Hacker News new | past | comments | ask | show | jobs | submit login
Scans of North Korean IP Space (nknetobserver.github.io)
372 points by djcapelis on Dec 20, 2014 | hide | past | web | favorite | 111 comments

So they seem to have at least some commercial software and hardware made by American companies. Given that the US cannot trade with NK that means either 1) the companies broke the embargo or 2) they bought through a 3rd party or 3) the software is pirated/stolen/

I'll assume #1 isn't true since it would be stupid for those companies to do that for so little money.

#2 has interesting implications about trade embargoes. Unless everyone in the world participates, it seems like all an embargo does is add complexity and middle-men to the transaction. For example, if they legally acquired the software and hardware through a Chinese or Russian reseller, then all that happened was the Chinese or Russians took a cut.

#3 interestes me because what happens there? Ok, they are using clearly stolen software, now what? Are there any consequences?

No idea about NK. But re: #2 - I believe that sort of trade is regularly transacted with Iran through resellers in UAE/Dubai. US companies with overseas subsidiaries. They are legally separate companies. The goods are manufactured in Asia and never touch US soil. The employees are citizens of a country without restricted trade. The end result is the same - what are essentially US-backed goods make their way to a country with enforced economic sanctions, but without violating US law or OFAC regulations.

I can't find it right now, but I've read that U.S. companies cannot do business with other companies that are within 2 degrees of separation from a state sponsor of terror under some crazy penalties. In other words, if I make a widget, sell it to somebody in Dubai who sells it to the North Koreans, I can be held responsible unless I break off business ties with my Dubai customer. So they'd likely need to be going through 2 or 3 middlemen for a reliable source. It's hard to enforce though, once your good go through Dubai and Beijing or wherever the U.S. ability to track a chain of ownership becomes impossible.

Exactly. Even if your product was bought on US soil, sold on eBay to someone outside of the U.S., and then sold to the 4th party via the black market or 2nd hand market again, now it's legal that a NK spy picks it up. That's the same effect as saying "I picked up this US Dell computer from a recycle shipment from US to China last week." Yeah a lot of electronics are "re-used" that way oversea.

The U.S. government is aware of this but for as long as their US companies are never directly selling to NK the sanction is enforced from the US's perspective. This including banks cannot do transaction (via multiple middlemen? yes sure! Money laundering, but the FBI will be looking at it).

Is this not a __good__ thing for the Americans since the NSA backdoored most Cisco routers (http://www.infoworld.com/article/2608141/internet-privacy/sn...). Much better the North Koreans running Cisco routers which they have backdoored then a Chinese competitor such as Huawei, which could be much harder to attack?

Even if number 2 happens often, the embargo would still be effective in that North Korea would have to spend more for the embargoed goods. Adding complexity to a transaction is not a small thing.

There is a huge market (In the Billions of dollars) for used technology hardware - I've seen some warehouses that had over $500million dollars (at list price) of used Networking and Server equipment. I can't believe it would be particularly difficult for places like Cuba, North Korea, etc... to purchase a bunch of containers of Cisco Routers or HP servers and have them routed through cut-out countries before final shipping to them.

Exactly! Which means the embargo isn't doing anything but enriching the cut-out countries.

It's making it more expensive for the embargoed to get goods.

> I've seen some

Please elaborate! If you're comfortable with it of course.

These guys (who I've worked with back when they were NHR) have massive warehouses of used equipment that you purchase for 70-80% off list. They sell about $250mm worth of equipment each year.


Here is their distribution center: https://www.curvature.com/DistributionCenter

Carrying inventory valued at $200mm.

You'd be surprised. There's a guy in San Jose with two giant warehouses full of Atari products.


The actual hardware might easily slip by an embargo but not the service contracts. If you look at a typical IT contract, usually over 50% of the cost is in maintenance. This alone seems to justify an embargo as effective.

Third party support is still available. Many people with secondhand Cisco equipment, but no contract (and therefore no CCO login) rely on their own network of contacts to share things like firmware updates with them.

