Oct 25 2017

A surprising amount of people want to be in North Korea

While the president of the United States and the leader of North Korea were/are currently beefing on Twitter about who should destroy the world first, North Korea was also causing me some personal frustration on data quality.

The issue lies with “GeoIP” (or more widely speaking a database that contains the geographical mapping between IP addresses and locations on the planet).

If you run services with Internet traffic from a variety of users you may find sometimes the GeoIP information actually isn’t that great, especially if you’re dealing with IPv6 because most of this information has not been filled in yet.

However after a bit investigation I found that there were a set of of geoip errors that were unusual in that they didn’t actually appear to be an issue of data quality. More an issue of people maliciously inserting fake data into the database in order to appear to websites as if they were elsewhere.

The initial discovery came as a pure curiosity search. North Korea’s Internet recently got another upstream (through Russia’s TTK):

North Korea switching to TTK

This extra upstream makes a massive difference with latency for EU traffic to North Korea.

China Unicom route vs TTK route

Above are two ISP’s in the UK: Virgin takes the slower US -> China -> DPRK Route, while Sky takes the RU -> DPRK route!

A whole 108ms faster!

Down a GeoIP adventure

So the question I had was “How much traffic do I even get from North Korea anyway?” The answer surprised me when the little amount of my North Korean traffic wasn’t from the only ISP in North Korea but in fact Avast. The anti virus company.

An example lookup on one of the IPs shows it being located in Manp’o, Chagang-do.

a example maxmind lookup

A border city between China and North Korea.

Manpo Photo by George Wenn (Link | Archive 1 | Archive 2)

However this location assessment doesn’t align with logic, traceroute hop names or the bounding limits of the speed of light:

ben@gb:~$ mtr -rwc 5 -o "B        " -f 3 5.62.61.65
Start: Sun Oct 15 22:30:19 2017
HOST: gb                                      Best        
  3.|-- 185.84.16.242                            0.8        
  4.|-- 185.84.16.241                            1.2        
  5.|-- ae-6.r00.londen10.uk.bb.gin.ntt.net      1.1        
  6.|-- ae-0.level3.londen10.uk.bb.gin.ntt.net   1.1        
  7.|-- ???                                      0.0        
  8.|-- ???                                      0.0        
  9.|-- AVAST-SOFTW.bear1.Prague1.Level3.net    34.8        
 10.|-- r-227-076-074-195.avast.com             38.3        
 11.|-- r-65-61-62-5.ff.avast.com               34.7

Thankfully MaxMind does provide a CSV version of their database which means that you can grep through to find all the other offenders who fraudulently locate themselves in North Korea:

$ cat GeoLite2-City-Locations-en.csv | grep 'Asia,KP'
1871859,en,AS,Asia,KP,"North Korea",01,Pyongyang,,,Pyongyang,,Asia/Pyongyang
1873107,en,AS,Asia,KP,"North Korea",,,,,,,Asia/Pyongyang
2042893,en,AS,Asia,KP,"North Korea",04,Chagang-do,,,Manp'o,,Asia/Pyongyang

$ cat GeoLite2-City-Blocks-IPv4.csv | grep '1871859'
31.220.29.128/27,1871859,2921044,,0,0,,39.0194,125.7547,200
46.36.203.81/32,1871859,3164670,,0,0,,39.0194,125.7547,50
46.36.203.82/31,1871859,3164670,,0,0,,39.0194,125.7547,50
185.56.163.144/28,1871859,1873107,,0,0,,39.0194,125.7547,200

$ cat GeoLite2-City-Blocks-IPv4.csv | grep '1873107'
5.62.56.160/30,1873107,1873107,,0,0,,40.0000,127.0000,1000
5.62.61.64/30,2042893,1873107,,0,0,,41.1544,126.2894,100
57.73.224.0/19,1873107,3017382,,0,0,,40.0000,127.0000,100
175.45.176.0/22,1873107,1873107,,0,0,,40.0000,127.0000,50
185.56.163.144/28,1871859,1873107,,0,0,,39.0194,125.7547,200
210.52.109.0/24,1873107,1814991,,0,0,,40.0000,127.0000,50

