Researchers Probe Dark and Murky Net
umm qasr writes: "Security Focus has an interesting article on blocks of internet space that are hidden from most users; it is based on a survey by Arbor Networks. The most common 'invisible sites' are in .mil, which, it seems, is unintentional. The survey suggests others which seem more sinister... using unused netblock addresses to send spam. It's a bit short on the details but interesting nonetheless."
Kinda interesting what all is out there. Now, add on top of that all of those evil spam sending servers that are behind firewalls on 'reserved' IP blocks. It's kinda crazy thinking about all the stuff that's out there that no one will ever see. I always figured anything sensitive for military use would be stored on a proprietary government network. But now that I think of it, if they put it on some obscure IP block and give it no hostname, who will ever find it? Wonder if they found my secret porn stash when they were probing all them blocks. =)
Can all fish swim?
"First Officer! Demurk!" ... Finished!"
"Yes Captain Spamford."
"Prepare spam... Bulk Email!"
"Bulk Emailing, sir!"
"Excellent, return to Murk space."
.
.
.
"Sir! It's an anti-spammer!"
"What's he want?"
"He wants to shove our testicles up our noses and beat us to death with toner cartridges. He said something about sucking your eyes out with a penis enlarger as well."
"again?"
dave
It's strange to discover that a network born from military efforts is actually badly managed by its originators. This adds to the fact that the initial dream of having a network connected through multiple routes in case of attacks has never been fulfilled, or at least it is no longer possible. Apart from those addresses, after the recent WTC attacks the Italian research network was cut off from US networks because the backbone connection passed under the towers. Some days were needed to find a backup connection, and we are still on backup at a lower bandwidth than usual.
So.. Does this mean that if they find enough "dark address space", the Internet will eventually stop growing, and someday, billions of years from now collapse back in upon itself to start the cycle all over again?
-j
Torg, come out of the spaceship. Nothing can stop Torg.
And all that time I thought it was just my ISP that sucked when the "dark side" was taking over the address space. "Oh, now I get it. errrrrrr I think?"
It seems like the article could have had more explanation and real information on what dark address space is. I'm still not fully clear after reading. Is "dark address space" just unconnected networks, or something more subtle? I guess you really need to be a network person to understand fully.
Reminds me of the raging debate over dark matter in astronomy, and how it accounts for the mass of the universe etc... The debates always involve crazy theories that pretty much contradict each other until they finally get high-enough resolution data.
__ No registration required to read this message. They did it in the Matrix.
With all these secret netblocks with unaccountable traffic producers, various dead IP's and hackers gunning after the vulnerable DNS the Internet shall soon implode and the world shall be plunged into a great darkness, second only to the fall of the Roman empire!
Really, is this a huge surprise? Quality of service for unregulated CableCo's is an issue many have to deal with. Plus, human error is a big factor in DNS setups. Then you've got physical problems on end-point sites that don't have redundant connections.
I'd say 5% isn't bad.
Regards
I like teamwork. It's easier to assign blame that way.
All this time I thought the slashdot effect was like the sword of Damocles, you never know when it might hit your site. This article shows that some sites can live their lives in oblivion...Anyone looking for the red and blue pill for his site, there you have it.
I intend to live forever, so far so good.
ICANN is changing the domain namespaces by adding new TLDs like .info, and accepting new conventions like non-ASCII characters.
The problem is that a lot of software, libraries, and hand-made filters validate domain names based on simple rules like "only 0-9, a-z, dots, and it should end with two characters or com/net/org/edu".
For instance, I guess that many web forms are currently refusing mail addresses like "john@johncompany.info".
These new, non backward-compatible domain names will probably belong to the "dark and murky net" too.
Not sure about the idea of an 'obscure' IP block? IP addresses follow defined patterns - you can scan for whatever range you like. Certainly the recent Nimda stuff isn't based on hostnames - it's based on going to nearby IP ranges. If you wanted to scan the entire net you could. Might take a while though...
Cheers,
Ian
Will there be more dark places in which to hide with IPv6? Sounds like a good argument for sticking to the 4 billion IPv4 addresses, and fix the shortage problem by allocating the space better.
>Its kinda crazy thinking about all the stuff thats out
>there that no one will ever see. I always figured
>anything sensitive for military use would be stored on
>a proprietary government network
Might already be that way and we just don't know it. Talk about "dark netspace," nobody holds more of it than the US military... A bunch of class A's - 6.*, 7.*, 11.*, 21.*, 22.* - not to mention the smaller, uglier blocks. I imagine they could be running some sort of TOP-SEC-NET (or maybe SEC-PORN-NET) on one of these, unbeknownst to the outside world.
Shaun
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
Many discussion sites have marginal value because it is difficult to sort through the background noise to find intelligent, meaningful dialogue. Slashdot is interesting because it resists the typical Internet qualities of anonymity and egalitarianism. ...next thing ya know, they're gonna be using slashcode for missiles
//radiotakeover.
We've been running a LAN out of our home for several years now and have never come across much of what is *lightly* discussed in the article. With a heavy user load (we have 1.3Mbps downstream capabilities, usually running at near full throttle) the only black holes we usually encounter are webservers that have crashed or simply gone down permanently; something which I believe deserves a lot more focus than a little bit of missing space. It is nice to know that there are still places to hide, but we didn't need the article to tell us that! :-P
It [the article] was so vague, in fact, that there was little reason wasting the time to read it. Murk space, dark matter, anti-matter, anti-time. I'm going to go back to downloading more STTNG episodes!
IPv6 could lead to a lot of new problems. I think it's necessary but even with IPv6 we need better methods of allocation.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
Sorry 'bout the whoring..
What does anybody mean by this? Intranets? Bad term if I ever saw one...
If this means things that, well, are closed to robots, let them be the way they are. Work a bit more, go to the site itself, and do a search.
If it means things in DBs, how can you prove that you've extracted everything in the DB?
In any case, has anybody seen one of those "dark" addresses sometime?
It's just a BloJJ
I wonder what will happen when IPv6 comes into its own with its billions of IP addresses. You think it's hard to track these people now, just wait until people can hide in plain sight with the reasonable expectation that nobody will ever come looking to allocate their ill-gotten address space.
Shaun
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
Just think of what will happen when IPv6 comes into its own with its billions of IP addresses. You think it's hard to track these people now, just wait until people can hide in plain sight with the reasonable expectation that nobody will ever come looking to allocate their ill-gotten address space.
Well, I'd rather have these blocked/unreachable hosts out there from the rest of the internet, if it's for military/government/research purposes. Some of these servers just shouldn't be accessed by the general public, and it keeps the script kiddies out. (Well, at least it tries to keep them out.) Any explanation as to why cable users typically fall into this shadow zone of addresses? That's probably what interests me the most. The gov't shadow zone I can understand, they've been hiding stuff for years, and will continue to do so, but wtf is with the cable users?
From the article:
Because routers don't normally log such activity, murky address space could hide the full range of antisocial or illegal network behavior, says Labovitz.
Oh no, here we go again. Just because it's about the internet and contains a lot of words that are a little bit different to what "normal" people use daily - like "router", "hosts" and "routable address space" - it doesn't mean it's something dangerous. Not even new.
Can you imagine someone getting funds to look into the origins of "paper spam"? "Oh no, the spammers are using bogus return addresses!" "Bad guys can communicate pretty safely and unhindered by putting their messages in envelopes, stamping them and sending them by mail!"
I can understand that the guys had to show something for 3 years worth of "research", but unless the securityfocus article is a very-very short, abridged version for the masses, they have no results.
I'm with an ISP in Vancouver, and I can tell you that 1 out of 5 sites I try will fail. If a site cannot be reached, a quick traceroute reveals that UUnet is the culprit. Always a 152.158.xxx.xxx address.
Over the last 6 months or so, it definitely seems like the 'Net is... not so reliable. Has anyone else noticed a slow degradation in the performance of the 'Net in general? Or is it the crack again?
Does anyone have any more details on this? From what I can see, it appears that routers get compromised and certain addresses get re-mapped. Perhaps class A,B and C and other reserved addresses? This allows these addresses to be used as part of the internet. Then they are removed, hopefully before anyone notices, because the routers don't hold records of changes. Have I got this correct?
Seems like a clear cut case of bad administration.. again. Interesting Reg link on how to own a Cisco router..
What they are really saying is that there are large chunks of the internet which can't talk to each other. This isn't because of firewalling or "hiding" behind a NAT box or the like, but is instead a result of the peering "politics" (which better describes what goes on than policies) between carriers.
Let me explain. If I am ISP A and I connect via peering to ISP B, I can't talk to ISP C's customers through B even if ISP B and C are connected. That is, unless I have an arrangement with ISP B to provide transit to ISP C. ISP C also has to agree to accept my routes even if ISP B provides transit to me.
Generally the big "Tier 1" ISP's peer with each other and generally don't exchange or buy transit from each other (except in some limited cases). Smaller ISP's generally buy transit from one or more Tier 1 ISP's. Some of the smaller Tier 1's both peer and buy transit.
It is not altogether unexpected that with hundreds of ISPs out there, certain ISP pairs just plain do not have connectivity between them. It would be almost impossible economically, politically, and technically to ensure that each ISP could talk to every other ISP out there.
Add on to that that there are some ISP's who set arbitrary limits on how many addresses you have to announce together in one chunk (prefix) before they will even listen to them. If you have a small ISP with insufficiently sized address blocks you may find that your connectivity to the internet suffers.
The other piece which WAS said fairly well is that most people don't notice the problem as 99% of the people out there don't use more than the most popular 1% of the internet. And THOSE sites are almost 100% connected (and if you ran an ISP which wasn't connected to the big sites, you would quickly find yourself without a customer base).
Note that I've taken some liberties with this description so there is some minor technical/political breakage in the description above. Or probably better put, this isn't meant as a technical reference piece on peering policies....
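The transit-versus-peering rule and the prefix-length filter described in the post above, as an added example that is not from the thread or the article: a toy model of route propagation under the usual export policy (a route learned from a customer is re-exported to everyone; a route learned from a peer or a provider goes only to customers) with a per-network maximum accepted prefix length. The topology, the network names and the use of the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges are constructed for the demonstration; real BGP path selection, communities and withdrawals are left out.

```python
import ipaddress
from collections import deque

# Preference of a route by the relationship it was learned over (lower is better).
# The same relationship decides how far the route is re-exported.
RANK = {"origin": 0, "customer": 1, "peer": 2, "provider": 3}


class AS:
    """One network: its business relationships, its prefix-length filter and its table."""

    def __init__(self, name, max_prefix_len=24):
        self.name = name
        self.max_prefix_len = max_prefix_len  # announcements longer than this are ignored
        self.customers, self.peers, self.providers = set(), set(), set()
        self.table = {}  # ip_network -> (learned_from, relationship)


class Topology:
    def __init__(self):
        self.ases = {}

    def add(self, name, max_prefix_len=24):
        self.ases[name] = AS(name, max_prefix_len)

    def customer_of(self, customer, provider):
        self.ases[customer].providers.add(provider)
        self.ases[provider].customers.add(customer)

    def peer(self, a, b):
        self.ases[a].peers.add(b)
        self.ases[b].peers.add(a)

    def _rel(self, receiver, sender):
        if sender in receiver.customers:
            return "customer"
        if sender in receiver.peers:
            return "peer"
        return "provider"

    def announce(self, origin, prefix_str):
        """Flood one prefix. Routes learned from a customer are exported to everyone;
        routes learned from a peer or a provider are exported only to customers, so a
        peer-only connection never gives transit to the rest of the world."""
        prefix = ipaddress.ip_network(prefix_str)
        self.ases[origin].table[prefix] = (origin, "origin")
        queue = deque([origin])
        while queue:
            cur = self.ases[queue.popleft()]
            _, rel = cur.table[prefix]
            if rel in ("origin", "customer"):
                targets = cur.customers | cur.peers | cur.providers
            else:
                targets = cur.customers
            for name in targets:
                nxt = self.ases[name]
                if prefix.prefixlen > nxt.max_prefix_len:
                    continue  # too specific for this network's filter: silently dropped
                new_rel = self._rel(nxt, cur.name)
                old = nxt.table.get(prefix)
                if old is None or RANK[new_rel] < RANK[old[1]]:
                    nxt.table[prefix] = (cur.name, new_rel)
                    queue.append(name)

    def lookup(self, as_name, ip_str):
        """Longest-prefix match; None means the address is dark from this network."""
        ip = ipaddress.ip_address(ip_str)
        matches = [p for p in self.ases[as_name].table if ip in p]
        return max(matches, key=lambda p: p.prefixlen) if matches else None


def build_demo():
    """Constructed topology: two Tier 1s, two customers, one peer-only network."""
    t = Topology()
    for name in ("T1", "T2", "SmallA", "SmallC", "PeerOnly"):
        t.add(name)                 # every network here filters anything longer than /24
    t.peer("T1", "T2")              # Tier 1s peer, no transit either way
    t.customer_of("SmallA", "T1")
    t.customer_of("SmallC", "T2")
    t.peer("PeerOnly", "T1")        # peers with T1 but buys transit from nobody
    t.announce("SmallC", "203.0.113.0/24")      # documentation range standing in for C's block
    t.announce("SmallA", "198.51.100.0/24")
    t.announce("SmallA", "198.51.100.128/25")   # a /25 carved out of A's block
    return t


if __name__ == "__main__":
    t = build_demo()
    for src, dst in (("SmallA", "203.0.113.7"), ("PeerOnly", "203.0.113.7"),
                     ("SmallC", "198.51.100.200"), ("SmallA", "198.51.100.200")):
        print(f"{src:9s} -> {dst:16s} {t.lookup(src, dst)}")
```

Run it and PeerOnly has no route at all for 203.0.113.7 (it peers with T1 but T1 gives it no transit to T2's customer), while the /25 is visible only inside SmallA because T1 drops it at its filter: the two ways a perfectly legitimate allocation ends up dark to part of the net.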
While the proposed explanation is quite possible, there is a simpler explanation: The spammer's upstream ISP disconnected them. Cut them off, and their advertised BGP routes will automatically lapse -- resulting in the rest of the internet simply seeing a spam source followed by a withdrawn BGP route.
Tarsnap: Online backups for the truly paranoid
The Internet was never a military network. This seems to confuse many people but it's quite simple. ARPAnet was created to allow the computer science community to share resources, since all the new CS departments in the 1960's were calling for more and more government funds to pay for bigger and faster computer systems. It was thought that networking them would allow collaboration and sharing of big iron machines. Futile hope I know 8)
The confusion is based on the fact that Paul Baran at RAND had designed a network which would have used inexpensive links with multiple redundancies to ensure that communications would not be disrupted in a command and control structure for the nuclear deterrent. This idea was also being developed separately in the UK, and called Packet Switching by Donald Davies at the UK National Physics Lab, on the first system to use this technology. It was later used as a basis for ARPAnet.
The important point is that when the ARPAnet was created the inventors had never heard of the RAND report, and the Air Force had turned down RAND's plan to build a test system. It was civilian to the core. However, when the military absorbed ARPA to form DARPA they created a nonclassified system called MilNet. This came later and is not the same as saying the Internet is built on a military system.
Ok that was my 2c's worth. Any comments?
In other words: science discovers goatse.cx
I intend to live forever, so far so good.
But the longest path does exist? Do we blame the journalist, or the researchers who got paid for three years to conclude this amazingly useful fact?
People with BGP clues, please throw some this way.
Let's say I'm an evil spammer (tm). I want to send out some spam that would be really hard to track down. So, I find a net block that's not being advertised by anyone, but isn't a part of a range that's "obviously" not allocated. Say, a piece of 64/8 or 65/8 that isn't being used yet.
OK, so I configure my spam pumping machine to be an address in that block, and start advertising it. Then I connect out, spew like nuts, and shut down. Once the routes disappear, you have *no idea* where I am or who my uplink is.
So, my request to those that know - is this possible? If so or if not, why?
If it is possible, just how much worse is it going to get when IPv6 starts getting widespread use and you can hide yourself anywhere?
Yes, I realize to do this I'd need a solid connection to lots of other well-routed ISPs. Assume that I do. Will it work? How can we stop it?
It's "with my pocket calculator". Or rather "ich bin der Musikant mit Taschenrechner in der Hand".
meta-mod that guy a ham-sandwich!
the phenomenon is generally not noticeable to average Internet users because most netizens only use a tiny portion of the Net. "Most people access five or ten web sites," Labovitz says.
Oh...(SHOCKED!) so does it mean out there are other sites besides slashdot...
Cool... do you need any special software to browse them? I use K-Meleon. There's a green icon on my desktop - I double click it and it takes me to slashdot.org, where I read the coolest stuff and then I click the tiny X button on top when I've finished.
Heard about a proggie, though: Internet Exploder that would supposedly take you places where you wanted to go that thay - I always thought it's some travel/tourism/ticket booking application or stuff like that....
Gone researching how to get to the others 4 or 9 web sites...
__________
Don't belong. Never join. Think for yourself. Peace!
One of the people conducting the study, Abha Ahuja, has passed away.
Shut up, bitch, and keep sucking!
An AC that puts his name and phone number in his post? What are you looking for? Do you think someone will call you with a big dick for you to suck?
IPv4 already has billions of addresses. 4294967296 of them, to be precise. Oh, I see, you are British, right?
Perhaps this guy has accessed
Can you find a dirtier story than this one?
I had posted this in an earlier discussion [http://slashdot.org/comments.pl?sid=23740&cid=2561817] about DDOS networks being built.
:-/
Now one poster had suggested something about exchanging possibly "blacklisted" IPs. Perhaps we could build up a DB of such IPs and possibly compare these with those murkier IPs.
I'm almost certain that at least some of the banned IPs would fall under the murkier regions. In fact, still worse is the fact that some of these come through wingates (as I found out), making it all the more troublesome.
Scary though...
The military does lots of things (that people don't know about), but no porn unfortunately
I have a hidden storage device right on my desk.
It isn't connected to the internet.
It is a spiral bound notebook.
Since when does every computer have to be on the internet? Of course there are 'hidden networks'.

The mythology that people believe about computers astounds me. Are people really this dumb about networks and network topologies?

What about those new toy messaging watches for children? They are new this Christmas, just saw them on a commercial yesterday. They allow the children to send secret messages to each other. Yet another 'hidden' network.
By Definition, if its a part of the internet that is unconnected to the rest how do you expect to see it just casually browsing? The people who did the study had to consult ISP logs for months to understand the problem.
Not to mention stupid things like "ZIP" codes.
Guess what - other countries may have postal codes, but they don't always fall into a format of five contiguous numbers...
Just today, Yahoo told me that I had an impossible 'zip' code, so I did what I usually do in that case - enter "02134", which as many of you know. is pronounced "Oh!, two-one, three-FOUR!", especially if it follows "Box 3-5-0, Boston Mass", which I fill in whenever some braindead php monkey has never heard of my particular prefecture...
-- My Weblog.
I always figured anything sensitive for military use would be stored on a proprietary government network
It's called SIPRNET, and is well protected.
For a variety of reasons ranging from contract disputes among network operators to simple router misconfiguration, over five percent of the Internet's routable address space lacks global connectivity.
For weeks I've tried to get to somethingawful.com; I've pinged it, tracerouted it, I could never get anything. That is the only site that I know is up which I can't reach.
Only dead fish swim with the stream...
I don't think much of it (if any) is really sensitive information.. it wouldn't be surprising if they were just boxes that J. Random Military Sysadmin installed for a specific purpose (say, a temporary mail server, or a server which holds software to perform an FTP install of (insert system here) and forgot about. It might be documented and lost, it might not be documented at all, but no one's going to touch it because they don't know what it does.
If they put it on some obscure ip block and give it no hostname, who will ever find it?
People netmapping or portscanning entire blocks of IP addresses just to see what's out there? People tracerouting but a funky router returns some weird IP with no reverse record? Who knows.. maybe someone who's setting up /etc/hosts and makes a typo or two.
Proteus' Child
Doko ni datte; hito wa, tsunagette iru.
I've had a ton of problems getting to certain places on the internet. Whole IP blocks are giving me trouble. Some include:
That's not even the strangest thing. I think I've discovered some sort of strange parallel universe gateway at 127.0.0.1! The computer there is exactly like mine!
-Denor
When I worked for a company that made routers and other networking equipment (Gandalf, now part of Mike and Terry's Lawnmowers), we had a very large address block. I forget how big it was, it might have been a class B or even an A. But I know we had assigned to our lab three class Cs, one that we used for computers we put on the internal net, and two that we used for computers we put on test networks. Usually the two class Cs on test networks were only connected to each other through a router or bridge that we were testing, not to the internet at large.
Actually, this was a pretty interesting project to many slashdot readers. Using an extremely early version of Linux (SLS 1.02 with kernel 0.99pl14e, I seem to recall), we had a laboratory full of 486s and 386s with two ethernet cards. One was a standard card that was connected to the company lan, and the other was a special programmable card that could be commanded to do stuff that ethernet cards aren't supposed to do, like short packets and bad ethernet headers and the like. This card was connected to one of the lans on one side or the other of the unit under test. There was an automated program running on each box under control of the master box, which ran a script in a custom scripting language that could tell one box to emit a packet, and another box on the other side to check if it got it, and more sophisticated stuff.
It was very cool, and a very early use of Linux in a commercial environment.
The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
"It is you, who is mistaken about a great many things."
What they talk about is not computers-not-connected-to-internet, and not about general networks. The article is about ADDRESS SPACE. What they are saying is that there are legitimate internet address ranges owned and used by people to connect their systems to the internet which seem to be inaccessible from major parts of the internet due to misconfigured or restrictive or just plain mean routers.
Everybody Lies. But it doesn't matter since nobody listens.
Pssst, buddy. You new in town. I got some great IP addresses I can sell you. Cheap...real cheap!
Go here to check for yourself.
ZIP code 12345 is a special ZIP code belonging to GE in Schenectady, NY.
Can you explain (or better, point me to a source explaining) what is meant in networking terminology when you say /24's, /30's - and definitions of classes (A, B, C, etc), as well as what it means when you see an IP followed by a /nn (like, oh, 27.141.102.18/24 or similar).

This is something I have been curious about for a long time, and would like to learn more (whether it would be useful to me or not). Please don't mod down though, I am sure others here probably have the same question!

Thank you for any help you or others can provide...
Reason is the Path to God - Anon
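Added example for the /nn question above (not part of the thread): a small calculator that works the CIDR notation out by hand, bitmask and all, reports what the old classful (A/B/C) reading of the same address would have been, and cross-checks itself against Python's standard library. The 27.141.102.18/24 prefix is the one from the question; the other sample prefixes are constructed from documentation ranges.

```python
import ipaddress


def ip_to_int(dotted):
    parts = [int(x) for x in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def classful_class(first_octet):
    """The pre-CIDR interpretation: the leading bits of the address fixed the network size."""
    if first_octet < 128:
        return "A"  # 0xxxxxxx -> implied /8  (16M addresses)
    if first_octet < 192:
        return "B"  # 10xxxxxx -> implied /16 (65k addresses)
    if first_octet < 224:
        return "C"  # 110xxxxx -> implied /24 (256 addresses)
    if first_octet < 240:
        return "D"  # 1110xxxx -> multicast
    return "E"      # 1111xxxx -> reserved


def describe(cidr):
    """Everything the /nn suffix implies for an address or network, computed by hand."""
    addr, _, plen = cidr.partition("/")
    plen = int(plen) if plen else 32          # a bare address is a /32 host route
    if not 0 <= plen <= 32:
        raise ValueError(f"prefix length out of range: /{plen}")
    host_bits = 32 - plen
    mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF  # plen leading one-bits
    network = ip_to_int(addr) & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    size = 1 << host_bits
    # /31 point-to-point links (RFC 3021) and /32 host routes spend nothing on network/broadcast
    usable = size - 2 if plen <= 30 else size
    first_host = network + 1 if plen <= 30 else network
    last_host = broadcast - 1 if plen <= 30 else broadcast
    return {
        "prefix": f"{int_to_ip(network)}/{plen}",
        "netmask": int_to_ip(mask),
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(first_host),
        "last_host": int_to_ip(last_host),
        "addresses": size,
        "usable_hosts": usable,
        "classful_class": classful_class(network >> 24),
    }


def matches_stdlib(cidr):
    """Cross-check the hand computation against ipaddress."""
    net = ipaddress.ip_network(cidr, strict=False)
    d = describe(cidr)
    return (d["prefix"] == net.with_prefixlen
            and d["netmask"] == str(net.netmask)
            and d["broadcast"] == str(net.broadcast_address))


if __name__ == "__main__":
    for cidr in ("27.141.102.18/24", "198.51.100.13/30", "10.0.0.1/8", "192.0.2.7/32"):
        d = describe(cidr)
        print(f"{cidr:18s} -> {d['prefix']:18s} mask {d['netmask']:15s} "
              f"{d['usable_hosts']:>9} usable  classful {d['classful_class']}  "
              f"stdlib agrees: {matches_stdlib(cidr)}")
```

The point the output makes is that 27.141.102.18/24 is a 256-address block carved out of what classful addressing would have called one huge class A network: the /nn says how many leading bits are network, the letter no longer says anything.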
By definition, any classified machine CAN NOT be connected to the Internet. Try it, and you could be looking at a lifetime vacation in Leavenworth.
When I worked for a defense contractor, we were exceptionally paranoid about this sort of thing.
Fascism starts when the efficiency of the government becomes more important than the rights of the people.
Is the "dark address space" made up of strange websites? Or perhaps charmed ones?
Fascism starts when the efficiency of the government becomes more important than the rights of the people.
Dark matter for physicists, murky patches of net for CS types?
> Arbor Networks' researchers went to the mail logs of a local ISP and compared several thousand unique mail sources with "murky" addresses spotted in their monitoring. They found that 30 of those addresses sprang into existence shortly before sending the email, and quickly vanished afterwards.
Murky alright, frickin' SPAMMERS using dialup accounts. Article emphasizes obvious, rides on ignorance of uncouth. UUCP is of same type; does it mean that net was not connected in those days either? How about that one: http://www.blug.linux.no/rfc1149/writeup.html
p.
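The spammer scenario asked about earlier in the thread (announce an idle netblock, spew, withdraw) and the mail-log correlation Arbor is quoted as doing in the excerpt above, as an added example that is not from the article or any post: it rebuilds announce/withdraw visibility intervals per prefix from a BGP update feed, finds the covering route for each mail-log client at the moment it connected, and flags sources whose covering prefix was only up for a short while, or was not routed at all. The update feed, the MTA log lines and the two-hour lifetime threshold are all constructed for the demonstration.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed BGP update feed, one event per line: time, A(nnounce)/W(ithdraw), prefix.
BGP_UPDATES = """\
2001-10-01T09:55:00 A 198.51.100.0/24
2001-10-01T10:02:00 A 203.0.113.0/24
2001-10-01T10:41:00 W 203.0.113.0/24
2001-10-01T10:50:00 A 203.0.113.0/24
2001-10-01T11:20:00 W 203.0.113.0/24
""".splitlines()

# Constructed MTA log excerpt: connection time and the client address in brackets.
MAIL_LOG = """\
2001-10-01T10:07:13 connect from unknown[203.0.113.17]
2001-10-01T10:09:44 connect from mail.example.net[198.51.100.25]
2001-10-01T10:58:02 connect from unknown[203.0.113.88]
2001-10-01T12:30:00 connect from unknown[192.0.2.9]
""".splitlines()

CLIENT_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_intervals(update_lines):
    """Turn announce/withdraw events into visibility intervals per prefix.
    An interval end of None means the prefix is still announced when the feed ends."""
    open_since, intervals = {}, {}
    for line in update_lines:
        ts, action, pfx = line.split()
        t = datetime.fromisoformat(ts)
        p = ipaddress.ip_network(pfx)
        if action == "A":
            open_since.setdefault(p, t)   # a repeated announce does not restart the clock
        elif action == "W" and p in open_since:
            intervals.setdefault(p, []).append((open_since.pop(p), t))
    for p, t in open_since.items():
        intervals.setdefault(p, []).append((t, None))
    return intervals


def covering_route(intervals, ip, t):
    """Longest prefix that contained ip and was visible at time t, with its interval."""
    best = None
    for p, spans in intervals.items():
        if ip not in p:
            continue
        for start, end in spans:
            if start <= t and (end is None or t <= end):
                if best is None or p.prefixlen > best[0].prefixlen:
                    best = (p, start, end)
    return best


def classify_mail(mail_lines, intervals, max_lifetime=timedelta(hours=2)):
    """Label each mail source: 'unrouted' (no announcement covered it at send time),
    'murky' (its covering prefix came and went within max_lifetime) or 'stable'."""
    verdicts = []
    for line in mail_lines:
        m = CLIENT_RE.search(line)
        if not m:
            continue  # not a connect line
        t = datetime.fromisoformat(line.split(" ", 1)[0])
        ip = ipaddress.ip_address(m.group(1))
        route = covering_route(intervals, ip, t)
        if route is None:
            verdicts.append((str(ip), "unrouted"))
            continue
        _, start, end = route
        short_lived = end is not None and (end - start) <= max_lifetime
        verdicts.append((str(ip), "murky" if short_lived else "stable"))
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_mail(MAIL_LOG, parse_intervals(BGP_UPDATES)):
        print(f"{ip:16s} {verdict}")
```

Both 203.0.113.x sources come out 'murky' because their /24 was visible for under an hour each time, the 198.51.100.25 relay is 'stable', and 192.0.2.9 is 'unrouted': mail from space nobody was announcing. Whether a short-lived prefix is a hijack or, as another poster suggests, an upstream pulling the plug on a customer, the routing data alone cannot tell you; the correlation only tells you where to look.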
Is that what they told you?
This next song is very sad. Please clap along. -- Robin Zander
might be somewhat offtopic, but...
anyone actually try an nmap -sS -O 0.0.0.0-255.255.255.255
I think it'd be an interesting project anyway. Your ISP'd be pissed I'd think and it'd take FOREVER...
but I think it'd be interesting to see the log file... make for some interesting data mining maybe too
IPv6 is more than just "more addresses". The addresses are created by concatenating several different numbers such as your provider's network string and your NIC's MAC address. So one immediately can tell who the ISP is (although the specs allow one to "create a MAC" on the fly). Another feature is that routing is integral to IPv6 so that it is not an ad hoc add-on. Additionally, routing can be done with multicast messages to improve reachability.
Finally, one of IPv6's key benefits is that it eliminates the need for NAT'ing. So, it is likely that IPv6 would be the solution to this problem.
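The MAC-derived address construction the post above refers to, as an added example that is not from the thread: modified EUI-64 takes the 48-bit MAC, inverts the universal/local bit of its first octet and inserts ff:fe in the middle to make the 64-bit interface identifier, which is appended to the /64 prefix the router advertises. The reverse function shows why this leaks the hardware address to anyone who sees the packet, which is the reason RFC 4941 temporary (random) addresses exist, and why it returns None for those. The prefix and MAC values are constructed; 2001:db8::/64 is the IPv6 documentation range.

```python
import ipaddress


def mac_to_eui64(mac):
    """Modified EUI-64 interface identifier (RFC 4291, appendix A) from a 48-bit MAC."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    first = octets[0] ^ 0x02           # invert the universal/local bit
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix, mac):
    """Combine an advertised /64 prefix with the EUI-64 IID, as stateless autoconfig does."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    iid = int.from_bytes(mac_to_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_address(address):
    """Recover the MAC from an EUI-64 derived address. Returns None when the IID is not
    EUI-64 shaped (a random or RFC 4941 temporary address), i.e. nothing about the NIC leaks."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"                      # constructed MAC
    addr = slaac_address("2001:db8::/64", mac)
    print(mac, "->", addr, "->", mac_from_address(addr))
    print("2001:db8::1 ->", mac_from_address("2001:db8::1"))
```

The first 64 bits do identify the provider's allocation, as the post says; the last 64 bits, if EUI-64 is used, identify the NIC vendor (the OUI) and the individual card wherever the host roams, which is the opposite of hiding.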
FWIW, the REALLY sensitive stuff is only on internal nets, air-gapped from the internet. An outsider can't break in and look at your files if there is no connectivity.
That's why I always laugh whenever I read about some some 'l33t d00dz' hacking into military computers and compromising all our secrets. They may get some semi-sensitive, For-Official-Use-Only type crap, but they're not going to get the true classified stuff.
Someone below mentions the SIPRNET. Yes, it exists for lower-classified stuff, but it has very few connections to the general internet, and those that exist are VERY tightly controlled. If you try to slip in through one of them, you will have the OSI, CID, FBI, and a bunch of other letters knocking on your door. (Yes, the government does have a bunch of very intelligent, capable computer security guys. No, they don't noise it around - better to let the 'l33t d00dz' _think_ they are getting away with it.)
We gotta make democracy safe for the world! -- Pogo
There are what I would call "confederations" of sites and networks which maintain connectivity through private networks, most likely research-community and government oriented. e.g. Abilene(Internet2), CA*Net, APAN, ESnet, etc. The members of these confederations may be different research labs, universities, etc which have need for complex routing policies based on endpoint and which private network to take. Unfortunately, the tools for implementing such policy are weak and often fall back on making decisions based on IP address. This in turn means that certain IP addresses are used to cause traffic to flow in a certain way and must be blocked to the public Internet.
Now with all of that said, one would naturally assume this could be accomplished with RFC 1918 (private) address space and shouldn't require using up valuable public address space. This is true if there was only one confederation, but many of these semi-private groups exist and many of the individual organizations participate in multiple confederations simultaneously. This means if RFC1918 address space were used for each confederation, someone would need to be responsible to make sure no conflicts existed in the various private address spaces. This would be problematic because 1) the confederations generally don't cooperate with each other (not in an antagonistic sense, more like ships-in-the-night) and 2) this would take up someone's time which even in the research community is generally not free (as in beer). Some confederations don't even know others exist. Furthermore, even if such a project were undertaken, all of the participants would need to agree on a common chunk of the RFC1918 space. This would be hard to do as many organizations probably have already used varying parts of this space for their own purposes. (again, none of which were coordinated.) Some people would not be happy about having to renumber.
So in order to maintain unique address space amongst this web of semi-private networks, the participants simply use additional addresses out of the global Internet address space but only announce it amongst themselves. i.e. The global Internet registry is used to also coordinate use of addresses across these multiple, private interconnections of (usually) public institutions.
Now, I don't think this is the main cause of hidden address space. In fact it's probably so small compared to other causes that it is probably not necessary to address at this point. However, I wanted to offer it up as a legitimate reason some parts of the global Internet are not reachable from commodity ISPs.
-z
In Soviet Russia, the Beowulf cluster imagines you!
See my post in this earlier