After I terminated my employment at Cisco Systems, some of my departmental coworkers started a consulting business to provide services related to the products that we used to work on, including maintenance services that duplicate and compete with professional services offered by Cisco itself.

I'm also earning a living as a thirdparty support provider, but not for Cisco products. All of my customers have been denied support by the original vendors for economic reasons (can't afford it) or corporate decisions to discontinue support. In addition to my own experience operating and reverse engineering the products I support, I have benefited from corporate leaks of documents and binaries as well as being passed material from paying customers.

I even generate licenses on my own for products that aren't sold anymore, without permission of the original vendors, but they know about it and haven't requested that I stop.

Therefore, I am certain that anyone subject to a government embargo would be able to procure these services from a third party or hire a local hacker to take care of these things.

#3 Dictates consequences for sure, http://www.NorthKoreaOffline.com

#NorthKoreaOffline #TangoDown #ChristmasParty

Cisco products are made in China.

Fascinating. Has anyone ever penetrated the NK intranet via an internet-facing machine, to do a thorough analysis? I've read a few articles [1] but never a detailed analysis of what's available.

[1] http://www.fastcolabs.com/3036049/what-its-like-to-use-north...

The generally old-school services available and minimal turnover suggests to me that the official IP space is entirely controlled by a few NK government entities (maybe one of the universities?) and the real NK IP space is dispersed among Chinese allocations/assignments. Is there any way to know how representative these results are of overall NK Internet usage?

That's possible, but the general consensus is this (FTA):

"The country is said to have a fairly large internal domestic internet disconnected from the rest of the world. Most citizens with access to computers are only allowed to access this network, not the global computer network the rest of us connect to."

That is, absolutely, the official IP space is assigned to government and government-affiliated institutions. The rest of the local internet isn't in the Chinese address space, though; it's instead on a disconnected network with its own address space allocations, which may overlap with addresses in the rest of the world's IPv4 instance.

I've been to North Korea and confirm this is accurate. They have an internal intranet with message boards etc. Pretty dated.

Also when Indian contractors were brought in to work on the pyramid hotel in Pyongyang I was told that they had a special network provided by NK government which curiously had full access to everything e.g. Facebook etc.

No, I meant, it seems unlikely that the sum total, grand total, whole kit and kaboodle of all NK Internet activity is solely confined to the tiny handful of easily attacked, easily monitored IP addresses officially assigned to NK. Completely ignoring the intranet, I would expect there to be a great deal of NK Internet activity which is occurring in Chinese IP ranges.

Despite the controversial topic, I think it is interesting to see what one can conclude about a country from freely available information (even though the nmap'ing might have been illegal, I'm not sure about laws regarding nmap anymore).

And one can try to imagine if the alleged 100TB went that way.

No it surely did not.

N Korea however has rather free movement of people/cargo with china, limited to govt official/cargo.

I'm pretty sure N Korea did it.

Anyone have an idea how much bandwidth NK has? How easy would it be for a large botnet to DDoS the whole country?

  Anyone have an idea how much bandwidth NK has? How easy 
  would it be for a large botnet to DDoS the whole country?

How ironic would that be? Anonymous gathers up all its 4chan script kiddies to LOIC NK, to save the face of a company that has systematically treated its customers like criminals, namely those script kiddies with their DRM'ed Playstations and Audio CDs and DVDs, whilst fancifully offering up their credit card details online to be hacked and dumped on black hat card trader websites.

Oh, yep. Sign me up to some of that illegal shit. /end sarcasm.

I genuinely find the suggestion to attack an entire countries internet infrastructure to be a poor idea, whoever they are.

Ok, but you can also consider it from a theoretical point of view and try to think of the ramifications rather than simply dismiss it as impractical. Personally my hacker side finds the idea intriguing and I hope someone could answer this question.

Agreed it is an interesting theoretical question.

But, sometimes theoretical questions have shaky moral ground, and more importantly, put stupid ideas in stupid people's heads.

Adam and Eve is probably the classic example.

