
How much traffic do I get from North Korea anyway? - fcambus
https://blog.benjojo.co.uk/post/north-korea-dprk-bgp-geoip-fruad
======
mirimir
> Or to sell VPN Services?

That seems to be a major aspect. There are hundreds of VPN services. They
compete on many dimensions, such as speed, security, not retaining any logs,
and the number of server locations. And some of them have insane numbers of
server locations.

Anyway, I've been looking at this issue for a while, using ping services (such as
asm.ca.com, maplatency.com and ping.pe). For HMA and VyprVPN, only about half
of the servers seem to be located where claimed. And HMA claims to have one in
North Korea ;)

Some

~~~
mirimir
PS - Here's a scatter plot (rtt vs km) of all HMA servers, using ping probes
in Vancouver:

[https://keybase.pub/mirimir/HMA-Vancouver.png](https://keybase.pub/mirimir/HMA-Vancouver.png)

Anything below the blue line is physically impossible. Notable is the
horizontal banding.

~~~
mirimir
Oops, I didn't mean to crop the plot that much :(

[https://keybase.pub/mirimir/HMA-Vancouver-rev.png](https://keybase.pub/mirimir/HMA-Vancouver-rev.png)

Or to have a typo in the x title, but so it goes.
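A check of the kind behind the blue line in the plot above, as an added example (not mirimir's code): it computes the speed-of-light floor on round-trip time from the probe to each claimed server location and flags any server whose measured ping lands below that floor. The probe location, the claimed coordinates, the RTT values and the 200,000 km/s fibre figure are all constructed assumptions, not data from the thread.

```python
import math

# Constructed probe location: Vancouver (lat, lon in degrees).
PROBE = (49.28, -123.12)

# Light in fibre travels at roughly 2/3 of c; 200,000 km/s is the usual
# rule-of-thumb bound (about 1 ms of round trip per 100 km of path).
FIBRE_KM_PER_MS = 200.0

# Constructed sample of claimed locations with measured RTTs in ms.
# These are made-up illustration values, not any provider's real servers.
CLAIMED = [
    ("Seattle, US",   (47.61, -122.33),   8.0),
    ("London, GB",    (51.51,   -0.13), 150.0),
    ("Pyongyang, KP", (39.03,  125.75),  12.0),
]

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    r = 6371.0
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat = lat2 - lat1
    dlon = lon2 - lon1
    h = (math.sin(dlat / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(h))

def min_rtt_ms(distance_km):
    """Lower bound on RTT: the signal has to get there and back."""
    return 2 * distance_km / FIBRE_KM_PER_MS

def check_claims(probe, claims):
    """Return (name, km, floor_ms, measured_ms, impossible) per claim."""
    out = []
    for name, loc, measured in claims:
        d = haversine_km(probe, loc)
        floor = min_rtt_ms(d)
        # Below the floor the claimed location cannot be true; above it
        # the claim is merely not refuted by this probe.
        out.append((name, d, floor, measured, measured < floor))
    return out

if __name__ == "__main__":
    for name, d, floor, measured, bad in check_claims(PROBE, CLAIMED):
        verdict = "IMPOSSIBLE" if bad else "plausible"
        print(f"{name:14s} {d:6.0f} km  floor {floor:5.1f} ms  "
              f"measured {measured:5.1f} ms  {verdict}")
```

A single probe can only refute a location; to narrow down where a server actually is, the same floor has to be taken from several probes in different places and intersected.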

------
RingwormOne
I really have no idea what any of that means, but it sounds interesting and I
want to understand it. Where do I start?

~~~
feelin_googley
RFC 2650

    # Print the line number of an existing entry for this address, if any
    __=$(exec sed -n '/^4.31.198.44 /!d;=;q' /etc/hosts);
    # If nothing was found, append a static entry (needs write access to /etc/hosts)
    test ${#__} -gt 0||
    echo 4.31.198.44 www.ietf.org >> /etc/hosts

[http://www.ietf.org/rfc/rfc2650.txt](http://www.ietf.org/rfc/rfc2650.txt)

Avast, NFOrce, etc. can update their BGP routing information with a routing
registry probably by just sending an email with some authentication details.
Apparently the veracity of provided information is not checked. The
information then gets propagated to a shared routing registry database offered
to the public for free by a handful of registries via WHOIS.

The blog author suggests that the inaccuracies in Maxmind may originate from
fake information in WHOIS.

[http://www.eecs.qmul.ac.uk/~steve/papers/geolocation-ccr-11....](http://www.eecs.qmul.ac.uk/~steve/papers/geolocation-ccr-11.pdf)

This paper discusses accuracy of GeoIP databases. It concludes they are
between 96-98% accurate at the country-level. Maybe the database compilers
would use delay measurement for the 2-4% if the inaccuracies follow some
pattern, e.g. they are consistently associated with particular countries. Maybe
they already use this method. I don't know.

The IP addresses in the blog, and the idea of fake VPN exit nodes, were
discussed previously:
[http://blog.trendmicro.com/trendlabs-security-intelligence/a...](http://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-north-koreas-internet/)

~~~
jshap70
this is quite possibly the least helpful comment you could have made for
someone saying a lot of it went above their head

------
tinus_hn
In other news, IP-based geolocation is not reliable and just guesswork.

------
Theodores
This is a bit beyond my knowledge of TCP/IP, however, does this support
Putin's assertion that hackers can make an attack appear to come from Russia
when they could be based somewhere else? How much work do you have to do to
make it that your IP address is from somewhere credibly in some other country?

~~~
mitchs
I'd say not really. BGP based lies are hilariously easy to spot, and can be
observed by any ISP in the world. When the US Intelligence community blames
Russia for hacking they aren't just doing geo-ip lookups and believing what
they see. Anyone with a credit card these days can rent a server in any
country anyway, so origin of traffic is more or less useless.

~~~
comex
> Anyone with a credit card these days can rent a server in any country anyway

Including North Korea? :)

~~~
isostatic
It would make sense for NK to sell VPN and server space to clients for hard
currency.

------
SyneRyder
This is mostly unrelated, but is the AARNet peering with China Telecom in this
article meant to be legit or fake? I think it's meant to be legit, but I can't
get past AARNet misspelling their own name - "Reasearch" (sic).

