Attribution Growing Challenges For LEAs
Unit Chief Donald Codling (Retired)
Federal Bureau of Investigation (FBI) Cyber Division
3 October 2013

What is Carrier Grade Network Address Translation?
• Network Address Translation (NAT):
  – Used in private networks (home, small business) to manage networks through private IPv4 addresses
• Carrier Grade NAT (CGN):
  – Places a NAT between the access network and the Internet
  – Allows a single public IPv4 address to be used to support multiple customers
• CGN is not new, but it is much more pervasive:
  – Used for many years in developing nations and by mobile providers faced with explosive growth of customers and without access to blocks of IPv4 addresses
• Impact: NO ATTRIBUTION

IPv4 - IPv6 transition
• Until recently, all that was needed for subscriber information was an IP address; not any more
• IPv6 deployment is not fast enough
  – Many devices are still not IPv6 capable, e.g., CPEs, routers, TVs, etc.
• IPv4 addresses are almost gone
  – ARIN: no more IPv4 within a year
  – RIPE NCC and APNIC: no IPv4
• Transition period has begun:
  – Carrier Grade NAT uses one IPv4 address for a multitude of users
  – Differentiation is by source port
  – Divide 65535 source ports over ? subscribers
  – Packet fields that matter for attribution: Destination IP | Destination Port | Source IP | Source Port | Message body ...
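The slide above says that behind a CGN the only thing separating subscribers who share one public IPv4 address is the source port. The following Python is an added example, not part of Codling's deck: it takes a web-server access-log line written in Apache 2.4's remote-port format (the `LogFormat "%t %h %{remote}p %l %u \"%r\" %>s %b"` requested later in the deck) and looks the hit up in an ISP's CGN translation log. The translation-log schema, the port-block sizes, the subscriber names, the log line and the timestamps are all constructed sample data; the IPv4 addresses are the ones in the deck's diagram.

```python
"""
Added example, not part of the original deck: attribute one web-server hit
to a single CGN subscriber from (public IP, source port, exact time), and
show why an IP-only request returns several candidates instead of one.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Apache LogFormat "%t %h %{remote}p %l %u \"%r\" %>s %b" renders as
# [time] client-ip client-source-port ident user "request" status bytes
LOG_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<ip>\S+) (?P<port>\d+) \S+ \S+ '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)


@dataclass(frozen=True)
class Translation:
    """One CGN port-block lease as an ISP might record it (constructed schema)."""
    subscriber: str   # ISP account identifier
    private_ip: str
    public_ip: str
    port_lo: int      # inclusive public source-port block
    port_hi: int
    start: datetime   # lease window, UTC
    end: datetime


def utc(y, mo, d, h=0, mi=0, s=0):
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)


DAY3 = (utc(2013, 10, 3), utc(2013, 10, 3, 23, 59, 59))
DAY2 = (utc(2013, 10, 2), utc(2013, 10, 2, 23, 59, 59))

# Constructed deterministic-NAT log: each subscriber behind 81.247.28.219 owns
# a fixed 2048-port block for the day. subscriber-4 sits behind the other
# public address; subscriber-5's lease on the same ports ended the day before.
TRANSLATIONS = [
    Translation("subscriber-1", "10.0.12.218", "81.247.28.219", 1024, 3071, *DAY3),
    Translation("subscriber-2", "10.0.12.219", "81.247.28.219", 3072, 5119, *DAY3),
    Translation("subscriber-3", "10.0.12.220", "81.247.28.219", 5120, 7167, *DAY3),
    Translation("subscriber-4", "10.0.13.221", "81.247.28.220", 3072, 5119, *DAY3),
    Translation("subscriber-5", "10.0.13.222", "81.247.28.219", 3072, 5119, *DAY2),
]

# Constructed line from the content provider's web server (193.58.4.34 in the deck).
SAMPLE_LOG = '[03/Oct/2013:14:05:07 +0000] 81.247.28.219 4100 - - "GET /login HTTP/1.1" 200 512'


def parse_log_line(line):
    """Return (timestamp in UTC, client IP, client source port) from one log line."""
    m = LOG_RE.match(line)
    if m is None:
        raise ValueError("line does not match the expected LogFormat")
    ts = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
    return ts.astimezone(timezone.utc), m["ip"], int(m["port"])


def attribute(translations, public_ip, ts, port=None):
    """Subscribers whose lease covers public_ip at time ts (and port, if given).

    port=None models today's IP-only legal request: every subscriber sharing
    that public address during the window comes back, which is the gap the
    deck describes. With the port, the answer narrows to one account.
    """
    hits = set()
    for t in translations:
        if t.public_ip != public_ip or not (t.start <= ts <= t.end):
            continue
        if port is None or t.port_lo <= port <= t.port_hi:
            hits.add(t.subscriber)
    return sorted(hits)


def attribute_from_log(translations, line, use_port=True):
    ts, ip, port = parse_log_line(line)
    return attribute(translations, ip, ts, port if use_port else None)


if __name__ == "__main__":
    print("with source port:", attribute_from_log(TRANSLATIONS, SAMPLE_LOG))
    print("IP and time only:", attribute_from_log(TRANSLATIONS, SAMPLE_LOG, use_port=False))
```

The lookup only works when all three of the deck's required fields line up: the public IP, the source port, and a timestamp accurate to the second in a known time zone (the `%t` field carries its offset, and the code normalises to UTC before comparing against the lease window). Drop the port and the same query returns every subscriber sharing the address that day.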
IPv4-address attribution with CGN
(Diagram) Five end users, each behind a LAN router and modem with a private IPv4 address (10.0.12.218, 10.0.12.219, 10.0.12.220, 10.0.13.221, 10.0.13.222), reach the Internet through the service provider's Carrier Grade NAT, which presents only the public IPv4 addresses 81.247.28.219 and 81.247.28.220 to the Internet content provider's web server at 193.58.4.34.

Results of FBI CGN Survey
– Received 142 responses
– Almost 200 cases affected
– Majority of service providers (mostly mobile) are unable to provide subscriber data in response to legal requests
– Cases involve cyber intrusions, armed robbery, child abduction and exploitation, wire fraud, fugitives, etc.
– Case impacts:
  • Subjects not apprehended – deadly fugitives, pedophiles
  • Cases delayed – lengthy circumvention via other methods
  • Cases closed – never able to start case effectively
  • Reduction of charges

Sample Response to CGN IP Address
• "IP address 000.000.116.166 is allocated to XYZ Co. and/or Service Provider Corporation in conjunction with XYZ Wireless. These blocks of IPs are used by XYZ Wireless for internet access and web-based applications for wireless devices (such as web-enabled cell phones and aircards). Requested wireless IP assignment records are not created or retained in the normal course of business and XYZ is unable to isolate or identify any individual account or device."

CGN Working Group
• Convened 7 times since June 2011
• Last meeting on March 27th at Cisco, San Jose, CA
• Goal: CGN attribution solutions and IPv6 deployment
• Participants:
  – US/Canadian Law Enforcement (FBI, Royal Canadian Mounted Police, Quebec Police, ICE, DEA, FTC, NCMEC, DOJ)
  – Government Agencies (Department of Commerce, Department of Defense, Industry Canada)
  – Providers (Sprint, AT&T, T-Mobile, Rogers, Videotron, Verizon, Cox, Time Warner Cable, Comcast,
    Qwest, Shaw, Frontier Communications)
  – Vendors (Juniper, Alcatel, Cisco, A10)
  – Content Providers (Amazon, Google, Microsoft)
  – Manufacturers (Apple, Linksys)

CGN Attribution
What needs to happen:
1. Law Enforcement: furnish more information to providers and request more information from them
2. Content providers (Google, Facebook, etc.) need to log the source port
3. Application providers (Microsoft IIS, Apache) enable default or easy-to-switch-on source port logging
4. IPv6 deployment

What's on the horizon?
– ISPs (wire line only) state they have begun to develop solutions
– Some content providers log source port
– IETF RFCs for logging, i.e., Deterministic, RADIUS ??
– Greater IPv6 deployment
– Legislation?

CGN Legal Requests
• New information law enforcement will need when serving providers with legal orders for single subscriber attribution:
  1. Source/Destination IP address
  2. Source port number
  3. Exact time of the connection (within a second)
  4. RADIUS logs?
  5. NetFlow/IPFIX?

Content Providers
• Enable source port logging (proxy, firewall, web)
• IETF RFC 6302
• Modify transaction records to include source port
• Include source port in response to historical records requests
• Many big content providers log source port
  – Facebook is a notable exception

Application Providers: Microsoft/Apache
Microsoft Request
1. White Paper: benefits to the users of source port, ease of installing source port logging
2. Code: source port logging functionality within GUI
3. Microsoft Tech Link
4. Statistical validation of source port logging implementation
Apache Request
1. httpd.conf file:
   LogFormat "%t %h %{remote}p %l %u \"%r\" %>s %b" common
2. Submitted 21 September 2013 on:
   https://issues.apache.org/bugzilla/show_bug.cgi?id=53919&list_id=89136

Other Attribution Concerns
• TOR
• Proxy Servers
• FREENET
• Poor WHOIS data
• Bullet Proof Hosting
• Hidden Lynx – "Advanced Hacker Guns for Hire"
• Hosting in 'unfriendly jurisdictions'

Questions?
Email: drcodling@gmail.com
Telephone: +1-703-232-9015