the IP block is registered to (physical address).
phltraveler is offline  
Old Jan 5, 2016, 1:33 pm
  #3  
 
Join Date: Apr 2012
Location: DTW/MBS
Programs: UA 1K, HHonors Diamond, Hyatt Globalist, Formerly Starbucks Gold
Posts: 3,525
Don't try connecting to the LH wifi at their lounge in IAD, it will show you in Germany ;-)
BThumme is offline  
Old Jan 5, 2016, 1:33 pm
  #4  
 
Join Date: Jul 2014
Location: North Sentinel Island
Programs: UA Gold, BONVOY TIT
Posts: 777
Or open a command prompt and type ipconfig (if the terminal allows you to do so).
rdurlabhji is offline  
Old Jan 5, 2016, 2:17 pm
  #5  
 
Join Date: Jun 2015
Location: LIM
Programs: United Premier 1K, Hilton Diamond, Bonvoy Gold, AmEx Plat
Posts: 559
It's very very possible that their connection is being routed through Chicago, because WHQ (where I assume they have their IT stuff hosted as well). You can also do a 'traceroute' and find out where your packets are going through to reach a certain website.
joseeantonior is offline  
Old Jan 5, 2016, 2:29 pm
  #6  
 
Join Date: Aug 2012
Location: Charlottesville
Programs: UA Gold, VX Gold, AA PLT, DL Gold, MR Gold, HH Diamond, Hertz 5* Gold
Posts: 469
Originally Posted by joseeantonior
It's very very possible that their connection is being routed through Chicago, because WHQ (where I assume they have their IT stuff hosted as well). You can also do a 'traceroute' and find out where your packets are going through to reach a certain website.
It's possible that they are going through Chicago.

It's likely that running traceroute will fail since competent network admins will have blocked ICMP at the firewall.

I could continue about 802.11 security and Cisco wireless (I'm not sure which wireless products UA is using in the UCs) but I need another glass of wine first.
vandrei is offline  
Old Jan 5, 2016, 2:30 pm
  #7  
 
Join Date: Aug 2012
Location: Charlottesville
Programs: UA Gold, VX Gold, AA PLT, DL Gold, MR Gold, HH Diamond, Hertz 5* Gold
Posts: 469
Originally Posted by BThumme
Don't try connecting to the LH wifi at their lounge in IAD, it will show you in Germany ;-)
I found that out the hard way a few years back when I was still a newbie. I got dinged by security at the company I worked for, since international travel was a no-no without prior authorization.
vandrei is offline  
Old Jan 5, 2016, 3:17 pm
  #8  
 
Join Date: Jul 2007
Location: San Francisco/Sydney
Programs: UA 1K/MM, Hilton Diamond, Marriott Something, IHG Gold, Hertz PC, Avis PC
Posts: 8,157
The responses above are correct regarding the location being a bit of a half-guess based on where the IP address is registered to - but in this case it's a little bit more complex than just that.

As has been discussed at length in other threads on FT, web traffic from the United Club wifi is run through Zscaler's proxy servers in order to block "unwanted" content. Zscaler have nodes in a number of locations, and whilst they do have some near IAD, it's very likely that this traffic was actually being run through their node in Chicago. Thus as far as Google is concerned, the traffic IS actually originating in Chicago - how it gets there is something they can't tell.

As was said above, the Lufthansa lounges have a similar setup, with traffic being tunneled back to Germany. This not only causes your location to be misrepresented, but can also cause things like Google Search to default to returning results in German...
docbert is offline  
Old Jan 5, 2016, 4:01 pm
  #9  
Original Poster
 
Join Date: Dec 1999
Location: NorCal - 1K 2MM
Posts: 2,089
So this is all as I originally surmised, but I'm still a little perplexed as to why I've never had this Google warning before while in any UC.
Starman is offline  
Old Jan 5, 2016, 4:12 pm
  #10  
 
Join Date: Feb 2014
Programs: Amex Plat, Hilton Diamond, SPG Gold, Carlson Gold, CM Presidential / *A Gold, Hertz 5*
Posts: 1,648
www.whatismyipaddress.com to confirm where the IP is located today
pmarrsouth is offline  
Old Jan 5, 2016, 5:23 pm
  #11  
Marriott Contributor Badge
 
Join Date: Apr 2007
Location: USA
Programs: 1K 1MM; Bonvoy Ambassador; Nat'l EE; Hertz PC; Hyatt Globalist
Posts: 2,465
I believe the United club wifi hands out what are called "private" or non globally routable IPs all behind a firewall of theirs and then via an MPLS type connection actually routes all traffic within their Chicago POP and out to the Internet. It's the same idea as when you do a speed test on inflight wifi and it chooses the "closest" server and is 3000 miles away from you. Just the way company does these types of things. Why did you receive the google warning? One hour you were "in" DC or wherever you last connected, the next hour you were "in" Chicago.
nevansm is offline  
Old Jan 5, 2016, 6:28 pm
  #12  
 
Join Date: Jan 2010
Posts: 191
It could be as others have suggested--United backhauling (which seems expensive for internet traffic) to Chicago or it could be a proxy. United sometimes uses zScaler, a cloud based proxy which tunnels traffic through its cloud nodes located around the country/world in various data centers. The proxy happens transparently and a traceroute wouldn't normally indicate it as the traceroute might go directly out the connection whereas HTTP and HTTPS will be transparently routed via ipsec/gre to zScaler.

You can confirm by visiting: http://ip.zscaler.com and it will let you know if it's proxying you and both your proxy and real ip address.
tehiota is offline  
Old Jan 5, 2016, 10:23 pm
  #13  
 
Join Date: Oct 2013
Location: SF Bay Area
Programs: UA Platinum
Posts: 502
Same issue, but I was boarding in PHX and got the alert that I was logging in from Dallas (or Houston, can't remember specifically now), it was the same time as my login to United wifi. I still changed the PW as a precaution.
popoemt is offline  
Old Jan 5, 2016, 10:38 pm
  #14  
A FlyerTalk Posting Legend
 
Join Date: Apr 2004
Location: GVA (Greater Vancouver Area)
Programs: DREAD Gold; UA 1.035MM; Bonvoy Au-197; PCC Elite+; CCC Elite+; MSC C-12; CWC Au-197; WoH Dis
Posts: 52,140
I always use my PNR to log into the United Club network. It's a short-term ID with no personal link.
mahasamatman is offline  
Old Jan 6, 2016, 3:14 am
  #15  
 
Join Date: Jul 2012
Posts: 1,115
Either all traffic is routed through Chicago (my bet, since Google keeps its IP-geo correlations pretty up to date) or it's not routed through Chicago but United or their contractor allocated an IP address that Google still believes is in Chicago. IP-geo correlations change all the time, the databases that try to track this are always lagging behind. But Google also knows to not believe everything ARIN says, Google has their own parallel database which contains "augmentations" to ARIN data.

In any case, it's nothing to worry about and isn't a reason to change your password per se (if the date/time in the google alert matches with the moment you first connected). As to why you didn't get the warning from Google earlier: Google looks at lots of factors to determine if a connection is suspicious. Preset cookies, time of day, time since last connection, your previous locations, browser etc all come into play. Only Google knows what triggered the warning this time, but rest assured there is a logic behind it. I receive these kinds of warnings from Apple all the time, while I receive them from Google only sometimes.

Originally Posted by tehiota
It could be as others have suggested--United backhauling (which seems expensive for internet traffic)
Tunneling isn't that expensive anymore nowadays if you can negotiate good rates for the data volume which isn't that hard due to the competitive market.

Originally Posted by vandrei
It's likely that running traceroute will fail since competent network admins will have blocked ICMP at the firewall.
Not sure if you were being sarcastic, but blocking ICMP breaks internet functionality and hence isn't competent behavior. Try determining acceptable MTU for a tunnel interface if the other party has decided that it doesn't want your ICMP. ICMP is not evil. Yes, I know many "competent" network admins block it because they read some random consumer website which said that it needs to be blocked in your random consumer-grade TP-Link router, and it creates enormous headaches for the real competent network admins when they do that. But I digress, more at Enterprise Networking 101.

Last edited by mozilla; Jan 6, 2016 at 3:39 am
mozilla is offline  
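
Added example, not part of any post in this thread and not Google's actual logic: a simplified "impossible travel" check of the kind posts #11 and #15 describe, showing how a login that leaves through a proxy egress in another city looks to the service, and how a defender can combine that with other signals. The IP prefixes are documentation ranges, and the coordinates, speed threshold, proxy list and function names are all assumptions made for the illustration.

```python
import ipaddress
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed data: documentation prefixes standing in for a lounge's local
# egress and for a filtering proxy's egress node in another city.
GEO_DB = {
    ipaddress.ip_network("192.0.2.0/24"): ("Washington DC area", 38.95, -77.45),
    ipaddress.ip_network("198.51.100.0/24"): ("Chicago", 41.88, -87.63),
}
# Assumption: the defender keeps a list of known shared proxy/VPN egress ranges.
KNOWN_PROXY_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]
MAX_KMH = 900  # roughly airliner speed; anything faster is "impossible travel"

def locate(ip):
    """Return (place, lat, lon) for the prefix holding ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, place in GEO_DB.items():
        if addr in net:
            return place
    return None

def km_between(a, b):
    """Great-circle (haversine) distance between two GEO_DB entries."""
    lat1, lon1, lat2, lon2 = map(radians, (a[1], a[2], b[1], b[2]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def assess(prev, cur, known_device):
    """prev and cur are (timestamp, source_ip); returns (verdict, reason)."""
    p, c = locate(prev[1]), locate(cur[1])
    if p is None or c is None:
        return "review", "no geolocation for a source IP"
    hours = max((cur[0] - prev[0]).total_seconds() / 3600, 1 / 60)
    speed = km_between(p, c) / hours
    if speed <= MAX_KMH:
        return "allow", f"{p[0]} -> {c[0]} at {speed:.0f} km/h is plausible"
    addr = ipaddress.ip_address(cur[1])
    if known_device and any(addr in net for net in KNOWN_PROXY_EGRESS):
        return "allow", f"{c[0]} is a known proxy egress and the device is recognised"
    return "alert", f"{p[0]} -> {c[0]} at {speed:.0f} km/h"

if __name__ == "__main__":
    # Constructed events: a login near IAD, then the same account appearing
    # from the proxy's Chicago egress ten minutes later.
    t0, t1 = datetime(2016, 1, 5, 12, 20), datetime(2016, 1, 5, 12, 30)
    for known in (False, True):
        print(known, assess((t0, "192.0.2.10"), (t1, "198.51.100.7"), known))
```
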

