ulTRAX'S ARCHIVE

WTV IPS



INTRODUCTION TO IPS

Updated: 9-19-2000. Page design, uninformed speculations, and Entire Site ulTRAX@webtv.net.



IPs & TCP:
PCs and set-top boxes such as Webtv that are hooked to the Internet must speak a common language in order to make contact with network servers. This is accomplished by two inseparable protocols.... the first is TCP, which defines how information is transmitted. The second is the "Internet Protocol" or simply "IP."

There are four sets of IP connections involved in surfing the web. The first two are between you and WTV.

On the Internet each server is assigned a unique numerical address string. The current system allows four binary numbers for the first section of the IP making for 256 possibilities. Thus, no current IP can begin with a number higher than 255.

  • 1: Local Dialup (Client IP) to WTV server.

  • 2: WTV servers (this is a list of over 40 IPs assigned to us each time we log on or reconnect).

    The next set of IPs is between the WTV and the Site you are visiting.

  • 3: A request from a WTV "proxy" server goes out to the site you are visiting. This proxy can change with each fetch.

  • 4: The last IP is the Site IP.

    PCs hooked up to AOL and set-top boxes such as Webtv use proxy-servers. This means that instead of a direct PC/box to server connection, there is an intermediate step. That step is another server provided by the service. This can complicate the communication scheme since there is now an added set of IP links.

    The first is the link between the local dialup and the proxy-server. Since they operate on the open web using standard TCP/IP protocols, both must have separate IP addresses. The POP Dialup provides a Client IP. This is the return address to which the proxy-server sends information. In the case of Webtv, with each logon we are assigned a set of the 37 IPs which can be found on the production version of the Client:ShowServices list. This list is assigned to us in an effort to dynamically balance the load on the proxy-servers... as well as to limit access to WTV IPs that are no longer needed, such as for the initial registration process.

    Each WTV service, be it wtv-home or wtv-customscript, is assigned its own IP and Port. After the :/ is a file name or specific URL.

    It is to these IPs that the local dialup communicates at the instruction of the Client. PC users in chat can access this Client IP.... and it's a simple matter to see what town the local dialup is located in. From the proxy server to the webpage are two additional IPs. The first is the actual, unchanging IP of the Site itself. The second is a variable proxy server IP assigned to the user for that particular session. It is this proxy IP that shows up on Site Trackers that log IP addresses, and it can change just by reloading a page. For an example click here.

    DOMAIN NAME SYSTEM (DNS):
    Technically, only IPs, not domain names, are needed for the Internet to work. But, while DNS is strictly optional, it's certainly a convenience. It is much easier to remember a DNS name like www.pepsi.com than some 10 digit numeric equivalent.

    If there are additional servers linked together in this domain, the DNS system allows them to be named server1.pepsi.com. This also may make for a certain amount of convenience, but it has also allowed for a certain amount of abuse by banner ad networks... a topic left for another time.

    As for the process of converting DNS to IP addresses... this is done by the proxy-server and is completely transparent.

    WEBTV:
    What makes Webtv fascinating is that in its preoccupation to make an idiot-proof box that is as simple to use as a toaster, they have attempted to conceal the complexity of their network and the box itself. We are just supposed to log on and never have to worry about local dial-ups being busy, or slow service from overloaded servers, let alone what an IP or a URL is. Grandma would love it.

    Maybe for simplicity's sake, maybe for security, maybe even just for network flexibility.... WTV has also attempted to conceal information on the box's operation from the users. Part of this is accomplished by the system of WTV "services" mentioned earlier... those wtv-home, wtv-customscript URLs. Part of this attempt to conceal information and limit options is, as has been said, the removal of some WTV services from the Client IP list.

    As was stated elsewhere, there are 37 of these services in regular use and they can easily be found on the Client:ShowServices list.... and when we get a referrer on a Webtv page we get not a traditional DNS/filename, but something like wtv-home:/home or wtv-news:/news?group=alt.blahblah. The entire IP process is itself hidden... even when we direct access a WTV URL (something WTV is constantly trying to prevent) all that ever needed to be used for a URL was the wtv-service:/file URL... never an IP. While we may have known there had to be IPs, just what they were probably would have remained a secret if not for the WTV-TRICKS Breakin in August 98.

    WTV-TRICKS:/TRICKS is a Network Utility site for WTV and its licensees. The Breakin was a severe blow to WNI's network security from which WTV has struggled to recover ever since. It was at TRICKS that we saw, for the first time, the Client:ShowServices IP list. (Note: there are some additional wtv services NOT on the ShowServices list. These are wtv-1800 and wtv-register. Both seem to be used only when the box is first being registered and are not needed for day to day operation. However, under certain circumstances both can be accessed.)

    At this point, as we discovered in August, we could get responses back from these IP:ports... but the response tended to be merely getting kicked back to the login screen. Apparently, the server was not happy with that primitive form of contact. Even if we knew the IP, port and file name of the page we were seeking to direct access... apparently, there are also some account specific IDs that are included in each command to fetch a page from the servers. Otherwise, the server, again, will not respond properly. It is the role of the Client to properly convert the wtv-service into IPs, read the file name from the button which we clicked, and to provide the verification needed to be authenticated by the server. Whether there are additional safeguards is not known at this time. Whether this process could be replicated manually remains speculative. Unlike hacking an entire account.... to use this method would require that each page being hacked would have to be accessed one at a time manually using all the information normally supplied by the Client automatically. Each new page would require a new service, a new port, and new complete file names. Why would this be necessary? Because while the hacked page might be loaded into our box... when we press any button on that page, the command sent would be from our Client, not that of the hacked page. The server might react by sending out a Technical Error, or just kick us back to one of our own pages.

    This is in contrast to what has been done in direct accessing some TRICKS pages. These pages are not tied to our personal accounts and therefore did not need authentication. Because many of these pages could be direct accessed, they could also be validated and their codes copied... hence some of the copies of TRICKS pages you may have seen.

    DNS NAMES OF WTV SERVICES:
    All WTV service IPs have DNS names, which can be easily found by pinging an IP at a site such as the Webtv Beacon.... or doing a reverse IP lookup. At this point we know that WTV has hundreds of servers. ECWFRK2 also created the definitive list of IP/DNS conversions sorted by IP. ECW posted that list and a copy can be found here. On that list you will notice familiar names like Thrashnet and Daily. Keep in mind that as far as the servers go, the IP and port 209.240.200.83:1200 are identical in function to the DNS version: proxy-383.public.rwc.webtv.net:1200
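For a site operator, the rotating proxy IPs, the proxy DNS names and the wtv-service referrers described above all change how tracker logs should be read. The following is an added example, not code from the original page: it collapses hits from WebTV proxy hostnames into one pool and parses wtv-service referrers. The log records, the record layout and every address except 209.240.200.83 / proxy-383.public.rwc.webtv.net are constructed samples.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed tracker records: (client IP, reverse-DNS name, referrer).
# Only the first IP/name pair is from the page; the rest are made-up samples.
SAMPLE_HITS = [
    ("209.240.200.83", "proxy-383.public.rwc.webtv.net", "wtv-home:/home"),
    ("192.0.2.17", "proxy-112.public.rwc.webtv.net", "wtv-news:/news?group=alt.blahblah"),
    ("192.0.2.44", "proxy-205.public.rwc.webtv.net", "wtv-home:/home"),
    ("198.51.100.9", "dialup-9.isp.example", "http://www.pepsi.com/index.html"),
    ("999.1.1.1", "", "wtv-home:/home"),  # malformed address, must be rejected
]

# Assumption: the reverse-DNS name was forward-confirmed before being logged.
PROXY_NAME = re.compile(r"^proxy-\d+\.public\.rwc\.webtv\.net$", re.I)
WTV_URL = re.compile(r"^(wtv-[a-z0-9-]+):/([^?]*)(?:\?(.*))?$", re.I)

def valid_ipv4(text):
    # Four decimal sections, none higher than 255.
    parts = text.split(".")
    return len(parts) == 4 and all(
        p.isascii() and p.isdigit() and len(p) <= 3 and int(p) <= 255 for p in parts)

def parse_wtv_url(url):
    # Split service:/file?query; returns None for ordinary http referrers.
    m = WTV_URL.match(url)
    if not m:
        return None
    service, file_name, query = m.groups()
    return {"service": service.lower(), "file": file_name, "query": parse_qs(query or "")}

def visitor_key(ip, rdns):
    # A proxy IP can change on every fetch, so count the pool, not the IP.
    return "webtv-proxy-pool" if PROXY_NAME.match(rdns) else ip

def summarize(hits):
    visitors, services, rejected = defaultdict(set), defaultdict(int), []
    for ip, rdns, referrer in hits:
        if not valid_ipv4(ip):
            rejected.append(ip)
            continue
        visitors[visitor_key(ip, rdns)].add(ip)
        ref = parse_wtv_url(referrer)
        if ref:
            services[ref["service"]] += 1
    return dict(visitors), dict(services), rejected

if __name__ == "__main__":
    print(summarize(SAMPLE_HITS))
```

Counting by raw IP would report three separate visitors for the three proxy hits; keyed by pool they are one source whose individual users cannot be told apart from the address alone.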

    to be continued...


    HISTORY:
    Up until the Tricks Breakin of August 16, none of us had ever seen the Client:ShowServices IP list. On it were a list of 37 WTV "services" and specific IPs and ports. It was at this point it dawned on some of us that WTV was merely a virtual TCP/IP network.... Everything we accessed was just out there on the web somewhere, made secure by, who knew just what! What I wrote to my friends about differed sharply from what I was willing to post about.

    Saved message From: ulTRAX@webtv.net
    Date: Tue, Aug 18, 1998
    To: XXXXXXX
    Subject: IPs: NEED WILD (but private) SPECULATION

    The Show Service list of IPs is intriguing.... and I have been trying to speculate just how it works. As I said earlier... I used to think that some WTV URLs (like tricks itself) might have been behind a WTV firewall and only accessible to those in the network... This was in part because we could never get a JS location and for a while believed that the local POP dialups were direct lines to WTV. That would have made for a semi-secure network. But it seems that that notion is absurd.... that it would be an inefficient waste of bandwidth NOT to use standard TCP/IP. That then would mean that the various WTV functions would have standard IPs.

    My question is.... can we figure out how to direct these IPs as a way to get around the loss of JS? (hell... there are functions here I have never heard of)

    So.... assuming I try and direct access one of the IPs, say... WTV-cookie or IP 192.216.128.62:1619 (and is IP:port the proper way to address this?)(we need to make contact with some PC hackers).... most likely I will get bounced back to Login.... This reminds me of when I could hack [accounts] and when I tried to change users.... I was bounced back to MY user list... never the victim's. It was as if the head-waiter request went through with my SSID... Maybe, any request [to the server] must have an ID from the account whose Cookie List we are trying to access. If so... how would this be phrased? When we use JS.... we ask for the Cookie "list"... which makes one wonder whether some IPs accept javascript. [uh?]

    Can you all see the potential here...as well as the danger? Need some wild speculation here.... as well as a way to monitor modem traffic to see if our USER ID is transferred with each request we make. Since [WTV] is an open TCP/IP system.... I bet it has to be.