
Found at: gopher.blog.benjojo.co.uk:70/north-korea-dprk-bgp-geoip-fruad

 A surprising amount of people want to be in North Korea
 ===
 While the president of the United States and the leader of
North Korea were/are currently beefing on Twitter about who should
destroy the world first, North Korea was also causing me some
personal frustration on data quality.
 The issue lies with "GeoIP" (or more widely speaking a
database that contains the geographical mapping between IP addresses
and locations on the planet).
 If you run services with Internet traffic from a variety
of users you may sometimes find that the GeoIP information
isn't that great, especially if you're dealing with IPv6, because
most of that information has not been filled in yet.
 However, after a bit of investigation I found a set of GeoIP
errors that were unusual in that they didn't appear to be a data
quality issue at all. They were more an issue of people
maliciously inserting fake data into the database in order to
appear to websites as if they were somewhere else.
 The initial discovery came as a pure curiosity search.
North Korea's Internet recently got another upstream (through
Russia's TTK):

 [Image: North Korea switching to TTK]
 This extra upstream makes a massive difference with latency
for EU traffic to North Korea.

 [Image: China Unicom route vs TTK route]
 Above are two ISPs in the UK: Virgin takes the slower US
-> China -> DPRK route, while Sky takes the RU -> DPRK
route!
 A whole 108ms faster!
 ## Down a GeoIP adventure

 [Image: the only ISP in North Korea]

 So the question I had was "How much traffic do I even
get from North Korea anyway?" The answer surprised me: the
small amount of North Korean traffic I had wasn't from the only ISP
in North Korea but from Avast, the antivirus company.
 An example lookup on one of the IPs shows it being
located in Manp'o, Chagang-do.

 [Image: an example MaxMind lookup]
 A border city between China and North Korea.

 [Image: Manpo]
 Photo by George Wenn (Link | Archive 1 | Archive 2)
 However this location assessment doesn't align with logic,
traceroute hop names or the bounding limits of the speed of light:
 ```
 ben@gb:~$ mtr -rwc 5 -o "B        " -f 3 5.62.61.65
 Start: Sun Oct 15 22:30:19 2017
 HOST: gb                                         Best
   3.|-- 185.84.16.242                             0.8
   4.|-- 185.84.16.241                             1.2
   5.|-- ae-6.r00.londen10.uk.bb.gin.ntt.net       1.1
   6.|-- ae-0.level3.londen10.uk.bb.gin.ntt.net    1.1
   7.|-- ???                                       0.0
   8.|-- ???                                       0.0
   9.|-- AVAST-SOFTW.bear1.Prague1.Level3.net     34.8
  10.|-- r-227-076-074-195.avast.com              38.3
  11.|-- r-65-61-62-5.ff.avast.com                34.7
 ```
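The speed-of-light argument, worked through as an added Python example (not the post's own code): the claimed coordinates are the ones MaxMind gives for 5.62.61.64/30 in the CSV rows quoted further down, the best RTT is hop 11 of the mtr run, and the probe host is assumed to sit in central London.

```python
import math

# Speed of light in vacuum (km/s) and the usual ~2/3 c propagation speed in fibre.
C_KM_S = 299_792.458
FIBRE_FRACTION = 2 / 3


def great_circle_km(lat1, lon1, lat2, lon2):
    """Haversine great-circle distance in km (mean Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def min_rtt_ms(distance_km):
    """Physical lower bound on round-trip time: straight fibre there and back, no queuing."""
    return 2 * distance_km / (C_KM_S * FIBRE_FRACTION) * 1000


def location_is_plausible(probe_lat, probe_lon, claimed_lat, claimed_lon, best_rtt_ms):
    """True only if the measured best RTT could physically reach the claimed coordinates."""
    floor = min_rtt_ms(great_circle_km(probe_lat, probe_lon, claimed_lat, claimed_lon))
    return best_rtt_ms >= floor


# Assumed probe location: central London (the mtr hops are NTT/Level3 London routers).
LONDON = (51.5074, -0.1278)
# Claimed coordinates for 5.62.61.64/30 from the GeoLite2 block row (Manp'o, Chagang-do).
MANPO = (41.1544, 126.2894)
BEST_RTT_MS = 34.7  # best RTT to hop 11 in the mtr run

if __name__ == "__main__":
    d = great_circle_km(*LONDON, *MANPO)
    print(f"London -> Manp'o: {d:.0f} km, RTT floor {min_rtt_ms(d):.1f} ms, measured {BEST_RTT_MS} ms")
    print("plausible" if location_is_plausible(*LONDON, *MANPO, BEST_RTT_MS) else "implausible")
```

The measured 34.7 ms is well under the roughly 85 ms that light in fibre needs for the round trip, so the Manp'o placement is physically impossible regardless of what the database says.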
 Thankfully MaxMind does provide a CSV version of their
database which means that you can grep through to find all the
other offenders who fraudulently locate themselves in North Korea:
 ```
 $ cat GeoLite2-City-Locations-en.csv | grep 'Asia,KP'
 1871859,en,AS,Asia,KP,"North Korea",01,Pyongyang,,,Pyongyang,,Asia/Pyongyang
 1873107,en,AS,Asia,KP,"North Korea",,,,,,,Asia/Pyongyang
 2042893,en,AS,Asia,KP,"North Korea",04,Chagang-do,,,Manp'o,,Asia/Pyongyang
 ```
 ```
 $ cat GeoLite2-City-Blocks-IPv4.csv | grep '1871859'
 31.220.29.128/27,1871859,2921044,,0,0,,39.0194,125.7547,200
 46.36.203.81/32,1871859,3164670,,0,0,,39.0194,125.7547,50
 46.36.203.82/31,1871859,3164670,,0,0,,39.0194,125.7547,50
 185.56.163.144/28,1871859,1873107,,0,0,,39.0194,125.7547,200
 $ cat GeoLite2-City-Blocks-IPv4.csv | grep '1873107'
 5.62.56.160/30,1873107,1873107,,0,0,,40.0000,127.0000,1000
 5.62.61.64/30,2042893,1873107,,0,0,,41.1544,126.2894,100
 57.73.224.0/19,1873107,3017382,,0,0,,40.0000,127.0000,100
 175.45.176.0/22,1873107,1873107,,0,0,,40.0000,127.0000,50
 185.56.163.144/28,1871859,1873107,,0,0,,39.0194,125.7547,200
 210.52.109.0/24,1873107,1814991,,0,0,,40.0000,127.0000,50
 $ cat GeoLite2-City-Blocks-IPv4.csv | grep '2042893'
 5.62.61.64/30,2042893,1873107,,0,0,,41.1544,126.2894,100
 45.42.151.0/24,2042893,6252001,,0,0,,41.1544,126.2894,1000
 172.97.82.128/25,2042893,6252001,,0,0,,41.1544,126.2894,1000
 ```
 The only genuine entry here is this one:
 ```
 175.45.176.0/22,1873107,1873107,,0,0,,40.0000,127.0000,50
 ```
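The same sifting done programmatically, as an added Python example that is not the post's code: it rebuilds the quoted rows (CSV headers assumed from the GeoLite2 file layout) and flags every block placed in KP whose registered_country_geoname_id, the country the block is registered to in whois, points somewhere else.

```python
import csv
import io

# Location rows quoted in the post; header assumed from the GeoLite2-City-Locations layout.
LOCATIONS_CSV = """geoname_id,locale_code,continent_code,continent_name,country_iso_code,country_name,subdivision_1_iso_code,subdivision_1_name,subdivision_2_iso_code,subdivision_2_name,city_name,metro_code,time_zone
1871859,en,AS,Asia,KP,"North Korea",01,Pyongyang,,,Pyongyang,,Asia/Pyongyang
1873107,en,AS,Asia,KP,"North Korea",,,,,,,Asia/Pyongyang
2042893,en,AS,Asia,KP,"North Korea",04,Chagang-do,,,Manp'o,,Asia/Pyongyang
"""

# Block rows quoted in the post (one duplicate dropped); header assumed from the Blocks layout.
BLOCKS_CSV = """network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider,postal_code,latitude,longitude,accuracy_radius
31.220.29.128/27,1871859,2921044,,0,0,,39.0194,125.7547,200
46.36.203.81/32,1871859,3164670,,0,0,,39.0194,125.7547,50
46.36.203.82/31,1871859,3164670,,0,0,,39.0194,125.7547,50
185.56.163.144/28,1871859,1873107,,0,0,,39.0194,125.7547,200
5.62.56.160/30,1873107,1873107,,0,0,,40.0000,127.0000,1000
5.62.61.64/30,2042893,1873107,,0,0,,41.1544,126.2894,100
57.73.224.0/19,1873107,3017382,,0,0,,40.0000,127.0000,100
175.45.176.0/22,1873107,1873107,,0,0,,40.0000,127.0000,50
210.52.109.0/24,1873107,1814991,,0,0,,40.0000,127.0000,50
45.42.151.0/24,2042893,6252001,,0,0,,41.1544,126.2894,1000
172.97.82.128/25,2042893,6252001,,0,0,,41.1544,126.2894,1000
"""


def load_locations(text):
    """Map each location geoname_id to its ISO country code, and each country code to
    its country-level geoname_id (the row with no subdivision and no city)."""
    country_of, country_id = {}, {}
    for row in csv.DictReader(io.StringIO(text)):
        country_of[row["geoname_id"]] = row["country_iso_code"]
        if not row["subdivision_1_iso_code"] and not row["city_name"]:
            country_id[row["country_iso_code"]] = row["geoname_id"]
    return country_of, country_id


def inconsistent_blocks(blocks_text, locations_text, country="KP"):
    """Networks geolocated inside `country` whose registered country is a different
    geoname: a cheap first-pass filter for blocks that have been relocated on paper."""
    country_of, country_id = load_locations(locations_text)
    flagged = []
    for row in csv.DictReader(io.StringIO(blocks_text)):
        if country_of.get(row["geoname_id"]) != country:
            continue
        if row["registered_country_geoname_id"] != country_id[country]:
            flagged.append(row["network"])
    return flagged


if __name__ == "__main__":
    for net in inconsistent_blocks(BLOCKS_CSV, LOCATIONS_CSV):
        print("registered outside KP:", net)
```

Seven blocks are caught, but 185.56.163.144/28 and the two 5.62.x blocks pass because their whois was faked to match, which is why the traceroute earlier in the post is still needed to separate them from the genuine 175.45.176.0/22.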
 Avast isn't the only one in this list. NFOrce customers,
"Roya Hosting" and others have also done this.
 I submitted whois inaccuracy complaints and MaxMind
corrections for each fake one.
 Avast hasn't limited itself to North Korea either: it has
set IP ranges to appear all over the world for its VPN
service:

 [Image: RIPE Stat geoip summary]
 This is nothing short of maddening for anyone who uses
GeoIP to compile statistics, and depending on the VPN
offering it is fraudulent advertising.
 One of the motivations for faking your location in your
whois, and thus in GeoIP, is that if you are torrenting you will
get fewer DMCA emails, since a lot of the copyright enforcement
bots check GeoIP to see "if it's worth it" to send an abuse
email.
 ## That time the DPRK had IPv6
 Bad actors abusing BGP is nothing new; we have seen it
happen with increasing frequency for things like:
  * Spam
     * "Understanding the Network-Level Behavior of Spammers" - Anirudh Ramachandran and Nick Feamster
     * Cantonal IP space in Switzerland hijacked by Spammers - Swiss CERT
     * Using BGP data to find Spammers - BGPMon
  * Censorship
     * Pakistan hijacks YouTube - Dyn
     * Turkey Hijacking IP addresses for popular Global DNS providers - BGPMon
  * Or just plain showing off
 However, one day I was burning time searching through
bgp.he.net and found that North Korea had suddenly got IPv6!
 That IPv6 didn't actually make sense: it turned out
that it was upstreamed by a suspicious ISP:

 [Image: suspicious upstream for north korea]
 Looking at RIPE Stat and the IPv6 prefix announced, it is
clear that for a short time the network operator spoofed
the AS path to make it look like his prefix was being
announced by the only ISP in North Korea:

 [Image: RIPE stat showing a hijack on North Korea]
 If everything in the world were done correctly, this
would not be a problem: the prefix announcement would be filtered
by the offender's upstream network. This time it was not.
Hurricane Electric accepted the bad announcement and relayed
it to its peers:

 [Image: Upstreaming through HE] (Archive 1 | Archive 2)

 The interesting part of this is that the ISP put China
Unicom's AS in front. This made the whole attempt look a lot more
legitimate. I then looked at who else might be doing this and found
a company called "Crowd Control" (Archive 1 | Archive 2).

 [Image: website copy]
 Their site implies they are a new security startup; if we
look at their routes we also find fake China AS numbers
inserted in their AS path:

 [Image: HE Upstreaming again]
 Once again, Hurricane Electric are accepting this and
sending it to their peers. Given that HE are a Tier 1 (if you
ignore Cogent, who also isn't really even Tier 1), it's pretty bad
that this fake information wasn't filtered out by their BGP
configuration.
 The silly part of this is that it's pointless. It only
serves to make it seem like these ISPs peer with China Telecom
and other major providers:

 [Image: bgp.he.net peering list]
 But it's easy to spot the implausible routing in another
tab:

 [Image: routing graph]
 The root of these issues appears to be that Hurricane
Electric's tunnel broker BGP tunnels do not check the AS path,
only the IP range. This is problematic since it allows clearly
fake paths to be advertised.
 And what for? Just to defraud people into believing they
have connections with some well-known ISPs? Or to sell VPN services?
 Amusingly some of those ISPs they are putting on their AS
path don't even have IPv6.
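The AS-path check the post says those tunnel sessions lack, as an added Python example (not HE's configuration or the author's code): an announcement received over a customer session is accepted only if every ASN in its path is the customer's own or one the customer has declared, so a foreign transit AS or someone else's origin cannot be slipped in. All ASNs are constructed private-range values.

```python
def strip_prepends(as_path):
    """Collapse consecutive repeats: prepending your own ASN is legitimate and common."""
    out = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def accept_customer_path(customer_asn, declared_downstreams, as_path):
    """Return (ok, reason) for a path received over a customer/tunnel BGP session.

    Policy: the first hop must be the session's own ASN, and every ASN in the path
    (including the origin) must be one the customer has declared, e.g. from its
    IRR as-set. Anything else is a forged or leaked path and is rejected."""
    if not as_path:
        return False, "empty AS path"
    path = strip_prepends(as_path)
    if path[0] != customer_asn:
        return False, f"first hop {path[0]} is not the session ASN {customer_asn}"
    declared = {customer_asn, *declared_downstreams}
    foreign = [asn for asn in path if asn not in declared]
    if foreign:
        return False, f"undeclared ASN(s) in path: {foreign}"
    return True, "ok"


# Constructed scenario: 64512 is the tunnel customer, 65001 a downstream it has declared,
# 65100 stands in for a large transit network the customer does not actually peer with,
# and 65200 for an origin that belongs to somebody else.
CUSTOMER = 64512
DECLARED = {65001}

if __name__ == "__main__":
    cases = [
        [64512],                 # own prefix, direct origin
        [64512, 64512, 64512],   # prepended, still fine
        [64512, 65001],          # declared downstream originates
        [64512, 65100, 65200],   # forged: transit AS inserted ahead of a foreign origin
        [65100, 64512],          # forged: pretends the transit sits in front of the customer
    ]
    for path in cases:
        print(path, accept_customer_path(CUSTOMER, DECLARED, path))
```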

