The Shape Of The Internet

One of the perennial problems in this field is the antiquated notion of jurisdiction, as well as increasing pressure on Westphalian Sovereignty. JP and I touched on this during our November 5th appearance on The View Up Here.  The topic is complex and visual, so this post offers some images to back up the audio there.

Regional Internet Registries

Regional Internet Registries
Regional Internet Registries

The top level administrative domains for the network layer of the internet are the five Regional Internet Registries. These entities were originally responsible for blocks of 32 bit IPv4 addresses and 16 bit Autonomous System numbers. Later we added 128 bit IPv6 addresses and 32 bit Autonomous System numbers as the original numbers were being exhausted.

When you plug your home firewall into your cable modem it receives an IP address from your service provider and a default route. That outside IP is globally unique, like a phone number, and the default route is where any non-local traffic is sent.

Did you ever stop to wonder where your cable modem provider gets their internet service? The answer is that there is no ‘default route’ for the world, they connect at various exchange points, and they share traffic there. The ‘default route’ for the internet is a dynamic set of not quite 700,000 blocks of IP addresses, known as prefixes, which originate from 59,000 Autonomous Systems.

The Autonomous System can be though of as being similar to an telephone system country code. It indicates from a high level where a specific IP address prefix is located. The prefix can be thought of as an area code or city code, it’s a more specific location within the give Autonomous System.

There isn’t a neat global map for this stuff, but if you’re trying to make a picture, imagine a large bunch of grapes. The ones on the outside of the bunch are the hosting companies and smaller ISPs, who only touch a couple neighbors. The ones in the middle of the bunch touch many neighbors and are similar in position to the big global data carriers.

Domain Name Service

Once a new ISP has circuits from two or more upstream providers they can apply for an Autonomous System number and ask for IP prefixes. Those prefixes used to come straight from the RIRs, but any more you have to be a large provider to do that. Most are issued to smaller service providers by the large ones, but the net effect is the same.

Having addresses is just a start, the next step is finding interesting things to do. This requires the internet’s phone book – the Domain Name System. This is how we map names, like, to an IP address, like There is also a reverse DNS domain that is meant to associate IP addresses with names. If you try to check that IP I just mentioned it’ll fail, which is a bit funny, as that’s not us, that’s kremlin[.]ru.

Domain Name Registrars & Root DNS Servers

How do you get a DNS name to use in the first place? Generally speaking, you have to pay a Registrar a fee for your domain name, there is some configuration done regarding your Start Of Authority, which is a fancy way of saying which name servers are responsible for your domain, then this is pushed to the DNS Root Servers.

There are nominally thirteen root servers. That doesn’t mean thirteen computers, it means there are twelve different organizations manage them (Verisign handles two), and their addresses are ‘anycast’, which means they originate from multiple locations, while the actual systems themselves are hidden from direct access. This is sort of a CDN for DNS data, and it exists due to endless attacks that are directed at these systems.

Verisign’s two systems are in datacenters on every continent and have over a hundred staff involved in their ongoing operation.

Layers Of Protection

And then things start to get fuzzy, because people who are in conflict will protect both their servers and their access.

Our web server is behind the Cloudflare Content Distribution Network. There are other CDNs out there and they exist to accelerate content as well as protect origin servers from attack. We like this service because it keeps our actual systems secret. This would be one component of that Adversary Resistant Hosting that we don’t otherwise discuss here.

When accessing the internet it is wise to conceal one’s point of origin if there may be someone looking back. This is Adversary Resistant Networking, which is done with Virtual Private Networks, the Tor anonymizing network, misattribution services like Ntrepid, and other methods that require some degree of skill to operate.

Peeling The Onion

Once you understand how all the pieces fit together there are still complexity and temporal issues.

Networked machines can generate enormous amounts of data. We previously used Splunk and recently shifted to Elasticsearch, both of which are capable of handling tens of millions of datapoints per day, even on the limited hardware we have available to us. Both systems permit time slicing of data as well as many other ways to abstract and summarize.

Data visualization can permit one to see relationships that are impenetrable to a manual examination. We use Paterva‘s Maltego for some of this sort of work and we reach for Gephi when there are larger volumes to handle.

Some of the most potent tools in our arsenal are RiskIQ and Farsight. These services collect passive DNS resolution data, showing bindings between names and IP addresses when they were active. RiskIQ collects time series domain name registration data. We can examine SSL certificates, trackers from various services, and many other aspects of hosting in order to accurately attribute activity.


The world benefits greatly from citizen journalists who dig into all sorts of things. This is less than helpful when it comes to complex infrastructure problems. Some specific issues that have arisen:

  • People who are not well versed in the technologies used can manage to sound credible to the layman. There have been numerous instances where conspiracy theorists have made comical attribution errors, in particular geolocation data for IPs being used to assert correlations where none exists.
  • There is a temporal component that arises when facing any opponent with even a bit of tradecraft and freely available tools don’t typically address that, so would-be investigators are left piecing things together, often without all of the necessary information.
  • Free access to quality tools like Maltego and RiskIQ are both intentionally limited. RiskIQ in particular cases problems in the hands of the uninitiated – a domain hosted on a Cloudflare IP will have thousands of fellows, but the free system will only show a handful. There have been many instances of people making inferences based on that limited data that have no connection to objective reality.

