Hacker News new | past | comments | ask | show | jobs | submit login
How much traffic do I get from North Korea anyway? (benjojo.co.uk)
140 points by fcambus on Oct 27, 2017 | hide | past | favorite | 18 comments

> Or to sell VPN Services?

That seems to be a major aspect. There are hundreds of VPN services. They compete on many dimensions, such as speed, security, not retaining any logs, and the number of server locations. And some of them have insane numbers of server locations.

Anyway, I've been look it this issue for a while, using ping services (such as asm.ca.com, maplatency.com and ping.pe). For HMA and VyprVPN, only about half of the servers seem to be located where claimed. And HMA claims to have one in North Korea ;)


PS - Here's a scatter plot (rtt vs km) of all HMA servers, using ping probes in Vancouver:


Anything below the blue line is physically impossible. Notable is the horizontal banding.

Oops, I didn't mean to crop the plot that much :(


Or to have a typo in the x title, but so it goes.

What I'd be really concerned about is -- how are these VPN services getting their fake locations to show up on Maxmind? Is Maxmind simply taking their word for it when they claim that one of their IP ranges is in North Korea, for instance? Or is there some deeper trickery going on?

I don't know how Avast (HMA) does it. I'm sure that there's more to it than lying to MaxMind etc. I do know that, as long as the ISPs don't object, one can announce an IP from one ISP on another. I also know that one can tunnel ISP uplinks.

HMA (Avast) claims that fnj-kp.prcdn.net is in Manpo, North Korea. MaxMind now reports that two of its IPs ( and are in Prague, Czechia. And the third ( in Seattle, WA, US. But ipinfo.io still reports North Korea for all three.

But peering is complicated. There are two ISPs in Zurich, for example, with ~25 msec rtt between them, but ~5 msec ping to other nearby cities. They just don't speak directly it seems.

I really have no idea what any of that means, but it sounds interesting and I want to understand it. Where do I start?

I'd say look up BGP (Border Gateeway Protocol,) but the wiki page buries the important parts, since it describes the protocol state machine and packet format before even attempting to give a high level picture.

AS, standing for Autonomous System, is like an ISP's name. BGP spreads routing information by rumor. For example, I start the rumor that I can route to IP addresses in, and tell my peer ISPs. They tell their peers I told them... etc. To prevent rumors from going in circles, you keep a record of every ISP in the path of spreading the rumor, and call it the AS path. (Otherwise you could never retract the rumor, as it would go in circles. BGP speakers do not accept rumors that they themselves are in the path of. (Except in cases of dirty hacks, but then only a finite number of times.))

This article describes fraudulent AS paths attached to (as I understood it) IP ranges that were legitimately owned by the people advertising them to Hurricane Electric. This is like you telling Hurricane Electric that I (the North Korean ISP) told you that I can route to, an IP address range you own, even though I told you no such thing and we are not even peers.

RFC 2650

   __=$(exec sed -n '/^ /!d;=;q' /etc/hosts);
   test ${#__} -gt 0||
   echo www.ietf.org >> /etc/hosts

Avast, NFOrce, etc. can update their BGP routing information with a routing registry probably by just sending an email with some authentication details. Apparently the veracity of provided information is not checked. The information then gets propagated to a shared routing registry database offered to the public for free by a handful of registries via WHOIS.

The blog author suggests that the inaccuracies in Maxmind may originate from fake information in WHOIS.


This paper discusses accuracy of GeoIP databases. It concludes they are between 96-98% accurate at the country-level. Maybe the database compilers would use delay measurement for the 2-4% if the inaccuracies follow some pattern, e.g. they are consitently associated with particular countries. Maybe they already use this method. I don't know.

The IP addresses in the blog, and the idea of fake VPN exit nodes, were discussed previously: http://blog.trendmicro.com/trendlabs-security-intelligence/a...

this is quite possibly the least helpful comment you could have made for someone saying a lot of it went above their head

In other news, ip based geolocation is not realiable and just guesswork.

This is a bit beyond my knowledge of TCP/IP, however, does this support Putin's assertion that hackers can make an attack appear to come from Russia when they could be based somewhere else? How much work do you have to do to make it that your IP address is from somewhere credibly in some other country?

I'd say not really. BGP based lies are hilariously easy to spot, and can be observed by any ISP in the world. When the US Intelligence community blames Russia for hacking they aren't just doing geo-ip lookups and believing what they see. Anyone with a credit card these days can rent a server in any country anyway, so origin of traffic is more or less useless.

> Anyone with a credit card these days can rent a server in any country anyway

Including North Korea? :)

It would make sense for NK to sell VPn and server space to clients fro hard currency.

You can use a service that pings (or traceroutes) a given address with multiple probes. Round-trip lightspeed is 150 km/msec. So if you see a probe location with minimum rtt on the order of 1 msec, that's about where the address is. And conversely, if you see probes at the claimed location with minimum rtt over 20 msec, be suspicious.

Ping services with many probes:




Great point!

Also, you can also have your attack derive from Russia. Russia (the government or a Russian hacker group) doesn't have to be behind the attack for it to look like its sourced from Russian internet space.

You can see a clip of a hacker you may recognize in action here (dramatised): https://www.youtube.com/watch?v=bhS-7jxBgXQ

This is mostly unrelated, but is the AARNet peering with China Telecom in this article meant to be legit or fake? I think it's meant to be legit, but I can't get past AARNet misspelling their own name - "Reasearch" (sic).

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact