Oct 25 2017

A surprising amount of people want to be in North Korea

While the president of the United States and the leader of North Korea were/are currently beefing on Twitter about who should destroy the world first, North Korea was also causing me some personal frustration on data quality.

The issue lies with “GeoIP” (or more widely speaking a database that contains the geographical mapping between IP addresses and locations on the planet).

If you run services with Internet traffic from a variety of users you may find sometimes the GeoIP information actually isn’t that great, especially if you’re dealing with IPv6 because most of this information has not been filled in yet.

However after a bit investigation I found that there were a set of of geoip errors that were unusual in that they didn’t actually appear to be an issue of data quality. More an issue of people maliciously inserting fake data into the database in order to appear to websites as if they were elsewhere.

The initial discovery came as a pure curiosity search. North Korea’s Internet recently got another upstream (through Russia’s TTK):

This extra upstream makes a massive difference with latency for EU traffic to North Korea.

Above are two ISP’s in the UK: Virgin takes the slower US -> China -> DPRK Route, while Sky takes the RU -> DPRK route!

A whole 108ms faster!

Down a GeoIP adventure

So the question I had was “How much traffic do I even get from North Korea anyway?” The answer surprised me when the little amount of my North Korean traffic wasn’t from the only ISP in North Korea but in fact Avast. The anti virus company.

An example lookup on one of the IPs shows it being located in Manp’o, Chagang-do.

A border city between China and North Korea.

Photo by George Wenn (Link | Archive 1 | Archive 2)

However this location assessment doesn’t align with logic, traceroute hop names or the bounding limits of the speed of light:

ben@gb:~$ mtr -rwc 5 -o "B " -f 3 5.62.61.65 Start: Sun Oct 15 22:30:19 2017 HOST: gb Best 3.|-- 185.84.16.242 0.8 4.|-- 185.84.16.241 1.2 5.|-- ae-6.r00.londen10.uk.bb.gin.ntt.net 1.1 6.|-- ae-0.level3.londen10.uk.bb.gin.ntt.net 1.1 7.|-- ??? 0.0 8.|-- ??? 0.0 9.|-- AVAST-SOFTW.bear1.Prague1.Level3.net 34.8 10.|-- r-227-076-074-195.avast.com 38.3 11.|-- r-65-61-62-5.ff.avast.com 34.7

Thankfully MaxMind does provide a CSV version of their database which means that you can grep through to find all the other offenders who fraudulently locate themselves in North Korea:

$ cat GeoLite2-City-Locations-en.csv | grep 'Asia,KP' 1871859,en,AS,Asia,KP,"North Korea",01,Pyongyang,,,Pyongyang,,Asia/Pyongyang 1873107,en,AS,Asia,KP,"North Korea",,,,,,,Asia/Pyongyang 2042893,en,AS,Asia,KP,"North Korea",04,Chagang-do,,,Manp'o,,Asia/Pyongyang

$ cat GeoLite2-City-Blocks-IPv4.csv | grep '1871859' 31.220.29.128/27,1871859,2921044,,0,0,,39.0194,125.7547,200 46.36.203.81/32,1871859,3164670,,0,0,,39.0194,125.7547,50 46.36.203.82/31,1871859,3164670,,0,0,,39.0194,125.7547,50 185.56.163.144/28,1871859,1873107,,0,0,,39.0194,125.7547,200 $ cat GeoLite2-City-Blocks-IPv4.csv | grep '1873107' 5.62.56.160/30,1873107,1873107,,0,0,,40.0000,127.0000,1000 5.62.61.64/30,2042893,1873107,,0,0,,41.1544,126.2894,100 57.73.224.0/19,1873107,3017382,,0,0,,40.0000,127.0000,100 175.45.176.0/22,1873107,1873107,,0,0,,40.0000,127.0000,50 185.56.163.144/28,1871859,1873107,,0,0,,39.0194,125.7547,200 210.52.109.0/24,1873107,1814991,,0,0,,40.0000,127.0000,50 $ cat GeoLite2-City-Blocks-IPv4.csv | grep '2042893' 5.62.61.64/30,2042893,1873107,,0,0,,41.1544,126.2894,100 45.42.151.0/24,2042893,6252001,,0,0,,41.1544,126.2894,1000 172.97.82.128/25,2042893,6252001,,0,0,,41.1544,126.2894,1000

The only genuine entry here is this one:

175.45.176.0/22,1873107,1873107,,0,0,,40.0000,127.0000,50

Avast isn’t the only one in this list. NFOrce customers, “Roya Hosting” and others have also done this.

I submitted whois inaccuracy complaints and maxmind corrections to each fake one.

Avast has not just limited themselves to North Korea, they have set IP ranges to be all over the world for their VPN service:

This is nothing short of insanity driving for anyone who uses GeoIP to compile statistics, and depending on the VPN offering it is fraudulent advertising.

One of the motivations for faking your location in your whois and thus GeoIP is that if you are torrenting you will get less DMCA emails, since a lot of the copyright enforcement bots will check GeoIP to see “if it’s worth it” to send a abuse email.

That time the DPRK had IPv6

Bad actors abusing BGP is nothing new, we have seen them come up with increasing frequency for things like:

However one day I was burning time and searching through bgp.he.net and found that North Korea had suddenly got IPv6!

But actually that IPv6 didn’t make sense, it turned out that it was upstreamed by a suspicious ISP:

Looking at RIPE Stat and the IPv6 prefix announced it is clear that for a short amount of time, the network operator spoofed his way to make it look like his prefix was being announced by the only ISP in North Korea:

Assuming everything in the world was done correctly, this would not be a problem. The prefix announcement would be filtered by the upstream network of the offender, but this time it did not. Hurricane Electric accepted the bad announcement and relayed it to peers:

The interesting part of this is that the ISP put China Unicom’s AS in front. This made the whole attempt look a lot more legitimate. I then looked to who else might be doing this and found a company called “Crowd Control” (Archive 1 | Archive 2).

Their site implies they are a new security startup, if we look at their routes and also find fake inserted China AS numbers in their AS Path:

Once again, Hurricane Electric are accepting this and sending it to their peers, giving that HE are a Tier 1 (if you ignore Cogent, who also isn’t really even Tier 1) it’s pretty bad that this fake information wasn’t filtered out in BGP configuration.

The silly part of this is that it’s pointless. It only serves to make it seem like these ISPs peer with China Telecom and other major providers:

But it’s easy to spot the implausible routing in another tab:

The root of these issues appear to be that Hurricane Electric’s tunnel broker BGP tunnels do not check the AS Path, but only the IP Range. This is problematic since it allows clearly fake paths to be advertised.

And what for? Just to fraud some people that they have connections with some well known ISPs? Or to sell VPN Services?

Amusingly some of those ISPs they are putting on their AS path don’t even have IPv6.