Attribution Growing Challenges For LEAs


Attribution

Growing Challenges For LEAs

Unit Chief Donald Codling (Retired)

Federal Bureau of Investigation (FBI)

Cyber Division

3 October 2013


What is Carrier Grade Network Address Translation?


Network Address Translation (NAT):


Used in private networks (home, small business) to manage networks through private IPv4 addresses;


Carrier Grade NAT (CGN):


places a NAT between the access network and the Internet


allows a single public IPv4 address to be used to support multiple customers.


CGN is not new but much more pervasive:


Used for many years in developing nations and by mobile providers faced with explosive growth of customers without access to blocks of IPv4 addresses


Impact: NO ATTRIBUTION


IPv4-IPv6 transition


Until recently all that was needed for subscriber information was an IP address - not now


IPv6 deployment is not fast enough


Many devices still not IPv6 capable, e.g., CPEs, routers, TVs, etc.


IPv4 addresses are almost gone


ARIN: no more IPv4 within a year


RIPE NCC and APNIC: no IPv4


Transition period has begun:


Carrier Grade NAT


use one IPv4 for multitude of users


Differentiation is source port


divide 65535 source ports over ? subscribers



[Packet diagram: Destination IP | Dest Port | Source IP | Source port | Message body ...]

IPv4-address attribution with CGN

[Diagram: a web server (193.58.4.34) at a content provider on the Internet; an Internet service provider running a Carrier Grade NAT that presents the public IPv4 addresses 81.247.28.219 and 81.247.28.220; behind it five end users (numbered 1 to 5), each with a LAN router and modem, on the private IPv4 addresses 10.0.12.218, 10.0.12.219, 10.0.12.220, 10.0.13.221 and 10.0.13.222.]

Results of FBI CGN Survey


Received 142 responses


Almost 200 cases affected


Majority of service providers (mostly mobile) are unable to provide subscriber data to legal requests


Cases involve cyber intrusions, armed robbery, child abduction and exploitation, wire fraud, fugitives, etc.


Case impacts:


Subjects not apprehended


Deadly fugitives, pedophiles


Cases delayed


lengthy circumvention via other methods


Cases closed


never able to start case effectively


Reduction of charges


Sample Response to CGN IP Address


IP address 000.000.116.166 is allocated to XYZ Co. and/or Service Provider Corporation in conjunction with XYZ Wireless. These blocks of IPs are used by XYZ Wireless for internet access and web-based applications for wireless devices (such as web-enabled cell phones and aircards). Requested wireless IP assignment records are not created or retained in the normal course of business and XYZ is unable to isolate or identify any individual account or device.

CGN Working Group



Convened 7 times since June 2011


Last meeting on March 27th at Cisco, San Jose, CA


Goal: CGN attribution solutions and IPv6 deployment


Participants:


US/Canadian Law Enforcement (FBI, Royal Canadian Mounted Police, Quebec Police, ICE, DEA, FTC, NCMEC, DOJ)


Government Agencies (Department of Commerce, Department of Defense, Industry Canada)


Providers (Sprint, AT&T, T-Mobile, Rogers, Videotron, Verizon, Cox, Time Warner Cable, Comcast, Qwest, Shaw, Frontier Communications)


Vendors (Juniper, Alcatel, Cisco, A10)


Content Providers (Amazon, Google, Microsoft)


Manufacturers (Apple, Linksys)
CGN Attribution

What needs to happen:

1. Law Enforcement: furnish/request more information to providers

2. Content providers (Google, Facebook, etc.) need to log source port

3. Application providers (Microsoft IIS, Apache) enable default or easy-to-switch-on source port logging

4. IPv6 deployment

What's on the horizon?


ISPs (wire line only) state they have begun to develop solutions


Some content providers log source port


IETF RFCs for logging, e.g., Deterministic, RADIUS ??


Greater IPv6 deployment


Legislation?

CGN Legal Requests


New information law enforcement will need when serving providers with legal orders for single subscriber attribution:

1. Source/Destination IP address;

2. Source port number;

3. Exact time of the connection (within a second);

4. Radius Logs?

5. Netflow/IPFIX ?

Content Providers


Enable source port logging (proxy, firewall, web)


IETF RFC 6302


Modify transaction records to include source port


Include source port in response to historical records request.


Many big content providers log source port


Facebook is notable exception

Application Provider


Microsoft/Apache

Microsoft Request

1. White Paper: Benefits to the users of source port, ease of installing source port logging

2. Code: Source port logging functionality within GUI

3. Microsoft Tech Link

4. Statistical Validation of Source Port Logging Implementation

Apache Request

1. httpd.config file:

LogFormat "%t %h %{remote}p %l %u \"%r\" %>s %b" common

2. Submitted 21 September 2013 on:
https://issues.apache.org/bugzilla/show_bug.cgi?id=53919&list_id=89136
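As an added example (not from the slides, Apache or the working group), the following Python parses web-server log lines written in the slide's LogFormat, in which %{remote}p carries the client's source port, and matches them against CGN translation records to show why the "divide 65535 source ports over ? subscribers" problem makes the source port and a second-accurate timestamp necessary for attribution. The log lines, the translation table, the mapping times and the subscriber ids are all constructed for this example; the translation-record layout is an assumption about what a provider's NAT log would contain.

```python
import re
from datetime import datetime, timezone

# Field order of the slide's LogFormat "%t %h %{remote}p %l %u \"%r\" %>s %b":
# [time] client-ip client-source-port ident user "request" status bytes
LOG_RE = re.compile(r'^\[(?P<time>[^\]]+)\] (?P<ip>\S+) (?P<port>\d+) \S+ \S+ '
                    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"  # Apache %t, e.g. 03/Oct/2013:14:05:09 +0000

def parse_log_line(line):
    """Parse one access-log line into its time, source IP, source port and request."""
    m = LOG_RE.match(line)
    if m is None:
        raise ValueError("line does not match the expected LogFormat: " + line)
    return {"time": datetime.strptime(m["time"], TIME_FMT), "ip": m["ip"],
            "port": int(m["port"]), "request": m["req"]}

def ts(text):
    """Constructed helper: 'YYYY-MM-DD HH:MM:SS' -> timezone-aware UTC datetime."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)

# Constructed CGN translation records standing in for a provider's NAT log:
# (public IP, public port, mapping start, mapping end, private IP, subscriber id)
CGN_RECORDS = [
    ("81.247.28.219", 40001, ts("2013-10-03 14:05:00"), ts("2013-10-03 14:07:00"), "10.0.12.218", "sub-3"),
    ("81.247.28.219", 40002, ts("2013-10-03 14:04:30"), ts("2013-10-03 14:06:00"), "10.0.12.219", "sub-5"),
    ("81.247.28.219", 40003, ts("2013-10-03 14:00:00"), ts("2013-10-03 14:05:00"), "10.0.13.222", "sub-4"),
    ("81.247.28.220", 40001, ts("2013-10-03 14:05:00"), ts("2013-10-03 14:07:00"), "10.0.13.221", "sub-1"),
]

def attribute(records, public_ip, when, public_port=None):
    """Subscriber ids whose mapping of public_ip (and public_port, if given) covers 'when';
    more than one id means the address alone cannot be tied to a single subscriber."""
    hits = set()
    for ip, port, start, end, _private_ip, subscriber in records:
        if ip != public_ip or not (start <= when < end):
            continue
        if public_port is not None and port != public_port:
            continue
        hits.add(subscriber)
    return sorted(hits)

# Constructed access-log lines from the slide's web server 193.58.4.34: same shared
# public address, same second, distinguishable only by source port.
SAMPLE_LOG = [
    '[03/Oct/2013:14:05:09 +0000] 81.247.28.219 40001 - - "GET /login HTTP/1.1" 200 512',
    '[03/Oct/2013:14:05:09 +0000] 81.247.28.219 40002 - - "POST /upload HTTP/1.1" 200 3210',
]

def attribute_log_line(line, records, use_port=True):
    """Resolve one access-log line to subscribers, with or without using the source port."""
    entry = parse_log_line(line)
    return attribute(records, entry["ip"], entry["time"], entry["port"] if use_port else None)
```

With `use_port=False` the first sample line resolves to both sub-3 and sub-5, which is the ambiguity a provider faces when a legal request carries only the IP address and time; with the port it resolves to exactly one subscriber.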




Other Attribution Concerns


TOR


Proxy Servers


FREENET


Poor WHOIS data


Bullet Proof Hosting


Hidden Lynx


Advanced Hacker guns for Hire



Hosting in 'unfriendly jurisdictions'


Questions ?

Email: drcodling@gmail.com

Telephone: +1-703-232-9015