Scan of SpaceX Starlink Network (AS14593)

Traceroute from Google Cloud West to Starlink (AS14593)
traceroute to 192.31.243.1 (192.31.243.1), 30 hops max, 60 byte packets
1 * 66.249.94.93 (66.249.94.93) 7.475 ms 74.125.37.205 (74.125.37.205) 7.409 ms
2 72.14.236.185 (72.14.236.185) 8.201 ms 64.233.175.1 (64.233.175.1) 9.707 ms ae27.cs1.sea1.us.eth.zayo.com (64.125.29.0) 7.703 ms
3 108.170.245.117 (108.170.245.117) 7.411 ms 108.170.245.101 (108.170.245.101) 7.736 ms 74.125.243.199 (74.125.243.199) 7.591 ms
4 * * *
5 host.starlinkisp.net (192.31.243.1) 8.195 ms ae27.cs1.sea1.us.eth.zayo.com (64.125.29.0) 7.379 ms 7.472 ms

This gives us a small tidbit of info, the network currently resolves to host.starlinkisp.net. We can expect this to be the future domain for StarLink. For now, it 301 redirects to the SpaceX homepage, but I’m monitoring the domain for updates.

Full Network Scan:


sudo nmap -O -sV --version-intensity 5 192.31.243.0/24
Starting Nmap 6.40 ( http://nmap.org ) at 2019-02-21 18:56 UTC
Nmap scan report for host.starlinkisp.net (192.31.243.1)
Host is up (0.0100s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp filtered ssh
25/tcp filtered smtp
111/tcp open rpcbind 2-4 (RPC #100000)
179/tcp open bgp?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port179-TCP:V=6.40%I=5%D=2/21%Time=5C6EF46D%P=x86_64-redhat-linux-gnu%r
SF:(NULL,32,"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\
SF:xff\0\x1d\x01\x049\x01\0Z\n\xce\n\x02\0\xff\xff\xff\xff\xff\xff\xff\xff
SF:\xff\xff\xff\xff\xff\xff\xff\xff\0\x15\x03\x06\x05")%r(GenericLines,32,
SF:"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\0\x1d
SF:\x01\x049\x01\0Z\n\xce\n\x02\0\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\
SF:xff\xff\xff\xff\xff\xff\0\x15\x03\x06\x05")%r(GetRequest,32,"\xff\xff\x
SF:ff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\0\x1d\x01\x049\x
SF:01\0Z\n\xce\n\x02\0\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff
SF:\xff\xff\xff\0\x15\x03\x06\x05")%r(HTTPOptions,32,"\xff\xff\xff\xff\xff
SF:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\0\x1d\x01\x049\x01\0Z\n\xc
SF:e\n\x02\0\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x
SF:ff\0\x15\x03\x06\x05")%r(RTSPRequest,32,"\xff\xff\xff\xff\xff\xff\xff\x
SF:ff\xff\xff\xff\xff\xff\xff\xff\xff\0\x1d\x01\x049\x01\0Z\n\xce\n\x02\0\
SF:xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\0\x15\x
SF:03\x06\x05")%r(RPCCheck,32,"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf
SF:f\xff\xff\xff\xff\xff\0\x1d\x01\x049\x01\0Z\n\xce\n\x02\0\xff\xff\xff\x
SF:ff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\0\x15\x03\x06\x05")%
SF:r(DNSVersionBindReq,32,"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf
SF:f\xff\xff\xff\xff\0\x1d\x01\x049\x01\0Z\n\xce\n\x02\0\xff\xff\xff\xff\x
SF:ff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\0\x15\x03\x06\x05")%r(He
SF:lp,32,"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff
SF:\0\x1d\x01\x049\x01\0Z\n\xce\n\x02\0\xff\xff\xff\xff\xff\xff\xff\xff\xf
SF:f\xff\xff\xff\xff\xff\xff\xff\0\x15\x03\x06\x05")%r(SSLSessionReq,32,"\
SF:xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\0\x1d\x
SF:01\x049\x01\0Z\n\xce\n\x02\0\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf
SF:f\xff\xff\xff\xff\xff\0\x15\x03\x06\x05")%r(Kerberos,32,"\xff\xff\xff\x
SF:ff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\0\x1d\x01\x049\x01\0
SF:Z\n\xce\n\x02\0\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff
SF:\xff\xff\0\x15\x03\x06\x05");
Device type: router|switch|firewall|storage-misc|general purpose|printer
Running (JUST GUESSING): Juniper embedded (95%), Juniper JUNOS 8.X|9.X|10.X|11.X (95%), Acme Packet embedded (92%), FreeBSD 6.X (92%), Epson embedded (90%)
OS CPE: cpe:/h:juniper:m7i cpe:/o:juniper:junos:8 cpe:/o:juniper:junos:9 cpe:/o:juniper:junos:10 cpe:/o:juniper:junos:11 cpe:/o:freebsd:freebsd:6 cpe:/h:epson:stylus_pro_400
Aggressive OS guesses: Juniper M7i router (95%), Juniper Networks J2320 or MX5-T router; or EX2200, EX3200, EX4200, or EX8200 switch (JUNOS 8.5 - 11.2) (95%), Juniper Networks JUNOS 8.5B2.5 (95%), Juniper JUNOS 9.4R2.9 (93%), Acme Packet Net-Net 4250 VoIP session border controller (92%), FreeNAS 0.69RC2 (FreeBSD 6.4-RELEASE) (92%), FreeBSD 6.2-STABLE - 6.4-STABLE (92%), FreeBSD 6.3-RELEASE-p1 (92%), FreeNAS 0.69RC2 (FreeBSD 6.4-RELEASE-p3) (91%), FreeBSD 6.3-STABLE (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 7 hops

From this info, we can gather Starlink is likely using a Juniper powered router for this single IP. Unfortunately, connections to port 25 and 22 timeout so no further information could be gathered from that end.

The remaining hosts replied in the following way:

Nmap scan report for host.starlinkisp.net (192.31.243.2)
Host is up.
All 1000 scanned ports on host.starlinkisp.net (192.31.243.2) are filtered
Too many fingerprints match this host to give specific OS details
...
Nmap scan report for host.starlinkisp.net (192.31.243.254)
Host is up.
All 1000 scanned ports on host.starlinkisp.net (192.31.243.2) are filtered
Too many fingerprints match this host to give specific OS details

 

 

Latest Scan from 2018-04-16:

 

sudo nmap -O -sV --version-intensity 5 192.31.243.0/24

Starting Nmap 6.40 ( http://nmap.org ) at 2019-04-16 16:22 UTC
Nmap scan report for sea-fw-0.starlinkisp.net (192.31.243.1)
Host is up (0.0078s latency).
All 1000 scanned ports on sea-fw-0.starlinkisp.net (192.31.243.1) are filtered
Too many fingerprints match this host to give specific OS details

Nmap scan report for host.starlinkisp.net (192.31.243.9)
Host is up (0.0078s latency).
All 1000 scanned ports on host.starlinkisp.net (192.31.243.9) are filtered
Too many fingerprints match this host to give specific OS details

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 256 IP addresses (2 hosts up) scanned in 48.30 seconds

Leave a Reply

Your email address will not be published. Required fields are marked *