Found at: gopher.blog.benjojo.co.uk:70/north-korea-dprk-bgp-geoip-fruad
A surprising amount of people want to be in North Korea
While the president of the United States and the leader of
North Korea were (and still are) beefing on Twitter about who should
destroy the world first, North Korea was also causing me some
personal frustration over data quality.
The issue lies with "GeoIP" (or, more broadly, any
database that maps IP addresses to geographical
locations on the planet).
If you run services with Internet traffic from a variety
of users you may sometimes find that the GeoIP information
isn't that great, especially if you're dealing with IPv6, because
most of that information has not been filled in yet.
However, after a bit of investigation I found a
set of GeoIP errors that were unusual in that they
didn't actually appear to be a data quality problem. They were more
a case of people maliciously inserting fake data into the database
in order to appear to websites as if they were somewhere else.
The initial discovery came as a pure curiosity search.
North Korea's Internet recently got another upstream, through
TTK (see "North Korea switching to TTK").
This extra upstream makes a massive difference to latency
for EU traffic to North Korea.
China Unicom route vs TTK route
Above are two ISPs in the UK: Virgin takes the slower US
-> China -> DPRK route, while Sky takes the RU -> DPRK route.
A whole 108ms faster!
## Down a GeoIP adventure
So the question I had was "How much traffic do I even
get from North Korea anyway?" The answer surprised me: the
small amount of North Korean traffic I did get wasn't from the only ISP
in North Korea but in fact from Avast, the antivirus company.
An example lookup on one of the IPs shows it being
located in Manp'o, Chagang-do:
An example MaxMind lookup
Manp'o is a border city between China and North Korea.
Photo by George Wenn (Link | Archive 1 | Archive 2)
However, this location assessment doesn't align with logic,
with the traceroute hop names, or with the bounding limits of the speed of light:

```
ben@gb:~$ mtr -rwc 5 -o "B " -f 3 184.108.40.206
Start: Sun Oct 15 22:30:19 2017
5.|-- ae-6.r00.londen10.uk.bb.gin.ntt.net 1.1
6.|-- ae-0.level3.londen10.uk.bb.gin.ntt.net 1.1
9.|-- AVAST-SOFTW.bear1.Prague1.Level3.net 34.8
10.|-- r-227-076-074-195.avast.com 38.3
```
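The "speed of light" argument above can be turned into a mechanical check: a round trip can never be faster than light in fibre over the great-circle distance between the probe and the claimed location, so any GeoIP placement whose RTT floor exceeds the measured RTT is provably wrong. The following is an added example, not code from the original post: the probe location (London), the assumed coordinates for Manp'o and Prague, and the speed-of-light rule of thumb are constructed for illustration, and the 38.3 ms figure is the final-hop RTT from the mtr run above.

```python
# Added example (not from the original post): checks whether a GeoIP
# location is physically consistent with a measured round-trip time.
# Coordinates below are assumed for the example; the 38.3 ms RTT is the
# final hop of the mtr run in the post.
import math

EARTH_RADIUS_KM = 6371.0
# Light in fibre travels at roughly 2/3 c; 200,000 km/s is the usual
# rule of thumb and gives a hard lower bound on RTT.
FIBRE_KM_PER_MS = 200.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def min_rtt_ms(distance_km):
    """Smallest RTT a packet could possibly have over that distance (there and back)."""
    return 2 * distance_km / FIBRE_KM_PER_MS


def geoip_plausible(probe, claimed, measured_rtt_ms):
    """True if the measured RTT is at or above the speed-of-light floor for
    the claimed location; False means the GeoIP entry cannot be right."""
    floor = min_rtt_ms(haversine_km(*probe, *claimed))
    return measured_rtt_ms >= floor


# Constructed sample: probe in London, two candidate locations for the same
# host (the GeoIP claim, and where the traceroute hop names point).
LONDON = (51.5074, -0.1278)
MANPO = (41.15, 126.29)       # assumed coordinates for Manp'o, Chagang-do
PRAGUE = (50.0755, 14.4378)   # assumed coordinates for Prague
MEASURED_RTT_MS = 38.3        # final-hop RTT from the post's mtr output


def analyse():
    """Return (RTT floor for the Manp'o claim in ms, claim plausible?, Prague plausible?)."""
    floor = min_rtt_ms(haversine_km(*LONDON, *MANPO))
    return (round(floor, 1),
            geoip_plausible(LONDON, MANPO, MEASURED_RTT_MS),
            geoip_plausible(LONDON, PRAGUE, MEASURED_RTT_MS))


if __name__ == "__main__":
    floor, claim_ok, alt_ok = analyse()
    print(f"RTT floor London -> Manp'o: {floor} ms; GeoIP claim plausible: {claim_ok}")
    print(f"Prague plausible at {MEASURED_RTT_MS} ms: {alt_ok}")
```

The floor for a London to Manp'o round trip comes out around 85 ms, more than double what was measured, so the entry fails before you even look at the hostnames; Prague, at roughly 10 ms of floor, is comfortably consistent. The check only ever proves a location impossible, never that it is right, so it is a filter for obvious fraud rather than a replacement for the database.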
Thankfully MaxMind does provide a CSV version of their
database, which means that you can grep through it to find all the
other offenders who fraudulently locate themselves in North Korea:

```
$ cat GeoLite2-City-Locations-en.csv | grep 'Asia,KP'
$ cat GeoLite2-City-Blocks-IPv4.csv | grep '1871859'
$ cat GeoLite2-City-Blocks-IPv4.csv | grep '1873107'
$ cat GeoLite2-City-Blocks-IPv4.csv | grep '2042893'
```
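The grep pipeline above is a two-step join: first find the geoname_ids whose country is KP in the Locations file, then pull every block in the Blocks file that points at one of those ids. The GeoLite2 Blocks file also carries a registered_country_geoname_id column (derived from the registry allocation), which gives a cheap first filter for the entries worth reporting: a block located in KP but registered to a different country. The following is an added example, not the post's code; the CSV rows are constructed for the example (documentation prefixes, the three geoname_ids from the grep commands above with placeholder names, and a made-up Czech row), while the column headers follow the GeoLite2 City CSV layout.

```python
# Added example (not the post's code): joins the GeoLite2 City Locations
# and Blocks CSVs to list every block geolocated to a country, then flags
# those whose registered (allocation) country is different. Rows are
# constructed; headers match the GeoLite2 City CSV format.
import csv
import io
import ipaddress

# Constructed sample of GeoLite2-City-Locations-en.csv. The three KP
# geoname_ids are the ones grepped for in the post; their names here are
# placeholders, not real GeoNames data.
LOCATIONS_CSV = """geoname_id,locale_code,continent_code,continent_name,country_iso_code,country_name,subdivision_1_iso_code,subdivision_1_name,subdivision_2_iso_code,subdivision_2_name,city_name,metro_code,time_zone,is_in_european_union
1871859,en,AS,Asia,KP,North Korea,,,,,Placeholder city A,,Asia/Pyongyang,0
1873107,en,AS,Asia,KP,North Korea,,,,,,,Asia/Pyongyang,0
2042893,en,AS,Asia,KP,North Korea,,,,,Placeholder city B,,Asia/Pyongyang,0
3067696,en,EU,Europe,CZ,Czechia,10,Prague,,,Prague,,Europe/Prague,1
"""

# Constructed sample of GeoLite2-City-Blocks-IPv4.csv (documentation prefixes).
BLOCKS_CSV = """network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider,postal_code,latitude,longitude,accuracy_radius
192.0.2.0/24,1871859,1873107,,0,0,,39.0194,125.7381,50
203.0.113.0/24,2042893,3067696,,0,0,,41.1500,126.2900,100
198.51.100.0/25,1873107,3067696,,0,0,,40.0000,127.0000,500
198.51.100.128/25,3067696,3067696,,0,0,,50.0755,14.4378,20
"""


def load_locations(text):
    """Map geoname_id -> row dict for the Locations file."""
    return {row["geoname_id"]: row for row in csv.DictReader(io.StringIO(text))}


def blocks_in_country(blocks_text, locations, iso_code):
    """Yield Blocks rows whose located geoname_id resolves to iso_code."""
    for row in csv.DictReader(io.StringIO(blocks_text)):
        loc = locations.get(row["geoname_id"])
        if loc and loc["country_iso_code"] == iso_code:
            yield row


def registered_elsewhere(blocks_text, locations, iso_code):
    """Blocks located in iso_code whose registered country differs: the
    candidates for a MaxMind correction or a whois inaccuracy report.
    Returns [(network, registered_iso_or_None), ...] in file order."""
    out = []
    for row in blocks_in_country(blocks_text, locations, iso_code):
        reg = locations.get(row["registered_country_geoname_id"])
        reg_iso = reg["country_iso_code"] if reg else None
        if reg_iso != iso_code:
            out.append((row["network"], reg_iso))
    return out


def total_addresses(networks):
    """How much address space the flagged blocks cover."""
    return sum(ipaddress.ip_network(n).num_addresses for n in networks)


def report(iso_code="KP"):
    """Run the join over the embedded sample and return the flagged blocks."""
    return registered_elsewhere(BLOCKS_CSV, load_locations(LOCATIONS_CSV), iso_code)


if __name__ == "__main__":
    flagged = report()
    for network, reg_iso in flagged:
        print(f"{network}: located KP, registered {reg_iso}")
    print(f"{total_addresses(n for n, _ in flagged)} addresses flagged")
```

On the sample this keeps the one block that is both located and registered in KP and flags the two registered elsewhere. A mismatch between the two columns is only a lead: legitimately delegated space can be registered to a parent organisation abroad, so each hit still needs the traceroute and RTT sanity check before a report goes out.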
The only genuine entry here is this one:
Avast isn't the only one in this list. NFOrce customers,
"Roya Hosting" and others have also done this.
I submitted whois inaccuracy complaints and MaxMind
corrections for each fake one.
Avast has not limited themselves to North Korea; they
have set IP ranges to appear all over the world for their VPN:
RIPE Stat GeoIP summary
This is nothing short of maddening for anyone who
uses GeoIP to compile statistics, and depending on the VPN
offering it is fraudulent advertising.
One of the motivations for faking your location in your
whois (and thus GeoIP) is that if you are torrenting you will get
fewer DMCA emails, since a lot of the copyright enforcement bots
check GeoIP to see "if it's worth it" to send an abuse
## That time the DPRK had IPv6
Bad actors abusing BGP is nothing new; we have seen it
come up with increasing frequency for things like:
* "Understanding the Network-Level Behavior of
Spammers" - Anirudh Ramachandran and Nick Feamster
* Cantonal IP space in Switzerland hijacked by
Spammers - Swiss CERT
* Using BGP data to find Spammers - BGPMon
* Pakistan hijacks YouTube - Dyn
* Turkey Hijacking IP addresses for popular Global
DNS providers - BGPMon
* Or just plain showing off
> 220.127.116.11/24 ( = 18.104.22.168 ) is the Capture The Flag for BGP. Announcement = Incompetent||Malicious ISP. RIPE Stat says 6 ASN's have managed it pic.twitter.com/B6SZMTDGZO
>
> Ben Cox (@Benjojo12), September 30, 2017 (https://twitter.com/Benjojo12/status/914177609877135360)
However one day I was burning time and searching through
bgp.he.net and found that North Korea had suddenly got IPv6!
But that IPv6 didn't actually make sense; it turned out
that it was upstreamed by a suspicious ISP:
Suspicious upstream for North Korea
Looking at RIPE Stat and the IPv6 prefix announced, it is
clear that for a short amount of time the network operator
spoofed the AS path to make it look like his prefix was being
announced by the only ISP in North Korea:
RIPE Stat showing a hijack on North Korea
Assuming everything in the world was done correctly, this
would not be a problem: the prefix announcement would be filtered
by the offender's upstream network. But this time it was
not. Hurricane Electric accepted the bad announcement and relayed
it to peers:
Upstreaming through HE
The interesting part of this is that the ISP put China
Unicom's AS in front. This made the whole attempt look a lot more
legitimate. I then looked at who else might be doing this and found
a company called "Crowd Control" (Archive 1 | Archive 2).
Their site implies they are a new security startup. If we
look at their routes we also find fake China AS
numbers inserted in their AS path:
HE upstreaming again
Once again, Hurricane Electric are accepting this and
sending it to their peers. Given that HE are a Tier 1 (if you
ignore Cogent, who also isn't really even Tier 1), it's pretty bad
that this fake information wasn't filtered out in BGP
The silly part of this is that it's pointless. It only
serves to make it seem like these ISPs peer with China Telecom
and other major providers:
bgp.he.net peering list
But it's easy to spot the implausible routing in another
The root of these issues appears to be that Hurricane
Electric's tunnel broker BGP tunnels do not check the AS path,
only the IP range. This is problematic since it allows clearly
fake paths to be advertised.
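What an inbound policy on such a tunnel session needs in addition to the range check is small: the leftmost AS in the received path must be the session peer (so a customer cannot pretend to be relaying someone else), and the rightmost AS (the origin) must be authorised for the prefix, which the broker already knows because it allocated or verified the range. The following is an added example, not Hurricane Electric's or the post's code, showing the weak range-only policy beside the fuller one on three constructed announcements; the ASNs are private (64500 to 64502, standing in for the customer, a large transit network and the network being impersonated) and the prefixes are documentation space.

```python
# Added example (not HE's or the post's code): inbound policy for a BGP
# tunnel/customer session. Shows why "prefix is in the customer's range"
# alone lets a forged AS path through. ASNs and prefixes are constructed.
import ipaddress

# What the broker knows about this customer session (constructed).
CUSTOMER_AS = 64500
CUSTOMER_PREFIXES = [ipaddress.ip_network("2001:db8:100::/48")]
# Origin authorisations the broker can verify, e.g. from ROAs or IRR
# route objects (constructed): covering prefix -> set of allowed origin ASNs.
AUTHORISED_ORIGINS = {ipaddress.ip_network("2001:db8:100::/48"): {CUSTOMER_AS}}

TRANSIT_AS = 64501   # stands in for a large transit network's ASN
FOREIGN_AS = 64502   # stands in for the ASN of the network being impersonated

PFX_OWN = ipaddress.ip_network("2001:db8:100::/48")
PFX_OTHER = ipaddress.ip_network("2001:db8:200::/48")


def prefix_covered(prefix, allowed):
    """True if prefix lies inside any network in allowed."""
    return any(prefix.subnet_of(a) for a in allowed)


def origin_authorised(prefix, origin_as):
    """True if some covering authorisation lists origin_as for this prefix."""
    return any(prefix.subnet_of(net) and origin_as in origins
               for net, origins in AUTHORISED_ORIGINS.items())


def range_only_policy(neighbor_as, prefix, as_path):
    """The weak policy: accept anything inside the customer's ranges,
    never looking at the AS path."""
    return prefix_covered(prefix, CUSTOMER_PREFIXES)


def full_policy(neighbor_as, prefix, as_path):
    """Range check plus two AS-path checks. Returns (accepted, reason)."""
    if not prefix_covered(prefix, CUSTOMER_PREFIXES):
        return False, "prefix not in customer ranges"
    # enforce-first-AS: the path must start with the session peer.
    if not as_path or as_path[0] != neighbor_as:
        return False, "first AS is not the session peer"
    # origin validation: the rightmost AS must be allowed to originate it.
    origin = as_path[-1]
    if not origin_authorised(prefix, origin):
        return False, f"origin AS {origin} not authorised for {prefix}"
    return True, "accepted"


# Constructed announcements as received from the customer session.
ANNOUNCEMENTS = [
    ("honest", PFX_OWN, [CUSTOMER_AS]),
    # Customer's own prefix, but with a transit AS and a foreign AS appended
    # so the foreign network appears to be the origin (the pattern in the post).
    ("forged path", PFX_OWN, [CUSTOMER_AS, TRANSIT_AS, FOREIGN_AS]),
    ("wrong prefix", PFX_OTHER, [CUSTOMER_AS]),
]


def evaluate():
    """Return {label: (range_only_accepts, full_policy_accepts, reason)}."""
    results = {}
    for label, prefix, path in ANNOUNCEMENTS:
        weak = range_only_policy(CUSTOMER_AS, prefix, path)
        ok, reason = full_policy(CUSTOMER_AS, prefix, path)
        results[label] = (weak, ok, reason)
    return results


if __name__ == "__main__":
    for label, (weak, ok, reason) in evaluate().items():
        print(f"{label:12} range-only={weak!s:5} full={ok!s:5} ({reason})")
```

The forged-path announcement is the one that matters: the range check passes because the prefix really is the customer's, and only the origin check notices that the customer is not allowed to present someone else's ASN as the originator. Real routers express the same two checks as enforce-first-AS plus RPKI origin validation or an IRR-generated prefix and origin filter.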
And what for? Just to defraud people into thinking they have
connections with some well-known ISPs? Or to sell VPN services?
Amusingly, some of the ISPs they are putting in their AS
path don't even have IPv6.