The VPN Lurking in Comcast: An Analysis of StarVPN

With Spur now labeling over 500 anonymization services, we thought it would be worth diving into a recently discovered VPN that has some interesting characteristics.

VPN services work hard to provide their customers access to location-restricted content. Most services have a hard time circumventing Netflix or Disney+'s access restrictions. Continue reading to see how StarVPN uses ISP IP space to provide its customers with unrestricted access to region-locked content.

StarVPN: The Residential VPN Service

Here is an excerpt taken from their site:

At first glance, this seems to be very similar to the value proposition provided by residential proxy services such as Luminati: an undetectable method of anonymization. This would not be the first VPN we have encountered to leverage residential IP space for their purposes. Previously, articles have been written (and since taken down) that showed a connection between NordVPN and OxyLabs. Nord seemed to be leveraging their relationship with OxyLabs to provide unrestricted access to Disney+.

Based on these suspicions of being related to a proxy service, we decided to dive in and examine the types of IPs this service provides their clients.

Residential IP Options

When looking at their plans, two different types of residential IP access are provided: Static Residential and Rotating/Sticky Residential.

The rotating option gives a couple of different intervals to choose from, but the shortest period is 5 minutes. The static option promises the same IP address, with automatic rotation should the IP address encounter an issue. Based on the descriptions alone, we wanted to try the rotating option first, since it sounds like many of the proxy services out there.

Rotating/Sticky Residential IPs

There are two different classes of residential proxies that we encounter on the "legitimate" side. The first option is a simple price per GB of bandwidth used with no limit to the number of IPs. Examples of this type of service include Luminati, Spider, and OxyLabs. The second option is unlimited bandwidth with a rotating interval, during which you keep the same IP address for the entire time. A notable example is Shifter (formerly MicroLeaves).

Based on StarVPN's description of the rotating residential option, we figured this service utilized a commercial proxy service under the hood that fit into the second class of proxies mentioned above. The only way to know for sure: try it out.

-> curl https://ipctx.me/json | jq
{
  "anonymous": true,
  "as": {
    "number": 701,
    "organization": "UUNET"
  },
  "deviceBehaviors": {
    "exists": false
  },
  "devices": {
    "estimate": 1
  },
  "geoLite": {
    "city": "Brooklyn",
    "country": "US",
    "state": "New York"
  },
  "ip": "108.41.241.33",
  "proxiedTraffic": {
    "exists": true,
    "proxies": [
      {
        "name": "SHIFTER_PROXY",
        "type": "RESIDENTIAL"
      }
    ]
  },
  "vpnOperators": {
    "exists": false
  },
  "wifi": {
    "exists": false
  }
}

On a separate note, if you are not familiar with ipctx.me, check out our previous blog post covering this free service.

One result does not make a trend. After several repeats of this process and waiting the required 5 minutes for rotation, we kept getting a similar answer.

-> curl https://ipctx.me/json | jq
{
  "anonymous": true,
  "as": {
    "number": 701,
    "organization": "UUNET"
  },
  "deviceBehaviors": {
    "exists": false
  },
  "devices": {
    "estimate": 1
  },
  "geoLite": {
    "city": "Buffalo",
    "country": "US",
    "state": "New York"
  },
  "ip": "71.186.166.150",
  "proxiedTraffic": {
    "exists": true,
    "proxies": [
      {
        "name": "SHIFTER_PROXY",
        "type": "RESIDENTIAL"
      }
    ]
  },
  "vpnOperators": {
    "exists": false
  },
  "wifi": {
    "exists": false
  }
}

-> curl https://ipctx.me/json | jq
{
  "anonymous": true,
  "as": {
    "number": 701,
    "organization": "UUNET"
  },
  "deviceBehaviors": {
    "exists": false
  },
  "devices": {
    "estimate": 10
  },
  "geoLite": {
    "city": "Oyster Bay",
    "country": "US",
    "state": "New York"
  },
  "ip": "100.38.221.33",
  "proxiedTraffic": {
    "exists": true,
    "proxies": [
      {
        "name": "SHIFTER_PROXY",
        "type": "RESIDENTIAL"
      }
    ]
  },
  "vpnOperators": {
    "exists": false
  },
  "wifi": {
    "exists": false
  }
}

We are only showing a few of the results, but this does go on for a bit. Good news: there is not another residential service out there with millions of IP addresses to track down. Shifter/MicroLeaves has a reseller program so it makes sense that a company might wrap up their offering into a VPN service.

Static Residential IPs

The promise that StarVPN makes about their static residential IPs tells us this offering is a bit different. How can they guarantee an IP will stay around for any length of time if they depend on a residential proxy service? Those services are notorious for providing proxy access through mobile devices and browser extensions, and if that device moves, the IP will change. We figured this was worth inspecting further as well.

After changing our slot to Static Residential, we got the following IP:

-> curl https://ipctx.me/json | jq
{
  "anonymous": false,
  "as": {
    "number": 174,
    "organization": "COGENT-174"
  },
  "deviceBehaviors": {
    "exists": false
  },
  "geoLite": {
    "city": "London",
    "country": "GB",
    "state": "England"
  },
  "ip": "154.62.180.109",
  "proxiedTraffic": {
    "exists": false
  },
  "vpnOperators": {
    "exists": false
  },
  "wifi": {
    "exists": false
  }
}

That IP address looks pretty clean. But also, kind of boring. We took a look at Shodan and did not see anything particularly interesting. whois just shows it belongs to Cogent. A lot of VPN services provide a different exit IP address from their entry. However, we really wanted a good fingerprint for this.

We kicked off one of our more intense internal port scans to see what might be of interest on this box. Luckily, we encountered some fingerprints that provide a strong connection to StarVPN. These fingerprints feed our rule engine, which processes hundreds of different techniques to catalog and label VPN services.

Here is a sample of some of the identified IPs in our feed:

{"ip":"12.205.151.38","org":"AT&T Services, Inc.","user_count":-1,"services":["STAR_VPN"],"maxmind_city":"San Francisco","maxmind_cc":"US","maxmind_subdivision":"California"}
{"ip":"12.160.225.55","org":"AT&T Services, Inc.","user_count":-1,"services":["STAR_VPN"],"maxmind_city":"Los Angeles","maxmind_cc":"US","maxmind_subdivision":"California"}
{"ip":"12.160.225.87","org":"AT&T Services, Inc.","user_count":-1,"services":["STAR_VPN"],"maxmind_city":"Los Angeles","maxmind_cc":"US","maxmind_subdivision":"California"}
{"ip":"8.46.123.95","org":"CenturyLink Communications, LLC","user_count":-1,"services":["STAR_VPN"],"maxmind_city":"New York","maxmind_cc":"US","maxmind_subdivision":"New York"}
{"ip":"12.160.225.240","org":"AT&T Services, Inc.","user_count":1,"services":["PROXY","STAR_VPN"],"maxmind_city":"Los Angeles","maxmind_cc":"US","maxmind_subdivision":"California"}
{"ip":"12.160.225.94","org":"AT&T Services, Inc.","user_count":-1,"services":["STAR_VPN"],"maxmind_city":"Los Angeles","maxmind_cc":"US","maxmind_subdivision":"California"}
{"ip":"12.160.225.2","org":"AT&T Services, Inc.","user_count":-1,"services":["STAR_VPN"],"maxmind_city":"Los Angeles","maxmind_cc":"US","maxmind_subdivision":"California"}
{"ip":"50.228.255.20","org":"Comcast Cable Communications, LLC","user_count":-1,"services":["STAR_VPN"],"maxmind_city":"Mount Laurel","maxmind_cc":"US","maxmind_subdivision":"New Jersey"}
{"ip":"50.228.255.167","org":"Comcast Cable Communications, LLC","user_count":-1,"services":["STAR_VPN"],"maxmind_city":"Mount Laurel","maxmind_cc":"US","maxmind_subdivision":"New Jersey"}
{"ip":"12.205.151.93","org":"AT&T Services, Inc.","user_count":1,"services":["STAR_VPN"],"maxmind_city":"San Francisco","maxmind_cc":"US","maxmind_subdivision":"California"}

These IP addresses are in AT&T, CenturyLink, and Comcast. They are as "clean" as you can get for a VPN service.
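
As an added example (not Spur's code), the Python sketch below joins connection sources against feed records in the JSON-lines shape shown above and contrasts that per-IP lookup with a rule that only distrusts hosting organizations. The feed entries, connection list, org names and the HOSTING_ORGS rule are constructed assumptions, and the IPs are documentation-range addresses.

```python
import ipaddress
import json

# Constructed feed records in the page's JSON-lines shape (documentation-range IPs).
FEED_LINES = """\
{"ip":"192.0.2.38","org":"Example Telecom, Inc.","user_count":-1,"services":["STAR_VPN"],"maxmind_city":"San Francisco","maxmind_cc":"US","maxmind_subdivision":"California"}
{"ip":"198.51.100.240","org":"Example Cable, LLC","user_count":1,"services":["PROXY","STAR_VPN"],"maxmind_city":"Los Angeles","maxmind_cc":"US","maxmind_subdivision":"California"}
"""

# Constructed connection log: (source IP, org from a whois/ASN lookup).
CONNECTIONS = [
    ("192.0.2.38", "Example Telecom, Inc."),
    ("198.51.100.240", "Example Cable, LLC"),
    ("192.0.2.39", "Example Telecom, Inc."),  # same ISP, not in the feed
    ("203.0.113.7", "Example Hosting Co."),
    ("not-an-ip", "unknown"),
]

# Assumption: a naive rule that only distrusts orgs on a hosting list.
HOSTING_ORGS = {"Example Hosting Co."}

def load_feed(text):
    """Index feed records by parsed IP address."""
    index = {}
    for line in text.splitlines():
        try:
            rec = json.loads(line)
            index[ipaddress.ip_address(rec["ip"])] = rec
        except (ValueError, KeyError, TypeError):
            continue  # blank or malformed line: skip it
    return index

def classify(connections, feed):
    """Return one verdict per connection, comparing both approaches."""
    out = []
    for src, org in connections:
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            out.append({"src": src, "error": "unparseable"})
            continue
        services = feed.get(addr, {}).get("services", [])
        org_rule = org in HOSTING_ORGS
        out.append({"src": src, "services": services, "org_rule": org_rule,
                    "missed_by_org_rule": bool(services) and not org_rule})
    return out

if __name__ == "__main__":
    print(*classify(CONNECTIONS, load_feed(FEED_LINES)), sep="\n")
```

The two feed hits sit in ISP-named organizations, so the org rule passes them while the per-IP lookup tags them; the neighbouring address in the same ISP stays untagged.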

StarVPN: A Summary

Overall, StarVPN is a service that provides a residential IP experience for its customers. It looks like they draw their IP addresses from a variety of sources. Nearly every online proxy/VPN detection service misses these IP addresses. After our analysis, we were able to identify nearly 1,000 residential IP exits in their static offering. We did not provide any additional labels for their rotating option due to it being a suspected reseller of Shifter. Daily, we see over 360k IPs belonging to Shifter.

As a network administrator, how would you know if connections coming to your network are through a VPN like this or if they are innocuous?

Interested in learning more about our VPN/proxy detection products? Contact sales@spur.us.


Created At: 2021-02-04
Updated At: 2021-02-04
Written By: Tom Kilmer