LWN: Comments on "FSF: GNU hackers discover HACIENDA government surveillance and give us a way to fight back"
https://lwn.net/Articles/609209/
This is a special feed containing comments posted to the individual LWN article titled "FSF: GNU hackers discover HACIENDA government surveillance and give us a way to fight back".
Feed date: Thu, 23 Oct 2025 10:26:01 +0000

FSF: GNU hackers discover HACIENDA government surveillance and give us a way to fight back
https://lwn.net/Articles/609897/
By zblaxell

"Legit apps" know where their correct hosts and ports are, even on sites open to the public. Everyone else is running incompatible or misconfigured software at best, and up to no good at worst. Either way they are in the wrong place, so straight to the tarpits they go.

HACIENDA is about mapping unadvertised hosts. The point is to build a database of services that can be discovered by port scanning but *have not already been discovered by other surveillance projects*. Your blog host is not interesting to HACIENDA, but the ssh remote port forwarding you occasionally set up to bypass local internet interference is.

Posted: Thu, 28 Aug 2014 21:56:29 +0000

IPv6 US rollout
https://lwn.net/Articles/609419/
By Arker

That does vary. My ISP permits at least 4 (I think it was actually 6) different IPs on my home connection. So I can run a 4-port switch, use 3 IPs, including one for the router, and any extra devices attach via the router. Works quite well.

Unfortunately the largest ISPs also seem to be the worst ISPs, and they are the ones that are growing.
:(

Posted: Sun, 24 Aug 2014 14:34:43 +0000

FSF: GNU hackers discover HACIENDA government surveillance and give us a way to fight back
https://lwn.net/Articles/609367/
By jhardin

I would note that the comment on the tarpit iptables page that suggests LaBrea requires dedicated IP addresses is no longer correct given the patch I provided.

http://sourceforge.net/p/labrea/patches/

Posted: Sat, 23 Aug 2014 17:50:40 +0000

FSF: GNU hackers discover HACIENDA government surveillance and give us a way to fight back
https://lwn.net/Articles/609366/
By jhardin

I've been doing this for a *long* time (well prior to the iptables stuff) using LaBrea ( http://labrea.sourceforge.net/ ) - note that I've provided some patches that should be applied.

I also use it to tarpit abusive spammers.

There's more information on how I do it at http://www.impsec.org/~jhardin/antispam/ including sample scripts.

Posted: Sat, 23 Aug 2014 17:43:42 +0000

IPv6 US rollout
https://lwn.net/Articles/609332/
By tialaramex

There's no reason why the average consumer (say, my mother) would want to know about IPv6. These are people for whom the distinctions between Windows (an operating system), the PC (hardware) and Microsoft (a company) are difficult to discern, never mind knowing Internet Explorer from Firefox, both of which they will just call "Google" or, if you're lucky, "The Internet".

Imagine trying to get a non-technical friend or relative excited about the end of the Big Kernel Lock.
Most likely, if you manage, they'll end up with a bunch of misconceptions that are perhaps worse than if they'd remained ignorant.

In the ideal world the transition would have begun about a decade ago, most people today would already have working IPv6, and the discussions would now be about how quickly and easily we can begin the far end of the transition, deprecating IPv4 and removing it from the core, and my mother _still_ wouldn't know about it.

Posted: Sat, 23 Aug 2014 00:29:21 +0000

FSF: GNU hackers discover HACIENDA government surveillance and give us a way to fight back
https://lwn.net/Articles/609330/
By flussence

In the distant past I've used the tarpit iptables patch ( http://www.netfilter.org/projects/patch-o-matic/pom-external.html ) for this, but I gave up on it after a few weeks because it was very high-maintenance.

On the other hand, it seems like they've fixed that problem in the newest iteration ( http://xtables-addons.sourceforge.net/ ) (and added a few more tools to mess with port scanners besides), so maybe it's worth another shot...

Posted: Fri, 22 Aug 2014 23:52:16 +0000

FSF: GNU hackers discover HACIENDA government surveillance and give us a way to fight back
https://lwn.net/Articles/609329/
By apoelstra

Is there an easy or standard way to tarpit ports, or did you have to write a daemon that listens for connections and holds them open?

Posted: Fri, 22 Aug 2014 22:54:19 +0000

IPv6 US rollout
https://lwn.net/Articles/609317/
By ewan

This actually sounds like the best configuration to encourage IPv6 adoption.

Posted: Fri, 22 Aug 2014 20:20:09 +0000

IPv6 US rollout
https://lwn.net/Articles/609315/
By danieldk

We are on Kabel BW in Germany, and have native IPv6 and DS-Lite.
DS-Lite is a bit inconvenient: since we don't have a unique IP address, we cannot do port forwarding, etc. That said, I am happy we are on IPv6 :).

Posted: Fri, 22 Aug 2014 20:17:00 +0000

IPv6 US rollout
https://lwn.net/Articles/609311/
By jannic

Yes, exactly, a large number of customers with a single IP address. So you can't even configure port forwarding. Impossible to run even a small private server behind such a thing.

Of course you can run the server on the native IPv6 address you get. But then you can't access it when you are on an IPv4-only network. (Like, say, from your mobile phone...)

They call it 'carrier-grade NAT' to make it sound like it's something good.

Posted: Fri, 22 Aug 2014 18:43:59 +0000

FSF: GNU hackers discover HACIENDA government surveillance and give us a way to fight back
https://lwn.net/Articles/609309/
By JoeBuck

Port knocking is only useful if you want to hide the existence of a server from unauthorized people. For example, you might want to be able to ssh into your home machine without allowing anyone else to, but if scanners see port 22 they'll run dictionary attacks and exploit attempts against it all day long. So you could use port knocking.

Perhaps the GNUnet people have some kind of decentralized peer-to-peer mesh network in mind where only neighboring nodes would be authorized to connect. In that case, only the authorized neighbors might know the knock code and anyone else wouldn't be able to see the existence of servers at all.

This would provide additional security against random crackers, but I don't think it would really stop a determined adversary with the resources of the NSA or GCHQ. If they could crack one node, and everyone's running the same software, they could then knock over the neighboring nodes until they own the whole network.
Posted: Fri, 22 Aug 2014 18:29:13 +0000

FSF: GNU hackers discover HACIENDA government surveillance and give us a way to fight back
https://lwn.net/Articles/609306/
By jhardin

> Personally, I don't see any point in trying to block or prevent this scanning at all ... The only benefit to hiding a server behind port-knocking or the like would be to protect against cracking attempts ...

I have a TCP tarpit set up on ports for commonly-abused services that shouldn't be (and which I don't) provide to the Internet at large - e.g. RDP, VNC, MSSQL, telnet - and I redirect any detected PHP scanning activity against my webserver to a tarpitted port as well.

I think this is a completely reasonable policy for such services, and if more people did this there'd be a lot less malicious scanning traffic and automatically-propagating malware around.

Posted: Fri, 22 Aug 2014 18:06:20 +0000

IPv6 US rollout
https://lwn.net/Articles/609303/
By RobSeace

If true, that's awesome! You'd think they'd make a bit more noise about it, though, and maybe inform all their existing customers about it so that they could get new equipment if necessary and start using it...

I still can't seem to find any info about business-class static IPv6s being available, though... I can find mention of them doing limited business-class testing, but apparently of dynamic(?!) IPv6 addresses? (WTF is the point of that?? Give everyone a static /64, at least!) So, no joy for us yet, I guess...

But, it's good the consumer class is making progress, at least!

Posted: Fri, 22 Aug 2014 18:01:30 +0000

IPv6 US rollout
https://lwn.net/Articles/609301/
By lambda

Comcast has rolled it out to a pretty substantial fraction of its customers by now. I recall that I had been waiting expectantly for it, and tunneling in the meantime.
A few months ago, I decided to check again, and sure enough they offer IPv6 in my region now. I turned off my tunnel and turned on native v6 and have been using it ever since.

It's a lot more than "a few users in select areas" by now; it's pretty much "all users with up-to-date modems and routers, in areas with up-to-date CMTS systems." As the equipment turns over, pretty much everyone getting new equipment is getting IPv6 support.

Posted: Fri, 22 Aug 2014 17:43:13 +0000

IPv6 US rollout
https://lwn.net/Articles/609289/
By RobSeace

Actually, I may have misunderstood... When you say NAT, do you mean the ISP is doing its own internal NAT'ing, such that several of its customers are all sharing a single real public IP? That, thankfully, isn't very common around here, that I know of... I just meant most people get a single public IPv4 (which changes regularly), and end up doing their own NAT on it (well, or the ISP does it for them with the supplied modem/router), such that all devices on their internal LAN are using non-public IPs...

I really, really long for the pre-NAT days, when every host had a publicly addressable IP!

Posted: Fri, 22 Aug 2014 15:32:50 +0000

FSF: GNU hackers discover HACIENDA government surveillance and give us a way to fight back
https://lwn.net/Articles/609291/
By raven667

As someone else pointed out, in IPv6 land active scanning is no longer effective, but your big entities are tapping links so they can harvest active addresses by looking at flow data, and your big providers can harvest data from their logs. I see a future where the process of getting lists of addresses is done by breaking into organizations which collect them, like Akamai or Google.
Posted: Fri, 22 Aug 2014 15:27:42 +0000

IPv6 US rollout
https://lwn.net/Articles/609284/
By jannic

Ouch, didn't know that. I mean, dynamic IPs are normal here, as well. But at least they are real IPs, not NAT. And getting a static IP isn't very expensive, either, in many cases. E.g. the option costs 5€/month for the DSL line I'm using at the moment.

I guess it's because we are in the lucky situation that in the cities, there are usually two or three providers available to choose from. (At least some kind of DSL connection and a cable-based offer.)

Posted: Fri, 22 Aug 2014 15:13:04 +0000

IPv6 US rollout
https://lwn.net/Articles/609273/
By RobSeace

Well, here in the US, pretty much everyone gets NAT over a single dynamic IPv4, anyway... Unless you pay big money for a business-class connection and static IPs (which we do here at home)... So, for most people here, it wouldn't be any issue to have their IPv4 access over a single NAT'd IP... While the static IPv6 subnet they'd get to go along with it would be an amazing new benefit!

Posted: Fri, 22 Aug 2014 14:54:22 +0000

IPv6 US rollout
https://lwn.net/Articles/609272/
By jannic

Be careful what you wish for: here in Germany, some providers (at least Unitymedia) are delivering native IPv6 to their customers. But they are using Dual Stack Lite: no native IPv4, but some kind of NAT instead.

Of course, in the long run, that's the way to go. Full Dual Stack deployments just don't solve the issue of scarce IPv4 addresses.
But for now, from a customer's point of view, even native IPv4 + tunneled IPv6 would be better than native IPv6 + NATed IPv4.

Posted: Fri, 22 Aug 2014 14:44:36 +0000

IPv6 US rollout
https://lwn.net/Articles/609268/
By RobSeace

Yes, supposedly Comcast is doing a lot of IPv6 work, and should be praised for it... But, as far as I know, they're still only rolling it out to a few users in select areas... And, last we checked, we couldn't get it here at home for our Comcast Business Class connection... I'm sure they'll keep doing more, and are probably wise to go slowly with it, but I'm just impatient to see the day where EVERY ISP offers a dual-stack connection as standard...

Posted: Fri, 22 Aug 2014 14:36:07 +0000

IPv6 US rollout
https://lwn.net/Articles/609265/
By tialaramex

Are you sure of your facts?

My understanding, as a European, is that Comcast has an extensive IPv6 rollout, which contributes to that high percentage. The sheer size and population of the US makes IPv6 an attractive option for an ISP expecting to pick up a sizeable fraction of the national market.

In contrast, in the UK none of the ISPs a typical consumer has heard of offer IPv6. All the big incumbents have decided they'll sit tight.

Posted: Fri, 22 Aug 2014 14:05:50 +0000

FSF: GNU hackers discover HACIENDA government surveillance and give us a way to fight back
https://lwn.net/Articles/609247/
By RobSeace

I only now looked at your link... I'm amazed that the US is listed at 9.51% adoption! It must be mostly from mobile users, I'd bet... Supposedly, they're big IPv6 adopters, out of necessity, given the number of mobile devices... But, it's still next to impossible for anyone to get an IPv6 (or, ideally, dual-stack) connection from their home ISP...
Tunnelling is about the only option available...

Posted: Fri, 22 Aug 2014 13:24:30 +0000

FSF: GNU hackers discover HACIENDA government surveillance and give us a way to fight back
https://lwn.net/Articles/609245/
By RobSeace

I should've specified I meant no (or very little) movement here in the USA... I know other countries are way ahead of us in IPv6 deployment, and that's great... Hopefully, their continued deployment will eventually push us into doing so as well...

Posted: Fri, 22 Aug 2014 13:16:46 +0000

FSF: GNU hackers discover HACIENDA government surveillance and give us a way to fight back
https://lwn.net/Articles/609243/
By spaetz

No movement is not true, fortunately.

Countries like Germany, Switzerland and Belgium are above 10% when accessing Google:
http://www.google.com/intl/en/ipv6/statistics.html#tab=per-country-ipv6-adoption

End-users are finally getting native IPv6 addresses in these countries, which goes a long way to start addressing the chicken-and-egg problem.

Posted: Fri, 22 Aug 2014 12:19:26 +0000

FSF: GNU hackers discover HACIENDA government surveillance and give us a way to fight back
https://lwn.net/Articles/609242/
By DV

Seconded, very interesting, thanks!

Posted: Fri, 22 Aug 2014 12:17:26 +0000

FSF: GNU hackers discover HACIENDA government surveillance and give us a way to fight back
https://lwn.net/Articles/609241/
By jannic

Definitely :-)

And I should have added that smiley to my original post. It wasn't meant seriously.
Knowingly countering a bad idea (TCP stealth) with another bad idea.

That said, I do think that actually answering all TCP requests would make scanning more difficult. But, as you noticed, one would at least need to implement some basic fake three-way handshake to make the service look real. I don't even want to think about the headaches that could cause when diagnosing network issues.

I guess some governments can already listen to most internet traffic, so they can see which servers are actually getting accessed. No need for active scans. So making scans more difficult wouldn't even help.

Posted: Fri, 22 Aug 2014 12:15:58 +0000

FSF: GNU hackers discover HACIENDA government surveillance and give us a way to fight back
https://lwn.net/Articles/609239/
By RobSeace

Oh, how I wish everyone would hurry up and deploy IPv6! I've been waiting for the day to finally come now for a decade or more, it seems... When we finally ran out of IPv4 addresses a while back, I thought that would finally spur movement, but so far, nope... Ugh...

Posted: Fri, 22 Aug 2014 11:42:56 +0000

FSF: GNU hackers discover HACIENDA government surveillance and give us a way to fight back
https://lwn.net/Articles/609238/
By tialaramex

Indeed. Your mentions of port-knocking are apposite.

Scanning is practical because the address space to search is relatively modest. IPv6 expands that space so much it makes both botnets looking to recruit new SSH-capable hosts for C&C and this HACIENDA scheme impractical. So let's just get on with the migration.

Posted: Fri, 22 Aug 2014 11:35:31 +0000

FSF: GNU hackers discover HACIENDA government surveillance and give us a way to fight back
https://lwn.net/Articles/609237/
By RobSeace

That sounds like a horrible idea...
Worse than the opposite idea (which most firewalls take) of not responding at all (which is horrible enough and causes plenty of problems already)...

What do you do when it's not just a SYN-scan type port scanner, but a real client trying to connect to one of those ports? Do you send a RST when it sends the final ACK to complete the handshake? If so, all you've done is required the port scanner to do the same in order to learn the truth... Do you just silently drop it? If so, it's going to keep resending it for a while before eventually giving up, which will cause no end of frustration and head-scratching to legit apps... And, the port scanner will still be able to use the silence to detect that the port is not active, in much the same way they currently use the silence from firewalls dropping incoming SYNs to detect filtered ports...

Personally, I don't see any point in trying to block or prevent this scanning at all... What ports a publicly facing host has open is something that's basically public information, and that's how it should be... The only benefit to hiding a server behind port-knocking or the like would be to protect against cracking attempts, e.g. bots scanning for vulnerable SSH servers to run dictionary attacks against... But, it's the sort of thing you can only do on private servers that allow very few legit remote users in... On a public server that's meant to let everyone in (e.g. a web server), you can't hide it like that...
If you did, you'd have to let everyone know the secret knock, and then the port-scanning bots would know it as well, and be able to get past your hiding...

Posted: Fri, 22 Aug 2014 11:21:47 +0000

FSF: GNU hackers discover HACIENDA government surveillance and give us a way to fight back
https://lwn.net/Articles/609235/
By jannic

For fighting back, wouldn't it be better to modify the TCP stack to answer SYNs on every single TCP port, even if there is no service listening?

That way, the crawler doesn't learn anything about available services, and its database is going to get quite big.

Posted: Fri, 22 Aug 2014 09:52:02 +0000

FSF: GNU hackers discover HACIENDA government surveillance and give us a way to fight back
https://lwn.net/Articles/609226/
By fb

Thanks for sharing the article. Interesting read.

Posted: Fri, 22 Aug 2014 08:26:02 +0000

FSF: GNU hackers discover HACIENDA government surveillance and give us a way to fight back
https://lwn.net/Articles/609220/
By grahame

Given someone did this in 2012 using ADSL modems, it's no surprise, really, that governments are doing it.

http://internetcensus2012.bitbucket.org/paper.html

Posted: Fri, 22 Aug 2014 05:43:14 +0000
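Editor's added example, not code from the thread, from LaBrea, or from xtables-addons: the "daemon that listens for connections and holds them open" that apoelstra asks about. It completes the TCP handshake (so the port looks open to SYN scans and full-connect scans alike) and then neither reads, writes nor closes; since nothing is read, the peer's data fills a deliberately small kernel receive buffer and the advertised window drops to zero, which is the userspace approximation of what the kernel TARPIT target flussence links to does. The `Tarpit` class, the `probe()` check, the port numbers and the timings are all this example's own choices.

```python
# Added example: a minimal userspace TCP tarpit (not LaBrea, not xtables-addons
# TARPIT, not jhardin's setup). Ports, buffer size and timings are made up.
import socket
import threading
import time


class Tarpit:
    """Accept TCP connections on one port, then never read, write or close.

    The handshake completes, so the port looks open to SYN scans and to
    full-connect scans alike. Because we never read, whatever the peer sends
    sits in the kernel receive buffer until it fills and our advertised window
    drops to zero; a scanner that then tries to talk to the "service" stalls.
    """

    def __init__(self, host="127.0.0.1", port=0, max_held=4096, max_hold_s=3600.0):
        self._lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        # A small receive buffer set on the listener is inherited by accepted
        # sockets, so the zero-window condition is reached after little data.
        self._lsock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 1024)
        self._lsock.bind((host, port))
        self._lsock.listen(128)
        self._lsock.settimeout(0.1)        # lets the accept loop poll the stop flag
        self.port = self._lsock.getsockname()[1]
        self._held = {}                    # socket -> monotonic time accepted
        self._max_held = max_held          # cap on our own file descriptors
        self._max_hold_s = max_hold_s      # reap a victim after this long
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._loop, daemon=True)

    def held(self):
        return len(self._held)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join()
        for conn in self._held:
            conn.close()
        self._held.clear()
        self._lsock.close()

    def _loop(self):
        while not self._stop.is_set():
            try:
                conn, _peer = self._lsock.accept()
            except socket.timeout:         # must precede OSError: it is a subclass
                pass
            except OSError:
                break
            else:
                if len(self._held) >= self._max_held:
                    conn.close()           # full: refuse rather than starve ourselves
                else:
                    self._held[conn] = time.monotonic()
            self._reap()

    def _reap(self):
        """Close connections held longer than max_hold_s. Since we never read,
        a peer that gave up and closed is only noticed here."""
        now = time.monotonic()
        expired = [c for c, t0 in self._held.items() if now - t0 >= self._max_hold_s]
        for conn in expired:
            conn.close()
            del self._held[conn]


def probe(port, host="127.0.0.1", timeout=1.0):
    """What a client sees: 'held' if the connection stays open but silent,
    'closed' if the server closed it, 'data' if it sent something,
    'refused' if nothing is listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as c:
            try:
                chunk = c.recv(1)
            except socket.timeout:
                return "held"
            return "closed" if chunk == b"" else "data"
    except ConnectionRefusedError:
        return "refused"


if __name__ == "__main__":
    tp = Tarpit(port=3389).start()         # RDP, one of the ports jhardin names
    print("tarpit listening on", tp.port, "->", probe(tp.port))
    tp.stop()
```

The cost of this approach is one file descriptor and a socket buffer per victim on your side, which is why `max_held` and `max_hold_s` exist; the kernel-side TARPIT target avoids that cost entirely by never allocating a socket, which is the practical reason to prefer it on a busy host.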
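Editor's added example, not jhardin's script and not taken from his antispam page: one way to do what jhardin describes, detecting PHP-scanner activity in the web server's access log and sending those sources to a tarpitted port. The probe-path list, the threshold, the sample log lines, the IP addresses and the port numbers are all constructed for illustration; the emitted `iptables` commands use the `REDIRECT` target and the xtables-addons `TARPIT` target from flussence's link.

```python
# Added example: flag PHP-scanner sources from an access log and emit firewall
# rules that redirect them to a tarpitted port. Not jhardin's code; signature
# list, thresholds, log lines, addresses and ports are invented.
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip ident user [time] "method path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)

# Paths a site that runs none of these PHP apps never legitimately receives;
# each is a classic probe target. Starter list, not exhaustive.
PROBE_RE = re.compile(
    r"(?i)(/phpmyadmin|/pma/|/myadmin|/xmlrpc\.php|/wp-login\.php|"
    r"/eval-stdin\.php|/vendor/phpunit|/\.env$|\.php\?.*=(https?:|ftp:)|/shell\.php)"
)


def parse_line(line):
    """Return (ip, datetime, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    t = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), t, m.group("path"), int(m.group("status"))


def find_scanners(lines, threshold=3, window_s=600):
    """Source IPs that sent at least `threshold` probe requests within some
    `window_s`-second span. One odd request is not enough: a visitor who
    mistypes /wp-login.php once is left alone."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, t, path, _status = rec
        if PROBE_RE.search(path):
            hits[ip].append(t.timestamp())
    scanners = set()
    for ip, times in hits.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):          # sliding window over sorted times
            while times[hi] - times[lo] > window_s:
                lo += 1
            if hi - lo + 1 >= threshold:
                scanners.add(ip)
                break
    return scanners


def tarpit_rules(scanners, http_port=80, tarpit_port=8088):
    """iptables commands: REDIRECT each scanner's web traffic to a local port
    that the xtables-addons TARPIT target holds open. The TARPIT rule comes
    first so nothing is redirected to a port that simply refuses."""
    rules = [f"iptables -A INPUT -p tcp --dport {tarpit_port} -j TARPIT"]
    for ip in sorted(scanners):
        rules.append(
            f"iptables -t nat -A PREROUTING -s {ip} -p tcp --dport {http_port} "
            f"-j REDIRECT --to-ports {tarpit_port}"
        )
    return rules


# Constructed sample log: 198.51.100.7 sweeps PHP admin paths, 203.0.113.10 is
# a normal visitor who hits one probe-looking path once.
SAMPLE_LOG = """\
198.51.100.7 - - [22/Aug/2014:10:00:01 +0000] "GET /phpMyAdmin/index.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.10 - - [22/Aug/2014:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Aug/2014:10:00:02 +0000] "GET /pma/index.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Aug/2014:10:00:04 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.10 - - [22/Aug/2014:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Aug/2014:10:00:09 +0000] "GET /xmlrpc.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for rule in tarpit_rules(find_scanners(SAMPLE_LOG)):
        print(rule)
```

The rules are appended permanently here; in practice you would put the offending addresses in an ipset with a timeout (or expire them from a cron job) so that a dynamically-assigned address does not stay tarpitted after it is reassigned to someone else.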
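Editor's added example, not GNUnet code and not the mechanism the linked FSF article proposes: a tracker for the simple port-knocking scheme JoeBuck and RobSeace discuss, fed a stream of (time, source address, destination port) tuples as a firewall log or packet capture would yield them. The knock sequence, the time window and the lease length are invented. It also shows the check RobSeace's objection calls for: a sequential sweep of the whole port range does hit every knock port, but it also hits the ports in between, and those stray hits reset the sequence, so the sweep never opens the door. What it cannot defend against is what jannic points out: anyone who can watch the wire sees the knocks and can replay them, which is why schemes that authenticate a single packet with a keyed MAC are the stronger variant.

```python
# Added example: port-knock tracker of the simple kind discussed above.
# Not GNUnet's code; sequence, window, lease and addresses are invented.


class KnockTracker:
    """Open a protected port for a source only after it has hit the secret
    ports in the right order, quickly enough, with no stray ports in between.

    The "no stray ports" rule is what defeats a scanner: a sweep of the port
    range hits every knock port eventually, but also hits the ports between
    them, and each stray hit resets that source's progress.
    """

    def __init__(self, sequence, window_s=10.0, lease_s=30.0):
        if len(sequence) < 2 or len(set(sequence)) != len(sequence):
            raise ValueError("knock sequence must be 2+ distinct ports")
        self.sequence = tuple(sequence)
        self.window_s = window_s      # the whole sequence must arrive within this
        self.lease_s = lease_s        # how long the door stays open afterwards
        self._progress = {}           # src -> (next_index, time_of_first_knock)
        self._open_until = {}         # src -> expiry time

    def observe(self, t, src, dport):
        """Feed one inbound SYN. Returns True only on the knock that completes
        the sequence for `src`."""
        idx, t0 = self._progress.get(src, (0, t))
        if idx > 0 and t - t0 > self.window_s:
            idx, t0 = 0, t            # too slow: start over
        if dport == self.sequence[idx]:
            idx += 1
            if idx == len(self.sequence):
                self._progress.pop(src, None)
                self._open_until[src] = t + self.lease_s
                return True
            self._progress[src] = (idx, t if idx == 1 else t0)
            return False
        # Wrong port. A hit on the first knock port restarts the sequence;
        # anything else wipes this source's progress (the anti-sweep rule).
        if dport == self.sequence[0]:
            self._progress[src] = (1, t)
        else:
            self._progress.pop(src, None)
        return False

    def allowed(self, t, src):
        """Should a connection from `src` to the protected port be accepted now?"""
        until = self._open_until.get(src)
        if until is None:
            return False
        if t > until:
            del self._open_until[src]  # lease expired
            return False
        return True


if __name__ == "__main__":
    knock = KnockTracker(sequence=(7000, 9000, 8000))
    client = "203.0.113.5"
    done = False
    for t, port in ((0.0, 7000), (0.4, 9000), (0.9, 8000)):
        done = knock.observe(t, client, port)
    print("client opened door:", done, "allowed:", knock.allowed(1.0, client))
    # A sequential sweep of every port completes nothing.
    scanner = "198.51.100.7"
    opened = any(knock.observe(0.001 * p, scanner, p) for p in range(1, 65536))
    print("scanner opened door:", opened, "allowed:", knock.allowed(66.0, scanner))
```

Note that the anti-sweep rule also means a knock sequence must not be monotonically increasing or decreasing with no other port traffic in between; the reset on stray ports is what protects it, not the order alone.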