[HN Gopher] Millions of the Pentagon's dormant IP addresses spra...
       ___________________________________________________________________
        
       Millions of the Pentagon's dormant IP addresses sprang to life on
       January 20
        
       Author : jimschley
       Score  : 328 points
       Date   : 2021-04-24 14:02 UTC (8 hours ago)
        
 (HTM) web link (www.washingtonpost.com)
 (TXT) w3m dump (www.washingtonpost.com)
        
       | throwaway2474 wrote:
       | Can someone explain how we know these "announcements" are real?
       | What's to stop me setting up a company and announcing random
       | dormant address ranges that I don't own?
        
       | ThothIV wrote:
       | Also adding 255.0/8 and 255/4 which is essentially just... IPV6.
       | So we're finally going ipv6, I guess!
        
       | yftsui wrote:
       | Previous story in 2015:
        | https://news.ycombinator.com/item?id=10006534 . This article is
        | exaggerating by saying it happened overnight, when it actually
        | started 5 years ago.
        
         | frombody wrote:
         | Global Resource Systems LLC was only created in September of
         | last year.
         | 
         | It is very much worth asking who this legal entity is and why a
         | private company is better suited to these efforts than the
         | government.
        
           | yftsui wrote:
           | I read the article but I believe the key point is since when
           | 11.x.x.x stopped being dormant addresses, instead of these
           | IPs just transferred ownership but not "dormant".
           | 
           | As an interesting fact, when searching "aliyun 11.0.0.0"
           | which is the mentioned Chinese cloud provider I believe, they
            | apparently have been using that as internal IPs since 2015 as
           | well
        
           | jessriedel wrote:
           | In practice the US government is constrained from paying
           | market rates for tech talent. It can either hire companies to
           | complete the entire project, or it can hire a consulting
           | service (which skims off a massive overhead) to provide
           | technical talent inside a government agency.
        
         | [deleted]
        
       | jvdvegt wrote:
       | Paywall-free link: https://archive.is/tKOOA
        
         | codeproject wrote:
          | Thanks a lot, appreciated. It is not that I don't want to pay
          | washingtonpost.com. I just don't have time to read them.
        
           | GekkePrutser wrote:
           | https://github.com/iamadamdev/bypass-paywalls-chrome also
           | really works well on the desktop. Unfortunately I haven't
           | found a way to get it working on Firefox on mobile (the
           | chrome repo also contains the FF one now ;) ). Thanks for the
           | archive link.
           | 
           | PS I understand that websites need to monetise.. But getting
           | a subscription to read one linked article per month or so is
           | just not going to happen. The sites I use a lot I do pay a
           | membership for.
        
             | fwn wrote:
             | You need Firefox 68 ( fennec 68.11.0 ) to use extensions
             | from the open internet. Mozilla axed general extension
             | support in later versions of their android browser.
             | 
             | I just keep it around next to my regular browser for the
             | occasional paywall.
        
               | GekkePrutser wrote:
               | Thanks, I'm not sure if I want to run a browser that old
               | though... Security-wise. Even if it's probably ok now,
               | it's never going to get updated.
               | 
               | I wish they just supported sideloading of extensions. I
               | wonder how developers are supposed to test their stuff on
               | mobile.
        
             | bagacrap wrote:
             | perhaps you should consider getting a subscription one
             | month per year and using the extension the other 11 if you
             | think that's a more fair price to pay
        
               | GekkePrutser wrote:
               | Good point. But I'm not sure if I'd do this with the
               | Washington post. I wouldn't normally read this unless
               | it's linked from somewhere else (I live in Europe).
               | 
               | I actually had an online subscription to the Guardian for
               | a while because they were really good on the privacy
               | advocacy news. I wanted to support a paper with deep
               | dives into privacy issues. However the last couple of
               | years I got annoyed with too much Brexit stuff (not
               | surprising for a UK based paper obviously but as I don't
               | live in the UK I don't want to read about it every day).
               | So I let it lapse.
               | 
               | But there's another thing holding me back. If I subscribe
               | I have to give all my personal details. I don't want to
               | have too many sites where I have that around, data leaks
               | are now happening too often. Even a couple days ago I got
               | yet another notification from haveibeenpwned (this time
               | it was the Spanish company phonehouse.es that was hit).
               | 
               | Anyway, I just wanted to say that while I use paywall
               | avoiding tools I'm not blind to the problem of
               | monetisation and the cost of real journalism :)
        
           | uptown wrote:
           | They'll actually take your money whether you read it or not.
        
           | joezydeco wrote:
           | If you have Amazon prime, it's half price and free for the
           | first month.
        
           | pelagic_sky wrote:
           | Thank you! Had to use Safari on mobile as the captcha did not
           | play well with Firefox.
        
             | gitowiec wrote:
             | Google recaptcha? I get the same problem continuously on FX
             | desktop and Android :(
        
               | GekkePrutser wrote:
               | Really? I use Firefox literally all the time (with the
               | minor exception of some internal work sites where they
               | require Edge) and while all captchas annoy me to no end,
               | recaptcha does work perfectly fine on Firefox even with
               | uBlock origin and pihole running. Both on Desktop (I use
               | FF on Windows, Mac, Linux and FreeBSD :) ) and on
               | Android.
               | 
               | What is the problem you're seeing?
               | 
               | In fact I really rarely have any issues with FF
               | whatsoever, and if I do it is always either uBlock Origin
               | blocking a little bit too much, or a site that
               | specifically rules out Firefox (like
               | https://business.apple.com ), probably for no real reason
               | other than not bothering to test their site with it.
        
           | rch wrote:
           | I've tried subscribing to a few news sources, including WaPo,
           | but I can't handle the political agendas (right, left, or any
           | of it).
           | 
           | I've had better luck with subscription based aggregators, but
           | nothing exciting enough to want to plug one in particular.
           | 
           | Always looking for new options to try.
        
             | dogman144 wrote:
             | Yeah all the news sources my parents sub'd to in the early
             | 00s and I sort of figured I'd sub to as well once ready are
             | aggravatingly narrative driven. I'm not sure if I never
             | noticed that, or if it's a new media approach, but I don't
             | need "baseball + narrative injection" articles in my life.
             | I'm actually fairly bummed out about this, I go to Reuters
             | now.
        
               | anigbrowl wrote:
               | News coverage has always been narrative driven to some
               | extent, but previously that was more in selectivity of
               | coverage. The quality of reporting has been in a long
               | slow decline due to a mix of sagging finances and low-no
               | quality control competition. The 'Action News' TV format
               | significantly degraded things, and then blogs and
               | specifically conservative-targeted media drove adoption
               | of the narrative approach.
               | 
               | This revealing interview gives an interesting perspective
               | on the media business around the turn of the century.
               | Note that this is a pdf archive copy saved to draw
               | attention to a particular segment, and I'd urge you
                | ignore that and read the whole thing. I can't link to the
               | original as it vanished some time ago, and this archive
               | predates the establishment of the internet archive. Thus
               | the presentation is biased (sorry) but it's the only
               | complete copy of the interview I know of. https://zfacts.
               | com/zfacts.com/metaPage/lib/Weekly_Standard_M...
        
             | deanCommie wrote:
             | I think the key question isn't which political agenda they
             | have, but whether they report facts or opinions.
             | 
             | In that regard, WaPo is pretty good but you can still do
             | better: https://www.adfontesmedia.com/static-mbc/
        
               | axaxs wrote:
               | It's not nearly that simple. You can essentially print an
               | opinion based only in fact, both by picking carefully
               | which stories you cover, and also which details of which
               | story you choose to report. It's completely possible to
               | frame the exact same story as either left wing or right
               | wing using only facts.
               | 
               | If you want recent proof, look at that debacle with that
               | Toledo kid. Some reported police shoot an armed thug,
               | some report police shoot an unarmed kid. The video proof
               | shows neither side is telling the whole truth.
        
               | ufmace wrote:
               | That isn't really how it works anymore. It's possible
               | (and standard) to push any political agenda without ever
               | stating an opinion directly. It's all about which
               | specific facts you choose to report and which you choose
               | to ignore. It's very easy to select and report only facts
               | that make group A look good, or only facts that make them
               | look bad. In that way, 2 news sources can give people the
               | opposite opinion without anyone ever stating an opinion
               | or saying something that isn't true.
        
               | frogpelt wrote:
               | And furthermore, public sentiment (and therefore
               | elections) are decided by what the main sources of media
               | determine is the most important news.
               | 
               | Example: Cops have shot a thousand people a year for
               | several years in a row (maybe a decade). About 300 of
               | those each year have been black, which is a
               | disproportionate amount by some measures.
               | 
               | However, it is nowhere near the biggest problem in our
               | country even for black people. But because the media has
               | chosen to report on that problem near constantly since
               | Colin Kaepernick took a knee, it has dominated the public
               | consciousness and therefore influences thousands of
               | people to loot, burn, protest, riot and thousands more to
               | develop opinions and attitudes that create more and more
               | division in our country.
               | 
               | Most of what they report is factual but is it as
               | important as the lofty position they are giving it in the
               | news? Is it helping?
        
               | shigawire wrote:
               | Yes - cops should kill fewer people.
        
             | crooked-v wrote:
             | Every news source of any kind has some sort of bias. The
             | only way to escape that completely is to live alone in the
             | woods as a hermit.
        
           | dkdk8283 wrote:
           | It's the principle for me. I won't support any publication
           | with obvious bias.
        
             | crooked-v wrote:
             | Everyone has bias of one kind or another.
        
             | atat7024 wrote:
             | Do you pay for the Financial Times/WSJ?
        
             | mitchdoogle wrote:
             | All news outlets are biased. Choosing what to report is
             | part of bias. Nobody has the resources to report on every
             | possible news story. There is even such a thing as
             | "centrist bias". Better to choose a few reputable
             | publications with different bias (according to FAIR or
             | whoever) if you want a more balanced approach.
        
       | williesleg wrote:
       | Aah, the wapo, that's Bezos, isn't it?
        
       | dr_dshiv wrote:
       | "large amounts of data could provide several benefits for those
       | in a position to collect and analyze it for threat intelligence
       | and other purposes"
        
         | smoldesu wrote:
         | Another great example of computer literacy in the world of
         | journalism.
        
       | LogicX wrote:
       | Related: https://news.ycombinator.com/item?id=26924988
        
       | echelon wrote:
       | I want to reply to the following dead comment [1]
       | 
       | > Aah, the wapo, that's Bezos, isn't it?
       | 
       | It actually doesn't seem that unreasonable to me that a company
       | as large as Amazon sees vast, unused resources held by the
       | government. They publish an article as a sort of "wink wink,
       | nudge nudge" to see if they can get it put up for auction.
       | 
       | In fact, I'd be shocked if someone at Amazon or another company
       | hasn't tried to ask the Pentagon about this.
       | 
       | > Russell Goemaere, a spokesman for the Defense Department,
       | confirmed in a statement to The Washington Post that the Pentagon
       | still owns all the IP address space and hadn't sold any of it to
       | a private party.
       | 
       | I bet they'd find a buyer if they wanted to sell.
       | 
       | edit: Downvotes? Really? I'm just trying to start a conversation
       | on something I find interesting.
       | 
       | [1] https://news.ycombinator.com/item?id=26925616
        
         | judge2020 wrote:
         | I think the downvotes come from entertaining the idea that,
         | because WAPO writes about something, that it's ultimately in
         | order to further the interests of AWS/Amazon/Bezos. This is not
         | really supported by evidence, so any "conversation" regarding
         | this is pretty much useless and helps nobody.
        
         | 1MachineElf wrote:
         | Had Amazon won JEDI, a significant chunk of those IPs would
         | exist on their infrastructure.
        
           | bushn1989 wrote:
           | JEDI was a deal for internal cloud infrastructure. I don't
           | think they would be utilizing public IP address ranges.
        
         | pelagic_sky wrote:
         | I don't know why you're being down voted. It's an interesting
         | idea.
        
           | hobs wrote:
            | I didn't downvote, but random speculation with no evidence
            | doesn't get upvotes on hacker news; a discussion of things
            | you find interesting that others find baseless will get you
            | downvotes immediately.
        
             | blux wrote:
             | Well, the article sort of requires discussion on what might
             | be happening here, not?
        
           | cmeacham98 wrote:
           | "edit: Downvotes? Really?" is a surefire method of attracting
           | downvotes.
        
             | echelon wrote:
             | I got -4 in downvotes. (-2 before my edit.) I don't know
             | what's going on.
             | 
             | I understand when I call out Apple or Google for bad
             | behavior that I can attract downvotes. Sometimes my posts
             | are snarky, and I understand in that case too.
             | 
             | But I can point to instances where posts I made days ago
             | were all downvoted in unison. Or completely informational
             | threads where every single one of my comments gets a
             | downvote or two.
             | 
             | Just a few days ago I got downvoted the second after I
             | posted a comment. I spotted a typo immediately after
             | submitting, clicked edit, and found myself downvoted before
             | anyone could have possibly even read my comment (it was
             | long). Maybe it was a mis-click -- who knows? But it was
             | great feedback after having just submitted. And in concert
             | with all the other recent downvotes, it's frustrating...
             | 
             | I've been sitting at the same "karma" value for months, and
             | I don't think I'm being a bad member of the community.
             | 
             | It's more than likely noise, but it's got me rattled. It's
             | not actionable feedback. With the pandemic and lack of
             | social contact with other engineers, and this sort of
             | judgement, I don't like it. I honestly don't think I'm
             | being a nuisance.
             | 
             | (And here this comment is with downvotes and no comments.
             | Sigh.)
        
               | ufmace wrote:
               | I upvoted, if nothing else it's a perfectly reasonable
               | comment with an interesting hypothesis.
               | 
               | HN karma is a little weird. IMO, if you've never been
               | downvoted to -4, then you've never said anything really
               | interesting. It's easy to just tell the crowd what they
               | want to hear, saying true and important things doesn't
               | always go down so well. Don't sweat it too hard.
               | Sometimes posts do acquire downvotes at suspicious times
               | and rates. Makes me wonder if some external orgs managed
               | to build downvote bots for HN or are directing voting
               | somehow.
        
               | WalterGR wrote:
               | You already got feedback in hobs's comment. They wrote:
               | 
               | "I didnt downvote, but random speculation with no
               | evidence doesn't get upvotes on hacker news; a discussion
               | of things you find interesting that others find baseless
               | with get you downvotes immediately."
        
               | ratsmack wrote:
               | Speculation is part of the conversation.
        
         | regextegrity wrote:
         | Don't criticise lord bezos
        
         | [deleted]
        
       | dang wrote:
       | Related: https://www.kentik.com/blog/the-mystery-of-as8003/
       | 
       | (via https://news.ycombinator.com/item?id=26924988, but no
       | comments there to speak of)
        
       | pgn674 wrote:
       | "several Chinese companies use network numbering systems that
       | resemble the U.S. military's IP addresses in their internal
       | systems"
       | 
       | I don't think I've heard of this before. What does it mean? Does
       | China operate a disconnected BGP network? Or do they have some
       | modified protocol, or what?
        
         | fred256 wrote:
         | Not just Chinese companies. I know of one FAANG company that
         | used internal IP addresses in the 11.0.0.0/8 space (in addition
         | to, not instead of, RFC 1918 space).
        
           | walrus01 wrote:
           | Every time I've seen this it's because of inefficient and
           | wasteful use of 10/8 internally. Like, not every tiny site or
           | thing needs a /24. Once the wasteful use becomes entrenched
           | as a practice, it would be very labor intensive and time-
           | consuming to go on a renumbering plan. As compared to the
           | effort to just use 11/8.
           | 
           | And then ultimately because of refusal to get over the
           | technical hurdle of using IPv6 for internal management.
        
             | knorker wrote:
             | But have you seen inside of FAANG?
        
           | snowwrestler wrote:
           | Well I would hope it's not Apple since they already own all
           | of 17.0.0.0... one of only 7 private companies that own their
           | own /8, as far as I know.
        
         | nanliu wrote:
         | Alibaba for example use DoD address ranges for their management
         | servers running Alicloud services. They assumed since nothing
         | in their cloud platform would connect to those addresses they
          | can use them to alleviate IPv4 shortage. In Alicloud, the
          | customer has the right to use any RFC1918 addresses, so they
         | had to be creative since they didn't have sufficient IPv4
         | addresses.
        
           | sterlind wrote:
           | but if they're not filtering BGP announcements for those
           | ranges (however unlikely), and the GFW isn't blocking traffic
           | out to those addresses (even more unlikely), and the internal
           | metrics were high (super unlikely), I guess it'd slurp out
           | all the traffic? maybe this was a weird smash-and-grab.
        
         | walrus01 wrote:
         | Lots of less clueful network operators worldwide have used the
         | DoD /8 IP blocks internally, under the impression that they'll
         | never show up in the global v4 routing table, essentially for
         | the same purposes that people would use the 10/8 RFC1918
         | blocks.
        
           | jeroenhd wrote:
            | Some of those less-clueful operators include Juniper and
           | Azure[1], Cisco[2][3], and probably many other companies.
           | When Cloudflare put its 1.1.1.1 DNS server into use, it
           | started receiving huge amounts of packets destined to
           | unroutable addresses because the 1.0.0.0/8 space was
           | (mostly?) unused.
           | 
           | If you configure your routers correctly, none of these IP
           | addresses should resolve, anyway. If something in your
           | network is intentionally dialing the department of defence,
           | you probably have some kind of problem at hand. In theory
           | this might become a huge problem, but in practice it probably
           | won't.
           | 
           | [1]: https://www.juniper.net/documentation/en_US/vmx/informat
           | ion-...
           | 
           | [2]: https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2017
           | /pdf...
           | 
           | [3]: https://security.stackexchange.com/questions/157682/why-
           | does...
        
             | LinuxBender wrote:
             | I know of a couple companies that used 1.0.0.0/8 as their
             | internal VPN/WAN network. Myself and others explained why
             | this could be problematic but we were ignored. It's
             | actually _mostly_ fine as long as you 1) never need to
             | reach that network and 2) block traffic in that network
             | from leaving your edge network and 3) triple-check that you
             | have blocked that network from ever being announced from
             | your routers. Downside being you have to double or triple
             | NAT to reach anything in that network. Hamachi uses _or
             | used_ 25 /8 _ministry of defense_ as their VPN network.
        
               | ev1 wrote:
               | T-Mobile used or uses UK MoD space also for NAT.
        
             | walrus01 wrote:
             | Juniper and Cisco are equipment vendors, not ISPs. If the
             | DOD /8s are used in some documentation examples, that's a
             | whole other thing.
             | 
             | If network operators are taking the theoretical network
             | blocks provided in training examples and attempting to copy
             | and paste them into real world use, that is a whole other
             | problem with training and education. And lack of oversight
             | by senior people who should know better at their company.
             | 
             | 1/8 is also a whole other thing because it's a legitimately
             | announced block controlled by, as I recall, APNIC. If it's
              | in some peoples' 20 year old bogon filter that's their
             | problem, not apnic's.
        
             | ethbr0 wrote:
             | What IPs does the DoD actually host defense-related
             | services on?
             | 
             | E.g. https://www.defense.gov/Resources/Military-
             | Departments/A-Z-L...
        
               | walrus01 wrote:
               | NIPR and SIPR don't talk to the global routing tables for
               | v4 and v6. Generally if a DOD person needs to access
               | commercial internet resources for things, it'll be
               | through a separate commercial network purpose LAN, or
               | through something like an rdp session to a Citrix thin
               | client to do that.
        
               | chipsa wrote:
               | I think you'd be surprised. Most NIPR computers just use
               | a regular proxy server for internet access. But example:
               | 214 /8 is a DoD owned block, and "weather.af.mil" is on
               | that block, and both externally and internally reachable.
        
               | walrus01 wrote:
               | Not that NIPR computers don't have access to the internet
               | - but because this isn't 1987, those individual
               | workstations would never have public facing DoD v4 IPs.
               | They'll always be behind some combination of NAT and
               | firewall or as you mentioned, proxy. Certainly there
               | could be some DoD public IP on the external interfaces of
               | said firewalls. If I had to guess very often the public
               | facing side of those boxes might be a commercially
               | acquired local ISP using that ISP's IP space, and not
               | actual DoD IP space...
        
         | photon-torpedo wrote:
         | If I remember correctly, one of the large Chinese
         | supercomputers (ex #1 in the TOP500) uses the 11.0.0.0 address
         | space for its internal network.
        
         | woah wrote:
         | These IP addresses were unused for a very long time, so using
         | them on internal networks worked fine. Once the Floridian
         | company in the article started announcing them, gateway routers
         | on the Chinese internal networks may have started sending their
         | traffic to Florida.
        
           | pgn674 wrote:
           | Ohh, I think I see. So instead of (or in addition to)
           | creating internal subnets inside 10.0.0.0/8, 172.16.0.0/12,
           | and 192.168.0.0/16, they set up subsets inside DoD's
           | 11.0.0.0/8 etc., and it worked out because there were no
           | external BGP announcements for those ranges. But now that
           | there are, if they did not explicitly configure their border
           | gateways to route those ranges inside their networks, the
           | traffic may now leak out to DoD's pilot effort.
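The leak mechanism pgn674 describes (internal subnets carved out of 11.0.0.0/8 that only stayed "private" while nobody announced the covering block) and the checklist LinuxBender gives further up (never announce the squatted space, keep it from leaving your edge) can both be checked with a few lines of Python. This is an added example written for this page, not code from any commenter or from the article; the address plan, the route entries, the next-hop names and the 203.0.113.0/24 "owned" prefix are all constructed placeholders.

```python
import ipaddress

# Constructed internal address plan (not from the thread): one prefix in
# RFC 1918 space, one squatted inside the DoD-registered 11.0.0.0/8.
INTERNAL_PLAN = {
    "mgmt":  ipaddress.ip_network("10.20.0.0/16"),
    "cloud": ipaddress.ip_network("11.42.0.0/16"),
}

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_plan(plan):
    """Names of internal prefixes outside RFC 1918 space: these are only
    'private' for as long as nobody announces the covering block globally."""
    return sorted(name for name, net in plan.items()
                  if not any(net.subnet_of(p) for p in RFC1918))


def next_hop(fib, dst):
    """Longest-prefix match over (network, next_hop) entries; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, hop in fib:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def border_forwarding(internal_fib, announced_prefix, upstream, destinations):
    """Where a border router sends each destination once `announced_prefix`
    is learned from `upstream` via BGP on top of its existing routes."""
    fib = list(internal_fib) + [(ipaddress.ip_network(announced_prefix), upstream)]
    return {dst: next_hop(fib, dst) for dst in destinations}


def export_filter(candidates, owned_prefixes):
    """Outbound BGP policy: announce only prefixes inside space this AS
    actually holds, so a squatted block can never escape as an announcement."""
    owned = [ipaddress.ip_network(p) for p in owned_prefixes]
    return [c for c in candidates
            if any(ipaddress.ip_network(c).subnet_of(o) for o in owned)]


if __name__ == "__main__":
    print("non-RFC1918 internal prefixes:", audit_plan(INTERNAL_PLAN))

    # Case 1: the border router carries an explicit route for the squatted /16.
    # 11.42.7.7 stays internal (longer prefix wins); 11.99.1.1 follows the /8 out.
    fib_ok = [(INTERNAL_PLAN["cloud"], "core-switch")]
    print(border_forwarding(fib_ok, "11.0.0.0/8", "upstream-AS",
                            ["11.42.7.7", "11.99.1.1"]))

    # Case 2: no explicit internal route, the operator relied on the block being
    # unrouted. Once the /8 appears, even the "internal" host goes upstream.
    print(border_forwarding([], "11.0.0.0/8", "upstream-AS", ["11.42.7.7"]))

    # Export policy: the squatted /16 is dropped, the owned block is kept.
    print(export_filter(["11.42.0.0/16", "203.0.113.0/24"], ["203.0.113.0/24"]))
```

The two forwarding cases are the whole point: a longer internal prefix beats the external /8 for hosts inside it, but anything in the squatted /8 that has no more specific internal route, and every host in it when the border never had such a route, now leaves the network towards whoever announced the block.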
        
             | jasonhansel wrote:
             | Maybe DoD is trying to catch security flaws caused by
             | traffic intended for _their own_ internal networks
             | accidentally reaching the public internet? Advertising
             | those IPs publicly and logging all traffic could be a good
             | way of detecting such bugs in DoD systems.
        
               | dannyw wrote:
               | It also explains the lack of public commentary.
        
               | jasonhansel wrote:
               | Indeed. Publicly commenting on it would expose the
               | potential vulnerability (i.e. the accidental leakage of
               | traffic onto the public internet).
        
               | capableweb wrote:
               | Not sure. If the government is doing something large-
               | scale in public (like construction projects [or maybe
               | global IP routing]), they should communicate what is
               | happening before doing it, in order to not phase people.
        
               | kelnos wrote:
               | Eh, I wouldn't be surprised if an org like the Pentagon
               | is secretive about things that aren't really necessary to
               | be secrets. It's just kinda in their nature to be that
               | way (kinda like Apple's default-secrecy about products
               | and features).
               | 
               | (Also, sorry to be That Guy, but this one always gets to
               | me: in the sense you've used it, it's "faze", not
               | "phase".)
        
               | dunmalg wrote:
               | I used to work in intelligence. "Secrecy creep" has long
                | been a serious problem inside DoD. How information gets
               | classified has largely been left up to low level federal
               | bureaucrats, people my father used to angrily refer to as
               | "big haired women from Mississippi". Basically, they are
               | low level federal office drones, with minimal knowledge
                | about the actual content of classified programs, who are
               | left to determine how they are classified. They start
               | with the core information of a project and classify it
               | "Top Secret". Then they take all the peripheral
               | information of that project and classify it TS as well,
               | just to be safe, because it might overlap with the core
               | info, but they have no clue because they're a GS-4 clerk
               | from Boogerville with a high school diploma. Later as
               | more content is generated in a program, stuff peripheral
               | to the previous peripheral data, which realistically
               | should be classified "Confidential" at most, it too gets
               | classified as TS because of its proximity to the
               | previously over-classified peripheral data. Lather-Rinse-
               | Repeat for a few decades and you have huge swathes of
               | widely known, utterly inconsequential information
               | classified Secret or Top Secret.
        
               | MereInterest wrote:
               | Don't answer this if it isn't legal to answer, but do you
               | have any examples you can share? I can entirely picture
               | the process, and completely believe that it happens, but
               | I don't have a mental image of what the end result looks
               | like.
        
               | spiritplumber wrote:
               | There has been a brief period in my life when I did not
               | have the clearance to read code I was writing.
        
               | withinboredom wrote:
               | From my personal experience: a cat died. A very non-
               | important cat. It was the only thing of note in my
               | report.
        
               | dwarfsandstuff wrote:
               | A random cat's death got to be top secret? Oh gawd...
        
               | wbl wrote:
               | The top secret lunch: someone ate an orange at Los
               | Alamos. That orange was top secret. This actually makes
               | some sense.
        
               | ajross wrote:
               | Right, because if there's anything the Pentagon has been
               | known for over the past seven decades or so it's clear
               | publication and transparent disclosure of all its large
               | scale classified projects so as not to phase the public.
        
               | xwolfi wrote:
               | Reading what the DOD said "officially" it appears that
               | maybe they were just looking to see if these IPs could be
               | registered, simply.
               | 
               | It sounds a bit weird they would have needed 170+M IPs to
               | get a good attack sample from the internet; if the IPs are
               | contiguous, a few thousand would have sufficed. It
               | sounds very weird to expect "China" to suddenly route
               | Xi's dirty videos, and why not Iran, Japan, everyone
               | suddenly routing crap there; it's not very targeted and
               | would cost quite a bit to read all the potential TCP
               | packets that got lost by bad WAN vs LAN priority
               | decisions in routers.
               | 
               | Also, it's one shot, so why now? They would have just
               | lost a huge weapon, if true, in a very public manner, for
               | no particular visible threat, no precise target and at
               | great cost possibly.
               | 
               | I'm okay to believe this was possibly just an
               | inventory/activation exercise because someone noticed
               | they owned stuff they can't use until they register them.
        
             | hujun wrote:
             | it is very unlikely for a company like Alibaba not to
             | configure their BGP right
        
           | Havoc wrote:
           | Why would you do that though when there are perfectly fine
           | internal address ranges available?
        
             | twic wrote:
             | In our case, we were setting up VPN tunnels to a partner,
             | who for some reason required that the addresses on our side
             | should (appear to be) public IP addresses. So we couldn't
             | use 10/8 or 192.168/16 in (that part of) our network.
             | 
             | They didn't actually need the addresses to be routable from
             | the public internet (that was the whole point of the VPN).
             | I think the requirement was really a way of making sure
             | they were unique. I'm sure they had several partners who
             | used 10/8 internally.
        
               | GekkePrutser wrote:
               | There's also 172.16/12 :) But yeah I agree. If you're
               | running a VPN for a large company it's kinda hard to
               | avoid such conflicts.
               | 
               | In my work we use 10.0.0.0/8 but of course some people
               | use the same at home even though 192.168/16 is way more
               | common. In general I find 172.16/12 the least common in
               | the field.
        
               | jamiek88 wrote:
               | I know the old Apple Extreme and Time Machine routers
               | used to default to 10 rather than 192; ever since then
               | I've kept my internal routing within that block.
               | 
               | It just looks nicer to me which shows the power of Apple
               | and how easily I am influenced.
        
             | [deleted]
        
             | Godel_unicode wrote:
             | I suspect there are a decent number of network engineers
             | who think it's funny to use DoD IPs for their internal
             | network, especially given what their logging system will
             | probably tell them by default.
             | 
             | If you drive around with a WiFi stumbler running, you'll
             | run into networks with names like "UTAH DATA CENTER" and
             | "SIPRnet", etc for the same reason.
        
               | imwillofficial wrote:
               | I always hated seeing "FBI Surveillance Van"
               | 
               | Made me wanna climb out of my FBI Surveillance Van and
               | have a word with them.
        
               | leesalminen wrote:
               | Ha! "Unmarked white van" is the WiFi name at my local dog
               | daycare. I got a good laugh.
        
               | dwarfsandstuff wrote:
               | My wifi is called nsa_net
        
             | Denvercoder9 wrote:
             | Two things that come to mind are running out of private
             | address space (a /8 isn't that large), or wanting address
             | space that doesn't clash with other private networks (e.g.
             | to ensure a VPN doesn't overlap with home networks).
             | There's probably more reasons.
        
               | VLM wrote:
               | > running out of private address space
               | 
               | Classic merger "solution".
               | 
               | Company A uses 10/8, Company B uses 10/8; company A buys
               | company B and orders new subsidiary B to renumber into
               | 11/8: "All you have to do is change every first octet to
               | 11"
        
               | woleium wrote:
               | or, you know, use NAT to do so :)
        
               | WanderPanda wrote:
               | how would nat help in this case?
        
               | xxpor wrote:
               | If they're not actually using the whole /8 (highly
               | likely), you can set up a 1:1 NAT. Basically, from network
               | B, if you want to talk to network A, you find out the
               | address in 11/8 that corresponds to the 10/8 address and
               | vice versa. You can use split horizon DNS to make it
               | mostly transparent.
               | 
               | Every networking problem in the world can be solved with
               | more NAT or more encapsulation :)
        
               | jandrese wrote:
               | You don't have to use every address in 10.0.0.0/8 to
               | effectively fill it up. If your corporate policy is to
               | assign a /16 to each floor of a building, and you have a
               | LOT of buildings it's pretty easy to fill up the space
               | even if most of the /16s are sparsely populated. It's
               | much easier to move on to the 11. space when you build
               | that new building that pushes you over than renumbering
               | your entire corporate LAN.
        
               | woleium wrote:
               | what you call 1:1 NAT is just called NAT by Cisco; the
               | stuff most folks think NAT is is actually NAT+PAT (like
               | what you run on your home router with a single public IP)
        
               | chiph wrote:
               | It basically maps addresses visible on one interface to
               | those on a different interface. So you can route many
               | addresses on 10.x to a single 10.x address that is on a
               | different network.
               | 
               | https://www.cisco.com/c/en/us/support/docs/ip/network-
               | addres...
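The 1:1 NAT that xxpor and chiph describe, worked through as an added Python example (not code from any commenter): Company B keeps 10/8, Company A reaches B's hosts through an 11/8 alias, and a split-horizon DNS view hands each side the address it can actually reach. The class, the hostnames and the prefixes are constructed for illustration, and the translation generalises to any two equally sized prefixes, not just a first-octet swap.

```python
"""1:1 (static) NAT for the merger scenario in the thread: Company B keeps
10/8 internally, Company A reaches B's hosts through an 11/8 alias, and a
split-horizon DNS view hides the translation.  Added example; the prefixes,
hostnames and helper names are constructed for illustration."""
import ipaddress
from typing import Callable, Dict


class OneToOneNat:
    """Stateless prefix-to-prefix translation (Linux calls this NETMAP):
    the host part of the address is preserved, only the network part swaps."""

    def __init__(self, inside: str, outside: str) -> None:
        self.inside = ipaddress.ip_network(inside)
        self.outside = ipaddress.ip_network(outside)
        # Every inside host needs exactly one outside alias, so both
        # prefixes must be the same size.
        if self.inside.prefixlen != self.outside.prefixlen:
            raise ValueError("1:1 NAT requires equally sized prefixes")

    @staticmethod
    def _translate(addr: str, src: ipaddress.IPv4Network,
                   dst: ipaddress.IPv4Network) -> str:
        ip = ipaddress.ip_address(addr)
        if ip not in src:
            raise ValueError(f"{addr} is outside {src}")
        host_part = int(ip) - int(src.network_address)
        return str(dst.network_address + host_part)

    def to_outside(self, addr: str) -> str:
        """Address Company A uses to reach a B host (10.x -> 11.x)."""
        return self._translate(addr, self.inside, self.outside)

    def to_inside(self, addr: str) -> str:
        """Real B address behind an 11.x alias (11.x -> 10.x)."""
        return self._translate(addr, self.outside, self.inside)


def dns_answer(records: Dict[str, str], nat: OneToOneNat,
               name: str, view: str) -> str:
    """Split-horizon DNS: B's own resolver ('inside' view) hands out the real
    10/8 address, the resolver A's hosts use ('outside' view) hands out the
    NAT'd alias, so neither side needs to know about the translation."""
    real = records[name]
    return real if view == "inside" else nat.to_outside(real)


def raises_value_error(fn: Callable[..., object], *args: object) -> bool:
    """Helper so rejected inputs can be checked without try/except."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


# Constructed data: B's hosts, as B itself numbers them.
B_RECORDS = {"erp.b.example": "10.20.30.40", "mail.b.example": "10.0.0.25"}
B_AS_SEEN_BY_A = OneToOneNat("10.0.0.0/8", "11.0.0.0/8")

if __name__ == "__main__":
    print(dns_answer(B_RECORDS, B_AS_SEEN_BY_A, "erp.b.example", "inside"))
    print(dns_answer(B_RECORDS, B_AS_SEEN_BY_A, "erp.b.example", "outside"))
```

The symmetric direction (A's 10/8 hosts as seen from B) is a second OneToOneNat instance with another unused alias prefix; an address outside the configured prefix is rejected rather than silently mapped.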
        
               | kenniskrag wrote:
               | or upgrade to ipv6 :)
        
               | ratsmack wrote:
               | or maybe ask the question regarding why we're not all
               | running ipv6.
        
               | kenniskrag wrote:
               | why?
        
             | mrkstu wrote:
             | In the case of a managed service provider I worked for,
             | using non-announced gov/mil space allowed us to inject
             | routes for monitoring purposes into the MPLS vrfs of our
             | customers so we could poll the routers without using our
             | own public space.
        
           | Godel_unicode wrote:
           | There are lots of examples of this type of "squat space"
           | being used for largely internal addressing in addition to RFC
           | 1918 space:
           | 
           | https://teamarin.net/2015/11/23/to-squat-or-not-to-squat/
        
         | motohagiography wrote:
         | If that were true, depending on path information, any botnet or
         | other traffic destined to those networks would end up in this
         | new AS8003 traffic sink, which would create a map of candidate
         | CCP assets to target on the internet.
         | 
         | You could do the same with any AS. I haven't looked into bgp
         | spoofing since about '99, but it seems to have matured since
         | then. The idea of using it as ephemeral canary/honeynet space
         | for tracking botnet C&C traffic seems like a reasonable play.
        
           | xwolfi wrote:
           | But the internet is not just CCP vs Captain America. I mean
           | my home network has random IPs and a shit network admin, so I
           | will also send crap data to the DOD, from Hong Kong.
           | 
           | You imagine the work to figure out if my TCP heartbeats
           | between my torrent server and my nginx proxy are CCP botnets
           | or me misconfiguring my router? From the same place, kinda?
           | And you imagine the amount of people we are in China that are
           | doing shit networking but not CCP-relevant things?
           | 
           | And the amount of botnets we have in China that are to scam
           | each other that even the CCP doesn't want? :D
        
             | ufmace wrote:
             | Yeah, that's why the stated explanation sounds weird.
             | 
             | Suddenly advertise this never-used block, and you're just
             | going to get a massive torrent of previously-internal
             | traffic from bazillions of organizations all over the
             | planet that used it for something internal and were
             | slightly lazy and didn't set up their routing quite right.
             | Probably 99.9% of it is of no use whatsoever to anyone
             | outside that org. It's tough to imagine that anyone thought
             | they'd get any useful information on any hostile CCP
             | activity by doing this.
             | 
             | I would also expect that any department doing hostile
             | things on the net would be at least smart enough to not let
             | any of their internal traffic leak out like that, no matter
             | who they actually worked for.
        
             | Forbo wrote:
             | I once had a client who decided to use an IP block that was
             | registered to APNIC for their internal network. Made for
             | quite the headache as I tried to track down why there was a
             | ton of traffic supposedly going to China and Japan. -__-
        
         | TechBro8615 wrote:
         | Way back when, I was working at a startup with little clue what
         | I was doing. Long story short, I set up a VPN network to connect
         | 600 devices through 8 wifi routers to a VPC. I used 11.0.0.0/8
         | because I didn't want to bother sorting through the conflicts
         | with 10.x, 192.168.x, and 172.x which were all used at various
         | places throughout the chain (e.g. the routers on 192, some
         | upstream services on 10.x and 172.)
         | 
         | All I had to do to make it work, IIRC, was add an ip routing
         | rule to prioritize our internal routing for traffic on
         | 11.0.0.0/8 instead of sending it over the default interface.
         | 
         | This solution worked fine, but it broke in weird ways and I
         | remember one time I did arp -a on one of the Amazon boxes and
         | saw some DoD registered addresses, which was a little alarming,
         | but I just chalked it up to my not understanding the details.
        
           | twic wrote:
           | I did the same with 51/8 back when that was owned by the UK
           | Department of Work and Pensions but not publicly routable.
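An added defensive check (not from any commenter) for the situation TechBro8615, twic and Forbo describe: audit a Linux routing table for public prefixes that are being used as if they were private, which is exactly the traffic that starts leaking or getting blackholed once the real holder announces the block. The `ip -4 route` lines, the allowlist and the function names are constructed for illustration.

```python
"""Audit a Linux routing table for 'squat space': public prefixes pressed
into service as if they were private (11/8, 22/8 and 51/8 in the thread).
Added example; the route lines below are constructed, not captured from any
commenter's network."""
import ipaddress
from typing import Dict, Iterable, List, Tuple

RFC1918 = [ipaddress.ip_network(p) for p in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")   # RFC 6598 shared space


def classify(net: ipaddress.IPv4Network,
             own_public: Iterable[ipaddress.IPv4Network]) -> str:
    """Return why a prefix may legitimately sit in an internal routing table,
    or 'squat' when it is global unicast space the organisation does not own."""
    if any(net.subnet_of(p) for p in own_public):
        return "own-public"
    if any(net.subnet_of(p) for p in RFC1918):
        return "rfc1918"
    if net.subnet_of(CGNAT):
        return "cgnat"
    if not net.is_global:       # loopback, link-local, documentation nets, ...
        return "special-use"
    return "squat"


def parse_route(line: str) -> Tuple[ipaddress.IPv4Network, str]:
    """Parse one `ip -4 route` line into (destination, device).  A bare
    address without a mask is a host route, which ip_network treats as /32."""
    tokens = line.split()
    dest = tokens[0]
    net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest,
                               strict=False)
    dev = tokens[tokens.index("dev") + 1] if "dev" in tokens else "?"
    return net, dev


def audit_routes(lines: Iterable[str],
                 own_public: Iterable[str]) -> List[Dict[str, str]]:
    """Classify every non-default route; the result is ready for a report."""
    own = [ipaddress.ip_network(p) for p in own_public]
    report = []
    for line in lines:
        if not line.strip():
            continue
        net, dev = parse_route(line)
        if net.prefixlen == 0:          # the default route is not 'squatted'
            continue
        report.append({"prefix": str(net), "dev": dev,
                       "class": classify(net, own)})
    return report


def squatted_prefixes(lines: Iterable[str], own_public: Iterable[str]) -> List[str]:
    """Just the prefixes that deserve a closer look."""
    return [r["prefix"] for r in audit_routes(lines, own_public)
            if r["class"] == "squat"]


# Constructed `ip -4 route` output modelled on the thread: an 11/8 VPN, 22/8
# and 51/8 used as extra 'private' space, a WireGuard link on CGNAT space,
# and one public /24 the organisation really does own (placeholder value).
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev eth0
10.0.0.0/8 via 10.50.0.1 dev eth1
11.0.0.0/8 dev tun0 scope link
22.0.0.0/8 via 10.50.0.1 dev eth1
51.0.0.0/8 via 10.50.0.1 dev eth1
100.64.0.0/10 dev wg0 scope link
172.16.0.0/12 dev eth1 scope link
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
203.0.113.0/24 dev eth2 scope link
""".splitlines()
OWN_PUBLIC = ["203.0.113.0/24"]   # placeholder for the org's real allocation

if __name__ == "__main__":
    for row in audit_routes(SAMPLE_ROUTES, OWN_PUBLIC):
        print(f"{row['prefix']:<18} {row['dev']:<5} {row['class']}")
```

Feeding it the live output of `ip -4 route` (one line per list element) and the organisation's actual allocations in OWN_PUBLIC gives the list of prefixes to renumber or tunnel before someone else announces them.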
        
       | client4 wrote:
       | T-mobile does the same thing.
        
       | tyingq wrote:
       | Still seems a bit odd to me. It doesn't explain why "GLOBAL
       | RESOURCE SYSTEMS, LLC" is involved. Poking around, the
       | individuals associated with that aren't government employees. The
       | company was formed 9/8/2020 in Delaware.
        
         | cronix wrote:
         | If I were to guess, because private companies aren't subject to
         | FOIA requests. It's a little trick the gov't has been doing for
         | some time now to avoid legitimate, legal scrutiny by the
         | public.
        
           | [deleted]
        
           | mattkrause wrote:
           | Outsourcing to private companies also (somehow) appeases the
           | "small government" folks, even when it costs more/works
           | worse.
        
             | kdmdmdmmdmd wrote:
             | Somehow? Money they spent is money in the economy, not in
             | the government. It's pretty easy to understand, I think.
        
               | CameronNemo wrote:
               | Alternatively, money is grifted for political patronage.
        
               | kdmdmdmmdmd wrote:
               | Huh, I wonder how we can prevent that problem
        
         | ttul wrote:
         | Who are the people associated with that company? I'd like to
         | further investigate them.
        
           | tyingq wrote:
           | You can look up the company name on Florida's Division of
           | Corporations:
           | http://search.sunbiz.org/Inquiry/CorporationSearch/ByName
           | 
           | The Delaware company is registered there as an "outside of
           | the state of Florida" entity operating in Florida. Some
           | actual people names are listed. I'm fairly confident it's the
           | same company, as the Plantation, FL address is there.
        
             | anigbrowl wrote:
             | Allow me to suggest looking up their donation history at
             | https://www.fec.gov/data/
        
         | sam36 wrote:
         | The answer is clear. They sprang to life right as Trump was
         | leaving office because Biden knew he would win and though his
         | company is registered in Delaware, it is actually just a
         | Chinese front.
        
           | Lammy wrote:
           | Imagine believing in nationality as anything more than high-
           | end sports teams for the elite.
        
         | chiph wrote:
         | When you want to do some secret squirrel stuff, you start a
         | small closely-held company.
         | 
         | Wait until you read about Air America - an actual airline
         | started by Claire Chennault (of Flying Tigers fame), that was
         | bought by the CIA in the post WW-II years and used to run
         | missions in Southeast Asia up until the mid 1970's.
         | 
         | https://en.wikipedia.org/wiki/Air_America_(airline)
        
         | Fnoord wrote:
         | Means nothing. Companies can be a front for a government.
        
           | tyingq wrote:
           | Well, yes, but I'm interested in "for what purpose, in this
           | specific case".
        
             | dathinab wrote:
             | The simplest would be to make sure the addresses are _not_
             | announced by the DoD, which depending on the things they
             | want to test could matter, or could be irrelevant.
        
       | gumby wrote:
       | This is a complete side point, but what does this sentence mean?
       | 
       | > Created in 2015, the DDS operates a Silicon Valley-like office
       | within the Pentagon.
        
         | splithalf wrote:
         | Open office plan, ping pong and bean bag chairs. Slogans on the
         | walls. Sit stand desks. Lots of h1b workers. Have you never
         | silicon valley'd?
        
         | dogman144 wrote:
         | DDS hires professional engineers at a special paygrade pegged
         | to their civilian pay stubs for a 2 year tour of duty fixing
         | pressing issues in DoD tech via pretty broad authority to
         | sidestep
         | 
         | A) the usual senior military slow-roll* in the way of these
         | fixes
         | 
         | B) the sh**y govt contractors who made the tech and usually get
         | paid to fix their own bad tech.
         | 
         | DDS hires a lot of motivated engineers who would be in civil
         | service but for the $180k -> $90k paycuts and fear of
         | bureaucratic hell. It is run by one of the ~founders of
         | opentable who, post opentable riches, was flying on 9/11/01,
         | decided to join the Chicago PD as a result, did west Chicago
         | homicide until the PD discovered his past, he then stood up
         | Chicago's data-based policing technical approaches, and
         | eventually the Obama admin heard about him and asked him to take
         | over DDS (iirc, +/- details there).
         | 
         | Cool stuff and I'd work for them in a second, probably need
         | another few years in private sector though.
        
           | kelnos wrote:
           | > _DDS hires professional engineers at a special paygrade
           | pegged to their civilian pay stubs_
           | 
           | I wish USDS would do this as well; I feel like they'd attract
           | a lot more talent. Although perhaps they want to attract
           | exactly the kind of talent who would take a big pay cut out
           | of a sense of service/duty.
           | 
           | > _Cool stuff and I'd work for them in a second_
           | 
           | For myself, while I recognize that military is a necessary
           | evil in the world we live in, and I have a ton of respect for
           | the people who put themselves in harm's way, working for an
           | org with a .mil address would be against my values. I'm so
           | torn, though, since (e.g.) the Internet itself came out of
           | the DoD. It's a hard pill to swallow for me sometimes that a
           | lot of essential civilian tech was originally developed by or
           | for the military.
        
             | jamiek88 wrote:
             | There's a strong argument that people with this outlook are
             | needed in DOD.
             | 
             | It's the whole those who seek power are least suited to it
             | schtick.
             | 
             | I understand your reluctance and you of course make your
             | own life choices but something to consider.
        
           | kingkilr wrote:
           | I don't know Brett super well so I can't speak to the rest of
           | his background, but it's not correct that the Obama admin
           | asked him to take over DDS.
           | 
           | DDS's founding head was Chris Lynch, who served in that role
           | until the middle of the Trump administration, when he left
           | government service and that's when Brett got the job.
        
             | dogman144 wrote:
             | There ya go. +/- details.
             | 
             | I saw him present on DDS and his backstory at BSidesLV a
             | few years ago and did a bit of non-profit govt<>tech
             | chatter with the team there.
             | 
             | Correct, it was in the middle of the Trump Admin.
        
           | gumby wrote:
           | This is quite interesting -- glad I asked!
        
             | dogman144 wrote:
             | The org has done really interesting things under a few
             | different political climates. To the extent it's
             | safe/neutral to say we're entering a more pro-govt can-do
             | env, I think they'll have a cool next 4 years as an org.
             | 
             | Some of the projects they talk about doing have huge value-
             | adds to technically underserved groups like military
             | families during mandatory base moves every few years. Those
             | groups are totally dependent on following the system as
             | designed (get your travel voucher here, your goods shipped
             | here, etc) and much of it depends on single option, very
             | janky govt, almost intranet-like, portals. Iirc, one of
             | their projects was fixing a portal that was leaking SSNs like
             | gangbusters. Normal times, that's a 6 month -> 10 year
             | process to work with the contractor. DDS did it fairly
             | quickly.
        
         | lotsofpulp wrote:
         | More money, I assume. The government does not want to raise all
         | programmers' pay, so instead of adjusting the pay schedules
         | that apply to everyone, they make a special group that the
         | normal pay schedules don't apply to.
         | 
         | I wonder if it came about because how much of a dumpster fire
         | the first version of healthcare.gov was for the premiere of the
         | Affordable Care Act. That probably embarrassed a lot of people.
        
           | wslack wrote:
           | healthcare.gov's problem led to a rescue team, whose members
           | helped to start USDS, whose members helped to start DDS!
           | 
           | To your first point, it'd be more accurate to say that many
           | government offices often don't hire any programmers, which
           | can (among other issues) make it challenging for those
           | offices to select strong contractors.
        
         | soared wrote:
         | The first paragraph of a job description gives some context to
         | their culture:
         | 
         | > How do you feel about the cloud? Specifically, what are your
         | thoughts on the cumulus clouds of Bespin? Do you believe Cloud
         | City is composed of only cumulus clouds? Do you have any idea
         | about what we are asking? If your answer is yes, definitely
         | read on. If no, still read on, but we might find your lack of
         | faith disturbing!
        
         | wslack wrote:
         | The office has a deliberately different type of culture.
         | 
         | Edit: more info at https://www.dds.mil/about
        
           | Angostura wrote:
           | This page suggests a really interesting way of organising
           | things: https://www.dds.mil/team
        
           | gumby wrote:
           | Thanks for that informative link. I had no idea.
        
       | tiernano wrote:
       | when digging through some of the IPs, i came across 22.0.0.0/8,
       | which if you look at the DNS tab of bgp.he.net
       | (https://bgp.he.net/net/22.0.0.0/8#_dns) shows a LOT of people
       | are "using" those IPs... which means a LOT of people won't be
       | happy that their sites, email, dns, etc, are now essentially
       | being blackholed... for me (I run AS204994), the traffic hits
       | Frankfurt (i peer with HE there) goes over their network through
       | Paris, then to Ashburn and then is blackholed... gone after
       | that... wondering how much traffic is being seen by he.net with
       | this...
        
         | icedchai wrote:
         | If they're using them for internal networks, they'll (probably)
         | work just like they did before. It's likely many folks are
         | using these as like private RFC-1918 addresses.
        
       | djoldman wrote:
       | https://outline.com/3HuXPj
        
       | coderholic wrote:
       | Some details about the ASN announcing the DoD prefixes:
       | https://ipinfo.io/AS8003
       | 
       | It looks like they're not just announcing 11.0.0.0/8 but also a
       | bunch of more specific routes, including 11.0.0.0/13 and
       | 11.0.0.0/24
       | 
       | It looks like currently their only peer is Hurricane Electric:
       | https://ipinfo.io/AS6939
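Longest-prefix matching over the announcements coderholic lists, as an added Python example with a toy RIB (not code from ipinfo or the thread): the /24 and /13 more specifics win over the covering /8 for any destination they contain, and a consistency check flags a more specific whose origin AS differs from the covering prefix's origin. The AS paths are modelled on the thread and the AS64496 entry is a constructed what-if using a documentation ASN.

```python
"""Longest-prefix match over the AS8003 announcements listed above
(11.0.0.0/8 with more specifics 11.0.0.0/13 and 11.0.0.0/24, all learned
through Hurricane Electric, AS6939).  Added example with a toy RIB; AS paths
are modelled on the thread and ROGUE_RIB is a constructed what-if."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: Tuple[int, ...]   # leftmost: peer we heard it from; rightmost: origin

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


def build_rib(entries: Iterable[Tuple[str, Sequence[int]]]) -> List[Route]:
    """Keep the table sorted most specific first, so a linear scan returns
    the longest match on the first hit."""
    rib = [Route(ipaddress.ip_network(p), tuple(path)) for p, path in entries]
    return sorted(rib, key=lambda r: r.prefix.prefixlen, reverse=True)


def best_route(rib: List[Route], dest: str) -> Optional[Route]:
    """Longest-prefix match: the most specific announced prefix containing
    `dest` wins, however large the covering prefix is."""
    ip = ipaddress.ip_address(dest)
    for route in rib:
        if ip in route.prefix:
            return route
    return None


def inconsistent_origins(rib: List[Route]) -> List[str]:
    """More specifics whose origin AS differs from the AS originating their
    covering prefix.  When one operator is meant to announce a whole block,
    such an entry is a misconfiguration or an announcement to investigate."""
    suspicious = []
    for route in rib:
        covering = [c for c in rib
                    if c.prefix != route.prefix and route.prefix.subnet_of(c.prefix)]
        if any(c.origin_as != route.origin_as for c in covering):
            suspicious.append(str(route.prefix))
    return suspicious


# Modelled on the thread: AS8003 originates 11/8 and two more specifics,
# and its only peer is HE (AS6939).
AS8003_RIB = build_rib([
    ("11.0.0.0/8",  (6939, 8003)),
    ("11.0.0.0/13", (6939, 8003)),
    ("11.0.0.0/24", (6939, 8003)),
])

# Constructed what-if: a more specific originated by a documentation ASN
# (AS64496) appears inside the /8; longest match would prefer it.
ROGUE_RIB = build_rib([
    ("11.0.0.0/8",  (6939, 8003)),
    ("11.0.1.0/24", (64496,)),
])

if __name__ == "__main__":
    for dest in ("11.0.0.5", "11.4.0.1", "11.200.0.1", "12.0.0.1"):
        hit = best_route(AS8003_RIB, dest)
        print(dest, "->", hit.prefix if hit else "no route",
              hit.as_path if hit else "")
    print("inconsistent origins:", inconsistent_origins(ROGUE_RIB))
```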
        
         | cptskippy wrote:
         | One peer? Does that mean all that traffic is flowing through
         | Hurricane Electric?
        
       | [deleted]
        
       | drawkbox wrote:
       | > _Defense Digital Service (DDS) authorized a pilot effort
       | advertising DoD Internet Protocol (IP) space using Border Gateway
       | Protocol (BGP). This pilot will assess, evaluate and prevent
       | unauthorized use of DoD IP address space. Additionally, this
       | pilot may identify potential vulnerabilities. This is one of
       | DoD's many efforts focused on continually improving our cyber
       | posture and defense in response to advanced persistent threats.
       | We are partnering throughout DoD to ensure potential
       | vulnerabilities are mitigated._
       | 
       | Interesting, seems an effort to find out who was abusing ranges
       | that were exclusively allowed or disallowed based on the ranges.
       | Malware that tries to look like something else that uses a state
       | level IP range to evade blocking, or check for blocks.[1]
       | 
       | > _I interpret this to mean that the objectives of this effort
       | are twofold. First, to announce this address space to scare off
       | any would-be squatters, and secondly, to collect a massive amount
       | of background internet traffic for threat intelligence._
       | 
       | > _On the first point, there is a vast world of fraudulent BGP
       | routing out there. As I've documented over the years, various
       | types of bad actors use unrouted address space to bypass
       | blocklists in order to send spam and other types of malicious
       | traffic._
       | 
       | Cloudflare example shows how much traffic some of these ranges
       | that are included/excluded have when turned on.
       | 
       | > _On the second, there is a lot of background noise that can be
       | scooped up when announcing large ranges of IPv4 address space. A
       | recent example is Cloudflare's announcement of 1.1.1.0 /24 and
       | 1.0.0.0/24 in 2018._
       | 
       | > _For decades, internet routing operated with a widespread
       | assumption that ASes didn't route these prefixes on the internet
       | (perhaps because they were canonical examples from networking
       | textbooks). According to their blog post soon after the launch,
       | Cloudflare received "~10Gbps of unsolicited background traffic"
       | on their interfaces._
       | 
       | > _And that was just for 512 IPv4 addresses! Of course, those
       | addresses were very special, but it stands to reason that 175
       | million IPv4 addresses will attract orders of magnitude more
       | traffic. More misconfigured devices and networks that mistakenly
       | assumed that all of this DoD address space would never see the
       | light of day._
       | 
       | Looks like a new cybersecurity policy/process started on
       | inauguration day. Probably a defensive or offensive measure to
       | combat the supply chain attacks that may well have used those
       | ranges in evading blocking.
       | 
       | [1] https://www.kentik.com/blog/the-mystery-of-as8003/
        
       ___________________________________________________________________
       (page generated 2021-04-24 23:00 UTC)