Avoiding questions because of theoretical potential outcomes of people knowing the answer is neither good nor useful. Knowledge is not implicitly dangerous or immoral.

Also, in this particular case, it seems that the people interested in that sort of thing could figure it out anyway. Obscurity isn't security.

I disagree with junto, game theory; the probability of it happening is feasible. What's not to say it hasn't happened before?

> Knowledge is not implicitly dangerous or immoral

Good phrase!

Sometimes I feel like half of my HN comments are about this guy, but Aaron Sorkin (writer/creator of A Few Good Men, The West Wing, The Social Network, and recently The Newsroom) wrote this line in a not-very-successful TV show 15 years ago called Sports Night, which is the same phrase but slightly nicer, and has stuck with me.

Dan is a TV host who did a Variety Fair interview in which he was semi-pro drug legalisation.

> Dan: The validity of your read on what most of the country thinks notwithstanding, Stanley.... Actions are immoral. Opinions are not. And I won't apologize for mine. Discussion is good, and for those of us fortunate enough to be the subject of magazine articles, it may be our responsibility from time to time to try and raise the level of debate.

Adam and Eve is a work of fiction.

which was the point.

Thanks for pointing this out. I could quite easily have invoked Godwin's Law and used gas chambers as an example, but I chose the fictional example instead. It seems that many people missed that, since I appear to be getting down voted for it.

Wish I could downvote.

I am genuinely curious. I am not suggesting anyone attack them.

It's not about Sony per say, its the fact that they fucked with Americans, which as a country, wasn't a good idea, im all about #northkoreaoffline

I'm not sure what the intent of this post was, but why would we want to harm the people of North Korea when they are already oppressed by their government. I believe that most of the people living there just want to live in peace like the rest of us.

The people being oppressed do not have internet access. Internet access is reserved for the upper echelons in NK.

They should stand up and fight til the last man standing, at least if they want their internets back

They wouldn't run the botnet from their servers. Most botnets are slave machines that have been exploited with malware...

I don't really see how this tells us anything interesting. You would see pretty similar results no matter where you scanned, with the exception of the Red Star OS stuff.

That's interesting by itself. One could expect something unusual in NK.

Kudos for resisting the temptation to login to that macbook's VNC server. Or at least, kudos for not telling us about it.

Kudos for pointing it out to us, then.

My webpage get a few visits from NK every week. A bit curious wether this is common. Anyone else seeing this in their logs?

We looked at our web stats for the past year recently and found we'd had visits from every country except two, NK being one of the two not logged. (I forget the other, and I don't recall what definition of "all the countries" was used.)

So I'm thinking not common. Anyone else seen or conspicuously not seen hits from NK?

I looked a bit closer at my web server logs and the IP addresses matched one of the ranges described in the blog post. My application is translated to Korean by end-users, and reading the logs I see that the user downloaded it, read some tutorials in the documentation and some months later downloaded the latest version. I'm not sure why it surprised me that there visitors from NK when I saw it yesterday, it makes sense when I think about it. I already know that my software happens to be used by governments in several dictatorships (yay for open source.)

Well look what the author did: just scan the whole country. And I personally know people who scanned the whole Internet on certain ports (so that's not that big a deal). I would be surprised if North Korea didn't do entire Internet sweeps themselves.

That's why I wondered if other people saw the same pattern.

Not sure why they would sweep the Internet themselves though. If they want to know what OS:es are used there's already statistics for that.

Small correction: VMware authd runs on the host machine, not the guest. That's actually a Windows machine running VMware Workstation.

I was surprised they're using Cisco. Some Chinese hardware (Huawei ?) would make more sense : both are back-doored, but at least the Chinese are kind of allies.

Up until recently, Cisco was pretty well in bed with the Chinese government.

They're pretty much the reason Huawei et al are taken seriously in the networking hardware demographic -- a massive personnel, training, and IP transfer (legitimate or otherwise).

do you have any link with info about cisco backdooring?

