Attribution Growing Challenges For LEAs

Unit Chief Donald Codling (Retired), Federal Bureau of Investigation (FBI), Cyber Division
3 October 2013

Page 1

Attribution Growing Challenges For LEAs
Unit Chief Donald Codling (Retired), Federal Bureau of Investigation (FBI), Cyber Division
3 October 2013

Page 2

What is Carrier Grade Network Address Translation?

• Network Address Translation (NAT):
  – Used in private networks (home, small business) to manage networks through private IPv4 addresses.
• Carrier Grade NAT (CGN):
  – Places a NAT between the access network and the Internet.
  – Allows a single public IPv4 address to support multiple customers.
• CGN is not new, but it is now much more pervasive:
  – Used for many years in developing nations and by mobile providers faced with explosive customer growth without access to blocks of IPv4 addresses.
• Impact: NO ATTRIBUTION

Page 3

IPv4 - IPv6 transition

• Until recently all that was needed for subscriber information was an IP address. Not now.
• IPv6 deployment is not fast enough:
  – Many devices are still not IPv6 capable, e.g., CPEs, routers, TVs, etc.
• IPv4 addresses are almost gone:
  – ARIN: no more IPv4 within a year.
  – RIPE NCC and APNIC: no IPv4.
• Transition period has begun:
  – Carrier Grade NAT: use one IPv4 address for a multitude of users.
  – Differentiation is the source port.
  – Divide 65535 source ports over ? subscribers.

[Figure: packet header fields. Destination IP, Destination Port, Source IP, Source Port, Message body ...]

Page 4

IPv4-address attribution with CGN

[Figure: five end users, each with a LAN router/modem and a private IPv4 address, sit behind the Internet service provider's Carrier Grade NAT, which presents public IPv4 addresses to the Internet; the traffic reaches a web server at an Internet content provider.]
  End user 1: IPv4 Private 10.0.12.218
  End user 2: IPv4 Private 10.0.12.219
  End user 3: IPv4 Private 10.0.12.220
  End user 4: IPv4 Private 10.0.13.221
  End user 5: IPv4 Private 10.0.13.222
  Carrier Grade NAT (Internet service provider): IPv4 Public 81.247.28.219, IPv4 Public 81.247.28.220
  Web Server (Internet content provider): 193.58.4.34

Page 5

Results of FBI CGN Survey

– Received 142 responses
– Almost 200 cases affected
– Majority of service providers (mostly mobile) are unable to provide subscriber data in response to legal requests
– Cases involve cyber intrusions, armed robbery, child abduction and exploitation, wire fraud, fugitives, etc.
– Case impacts:
  • Subjects not apprehended: deadly fugitives, pedophiles
  • Cases delayed: lengthy circumvention via other methods
  • Cases closed: never able to start the case effectively
  • Reduction of charges

Page 6

Sample Response to CGN IP Address

• IP address 000.000.116.166 is allocated to XYZ Co. and/or Service Provider Corporation in conjunction with XYZ Wireless. These blocks of IPs are used by XYZ Wireless for internet access and web-based applications for wireless devices (such as web-enabled cell phones and aircards). Requested wireless IP assignment records are not created or retained in the normal course of business and XYZ is unable to isolate or identify any individual account or device.

Page 7

CGN Working Group

• Convened 7 times since June 2011
• Last meeting on March 27th at Cisco, San Jose, CA
• Goal: CGN attribution solutions and IPv6 deployment
• Participants:
  – US/Canadian Law Enforcement (FBI, Royal Canadian Mounted Police, Quebec Police, ICE, DEA, FTC, NCMEC, DOJ)
  – Government Agencies (Department of Commerce, Department of Defense, Industry Canada)
  – Providers (Sprint, AT&T, T-Mobile, Rogers, Videotron, Verizon, Cox, Time Warner Cable, Comcast, Qwest, Shaw, Frontier Communications)
  – Vendors (Juniper, Alcatel, Cisco, A10)
  – Content Providers (Amazon, Google, Microsoft)
  – Manufacturers (Apple, Linksys)

Page 8

CGN Attribution

What needs to happen:
1. Law Enforcement: furnish more information to providers and request more information from them
2. Content providers (Google, Facebook, etc.) need to log the source port
3. Application providers (Microsoft IIS, Apache): enable source port logging by default, or make it easy to switch on
4. IPv6 deployment

What's on the horizon?
– ISPs (wire line only) state they have begun to develop solutions
– Some content providers log the source port
– IETF RFCs for logging, i.e., Deterministic, RADIUS ??
– Greater IPv6 deployment
– Legislation?
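Slide 3 asks how 65535 source ports divide over "?" subscribers, and the "Deterministic" item above points at the IETF work on deterministic CGN port mapping (published later as RFC 7422). The Python below is an added example, not from the presentation, the IETF or any CGN vendor: it models one public IPv4 address whose usable ports are cut into equal, fixed blocks, so a (public IP, source port) pair is attributed by arithmetic and the ISP does not need a per-connection translation log. Everything in it is assumed for illustration: the 1024 reserved ports, the 2048-port block size and the "sub-NN" subscriber labels; only the address 81.247.28.219 is taken from slide 4.

```python
"""Deterministic CGN port allocation (added example, not from the slides).

Each subscriber behind one public IPv4 address owns a fixed, contiguous block
of source ports. "Who held port P on address A?" is then answered by
arithmetic instead of by searching a log of every translation.
Assumptions: ports 0-1023 are kept back by the ISP, every block has the same
size, and the subscriber labels are made up.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

RESERVED_PORTS = 1024                   # assumption: never handed to subscribers
USABLE_PORTS = 65536 - RESERVED_PORTS   # 64512 ports to share per public address


def subscribers_per_address(ports_per_subscriber: int) -> int:
    """How many subscribers one public IPv4 address carries for a given block size."""
    if ports_per_subscriber <= 0:
        raise ValueError("block size must be positive")
    return USABLE_PORTS // ports_per_subscriber


@dataclass(frozen=True)
class DeterministicCgn:
    public_ip: str
    ports_per_subscriber: int
    subscribers: Tuple[str, ...]   # subscriber i owns the i-th port block

    def __post_init__(self) -> None:
        if len(self.subscribers) > subscribers_per_address(self.ports_per_subscriber):
            raise ValueError("more subscribers than port blocks on this address")

    def port_block(self, subscriber: str) -> Tuple[int, int]:
        """Inclusive (first, last) source port the subscriber's traffic can carry."""
        i = self.subscribers.index(subscriber)
        first = RESERVED_PORTS + i * self.ports_per_subscriber
        return first, first + self.ports_per_subscriber - 1

    def subscriber_for(self, public_ip: str, port: int) -> Optional[str]:
        """Attribute (public_ip, port) to a subscriber without any translation log.

        Returns None for another address, a reserved port, or a port in the
        unassigned remainder at the top of the range.
        """
        if public_ip != self.public_ip or not RESERVED_PORTS <= port <= 65535:
            return None
        i = (port - RESERVED_PORTS) // self.ports_per_subscriber
        return self.subscribers[i] if i < len(self.subscribers) else None


# 31 made-up subscribers with 2048 ports each on the public address from slide 4.
EXAMPLE_CGN = DeterministicCgn(
    public_ip="81.247.28.219",
    ports_per_subscriber=2048,
    subscribers=tuple(f"sub-{i:02d}" for i in range(31)),
)

if __name__ == "__main__":
    # The trade-off behind "divide 65535 source ports over ? subscribers":
    # smaller blocks pack more subscribers per address but cap their concurrent flows.
    for size in (256, 1024, 2048, 4096):
        print(f"{size} ports per subscriber -> {subscribers_per_address(size)} subscribers per IPv4")
    print(EXAMPLE_CGN.subscriber_for("81.247.28.219", 41234), EXAMPLE_CGN.port_block("sub-19"))
```

The price of this scheme is the fixed block: a subscriber who exhausts their ports gets no more, and a provider that allocates ports dynamically instead must keep the translation log that the next slides ask for.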

Page 9

CGN Legal Requests

• New information law enforcement will need when serving providers with legal orders for single subscriber attribution:
  1. Source/Destination IP address;
  2. Source port number;
  3. Exact time of the connection (within a second);
  4. RADIUS logs?
  5. NetFlow/IPFIX?

Page 10

Content Providers

• Enable source port logging (proxy, firewall, web)
• IETF RFC 6302 (Logging Recommendations for Internet-Facing Servers)
• Modify transaction records to include the source port
• Include the source port in responses to historical records requests
• Many big content providers log the source port; Facebook is a notable exception

Page 11

Application Provider Microsoft/Apache

Microsoft Request
1. White Paper: benefits to users of source port logging, ease of installing source port logging
2. Code: source port logging functionality within the GUI
3. Microsoft Tech Link
4. Statistical validation of the source port logging implementation

Apache Request
1. httpd.conf file: LogFormat "%t %h %{remote}p %l %u \"%r\" %>s %b" common
2. Submitted 21 September 2013 on: https://issues.apache.org/bugzilla/show_bug.cgi?id=53919&list_id=89136

Note that %{remote}p records the port of the TCP peer that connected to Apache. Behind a reverse proxy or load balancer that is the proxy's port, not the client's, so the source port has to be captured at the first device that terminates the client connection (the proxy or firewall named on slide 10).
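To show how the three items on slide 9 (IP address, source port, exact time) combine with the LogFormat proposed above, here is an added Python example; it is not part of the presentation, of the Apache project or of any ISP's tooling. It parses a web-server log line written in that exact format, normalises the %t timestamp to UTC, and matches it against a constructed CGN translation log that reuses the private and public addresses drawn on slide 4. The translation records, the sample log line, the record layout and the one-second tolerance are all assumptions; real CGN logs are vendor-specific.

```python
"""Resolving a web-server log entry to a CGN subscriber (added example).

The log line follows the LogFormat proposed on slide 11:
    %t %h %{remote}p %l %u \"%r\" %>s %b
The CGN translation records and the subscriber addresses behind them are
constructed for this example; real CGN logs differ per vendor.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

# One capture group per LogFormat directive, in the slide's order.
APACHE_WITH_SRC_PORT = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<ip>\S+) (?P<port>\d+) (?P<ident>\S+) '
    r'(?P<user>\S+) "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)


@dataclass(frozen=True)
class Connection:
    when: datetime      # timezone-aware, normalised to UTC
    src_ip: str
    src_port: int
    request: str


def parse_apache_line(line: str) -> Connection:
    """Parse one line in the slide's LogFormat; reject lines without a source port."""
    m = APACHE_WITH_SRC_PORT.match(line.strip())
    if not m:
        raise ValueError(f"line does not match the expected LogFormat: {line!r}")
    # %t is "[day/month/year:hour:minute:second zone]". %z parses the zone, so
    # the timestamp is aware and can be compared with the CGN's UTC records.
    when = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return Connection(when, m["ip"], int(m["port"]), m["request"])


@dataclass(frozen=True)
class Translation:
    """One CGN binding: private address <-> (public address, public port) for a time window."""
    private_ip: str
    public_ip: str
    public_port: int
    start: datetime
    end: datetime


def utc(hour: int, minute: int, second: int) -> datetime:
    return datetime(2013, 10, 3, hour, minute, second, tzinfo=timezone.utc)


# Constructed CGN translation log for the two public addresses on slide 4.
CGN_LOG = [
    Translation("10.0.12.219", "81.247.28.219", 41234, utc(14, 6, 0), utc(14, 7, 0)),    # earlier holder of the same port
    Translation("10.0.12.218", "81.247.28.219", 41234, utc(14, 7, 40), utc(14, 8, 10)),
    Translation("10.0.12.220", "81.247.28.219", 52000, utc(14, 7, 0), utc(14, 9, 0)),
    Translation("10.0.13.221", "81.247.28.220", 41234, utc(14, 7, 0), utc(14, 9, 0)),    # same port, other public IP
]

# Constructed web-server log line; the server's clock is in UTC-4, the CGN's in UTC.
SAMPLE_LINE = '[03/Oct/2013:10:07:51 -0400] 81.247.28.219 41234 - - "GET /index.html HTTP/1.1" 200 2326'


def resolve(conn: Connection, cgn_log: List[Translation], port_known: bool = True,
            tolerance: timedelta = timedelta(seconds=1)) -> List[str]:
    """Return the private addresses that could have made `conn`.

    With the source port the answer is normally one subscriber. Without it,
    every subscriber sharing the public address at that instant is a
    candidate: the "NO ATTRIBUTION" outcome the slides describe.
    """
    lo, hi = conn.when - tolerance, conn.when + tolerance
    return sorted({
        t.private_ip for t in cgn_log
        if t.public_ip == conn.src_ip
        and (not port_known or t.public_port == conn.src_port)
        and t.start <= hi and t.end >= lo        # binding overlaps the query window
    })


if __name__ == "__main__":
    conn = parse_apache_line(SAMPLE_LINE)
    print("with source port:   ", resolve(conn, CGN_LOG))
    print("without source port:", resolve(conn, CGN_LOG, port_known=False))
```

Run stand-alone, the lookup with the port returns only 10.0.12.218; the same query without the port returns both 10.0.12.218 and 10.0.12.220, because both were active behind 81.247.28.219 at 14:07:51 UTC. A line in the stock common log format, which has no port field, is rejected by the parser rather than silently matched without one.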

Page 12

Other Attribution Concerns

• TOR
• Proxy servers
• FREENET
• Poor WHOIS data
• Bullet proof hosting
• Hidden Lynx: "Advanced Hacker guns for Hire"
• Hosting in 'unfriendly jurisdictions'

Page 13

Questions ?

Email: [email protected]
Telephone: +1-703-232-9015