by woah 1888 days ago
These IP addresses were unused for a very long time, so using them on internal networks worked fine. Once the Floridian company in the article started announcing them, gateway routers on the Chinese internal networks may have started sending their traffic to Florida.

Ohh, I think I see. So instead of (or in addition to) creating internal subnets inside 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, they set up subnets inside DoD's 11.0.0.0/8 etc., and it worked out because there were no external BGP announcements for those ranges. But now that there are, if they did not explicitly configure their border gateways to route those ranges inside their networks, the traffic may now leak out to DoD's pilot effort.
Maybe DoD is trying to catch security flaws caused by traffic intended for their own internal networks accidentally reaching the public internet? Advertising those IPs publicly and logging all traffic could be a good way of detecting such bugs in DoD systems.
From the article:

> What is clear, however, is the Global Resource Systems announcements directed a fire hose of Internet traffic toward the Defense Department addresses. Madory said his monitoring showed the broad movements of Internet traffic began immediately after the IP addresses were announced Jan. 20.

> Madory said such large amounts of data could provide several benefits for those in a position to collect and analyze it for threat intelligence and other purposes.

It's interesting how this is framed as something "defensive in nature", when it's yet another massive funnel for data being slurped up by a US government agency.

If China or Russia would suddenly reroute a ton of traffic from outside their countries, to their respective government agencies, I doubt anybody would believe a benign "Just checking our security!" explanation.

> If China or Russia would suddenly reroute a ton of traffic from outside their countries, to their respective government agencies

It is their IP space. It is entirely on your incompetent network staff if you are stealing IPs that are 1) not yours, 2) in use, 3) not in your country for internal use and on top of that, not rejecting external routes to it.

It is not "rerouting a ton of traffic", the traffic was destined toward them in the first place.

These IPs have been unused for so long that using them for private networks is absolutely not uncommon.

Somehow the discussion seems to point to China and Russia, but I know a ton of EU companies that use these ranges.

You can debate semantics all you want, it doesn't change the reality of the situation and how the problem of IPv4 address exhaustion is very real and not just down to "incompetent network staff".

The DoD sitting on all that unused address space actively contributed to that problem and now it's exploiting band-aid fixes around it to once again play data kraken of the world under the guise of "We are just fighting APT!".

It’s pretty clear that the DoD realizes how close they were to being forced to sell all that IP space off and wouldn’t have even been able to say “we’re using it” as it wasn’t routed.
Look, if you want to use someone's IP address for your internal network, that's fine, what you do in your private network is your business. But don't blame the owner when they say "hi, I exist" and you forgot to configure your routers to ignore them. It's not the DoD's fault that other netops didn't bother to break the rules in a safe way.
Reading what the DoD said "officially", it appears that maybe they were just looking to see if these IPs could be registered, simply.

It sounds a bit weird that they would have needed 170+M IPs to get a good attack sample from the internet if the IPs are contiguous; a few thousand would have sufficed. It sounds very weird to expect "China" to suddenly route Xi's dirty videos, and why not Iran, Japan, everyone suddenly routing crap there; it's not very targeted and would cost quite a bit to read all the potential TCP packets that got lost by bad WAN vs LAN priority decisions in routers.

Also, it's one shot, so why now? They would have just lost a huge weapon, if true, in a very public manner, for no particular visible threat, no precise target and at great cost possibly.

I'm okay to believe this was possibly just an inventory/activation exercise because someone noticed they owned stuff they can't use until they register them.

It also explains the lack of public commentary.
Indeed. Publicly commenting on it would expose the potential vulnerability (i.e. the accidental leakage of traffic onto the public internet).
Not sure. If the government is doing something large-scale in public (like construction projects [or maybe global IP routing]), they should communicate what is happening before doing it, in order to not phase people.
Eh, I wouldn't be surprised if an org like the Pentagon is secretive about things that aren't really necessary to be secrets. It's just kinda in their nature to be that way (kinda like Apple's default-secrecy about products and features).

(Also, sorry to be That Guy, but this one always gets to me: in the sense you've used it, it's "faze", not "phase".)

I used to work in intelligence. "Secrecy creep" has long been a serious problem inside DoD. How information gets classified has largely been left up to low-level federal bureaucrats, people my father used to angrily refer to as "big haired women from Mississippi". Basically, they are low-level federal office drones, with minimal knowledge about the actual content of classified programs, who are left to determine how they are classified. They start with the core information of a project and classify it "Top Secret". Then they take all the peripheral information of that project and classify it TS as well, just to be safe, because it might overlap with the core info, but they have no clue because they're a GS-4 clerk from Boogerville with a high school diploma. Later, as more content is generated in a program, stuff peripheral to the previous peripheral data, which realistically should be classified "Confidential" at most, gets classified as TS too because of its proximity to the previously over-classified peripheral data. Lather-Rinse-Repeat for a few decades and you have huge swathes of widely known, utterly inconsequential information classified Secret or Top Secret.
Right, because if there's anything the Pentagon has been known for over the past seven decades or so it's clear publication and transparent disclosure of all its large scale classified projects so as not to phase the public.
It is very unlikely for a company like Alibaba not to configure their BGP right.
Have you seen the talk about AI with Jack Ma and Elon?

I wouldn't be surprised.

FWIW Ma seems significantly smarter than he showed during that event when you look at translations of his Chinese (speaking or written). But in any case, even an incompetent CEO can still have competent IT.
There are lots of examples of this type of "squat space" being used for largely internal addressing in addition to RFC 1918 space:

https://teamarin.net/2015/11/23/to-squat-or-not-to-squat/

Why would you do that though when there are perfectly fine internal address ranges available?
I suspect there are a decent number of network engineers who think it's funny to use DoD IPs for their internal network, especially given what their logging system will probably tell them by default.

If you drive around with a WiFi stumbler running, you'll run into networks with names like "UTAH DATA CENTER" and "SIPRnet", etc for the same reason.

The main reason (I've done this at a bank previously) is when you need to ensure you don't overlap with other internal IP (RFC 1918 was represented everywhere and routeable internally) and when you're trying to dodge 99% of your engineers' default Docker configs to reduce support request load.

In that case there's never any chance it'll be needed by people using the public internet there, and never any chance it'll be used suddenly by a deployed internal service somewhere else from an outside vendor.

Default Docker configs are atrocious. Most devs/devops don't even know that when it creates a network, it takes a /16 IP range out of 172.[17-31].0.0/16 or 192.168.[0-240].20/20 by default. It is just a matter of time before a restart makes it collide with an existing network range. It does skip networks defined on local interfaces at least, but this only means that devs don't learn about this landmine on their own machines, nuking production instead.

The default should reserve a single ip range and simply fail (with a nice message) if more are needed.
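The collision the comment above describes can be checked for before a restart finds it for you. The following is an added example, not code from the thread: it compares dockerd's default address pools against prefixes a site already routes and emits a daemon.json fragment that pins Docker to a pool known to be free. The default pools (172.17.0.0/16 through 172.31.0.0/16, then 192.168.0.0/20 through 192.168.240.0/20) are stated as an assumption about dockerd's behaviour when daemon.json sets no `default-address-pools`; the routed prefixes are constructed for the demo.

```python
"""Added example (not from the thread): find where Docker's default address
pools collide with prefixes a site already routes, and pin Docker to a pool
that is known to be free.

Assumption about dockerd's defaults when daemon.json has no
"default-address-pools": the docker0 bridge and user-defined networks are
drawn from 172.17.0.0/16 .. 172.31.0.0/16 (fifteen /16s) and then from
192.168.0.0/20 .. 192.168.240.0/20 (sixteen /20s). The routed prefixes
below are constructed for the demo.
"""
import ipaddress
import json

DOCKER_DEFAULT_POOLS = (
    [ipaddress.ip_network(f"172.{i}.0.0/16") for i in range(17, 32)]
    + list(ipaddress.ip_network("192.168.0.0/16").subnets(new_prefix=20))
)

# Constructed routing table of a corporate site: the VPN pool lives in
# 172.20/16 and an office LAN in 192.168.16/20, both inside Docker's defaults.
ROUTED_PREFIXES = ["10.0.0.0/8", "172.20.0.0/16", "192.168.16.0/20", "100.64.0.0/16"]


def colliding_pools(routed):
    """(docker_pool, routed_prefix) pairs where a default pool overlaps a routed prefix.

    Docker skips pools that collide with a prefix on a *local* interface, but
    it cannot see routes learned elsewhere, so these are the ranges a daemon
    restart can silently hand to a container network.
    """
    routed = [ipaddress.ip_network(p) for p in routed]
    return [(pool, p) for pool in DOCKER_DEFAULT_POOLS for p in routed if pool.overlaps(p)]


def free_pools(routed):
    """Default pools that overlap none of the routed prefixes."""
    routed = [ipaddress.ip_network(p) for p in routed]
    return [pool for pool in DOCKER_DEFAULT_POOLS
            if not any(pool.overlaps(p) for p in routed)]


def daemon_json(base, size, routed):
    """daemon.json fragment pinning Docker to one reserved pool, sliced into /size nets.

    Refuses a base that overlaps anything routed, so the fix cannot reintroduce
    the collision it is meant to remove.
    """
    base = ipaddress.ip_network(base)
    if size <= base.prefixlen:
        raise ValueError("size must be longer than the base prefix")
    for p in routed:
        if base.overlaps(ipaddress.ip_network(p)):
            raise ValueError(f"{base} overlaps routed prefix {p}")
    return {"default-address-pools": [{"base": str(base), "size": size}]}


if __name__ == "__main__":
    for pool, prefix in colliding_pools(ROUTED_PREFIXES):
        print(f"collision: docker may allocate {pool}, which overlaps routed {prefix}")
    print(f"{len(free_pools(ROUTED_PREFIXES))} default pools are still free")
    # Reserve a slice of CGNAT space for containers instead (100.64/16 is routed here).
    print(json.dumps(daemon_json("100.80.0.0/12", 24, ROUTED_PREFIXES), indent=2))
```

Feed `ROUTED_PREFIXES` from a route dump (`ip route`, or the VPN and DC address plan) rather than from the Docker host's own interfaces, since the latter is exactly what Docker already checks and exactly what misses the production collision.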

I always hated seeing “FBI Surveillance Van”

Made me wanna climb out of my FBI Surveillance Van and have a word with them.

Ha! “Unmarked white van” is the WiFi name at my local dog daycare. I got a good laugh.
My wifi is called nsa_net
Yeah, sharing SSIDs isn't such a great idea. Check out https://wigle.net ... Obviously multiple people around the world use this one, but it narrows it down for dedicated people.
Mine is your_wife_is_hot.
Now I know who you are.
Two things that come to mind are running out of private address space (a /8 isn't that large), or wanting address space that doesn't clash with other private networks (e.g. to ensure a VPN doesn't overlap with home networks). There's probably more reasons.
> running out of private address space

Classic merger "solution".

Company A uses 10/8 Company B uses 10/8, company A buys company B and orders new subsidiary B to renumber into 11/8 "All you have to do is change every first octet to 11"

Merger after merger after merger followed by a massive adoption of public cloud (using Direct Connect/Express Route for hybrid connectivity) has led at least two very large FinServs I worked for to adopt CGNAT (100.64/10) for parts of their internal networks.

In both cases RFC1918 was used throughout their global network and while not fully used, had become highly fragmented over time.

or, you know, use NAT to do so :)
or upgrade to ipv6 :)
or maybe ask the question regarding why we're not all running ipv6.
how would nat help in this case?
If they're not actually using the whole /8 (highly likely), you can set up a 1:1 NAT. Basically, from network B, if you want to talk to network A, you find out the address in 11/8 that corresponds to the 10/8 address and vice versa. You can use split-horizon DNS to make it mostly transparent.

Every networking problem in the world can be solved with more NAT or more encapsulation :)

It basically maps addresses visible on one interface to those on a different interface. So you can route many addresses on 10.x to a single 10.x address that is on a different network.

https://www.cisco.com/c/en/us/support/docs/ip/network-addres...
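The 1:1 NAT plus split-horizon DNS arrangement sketched in the two comments above, as an added example that is not part of the thread. The scenario is constructed: company A and subsidiary B both really use 10.0.0.0/8; on the A-B link, B is presented to A as 11.0.0.0/8 and A is presented to B as 12.0.0.0/8, and a NAT box on that link swaps the network bits while keeping the host bits (what Linux iptables calls NETMAP). Hostnames, addresses and interface names are made up.

```python
"""Added example (not from the thread): 1:1 NAT between two merged networks
that both use 10.0.0.0/8, plus the split-horizon DNS view that makes the
alias ranges transparent to users.

Constructed scenario: B is seen from A as 11.0.0.0/8, A is seen from B as
12.0.0.0/8. A NAT box on the A<->B link rewrites network bits only.
"""
import ipaddress

A_REAL = ipaddress.ip_network("10.0.0.0/8")
B_REAL = ipaddress.ip_network("10.0.0.0/8")
B_ALIAS_IN_A = ipaddress.ip_network("11.0.0.0/8")  # how A sees B
A_ALIAS_IN_B = ipaddress.ip_network("12.0.0.0/8")  # how B sees A


def netmap(addr, from_net, to_net):
    """Map addr from one prefix onto another of the same length, host bits preserved."""
    addr = ipaddress.ip_address(addr)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 NAT needs equal-length prefixes")
    if addr not in from_net:
        raise ValueError(f"{addr} is not in {from_net}")
    host_bits = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + host_bits)


def a_to_b(src, dst):
    """Packet from A toward B's alias range, as rewritten by the NAT box.

    Destination 11.x becomes B's real 10.x. The source is rewritten too, to
    A's alias 12.x, otherwise B's reply would land on one of B's own 10.x hosts.
    """
    return str(netmap(src, A_REAL, A_ALIAS_IN_B)), str(netmap(dst, B_ALIAS_IN_A, B_REAL))


def b_to_a(src, dst):
    """The reverse rewrite: B's reply, or B initiating toward A's alias range."""
    return str(netmap(src, B_REAL, B_ALIAS_IN_A)), str(netmap(dst, A_ALIAS_IN_B, A_REAL))


# Split-horizon DNS. B_ZONE is B's authoritative data (constructed); A's
# resolver serves the same names but answers with B's alias addresses.
B_ZONE = {"db.b.example": "10.5.6.7", "web.b.example": "10.9.0.12"}


def resolve_for_a(name):
    """What a host in A gets back when it looks up a B name."""
    return str(netmap(B_ZONE[name], B_REAL, B_ALIAS_IN_A))


def iptables_rules(a_iface="eth0", b_iface="eth1"):
    """Equivalent iptables NETMAP rules for the NAT box (interface names assumed).

    PREROUTING rewrites destinations, POSTROUTING rewrites sources; conntrack
    reverse-translates replies, so one rule pair per initiating direction.
    """
    return [
        # A -> B: dst 11/8 -> 10/8 (B real), src 10/8 (A real) -> 12/8
        f"iptables -t nat -A PREROUTING -i {a_iface} -d {B_ALIAS_IN_A} -j NETMAP --to {B_REAL}",
        f"iptables -t nat -A POSTROUTING -o {b_iface} -s {A_REAL} -j NETMAP --to {A_ALIAS_IN_B}",
        # B -> A: dst 12/8 -> 10/8 (A real), src 10/8 (B real) -> 11/8
        f"iptables -t nat -A PREROUTING -i {b_iface} -d {A_ALIAS_IN_B} -j NETMAP --to {A_REAL}",
        f"iptables -t nat -A POSTROUTING -o {a_iface} -s {B_REAL} -j NETMAP --to {B_ALIAS_IN_A}",
    ]


if __name__ == "__main__":
    alias = resolve_for_a("db.b.example")   # A's host asks for B's DB, gets 11.5.6.7
    on_wire = a_to_b("10.1.2.3", alias)     # into B: 12.1.2.3 -> 10.5.6.7
    reply = b_to_a(on_wire[1], on_wire[0])  # B answers 10.5.6.7 -> 12.1.2.3; A sees 11.5.6.7 -> 10.1.2.3
    print(alias, on_wire, reply, *iptables_rules(), sep="\n")
```

The double rewrite (destination and source) is the part people forget: mapping only the destination works until the reply has to find its way back into a network whose 10.x addresses are ambiguous. Anything that embeds addresses in payload (SIP, FTP, some database cluster protocols) still needs an ALG or will break, which is the usual argument for renumbering or IPv6 instead.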

In our case, we were setting up VPN tunnels to a partner, who for some reason required that the addresses on our side should (appear to be) public IP addresses. So we couldn't use 10/8 or 192.168/16 in (that part of) our network.

They didn't actually need the addresses to be routable from the public internet (that was the whole point of the VPN). I think the requirement was really a way of making sure they were unique. I'm sure they had several partners who used 10/8 internally.

There's also 172.16/12 :) But yeah I agree. If you're running a VPN for a large company it's kinda hard to avoid such conflicts.

In my work we use 10.0.0.0/8 but of course some people use the same at home even though 192.168/16 is way more common. In general I find 172.16/12 the least common in the field.

I personally use a range towards the end of the 172.16/12 reservation for my home network for exactly this reason. Ever since I made the change five years ago I’ve never suffered any conflicts when running a VPN in or out.
Virtually nobody realizes 172.17-172.31 are available.

And many are surprised to find that there are 172.* that are routable.

I know the old Apple Extreme and Time Machine routers used to default to 10 rather than 192; ever since then I've kept my internal routing within that block.

It just looks nicer to me which shows the power of Apple and how easily I am influenced.

I like 172.12/16 for a company network, especially for small companies with limited support resources. Getting employees on VPN is much simpler as virtually no home routers use that range.
A trick is to use something in the 10 range but not /8 - 10.185.203/24 will work on a 10/8 network (assuming no actual host overlap) as it’s more specific and will route first.

Still gives you fun issues though.
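Both the more-specific trick in the comment above and the border-gateway leak described at the top of the thread come down to longest-prefix match. The following added example, not code from the thread, walks a constructed border-router forwarding table: with no internal route for squatted 11.0.0.0/8, a packet for 11.x matches only the default route and follows it to the upstream (and, once someone announces 11/8, on to them); adding the internal route fixes it, and a /24 inside 10/8 beats the /8 for the same reason. It also includes a small audit helper that lists which internal prefixes a given table would hand to the upstream. Prefixes and next-hop names are made up.

```python
"""Added example (not from the thread): longest-prefix match on a border
router, showing (a) why traffic for squatted space leaks out when the border
only has a default route, and (b) why a more specific route such as
10.185.203.0/24 wins over 10.0.0.0/8.

Routing tables, prefixes and next-hop names are constructed.
"""
import ipaddress


def fib(routes):
    """Build a forwarding table from (prefix, next_hop) pairs."""
    return [(ipaddress.ip_network(prefix), next_hop) for prefix, next_hop in routes]


def lookup(table, dst):
    """Longest-prefix match: of the routes that contain dst, the longest prefix wins."""
    dst = ipaddress.ip_address(dst)
    candidates = [(net, nh) for net, nh in table if dst in net]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda route: route[0].prefixlen)[1]


def leaking_prefixes(table, internal_prefixes, upstream):
    """Internal prefixes the border would forward to the upstream instead of inside.

    Probes the first and last address of each prefix; a more specific hole
    in the middle would need every sub-route enumerated, which this demo skips.
    """
    leaks = []
    for p in internal_prefixes:
        net = ipaddress.ip_network(p)
        if upstream in {lookup(table, str(net[0])), lookup(table, str(net[-1]))}:
            leaks.append(p)
    return leaks


# The site squats on 11.0.0.0/8 internally but only the core knows about it;
# the border router was never told.
INTERNAL = ["10.0.0.0/8", "11.0.0.0/8"]
BEFORE = fib([
    ("0.0.0.0/0", "isp-upstream"),
    ("10.0.0.0/8", "core"),
    ("10.185.203.0/24", "vpn-concentrator"),
])
# The fix: the border learns an internal route for the squatted /8. A null
# route at the border would also stop the leak, at the price of dropping any
# internal traffic that mistakenly reached the border instead of the core.
AFTER = BEFORE + fib([("11.0.0.0/8", "core")])

if __name__ == "__main__":
    print(lookup(BEFORE, "11.20.30.40"))   # isp-upstream: default route, leaks once 11/8 is announced
    print(lookup(AFTER, "11.20.30.40"))    # core
    print(lookup(AFTER, "10.185.203.7"))   # vpn-concentrator: the /24 beats the /8
    print(lookup(AFTER, "10.185.204.7"))   # core: one octet off, back to the /8
    print(leaking_prefixes(BEFORE, INTERNAL, "isp-upstream"))  # ['11.0.0.0/8']
    print(leaking_prefixes(AFTER, INTERNAL, "isp-upstream"))   # []
```

Run `leaking_prefixes` against the real border FIB (exported from `show ip route` or `ip route`) and the real internal address plan: any squatted or RFC 1918 prefix that resolves to the upstream is traffic that will leave the building the moment someone on the Internet starts announcing it, which is the failure the DoD announcement exposed.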

In my case I got a class C around about 1992 (back then that was the only way to get on the internet); at some point the ISP above my ISP claimed it as theirs without telling me... I still use it internally; why should I change?
Is it "directly assigned" to you in whois? I got mine around 1993.
In the case of a managed service provider I worked for, using non-announced gov/mil space allowed us to inject routes for monitoring purposes into the MPLS vrfs of our customers so we could poll the routers without using our own public space.