Cisco is the one that came up with the "legal intercept" backdoor IETF protocol for routers. There have also been "mistakes" where Cisco had remote access to people's routers, when they upgraded them to new firmware. There were some Snowden revelations about Cisco routers being backdoors as well, although without specifically putting the same on Cisco, just on NSA putting the backdoors in Cisco's factory, with which I'm sure Cisco had no relation.

I make no claims of whether or not Cisco at large is in bed with the NSA, but you must admit a government mole secretly working in the factory to install backdoored firmware is not the same thing as the NSA going to Cisco's CEO and 'convincing' Cisco that installing backdoored firmware at the factory is in their best interests.

I can tell you that Cisco has no scruples at all. During the course of my seven years employment at Cisco Systems, I came along on sales calls to the Chinese Government where the staff (some in police or military uniforms) were very candid to my American coworkers (a VP and two sales reps) and I about their goals of censorship and identification of troublemakers. During a visit to a SARFT operations center in central Beijing I was asked to explain some details about how Cisco hardware and software products could assist in their mission. The Chinese even mentioned Falun Gong by name and indicated that they were a source of embarrassment that had to be cleansed from the old and new media.

I don't know what came of that visit, but months later the VP nominated me to my manager for an internal award because of my assistance on that trip; I got a framed certificate and a monetary bonus (one of many I got from Cisco.)

As an American I'm rather ashamed to have participated in such.

Have you heard of the https://en.wikipedia.org/wiki/Kilgour%E2%80%93Matas_report ? If what you are saying is true then I would urge you to talk to a journalist about it.

It made news around May when Glenn Greenwald's book came out https://airvpn.org/topic/11564-fyi-nsa-actively-installed-sp...

Seeing as North Korea only have 3 allocated address blocks,, and they only have approx. 1530 globally reachable IP addresses. However, North Korea must have more than ~1530 hosts. Does this mean that they use some kind of NAT, or is their number of internet connected hosts just that small?

Is there any information about the intranet in North Korea? Do they have a private class A network that everyone in the country is connected to with their own DNS servers, routers, etc which are unreachable from the rest of the internet?

Only a small number of authorized persons and high ranking government officers have access to the Internet in North Korea, so I guess it is that small.

The common people have access to the Kwangmyong, which is an IP network not physically connected to the Internet.

It's very likely they run larger private ip space behind these IPs...

A small IP range is not relevant these days. Almost every fuckin' telco uses NAT and proxies for their mobile customers, at scale.

What are some good books/resources on things like "allocated" and "assigned" IP addresses? i.e. Internet governance, and IP in general? Where is he getting the data like: "inetnum: - ..."?

Also are there tools that take a list of services on ports and map it to likely hardware/OS?

I have been programming for a long time but somehow I missed out on this kind of networking knowledge. Are most people who know this stuff network engineers?

Some general info about IP at the global scale:

IP addresses are assigned by regional internet registries[1] (RIR) like ARIN (for North America) and APNIC (for Asia-Pacific regions). Addresses are assigned in blocks like the /22 mentioned in the article.

These prefixes are then associated with Autonomous Systems, which participate in routing. You can view routing information on looking glass servers[2] or by using a tool like Hurricane Electric's BGP toolkit: http://bgp.he.net .

For example, here's the data for Cloudflare's AS (which serves HN): http://bgp.he.net/AS13335 . You can look at the prefixes it serves and who they peer with.

[1] https://en.wikipedia.org/wiki/Regional_Internet_registry

[2] https://en.wikipedia.org/wiki/Looking_Glass_server

> Where is he getting the data like: "inetnum: - ..."?

You're missing `whois`[1]. The wikipedia page is very informative.

If you give it an IP, it will give you "ownership" status of that particular IP, and then its containing netblocks ("outwards").

Example: (my favourite IP)

    $ whois
    % Information related to ' -'

    inetnum: -
    netname:        HETZNER-RZ16
    descr:          Hetzner Online AG
    descr:          Datacenter 16
    country:        DE


    % Information related to ''

    descr:          HETZNER-RZ-FKS-BLK5
    origin:         AS24940
    mnt-by:         HOS-GUN
    source:         RIPE # Filtered
It gives you more things like contact information, abuse contact details, etc.

