
Scans of North Korean IP Space - djcapelis
http://nknetobserver.github.io
======
jedberg
So they seem to have at least some commercial software and hardware made by
American companies. Given that the US cannot trade with NK that means either
1) the companies broke the embargo or 2) they bought through a 3rd party or 3)
the software is pirated/stolen.

I'll assume #1 isn't true since it would be stupid for those companies to do
that for so little money.

#2 has interesting implications about trade embargoes. Unless everyone in the
world participates, it seems like all an embargo does is add complexity and
middle-men to the transaction. For example, if they legally acquired the
software and hardware through a Chinese or Russian reseller, then all that
happened was the Chinese or Russians took a cut.

#3 interests me because what happens there? Ok, they are using clearly stolen
software, now what? Are there any consequences?

~~~
ghshephard
There is a _huge_ market (In the Billions of dollars) for used technology
hardware - I've seen some warehouses that had over $500million dollars (at
list price) of used Networking and Server equipment. I can't believe it would
be particularly difficult for places like Cuba, North Korea, etc... to
purchase a bunch of containers of Cisco Routers or HP servers and have them
routed through cut-out countries before final shipping to them.

~~~
MrJagil
> I've seen some

Please elaborate! If you're comfortable with it of course.

~~~
ghshephard
These guys (who I've worked with back when they were NHR) have massive
warehouses of used equipment that you purchase for 70-80% off list. They sell
about $250mm worth of equipment each year.

[https://www.curvature.com](https://www.curvature.com)

Here is their distribution center:
[https://www.curvature.com/DistributionCenter](https://www.curvature.com/DistributionCenter)

Carrying inventory valued at $200mm.

------
deanclatworthy
Fascinating. Has anyone ever penetrated the NK intranet via an internet-facing
machine, to do a thorough analysis? I've read a few articles [1] but never a
detailed analysis of what's available.

[1] [http://www.fastcolabs.com/3036049/what-its-like-to-use-north-koreas-internet](http://www.fastcolabs.com/3036049/what-its-like-to-use-north-koreas-internet)

------
gwern
The generally old-school services available and minimal turnover suggests to
me that the official IP space is entirely controlled by a few NK government
entities (maybe one of the universities?) and the real NK IP space is
dispersed among Chinese allocations/assignments. Is there any way to know how
representative these results are of overall NK Internet usage?

~~~
azernik
That's possible, but the general consensus is this (FTA):

"The country is said to have a fairly large internal domestic internet
disconnected from the rest of the world. Most citizens with access to
computers are only allowed to access this network, not the global computer
network the rest of us connect to."

That is, absolutely, the official IP space is assigned to government and
government-affiliated institutions. The rest of the local internet isn't in
the Chinese address space, though; it's instead on a disconnected network with
its own address space allocations, which may overlap with addresses in the
rest of the world's IPv4 instance.

~~~
threeseed
I've been to North Korea and confirm this is accurate. They have an internal
intranet with message boards etc. Pretty dated.

Also when Indian contractors were brought in to work on the pyramid hotel in
Pyongyang I was told that they had a special network provided by NK government
which curiously had full access to everything e.g. Facebook etc.

------
totony
Despite the controversial topic, I think it is interesting to see what one can
conclude about a country from freely available information (even though the
nmap'ing might have been illegal, I'm not sure about laws regarding nmap
anymore).

~~~
spacefight
And one can try to imagine if the alleged 100TB went that way.

~~~
dba7dba
No it surely did not.

N Korea however has rather free movement of people/cargo with china, limited
to govt official/cargo.

I'm pretty sure N Korea did it.

------
driverdan
Anyone have an idea how much bandwidth NK has? How easy would it be for a
large botnet to DDoS the whole country?

~~~
junto

> Anyone have an idea how much bandwidth NK has? How easy would it be for a
> large botnet to DDoS the whole country?

How ironic would that be? Anonymous gathers up all its 4chan script kiddies to
LOIC NK, to save the face of a company that has systematically treated its
customers like criminals, namely those script kiddies with their DRM'ed
Playstations and Audio CDs and DVDs, whilst fancifully offering up their
credit card details online to be hacked and dumped on black hat card trader
websites.

Oh, yep. Sign me up to some of that illegal shit. /end sarcasm.

I genuinely find the suggestion to attack an entire country's internet
infrastructure to be a poor idea, whoever they are.

~~~
personjerry
Ok, but you can also consider it from a theoretical point of view and try to
think of the ramifications rather than simply dismiss it as impractical.
Personally my hacker side finds the idea intriguing and I hope someone could
answer this question.

~~~
junto
Agreed it is an interesting theoretical question.

But, sometimes theoretical questions have shaky moral ground, and more
importantly, put stupid ideas in stupid people's heads.

Adam and Eve is probably the classic example.

~~~
functional_test
Avoiding questions because of theoretical potential outcomes of people knowing
the answer is neither good nor useful. Knowledge is not implicitly dangerous
or immoral.

Also, in this particular case, it seems that the people interested in that
sort of thing could figure it out anyway. Obscurity isn't security.

~~~
droope
> Knowledge is not implicitly dangerous or immoral

Good phrase!

~~~
corin_
Sometimes I feel like half of my HN comments are about this guy, but Aaron
Sorkin (writer/creator of A Few Good Men, The West Wing, The Social Network,
and recently The Newsroom) wrote this line in a not-very-successful TV show 15
years ago called Sports Night, which is the same phrase but slightly nicer,
and has stuck with me.

Dan is a TV host who did a Variety Fair interview in which he was semi-pro
drug legalisation.

> _Dan: The validity of your read on what most of the country thinks
> notwithstanding, Stanley.... Actions are immoral. Opinions are not. And I
> won't apologize for mine. Discussion is good, and for those of us fortunate
> enough to be the subject of magazine articles, it may be our responsibility
> from time to time to try and raise the level of debate._

------
symlinkk
I don't really see how this tells us anything interesting. You would see
pretty similar results no matter where you scanned, with the exception of the
Red Star OS stuff.

~~~
kubiiii
That's interesting by itself. One could expect something unusual in NK.

------
JonnieCache
Kudos for resisting the temptation to login to that macbook's VNC server. Or
at least, kudos for not telling us about it.

~~~
mrleiter
Kudos for pointing it out to us, then.

------
internetisthesh
My webpage gets a few visits from NK every week. A bit curious whether this is
common. Anyone else seeing this in their logs?

~~~
coroxout
We looked at our web stats for the past year recently and found we'd had
visits from every country except two, NK being one of the two not logged. (I
forget the other, and I don't recall what definition of "all the countries"
was used.)

So I'm thinking not common. Anyone else seen or conspicuously not seen hits
from NK?

~~~
internetisthesh
I looked a bit closer at my web server logs and the IP addresses matched one
of the ranges described in the blog post. My application is translated to
Korean by end-users, and reading the logs I see that the user downloaded it,
read some tutorials in the documentation and some months later downloaded the
latest version. I'm not sure why it surprised me that there were visitors from
NK when I saw it yesterday, it makes sense when I think about it. I already know
that my software happens to be used by governments in several dictatorships
(yay for open source.)

------
kbuck
Small correction: VMware authd runs on the host machine, not the guest. That's
actually a Windows machine running VMware Workstation.

------
jmnicolas
I was surprised they're using Cisco. Some Chinese hardware (Huawei ?) would
make more sense : both are back-doored, but at least the Chinese are kind of
allies.

~~~
jaimehrubiks
Do you have any link with info about Cisco backdooring?

~~~
higherpurpose
Cisco is the one that came up with the "legal intercept" backdoor IETF
protocol for routers. There have also been "mistakes" where Cisco had remote
access to people's routers, when they upgraded them to new firmware. There
were some Snowden revelations about Cisco routers being backdoored as well,
although without specifically putting the same on Cisco, just on NSA putting
the backdoors in Cisco's factory, with which I'm _sure_ Cisco had no relation.

~~~
fragmede
I make no claims of whether or not Cisco at large is in bed with the NSA, but
you must admit a government mole secretly working in the factory to install
backdoored firmware is _not_ the same thing as the NSA going to Cisco's CEO
and 'convincing' Cisco that installing backdoored firmware at the factory is
in their best interests.

------
grobinson
Seeing as North Korea only have 3 allocated address blocks, 175.45.176.0/22,
210.52.109.0/24 and 77.94.35.0/24 they only have approx. 1530 globally
reachable IP addresses. However, North Korea must have more than ~1530 hosts.
Does this mean that they use some kind of NAT, or is their number of internet
connected hosts just that small?

Is there any information about the intranet in North Korea? Do they have a
private class A network that everyone in the country is connected to with
their own DNS servers, routers, etc which are unreachable from the rest of the
internet?

~~~
palunon
Only a small number of authorized persons and high ranking government officers
have access to the Internet in North Korea, so I guess it is that small.

The common people have access to the Kwangmyong, which is an IP network not
physically connected to the Internet.

------
chubot
What are some good books/resources on things like "allocated" and "assigned"
IP addresses? i.e. Internet governance, and IP in general? Where is he getting
the data like: "inetnum: 175.45.176.0 - 175.45.179.255 ..."?

Also are there tools that take a list of services on ports and map it to
likely hardware/OS?

I have been programming for a long time but somehow I missed out on this kind
of networking knowledge. Are most people who know this stuff network
engineers?

~~~
yourad_io
> Where is he getting the data like: "inetnum: 175.45.176.0 - 175.45.179.255
> ..."?

You're missing `whois`[1]. The wikipedia page is very informative.

If you give it an IP, it will give you "ownership" status of that particular
IP, and then its containing netblocks ("outwards").

Example: (my favourite IP)

    
    
        $ whois 5.9.6.9
        % Information related to '5.9.6.0 - 5.9.6.31'
    
        inetnum:        5.9.6.0 - 5.9.6.31
        netname:        HETZNER-RZ16
        descr:          Hetzner Online AG
        descr:          Datacenter 16
        country:        DE
    
        --8<--
    
        % Information related to '5.9.0.0/16AS24940'
    
        route:          5.9.0.0/16
        descr:          HETZNER-RZ-FKS-BLK5
        origin:         AS24940
        mnt-by:         HOS-GUN
        source:         RIPE # Filtered
    

It gives you more things like contact information, abuse contact details, etc.

With a domain, it looks up the domain registration information.

If you ever script around whois, be prepared for loads of surprises, such as:

* Structure & format variations per provider (can be different on a TLD level)

* Some TLDs may not provide that information in a whois format at all:
    
    
        $ whois test.gr
        This TLD has no whois server, but you can access the whois database at
        https://grweb.ics.forth.gr/whois_en.jsp
    

[1] [http://en.wikipedia.org/wiki/Whois](http://en.wikipedia.org/wiki/Whois)
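Since the "surprises" above are what bite anyone who scripts around whois, here is an added example (my code, not from this thread or the blog post) that parses RPSL-style whois output into objects and turns the `inetnum` ranges and `route` prefixes into CIDR blocks. The embedded whois text is a constructed sample in the shape RIPE returns, modelled on the 5.9.6.9 lookup quoted above plus the `175.45.176.0 - 175.45.179.255` inetnum quoted from the post; `CONSTRUCTED-EXAMPLE` is a placeholder netname, not registry data. The function names are my own. It also counts usable host addresses across a set of prefixes, which is the arithmetic behind the "~1530 globally reachable addresses" for the three NK blocks mentioned earlier in the thread.

```python
"""Parse RPSL-style whois output and summarize the netblocks it describes."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample in the shape RIPE returns: the 5.9.6.9 lookup from the
# comment above plus an inetnum written the way the blog post quotes it.
# 'CONSTRUCTED-EXAMPLE' is a placeholder netname, not registry data.
SAMPLE = """\
% Information related to '5.9.6.0 - 5.9.6.31'

inetnum:        5.9.6.0 - 5.9.6.31
netname:        HETZNER-RZ16
descr:          Hetzner Online AG
descr:          Datacenter 16
country:        DE

% Information related to '5.9.0.0/16AS24940'

route:          5.9.0.0/16
descr:          HETZNER-RZ-FKS-BLK5
origin:         AS24940
mnt-by:         HOS-GUN
source:         RIPE # Filtered

inetnum:        175.45.176.0 - 175.45.179.255
netname:        CONSTRUCTED-EXAMPLE
country:        KP
"""

# RPSL attribute line: "key:  value".  Keys may contain hyphens (mnt-by).
ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")

Obj = Dict[str, List[str]]


def parse_rpsl(text: str) -> List[Obj]:
    """Split whois output into blank-line-separated objects of key -> values.

    Repeated keys (several 'descr:' lines) are kept in order.  Lines starting
    with '%' or '#' are registry comments and are skipped; a trailing
    '# comment' inside a value is dropped; lines starting with whitespace or
    '+' continue the previous attribute.  Lines of any other shape are
    ignored rather than raising, since formats differ per registry and TLD.
    """
    objects: List[Obj] = []
    current: Obj = {}
    last_key = None
    for raw in text.splitlines():
        if raw.startswith(("%", "#")):
            continue
        if not raw.strip():
            if current:
                objects.append(current)
                current, last_key = {}, None
            continue
        if raw[0] in " \t+" and last_key is not None:
            current[last_key][-1] += " " + raw.lstrip(" \t+").strip()
            continue
        m = ATTR_RE.match(raw)
        if not m:
            continue
        key = m.group(1).lower()
        value = m.group(2).split("#", 1)[0].strip()
        current.setdefault(key, []).append(value)
        last_key = key
    if current:
        objects.append(current)
    return objects


def netblocks(objects: List[Obj]) -> list:
    """Convert inetnum ranges and route prefixes into CIDR networks.

    An inetnum range need not align to a single prefix, so it may expand to
    several networks; a route is already a prefix.  Returns (kind, [networks])
    pairs in input order.
    """
    found = []
    for obj in objects:
        for rng in obj.get("inetnum", []):
            first, last = (part.strip() for part in rng.split("-", 1))
            nets = list(ipaddress.summarize_address_range(
                ipaddress.ip_address(first), ipaddress.ip_address(last)))
            found.append(("inetnum", nets))
        for pfx in obj.get("route", []):
            found.append(("route", [ipaddress.ip_network(pfx, strict=False)]))
    return found


def reachable_hosts(prefixes) -> int:
    """Usable host addresses across IPv4 prefixes: overlapping or adjacent
    blocks are merged first, then the network and broadcast address of each
    resulting block are excluded (the convention behind '~1530' above)."""
    merged = ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in prefixes)
    return sum(max(n.num_addresses - 2, 0) for n in merged)


if __name__ == "__main__":
    for kind, nets in netblocks(parse_rpsl(SAMPLE)):
        print(kind, ", ".join(str(n) for n in nets))
    print(reachable_hosts(["175.45.176.0/22", "210.52.109.0/24", "77.94.35.0/24"]))
```

The parser deliberately skips lines it does not recognise instead of raising, because the non-RPSL replies some TLD servers send (like the `.gr` message above) would otherwise abort a batch run; check that you actually got objects back before trusting the result.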

~~~
chubot
OK thanks... I've used whois before, but yeah the output has been a bit
confusing to me. I think I usually use it with a host name, and using it with
an IP gives different info.

I am interested in how the databases that 'whois' queries are populated... the
Wikipedia page looks like it will have some good pointers.

~~~
yourad_io
You may also be interested to know that this database is open[1]:

> We produce daily snapshots which are available to the public. You can find
> these files at our FTP site at: ftp://ftp.ripe.net/ripe/dbase/ripe.db.gz

> or split by object type at: ftp://ftp.ripe.net/ripe/dbase/split

> These daily snapshots exclude the object types: person, role, organisation
> and mntner. For data protection reasons, personal data is not available in
> bulk format. [1]

To avoid confusion, that isn't just Europe (whose Regional Internet Registry
is RIPE NCC) but contains other continents/RIR data.

[1] [https://www.ripe.net/data-tools/db/faq/faq-db/can-i-download-the-ripe-database](https://www.ripe.net/data-tools/db/faq/faq-db/can-i-download-the-ripe-database)

------
richardkeller
The author notes that they picked up an MacBook Air during one of the scans.
Probably unrelated, but interesting nevertheless, is that Kim has been seen
using Apple products [1], specifically an iMac. Perhaps the author came across
Kim's own notebook?

[1] [http://www.telegraph.co.uk/technology/apple/10619703/North-Korean-computers-get-Apple-makeover.html](http://www.telegraph.co.uk/technology/apple/10619703/North-Korean-computers-get-Apple-makeover.html)

------
j2kun
I was surprised to see a hit from the DPRK on my blog about math and
programming. I wonder what the reasons were, though chances are it was an
irrelevant search hit.

~~~
kbart
Might as well be an infected PC wandering around looking for vulnerabilities
(i.e. recent Wordpress comment hack). When I was developing an Internet-facing
device, I had seen tons of scans, login attempts etc. daily.

------
imperialdrive
Fantastic read - and amazing amount of thought put into taking on this
research, and it's fascinating to read. I just started using nmap this year,
now I'm tempted to perform similar wide scans. I'm curious how you managed to
keep your IP from being blocked? Or, did you use a different EC2 instance
each time?

~~~
laumars
My advice would be "don't". There are quite significant potential legal
ramifications for scanning other peoples infrastructure and thus you could
land yourself in a lot of trouble if you're not careful.

This isn't to say that nmap (and its ilk) are not useful diagnostic tools.
But I'd recommend you leave the scanning to infrastructure you either own or
have the owners consent - at least for now while you're still learning the
tools.

~~~
hobs
Agreed, if you want to scan the entire internet, you better be someone like
fyodor, and even then the authorities will probably come a knocking.
[https://www.youtube.com/watch?v=Hk-21p2m8YY](https://www.youtube.com/watch?v=Hk-21p2m8YY)

------
sysk
As a side note, I recently learned that it was possible to scan the whole
Internet in a few hours on a regular connection:
[https://www.youtube.com/watch?v=UOWexFaRylM](https://www.youtube.com/watch?v=UOWexFaRylM)

------
alexivanovs
It seems strange that the author implies we should do some searching through
the findings, but really, he has already given away most of what you can find...

EDIT: where did I imply that this is about SONY? Have any of you who commented
back on this actually checked the actual findings? They're yearly dated
records, it seems very hard to believe that he only observed them prior to
writing his piece.

P.S. - I do think it's a very good technical report, though I don't recall
saying it's not.

~~~
yourad_io
As I understand it, the author is saying: "I got this data; this is what I got
out of it & my read on it; why don't you have a play with it as well."

------
forensichell
#NorthKoreaOffline

[http://www.NorthKoreaOffline.com](http://www.NorthKoreaOffline.com)

------
drippingfist
Maybe the DDOS is just a distraction.

------
dylanerichards
Redirect

------
ll123
Countdown until North Korea starts nuclear war with us after a vigilante
counter-hacks them

------
gojomo
Be cybercareful! You may have just cyberstarted a cyberwar!

Also, note that when the next forensic analysis of some hack occurs, the
scanning IPs have now "communicated with IPs associated with North Korea". So
any future activity of your IPs may be attributed to NK, by the FBI/etc.

------
billions
There is no way North Korea had the sophistication to hack SONY. Hacking
requires knowledge of the latest security vulnerabilities. It's impossible to
develop good hackers on such a censored network.

~~~
tireded
> There is no way North Korea had the sophistication to hack SONY.

Hacking doesn't necessarily require sophistication.

> Hacking requires knowledge of the latest security vulnerabilities.

Again, no.

> It's impossible to develop good hackers on such a censored network.

Also no. I can imagine being on a heavily censored network being a prime
breeding ground for great hackers. Either way, if I were a nation state
sponsoring a hack I would presumably give uncensored access to my hack team.

~~~
scastillo
Totally. Indeed the times I have been more driven and successful at hacking
something have been in the most restricted environments, looking for freedom.
Bypassing the proxy for example through ICMP tunnels... when you already have
the freedom there is less passion to hack something.

~~~
billions
If you try to break rules in NK, you're dead. Hacking culture and exploration
doesn't fit in under a communist regime. No place to practice = no way to
become a pro.