We do not have a y’all come policy in this area, we specifically seek out those who have the requisite skills to do proper analysis, who know when they are out on a limb. When we do find such an individual who has a legitimate question, we can bring a great deal of analytical power to bear.

That specific scenario happened today, which triggered the authoring of this article. We may never be able to make the details public, but an important thing happened earlier, and the world is hopefully a little safer for it.


Adversary Resistant Networking

Much like our thinking regarding Adversary Resistant Computing, we have some ideas on dealing with opponents who exhibit enough situational awareness to spot a visitor originating in a certain place, and then devise some way to cause trouble for them.

First, what hunts you?

Our taxonomy of threats from the ARC article is a bit much here. Any foe you might encounter will fall somewhere on this spectrum:

  • Simple detection via web site logging or documents seeded with some means of ‘phoning home’. Threats are doxing, civil discovery, or maybe an attempt to involve law enforcement.
  • Detection and fingerprinting for browser, OS, and the like. Threats as above, adding perhaps browser hijacking or spearphishing attempt.
  • Detection, fingerprinting, temporal analysis, and other corporate defense tactics. Threats as above, adding much more likely civil or criminal trouble.
  • Competent nation state or Five Eyes, curious and tracking large classes of anomalous behavior, watching (and interfering) in ways you can not quite imagine. Threats scale up with their perceived value of what interests you.

Second, what role does your organization play?

If you are noticed, what does your presence convey to the entity that has detected you? Are they about to get some negative press? A lawsuit? A raid by authorities? Are you a vanguard for a sanctioned intrusion or some sort of subversion of their systems? They will be doing a threat assessment on you, just as you should be doing on them.

Third, how much are you willing to give up?

You can not interact with a remote system without leaving some sort of trace. There are a variety of ways to hide, from the Tor anonymizing network, to various VPNs, to physical travel away from your normal haunts. And if you have a budget, there is realm beyond this one.

Some Real World™ scenarios:

The Tor network provides a multi-hop routing architecture, hundreds of global exits to the clearnet, and a private darknet of websites with onion addresses. Entry level opponents will be baffled by this, wary ones will simply use the Tor exit nodes list to block access, and nation states are in a position to attempt traffic correlation and other mischief.

There are many VPN providers out there. If they require you to use a binary bundle, you should turn and run. Free services that accept OpenVPN connections are profiling you, injecting ads, and likely trying to hijack your system. We trust ProtonVPN to not be doing this, and for certain other activities the very feral Cryptostorm is a good choice. The problem with each is that their exits are discoverable by anyone willing to spend $5 to $125 to explore, and once your pattern is recognized,

Tor will happily engage its network after exiting a VPN node. Some VPN providers, like Cryptostorm, offer free low speed services, and they will accept TCP connections that arrive from the Tor network. The first is good discipline if you might be facing one of those nation state opponents, the latter is a technique used to circumvent Tor access bans while still enjoying its protection.

The real hazards here are forgetting to do some certain step, say turning on a VPN, or having a a failure that in some way exposes your location. We are big fans of “fail closed networking” – if something isn’t right with your connection, it should behave in such a way that you must repair it before resuming your work.

There are tools that purport to do this for desktop operating systems; we find all of them to be less than comforting. Linux can be made to behave in this fashion, and Linux based firewalls can enforce such discipline for your entire network, including those devices which otherwise have no hope of operating safely.



Puzzling Over Boundaries

Much like the breakdown of Westphalian Sovereignty in the face of a well connected, easily traversed world, we are pondering just where the boundaries are on what we publish.

Best practices advice regarding Adversary Resistant Computing and Networking is broadly available, but highly variable in quality, and often not conditioned by real world experience. Communications Security advice is even more uneven. We might be educating bad actors by openly publishing, but the good guys are under the gun, and no white hat from inception thinks the way those of us who wear faded gray do. We’re going to put this content out there and count on the nonstop situational awareness required to truly excel keeping a lid on proliferation.

We publish studies on various groups, which can educate them in their failings, if they take the time to read. This is also conditioned on situational awareness and with information operations in particular, characterization is sterilizing sunlight. We use OSINT methods and release collected data in a form that facilitates others using it, but at this time the collection methods and software we use are not freely available.

Analytical Tradecraft is a matter of good systems and the right mindset to get teams using it effectively. There are guides out there, the CIA’s Psychology of Intelligence Analysis  being a well known example. There is no substitute for real world experience when it comes to Sanctioned Irregulars, and that is where we are strongest.

And Field Operations Tradecraft seems to be a bridge too far – we’re not in the business of teaching bad actors how to caper.

The you have it. @NetwarSystem provides a feed of posts here, from LinkedIn, and selected content from other sources. The contact page has advice on who is qualified as a customer and how to reach us. We look forward to hearing from those of you who truly need what we do.