Forwarded from: John Q. Public <tpublicat_private> Kevin Poulsen's article fills in the vague blanks in Middleton's article at http://www.securityfocus.com/news/282 but I think what they are still lightly discussing is the large number of old-style "A" and "B" class networks that many organizations have put behind firewalls. I recently departed a company whose close associate had more than a dozen /16s that were literally private and internal only. The fact that they were still using the public space given to them years ago was strictly due to legacy requirements of not being able to renumber such large chunks that were being used in a production environment. (For the record, I am not in favor of networks like these.) If any of those networks were accidentally breached and spawned tens of thousands of infected hosts, many of them were still able to further attack the internet via proxies and NAT configurations. Especially if the attack was spam (via 25/tcp) or IIS-based bugs (via 80/tcp) which have become all too common lately. Attacks by these 'unreachable' hosts would certainly seem suspicious, but that is only because of the way those addresses are normally protected from the outside of their organizations. I don't think this should be a surpise to anyone who has more than a few /24s under their belt, since many organizations are currently implementing firewalls and routing tricks to prevent their space from being attacked by the wild, while still trying to make that space usable as communication sources to the internet. The fact that large customer base providers like cable and dsl ISPs seem to have large empty blocks is simply because they requested tons of space from their address coordinators and they don't have the customers to fill the space yet. There are very few service providers that utilize NAT on their customers, and for those that don't, we'll see this obvious underutilization of their address space. I don't think this is anything to be concerned about, because I don't think many people that it affects will be surprised by this "new" information. .nhoJ On Thu, 15 Nov 2001, InfoSec News wrote: |Date: Thu, 15 Nov 2001 01:20:32 -0600 (CST) |From: InfoSec News <isnat_private> |To: isnat_private |Subject: [ISN] 'Dark web space' hides net nasties | |http://www.vnunet.com/News/1126843 | |By James Middleton |14-11-2001 | |Results of a three-year study on internet 'reachability' have |confirmed that the web is partitioned and littered with pockets of |'dark web space' which are home to some of the internet's nasties. | |The existence of dark web space runs contrary to the common belief |that the internet is one fully connected graph. The research suggests |that the web is partitioned and some prefixes are available for some |providers, and not others. | |But more worryingly, the study found that this dark space is often |used as a launch pad for fleeting internet attacks or as a spamming |platform. | |A report released by Arbor Networks has revealed that as much as five |per cent of the internet could exist in dark web space, a figure |representing tens of millions of possible end hosts. | |Arbor found that these short-lived routing activities, like spamming, |indicated a misuse of the routing infrastructure. | |The findings backed up last month's warning from the Computer |Emergency Response Team that hackers may increasingly be targeting |routing infrastructures as a platform for denial of service attacks. | |These murky parts of the internet could also be used to intentionally |'black hole' a target network's traffic. | |Arbor also found a large number of SMTP servers, including over 40,000 |unique mail sources, a number of which were associated closely with |known spamming incidents. These net nasties work by exploiting |inherent weaknesses in the web's routing infrastructure. | |If a router can stake a claim on a block of address space, the rest of |the net's infrastructure will simply accept it and route all traffic |for that block. | |Because routers aren't set up to log such incidents, these dark |corners of the web represent pockets of malicious or sinister activity |and "intentional misuse and co-option of the internet routing |infrastructure", said Arbor. | |The research found that over 70 per cent of the discovered |disenfranchised hosts responded to 'reachability' tests identifying |them as cable or ISDN pools, as well as US military networks. | |Strangely, a further 24 per cent of hosts responded to active |availability tests, but had neither addressing nor routing information |available. Arbor is now researching further into this area. - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Fri Nov 16 2001 - 03:32:55 PST