Reverse VPN Sharding

Observations on obfuscated web server access patterns.

by Andrew G. Watters, Esq.

This was a random discovery that occurred when I was transferring documents to a government agency in one of my legal cases. This particular agency appears to have a contract with Microsoft to run their web browsing through a Microsoft-provided VPN in order to conceal the underlying IP addresses of the agency. That could have a number of benefits, such as not tipping off defendants that they are under investigation, or otherwise.

Consider the following web server log entries:

40.94.27.72 - - [19/Aug/2022:11:46:56 -0700] "GET / HTTP/1.1" 200 21886 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
40.94.27.6 - - [19/Aug/2022:11:46:57 -0700] "GET /assets/css/main.css HTTP/1.1" 200 76391 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
40.94.27.58 - - [19/Aug/2022:11:46:57 -0700] "GET /andrew-g-watters-lawyer-800x1200.jpg HTTP/1.1" 200 200123 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
40.94.27.6 - - [19/Aug/2022:11:46:57 -0700] "GET /assets/js/jquery.min.js HTTP/1.1" 200 89501 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
40.94.27.58 - - [19/Aug/2022:11:46:57 -0700] "GET /assets/css/fontawesome-all.min.css HTTP/1.1" 200 59401 "https://www.andrewwatters.com/assets/css/main.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
40.94.27.58 - - [19/Aug/2022:11:46:57 -0700] "GET /assets/js/jquery.scrollex.min.js HTTP/1.1" 200 2257 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
40.94.27.58 - - [19/Aug/2022:11:46:57 -0700] "GET /assets/js/browser.min.js HTTP/1.1" 200 2051 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
40.94.27.58 - - [19/Aug/2022:11:46:57 -0700] "GET /assets/js/breakpoints.min.js HTTP/1.1" 200 2439 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
40.94.27.58 - - [19/Aug/2022:11:46:57 -0700] "GET /assets/js/util.js HTTP/1.1" 200 12433 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
40.94.27.58 - - [19/Aug/2022:11:46:57 -0700] "GET /assets/js/main.js HTTP/1.1" 200 2705 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
40.94.27.58 - - [19/Aug/2022:11:46:57 -0700] "GET /images/camera.jpg HTTP/1.1" 200 290848 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
40.94.27.58 - - [19/Aug/2022:11:46:57 -0700] "GET /images/Creative_Cloud.svg HTTP/1.1" 200 2646 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
40.94.27.58 - - [19/Aug/2022:11:46:57 -0700] "GET /images/IBM_logo.svg HTTP/1.1" 200 705 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
40.94.27.58 - - [19/Aug/2022:11:46:57 -0700] "GET /images/KSC.jpg HTTP/1.1" 200 14197 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
40.94.27.6 - - [19/Aug/2022:11:46:57 -0700] "GET /images/intel.png HTTP/1.1" 200 108172 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
40.94.27.82 - - [19/Aug/2022:11:46:57 -0700] "GET /images/exos.png HTTP/1.1" 200 50272 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
40.94.27.58 - - [19/Aug/2022:11:46:57 -0700] "GET /images/Nvidia_logo.svg HTTP/1.1" 200 3307 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
40.94.27.58 - - [19/Aug/2022:11:46:57 -0700] "GET /images/RHEL.svg HTTP/1.1" 200 5713 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
40.94.27.6 - - [19/Aug/2022:11:46:57 -0700] "GET /images/pitbull.png HTTP/1.1" 200 17751 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
40.94.27.80 - - [19/Aug/2022:11:46:57 -0700] "GET /images/CodeWeavers-logo1.png HTTP/1.1" 200 23918 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
40.94.27.76 - - [19/Aug/2022:11:46:57 -0700] "GET /images/Mathematica_Logo.svg HTTP/1.1" 200 3457 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
40.94.27.36 - - [19/Aug/2022:11:46:57 -0700] "GET /images/collis.jpg HTTP/1.1" 200 44933 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
40.94.27.58 - - [19/Aug/2022:11:46:57 -0700] "GET /images/curating.png HTTP/1.1" 200 9879 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
40.94.27.6 - - [19/Aug/2022:11:46:57 -0700] "GET /images/gtr.jpg HTTP/1.1" 200 29953 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
40.94.27.82 - - [19/Aug/2022:11:46:57 -0700] "GET /images/Boardwalk.png HTTP/1.1" 200 73583 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
40.94.27.76 - - [19/Aug/2022:11:46:57 -0700] "GET /images/ABS.png HTTP/1.1" 200 6241 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
40.94.27.80 - - [19/Aug/2022:11:46:57 -0700] "GET /images/AMEX.svg HTTP/1.1" 200 9816 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
40.94.27.58 - - [19/Aug/2022:11:46:57 -0700] "GET /images/Vimlogo.svg HTTP/1.1" 200 10191 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
40.94.27.76 - - [19/Aug/2022:11:46:57 -0700] "GET /law/new.png HTTP/1.1" 200 19306 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
40.94.27.6 - - [19/Aug/2022:11:46:57 -0700] "GET /images/bg.jpg HTTP/1.1" 200 294492 "https://www.andrewwatters.com/assets/css/main.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
40.94.27.82 - - [19/Aug/2022:11:46:58 -0700] "GET /assets/css/images/close.svg HTTP/1.1" 200 246 "https://www.andrewwatters.com/assets/css/main.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
40.94.27.6 - - [19/Aug/2022:11:46:58 -0700] "GET /assets/webfonts/fa-solid-900.woff2 HTTP/1.1" 200 78268 "https://www.andrewwatters.com/assets/css/fontawesome-all.min.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
40.94.27.76 - - [19/Aug/2022:11:46:58 -0700] "GET /assets/webfonts/fa-regular-400.woff2 HTTP/1.1" 200 13224 "https://www.andrewwatters.com/assets/css/fontawesome-all.min.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
40.94.27.82 - - [19/Aug/2022:11:46:58 -0700] "GET /assets/webfonts/fa-brands-400.woff2 HTTP/1.1" 200 76736 "https://www.andrewwatters.com/assets/css/fontawesome-all.min.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
40.94.27.76 - - [19/Aug/2022:11:47:06 -0700] "GET /favicon.ico HTTP/1.1" 200 12014 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"