$ cat GeoLite2-City-Blocks-IPv4.csv | grep '2042893'
5.62.61.64/30,2042893,1873107,,0,0,,41.1544,126.2894,100
45.42.151.0/24,2042893,6252001,,0,0,,41.1544,126.2894,1000
172.97.82.128/25,2042893,6252001,,0,0,,41.1544,126.2894,1000

The only genuine entry here is this one:

175.45.176.0/22,1873107,1873107,,0,0,,40.0000,127.0000,50

Avast isn’t the only one in this list. NFOrce customers, “Roya Hosting” and others have also done this.

I submitted whois inaccuracy complaints and maxmind corrections to each fake one.

Avast has not just limited themselves to North Korea, they have set IP ranges to be all over the world for their VPN service:

RIPE Stat geoip summary

This is nothing short of insanity driving for anyone who uses GeoIP to compile statistics, and depending on the VPN offering it is fraudulent advertising.

One of the motivations for faking your location in your whois and thus GeoIP is that if you are torrenting you will get less DMCA emails, since a lot of the copyright enforcement bots will check GeoIP to see “if it’s worth it” to send a abuse email.

That time the DPRK had IPv6

Bad actors abusing BGP is nothing new, we have seen them come up with increasing frequency for things like:

Spam
- “Understanding the Network-Level Behavior of Spammers” - Anirudh Ramachandran and Nick Feamster
- Cantonal IP space in Switzerland hijacked by Spammers - Swiss CERT
- Using BGP data to find Spammers - BGPMon
Censorship
- Pakistan hijacks YouTube - Dyn
- Turkey Hijacking IP addresses for popular Global DNS providers - BGPMon
Or just plain showing off
- 1.3.3.0/24 ( = 1.3.3.7 ) is the Capture The Flag for BGP.
  Announcement = Incompetent||Malicious ISP
  RIPE Stat says 6 ASN's have managed it pic.twitter.com/B6SZMTDGZO
  — Ben Cox (@Benjojo12) September 30, 2017

However one day I was burning time and searching through bgp.he.net and found that North Korea had suddenly got IPv6!

But actually that IPv6 didn’t make sense, it turned out that it was upstreamed by a suspicious ISP:

suspicious upstream for north korea

Looking at RIPE Stat and the IPv6 prefix announced it is clear that for a short amount of time, the network operator spoofed his way to make it look like his prefix was being announced by the only ISP in North Korea:

RIPE stat showing a hijack on North Korea

Assuming everything in the world was done correctly, this would not be a problem. The prefix announcement would be filtered by the upstream network of the offender, but this time it did not. Hurricane Electric accepted the bad announcement and relayed it to peers:

Upstreaming though HE

The interesting part of this is that the ISP put China Unicom’s AS in front. This made the whole attempt look a lot more legitimate. I then looked to who else might be doing this and found a company called “Crowd Control” (Archive 1 | Archive 2).

website copy

Their site implies they are a new security startup, if we look at their routes and also find fake inserted China AS numbers in their AS Path:

HE Upstreaming again

Once again, Hurricane Electric are accepting this and sending it to their peers, giving that HE are a Tier 1 (if you ignore Cogent, who also isn’t really even Tier 1) it’s pretty bad that this fake information wasn’t filtered out in BGP configuration.

The silly part of this is that it’s pointless. It only serves to make it seem like these ISPs peer with China Telecom and other major providers:

bgp.he.net peering list

But it’s easy to spot the implausible routing in another tab:

routing graph

The root of these issues appear to be that Hurricane Electric’s tunnel broker BGP tunnels do not check the AS Path, but only the IP Range. This is problematic since it allows clearly fake paths to be advertised.

And what for? Just to fraud some people that they have connections with some well known ISPs? Or to sell VPN Services?

Amusingly some of those ISPs they are putting on their AS path don’t even have IPv6.

The strange case of ICMP Type 69 on Linux (2015)

Random Post:

Calling the world cup goals 5 seconds before they happen (2018)