Proxy Services Feast On Ukraine's IP Address Exodus (krebsonsecurity.com) 93
An anonymous reader quotes a report from KrebsOnSecurity: Ukraine has seen nearly one-fifth of its Internet space come under Russian control or sold to Internet address brokers since February 2022, a new study finds. The analysis indicates large chunks of Ukrainian Internet address space are now in the hands of shadowy proxy and anonymity services that are nested at some of America's largest Internet service providers (ISPs). The findings come in a report that examines how the Russian invasion has affected Ukraine's domestic supply of Internet Protocol Version 4 (IPv4) addresses. Researchers at Kentik, a company that measures the performance of Internet networks, found that while a majority of ISPs in Ukraine haven't changed their infrastructure much since the war began in 2022, others have resorted to selling swathes of their valuable IPv4 address space just to keep the lights on.
For example, Ukraine's incumbent ISP Ukrtelecom is now routing just 29 percent of the IPv4 address ranges that the company controlled at the start of the war, Kentik found. Although much of that former IP space remains dormant, Ukrtelecom told Kentik's Doug Madory they were forced to sell many of their address blocks "to secure financial stability and continue delivering essential services." "Leasing out a portion of our IPv4 resources allowed us to mitigate some of the extraordinary challenges we have been facing since the full-scale invasion began," Ukrtelecom told Madory.
Madory found much of the IPv4 space previously allocated to Ukrtelecom is now scattered to more than 100 providers globally, particularly at three large American ISPs -- Amazon (AS16509), AT&T (AS7018), and Cogent (AS174). Another Ukrainian Internet provider -- LVS (AS43310) -- in 2022 was routing approximately 6,000 IPv4 addresses across the nation. Kentik learned that by November 2022, much of that address space had been parceled out to over a dozen different locations, with the bulk of it being announced at AT&T. Ditto for the Ukrainian ISP TVCOM, which currently routes nearly 15,000 fewer IPv4 addresses than it did at the start of the war. Madory said most of those addresses have been scattered to 37 other networks outside of Eastern Europe, including Amazon, AT&T, and Microsoft.
For example, Ukraine's incumbent ISP Ukrtelecom is now routing just 29 percent of the IPv4 address ranges that the company controlled at the start of the war, Kentik found. Although much of that former IP space remains dormant, Ukrtelecom told Kentik's Doug Madory they were forced to sell many of their address blocks "to secure financial stability and continue delivering essential services." "Leasing out a portion of our IPv4 resources allowed us to mitigate some of the extraordinary challenges we have been facing since the full-scale invasion began," Ukrtelecom told Madory.
Madory found much of the IPv4 space previously allocated to Ukrtelecom is now scattered to more than 100 providers globally, particularly at three large American ISPs -- Amazon (AS16509), AT&T (AS7018), and Cogent (AS174). Another Ukrainian Internet provider -- LVS (AS43310) -- in 2022 was routing approximately 6,000 IPv4 addresses across the nation. Kentik learned that by November 2022, much of that address space had been parceled out to over a dozen different locations, with the bulk of it being announced at AT&T. Ditto for the Ukrainian ISP TVCOM, which currently routes nearly 15,000 fewer IPv4 addresses than it did at the start of the war. Madory said most of those addresses have been scattered to 37 other networks outside of Eastern Europe, including Amazon, AT&T, and Microsoft.
Can we just bomb the Kremlin already? (Score:1, Flamebait)
And put Russia out of its Vladolf Putlery?
Re: (Score:3)
Neither thing is anywhere near good.
If Putey Pie is going to be assassinated, it needs to come from within, or it's going to open a whole can.
Re: (Score:3)
And put Russia out of its Vladolf Putlery?
If that's really the goal, then we should stop dilly dallying and fully support the Ukrainians who have not only wiped out the Russian Black Sea fleet and done serious damage to the 12 mile land bridge to Crimea for both rail and automobiles, but have wiped out a large portion of Russia's strategic bomber fleet capable of launching nuclear missiles at us. The Ukrainians are doing all the fighting and dying for their own democracy, and ruining Russia in the process. Why can't we fully support them? Oh right,
Re: (Score:2)
Low quality Ruskie whining detected.
Russice ite domum
Re: (Score:1)
Versus Russian Democracy? Vote Putin or don't bother? There is no Russian Democracy, it's a mafia state.
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Elections have been suspended because they are at war, defending against an aggressor, sounds reasonable to me.
I'd like to see Russians not acting like pathetic peasants and demand some decent rulers. Nobody wants to live in Russia. Nobody wants to invade Russia, the culture is miserable and angry.
They are putting up new statues of Stalin. How many Russians did he have killed? The Russian people are like an abused wife going back for another black eye. You can do better.
Re: (Score:2)
Re: (Score:1)
You vacillate wildly between "lol y u no depose Putin and do democracy" and "Russians are too stupid to do democracy", but even there you've admitted the obvious that people of DPR and LPR largely identify as Russian. Your shitposting is so high-volume and low-effort that you're contradicting yourself while failing to bury the lede like you're supposed to. Great job.
Re: (Score:1)
Do you like Putin then? Tell us what you like about him, because we are all confused in the West. History has offered so many better qualified Russians who are not nearly so murderous and cruel to their own people. Do you just like authoritarian, short, bald men? Do you just like it rough?
Here's a list of journalists [wikipedia.org] killed in Russia you can call fake news. There is no democracy without a free press.
If you live in Russia, you have my pity. How long do you think it is until you are conscripted?
Russia and
Re: (Score:2)
Putin was actually involved in the soviet union's dissolution. A lot of people on the pro-Russia side (largely thinking of telegram) were unhappy the degree to which he has dragged out this conflict and avoided striking critical infrastructure like railways, especially after the recent drone attacks on air bases, which was obviously a major embarrassment.
The forced conscription shit is a lie, Russia has largely been working with reserves, and a great many signed up with the recognition that having a rabid d
Re: (Score:2)
Do you think this kind of bald-faced racism endears the left to you? Or do you, from your fever dream that I and anyone outside of your bubble is an evil russian, just really want me to stop posting, and think that saying racist shit about Russians will do it?
Re: (Score:1)
Putin's involvement in Soviet Union's dissolution was to seize power.
NATO's purpose was to defend against Russia. NATO has never invaded Russian territory, never shown an intention too. Maybe because who the fcuk wants to go there? It's a mafia state, treats its people like sh1t. If you want to live there, go ahead, in peace, maybe try to be happy, leave us out of your misery, we are not interested.
We might assume you are a proud, well off Muscovite, you haven't experienced conscription yet because that'
Re: (Score:2)
Re: (Score:1)
"We", is the not you. Putin lover.
My guess is your a MAGA boy. Nothing you enjoy better than bending over and getting shafted by some authoritative dick whilst you moan "Treat me rough TACO daddy".
You are so desperate for people to be controlled because you are so scared of them.
Go hide under your rock.
Re: (Score:2)
It only speaks to your own weakness that you feel you have no standing without needing to misrepresent your enemies as foreigners. I've only enjoyed seeing the volume of cope and desperation from the secstare goons on here--it's as if time has stopped for yoh since the 2023 counteroffensive.
God only knows how much of your life you've wasted stanning a failed project. Back to posting as AC for you! Slava cocaini, bitch.
Re: (Score:1)
Whilst you are hiding under your rock w4nking over Putin porn, learn how to speak English too, peasant. Try taking the oligarch cock out of your mouth first it's easier.
Re: (Score:3)
> with all elections suspended indefinitely, all opposing political parties banned, and all news TV outlets either shuttered or taken over by the state.
Yeah, you do know there's a war on, right? How exactly is Ukraine supposed to have democratic elections when the Russians would see polling stations as easy targets?
If Ukraine wasn't a democracy before the war started, you might have a point. But it was, and it was far, far, more democratic - as evidenced by Zelenskyy's win - than your mother Russia ever
Re: (Score:2)
Ukraine wasn't a democracy since 2014 when its leadership was deposed and new leadership was chosen from the outside. To quote Victoria Nuland, "Yats is our guy", and then by some pure luck he was instituted as a leader only weeks later.
"Yeah, you do know there's a war on, right?"
Eevry time one of you throws out this apologia, nearly word-for-word, it highlights how happy you would be for martial law and the suppression of free press in the US. That you have to strawman me as a Russian to even have the appe
Re: (Score:2)
What is your definition of "fully support"?
Arming the Ukrainians who are doing all the fighting and dying.
Re: (Score:2)
Just to be real and not a liar but you have zero evidence of any "CIA regime change" and if you say "Victoria Newland" that's just proof you have not read anything.
Re: (Score:2)
Thank you for confirming in fact you have zero evidence but you'll believe it anyway because the government is both weak and strong depending on what your narrative requires.
Because former Soviet republics have been the beacons of institutional stability right so now way they would have political turmoil without the US.
The fuck outta here, this is a child's view of how the world works...are you a Marxist Leninist too (this is exactly how they think) to complete the regardation?
Re: (Score:2)
Senator Chris Murphy in 2014: "We have not sat on the sidelines. We have been very much involved. Members of the Senate have been there. Members of the State Department have been on the Square."
This "you have no evidence" tack is sad. You even have to throw out Nuland's name (spelled wrong of course) because you know damn well her leaked call indicated the US' heavy involvement, not to mention the biolabs the US has there that she testified about to Marco Rubio. I don't know why you're always repeating the
Re: (Score:2)
damn well her leaked call indicated the US' heavy involvement
"Global superpower has preference in foreign nations politics" does not indicate "heavy involvement", whatever vague bullshit that means.
The person she talked about the US preferring didn't even win! What are we even talking about?
"No evidence" still looking strong.
Re: (Score:2)
To your credit, I thought you were being insincere but you may just be ignorant
https://en.wikipedia.org/wiki/... [wikipedia.org]
In office
31 July 2014 â" 14 April 2016
https://www.bbc.com/news/world... [bbc.com]
Nuland: [Breaks in] I think Yats is the guy who's got the economic experience, the governing experience.
Re: (Score:2)
Still no evidence, just vague assertions...
Re: (Score:2)
Well, your honor... we've got plenty of hearsay and conjecture. Those are 'kinds of' evidence.
Re: (Score:2)
Re: (Score:2)
Yeah I forgot to put my funny simpsons line that made me laugh because it applies to you.
Can't help but notice you are more concerned with my spelling and posting methods than any real evidence of this conspiracy you've lapped up with little actual evidence. I think you think that phone call 'is evidence' and while that's concerning you are one of many who are easily swayed with salacious alt media. Bleak times.
Re: (Score:2)
Ukraine has received some support. No one has "fully supported" Ukraine.
That is true.
It has nothing to do with corruption.
That is false. The prior administration was also corrupt, only a lot less corrupt than this administration.
That doesn't even make sense unless you believe the previous admin and all of Europe are also corrupt.
All of Europe? I think most politicians everywhere are corrupt, but "all" is a strong word.
As far as democracy goes, the current Ukrainian government came about as the result of CIA sponsored regime change after the pre-CIA government that the Ukrainian people elected was pro-Russian.
Whoops! You went off the rails there.
Re: (Score:1)
That is false. The prior administration was also corrupt, only a lot less corrupt than this administration.
Ha, ha, ha! [wipes tears from eyes]
We don't even know who was in charge of the prior administration.
Plenty of hardliners waiting to take his place (Score:1)
And with it routing tables increase in size again (Score:5, Interesting)
The IPv4 address space was never designed to be broken up the way it is done today. Why is much of the world still stuck on that ancient technology?
Re: (Score:3)
There are huge reasons to upgrade, billions are wasted every year working around the deficiencies of legacy ip.
a perfect shitstorm a'brewing, just you wait (Score:4, Funny)
Re: (Score:3)
The point is there are many reasons to upgrade. There are very real performance issues associated with routing the way we do it now.
Re: (Score:1)
Probably because IPv6 is crap. It's just not intuitive or easy to work with.
Re:And with it routing tables increase in size aga (Score:4, Insightful)
For the most part it works the same as legacy ip just with a bigger address space.
Once you factor in the various workarounds legacy ip needs to keep hobbling along, then v6 is actually massively simpler.
Re:And with it routing tables increase in size aga (Score:5, Insightful)
Another issue with IPv6 is the size of the local subnet makes it difficult to fully scan. There are times when it is possible, but it's not guaranteed. I'm not keen on losing the ability to scan all local clients on the network. I'm not convinced that SLAAC is good enough either.
