Slashdot Mirror


Researchers Probe Dark and Murky Net

umm qasr writes: "Security Focus has an interesting article on blocks of internet space that are hidden from most users; it is based on a survey by Arbor Networks. The most common 'invisible sites' are .mil, which seems to be unintentional. The survey suggests others, which seem more sinister...using unused netblock addresses to send spam. It's a bit short on the details but interesting nonetheless."

11 of 128 comments

  1. Interesting by rmadmin · · Score: 2, Interesting

    Kinda interesting what all is out there. Now, add on top of that all of those evil spam-sending servers that are behind firewalls on 'reserved' IP blocks. It's kinda crazy thinking about all the stuff that's out there that no one will ever see. I always figured anything sensitive for military use would be stored on a proprietary government network. But now that I think of it, if they put it on some obscure IP block and give it no hostname, who will ever find it? Wonder if they found my secret porn stash when they were probing all them blocks. =)

  2. .info and other new TLDs in the dark, too? by chrysalis · · Score: 4, Interesting

    ICANN is changing the domain namespaces by adding new TLDs like .info, and accepting new conventions like non-ASCII characters.
    The problem is that many programs, libraries, and hand-made filters validate domain names based on simple rules like "only 0-9, a-z, dots, and it should end with two characters or com/net/org/edu".
    For instance, I guess that many web forms are currently refusing mail addresses like "john@johncompany.info".
    These new, non-backward-compatible domain names will probably belong to the "dark and murky net" too.

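
The validation problem chrysalis describes, as an added example that is not part of the original thread: the first function is a check of the brittle kind the comment quotes (hard-coded TLD list, ASCII only), and the second validates structure without a TLD list and accepts non-ASCII labels by converting them with the IDNA codec the way a resolver would. Function names and the sample addresses are made up for this example; the domains are documentation names, not real ones.

```python
import re

# Rule of the kind the comment describes: letters, digits and dots only, and a
# TLD that is either two letters or one of com/net/org/edu.  Anything newer
# (.info, .museum, IDNs) is rejected outright.
NAIVE_DOMAIN_RE = re.compile(r"^[a-z0-9.]+\.(?:[a-z]{2}|com|net|org|edu)$")

def naive_accepts(address: str) -> bool:
    """The brittle check: hard-coded TLD list, ASCII only."""
    local, sep, domain = address.rpartition("@")
    return bool(sep and local and NAIVE_DOMAIN_RE.match(domain))

# One DNS label: 1-63 chars of letters, digits and hyphens, no leading or
# trailing hyphen (RFC 1035 / RFC 1123 host-name rules).
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
# Characters RFC 5322 allows in an unquoted (dot-atom) local part.
LOCAL_RE = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+$")

def domain_is_syntactically_valid(domain: str) -> bool:
    """Structural check that does not depend on a TLD list.

    Non-ASCII labels are converted with the IDNA codec, which is how a
    resolver would see them, and then every label is checked against the
    host-name rules.  A numeric-only TLD is rejected (RFC 3696 section 2).
    """
    try:
        ascii_domain = domain.encode("idna").decode("ascii").lower()
    except UnicodeError:          # empty label, label too long, bad code point
        return False
    labels = ascii_domain.split(".")
    if len(labels) < 2 or len(ascii_domain) > 253:
        return False
    if not all(LABEL_RE.match(label) for label in labels):
        return False
    return not labels[-1].isdigit()

def address_is_syntactically_valid(address: str) -> bool:
    """Syntax-only check of user@domain; whether the domain exists or accepts
    mail is a separate (DNS/SMTP) question this function does not answer."""
    local, sep, domain = address.rpartition("@")
    if not sep or not 0 < len(local) <= 64:
        return False
    if not LOCAL_RE.match(local) or local[0] == "." or local[-1] == "." or ".." in local:
        return False
    return domain_is_syntactically_valid(domain)

if __name__ == "__main__":
    for addr in ("john@example.com", "john@johncompany.info", "john@bücher.example"):
        print(addr, naive_accepts(addr), address_is_syntactically_valid(addr))
```

The point of the second check is that it rejects what is structurally impossible (empty or over-long labels, leading hyphens, a numeric TLD) and leaves "is this a real domain" to DNS, so a new TLD or an IDN label does not silently fall into the filter's blind spot.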
  3. Arbor analyzed ISP mail logs? by ShaunC · · Score: 4, Interesting
    From the article,
    Arbor Networks' researchers went to the mail logs of a local ISP and compared several thousand unique mail sources with "murky" addresses spotted in their monitoring.
    Am I reading this right? If so, am I alone in feeling uneasy about it? It would be interesting to know what ISP allowed "some research company" to look through their mail logs. I suspect Arbor was only interested in source IP addresses, but it still smells.

    Shaun
    --
    Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
  4. routing by underpaidISPtech · · Score: 2, Interesting

    I'm with an ISP in Vancouver, and I can tell you that 1 out of 5 sites I try will fail. If a site cannot be reached, a quick traceroute reveals that UUnet is the culprit. Always a 152.158.xxx.xxx address.

    Over the last 6 months or so, it definitely seems like the 'Net is .... not so reliable. Has anyone else noticed a slow degradation in the performance of the 'Net in general? Or is it the crack again?

  5. The Cause.. by fwc · · Score: 5, Interesting
    The article doesn't really do a good job of saying what this is really about, and the report several people have linked to does provide detailed information, but again you need to have some context to understand it.

    What they are really saying is that there are large chunks of the internet which can't talk to each other. This isn't because of firewalling or "hiding" behind a NAT box or the like, but is instead a result of the peering "politics" (which better describes what goes on than policies) between carriers.

    Let me explain. If I am ISP A and I connect via peering to ISP B, I can't talk to ISP C's customers through B even if ISP B and C are connected. That is, unless I have an arrangement with ISP B to provide transit to ISP C. ISP C also has to agree to accept my routes even if ISP B provides transit to me.

    Generally the big "Tier 1" ISP's peer with each other and generally don't exchange or buy transit from each other (except in some limited cases). Smaller ISP's generally buy transit from one or more Tier 1 ISP's. Some of the smaller Tier 1's both peer and buy transit.

    It is not altogether unexpected that with hundreds of ISPs out there certain ISP pairs just plain do not have connectivity between them. It would be almost impossible economically, politically, and technically to ensure that each ISP could talk to every other ISP out there.

    Add to that that there are some ISPs who set arbitrary limits on how many addresses you have to announce together in one chunk (prefix) before they will even listen to them. If you have a small ISP with insufficiently sized address blocks you may find that your connectivity to the internet suffers.

    The other piece which WAS said fairly well is that most people don't notice the problem as 99% of the people out there don't use more than the most popular 1% of the internet. And THOSE sites are almost 100% connected (and if you ran an ISP which wasn't connected to the big sites, you would quickly find yourself without a customer base).

    Note that I've taken some liberties with this description so there is some minor technical/political breakage in the description above. Or probably better put, this isn't meant as a technical reference piece on peering policies....
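
The peering/transit and prefix-filtering behaviour fwc describes, as an added example that is not part of the original thread: a small model of route propagation under the usual export rules (routes learned from a customer are given to everyone; routes learned from a peer or provider are given only to customers) plus a per-AS limit on the longest prefix it will accept. The AS names "A", "B", "C", "C-cust" and the 192.0.2.0/24 documentation prefix are made up for this example; real BGP policy has many more knobs than this.

```python
from collections import deque
from ipaddress import ip_network

# Preference order for a route, by the relationship it was learned over:
# a customer route earns money, a peer route is free, a provider route costs.
PREFERENCE = {"customer": 0, "peer": 1, "provider": 2}
# How a link looks from the other end.
FLIP = {"customer": "provider", "provider": "customer", "peer": "peer"}

class Internet:
    """Toy inter-domain routing model (assumption: every AS follows the
    customer/provider/peer export rules described in the comment)."""

    def __init__(self):
        self.neighbours = {}     # asn -> {neighbour_asn: relationship of neighbour to asn}
        self.max_prefixlen = {}  # asn -> longest prefix this AS will accept from anyone

    def add_as(self, asn, max_prefixlen=24):
        self.neighbours.setdefault(asn, {})
        self.max_prefixlen[asn] = max_prefixlen

    def transit(self, customer, provider):
        """customer buys transit from provider (overrides any peering between them)."""
        self.neighbours[customer][provider] = "provider"
        self.neighbours[provider][customer] = "customer"

    def peer(self, a, b):
        """Settlement-free peering: each side carries only the other's customer routes."""
        self.neighbours[a][b] = "peer"
        self.neighbours[b][a] = "peer"

    def routes_for(self, origin, prefix):
        """Propagate one announcement.  Returns {asn: relationship the best
        route was learned over} for every AS that ends up with a route."""
        plen = ip_network(prefix).prefixlen
        # The origin treats its own prefix like a customer route: export it to everyone.
        learned = {origin: "customer"}
        queue = deque([origin])
        while queue:
            asn = queue.popleft()
            via = learned[asn]
            for nbr, rel in self.neighbours[asn].items():
                # Export rule: customer-learned routes go to all neighbours,
                # peer- and provider-learned routes go only to customers.
                if via != "customer" and rel != "customer":
                    continue
                # Ingress rule at the neighbour: drop prefixes longer than it accepts.
                if plen > self.max_prefixlen[nbr]:
                    continue
                nbr_via = FLIP[rel]
                # Keep the most preferred route; a better one may widen what gets re-exported.
                if nbr not in learned or PREFERENCE[nbr_via] < PREFERENCE[learned[nbr]]:
                    learned[nbr] = nbr_via
                    queue.append(nbr)
        return learned

def build_scenario():
    """A peers with B, B peers with C, and C has a customer."""
    net = Internet()
    for asn in ("A", "B", "C", "C-cust"):
        net.add_as(asn)
    net.peer("A", "B")
    net.peer("B", "C")
    net.transit("C-cust", "C")
    return net

def peering_only_reach():
    """A only peers with B: B will not carry A's route on to its own peer C."""
    return set(build_scenario().routes_for("A", "192.0.2.0/24"))

def with_transit_reach():
    """A buys transit from B: A is now a customer route at B, which B exports to C."""
    net = build_scenario()
    net.transit("A", "B")
    return set(net.routes_for("A", "192.0.2.0/24"))

def long_prefix_reach():
    """Same as above, but A announces a /25.  B was talked into accepting it;
    C still filters anything longer than a /24, so the route stops at B."""
    net = build_scenario()
    net.transit("A", "B")
    net.max_prefixlen["B"] = 25
    return set(net.routes_for("A", "192.0.2.0/25"))

if __name__ == "__main__":
    print("peering only:", sorted(peering_only_reach()))
    print("with transit:", sorted(with_transit_reach()))
    print("/25 announced:", sorted(long_prefix_reach()))
```

Running it shows the three situations in the comment: with peering alone only A and B hold the route; once A pays B for transit the route reaches C and C's customer; and a prefix that is too long is dropped at the first AS whose filter rejects it, regardless of the commercial arrangement behind it.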

    1. Re:The Cause.. by Anonymous Coward · · Score: 1, Interesting

      I agree... one of the best demonstrations of this is to install AOL in Australia (it's the Australian version by the way :P)... it works great on the "major" sites, but if it isn't a "big" site, it will take hours (literally) to get there, if at all... Many servers you trace and it dies at about the 16th hop (which is in the US)... even traceroutes to LOCAL ISPs often fail on the AOL network... now I'm not having a go at AOL or abusing it or anything, but it does happen... As you say, everyone can't be connected in a mesh topology... it just won't happen... I can visualise it now, routers with 65 million serial ports... yep...

      The net isn't really a net at all, it's more of an extended star topology (for all you networkers)... for those who haven't got a clue what I mean is that you have the major servers in the US, and off them hangs other servers, and off them others, etc... Often, there just isn't a route to a server due to router downtime, misconfiguration, or intentional forced editing of the routing tables...

      so... my proposal is... scrap the name of the internet... I say we all call it ... THE INTERSTAR!!!!!!!!!

  6. So spammers can grab anything they want? by Anonymous Coward · · Score: 1, Interesting

    People with BGP clues, please throw some this way.

    Let's say I'm an evil spammer (tm). I want to send out some spam that would be really hard to track down. So, I find a net block that's not being advertised by anyone, but isn't a part of a range that's "obviously" not allocated. Say, a piece of 64/8 or 65/8 that isn't being used yet.

    OK, so I configure my spam pumping machine to be an address in that block, and start advertising it. Then I connect out, spew like nuts, and shut down. Once the routes disappear, you have *no idea* where I am or who my uplink is.

    So, my request to those that know - is this possible? If so or if not, why?

    If it is possible, just how much worse is it going to get when IPv6 starts getting widespread use and you can hide yourself anywhere?

    Yes, I realize to do this I'd need a solid connection to lots of other well-routed ISPs. Assume that I do. Will it work? How can we stop it?

    1. Re:So spammers can grab anything they want? by billn · · Score: 2, Interesting

      You're close to right, that IS possible. The problem is that someone has had the block allocated to them. It's a simple lookup to the IRRdb or various other registries to find the owner of the block and contact them. It *is*, however, a pretty damn sneaky move, which fully thwarts the most common tool used to identify a spam source: traceroute.

      As far as the IPv6 issue, a lot will depend purely on accounting: How is address space issued? Do you get an IP with your driver's license?

      Accountability will be everything, at that point. IPv4, as it's designed, is based on trust. America, as it's designed, is based on civil disobedience. Stop laughing, I'm serious.

      --
      - billn
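
The hit-and-run announcement described in the question and the registry lookup billn suggests as the counter, as an added example that is not part of the original thread: it compares announcements seen by a route collector against a table of route objects (the IRR view of who is authorised to originate which prefix) and also flags prefixes that appear and are withdrawn again within an hour. The route-object table and the announcement feed are constructed for this example, using documentation prefixes and documentation ASNs rather than the 64/8 space mentioned above; the neighbour AS each announcement arrived from is recorded because that is who can still be asked about it after the route is gone.

```python
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed registry view (IRR-style route objects): prefix -> authorised origin AS.
# Documentation prefixes (RFC 5737) and documentation ASNs (RFC 5398) stand in for
# the real address space the question talks about.
ROUTE_OBJECTS = {
    "192.0.2.0/24": 64496,
    "198.51.100.0/24": 64497,
}

# Constructed feed of what a route collector saw: (time, A=announce/W=withdraw,
# prefix, origin AS, the neighbour AS the announcement arrived from).
FEED = [
    ("2001-06-01T00:00:00", "A", "192.0.2.0/24",      64496, 64500),  # legitimate
    ("2001-06-01T01:00:00", "A", "198.51.100.0/24",   64497, 64500),  # legitimate
    ("2001-06-01T02:00:00", "A", "203.0.113.0/24",    64510, 64511),  # nobody registered this block
    ("2001-06-01T02:45:00", "W", "203.0.113.0/24",    64510, 64511),  # ... and it is gone 45 minutes later
    ("2001-06-01T03:00:00", "A", "198.51.100.128/25", 64509, 64511),  # more-specific of a registered block, wrong origin
    ("2001-06-01T09:00:00", "W", "198.51.100.128/25", 64509, 64511),
]

def covering_route_object(prefix):
    """Most specific registered prefix that covers `prefix`, as (network, origin), or None."""
    net = ip_network(prefix)
    best = None
    for registered, origin in ROUTE_OBJECTS.items():
        reg = ip_network(registered)
        if reg.version == net.version and net.subnet_of(reg):
            if best is None or reg.prefixlen > best[0].prefixlen:
                best = (reg, origin)
    return best

def origin_problem(prefix, origin):
    """Reason the (prefix, origin) pair disagrees with the registry, or None if it matches."""
    found = covering_route_object(prefix)
    if found is None:
        return "no route object covers %s" % prefix
    reg, registered_origin = found
    if registered_origin != origin:
        return "origin AS%d is not the registered origin AS%d of %s" % (origin, registered_origin, reg)
    return None

def analyse(feed=FEED, max_lifetime=timedelta(hours=1)):
    """Return findings as (prefix, origin, upstream, reason).  The upstream AS is
    the accountability hook: the route may be gone, but somebody accepted it."""
    findings = []
    live = {}   # (prefix, origin) -> (announce time, upstream)
    for ts, action, prefix, origin, upstream in feed:
        t = datetime.fromisoformat(ts)
        if action == "A":
            reason = origin_problem(prefix, origin)
            if reason:
                findings.append((prefix, origin, upstream, reason))
            live[(prefix, origin)] = (t, upstream)
        elif action == "W":
            start, up = live.pop((prefix, origin), (None, None))
            # A block that appears and vanishes within an hour is the hit-and-run pattern.
            if start is not None and t - start <= max_lifetime:
                findings.append((prefix, origin, up, "announced for only %s via AS%d" % (t - start, up)))
    return findings

if __name__ == "__main__":
    for f in analyse():
        print("%-20s AS%d via AS%d: %s" % f)
```

Two caveats a practitioner would add: a route object only proves that someone registered the pair, not that the registration is accurate, so the lookup identifies who to contact rather than settling who is at fault; and a more-specific announced by the registered origin passes the origin check here even though it can be just as disruptive, so a real monitor would flag unexpected more-specifics separately.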
  7. Re:Invisible web? by billn · · Score: 3, Interesting

    Consider the source they used for their data: Routing tables. Aside from announcing the main superblock that says 'Hey, I have these IPs', looking at a full routing table to find out where blocks really wind up isn't effective. I actually had this discussion with a colleague a few days ago. They may announce it, but that doesn't mean it's reachable.

    The report cites .mil and broadband land as the largest 'offenders', for lack of a better term. Personally, I could care less if .mil hosts aren't world reachable. By and large, I know for a fact there's a lot that exists that you simply can't get to, or wouldn't want to anyway.

    As far as broadband goes, as well as large NSPs, consider how much address space is simply lost to breaking /24's up into /30's for interface numbering. Doing this produces a herd of four IP subnets. You immediately lose two IPs to Network Address and Broadcast, leaving you with two usable IPs, one for each end of the numbered interface, against 254 for a full Class C allocation. Do the math, and that's 64 point-to-point circuits.

    Companies like Cisco and Unisphere sport routers capable of numbering interfaces in the THOUSANDS. Even making efficient use of IPs when numbering ATM topologies (common for DSL implementations), you're still losing one IP per interface, in addition to whatever small block is allotted to the customer on the other end. In most cases, every hop you see in a traceroute is one IP of a four-IP subnet (exceptions would be LAN-topology-based peers or transits). For the purposes of security, or simplicity, providers may simply choose to not announce routes to IP space allocated for interface use. Inside their own networks, interior protocols like IGP, IS-IS and OSPF can handle local delivery, but the world doesn't really need to know how to throw packets at a router's interfaces.

    Cable modems are less guilty of this than most, since they tend to allocate two or four class C superblocks to a neighborhood and mask them accordingly.

    --
    - billn
  8. Sad side commentary by shani · · Score: 3, Interesting

    One of the people conducting the study, Abha Ahuja, has passed away.