40.94.28.33 - - [19/Aug/2022:15:29:12 -0700] "GET / HTTP/1.1" 200 21886 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36"
40.94.28.33 - - [19/Aug/2022:15:29:16 -0700] "GET /assets/css/main.css HTTP/1.1" 200 76391 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36"
40.94.28.33 - - [19/Aug/2022:15:29:16 -0700] "GET /andrew-g-watters-lawyer-800x1200.jpg HTTP/1.1" 200 200123 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36"
40.94.28.33 - - [19/Aug/2022:15:29:16 -0700] "GET /assets/css/fontawesome-all.min.css HTTP/1.1" 200 59401 "https://www.andrewwatters.com/assets/css/main.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36"
40.94.28.33 - - [19/Aug/2022:15:29:16 -0700] "GET /assets/js/jquery.min.js HTTP/1.1" 200 89501 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36"
40.94.28.33 - - [19/Aug/2022:15:29:17 -0700] "GET /assets/js/jquery.scrollex.min.js HTTP/1.1" 200 2257 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36"
40.94.28.82 - - [19/Aug/2022:15:29:17 -0700] "GET /assets/js/breakpoints.min.js HTTP/1.1" 200 2439 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36"
40.94.28.33 - - [19/Aug/2022:15:29:17 -0700] "GET /assets/js/browser.min.js HTTP/1.1" 200 2051 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36"
40.94.28.33 - - [19/Aug/2022:15:29:17 -0700] "GET /assets/js/util.js HTTP/1.1" 200 12433 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36"
40.94.28.82 - - [19/Aug/2022:15:29:17 -0700] "GET /assets/js/main.js HTTP/1.1" 200 2705 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36"
40.94.28.6 - - [19/Aug/2022:15:29:17 -0700] "GET /images/Creative_Cloud.svg HTTP/1.1" 200 2646 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36"
40.94.28.82 - - [19/Aug/2022:15:29:17 -0700] "GET /images/IBM_logo.svg HTTP/1.1" 200 705 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36"
40.94.28.33 - - [19/Aug/2022:15:29:17 -0700] "GET /images/KSC.jpg HTTP/1.1" 200 14197 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36"
40.94.28.6 - - [19/Aug/2022:15:29:17 -0700] "GET /images/intel.png HTTP/1.1" 200 108172 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36"
40.94.28.33 - - [19/Aug/2022:15:29:17 -0700] "GET /images/exos.png HTTP/1.1" 200 50272 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36"
40.94.28.82 - - [19/Aug/2022:15:29:17 -0700] "GET /images/Nvidia_logo.svg HTTP/1.1" 200 3307 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36"
40.94.28.82 - - [19/Aug/2022:15:29:17 -0700] "GET /images/RHEL.svg HTTP/1.1" 200 5713 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36"
40.94.28.33 - - [19/Aug/2022:15:29:17 -0700] "GET /images/pitbull.png HTTP/1.1" 200 17751 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36"
40.94.28.85 - - [19/Aug/2022:15:29:17 -0700] "GET /images/camera.jpg HTTP/1.1" 200 290848 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36"
40.94.28.33 - - [19/Aug/2022:15:29:17 -0700] "GET /images/CodeWeavers-logo1.png HTTP/1.1" 200 23918 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36"
40.94.28.82 - - [19/Aug/2022:15:29:17 -0700] "GET /images/Mathematica_Logo.svg HTTP/1.1" 200 3457 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36"
40.94.28.33 - - [19/Aug/2022:15:29:17 -0700] "GET /images/collis.jpg HTTP/1.1" 200 44933 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36"
40.94.28.82 - - [19/Aug/2022:15:29:17 -0700] "GET /images/curating.png HTTP/1.1" 200 9879 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36"
40.94.28.6 - - [19/Aug/2022:15:29:17 -0700] "GET /images/gtr.jpg HTTP/1.1" 200 29953 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36"
40.94.28.85 - - [19/Aug/2022:15:29:17 -0700] "GET /images/Boardwalk.png HTTP/1.1" 200 73583 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36"
40.94.28.82 - - [19/Aug/2022:15:29:17 -0700] "GET /images/ABS.png HTTP/1.1" 200 6241 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36"
40.94.28.33 - - [19/Aug/2022:15:29:17 -0700] "GET /images/AMEX.svg HTTP/1.1" 200 9816 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36"
40.94.28.6 - - [19/Aug/2022:15:29:17 -0700] "GET /images/Vimlogo.svg HTTP/1.1" 200 10191 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36"
40.94.28.85 - - [19/Aug/2022:15:29:17 -0700] "GET /law/new.png HTTP/1.1" 200 19306 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36"
40.94.28.33 - - [19/Aug/2022:15:29:17 -0700] "GET /images/bg.jpg HTTP/1.1" 200 294492 "https://www.andrewwatters.com/assets/css/main.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36"
40.94.28.82 - - [19/Aug/2022:15:29:17 -0700] "GET /assets/css/images/close.svg HTTP/1.1" 200 246 "https://www.andrewwatters.com/assets/css/main.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36"
40.94.28.26 - - [19/Aug/2022:15:29:22 -0700] "GET /assets/webfonts/fa-solid-900.woff2 HTTP/1.1" 200 78268 "https://www.andrewwatters.com/assets/css/fontawesome-all.min.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36"
40.94.28.80 - - [19/Aug/2022:15:29:22 -0700] "GET /assets/webfonts/fa-brands-400.woff2 HTTP/1.1" 200 76736 "https://www.andrewwatters.com/assets/css/fontawesome-all.min.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36"
40.94.28.39 - - [19/Aug/2022:15:29:22 -0700] "GET /assets/webfonts/fa-regular-400.woff2 HTTP/1.1" 200 13224 "https://www.andrewwatters.com/assets/css/fontawesome-all.min.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36"
40.94.28.52 - - [19/Aug/2022:15:29:29 -0700] "GET /favicon.ico HTTP/1.1" 200 12014 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36"

