Slashdot Mirror


South Korea Backtracks On China As Source of Cyberattack

hackingbear writes "The suspected cyberattack that struck South Korean banks and media companies this week didn't originate from a Chinese IP address, South Korean officials said Friday, contradicting their previous claim. The Korea Communications Commission said that after 'detailed analysis,' the IP address used in the attack is the bank's internal IP address — which is, coincidentally, identical to a Chinese ISP's address, among the 2^32 address space available."

27 of 125 comments

  1. Re:Well, where's my cyberwar then? by SternisheFan · · Score: 2
  2. Hanlon's by gmuslera · · Score: 5, Insightful

    The bank used public IP addresses (existing, used elsewhere) for their internal network? The one that designed that should be considered a bigger security threat than any current cyberattack.

    BTW, the CNN editorial "Why cyber attacks threaten our freedom" is another piece of art of more or less the same magnitude. I'd say that is on a par with this one.

    1. Re:Hanlon's by cigawoot · · Score: 2

      In an Intranet that isn't the case. However, the bank really failed if it wasn't using subnets allocated for private use...

    2. Re:Hanlon's by icebike · · Score: 4, Insightful

      They are supposed to be.
      But read what gmuslera said in his first sentence.

      For your internal address (inside your router), you typically use a Private Network Address from one of the common ranges specifically set aside for this per RFC 1819.

      This bank instead chose a public address range that was not theirs and used that as their private range. You can get away with this in a NAT situation, because only YOUR OWN ROUTER knows about this.

      But it is monumentally dumb to do this.
      I've seen noob admins do this in the past just to avoid an RFC1819 address space internally, usually as a means to avoid a routing error that they didn't understand. It's never justified. And there are security implications and mind-bogglingly hard to figure out routing errors if you have to actually deal with the real owner of the address space.

      --
      Sig Battery depleted. Reverting to safe mode.
    3. Re:Hanlon's by PAjamian · · Score: 2

      If it was 192.168.0.0/16 that's fine as it is reserved by RFC1918 for private use.

      --
      Windows is a bonfire, Linux is the sun. Linux only looks smaller if you lack perspective.
    4. Re:Hanlon's by icebike · · Score: 4, Informative

      Define "exhausted all private address space"?

      In just the 10 block alone there are 16,777,216. This bank isn't that big.

      --
      Sig Battery depleted. Reverting to safe mode.
    5. Re:Hanlon's by Anonymous Coward · · Score: 4, Informative

      It's RFC 1918...

      They will grab your geek card on the way out.

    6. Re:Hanlon's by LordLimecat · · Score: 2

      The bank used public IP addresses (existing, used elsewhere) for their internal network? The one that designed that should be considered a bigger security threat than any current cyberattack.

      You realize that it is possible to firewall without NAT, right?

      You realize that a number of very well secured places use public IPs internally right?

    7. Re:Hanlon's by icebike · · Score: 3, Funny

      DOH! Can I get a pass for being lisdexic?

      --
      Sig Battery depleted. Reverting to safe mode.
    8. Re:Hanlon's by Anonymous Coward · · Score: 3, Informative

      With IPv6 you would be using your own public address internally, perfectly legitimate and no problem. The problem here is using someone else's public address internally. Among the minor gotchas, it becomes hard for your internal users to reach that external site, should they ever need to.

      Should you inadvertently start to advertise someone else's IP address to your ISP, they will probably and quite correctly shut you down.

      anonymous CCNP!

    9. Re:Hanlon's by Anonymous Coward · · Score: 5, Interesting

      I agree that it seems insane that a major bank would do this, however I've seen it in practice. A very major financial firm (who shall remain nameless) that I did some work for actually uses the public IP address range of the US dept. of defense as their internal IP space. It's never caused them any problems - since there's no need for them to connect to the US military, but it definitely left me and several colleagues scratching our heads when we first started looking at the network.

    10. Re:Hanlon's by Spazmania · · Score: 4, Informative

      Until a couple years ago, it was common practice to squat on 1.0.0.0/8 for internal use when 10.0.0.0/8 ran out. Then IANA allocated the space to APNIC which subsequently allocated most of it to China.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
    11. Re:Hanlon's by gmuslera · · Score: 2

      There are a lot of things that could go very wrong using public IPs (that are actually being used) for internal networks. You eventually could want to access or send mail to one of those public IPs. Or if you have an internal site, the public IP could be used to deploy a fake site, so if you try to connect from outside (i.e. dropped VPN connection) or inside (i.e. proxy to access outside). Or you have a firewall that enables certain internal IPs to access a resource that could be accessed from outside too. These are just a few easy examples, but things usually go wrong in more imaginative ways.

      Yes, it could be managed securely, but why take the risk if the right way to do things is just less complex than messing in that way with everything?

    12. Re:Hanlon's by ColdWetDog · · Score: 2

      on

      --
      Faster! Faster! Faster would be better!
    13. Re:Hanlon's by TwineLogic · · Score: 3, Interesting

      Point is, PAjamian's comment went way over your head. If X=168, there was nothing wrong with the configuration. If you had trouble with it, that might be explained by this sequence of comments.

    14. Re:Hanlon's by Luckyo · · Score: 2

      Well, they mapped non-private addresses to intranet machines. So I think we're past the question "were they doing something wrong" here.

    15. Re:Hanlon's by thegarbz · · Score: 2

      This thread is confusing a public IP as an IP that is supposed to be addressable to the internet with an IP address that is owned by yourself as a private entity.

      There's no reason why you shouldn't be able to use a publicly addressable IP address internally. Many companies which own big blocks do just this. The problem is when you use in your own network an IP address owned by someone else. This causes obvious problems i.e. if I use 8.8.8.x in my internal network and isolate it at the router I will have problems hitting Google's DNS server.

    16. Re:Hanlon's by dissy · · Score: 2

      Before the big IPv4 crunch at the start of 2011, there used to be a pretty big number of /8 blocks listed as "reserved" by ARIN, with a last modified date of 1975. Something like 30+ of them.

      Quite a few people used such blocks as their internal addressing without ill effect up until the 2011 "IP crunch" when those blocks were finally allocated.

      I have to admit I did the same for my tiny home network too.
      From the mid 90s up until 2010 I was using the 42.x.x.x/8 space internally, however I did this with full knowledge about what I was doing. My router filtered ingress/egress on that route just as it does with the RFC1918 space, and with full knowledge I'd have to renumber if it ever became allocated, which happened at the end of 2010 (September or October, I can't remember. I was renumbered in June.)

      But I would never have done this at a site managed or used by more than just myself.
      At work for example I migrated us from the existing 182.168.1 space into 10.

      One of the biggest advantages of doing this is when you deal with a bunch of VPNs all the time. It usually caused issues when your own network and the remote site had the same IP blocks.
      192.168.[0/1].x and 10.x were the most popular networks in use to avoid, but even Cisco's VPN concentrators took over most or all of the less well known 172.16.x.x space.
      The easiest solution was to avoid all of them.
      This meant either purchasing your own public /20 or larger (only an option for ISPs) or using an unallocated-since-forever block.

      ARINs rules for getting a public block were that you had to already have IP blocks from your two or more providers that are at least half that size, and at least half utilized. You must be BGP routed with two or more providers already, and once you get your ARIN space you have to return your current blocks to the ISPs that allocated them to you. A small /20 would cost $2500/year as well.
      This is simply not something a home user could ever do.

      The only time using public space caused problems was when done out of ignorance.
      I've seen plenty of networks numbered in 192.x that were not 192.168, for example, unknowingly using public addresses. The same with 193.x.
      Most of those sites also didn't bother with filtering those blocks at their border routers (some not even filtering RFC1918 space) which is probably the biggest mistake that would have a bite.
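The thread above keeps coming back to the same audit question: is each internal prefix RFC 1918 space, public space the organisation actually holds, or somebody else's public space (the 8.8.8.x and 193.x cases), and does it collide with a VPN peer's range? The script below is an added example, not code from the thread or from any poster. The address plan, the VPN peer ranges and the claim that the organisation holds 203.0.113.0/24 are all constructed for illustration (203.0.113.0/24 is documentation space standing in for a real assignment); in practice the "owned" list would come from the RIR assignment records.

```python
"""Audit an internal IPv4 address plan for squatted public space and VPN overlaps."""
from ipaddress import ip_network

# RFC 1918 private-use blocks.
RFC1918 = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption (constructed for this example): the organisation legitimately holds
# 203.0.113.0/24.  Fill this from RIR assignment records in real use.
OWNED = [ip_network("203.0.113.0/24")]

# Constructed example plan mixing the cases discussed in the thread.
PLAN = {
    "corp-lan":    "10.20.0.0/16",     # fine: RFC 1918
    "dmz":         "203.0.113.0/24",   # fine: public space the org holds (assumed)
    "legacy-lab":  "8.8.8.0/24",       # squatting on someone else's public space
    "branch-typo": "193.1.2.0/24",     # meant 192.168.x, landed in public space
    "mgmt":        "169.254.10.0/24",  # reserved (link-local), not routable anyway
}

# Constructed: ranges used by VPN peers that this network must route to.
VPN_PEERS = [ip_network("10.20.5.0/24"), ip_network("192.168.1.0/24")]


def classify(cidr, owned=OWNED):
    """Return one of rfc1918 / owned-public / reserved / squatted-public."""
    net = ip_network(cidr, strict=False)
    if any(net.subnet_of(p) for p in RFC1918):
        return "rfc1918"
    if any(net.subnet_of(o) for o in owned):
        return "owned-public"
    if not net.is_global:  # loopback, link-local, documentation, 100.64/10, ...
        return "reserved"
    return "squatted-public"


def audit(plan=PLAN, owned=OWNED, vpn_peers=VPN_PEERS):
    """Return {name: (classification, [overlapping VPN peer prefixes])}."""
    findings = {}
    for name, cidr in plan.items():
        net = ip_network(cidr, strict=False)
        clashes = [str(p) for p in vpn_peers if net.overlaps(p)]
        findings[name] = (classify(str(net), owned), clashes)
    return findings


def problems(findings):
    """Names whose space is squatted or collides with a VPN peer, sorted."""
    return sorted(name for name, (kind, clashes) in findings.items()
                  if kind == "squatted-public" or clashes)


if __name__ == "__main__":
    for name, (kind, clashes) in audit().items():
        print(f"{name:12} {kind:16} vpn-overlap={clashes or '-'}")
```

The order of the checks matters: the "owned" test runs before the `is_global` test, because documentation and other non-global ranges would otherwise be reported as reserved even when they stand in for a held assignment, and the RFC 1918 test runs first so that a 10.x prefix is never mistaken for anything else. An overlap with a VPN peer is reported even for perfectly legitimate RFC 1918 space, which is exactly the collision dissy describes.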

  3. I... don't understand this at all. by Nanoda · · Score: 4, Interesting

    On my home network, I use the private 24-bit block 10.x.x.x, in case I buy more than 16 million devices. Is the article saying that they decided to map public IPs they didn't own to internal devices? Notwithstanding the confusion such cases like the above would cause, this bank could conceivably leak banking data out to that Chinese ISP!

    All the articles I can find are equally uninformative.

    1. Re:I... don't understand this at all. by Narcocide · · Score: 3, Insightful

      Yes, you are right, whoever did this was not qualified to be setting up networks for their own personal use, much less production banking servers. Seems like the type of novice-level engineering mistake pretty typical of the hiring practices of the US IT industry lately, actually.

      Why pay me $150/hour when there is some teenager who will feel lucky to get the gig for $10? This is why.

    2. Re:I... don't understand this at all. by Anonymous Coward · · Score: 2, Interesting

      If I were to guess, the bank had an old assignment and used the addresses internally. Then they gave up the assignment and the addresses were reallocated to somebody in China, but the bank continued to use their assigned addresses internally.

    3. Re:I... don't understand this at all. by JASegler · · Score: 2

      Unfortunately this isn't a huge shock to me. Back in the 90's I remember trying to hook up a Fortune 500 company to the internet. They were using public IPs on their internal network. They complained when I told them they had to readdress their network. I even dug up the various RFCs, who owned the public blocks they were using, etc.

      There was actually a discussion along the lines of "will we ever need to communicate with those companies?", i.e. can we just ignore the problem. In the end the argument that those places using public IPs wouldn't be able to communicate properly with the rest of the network got things going in the right direction.

    4. Re:I... don't understand this at all. by rwyoder · · Score: 2

      On my home network, I use the private 24-bit block 10.x.x.x, in case I buy more than 16 million devices. Is the article saying that they decided to map public IPs they didn't own to internal devices? Notwithstanding the confusion such cases like the above would cause, this bank could conceivably leak banking data out to that Chinese ISP!

      All the articles I can find are equally uninformative.

      At a previous job we found some idiot had done this. We didn't know this until troubleshooting a complaint of not being able to reach a certain portion of the Internet. It really isn't a security issue, because a corporate network will first route to its internal networks, and only if the destination is not internal will it fall back to the default route to the Internet. The default route will always have a shorter mask, therefore it will be the last chosen. The biggest problem is that doing this stupid trick means you have blackholed a portion of the Internet from your own users.
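The longest-prefix-match behaviour rwyoder describes, as an added example that is not part of the thread: a tiny routing table with an internal route sitting on squatted public space (1.2.0.0/16 is a constructed stand-in, chosen because the thread notes 1.0.0.0/8 went to APNIC), and a lookup that picks the most specific matching prefix. The default route (0.0.0.0/0) only wins when nothing else matches, so any destination inside the squatted prefix is delivered internally and never reaches the ISP.

```python
"""Longest-prefix-match lookup showing how a squatted public prefix blackholes
the real owner's address space.  Routing table is constructed for the example."""
from ipaddress import ip_address, ip_network

# Constructed routing table: (prefix, next hop).  Order is irrelevant; the
# lookup selects by prefix length, not by position.
ROUTES = [
    (ip_network("0.0.0.0/0"),       "isp-default"),
    (ip_network("10.0.0.0/8"),      "core-internal"),
    (ip_network("1.2.0.0/16"),      "core-internal"),   # squatted public space
    (ip_network("192.168.50.0/24"), "branch-vpn"),
]


def lookup(dst, routes=ROUTES):
    """Return (matched prefix, next hop) for dst using longest-prefix match."""
    addr = ip_address(dst)
    matches = [(net, hop) for net, hop in routes if addr in net]
    net, hop = max(matches, key=lambda m: m[0].prefixlen)  # /0 always matches
    return str(net), hop


def reaches_internet(dst, routes=ROUTES, default_hop="isp-default"):
    """True only if the packet falls through to the default route."""
    return lookup(dst, routes)[1] == default_hop


def blackholed(routes=ROUTES, default_hop="isp-default"):
    """Globally routable prefixes that an internal route captures: these parts
    of the Internet are unreachable for everyone behind this router."""
    return sorted(str(net) for net, hop in routes
                  if hop != default_hop and net.is_global)


if __name__ == "__main__":
    for dst in ("1.2.3.4", "1.3.0.1", "10.1.1.1", "192.168.50.7"):
        print(dst, "->", lookup(dst), "internet" if reaches_internet(dst) else "internal")
    print("blackholed:", blackholed())
```

`blackholed()` is the same check rwyoder's team ended up doing by hand after the complaint: walk the table and list every internal route whose prefix is globally routable. A real router's RIB is larger, but the selection rule is the one implemented in `lookup`.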

  4. Mod SK up! by AmiMoJo · · Score: 4, Interesting

    How many other countries would admit this instead of just continuing to blame the big bad boogeyman?

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    1. Re:Mod SK up! by Isaac+Remuant · · Score: 2

      Yeah, but the problem is that every major news media outlet out there has reported that it came from China, and the awful ones (most) (a) stated it as a fact and (b) won't update the news because it doesn't have as much appeal.

      --
      "Science can amuse and fascinate us all, but it is engineering that changes the world. " - Asimov.
  5. Re:Wide subnets by Luckyo · · Score: 2

    I'm not the one making these decisions. I'm merely trying to figure out WHY someone would do something described in the article.

  6. Re:why by Luckyo · · Score: 2

    Thank you captain obvious! :D