I don't think I've heard of this before. What does it mean? Does China operate a disconnected BGP network? Or do they have some modified protocol, or what?
All I had to do to make it work, IIRC, was add an ip routing rule to prioritize our internal routing for traffic on 11.0.0.0/8 instead of sending it over the default interface.
This solution worked fine, but it broke in weird ways and I remember one time I did arp -a on one of the Amazon boxes and saw some DoD registered addresses, which was a little alarming, but I just chalked it up to my not understanding the details.
If you configure your routers correctly, none of these IP addresses should resolve, anyway. If something in your network is intentionally dialing the Department of Defense, you probably have some kind of problem at hand. In theory this might become a huge problem, but in practice it probably won't.
[1]: https://www.juniper.net/documentation/en_US/vmx/information-...
[2]: https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2017/pdf...
[3]: https://security.stackexchange.com/questions/157682/why-does...
And then ultimately because of refusal to get over the technical hurdle of using IPv6 for internal management.
You could do the same with any AS. I haven't looked into BGP spoofing since about '99, but it seems to have matured since then. The idea of using it as ephemeral canary/honeynet space for tracking botnet C&C traffic seems like a reasonable play.
Can you imagine the work to figure out whether my TCP heartbeats between my torrent server and my nginx proxy are CCP botnets or me misconfiguring my router? From the same place, kinda? And can you imagine the number of people we have in China that are doing shit networking but not CCP-relevant things?
And the number of botnets we have in China that exist to scam each other, that even the CCP doesn't want? :D
> Created in 2015, the DDS operates a Silicon Valley-like office within the Pentagon.
A) the usual senior military slow-roll* in the way of these fixes
B) the sh**y govt contractors who made the tech and usually get paid to fix their own bad tech.
DDS hires a lot of motivated engineers who would be in civil service but for the $180k -> $90k pay cuts and fear of bureaucratic hell. It is run by one of the ~founders of OpenTable who, post-OpenTable riches, was flying on 9/11/01, decided to join the Chicago PD as a result, did west Chicago homicide until the PD discovered his past, then stood up Chicago's data-based policing technical approaches, and eventually the Obama admin heard about him and asked him to take over DDS (iirc, +/- details there).
Cool stuff and I’d work for them in a second, probably need another few years in private sector though.
I wish USDS would do this as well; I feel like they'd attract a lot more talent. Although perhaps they want to attract exactly the kind of talent who would take a big pay cut out of a sense of service/duty.
> Cool stuff and I’d work for them in a second
For myself, while I recognize that military is a necessary evil in the world we live in, and I have a ton of respect for the people who put themselves in harm's way, working for an org with a .mil address would be against my values. I'm so torn, though, since (e.g.) the Internet itself came out of the DoD. It's a hard pill to swallow for me sometimes that a lot of essential civilian tech was originally developed by or for the military.
DDS's founding head was Chris Lynch, who served in that role until the middle of the Trump administration, when he left government service and that's when Brett got the job.
> How do you feel about the cloud? Specifically, what are your thoughts on the cumulus clouds of Bespin? Do you believe Cloud City is composed of only cumulus clouds? Do you have any idea about what we are asking? If your answer is yes, definitely read on. If no, still read on, but we might find your lack of faith disturbing!
Edit: more info at https://www.dds.mil/about
I wonder if it came about because of how much of a dumpster fire the first version of healthcare.gov was for the premiere of the Affordable Care Act. That probably embarrassed a lot of people.
To your first point, it'd be more accurate to say that many government offices often don't hire any programmers, which can (among other issues) make it challenging for those offices to select strong contractors.
I've had better luck with subscription based aggregators, but nothing exciting enough to want to plug one in particular.
Always looking for new options to try.
curl 'https://www.washingtonpost.com/technology/2021/04/24/pentagon-internet-address-mystery/?outputType=amp' | grep -o '<p data.*</p>' > 1.htm
firefox ./1.htm
PS I understand that websites need to monetise. But getting a subscription to read one linked article per month or so is just not going to happen. The sites I use a lot I do pay a membership for.
Wait until you read about Air America - an actual airline started by Claire Chennault (of Flying Tigers fame), that was bought by the CIA in the post-WWII years and used to run missions in Southeast Asia up until the mid 1970s.
The Delaware company is registered there as an "outside of the state of Florida" entity operating in Florida. Some actual people's names are listed. I'm fairly confident it's the same company, as the Plantation, FL address is there.
It is very much worth asking who this legal entity is and why a private company is better suited to these efforts than the government.
As an interesting fact, when searching "aliyun 11.0.0.0" (which is the mentioned Chinese cloud provider, I believe), they apparently have been using that range as internal IPs since 2015 as well.
https://www.tampabay.com/news/military/2021/04/24/pentagon-m...
This Sunbiz record has company principals and filings from 2007-2013, including names (not in the TBT article) and another dropbox address, this one in Chicago:
http://search.sunbiz.org/Inquiry/corporationsearch/SearchRes...
That Chicago dropbox address is currently shared by:
This intellectual property law firm https://www.greengriffith.com/contact/
This venture capital firm http://www.lakecapital.com/contact_location.asp
This management company adds another name and address and is tied to the FL addresses https://floridadb.com/company/M06000002257/filinet-llc
OpenCorpWiki has an additional dropbox address down the street:
https://opencorporates.com/companies/us_fl/M20000009226
Note: the BBB listing confirms/reconciles the FL address with the domain: https://opencorporates.com/companies/us_fl/M20000009226
This mailing list thread has been following the same trail I have: https://www.mail-archive.com/nanog@nanog.org/msg112229.html
Both of these leads have a lot of "supposedly"s attached, but the one to the spam front is a lot more tenuous.
It looks like they're not just announcing 11.0.0.0/8 but also a bunch of more specific routes, including 11.0.0.0/13 and 11.0.0.0/24.
It looks like currently their only peer is Hurricane Electric: https://ipinfo.io/AS6939
Once every T1 drops invalid prefixes, RPKI will effectively mean no T1 can turn off the internet for other ASNs, but everyone signing their prefixes is required before it means nobody can fake-announce an IP.
It looks like the DOD's routes are indeed signed[3].
1: https://www.thousandeyes.com/learning/glossary/bgp-route-hij...
The prefixes are in the RADB: https://www.radb.net
Somebody (as everybody can do this with RADB) told RADB that 8003 is the correct origin for these prefixes.
Considering the DoD hasn't rained hell on the RADB, I'd guess they're good as well, but it's not RPKI signed.
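For the RPKI point raised in the posts above, here is an added example (not code from any commenter) that implements RFC 6811 route origin validation against a constructed ROA covering 11.0.0.0/8. The maxLength value and the use of AS8003 as the authorised origin are assumptions for illustration only; the thread itself notes these prefixes are not actually RPKI signed.

```python
"""RFC 6811 route origin validation against a constructed ROA set."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str       # covered prefix, e.g. "11.0.0.0/8"
    max_length: int   # longest prefix length the ROA authorises
    origin_asn: int   # AS authorised to originate the prefix


def validate(prefix: str, origin_asn: int, roas) -> str:
    """Return 'valid', 'invalid' or 'not-found' per RFC 6811 section 2.

    A ROA *covers* an announcement when the announced prefix lies inside the
    ROA prefix. The announcement is valid if some covering ROA also matches
    the origin AS and the announced length is <= maxLength; invalid if
    covering ROAs exist but none match; not-found if nothing covers it.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=True)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa.origin_asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


# Constructed ROA (assumption): the thread says RADB lists AS8003 as origin;
# maxLength 13 is chosen for illustration and is not a real published ROA.
SAMPLE_ROAS = [Roa("11.0.0.0/8", 13, 8003)]

# Constructed announcements mirroring the /8, /13 and /24 seen in the thread,
# plus a wrong-origin case (AS64496 is a documentation ASN) and an uncovered one.
SAMPLE_ROUTES = [
    ("11.0.0.0/8", 8003),
    ("11.0.0.0/13", 8003),
    ("11.0.0.0/24", 8003),   # longer than maxLength -> invalid
    ("11.0.0.0/8", 64496),   # covered, but wrong origin -> invalid
    ("12.0.0.0/8", 8003),    # no covering ROA -> not-found
]


def validate_all(routes=SAMPLE_ROUTES, roas=SAMPLE_ROAS):
    """Map 'prefix ASn' -> validation state for every announcement."""
    return {f"{p} AS{a}": validate(p, a, roas) for p, a in routes}


if __name__ == "__main__":
    for route, state in validate_all().items():
        print(f"{route:22} {state}")
```

Note that a more specific /24 with the correct origin still comes back invalid when the ROA's maxLength is shorter, which is why maxLength is the setting operators most often get wrong when first signing.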
(via https://news.ycombinator.com/item?id=26924988, but no comments there to speak of)
Interesting, seems like an effort to find out who was abusing ranges that were exclusively allowed or disallowed based on the ranges. Malware that tries to look like something else that uses a state-level IP range to evade blocking, or to check for blocks.[1]
>I interpret this to mean that the objectives of this effort are twofold. First, to announce this address space to scare off any would-be squatters, and secondly, to collect a massive amount of background internet traffic for threat intelligence.
>On the first point, there is a vast world of fraudulent BGP routing out there. As I’ve documented over the years, various types of bad actors use unrouted address space to bypass blocklists in order to send spam and other types of malicious traffic.
Cloudflare example shows how much traffic some of these ranges that are included/excluded have when turned on.
>On the second, there is a lot of background noise that can be scooped up when announcing large ranges of IPv4 address space. A recent example is Cloudflare’s announcement of 1.1.1.0/24 and 1.0.0.0/24 in 2018.
>For decades, internet routing operated with a widespread assumption that ASes didn’t route these prefixes on the internet (perhaps because they were canonical examples from networking textbooks). According to their blog post soon after the launch, Cloudflare received “~10Gbps of unsolicited background traffic” on their interfaces.
>And that was just for 512 IPv4 addresses! Of course, those addresses were very special, but it stands to reason that 175 million IPv4 addresses will attract orders of magnitude more traffic. More misconfigured devices and networks that mistakenly assumed that all of this DoD address space would never see the light of day.
Looks like a new cybersecurity policy/process started on inauguration day. Probably a defensive or offensive measure to combat the supply chain attacks that may well have used those ranges in evading blocking.
Why use a front company? As a honeypot.
If other scammers are spoofing the ranges and then another company does it, that doesn't raise alarm in the other entities abusing the same trick. If you announce it as DoD then it may scare off the others.
In any good investigation, you want to shroud the data/intel collection. Using a front company, or series of levels of fronts, is the way you have to go about it.