111.7.100.25 - - [19/Aug/2022:16:14:25 -0700] "GET / HTTP/1.1" 200 21887 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36"
111.7.100.25 - - [19/Aug/2022:16:14:27 -0700] "GET /assets/css/main.css HTTP/1.1" 200 76391 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36"
111.7.100.25 - - [19/Aug/2022:16:14:27 -0700] "GET /andrew-g-watters-lawyer-800x1200.jpg HTTP/1.1" 200 200123 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36"
111.7.100.26 - - [19/Aug/2022:16:14:29 -0700] "GET / HTTP/1.1" 200 21887 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36"
111.7.100.26 - - [19/Aug/2022:16:14:32 -0700] "GET /andrew-g-watters-lawyer-800x1200.jpg HTTP/1.1" 200 200123 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36"
111.7.100.27 - - [19/Aug/2022:16:14:33 -0700] "GET /assets/css/fontawesome-all.min.css HTTP/1.1" 200 59401 "https://www.andrewwatters.com/assets/css/main.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36"
111.7.100.24 - - [19/Aug/2022:16:14:35 -0700] "GET /assets/js/jquery.scrollex.min.js HTTP/1.1" 200 2257 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36"
111.7.100.24 - - [19/Aug/2022:16:14:36 -0700] "GET /assets/webfonts/fa-solid-900.woff2 HTTP/1.1" 200 78268 "https://www.andrewwatters.com/assets/css/fontawesome-all.min.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36"
111.7.100.27 - - [19/Aug/2022:16:14:36 -0700] "GET /assets/webfonts/fa-regular-400.woff2 HTTP/1.1" 200 13224 "https://www.andrewwatters.com/assets/css/fontawesome-all.min.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36"
111.7.100.24 - - [19/Aug/2022:16:14:36 -0700] "GET /assets/webfonts/fa-brands-400.woff2 HTTP/1.1" 200 76736 "https://www.andrewwatters.com/assets/css/fontawesome-all.min.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36"
111.7.100.26 - - [19/Aug/2022:16:14:36 -0700] "GET /assets/js/jquery.min.js HTTP/1.1" 200 89501 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36"
111.7.100.27 - - [19/Aug/2022:16:14:38 -0700] "GET /assets/css/images/close.svg HTTP/1.1" 200 246 "https://www.andrewwatters.com/assets/css/main.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36"
111.7.100.26 - - [19/Aug/2022:16:14:36 -0700] "GET /images/bg.jpg HTTP/1.1" 200 294492 "https://www.andrewwatters.com/assets/css/main.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36"
111.7.100.24 - - [19/Aug/2022:16:14:39 -0700] "GET /assets/js/browser.min.js HTTP/1.1" 200 2051 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36"
111.7.100.24 - - [19/Aug/2022:16:14:39 -0700] "GET /assets/js/breakpoints.min.js HTTP/1.1" 200 2439 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36"
111.7.100.24 - - [19/Aug/2022:16:14:39 -0700] "GET /assets/js/util.js HTTP/1.1" 200 12433 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36"
111.7.100.24 - - [19/Aug/2022:16:14:40 -0700] "GET /assets/js/main.js HTTP/1.1" 200 2705 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36"
111.7.100.24 - - [19/Aug/2022:16:14:40 -0700] "GET /images/IBM_logo.svg HTTP/1.1" 200 705 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36"
111.7.100.27 - - [19/Aug/2022:16:14:43 -0700] "GET /images/KSC.jpg HTTP/1.1" 200 14197 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36"
111.7.100.24 - - [19/Aug/2022:16:14:43 -0700] "GET /images/Creative_Cloud.svg HTTP/1.1" 200 2646 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36"
111.7.100.24 - - [19/Aug/2022:16:14:44 -0700] "GET /images/intel.png HTTP/1.1" 200 108172 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36"
111.7.100.27 - - [19/Aug/2022:16:14:44 -0700] "GET /images/exos.png HTTP/1.1" 200 50272 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36"
111.7.100.27 - - [19/Aug/2022:16:14:34 -0700] "GET /images/camera.jpg HTTP/1.1" 200 290848 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36"
111.7.100.25 - - [19/Aug/2022:16:14:44 -0700] "GET /images/Nvidia_logo.svg HTTP/1.1" 200 3307 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36"
111.7.100.24 - - [19/Aug/2022:16:14:45 -0700] "GET /images/RHEL.svg HTTP/1.1" 200 5713 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36"
111.7.100.25 - - [19/Aug/2022:16:14:45 -0700] "GET /images/pitbull.png HTTP/1.1" 200 17751 "https://www.andrewwatters.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36"