With a domain, it looks up the domain registration information.

If you ever script around whois, be prepared for loads of surprises, such as:

* Structure & format variations per provider (can be different on a TLD level)

* Some TLDs may not provide that information in a whois format at all:

    $ whois test.gr
    This TLD has no whois server, but you can access the whois database at
[1] http://en.wikipedia.org/wiki/Whois

OK thanks... I've used whois before, but yeah the output has been a bit confusing to me. I think I usually use it with a host name, and using it with an IP gives different info.

I am interested in how the databases that 'whois' queries are populated... the Wikipedia page looks like it will have some good pointers.

You may also be interested to know that this database is open[1]:

> We produce daily snapshots which are available to the public. You can find these files at our FTP site at: ftp://ftp.ripe.net/ripe/dbase/ripe.db.gz

> or split by object type at: ftp://ftp.ripe.net/ripe/dbase/split

> These daily snapshots exclude the object types: person, role, organisation and mntner. For data protection reasons, personal data is not available in bulk format. [1]

To avoid confusion, that isn't just Europe (whose Regional Internet Register is RIPE NCC) but contains other continents/RIR data.

[1] https://www.ripe.net/data-tools/db/faq/faq-db/can-i-download...

> I am interested in how the databases that 'whois' queries are populated

As rid mentioned in his comment, this information comes from RIRs, who assign IP ranges to companies and other groups that request them. The WHOIS database is simply updated when an IP prefix is created or updated. When you make a WHOIS query, the RIR server is automatically contacted and the server simply returns a plaintext reply containing all the relevant information.

For example, ARIN (the North American registry) has a whois server for looking up data on IP addresses set up here: http://whois.arin.net

In addition to the tools mentioned to perform the lookups on a specific IPs and such, I find Hurricane Electric BGP Toolkit (http://bgp.he.net) super handy for this sort of thing

Wikipedia has a great map of ports to registered and common services: http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_number...

Nmap can scan and show the application and version based on various responses and req/response fingerprinting: http://nmap.org/book/vscan-examples.html

also, very conveniently under /etc/services (Linux, MacOS)

    $ grep SSH /etc/services 
    ssh		22/tcp				# SSH Remote      Login Protocol

I’d use “getent”:

    $ getent services ssh
    ssh                   22/tcp

Tried to find the Darwin equivalent, without success. (Besides looking at the file, but where's the fun in that?)

The whois utility [1] is available on most Linux distros and *nix flavours, it will give you information such as:

- Using an IP, netrange and information regarding the network owner (contact and abuse info). Gathered from the Regional Internet Registry (RIR) databases.

- Using a domain, registrant info --if public, abuse details etc..

[1] http://linux.die.net/man/1/whois

I learned these things by setting up servers. Install a few boxes and get them online without any help from a cloud provider. Everything will quickly become clear.

The author notes that they picked up an MacBook Air during one of the scans. Probably unrelated, but interesting nevertheless, is that Kim has been seen using Apple products [1], specifically an iMac. Perhaps the author came across Kim's own notebook?

[1] http://www.telegraph.co.uk/technology/apple/10619703/North-K...

I was surprised to see a hit from the DPRK on my blog about math and programming. I wonder what the reasons were, though chances are it was an irrelevant search hit.

Might as well be an infected PC wandering around looking for vulnerabilities (i.e. recent Wordpress comment hack). When I was developing Internet facing device, I had seen tons of scans, loging attempts etc. daily.

Fantastic read - and amazing amount of thought put into taking on this research, and it's fascinating to read. I just started using nmap this year, now I'm tempted to perform similar wide scans. I'm curious how to managed keeping your IP from being blocked? Or, did you use a different EC2 instance each time?

My advice would be "don't". There are quite significant potential legal ramifications for scanning other peoples infrastructure and thus you could land yourself in a lot of trouble if you're not careful.

