Minutes before Trump left office, millions of the Pentagon’s dormant IP addresses sprang to life: WaPo

This is a very technical article relating to some strange activities regarding Pentagon internet addresses suddenly being diverted to some shell company in Florida.

Or at least I think that's what it is about, it is certainly not an article aimed at explaining technical things to a mainstream audience, so it's hard to tell what's going on. Anyone with greater technical nous than the average Android user (i.e. me) like to explain whether this is deeply sinister or just a bit of routine housekeeping?

It's paywalled so I will quote it here:

After decades of not using a huge chunk of the Internet, the Pentagon has given control of millions of computer addresses to a previously unknown company in an effort to identify possible cyber vulnerabilities and threats


By Craig Timberg and Paul Sonne
April 24, 2021 at 7:19 p.m. GMT+7

While the world was distracted with President Donald Trump leaving office on Jan. 20, an obscure Florida company discreetly announced to the world’s computer networks a startling development: It now was managing a huge unused swath of the Internet that, for several decades, had been owned by the U.S. military.

What happened next was stranger still.
The company, Global Resource Systems LLC, kept adding to its zone of control. Soon it had claimed 56 million IP addresses owned by the Pentagon. Three months later, the total was nearly 175 million. That’s almost 6 percent of a coveted traditional section of Internet real estate — called IPv4 — where such large chunks are worth billions of dollars on the open market.

The entities controlling the largest swaths of the Internet generally are telecommunications giants whose names are familiar: AT&T, China Telecom, Verizon. But now at the top of the list was Global Resource Systems — a company founded only in September that has no publicly reported federal contracts and no obvious public-facing website.

As listed in records, the company’s address in Plantation, Fla., outside Fort Lauderdale, is a shared workspace in an office building that doesn’t show Global Resource Systems on its lobby directory. A receptionist at the shared workspace said Friday that she could provide no information about the company and asked a reporter to leave. The company did not respond to requests for comment.

The only announcement of Global Resources Systems’ management of Pentagon addresses happened in the obscure world of Border Gateway Protocol (BGP) — the messaging system that tells Internet companies how to route traffic across the world. There, messages began to arrive telling network administrators that IP addresses assigned to the Pentagon but long dormant could now accept traffic — but it should be routed to Global Resource Systems.

Network administrators began speculating about perhaps the most dramatic shift in IP address space allotment since BGP was introduced in the 1980s.

“They are now announcing more address space than anything ever in the history of the Internet,” said Doug Madory, director of Internet analysis for Kentik, a network monitoring company, who was among those trying to figure out what was happening. He published a blog post on the mystery Saturday morning.

The theories were many. Did someone at the Defense Department sell off part of the military’s vast collection of sought-after IP addresses as Trump left office? Had the Pentagon finally acted on demands to unload the billions of dollars worth of IP address space the military has been sitting on, largely unused, for decades?

An answer, of sorts, came Friday.

The change is the handiwork of an elite Pentagon unit known as the Defense Digital Service, which reports directly to the secretary of defense. The DDS bills itself as a “SWAT team of nerds” tasked with solving emergency problems for the department and conducting experimental work to make big technological leaps for the military.

Created in 2015, the DDS operates a Silicon Valley-like office within the Pentagon. It has carried out a range of special projects in recent years, from developing a biometric app to help service members identify friendly and enemy forces on the battlefield to ensuring the encryption of emails Pentagon staff were exchanging about coronavirus vaccines with external parties.

Brett Goldstein, the DDS’s director, said in a statement that his unit had authorized a “pilot effort” publicizing the IP space owned by the Pentagon.
“This pilot will assess, evaluate and prevent unauthorized use of DoD IP address space,” Goldstein said. “Additionally, this pilot may identify potential vulnerabilities.”

Goldstein described the project as one of the Defense Department’s “many efforts focused on continually improving our cyber posture and defense in response to advanced persistent threats. We are partnering throughout DoD to ensure potential vulnerabilities are mitigated.”

The specifics of what the effort is trying to achieve remain unclear. The Defense Department declined to answer a number of questions about the project, and Pentagon officials declined to say why Goldstein’s unit had used a little-known Florida company to carry out the pilot effort rather than have the Defense Department itself “announce” the addresses through BGP messages — a far more routine approach.

What is clear, however, is the Global Resource Systems announcements directed a fire hose of Internet traffic toward the Defense Department addresses. Madory said his monitoring showed the broad movements of Internet traffic began immediately after the IP addresses were announced Jan. 20.

Madory said such large amounts of data could provide several benefits for those in a position to collect and analyze it for threat intelligence and other purposes.

The data may provide information about how malicious actors operate online and could reveal exploitable weaknesses in computer systems. In addition, several Chinese companies use network numbering systems that resemble the U.S. military’s IP addresses in their internal systems, Madory said. By announcing the address space through Global Resource Systems, that could cause some of that information to be routed to systems controlled by the U.S. military.

The data could also include accidental misconfigurations that could be exploited or fixed, Madory said.
“If you have a very large amount of traffic, and someone knows how to go through it, you’ll find stuff,” Madory added.

Russell Goemaere, a spokesman for the Defense Department, confirmed in a statement to The Washington Post that the Pentagon still owns all the IP address space and hadn’t sold any of it to a private party.

Dormant IP addresses can be hijacked and used for nefarious purposes, from disseminating spam to hacking into a computer system and downloading data, and the pilot program could allow the Defense Department to uncover if those activities are taking place using its addresses.

A person familiar with the pilot effort, who agreed to speak on the condition of anonymity because the program isn’t public, said it is important for the Defense Department to have “visibility and transparency” into its various cyber resources, including IP addresses, and manage the addresses properly so they will be available if and when the Pentagon wants to use them.
“If you can’t see it, you can’t defend it,” the person said.

Lori Rozsa in Plantation, Fla., and Alice Crites contributed to this report.
 

Whining Civvy

War Hero
Where does the "deeply sinister" part come from?
 
Where does the "deeply sinister" part come from?
You tell me. The implication of the timing in the article heading led me, and most readers I would suspect, to believe that something very odd happened: billions of dollars' worth of internet addresses belonging to the government suddenly routed to a shell company in Florida. I think most lay people not versed in the finer details of the internet and the Pentagon reading the heading and the lead paras would assume something fishy was going on.

The reader is then taken on a technical discussion (which according to several commenters on the article is inaccurate) before being told there's nothing untoward at all and that it's all perfectly routine.

That is why I posted the article, to learn from more knowledgeable posters whether this is sinister (as implied in the WaPo heading) or indeed perfectly routine (as stated in the article, well sort of, questions remain).

I am not looking for a Trump GRRR! discussion; I was hoping for an explanation. Perhaps you can't enlighten me, but maybe others can.
 
I was a coder, and always regarded networking as “white man’s magic” (a phrase probably not allowed nowadays) but I did pick up the basics.

I see nothing politically or financially sinister in the report (at the moment). For example, I believe MOD bought the world rights to all IP addresses beginning with a particular number and we let a third party manage that. MOD doesn’t actually need all those addresses.

On the basis that a simple reason is often the most likely option, this may just be the Pentagon outsourcing the management of those IP addresses or deciding it doesn’t need all the addresses it has.

But there is always the option that this is cyber-warfare related. By nature, internet traffic is not fussy which route it takes (although you can force it to take prescribed routes). It’s like travelling from Edinburgh to London: you can take the train, you can drive down the A1, you can get a bus to Edinburgh airport, fly to Heathrow then jump on the tube. Or you can get a train to Glasgow, bus to Prestwick, fly to New York, have your bags searched, then fly to Gatwick before jumping on the Gatwick express.

Internet traffic takes whatever route is available at that precise moment unless told otherwise.

If you can get internet traffic routed through addresses you control, you can interrogate that traffic. Similarly, if you can get your traffic only routed via addresses you control, your traffic cannot be interrogated by foreign powers. Bringing billions of previously unused addresses back into play brings lots of new potential routes.
 

Zhopa

War Hero
If you can get internet traffic routed through addresses you control, you can interrogate that traffic. Similarly, if you can get your traffic only routed via addresses you control, your traffic cannot be interrogated by foreign powers. Bringing billions of previously unused addresses back into play brings lots of new potential routes.

This appears to be the intent, at least from parsing the DoD announcements. Translating very loosely, the addresses that have been released are ones that notionally exist, but were never in use - except for internal, demonstration, education, or nefarious purposes. So if you suddenly are able to tap into everything using them, you see a whole lot of activity you weren't meant to, which is obviously helpful.

But that still leaves the question of why they have done it through a dodgy front company, which even if all is legit and above board still looks "deeply sinister" as @Mike Barton says. In effect it draws a lot more attention to what they are doing, which may not have been the intended outcome.
 

OneTenner

LE
Book Reviewer
This appears to be the intent, at least from parsing the DoD announcements. Translating very loosely, the addresses that have been released are ones that notionally exist, but were never in use - except for internal, demonstration, education, or nefarious purposes. So if you suddenly are able to tap into everything using them, you see a whole lot of activity you weren't meant to, which is obviously helpful.

But that still leaves the question of why they have done it through a dodgy front company, which even if all is legit and above board still looks "deeply sinister" as @Mike Barton says. In effect it draws a lot more attention to what they are doing, which may not have been the intended outcome.
Looks to me like it's been done to harvest statistical data over a wider range than they could previously use to trace sources and patterns to expose 'bad actors'. Using a third party (which for IP 'ownership' can be a one person company) will be to adjust the Whois records so that automated scans do not exclude the range due to government ownership. It's a bit like the old 'honeypot' computers beloved of antivirus companies but on a much bigger scale.
I don't see anything 'sinister' at all; government business rolls on 24 hours a day regardless of whose name is above the door.
 
But that still leaves the question of why they have done it through a dodgy front company, which even if all is legit and above board still looks "deeply sinister" as @Mike Barton says. In effect it draws a lot more attention to what they are doing, which may not have been the intended outcome.
Isn’t that the American way? The US government has a history of setting up obscure companies to provide future deniability.

It’s just harder to do it without being noticed nowadays.

Without wishing to be confrontational, what makes people think this is so sinister? Is it a ”Trump grrrr” thing?
 
It's not that interesting really.

They're announcing the IPs on behalf of the DoD. Pretty normal sailing for a comms provider to announce on behalf of an owner (if you have your own netblock your data centre will announce them for you).


Why the change? Who knows. It could be to see what traffic stumbles across them now it's live. It could be to show they are using them as there will be pressure to return them if they are not used. It could be part of a plan to sell them off (in blocks IP addresses are worth about $8-$15 each).
 

OneTenner

LE
Book Reviewer
Sell off of obsolete comms?

Obsolete to the Pentagon doesn’t mean obsolete to you and me.
Class A IPv4 addresses are very much not obsolete; these will have been assigned as part of DARPAnet, and now they're actually doing something useful with them by exposing them to a public gateway.
 

AlienFTM

MIA
Book Reviewer
I am not a network specialist.

I got as far as IPv4.

IPv4 is Internet Protocol version 4. It's part of TCP/IP (Transport Control Protocol), generally referred to simply as IP. It's the traditional IP format you're currently thinking of, for example 192.168.0.1. The maximum addressability is 256.256.256.256. This gives a finite number of IP addresses. The internet has long since blown that maximum. IPv6 is I believe now the standard. It involves four banks of four hexadecimal digits, an unimaginably greater number of unique addresses.

However. Most hardware was built for IPv4. ISPs jump through hoops to provide users with a dynamic IPv4 address, which refreshes periodically if not in constant use. The same IPv4 address can be issued elsewhere when you stop using it. Some even older systems need a static TCP/IP address. Owners of blocks of addresses are defined by the high level qualifier. Thus an address beginning 9. indicated(s) IBM; 9.20 indicates IBM Hursley.

But it's all archaic.

Acquiring swathes of IPv4 addresses? Frankly, here, meh.

I'm reminded of the SCO/Caldera fiasco. Short version: Said company bought an old version of Unix, then claimed the rights to all Unix, all flavours, all derivatives, and took the world to court to claim backdated licence payments. Including IBM.

Within a few years, SCO/Caldera were a bled dry husk, and periodically someone would forward a link round IBM about the latest update. And IBM laughed, then carried on normal jogging, having swept away the pesky fly.

I suspect it will end up a non-story. But I refer the reader to my opening line.

Edit. Link.

 
I was a coder, and always regarded networking as “white man’s magic” (a phrase probably not allowed nowadays) but I did pick up the basics.

The biggest lie in my CCNA text book was "Sub-Netting Made Simple"

First time I dealt with that, a mate (who was a very good national level network engineer) found me drinking wine from the bottle with papers and scribblings of subnetting spread all over the desk I was working on.

He did say that once you've done it manually for the test, use an on-line calculator like everyone else.
 

Splitz

Old-Salt
Interesting, but I am in no way techie enough to work out the implications. The only link with Trump would seem to be the date it happened, and that could well be coincidental. If I were in a position to investigate I'd leave the techie stuff to those who know what they're doing and start asking questions about the shell company; who formed it, who are its directors, what other directorships and positions do they hold etc.
 

theoriginalphantom

MIA
Book Reviewer
It's all down to space lizards.
 

civvy

Old-Salt
With the widespread adoption of Network Address Translation and the growing takeup of IP6 there isn't really a need to hoard loads of IP4 addresses anymore.

As an aside, sometime early this century, we were checking the internet facing side of our network for any nefarious activity. We found an IP address that we didn't recognise so spidey senses went into overdrive. Even to the extent of lifting the comms room floor to make sure nothing foreign had been installed down there. Sitting down with a pen and paper and taking account of the subnet mask it eventually dawned that the address in question was the broadcast address of that subnet.

Why did a team of skilled network engineers miss that? Well, IP4 addresses were very short at that time and we had been allocated a very non standard subnet. Plus we didn't use the broadcast address but our ISP did.

The downside... Every time we had a PEN test the testers would pick up this address and the board of directors would have kittens. I got seriously fed up with explaining it every bloody time.
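The broadcast-address puzzle above is exactly the sort of thing a pen-and-paper subnet calculation resolves. As an added example that is not part of the thread, the Python below uses the standard ipaddress module to compute the network, broadcast and usable-host range of an allocated block and then sorts addresses seen on the internet-facing side into buckets, so an address that is really the subnet broadcast (which an ISP may answer for) is recognised before it is reported as a rogue host. The 203.0.113.64/27 block and the observed addresses are constructed sample values from the documentation range, not anything from the post.

```python
import ipaddress


def subnet_facts(cidr: str) -> dict:
    """Network, broadcast, mask and usable host range for a CIDR block.

    strict=False accepts a 'very non standard' allocation written with
    host bits set (e.g. 203.0.113.70/27) and normalises it to the block.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    first = int(net.network_address)
    last = int(net.broadcast_address)
    if net.prefixlen < 31:
        # Conventional IPv4 subnet: first and last addresses are reserved
        # for the network and broadcast addresses respectively.
        first += 1
        last -= 1
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "first_host": str(ipaddress.ip_address(first)),
        "last_host": str(ipaddress.ip_address(last)),
        "usable_hosts": last - first + 1,
    }


def classify_observed(cidr: str, observed: list) -> dict:
    """Bucket addresses seen by a scan against the allocated block.

    'broadcast' and 'network' are the two reserved addresses that are
    not real hosts; 'outside' is anything not in our allocation at all.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    buckets = {"network": [], "broadcast": [], "host": [], "outside": []}
    for text in observed:
        ip = ipaddress.ip_address(text)
        if ip not in net:
            buckets["outside"].append(text)
        elif ip == net.broadcast_address:
            buckets["broadcast"].append(text)
        elif ip == net.network_address:
            buckets["network"].append(text)
        else:
            buckets["host"].append(text)
    return buckets


if __name__ == "__main__":
    # Constructed sample: a /27 allocation and four addresses a scan saw.
    block = "203.0.113.64/27"
    seen = ["203.0.113.70", "203.0.113.95", "203.0.113.64", "203.0.113.100"]
    print(subnet_facts(block))
    print(classify_observed(block, seen))
```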
 
The biggest lie in my CCNA text book was "Sub-Netting Made Simple"

First time I dealt with that, a mate (who was a very good national level network engineer) found me drinking wine from the bottle with papers and scribblings of subnetting spread all over the desk I was working on.

He did say that once you've done it manually for the test, use an on-line calculator like everyone else.
That was the reason why I gave up on my IT degree with the OU - as it was making me utterly miserable I thought ‘no way am I doing this for a living’. I know I can code - and even Amazon Web Services were impressed, but sod that for a game of soldiers.
 
Looks to me like it's been done to harvest statistical data over a wider range than they could previously use to trace sources and patterns to expose 'bad actors'. Using a third party (which for IP 'ownership' can be a one person company) will be to adjust the Whois records so that automated scans do not exclude the range due to government ownership. It's a bit like the old 'honeypot' computers beloved of antivirus companies but on a much bigger scale.
I don't see anything 'sinister' at all; government business rolls on 24 hours a day regardless of whose name is above the door.

I was thinking world's biggest honeypot/tarpit too.

Tarpot? Honeypit?
 