The first set of IP's traces to Microsoft. The second set of IP's traces to China Mobile. It seems pretty clear that these users are viewing my website through a proxy server that splits its GET requests across a multitude of IP addresses or devices in order to conceal the actual IP address of the user. Interesting that the same method is being used in both the U.S. and China.

It so happens that this same access pattern has occurred twice on my server: once when I was transferring files to the government agency in question a couple months ago and they clicked on the private link from the Microsoft IP address range when I was expecting them to use their usual IP address range. And yesterday, when one of my clients was actually meeting with the agency and was talking about me and my role in his case at this exact time. That's how I know the IP ranges are linked to the government agency. What a clever solution to the problem of tipping off people that the government is looking at them!

The issue with this approach is twofold. First, I can easily generate a digest of the GET requests to reconstruct the access patterns by listing out the components necessary to build my web page, and generating a report showing all the VPN IP's that were used. Second, I can attribute these IP's to particular VPN's and agencies merely by recognizing the behavior and sending myself an alert whenever the Microsoft VPN accesses my website. This kind of defeats the purpose of using a VPN inside the government, but I understand their reasons.

Further observations and analysis to follow, as well as scripts to reconstruct these patterns.

top

---

© 2023 Andrew G. Watters

Last updated: August 20, 2022 02:22:03