by pgn674 1882 days ago
"several Chinese companies use network numbering systems that resemble the U.S. military’s IP addresses in their internal systems"

I don't think I've heard of this before. What does it mean? Does China operate a disconnected BGP network? Or do they have some modified protocol, or what?

7 comments

Alibaba, for example, uses DoD address ranges for their management servers running Alicloud services. They assumed that since nothing in their cloud platform would connect to those addresses, they could use them to alleviate the IPv4 shortage. In Alicloud, the customer has the right to use any RFC1918 addresses, so they had to be creative since they didn’t have sufficient IPv4 addresses.
but if they're not filtering BGP announcements for those ranges (however unlikely), and the GFW isn't blocking traffic out to those addresses (even more unlikely), and the internal metrics were high (super unlikely), I guess it'd slurp out all the traffic? maybe this was a weird smash-and-grab.
You'd be surprised, but GFW is a blacklist not a whitelist, as such the blocked domains and/or IPs are a very small subset of all public addresses out there.
Even with a blacklist, a large and contiguous range like 11.0.0.0/8 won't be particularly difficult to block or reroute.
I'd imagine that, with the advent of ipv6, it would have to be.
These IP addresses were unused for a very long time, so using them on internal networks worked fine. Once the Floridian company in the article started announcing them, gateway routers on the Chinese internal networks may have started sending their traffic to Florida.
Ohh, I think I see. So instead of (or in addition to) creating internal subnets inside 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, they set up subnets inside DoD's 11.0.0.0/8 etc., and it worked out because there were no external BGP announcements for those ranges. But now that there are, if they did not explicitly configure their border gateways to route those ranges inside their networks, the traffic may now leak out to DoD's pilot effort.
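The mechanism described in the comment above, as an added example that is not code from any commenter: a small squat-space audit plus a longest-prefix-match simulation of where a packet ends up once the squatted block is announced by an outside party. The addressing plan, the two site routing tables and the ISP tables are constructed for illustration; "announcer" stands for whoever originates the covering route upstream.

```python
"""Squat-space audit and leak simulation (added example, constructed data)."""
import ipaddress

# Blocks that are actually set aside for internal use.
INTERNAL_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),       # RFC 1918
    ipaddress.ip_network("172.16.0.0/12"),    # RFC 1918
    ipaddress.ip_network("192.168.0.0/16"),   # RFC 1918
    ipaddress.ip_network("100.64.0.0/10"),    # RFC 6598 shared address space (CGNAT)
]


def classify(prefix):
    """'internal' if prefix lies inside RFC 1918 / RFC 6598 space, otherwise
    'squat': globally assigned space borrowed for private use."""
    net = ipaddress.ip_network(prefix, strict=False)
    return "internal" if any(net.subnet_of(b) for b in INTERNAL_BLOCKS) else "squat"


def audit(prefixes):
    """Prefixes from an internal addressing plan that are squat space."""
    return [p for p in prefixes if classify(p) == "squat"]


def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) tuples; None if nothing covers dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def forward(site_routes, isp_routes, dst):
    """Follow a packet from the site border router out to the ISP.

    site_routes: the border router's table, plus an implicit default to 'isp'.
    isp_routes:  the ISP's view of globally announced prefixes.
    """
    hop = lookup(list(site_routes) + [("0.0.0.0/0", "isp")], dst)
    if hop != "isp":
        return hop                                  # stayed inside the organisation
    hop = lookup(isp_routes, dst)
    return hop if hop else "dropped-at-isp"         # unannounced: no route anywhere


# Constructed addressing plan: RFC 1918 space plus a squatted slice of 11.0.0.0/8.
PLAN = ["10.1.0.0/16", "192.168.10.0/24", "11.3.0.0/16", "100.70.0.0/16"]

# Site A installed a covering route for the whole squatted block; site B only
# knows the /16 it actually uses, so anything else in 11/8 follows the default.
SITE_A = [("11.0.0.0/8", "internal-core"), ("10.0.0.0/8", "internal-core")]
SITE_B = [("11.3.0.0/16", "internal-core"), ("10.0.0.0/8", "internal-core")]

# ISP table before and after the squatted /8 is announced by an outside party.
ISP_BEFORE = [("8.8.8.0/24", "transit")]
ISP_AFTER = ISP_BEFORE + [("11.0.0.0/8", "announcer")]


if __name__ == "__main__":
    print("squat prefixes in plan:", audit(PLAN))
    for name, site in (("A", SITE_A), ("B", SITE_B)):
        for when, isp in (("before", ISP_BEFORE), ("after", ISP_AFTER)):
            # 11.200.1.1: another 11/8 site whose route site B never configured
            print(f"site {name}, {when} announcement:", forward(site, isp, "11.200.1.1"))
```

Before the announcement, site B's stray packets died at the ISP with no route; afterwards the same packets are delivered to the announcer, which is the "fire hose" the article describes. Only a covering internal route (site A) or an egress filter keeps them home.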
Maybe DoD is trying to catch security flaws caused by traffic intended for their own internal networks accidentally reaching the public internet? Advertising those IPs publicly and logging all traffic could be a good way of detecting such bugs in DoD systems.
From the article:

> What is clear, however, is the Global Resource Systems announcements directed a fire hose of Internet traffic toward the Defense Department addresses. Madory said his monitoring showed the broad movements of Internet traffic began immediately after the IP addresses were announced Jan. 20.

> Madory said such large amounts of data could provide several benefits for those in a position to collect and analyze it for threat intelligence and other purposes.

It's interesting how this is framed as something "defensive in nature", when it's yet another massive funnel for data being slurped up by a US government agency.

If China or Russia would suddenly reroute a ton of traffic from outside their countries, to their respective government agencies, I doubt anybody would believe a benign "Just checking our security!" explanation.

> If China or Russia would suddenly reroute a ton of traffic from outside their countries, to their respective government agencies

It is their IP space. It is entirely on your incompetent network staff if you are stealing IPs that are 1) not yours, 2) in use, 3) not in your country for internal use and on top of that, not rejecting external routes to it.

It is not "rerouting a ton of traffic", the traffic was destined toward them in the first place.

These IPs have been unused for so long that using them for private networks is absolutely not uncommon.

Somehow the discussion seems to point to China and Russia, but I know a ton of EU companies that use these ranges.

You can debate semantics all you want, it doesn't change the reality of the situation and how the problem of IPv4 address exhaustion is very real and not just down to "incompetent network staff".

The DoD sitting on all that unused address space actively contributed to that problem and now it's exploiting band-aid fixes around it to once again play data kraken of the world under the guise of "We are just fighting APT!".

Reading what the DOD said "officially", it appears that maybe they were just looking to see if these IPs could be registered, simply.

It sounds a bit weird that they would have needed 170+M IPs to get a good attack sample from the internet; if the IPs are contiguous, a few thousand would have sufficed. It sounds very weird to expect "China" to suddenly route Xi's dirty videos there, and why not Iran, Japan, everyone suddenly routing crap there? It's not very targeted and would cost quite a bit to read all the potential TCP packets that got lost by bad WAN vs LAN priority decisions in routers.

Also, it's one shot, so why now? They would have just lost a huge weapon, if true, in a very public manner, for no particular visible threat, no precise target and possibly at great cost.

I'm okay to believe this was possibly just an inventory/activation exercise because someone noticed they owned stuff they can't use until they register them.

It also explains the lack of public commentary.
Indeed. Publicly commenting on it would expose the potential vulnerability (i.e. the accidental leakage of traffic onto the public internet).
Not sure. If the government is doing something large-scale in public (like construction projects [or maybe global IP routing]), they should communicate what is happening before doing it, in order to not phase people.
Eh, I wouldn't be surprised if an org like the Pentagon is secretive about things that aren't really necessary to be secrets. It's just kinda in their nature to be that way (kinda like Apple's default-secrecy about products and features).

(Also, sorry to be That Guy, but this one always gets to me: in the sense you've used it, it's "faze", not "phase".)

Right, because if there's anything the Pentagon has been known for over the past seven decades or so it's clear publication and transparent disclosure of all its large scale classified projects so as not to phase the public.
It is very unlikely for a company like Alibaba not to configure their BGP right.
Have you seen the talk about AI with Jack Ma and Elon?

I wouldn't be surprised.

FWIW Ma seems significantly smarter than he showed during that event when you look at translations of his Chinese (speaking or written). But in any case, even an incompetent CEO can still have competent IT.
There are lots of examples of this type of "squat space" being used for largely internal addressing in addition to rfc 1918 space:

https://teamarin.net/2015/11/23/to-squat-or-not-to-squat/

Why would you do that though when there are perfectly fine internal address ranges available?
I suspect there are a decent number of network engineers who think it's funny to use DoD IPs for their internal network, especially given what their logging system will probably tell them by default.

If you drive around with a WiFi stumbler running, you'll run into networks with names like "UTAH DATA CENTER" and "SIPRnet", etc for the same reason.

The main reason (I've done this at a bank previously) is when you need to ensure you don't overlap with other internal IP (RFC1918 was represented everywhere and routeable internally) and when you're trying to dodge 99% of your engineers' default Docker configs to reduce support request load.

In that case there's never any chance it'll be needed by people using the public internet there, and never any chance it'll be used suddenly by a deployed internal service somewhere else from an outside vendor.

Default Docker configs are atrocious. Most devs/devops don't even know that when it creates a network, it takes a /16 IP range out of 172.[17-31].0.0/16 or 192.168.[0-240].0/20 by default. It is just a matter of time before a restart makes it collide with an existing network range. It does skip networks defined on local interfaces at least, but this only means that devs don't learn about this landmine on their own machines, nuking production instead.

The default should reserve a single ip range and simply fail (with a nice message) if more are needed.
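The pool allocation the two comments above complain about, modelled as an added example (this is not Docker's own code). It walks the default pools in the order the comment gives, skipping any that overlap a route already on the host, then shows the collision that appears when a corporate route arrives after the networks were created, and emits a daemon.json fragment pinning Docker to one dedicated pool so that allocation fails instead of wandering. Host routes, the 10.200.0.0/16 pool and the scenario are constructed for illustration.

```python
"""Docker default address-pool allocation and its collision (added example)."""
import ipaddress
import json

# Default pools as described in the thread: 172.17/16 .. 172.31/16, then the
# sixteen /20s of 192.168.0.0/16.
DEFAULT_POOLS = (
    [ipaddress.ip_network(f"172.{i}.0.0/16") for i in range(17, 32)]
    + list(ipaddress.ip_network("192.168.0.0/16").subnets(new_prefix=20))
)


def pools_from(base, size):
    """Expand a daemon.json-style {"base": ..., "size": ...} pool into subnets."""
    return list(ipaddress.ip_network(base).subnets(new_prefix=size))


def pick_pool(host_routes, in_use, pools=DEFAULT_POOLS):
    """First pool that overlaps neither a host route nor an existing docker network."""
    taken = list(host_routes) + list(in_use)
    for pool in pools:
        if not any(pool.overlaps(t) for t in taken):
            return pool
    return None                      # exhausted: with a single pinned pool this is the desired failure


def allocate(host_routes, count, pools=DEFAULT_POOLS):
    """Allocate `count` networks in order, as successive `docker network create` calls would."""
    chosen = []
    for _ in range(count):
        pool = pick_pool(host_routes, chosen, pools)
        if pool is None:
            break
        chosen.append(pool)
    return chosen


def collisions(docker_nets, host_routes):
    """(docker network, host route) pairs that overlap."""
    return [(d, r) for d in docker_nets for r in host_routes if d.overlaps(r)]


def daemon_json(base, size):
    """daemon.json fragment restricting Docker to one dedicated pool (constructed values)."""
    return json.dumps({"default-address-pools": [{"base": base, "size": size}]}, indent=2)


# Constructed scenario.  Laptop: only the home LAN is routed, so three compose
# projects land on 172.17/16, 172.18/16, 172.19/16.  Production host: same
# three networks at boot, then a VPN/WAN route to a corporate 172.18.0.0/16
# shows up later; the skip-local-routes check never saw it.
LAPTOP_ROUTES = [ipaddress.ip_network("192.168.1.0/24")]
PROD_ROUTES_AT_BOOT = [ipaddress.ip_network("10.50.0.0/16")]
PROD_ROUTES_LATER = PROD_ROUTES_AT_BOOT + [ipaddress.ip_network("172.18.0.0/16")]

if __name__ == "__main__":
    nets = allocate(PROD_ROUTES_AT_BOOT, 3)
    print("allocated at boot:", [str(n) for n in nets])
    print("collisions once the corporate route appeared:", collisions(nets, PROD_ROUTES_LATER))
    print(daemon_json("10.200.0.0/16", 24))
```

With the pinned pool, `allocate` returns fewer networks than requested once the /24s run out, which is the "fail with a nice message" behaviour the comment asks for, instead of silently drifting into whatever 172.x or 192.168.x block happens to be free that day.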

I always hated seeing “FBI Surveillance Van”

Made me wanna climb out of my FBI Surveillance Van and have a word with them.

Ha! “Unmarked white van” is the WiFi name at my local dog daycare. I got a good laugh.
My wifi is called nsa_net
Two things that come to mind are running out of private address space (a /8 isn't that large), or wanting address space that doesn't clash with other private networks (e.g. to ensure a VPN doesn't overlap with home networks). There's probably more reasons.
> running out of private address space

Classic merger "solution".

Company A uses 10/8 Company B uses 10/8, company A buys company B and orders new subsidiary B to renumber into 11/8 "All you have to do is change every first octet to 11"

Merger after merger after merger followed by a massive adoption of public cloud (using Direct Connect/Express Route for hybrid connectivity) has led at least two very large FinServs I worked for adopting CGNAT (100.64/10) for parts of their internal networks.

In both cases RFC1918 was used throughout their global network and while not fully used, had become highly fragmented over time.

or, you know, use NAT to do so :)
or upgrade to ipv6 :)
how would nat help in this case?
In our case, we were setting up VPN tunnels to a partner, who for some reason required that the addresses on our side should (appear to be) public IP addresses. So we couldn't use 10/8 or 192.168/16 in (that part of) our network.

They didn't actually need the addresses to be routable from the public internet (that was the whole point of the VPN). I think the requirement was really a way of making sure they were unique. I'm sure they had several partners who used 10/8 internally.

There's also 172.16/12 :) But yeah I agree. If you're running a VPN for a large company it's kinda hard to avoid such conflicts.

In my work we use 10.0.0.0/8 but of course some people use the same at home even though 192.168/16 is way more common. In general I find 172.16/12 the least common in the field.

I personally use a range towards the end of the 172.16/12 reservation for my home network for exactly this reason. Ever since I made the change five years ago I’ve never suffered any conflicts when running a VPN in or out.
Virtually nobody realizes 172.17-172.31 are available.

And many are surprised to find that there are 172.* that are routable.

I know the old Apple extreme and time machine routers used to default to 10 rather than 192 ever since then I’ve kept my internal routing within that block.

It just looks nicer to me which shows the power of Apple and how easily I am influenced.

I like 172.16/12 for company networks, especially small companies with limited support resources. Getting employees on VPN is much simpler as virtually no home routers use that range.
A trick is to use something in the 10 range but not /8 - 10.185.203/24 will work on a 10/8 network (assuming no actual host overlap) as it’s more specific and will route first.

Still gives you fun issues though.

In my case I got a class C around about 1992 (back then that was the only way to get on the internet); at some point the ISP above my ISP claimed it as theirs without telling me .... I still use it internally; why should I change?
Is it "directly assigned" to you in whois? I got mine around 1993.
In the case of a managed service provider I worked for, using non-announced gov/mil space allowed us to inject routes for monitoring purposes into the MPLS vrfs of our customers so we could poll the routers without using our own public space.
Way back when, I was working at a startup with little clue what I was doing. Long story short, I setup a VPN network to connect 600 devices through 8 wifi routers to a VPC. I used 11.0.0.0/8 because I didn't want to bother sorting through the conflicts with 10.x, 192.168.x, and 172.x which were all used at various places throughout the chain (e.g. the routers on 192, some upstream services on 10.x and 172.)

All I had to do to make it work, IIRC, was add an ip routing rule to prioritize our internal routing for traffic on 11.0.0.0/8 instead of sending it over the default interface.

This solution worked fine, but it broke in weird ways and I remember one time I did arp -a on one of the Amazon boxes and saw some DoD registered addresses, which was a little alarming, but I just chalked it up to my not understanding the details.

I did the same with 51/8 back when that was owned by the UK Department of Work and Pensions but not publicly routable.
Lots of less clueful network operators worldwide have used the DoD /8 IP blocks internally, under the impression that they'll never show up in the global v4 routing table, essentially for the same purposes that people would use the 10/8 RFC1918 blocks.
Some of those less-clueful operators include Juniper and Azure[1], Cisco[2][3], and probably many other companies. When Cloudflare put its 1.1.1.1 DNS server into use, it started receiving huge amounts of packets destined to unroutable addresses because the 1.0.0.0/8 space was (mostly?) unused.

If you configure your routers correctly, none of these IP addresses should resolve, anyway. If something in your network is intentionally dialing the department of defence, you probably have some kind of problem at hand. In theory this might become a huge problem, but in practice it probably won't.

[1]: https://www.juniper.net/documentation/en_US/vmx/information-...

[2]: https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2017/pdf...

[3]: https://security.stackexchange.com/questions/157682/why-does...

I know of a couple companies that used 1.0.0.0/8 as their internal VPN/WAN network. Myself and others explained why this could be problematic but we were ignored. It's actually mostly fine as long as you 1) never need to reach that network and 2) block traffic in that network from leaving your edge network and 3) triple-check that you have blocked that network from ever being announced from your routers. Downside being you have to double or triple NAT to reach anything in that network. Hamachi uses or used 25/8 ministry of defense as their VPN network.
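Rules 2 and 3 from the comment above, turned into checks you can run against router state, as an added example (not tooling from any commenter or vendor). It parses a constructed table in the shape of a `show ip bgp neighbor ... advertised-routes` listing and flags any advertised prefix that overlaps the squatted 1.0.0.0/8, and it evaluates a constructed first-match egress policy to prove that every address in the squatted block is denied at the edge, carving the block apart with `address_exclude` so a more-specific `permit` placed above the `deny` is caught. The router output, policy entries and 203.0.113.0/24 (documentation space) are constructed, not real device output.

```python
"""Edge checks for squatted address space (added example, constructed data)."""
import ipaddress
import re

SQUATTED = [ipaddress.ip_network("1.0.0.0/8")]

# Constructed 'advertised-routes' style table: a legitimate /24 and a leaked /16.
ADVERTISED_ROUTES = """\
     Network          Next Hop            Metric LocPrf Weight Path
 *>  203.0.113.0/24   0.0.0.0                  0         32768 i
 *>  1.16.0.0/16      0.0.0.0                  0         32768 i
"""

# Constructed egress policy, evaluated top-down, first match wins.
EGRESS_POLICY = [
    ("deny", "1.0.0.0/8"),          # rule 2: the squatted block never leaves the edge
    ("permit", "0.0.0.0/0"),
]

# A broken policy: a more-specific permit sits above the deny.
BROKEN_POLICY = [("permit", "1.16.0.0/16")] + EGRESS_POLICY

PREFIX_RE = re.compile(r"^\s*\*>\s+(\d+\.\d+\.\d+\.\d+/\d+)")


def parse_advertised(text):
    """Prefixes on '*>' (best, advertised) rows of the table."""
    return [ipaddress.ip_network(m.group(1)) for m in map(PREFIX_RE.match, text.splitlines()) if m]


def leaked_announcements(advertised, squatted=SQUATTED):
    """Advertised prefixes inside, or covering, a squatted block (rule 3)."""
    return [p for p in advertised if any(p.overlaps(s) for s in squatted)]


def egress_decisions(policy, block):
    """Map every sub-range of `block` to the action of the first policy entry that matches it."""
    remaining = [block]
    decisions = []
    for action, prefix in policy:
        rule = ipaddress.ip_network(prefix)
        still = []
        for net in remaining:
            if not net.overlaps(rule):
                still.append(net)
            elif net.subnet_of(rule):            # the rule covers this whole range
                decisions.append((net, action))
            else:                                 # the rule is inside the range: carve it out
                decisions.append((rule, action))
                still.extend(net.address_exclude(rule))
        remaining = still
    decisions.extend((net, "deny") for net in remaining)   # implicit deny at the end
    return decisions


def squatted_egress_blocked(policy, squatted=SQUATTED):
    """True only if no part of any squatted block can leave the edge."""
    return all(action == "deny"
               for block in squatted
               for _, action in egress_decisions(policy, block))


if __name__ == "__main__":
    print("leaked announcements:", [str(p) for p in leaked_announcements(parse_advertised(ADVERTISED_ROUTES))])
    print("egress blocked (good policy):", squatted_egress_blocked(EGRESS_POLICY))
    print("egress blocked (broken policy):", squatted_egress_blocked(BROKEN_POLICY))
```

Rule 1 (never needing to reach the real owner of that space) is a business question no script can check; these two are the ones that make the difference between "we squatted" and "we squatted and then leaked it to the whole Internet".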
T-Mobile used or uses UK MoD space also for NAT.
Juniper and Cisco are equipment vendors, not ISPs. If the DOD /8s are used in some documentation examples, that's a whole other thing.

If network operators are taking the theoretical network blocks provided in training examples and attempting to copy and paste them into real world use, that is a whole other problem with training and education. And lack of oversight by senior people who should know better at their company.

1/8 is also a whole other thing because it's a legitimately announced block controlled by, as I recall, APNIC. If it's in some peoples' 20-year-old bogon filter that's their problem, not APNIC's.

What IPs does the DoD actually host defense-related services on?

E.g. https://www.defense.gov/Resources/Military-Departments/A-Z-L...

NIPR and SIPR don't talk to the global routing tables for v4 and v6. Generally if a DOD person needs to access commercial internet resources for things, it'll be through a separate commercial network purpose LAN, or through something like an rdp session to a Citrix thin client to do that.
I think you'd be surprised. Most NIPR computers just use a regular proxy server for internet access. But example: 214 /8 is a DoD owned block, and "weather.af.mil" is on that block, and both externally and internally reachable.
Not that NIPR computers don't have access to the internet - but because this isn't 1987, those individual workstations would never have public facing DoD v4 IPs. They'll always be behind some combination of NAT and firewall or as you mentioned, proxy. Certainly there could be some DoD public IP on the external interfaces of said firewalls. If I had to guess very often the public facing side of those boxes might be a commercially acquired local ISP using that ISP's IP space, and not actual DoD IP space...
A lot is in the 150-160 range
Not just Chinese companies. I know of one FAANG company that used internal IP addresses in the 11.0.0.0/8 space (in addition to, not instead of, RFC 1918 space).
Every time I've seen this it's because of inefficient and wasteful use of 10/8 internally. Like, not every tiny site or thing needs a /24. Once the wasteful use becomes entrenched as a practice, it would be very labor intensive and time-consuming to go on a renumbering plan. As compared to the effort to just use 11/8.

And then ultimately because of refusal to get over the technical hurdle of using IPv6 for internal management.

But have you seen inside of FAANG?
Why don't they use IPv6? Is there still a lot of hardware out there that doesn't support it? It seems perfect if it's internal only.
Well I would hope it’s not Apple since they already own all of 17.0.0.0... one of only 7 private companies that own their own /8, as far as I know.
If that were true, depending on path information, any botnet or other traffic destined to those networks would end up in this new AS8003 traffic sink, which would create a map of candidate CCP assets to target on the internet.

You could do the same with any AS. I haven't looked into bgp spoofing since about '99, but it seems to have matured since then. The idea of using it as ephemeral canary/honeynet space for tracking botnet C&C traffic seems like a reasonable play.

But the internet is not just CCP vs Captain America. I mean my home network has random ips and a shit network admin, so I will also send crap data to the DOD, from Hong Kong.

You imagine the work to figure out if my tcp heartbeats between my torrent server and my nginx proxy are CCP botnets or me misconfiguring my router ? From the same place kinda ? And you imagine the amount of people we are in China that are doing shit networking but not CCP-relevant things ?

And the amount of botnets we have in China that are to scam each other that even the CCP doesn't want ? :D

I once had a client who decided to use an IP block that was registered to APNIC for their internal network. Made for quite the headache as I tried to track down why there was a ton of traffic supposedly going to China and Japan. -__-
Yeah, that's why the stated explanation sounds weird.

Suddenly advertise this never-used block, and you're just going to get a massive torrent of previously-internal traffic from bazillions of organizations all over the planet that used it for something internal and were slightly lazy and didn't set up their routing quite right. Probably 99.9% of it is of no use whatsoever to anyone outside that org. It's tough to imagine that anyone thought they'd get any useful information on any hostile CCP activity by doing this.

I would also expect that any department doing hostile things on the net would be at least smart enough to not let any of their internal traffic leak out like that, no matter who they actually worked for.

If I remember correctly, one of the large Chinese supercomputers (ex #1 in the TOP500) uses the 11.0.0.0 address space for its internal network.