This isn't to say that nmap (and it's ilk) are not useful diagnostic tools. But I'd recommend you leave the scanning to infrastructure you either own or have the owners consent - at least for now while you're still learning the tools.

Agreed, if you want to scan the entire internet, you better be someone like fyodor, and even then the authorities will probably come a knocking. https://www.youtube.com/watch?v=Hk-21p2m8YY

As a side note, I recently learned that it was possible to scan the whole Internet in a few hours on a regular connection: https://www.youtube.com/watch?v=UOWexFaRylM

It seems strange the the author implies us to do some searching through the findings, but really, he has already given away most of what you can find...

EDIT: where did I imply that this is about SONY? Have any of you who commented back on this, have actually checked the actual findings? They're yearly dated records, it seems very hard to believe that he only observed them prior to writing his piece.

P.S. - I do think it's a very good technical report, though I don't recall saying it's not.

As I understand it, the author is saying: "I got this data; this is what I got out of it & my read on it; why don't you have a play with it as well."

Maybe the DDOS is just a distraction.



The general population doesn't know or give a shit about the torture report. The educated don't really give a shit beyond shaking their head while reading the report in the Times, or posting a link on their FB saying that it is 'shameful.' Sad, but true.

We've known about these practices for years. The Abu Ghraib scandal was 11 fucking years ago. We've known about waterboarding and Guantanamo for years as well.

All of which is to say, I think if you believe that the U.S. government needs to create a false flag operation to bury the report, you are seriously out of touch with the political reality. Public apathy will bury it for them.

This was an interesting technical article about the publicly visible networks inside a closed country. Nowhere does it mention Sony or "The Information". Your comment is probably off topic and I think a bit conspiracy crazed.

This far more relevant to HN than anything to do with the torture report.

Well, at least some of us haven't forgotten it. Not yet.

Countdown until North Korea starts nuclear war with us after a vigilante counter hacks them


Why is this Fishy? I suspect the author didn't feel comfortable dealing with this controversial topic on his main account so he made a throwaway.



You're not helping us.

Be cybercareful! You may have just cyberstarted a cyberwar!

Also, note that when the next forensic analysis of some hack occurs, the scanning IPs have now "communicated with IPs associated with North Korea". So any future activity of your IPs may be attributed to NK, by the FBI/etc.

There is no way North Korea had the sophistication to hack SONY. Hacking requires knowledge of the latest security vulnerabilities. It's impossible to develop good hackers on such a censored network.

> There is no way North Korea had the sophistication to hack SONY.

Hacking doesn't necessarily require sophistication.

> Hacking requires knowledge of the latest security vulnerabilities.

Again, no.

> It's impossible to develop good hackers on such a censored network.

Also no. I can imagine being on a heavily censored network being a prime breeding ground for great hackers. Either way, if I were a nation state sponsoring a hack I would presumably give uncensored access to my hack team.

Totally. Indeed the times i have been more driven and successfull at hacking something, has been on the most restricted environments looking for freedom. bypassing the proxy for example trough icmp tunnels... when you already have the freedom there is less passion to hack something

If you try to break rules in NK, you're dead. Hacking culture and exploration doesn't fit in under a communist regime. No place to practice = no way to become a pro.

Money can be exchanged for goods and services.


It may have been outsourced. However, they didn't contract a very talented team since they didn't hop any boxes to hide their identity better. More likely, someone unrelated to NK hacked a box inside NK and started an attack from there.

I agree with you. I learned a lot of networking because I am behind a proxy which only allows port 80 and 443.

Why are there all new accounts dismissing this stuff out of hand?

NK does not have computers.

You are making the fatal assumption that those hacker teams are actually within North Korea. The U.S. military doesn't train for jungle warfare in the United States, they often used Panama, among other places. You'd be surprised how the NKs operate. Many of their operators are based in Japan, for instance, to say nothing of training conducted in China.

NK has nuclear weapons. It sends elites to western universities. Their intranet is heavily censored, but that doesn't mean that there are no elites who have access to the wider Internet.

"It's impossible to develop good hackers on such a censored network." Really?

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact