Millions of the Pentagon's dormant IP addresses sprang to life on January 20
Author: jimschley
Score: 328 points
Date: 2021-04-24 14:02 UTC
Link: www.washingtonpost.com

throwaway2474 wrote:
Can someone explain how we know these "announcements" are real? What's to stop me setting up a company and announcing random dormant address ranges that I don't own?

ThothIV wrote:
Also adding 255.0/8 and 255/4 which is essentially just... IPV6. So we're finally going ipv6, I guess!

yftsui wrote:
Previous story in 2015: https://news.ycombinator.com/item?id=10006534 . This article is exaggerating by saying it happened overnight, when it actually started 5 years ago.

frombody wrote:
Global Resource Systems LLC was only created in September of last year.

It is very much worth asking who this legal entity is and why a private company is better suited to these efforts than the government.

yftsui wrote:
I read the article, but I believe the key point is since when 11.x.x.x stopped being dormant addresses; instead, these IPs just transferred ownership but were not "dormant".

As an interesting fact, when searching "aliyun 11.0.0.0", which is the mentioned Chinese cloud provider I believe, they apparently have been using that as internal IPs since 2015 as well.

jessriedel wrote:
In practice the US government is constrained from paying market rates for tech talent. It can either hire companies to complete the entire project, or it can hire a consulting service (which skims off a massive overhead) to provide technical talent inside a government agency.

[deleted]

jvdvegt wrote:
Paywall-free link: https://archive.is/tKOOA

codeproject wrote:
Thanks a lot, appreciated. It is not that I don't want to pay washingtonpost.com. I just don't have time to read them.

GekkePrutser wrote:
https://github.com/iamadamdev/bypass-paywalls-chrome also really works well on the desktop. Unfortunately I haven't found a way to get it working on Firefox on mobile (the chrome repo also contains the FF one now ;) ). Thanks for the archive link.

PS I understand that websites need to monetise. But getting a subscription to read one linked article per month or so is just not going to happen. The sites I use a lot I do pay a membership for.

fwn wrote:
You need Firefox 68 (fennec 68.11.0) to use extensions from the open internet. Mozilla axed general extension support in later versions of their android browser.

I just keep it around next to my regular browser for the occasional paywall.

GekkePrutser wrote:
Thanks, I'm not sure if I want to run a browser that old though... security-wise. Even if it's probably ok now, it's never going to get updated.

I wish they just supported sideloading of extensions. I wonder how developers are supposed to test their stuff on mobile.

bagacrap wrote:
Perhaps you should consider getting a subscription one month per year and using the extension the other 11, if you think that's a fairer price to pay.

GekkePrutser wrote:
Good point. But I'm not sure if I'd do this with the Washington Post. I wouldn't normally read this unless it's linked from somewhere else (I live in Europe).

I actually had an online subscription to the Guardian for a while because they were really good on the privacy advocacy news. I wanted to support a paper with deep dives into privacy issues. However, the last couple of years I got annoyed with too much Brexit stuff (not surprising for a UK based paper obviously, but as I don't live in the UK I don't want to read about it every day). So I let it lapse.

But there's another thing holding me back. If I subscribe I have to give all my personal details. I don't want to have too many sites where I have that around; data leaks are now happening too often. Even a couple days ago I got yet another notification from haveibeenpwned (this time it was the Spanish company phonehouse.es that was hit).

Anyway, I just wanted to say that while I use paywall avoiding tools I'm not blind to the problem of monetisation and the cost of real journalism :)

uptown wrote:
They'll actually take your money whether you read it or not.

joezydeco wrote:
If you have Amazon Prime, it's half price and free for the first month.

pelagic_sky wrote:
Thank you! Had to use Safari on mobile as the captcha did not play well with Firefox.

gitowiec wrote:
Google recaptcha? I get the same problem continuously on FX desktop and Android :(

GekkePrutser wrote:
Really? I use Firefox literally all the time (with the minor exception of some internal work sites where they require Edge) and while all captchas annoy me to no end, recaptcha does work perfectly fine on Firefox even with uBlock Origin and pihole running. Both on desktop (I use FF on Windows, Mac, Linux and FreeBSD :) ) and on Android.

What is the problem you're seeing?

In fact I really rarely have any issues with FF whatsoever, and if I do it is always either uBlock Origin blocking a little bit too much, or a site that specifically rules out Firefox (like https://business.apple.com ), probably for no real reason other than not bothering to test their site with it.

rch wrote:
I've tried subscribing to a few news sources, including WaPo, but I can't handle the political agendas (right, left, or any of it).

I've had better luck with subscription based aggregators, but nothing exciting enough to want to plug one in particular.

Always looking for new options to try.
dogman144 wrote:
Yeah, all the news sources my parents sub'd to in the early 00s and I sort of figured I'd sub to as well once ready are aggravatingly narrative driven. I'm not sure if I never noticed that, or if it's a new media approach, but I don't need "baseball + narrative injection" articles in my life. I'm actually fairly bummed out about this; I go to Reuters now.

anigbrowl wrote:
News coverage has always been narrative driven to some extent, but previously that was more in selectivity of coverage. The quality of reporting has been in a long slow decline due to a mix of sagging finances and low-to-no quality control competition. The 'Action News' TV format significantly degraded things, and then blogs and specifically conservative-targeted media drove adoption of the narrative approach.

This revealing interview gives an interesting perspective on the media business around the turn of the century. Note that this is a pdf archive copy saved to draw attention to a particular segment, and I'd urge you to ignore that and read the whole thing. I can't link to the original as it vanished some time ago, and this archive predates the establishment of the internet archive. Thus the presentation is biased (sorry) but it's the only complete copy of the interview I know of. https://zfacts.com/zfacts.com/metaPage/lib/Weekly_Standard_M...

deanCommie wrote:
I think the key question isn't which political agenda they have, but whether they report facts or opinions.

In that regard, WaPo is pretty good but you can still do better: https://www.adfontesmedia.com/static-mbc/

axaxs wrote:
It's not nearly that simple. You can essentially print an opinion based only in fact, both by picking carefully which stories you cover, and also which details of which story you choose to report. It's completely possible to frame the exact same story as either left wing or right wing using only facts.

If you want recent proof, look at that debacle with that Toledo kid. Some reported police shoot an armed thug, some report police shoot an unarmed kid. The video proof shows neither side is telling the whole truth.

ufmace wrote:
That isn't really how it works anymore. It's possible (and standard) to push any political agenda without ever stating an opinion directly. It's all about which specific facts you choose to report and which you choose to ignore. It's very easy to select and report only facts that make group A look good, or only facts that make them look bad. In that way, 2 news sources can give people the opposite opinion without anyone ever stating an opinion or saying something that isn't true.

frogpelt wrote:
And furthermore, public sentiment (and therefore elections) is decided by what the main sources of media determine is the most important news.

Example: Cops have shot a thousand people a year for several years in a row (maybe a decade). About 300 of those each year have been black, which is a disproportionate amount by some measures.

However, it is nowhere near the biggest problem in our country even for black people. But because the media has chosen to report on that problem near constantly since Colin Kaepernick took a knee, it has dominated the public consciousness and therefore influences thousands of people to loot, burn, protest, riot and thousands more to develop opinions and attitudes that create more and more division in our country.

Most of what they report is factual, but is it as important as the lofty position they are giving it in the news? Is it helping?

shigawire wrote:
Yes - cops should kill fewer people.

crooked-v wrote:
Every news source of any kind has some sort of bias. The only way to escape that completely is to live alone in the woods as a hermit.

dkdk8283 wrote:
It's the principle for me. I won't support any publication with obvious bias.

crooked-v wrote:
Everyone has bias of one kind or another.

atat7024 wrote:
Do you pay for the Financial Times/WSJ?

mitchdoogle wrote:
All news outlets are biased. Choosing what to report is part of bias. Nobody has the resources to report on every possible news story. There is even such a thing as "centrist bias". Better to choose a few reputable publications with different bias (according to FAIR or whoever) if you want a more balanced approach.

williesleg wrote:
Aah, the wapo, that's Bezos, isn't it?

dr_dshiv wrote:
"large amounts of data could provide several benefits for those in a position to collect and analyze it for threat intelligence and other purposes"

smoldesu wrote:
Another great example of computer literacy in the world of journalism.

LogicX wrote:
Related: https://news.ycombinator.com/item?id=26924988

echelon wrote:
I want to reply to the following dead comment [1]

> Aah, the wapo, that's Bezos, isn't it?

It actually doesn't seem that unreasonable to me that a company as large as Amazon sees vast, unused resources held by the government. They publish an article as a sort of "wink wink, nudge nudge" to see if they can get it put up for auction.

In fact, I'd be shocked if someone at Amazon or another company hasn't tried to ask the Pentagon about this.

> Russell Goemaere, a spokesman for the Defense Department, confirmed in a statement to The Washington Post that the Pentagon still owns all the IP address space and hadn't sold any of it to a private party.

I bet they'd find a buyer if they wanted to sell.

edit: Downvotes? Really? I'm just trying to start a conversation on something I find interesting.

[1] https://news.ycombinator.com/item?id=26925616

judge2020 wrote:
I think the downvotes come from entertaining the idea that, because WAPO writes about something, it's ultimately in order to further the interests of AWS/Amazon/Bezos. This is not really supported by evidence, so any "conversation" regarding this is pretty much useless and helps nobody.

1MachineElf wrote:
Had Amazon won JEDI, a significant chunk of those IPs would exist on their infrastructure.

bushn1989 wrote:
JEDI was a deal for internal cloud infrastructure. I don't think they would be utilizing public IP address ranges.

pelagic_sky wrote:
I don't know why you're being downvoted. It's an interesting idea.

hobs wrote:
I didn't downvote, but random speculation with no evidence doesn't get upvotes on Hacker News; a discussion of things you find interesting that others find baseless will get you downvotes immediately.

blux wrote:
Well, the article sort of requires discussion on what might be happening here, no?

cmeacham98 wrote:
"edit: Downvotes? Really?" is a surefire method of attracting downvotes.

echelon wrote:
I got -4 in downvotes. (-2 before my edit.) I don't know what's going on.

I understand when I call out Apple or Google for bad behavior that I can attract downvotes. Sometimes my posts are snarky, and I understand in that case too.

But I can point to instances where posts I made days ago were all downvoted in unison. Or completely informational threads where every single one of my comments gets a downvote or two.

Just a few days ago I got downvoted the second after I posted a comment. I spotted a typo immediately after submitting, clicked edit, and found myself downvoted before anyone could have possibly even read my comment (it was long). Maybe it was a mis-click -- who knows? But it was great feedback after having just submitted. And in concert with all the other recent downvotes, it's frustrating...

I've been sitting at the same "karma" value for months, and I don't think I'm being a bad member of the community.

It's more than likely noise, but it's got me rattled. It's not actionable feedback. With the pandemic and lack of social contact with other engineers, and this sort of judgement, I don't like it. I honestly don't think I'm being a nuisance.

(And here this comment is with downvotes and no comments. Sigh.)

ufmace wrote:
I upvoted; if nothing else it's a perfectly reasonable comment with an interesting hypothesis.

HN karma is a little weird. IMO, if you've never been downvoted to -4, then you've never said anything really interesting. It's easy to just tell the crowd what they want to hear; saying true and important things doesn't always go down so well. Don't sweat it too hard. Sometimes posts do acquire downvotes at suspicious times and rates. Makes me wonder if some external orgs managed to build downvote bots for HN or are directing voting somehow.

WalterGR wrote:
You already got feedback in hobs's comment. They wrote:

"I didn't downvote, but random speculation with no evidence doesn't get upvotes on hacker news; a discussion of things you find interesting that others find baseless will get you downvotes immediately."

ratsmack wrote:
Speculation is part of the conversation.

regextegrity wrote:
Don't criticise lord bezos

[deleted]

dang wrote:
Related: https://www.kentik.com/blog/the-mystery-of-as8003/

(via https://news.ycombinator.com/item?id=26924988, but no comments there to speak of)

pgn674 wrote:
"several Chinese companies use network numbering systems that resemble the U.S. military's IP addresses in their internal systems"

I don't think I've heard of this before. What does it mean? Does China operate a disconnected BGP network? Or do they have some modified protocol, or what?
fred256 wrote:
Not just Chinese companies. I know of one FAANG company that used internal IP addresses in the 11.0.0.0/8 space (in addition to, not instead of, RFC 1918 space).

walrus01 wrote:
Every time I've seen this it's because of inefficient and wasteful use of 10/8 internally. Like, not every tiny site or thing needs a /24. Once the wasteful use becomes entrenched as a practice, it would be very labor intensive and time-consuming to go on a renumbering plan, as compared to the effort to just use 11/8.

And then ultimately because of refusal to get over the technical hurdle of using IPv6 for internal management.

knorker wrote:
But have you seen inside of FAANG?

snowwrestler wrote:
Well, I would hope it's not Apple since they already own all of 17.0.0.0... one of only 7 private companies that own their own /8, as far as I know.

nanliu wrote:
Alibaba for example use DoD address ranges for their management servers running Alicloud services. They assumed that since nothing in their cloud platform would connect to those addresses they can use them to alleviate IPv4 shortage. In Alicloud, the customer has the right to use any RFC1918 addresses, so they had to be creative since they didn't have sufficient IPv4 addresses.

sterlind wrote:
But if they're not filtering BGP announcements for those ranges (however unlikely), and the GFW isn't blocking traffic out to those addresses (even more unlikely), and the internal metrics were high (super unlikely), I guess it'd slurp out all the traffic? Maybe this was a weird smash-and-grab.

walrus01 wrote:
Lots of less clueful network operators worldwide have used the DoD /8 IP blocks internally, under the impression that they'll never show up in the global v4 routing table, essentially for the same purposes that people would use the 10/8 RFC1918 blocks.

jeroenhd wrote:
Some of those less-clueful operators include Juniper and Azure[1], Cisco[2][3], and probably many other companies. When Cloudflare put its 1.1.1.1 DNS server into use, it started receiving huge amounts of packets destined to unroutable addresses because the 1.0.0.0/8 space was (mostly?) unused.

If you configure your routers correctly, none of these IP addresses should resolve anyway. If something in your network is intentionally dialing the Department of Defence, you probably have some kind of problem at hand. In theory this might become a huge problem, but in practice it probably won't.

[1]: https://www.juniper.net/documentation/en_US/vmx/information-...
[2]: https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2017/pdf...
[3]: https://security.stackexchange.com/questions/157682/why-does...

LinuxBender wrote:
I know of a couple companies that used 1.0.0.0/8 as their internal VPN/WAN network. Myself and others explained why this could be problematic but we were ignored. It's actually _mostly_ fine as long as you 1) never need to reach that network and 2) block traffic in that network from leaving your edge network and 3) triple-check that you have blocked that network from ever being announced from your routers. Downside being you have to double or triple NAT to reach anything in that network. Hamachi uses _or used_ 25/8 _ministry of defense_ as their VPN network.

ev1 wrote:
T-Mobile used or uses UK MoD space also for NAT.

walrus01 wrote:
Juniper and Cisco are equipment vendors, not ISPs. If the DOD /8s are used in some documentation examples, that's a whole other thing.

If network operators are taking the theoretical network blocks provided in training examples and attempting to copy and paste them into real world use, that is a whole other problem with training and education. And lack of oversight by senior people who should know better at their company.

1/8 is also a whole other thing because it's a legitimately announced block controlled by, as I recall, APNIC. If it's in some peoples' 20 year old bogon filter that's their problem, not APNIC's.

ethbr0 wrote:
What IPs does the DoD actually host defense-related services on?

E.g. https://www.defense.gov/Resources/Military-Departments/A-Z-L...

walrus01 wrote:
NIPR and SIPR don't talk to the global routing tables for v4 and v6. Generally if a DOD person needs to access commercial internet resources for things, it'll be through a separate commercial network purpose LAN, or through something like an RDP session to a Citrix thin client to do that.

chipsa wrote:
I think you'd be surprised. Most NIPR computers just use a regular proxy server for internet access. But for example: 214/8 is a DoD owned block, and "weather.af.mil" is on that block, and both externally and internally reachable.

walrus01 wrote:
Not that NIPR computers don't have access to the internet - but because this isn't 1987, those individual workstations would never have public facing DoD v4 IPs. They'll always be behind some combination of NAT and firewall or, as you mentioned, proxy. Certainly there could be some DoD public IP on the external interfaces of said firewalls. If I had to guess, very often the public facing side of those boxes might be a commercially acquired local ISP using that ISP's IP space, and not actual DoD IP space...

photon-torpedo wrote:
If I remember correctly, one of the large Chinese supercomputers (ex #1 in the TOP500) uses the 11.0.0.0 address space for its internal network.

woah wrote:
These IP addresses were unused for a very long time, so using them on internal networks worked fine. Once the Floridian company in the article started announcing them, gateway routers on the Chinese internal networks may have started sending their traffic to Florida.

pgn674 wrote:
Ohh, I think I see. So instead of (or in addition to) creating internal subnets inside 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, they set up subnets inside DoD's 11.0.0.0/8 etc., and it worked out because there were no external BGP announcements for those ranges. But now that there are, if they did not explicitly configure their border gateways to route those ranges inside their networks, the traffic may now leak out to DoD's pilot effort.

jasonhansel wrote:
Maybe DoD is trying to catch security flaws caused by traffic intended for _their own_ internal networks accidentally reaching the public internet? Advertising those IPs publicly and logging all traffic could be a good way of detecting such bugs in DoD systems.

dannyw wrote:
It also explains the lack of public commentary.

jasonhansel wrote:
Indeed. Publicly commenting on it would expose the potential vulnerability (i.e. the accidental leakage of traffic onto the public internet).

capableweb wrote:
Not sure. If the government is doing something large-scale in public (like construction projects [or maybe global IP routing]), they should communicate what is happening before doing it, in order to not phase people.

kelnos wrote:
Eh, I wouldn't be surprised if an org like the Pentagon is secretive about things that aren't really necessary to be secrets. It's just kinda in their nature to be that way (kinda like Apple's default-secrecy about products and features).

(Also, sorry to be That Guy, but this one always gets to me: in the sense you've used it, it's "faze", not "phase".)

dunmalg wrote:
I used to work in intelligence. "Secrecy creep" has long been a serious problem inside DoD. How information gets classified has largely been left up to low level federal bureaucrats, people my father used to angrily refer to as "big haired women from Mississippi". Basically, they are low level federal office drones, with minimal knowledge about the actual content of classified programs, who are left to determine how they are classified. They start with the core information of a project and classify it "Top Secret". Then they take all the peripheral information of that project and classify it TS as well, just to be safe, because it might overlap with the core info, but they have no clue because they're a GS-4 clerk from Boogerville with a high school diploma. Later, as more content is generated in a program, stuff peripheral to the previous peripheral data, which realistically should be classified "Confidential" at most, also gets classified as TS because of its proximity to the previously over-classified peripheral data. Lather-rinse-repeat for a few decades and you have huge swathes of widely known, utterly inconsequential information classified Secret or Top Secret.

MereInterest wrote:
Don't answer this if it isn't legal to answer, but do you have any examples you can share? I can entirely picture the process, and completely believe that it happens, but I don't have a mental image of what the end result looks like.

spiritplumber wrote:
There was a brief period in my life when I did not have the clearance to read code I was writing.

withinboredom wrote:
From my personal experience: a cat died. A very non-important cat. It was the only thing of note in my report.

dwarfsandstuff wrote:
A random cat's death got to be top secret? Oh gawd...

wbl wrote:
The top secret lunch: someone ate an orange at Los Alamos. That orange was top secret. This actually makes some sense.

ajross wrote:
Right, because if there's anything the Pentagon has been known for over the past seven decades or so it's clear publication and transparent disclosure of all its large scale classified projects so as not to phase the public.

xwolfi wrote:
Reading what the DOD said "officially", it appears that maybe they were just looking to see if these IPs could be registered, simply.

It sounds a bit weird that they would have needed 170+M IPs to get a good attack sample from the internet if the IPs are contiguous; a few thousand would have sufficed. It sounds very weird to expect "China" to suddenly route Xi's dirty videos, and why not Iran, Japan, everyone suddenly routing crap there; it's not very targeted and would cost quite a bit to read all the potential TCP packets that got lost by bad WAN vs LAN priority decisions in routers.

Also, it's one shot, so why now? They would have just lost a huge weapon, if true, in a very public manner, for no particular visible threat, no precise target and at great cost possibly.

I'm okay to believe this was possibly just an inventory/activation exercise because someone noticed they owned stuff they can't use until they register them.

hujun wrote:
It is very unlikely for a company like Alibaba not to configure their BGP right.

Havoc wrote:
Why would you do that though when there are perfectly fine internal address ranges available?

twic wrote:
In our case, we were setting up VPN tunnels to a partner, who for some reason required that the addresses on our side should (appear to be) public IP addresses. So we couldn't use 10/8 or 192.168/16 in (that part of) our network.

They didn't actually need the addresses to be routable from the public internet (that was the whole point of the VPN). I think the requirement was really a way of making sure they were unique. I'm sure they had several partners who used 10/8 internally.
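One way to check the three conditions LinuxBender lists above, together with the border-gateway failure pgn674 describes, against an inventory of internal prefixes. This is an added example in Python, not code from the thread or from any project named in it; the address plan, routing table, edge deny-list and BGP export policy it uses are constructed sample data.

```python
"""Audit an internal address plan for "squat space": public address blocks
(such as 11.0.0.0/8) used internally as if they were RFC 1918 space.

For each squatted range three conditions are checked:
  1) an internal route exists, so traffic never follows the default route out;
  2) the edge filters traffic to/from the range;
  3) the range is absent from the BGP export policy.
All inventories below are constructed sample data for this example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple

# Address space that is legitimately never in the global IPv4 table.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OTHER_RESERVED = [ipaddress.ip_network(n) for n in ("100.64.0.0/10", "169.254.0.0/16", "127.0.0.0/8")]

# Squatted ranges that have recently appeared in the global table. 11.0.0.0/8 is the
# block the article discusses; the list itself is constructed for this example.
NEWLY_ANNOUNCED = [ipaddress.ip_network("11.0.0.0/8")]

# Constructed inventories: subnets in use, the border router's routing table
# (prefix, next hop), the edge deny-list, and the prefixes exported to BGP peers.
ASSIGNMENTS = ["10.20.0.0/16", "11.12.0.0/16", "11.13.0.0/16", "1.10.0.0/16"]
ROUTES = [("10.0.0.0/8", "core"), ("172.16.0.0/12", "core"),
          ("11.12.0.0/16", "core"), ("0.0.0.0/0", "upstream")]
EGRESS_DENY = ["11.12.0.0/16"]
BGP_EXPORT = ["203.0.113.0/24", "1.10.0.0/16"]


@dataclass
class Finding:
    prefix: str
    kind: str                  # "rfc1918", "reserved" or "squat"
    now_announced: bool        # squatted range that is no longer dormant upstream
    issues: List[str] = field(default_factory=list)


def classify(prefix: str) -> str:
    """Label a prefix by the kind of address space it lives in."""
    net = ipaddress.ip_network(prefix)
    if any(net.subnet_of(p) for p in RFC1918):
        return "rfc1918"
    if any(net.subnet_of(p) for p in OTHER_RESERVED):
        return "reserved"
    return "squat"


def longest_match(prefix: str, routes: Sequence[Tuple[str, str]]) -> Optional[str]:
    """Next hop of the most specific route covering `prefix`, as a router would pick it."""
    net = ipaddress.ip_network(prefix)
    best = None
    for route, nexthop in routes:
        r = ipaddress.ip_network(route)
        if net.subnet_of(r) and (best is None or r.prefixlen > best[0].prefixlen):
            best = (r, nexthop)
    return best[1] if best else None


def audit(assignments, routes, egress_deny, bgp_export) -> List[Finding]:
    findings = []
    for a in assignments:
        net = ipaddress.ip_network(a)
        kind = classify(a)
        now_announced = kind == "squat" and any(net.overlaps(n) for n in NEWLY_ANNOUNCED)
        f = Finding(a, kind, now_announced)
        if kind == "squat":
            # 1) without an internal route the border forwards the traffic upstream,
            #    i.e. to whoever now announces the block
            if longest_match(a, routes) == "upstream":
                f.issues.append("no internal route: traffic follows the default route upstream")
            # 2) an edge filter contains the damage if an internal route is ever lost
            if not any(net.subnet_of(ipaddress.ip_network(d)) for d in egress_deny):
                f.issues.append("no edge filter for the range")
            # 3) exporting the range would mean announcing someone else's address space
            if any(net.overlaps(ipaddress.ip_network(e)) for e in bgp_export):
                f.issues.append("range overlaps a prefix in the BGP export policy")
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in audit(ASSIGNMENTS, ROUTES, EGRESS_DENY, BGP_EXPORT):
        flag = " (now announced)" if f.now_announced else ""
        print(f"{f.prefix:16} {f.kind}{flag}: {'; '.join(f.issues) or 'ok'}")
```

In the sample data 11.12.0.0/16 passes all three checks while 11.13.0.0/16, which is also inside the newly announced block, has neither an internal route nor an edge filter and is exactly the case woah and pgn674 describe.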
| GekkePrutser wrote: | There's also 172.16/12 :) But yeah I agree. If you're | running a VPN for a large company it's kinda hard to | avoid such conflicts. | | In my work we use 10.0.0.0/8 but of course some people | use the same at home even though 192.168/16 is way more | common. In general I find 172.16/12 the least common in | the field. | jamiek88 wrote: | I know the old Apple extreme and time machine routers | used to default to 10 rather than 192 ever since then | I've kept my internal routing within that block. | | It just looks nicer to me which shows the power of Apple | and how easily I am influenced. | [deleted] | Godel_unicode wrote: | I suspect there are a decent number of network engineers | who think it's funny to use DoD IPs for their internal | network, especially given what their logging system will | probably tell them by default. | | If you drive around with a WiFi stumbler running, you'll | run into networks with names like "UTAH DATA CENTER" and | "SIPRnet", etc for the same reason. | imwillofficial wrote: | I always hated seeing "FBI Surveillance Van" | | Made me wanna climb out of my FBI Surveillance Van and | have a word with them. | leesalminen wrote: | Ha! "Unmarked white van" is the WiFi name at my local dog | daycare. I got a good laugh. | dwarfsandstuff wrote: | My wifi is called nsa_net | Denvercoder9 wrote: | Two things that come to mind are running out of private | address space (a /8 isn't that large), or wanting address | space that doesn't clash with other private networks (e.g. | to ensure a VPN doesn't overlap with home networks). | There's probably more reasons. | VLM wrote: | > running out of private address space | | Classic merger "solution". 
| | Company A uses 10/8 Company B uses 10/8, company A buys | company B and orders new subsidiary B to renumber into | 11/8 "All you have to do is change every first octet to | 11" | woleium wrote: | or, you know, use NAT to do so :) | WanderPanda wrote: | how would nat help in this case? | xxpor wrote: | If they're not actually using the whole /8 (highly | likely), you can setup a 1:1 NAT. basically from network | b, if you want to talk to network a, you find out the | address in 11/8 that corresponds to the 10/8 address and | vice versa. You can use split horizon dns to make it | mostly transparent. | | Every networking problem in the world can be solved with | more NAT or more encapsulation :) | jandrese wrote: | You don't have to use every address in 10.0.0.0/8 to | effectively fill it up. If your corporate policy is to | assign a /16 to each floor of a building, and you have a | LOT of buildings it's pretty easy to fill up the space | even if most of the /16s are sparsely populated. It's | much easier to move on to the 11. space when you build | that new building that pushes you over than renumbering | your entire corporate LAN. | woleium wrote: | what you call 1:1 NAT is just called NAT by cisco, the | stuff most folks think NAT is is actually NAT+PAT (like | what you run on your home router with a single public IP) | chiph wrote: | It basically maps addresses visible on one interface to | those on a different interface. So you can route many | addresses on 10.x to a single 10.x address that is on a | different network. | | https://www.cisco.com/c/en/us/support/docs/ip/network- | addres... | kenniskrag wrote: | or upgrade to ipv6 :) | ratsmack wrote: | or maybe ask the question regarding why we're not all | running ipv6. | kenniskrag wrote: | why? 
| mrkstu wrote: | In the case of a managed service provider I worked for, | using non-announced gov/mil space allowed us to inject | routes for monitoring purposes into the MPLS vrfs of our | customers so we could poll the routers without using our | own public space. | Godel_unicode wrote: | There are lots of examples of this type of "squat space" | being used for largely internal addressing in addition to rfc | 1918 space: | | https://teamarin.net/2015/11/23/to-squat-or-not-to-squat/ | motohagiography wrote: | If that were true, depending on path inforation, any botnet or | other traffic destined to those networks would end up in this | new AS8003 traffic sink, which would create a map of candidate | CCP assets to target on the internet. | | You could do the same with any AS. I haven't looked into bgp | spoofing since about '99, but it seems to have matured since | then. The idea of using it as ephemeral canary/honeynet space | for tracking botnet C&C traffic seems like a reasonable play. | xwolfi wrote: | But the internet is not just CCP vs Captain America. I mean | my home network has random ips and a shit network admin, so I | will also send crap data to the DOD, from Hong Kong. | | You imagine the work to figure out if my tcp heartbeats | between my torrent server and my nginx proxy are CCP botnets | or me misconfiguring my router ? From the same place kinda ? | And you imagine the amount of people we are in China that are | doing shit networking but not CCP-relevant things ? | | And the amount of botnets we have in China that are to scam | each other that even the CCP doesn't want ? :D | ufmace wrote: | Yeah, that's why the stated explanation sounds weird. | | Suddenly advertise this never-used block, and you're just | going to get a massive torrent of previously-internal | traffic from bazillions of organizations all over the | planet that used it for something internal and were | slightly lazy and didn't set up their routing quite right. 
| Probably 99.9% of it is of no use whatsoever to anyone | outside that org. It's tough to imagine that anyone thought | they'd get any useful information on any hostile CCP | activity by doing this. | | I would also expect that any department doing hostile | things on the net would be at least smart enough to not let | any of their internal traffic leak out like that, no matter | who they actually worked for. | Forbo wrote: | I once had a client who decided to use an IP block that was | registered to APNIC for their internal network. Made for | quite the headache as I tried to track down why there was a | ton of traffic supposedly going to China and Japan. -__- | TechBro8615 wrote: | Way back when, I was working at a startup with little clue what | I was doing. Long story short, I set up a VPN network to connect | 600 devices through 8 wifi routers to a VPC. I used 11.0.0.0/8 | because I didn't want to bother sorting through the conflicts | with 10.x, 192.168.x, and 172.x which were all used at various | places throughout the chain (e.g. the routers on 192, some | upstream services on 10.x and 172.) | | All I had to do to make it work, IIRC, was add an ip routing | rule to prioritize our internal routing for traffic on | 11.0.0.0/8 instead of sending it over the default interface. | | This solution worked fine, but it broke in weird ways and I | remember one time I did arp -a on one of the Amazon boxes and | saw some DoD registered addresses, which was a little alarming, | but I just chalked it up to my not understanding the details. | twic wrote: | I did the same with 51/8 back when that was owned by the UK | Department of Work and Pensions but not publicly routable. | client4 wrote: | T-mobile does the same thing. | tyingq wrote: | Still seems a bit odd to me. It doesn't explain why "GLOBAL | RESOURCE SYSTEMS, LLC" is involved. Poking around, the | individuals associated with that aren't government employees. The | company was formed 9/8/2020 in Delaware.
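An added example, not posted by any commenter in this thread, of the audit a defender would run after reading the TechBro8615 and twic stories above: internal use of squatted public space such as 11/8 or 51/8 only stays internal while a more specific internal route beats the default route, and anything without such a route leaves the network once the real owner announces the prefix (as AS8003 did for 11/8). The routing table and flow records are constructed sample input.

```python
import ipaddress
import re

# Address space that is legitimately internal: RFC 1918 plus RFC 6598 (CGNAT).
# Anything else seen as an internal destination is treated as "squat space"
# (assumption: the organisation owns no public space of its own).
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# Constructed routing table of a host like the one in the story: squatted 11/8
# pinned to the VPN, everything else via the default route.  (prefix, interface)
ROUTES = [("0.0.0.0/0", "default"), ("10.0.0.0/8", "eth0"), ("11.0.0.0/8", "vpn0")]

# Constructed flow records, not real traffic: "src -> dst".
FLOWS = """
10.0.5.7 -> 11.20.30.40
10.0.5.7 -> 51.10.20.30
192.168.1.9 -> 22.1.2.3
10.0.5.7 -> 10.0.0.5
10.0.5.7 -> 192.168.1.1
"""

def longest_match(routes, dst):
    """Plain longest-prefix match: the interface a host would actually use."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def classify(routes, dst):
    """'private': RFC 1918/CGNAT.  'squat-internal': public space, but an internal
    route wins so packets stay inside.  'leaks': public space that falls through to
    the default route; once its owner announces it, the packets go to them."""
    ip = ipaddress.ip_address(dst)
    if any(ip in net for net in INTERNAL_RANGES):
        return "private"
    return "leaks" if longest_match(routes, dst) == "default" else "squat-internal"

def audit(flow_text, routes=ROUTES):
    """Map every destination seen in the flow log to its verdict."""
    dsts = re.findall(r"->\s*(\d+\.\d+\.\d+\.\d+)", flow_text)
    return {d: classify(routes, d) for d in dsts}

def leaking(flow_text, routes=ROUTES):
    """Destinations whose traffic would leave the network: the fix-first list."""
    return sorted(d for d, v in audit(flow_text, routes).items() if v == "leaks")

if __name__ == "__main__":
    for dst, verdict in audit(FLOWS).items():
        print(f"{dst:16} {verdict}")
```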
| cronix wrote: | If I were to guess, because private companies aren't subject to | FOIA requests. It's a little trick the gov't has been doing for | some time now to avoid legitimate, legal scrutiny by the | public. | [deleted] | mattkrause wrote: | Outsourcing to private companies also (somehow) appeases the | "small government" folks, even when it costs more/works | worse. | kdmdmdmmdmd wrote: | Somehow? Money the spent is money in the economy, not in | the government. It's pretty easy to understand, I think. | CameronNemo wrote: | Alternatively, money is grifted for political patronage. | kdmdmdmmdmd wrote: | Huh, I wonder how we can prevent that problem | ttul wrote: | Who are the people associated with that company? I'd like to | further investigate them. | tyingq wrote: | You can look up the company name on Florida's Division of | Corporations: | http://search.sunbiz.org/Inquiry/CorporationSearch/ByName | | The Delaware company is registered there as an "outside of | the state of Florida" entity operating in Florida. Some | actual people names are listed. I'm fairly confident it's the | same company, as the Plantation, FL address is there. | anigbrowl wrote: | Allow me to suggest looking up their donation history at | https://www.fec.gov/data/ | sam36 wrote: | The answer is clear. They sprang to life right as Trump was | leaving office because Biden knew he would win and though his | company is registered in Delaware, it is actually just a | Chinese front. | Lammy wrote: | Imagine believing in nationality as anything more than high- | end sports teams for the elite. | chiph wrote: | When you want to do some secret squirrel stuff, you start a | small closely-held company. | | Wait until you read about Air America - an actual airline | started by Claire Chennault (of Flying Tigers fame), that was | bought by the CIA in the post WW-II years and used to run | missions in Southeast Asia up until the mid 1970's.
| | https://en.wikipedia.org/wiki/Air_America_(airline) | Fnoord wrote: | Means nothing. Companies can be a front for a government. | tyingq wrote: | Well, yes, but I'm interested in "for what purpose, in this | specific case". | dathinab wrote: | The simplest would be to make sure the addresses are _not_ | announced by the DoD, which depending on the things they | want to test could matter, or could be irrelevant. | gumby wrote: | This is a complete side point, but what does this sentence mean? | | > Created in 2015, the DDS operates a Silicon Valley-like office | within the Pentagon. | splithalf wrote: | Open office plan, ping pong and bean bag chairs. Slogans on the | walls. Sit stand desks. Lots of h1b workers. Have you never | silicon valley'd? | dogman144 wrote: | DDS hires professional engineers at a special paygrade pegged | to their civilian pay stubs for a 2 year tour of duty fixing | pressing issues in DoD tech via pretty broad authority to | sidestep | | A) the usual senior military slow-roll* in the way of these | fixes | | B) the sh**y govt contractors who made the tech and usually get | paid to fix their own bad tech. | | DDS hires a lot of motivated engineers who would be in civil | service but for the $180k -> $90k paycuts and fear of | bureaucratic hell. It is run by one of the ~founders of | opentable who, post opentable riches, was flying on 9/11/01, | decided to join the Chicago PD as a result, did west Chicago | homicide until the PD discovered his past, he then stood up | Chicago's data-based policing technical approaches, and | eventually the Obama admin heard about him and asked him to take | over DDS (iirc, +/- details there). | | Cool stuff and I'd work for them in a second, probably need | another few years in private sector though. | kelnos wrote: | > _DDS hires professional engineers at a special paygrade | pegged to their civilian pay stubs_ | | I wish USDS would do this as well; I feel like they'd attract | a lot more talent.
Although perhaps they want to attract | exactly the kind of talent who would take a big pay cut out | of a sense of service/duty. | | > _Cool stuff and I'd work for them in a second_ | | For myself, while I recognize that military is a necessary | evil in the world we live in, and I have a ton of respect for | the people who put themselves in harm's way, working for an | org with a .mil address would be against my values. I'm so | torn, though, since (e.g.) the Internet itself came out of | the DoD. It's a hard pill to swallow for me sometimes that a | lot of essential civilian tech was originally developed by or | for the military. | jamiek88 wrote: | There's a strong argument that people with this outlook are | needed in DOD. | | It's the whole those who seek power are least suited to it | schtick. | | I understand your reluctance and you of course make your | own life choices but something to consider. | kingkilr wrote: | I don't know Brett super well so I can't speak to the rest of | his background, but it's not correct that the Obama admin | asked him to take over DDS. | | DDS's founding head was Chris Lynch, who served in that role | until the middle of the Trump administration, when he left | government service and that's when Brett got the job. | dogman144 wrote: | There ya go. +/- details. | | I saw him present on DDS and his backstory at BSidesLV a | few years ago and did a bit of non-profit govt<>tech | chatter with the team there. | | Correct, it was in the middle of the Trump Admin. | gumby wrote: | This is quite interesting -- glad I asked! | dogman144 wrote: | The org has done really interesting things under a few | different political climates. To the extent it's | safe/neutral to say we're entering a more pro-govt can-do | env, I think they'll have a cool next 4 years as an org.
| | Some of the projects they talk about doing have huge value- | adds to technically underserved groups like military | families during mandatory base moves every few years. Those | groups are totally dependent on following the system as | designed (get your travel voucher here, your goods shipped | here, etc) and much of it depends on single option, very | janky govt, almost intranet-like, portals. Iirc, one of | their projects was fixing a portal that was leaking SSNs like | gangbusters. Normal times, that's a 6 month -> 10 year | process to work with the contractor. DDS did it fairly | quickly. | lotsofpulp wrote: | More money, I assume. The government does not want to raise all | programmers' pay, so instead of adjusting the pay schedules | that apply to everyone, they make a special group that the | normal pay schedules don't apply to. | | I wonder if it came about because of how much of a dumpster fire | the first version of healthcare.gov was for the premiere of the | Affordable Care Act. That probably embarrassed a lot of people. | wslack wrote: | healthcare.gov's problem led to a rescue team, whose members | helped to start USDS, whose members helped to start DDS! | | To your first point, it'd be more accurate to say that many | government offices often don't hire any programmers, which | can (among other issues) make it challenging for those | offices to select strong contractors. | soared wrote: | The first paragraph of a job description gives some context to | their culture: | | > How do you feel about the cloud? Specifically, what are your | thoughts on the cumulus clouds of Bespin? Do you believe Cloud | City is composed of only cumulus clouds? Do you have any idea | about what we are asking? If your answer is yes, definitely | read on. If no, still read on, but we might find your lack of | faith disturbing! | wslack wrote: | The office has a deliberately different type of culture.
| | Edit: more info at https://www.dds.mil/about | Angostura wrote: | This page suggests a really interesting way of organising | things: https://www.dds.mil/team | gumby wrote: | Thanks for that informative link. I had no idea. | tiernano wrote: | when digging through some of the IPs, I came across 22.0.0.0/8, | which if you look at the DNS tab of bgp.he.net | (https://bgp.he.net/net/22.0.0.0/8#_dns) shows a LOT of people | are "using" those IPs... which means a LOT of people won't be | happy that their sites, email, dns, etc, are now essentially | being blackholed... for me (I run AS204994), the traffic hits | Frankfurt (I peer with HE there) goes over their network through | Paris, then to Ashburn and then is blackholed... gone after | that... wondering how much traffic is being seen by he.net with | this... | icedchai wrote: | If they're using them for internal networks, they'll (probably) | work just like they did before. It's likely many folks are | using these as like private RFC-1918 addresses. | djoldman wrote: | https://outline.com/3HuXPj | coderholic wrote: | Some details about the ASN announcing the DoD prefixes: | https://ipinfo.io/AS8003 | | It looks like they're not just announcing 11.0.0.0/8 but also a | bunch of more specific routes, including 11.0.0.0/13 and | 11.0.0.0/24 | | It looks like currently their only peer is Hurricane Electric: | https://ipinfo.io/AS6939 | cptskippy wrote: | One peer? Does that mean all that traffic is flowing through | Hurricane Electric? | [deleted] | drawkbox wrote: | > _Defense Digital Service (DDS) authorized a pilot effort | advertising DoD Internet Protocol (IP) space using Border Gateway | Protocol (BGP). This pilot will assess, evaluate and prevent | unauthorized use of DoD IP address space. Additionally, this | pilot may identify potential vulnerabilities. This is one of | DoD's many efforts focused on continually improving our cyber | posture and defense in response to advanced persistent threats.
| We are partnering throughout DoD to ensure potential | vulnerabilities are mitigated._ | | Interesting, seems an effort to find out who was abusing ranges | that were exclusively allowed or disallowed based on the ranges. | Malware that tries to look like something else that uses a state | level IP range to evade blocking, or check for blocks.[1] | | > _I interpret this to mean that the objectives of this effort | are twofold. First, to announce this address space to scare off | any would-be squatters, and secondly, to collect a massive amount | of background internet traffic for threat intelligence._ | | > _On the first point, there is a vast world of fraudulent BGP | routing out there. As I've documented over the years, various | types of bad actors use unrouted address space to bypass | blocklists in order to send spam and other types of malicious | traffic._ | | The Cloudflare example shows how much traffic some of these ranges | that are included/excluded have when turned on. | | > _On the second, there is a lot of background noise that can be | scooped up when announcing large ranges of IPv4 address space. A | recent example is Cloudflare's announcement of 1.1.1.0/24 and | 1.0.0.0/24 in 2018._ | | > _For decades, internet routing operated with a widespread | assumption that ASes didn't route these prefixes on the internet | (perhaps because they were canonical examples from networking | textbooks). According to their blog post soon after the launch, | Cloudflare received "~10Gbps of unsolicited background traffic" | on their interfaces._ | | > _And that was just for 512 IPv4 addresses! Of course, those | addresses were very special, but it stands to reason that 175 | million IPv4 addresses will attract orders of magnitude more | traffic. More misconfigured devices and networks that mistakenly | assumed that all of this DoD address space would never see the | light of day._ | | Looks like a new cybersecurity policy/process started on | inauguration day.
Probably a defensive or offensive measure to | combat the supply chain attacks that may well have used those | ranges in evading blocking. | | [1] https://www.kentik.com/blog/the-mystery-of-as8003/ ___________________________________________________________________ (page generated 2021-04-24 23:00 UTC)