Carrier Grade NATs (CGN): A Serious Problem For Law Enforcement

Attribution
Growing Challenges For LEAs
Unit Chief Donald Codling (Retired)
Federal Bureau of Investigation (FBI)
Cyber Division
3 October 2013
What is Carrier Grade Network Address Translation?
• Network Address Translation (NAT):
– Used in private networks (home, small business) to manage networks through private IPv4 addresses
• Carrier Grade NAT (CGN):
– places a NAT between the access network and the Internet
– allows a single public IPv4 address to be used to support multiple customers
• CGN is not new but much more pervasive:
– Used for many years in developing nations and by mobile providers faced with explosive growth of customers without access to blocks of IPv4 addresses
• Impact: NO ATTRIBUTION
IPv4 - IPv6 transition
• Until recently all that was needed for subscriber information was an IP address - not now
• IPv6 deployment is not fast enough
– Many devices still not IPv6 capable, e.g., CPEs, routers, TVs, etc.
• IPv4 addresses are almost gone
– ARIN: no more IPv4 within a year
– RIPE NCC and APNIC: no IPv4
• Transition period has begun:
– Carrier Grade NAT
– use one IPv4 address for a multitude of users
– Differentiation is the source port
– divide 65535 source ports over ? subscribers
[Packet diagram: Destination IP | Dest Port | Source IP | Source port | Message body ...]
IPv4-address attribution with CGN
[Diagram: five end users (each behind a LAN router and modem) with private IPv4 addresses 10.0.12.218, 10.0.12.219, 10.0.12.220, 10.0.13.221 and 10.0.13.222 connect through an Internet service provider's Carrier Grade NAT, which presents only the public IPv4 addresses 81.247.28.219 and 81.247.28.220 to the Internet and to the Internet content provider's web server at 193.58.4.34.]
Results of FBI CGN Survey
– Received 142 responses
– Almost 200 cases affected
– Majority of service providers (mostly mobile) are unable to provide subscriber data in response to legal requests
– Cases involve cyber intrusions, armed robbery, child abduction and exploitation, wire fraud, fugitives, etc.
– Case impacts:
• Subjects not apprehended – deadly fugitives, pedophiles
• Cases delayed – lengthy circumvention via other methods
• Cases closed – never able to start case effectively
• Reduction of charges
Sample Response to CGN IP Address
• IP address 000.000.116.166 is allocated to XYZ Co. and/or Service Provider Corporation in conjunction with XYZ Wireless. These blocks of IPs are used by XYZ Wireless for internet access and web-based applications for wireless devices (such as web-enabled cell phones and aircards). Requested wireless IP assignment records are not created or retained in the normal course of business and XYZ is unable to isolate or identify any individual account or device.
CGN Working Group
• Convened 7 times since June 2011
• Last meeting on March 27th at Cisco, San Jose, CA
• Goal: CGN attribution solutions and IPv6 deployment
• Participants:
– US/Canadian Law Enforcement (FBI, Royal Canadian Mounted Police, Quebec Police, ICE, DEA, FTC, NCMEC, DOJ)
– Government Agencies (Department of Commerce, Department of Defense, Industry Canada)
– Providers (Sprint, AT&T, T-Mobile, Rogers, Videotron, Verizon, Cox, Time Warner Cable, Comcast, Qwest, Shaw, Frontier Communications)
– Vendors (Juniper, Alcatel, Cisco, A10)
– Content Providers (Amazon, Google, Microsoft)
– Manufacturers (Apple, Linksys)
CGN Attribution
What needs to happen:
1. Law Enforcement:
– Furnish/request more information to providers
2. Content providers (Google, Facebook, etc.) need to log the source port
3. Application providers (Microsoft IIS, Apache) enable default or easy-to-switch-on source port logging
4. IPv6 deployment
What’s on the horizon?
– ISPs (wire line only) state they have begun to develop solutions
– Some content providers log source port
– IETF RFCs for logging, i.e., Deterministic, RADIUS ??
– Greater IPv6 deployment
– Legislation?
CGN Legal Requests
• New information law enforcement will need when serving providers with legal orders for single subscriber attribution:
1. Source/Destination IP address;
2. Source port number;
3. Exact time of the connection (within a second);
4. RADIUS logs?
5. NetFlow/IPFIX?
Content Providers
• Enable source port logging (proxy, firewall, web)
• IETF RFC 6302
• Modify transaction records to include source port
• Include source port in response to historical records request
• Many big content providers log source port – Facebook is a notable exception
Application Provider
Microsoft/Apache
Microsoft Request
1. White Paper: Benefits to the users of source port, ease of installing source port logging
2. Code: Source port logging functionality within GUI
3. Microsoft Tech Link
4. Statistical Validation of Source Port Logging Implementation
Apache Request
1. httpd.conf file: LogFormat "%t %h %{remote}p %l %u \"%r\" %>s %b" common
2. Submitted 21 September 2013 on: https://issues.apache.org/bugzilla/show_bug.cgi?id=53919&list_id=89136
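As an added worked example (not part of the deck, and not code from the FBI, Apache or any provider), the Python below parses access-log lines written with the LogFormat just shown and joins them against CGN translation records on the three facts the Legal Requests slide lists: public IP address, source port and exact time. It also shows why the "Differentiation is the source port" slide matters: the same query with only IP and time returns several subscribers. The log lines, the CGN record layout and the private/public addresses (borrowed from the attribution diagram) are all constructed for this example; real CGN logs vary by vendor.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, NamedTuple, Set

# Constructed Apache access-log lines in the LogFormat proposed on the slide:
#   LogFormat "%t %h %{remote}p %l %u \"%r\" %>s %b" common
# %t = request time, %h = client address as the web server sees it (here the
# CGN public address), %{remote}p = the client's TCP source port.
ACCESS_LOG = """\
[03/Oct/2013:14:02:17 +0000] 81.247.28.219 41022 - - "GET /login HTTP/1.1" 200 1532
[03/Oct/2013:14:02:19 +0000] 81.247.28.219 53311 - - "POST /upload HTTP/1.1" 200 88
[03/Oct/2013:14:05:44 +0000] 81.247.28.220 41022 - - "GET / HTTP/1.1" 200 4411
"""

# Constructed CGN translation records as an ISP might retain them (column
# layout is an assumption; vendor formats differ). Each line is:
#   binding start, private address, public address, public source port, binding end
# Note that 10.0.12.218 and 10.0.12.220 reuse public port 41022 at different
# times, so the timestamp is needed even when the port is known.
NAT_LOG = """\
2013-10-03T14:01:58Z 10.0.12.218 81.247.28.219 41022 2013-10-03T14:03:10Z
2013-10-03T14:02:10Z 10.0.12.219 81.247.28.219 53311 2013-10-03T14:02:40Z
2013-10-03T14:03:30Z 10.0.12.220 81.247.28.219 41022 2013-10-03T14:06:00Z
2013-10-03T14:05:00Z 10.0.13.221 81.247.28.220 41022 2013-10-03T14:07:00Z
"""

ACCESS_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<ip>\S+) (?P<port>\d+) \S+ \S+ '
    r'"(?P<request>[^"]*)" (?P<status>\d+) (?P<bytes>\S+)$'
)


class Binding(NamedTuple):
    start: datetime
    private_ip: str
    public_ip: str
    port: int
    end: datetime


def parse_access_log(text: str) -> List[Dict]:
    """Parse lines written with the source-port-enabled LogFormat above."""
    entries = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        entries.append({
            "time": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
            "ip": m["ip"],
            "port": int(m["port"]),
            "request": m["request"],
        })
    return entries


def parse_nat_log(text: str) -> List[Binding]:
    """Parse the constructed CGN binding records (UTC timestamps)."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    bindings = []
    for line in text.splitlines():
        start, priv, pub, port, end = line.split()
        bindings.append(Binding(
            datetime.strptime(start, fmt).replace(tzinfo=timezone.utc),
            priv, pub, int(port),
            datetime.strptime(end, fmt).replace(tzinfo=timezone.utc),
        ))
    return bindings


def attribute(bindings: List[Binding], public_ip: str, port: int,
              when: datetime, skew: timedelta = timedelta(0)) -> List[str]:
    """Private addresses bound to (public_ip, port) at time `when`.

    These are the three facts the deck says a legal request must carry.
    `skew` widens the window to tolerate clock drift between the web
    server and the CGN; with an accurate clock it can stay at zero.
    """
    return [b.private_ip for b in bindings
            if b.public_ip == public_ip and b.port == port
            and b.start - skew <= when <= b.end + skew]


def candidates_without_port(bindings: List[Binding], public_ip: str,
                            when: datetime) -> Set[str]:
    """What the ISP can answer when the request carries only IP and time."""
    return {b.private_ip for b in bindings
            if b.public_ip == public_ip and b.start <= when <= b.end}


def attribute_access_log(access_text: str, nat_text: str):
    """Map every logged request to the subscriber(s) behind the CGN."""
    bindings = parse_nat_log(nat_text)
    return [(e["request"], attribute(bindings, e["ip"], e["port"], e["time"]))
            for e in parse_access_log(access_text)]


if __name__ == "__main__":
    bindings = parse_nat_log(NAT_LOG)
    for request, who in attribute_access_log(ACCESS_LOG, NAT_LOG):
        print(f"{request!r} -> {who}")
    first = parse_access_log(ACCESS_LOG)[0]
    print("IP and time only:", candidates_without_port(bindings, first["ip"], first["time"]))
```

With the source port logged, each request resolves to exactly one private address; with only the public IP and the time, the first request already matches two subscribers, and the set only grows with the number of customers sharing that address.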
Other Attribution Concerns
• TOR
• Proxy Servers
• FREENET
• Poor WHOIS data
• Bullet Proof Hosting
• Hidden Lynx – "Advanced Hacker guns for Hire"
• Hosting in ‘unfriendly jurisdictions’
Questions ?
Email: drcodling@gmail.com
Telephone: +1-703-232-9015