Articles in this section

See more

Why does it look like my traffic ends up in the US ?

Bo Ståhle
  • Updated
Follow

So this is going to be a bit network technical.

The AS number NORDUNet uses (AS2603) is formally registered with Stockholm as physical address, so a lookup for 109.105.112.235 or 109.105.112.236, like seen on https://db-ip.com/all/109.105.112 will return the registered location of Stockholm instead of the actual physical location of Copenhagen. Traceroute to those IP addresses might give you an indication of that they both are on either site, because it will lead you to the active firewall in front of the Zoom setup. On the "inside" of that firewall we distribute the traffic across multiple sites at different locations in the Greater Copenhagen area.

109.105.102.165 is actually in Stockholm on one of our peering sites (don't even remember which one).

Now what are they tracing - actually:
dig helsinki.zoom.us
... snip ...
helsinki.zoom.us.    300    IN    CNAME    eu01web.zoom.us.
eu01web.zoom.us.    59    IN    A    3.120.121.14

So helsinki.zoom.us is a DNS pointer to eu01web.zoom.us which in turn points to the IP address 3.120.121.14

whois 3.120.121.14

inetnum:      3.0.0.0 - 3.255.255.255
organisation: Administered by ARIN
status:      LEGACY

So that is "Legacy" space in other words IP addresses that where assigned before the invention of the RIR setup (in Europe it is RIPE, in the US it's ARIN).

NetRange:      3.0.0.0 - 3.127.255.255
CIDR:          3.0.0.0/9
NetName:        AT-88-Z
NetHandle:      NET-3-0-0-0-1
Parent:        NET3 (NET-3-0-0-0-0)
NetType:        Direct Allocation
OriginAS:
Organization:  Amazon Technologies Inc. (AT-88-Z)

So this is Amazon space.

Now the next bit requires insight into how Zoom is set up.
They use Amazon for a lot of things and they have some of their own as well.

One of the things they use to facilitate load on the website side of things is Cloudfront, now Cloudfront is an AWS based website caching service (a CDN).
Hence the US addresses. Where they actually are located that is a different question and very hard for anyone not working in the Amazon Networking department
to say anything real about.

I happen to know that at least part of 3.0.0.0/12 is assigned to AWS in Frankfurt, but I don't if and when it changes. There could be subnets in the range assigned somewhere else in the world. And the internal workings on how Amazon AWS routes their traffic is kinda a dark spot. The people who know don't share.

Asking Zoom wont produce any usable result. They use Cloudfront, it works. The Cloudfront addresspoint they use for their Europe Cluster is eu01web.zoom.us.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introduction.html

Their main zoom.us site is also Cloudfront, just located in NYC. Now that site is somewhat bigger and handles the load of most of the world. That in 
Cloudfront language basically means more than one server and thus more IP addresses is covering zoom.us.

The Geo location Databases use different ways of determining where an IP address is physically located. For instance NORDUnets IPv6 range where in Norway
according to Google, until very recently, because Googles Geo location uses the AS numbers first discovery seen from Google Servers and lock the location.
We lend out our IPv6 addresses for a test in Norway before we started using them our selves, very long time ago.

Some are based on actual knowledge, some on inputs from phones with GPS. Some are based on Wifi location. None of them are accurate or real in any form.
It might give you an indication.
https://www.iplocation.net/ and punch in 109.105.112.236 and you get:


Hint: The top one is closest, but still off by 20km ;-)

Interestingly I see some of the listed adresses that are US registered when I trace, from the NORDUnet Zoom servers.

3.120.121.14
 1?: [LOCALHOST]                      pmtu 1500
 1:  dk-prod-fw.nordu.net                                  1.147ms asymm  2
 1:  dk-prod-fw.nordu.net                                  1.233ms asymm  2
 2:  dk-bal-sw-a01.nordu.net                              0.739ms
 3:  dk-uni.nordu.net                                      1.763ms asymm  4
 4:  dk-bal.nordu.net                                      1.726ms asymm  5
 5:  no reply
 6:  52.93.139.100                                        23.608ms asymm 13
 7:  52.93.139.113                                        10.257ms asymm 12
 8:  no reply
 9:  52.93.128.241                                        24.262ms asymm 12
10:  no reply
11:  no reply
12:  no reply
13:  54.239.107.130                                      22.328ms asymm 17
14:  52.93.111.184                                        19.697ms asymm 15
15:  52.93.111.191                                        16.208ms asymm 12
16:  54.239.107.71                                        15.064ms asymm 10
17:  52.93.23.116                                        16.234ms asymm  9
18:  no reply
19:  no reply
20:  no reply
21:  no reply
22:  no reply
23:  no reply
24:  no reply
25:  no reply
26:  no reply
27:  no reply
28:  no reply
29:  no reply
30:  no reply

Note the time difference from Ballerup to Washington and back vs Ballerup to Frankfurt.
52.93.111.184 Washington - 19.697ms (I think we're a lot faster than lightspeed on this one).
54.239.107.130 Frankfurt - 22.328ms

From a trace to a server actually in the US, this is in Chicargo, IL
ae-12.r08.chcgil09.us.bb.gin.ntt.net                122.642ms

Or tracing zoom.us, New York Internet Exchange (again from Ballerup Zoom server)
nyiix-peering.amazon.com                            100.074ms

So roundtrip time can give you an indication of range (when everything is running smoothly).
If you're in Europe and the roundtrip time is below 100ms, you're not hitting US servers.

Geolocation is fun to play with, not usable for actually saying much about where things are physically located.

Hope it helps.

Regards,
Bo Ståhle
Media Services Engineer
NORDUnet A/S

Related articles

Comments

0 comments

Article is closed for comments.