It doesn't seem well suited to embedded systems either. For example the computation of a local link address has crytographic requirements that are not trivial to implement on small systems. It required a high quality PRNG with storage, and a flawed implementation could cause multiple collisions that need to be resolved on packed networks. I see the potential for some fun there.
The other big barrier to adoption is devices that only support IPv4. Those will ensure that we won't see many IPv6 only networks for a very, very long time. All the while IPv4 has to be around for those, and is working reasonably well for most people, they are unlikely to invest time and effort into IPv6.
Re: (Score:2)
You're assuming a legacy approach of scanning sequential addresses (which is wasteful in any case). If it's actually your subnet then you can determine the live addresses by viewing the NDP table of the switch/router and then scan the active addresses. If you're someone malicious coming from outside then you can't do this.
This is an improvement, there is no downside here since you've made it harder for external attackers, but can still scan your own network easily.
You don't need to compute a random link-loc
Re: (Score:2)
Unfortunately most consumer grade routers don't seem to display the NDP table at all.
This is the kind of thing I'm talking about. In theory it should be easy. In practice you need to learn a lot of new ways of doing things, and you quickly find that your hardware isn't really up to the task because the developer only enabled IPv6 as an afterthought, to tick a box.
EUI-64 is fine if you don't care about privacy, and if the MAC address is never going to change. Okay, you aren't supposed to use the numeric addr
Re: (Score:2)
Poor hardware is poor hardware, nothing to do with the protocol. There is huge amounts of poor legacy hardware out there too, online forums are full of complaints of isp-supplied routers devoid of any features.
"If you don't care about privacy"?
Link-local addresses are just that - LOCAL... They will not be seen by anyone outside of the local VLAN. Guess what's also visible within the same VLAN? That's right, the MAC address. So you could go to all the effort of generating a random link-local address, and you
Re: (Score:2)
I'm saying that poor hardware is part of the reason why adoption hasn't been as good as it could have.
Multicast DNS is another example. Until Windows 11 it wasn't supported (except for printers in Windows 10). Crap and slow implementations (it took Microsoft 21 years to adopt Multicast DNS) are why IPv6 is slow to be adopted.
Part of that is the implementor's fault. Part of that is because the documentation was crap and it was such a departure from IPv4. There is plenty of blame to go around.
Re: (Score:2)
The reason for slow adoption is a combination of laziness, fear of progress and "it works for me, fuck everyone else" attitude of those who have large legacy allocations.
Poor hardware is poor hardware, there is lots of poor legacy hardware too.
Legacy IP is extremely harmful to developing countries you have extra costs of address purchases and CGNAT, with a customer based that has less ability to afford high subscription fees. This is offset slightly by low expectations of the customers who *expect* the serv
Re: (Score:2)
Another issue with IPv6 is the size of the local subnet makes it difficult to fully scan.
There we have it. We've gone from IPv6 giving an endpoint to every device making it too easy to scan from outside the network, to IPv6 being too difficult to scan because of the size.
Hint: You don't need to randomly assign addresses in your entire available space. Even in IPv4 you get 16 million addresses in the 10. range which is already impossible to scan. You don't need to use this range.
If you're truly incompetent I can see how you could setup a network in a way that both relies on you scanning it, whil
Re: (Score:2)
Once you factor in the various workarounds legacy ip needs to keep hobbling along, then v6 is actually massively simpler.
Maybe it is simpler, but the IETF did not think about easy migrations. The IETF let their hatred of NAT overrule developing a sensible and easy to use migration flow.
Maybe NAT is bad, but it provides some protection to all those IoT devices.
Re: (Score:2)
Dual stack was the migration path...
There's not much else you can do, legacy IP was never designed to be extensible so you have to replace it. Temporarily running it alongside the replacement was the best you were ever going to get.
NAT is _NOT_ a security mechanism and does not provide any protection to anything. It's a kludge to restore partial connectivity in a situation where otherwise there would be none. The added complexity actually reduces security in most cases.
If you want to protect insecure device
Re: (Score:2)
Temporarily running it alongside the replacement was the best you were ever going to get.
I don't believe that that was the best that could be devised. The simple fact is that there are millions of networks using NAT and some better migration path should have been created for them.
NAT is _NOT_ a security mechanism and does not provide any protection to anything.
NAT may not be intended as a security mechanism, but it does provide some level of protection.
The vast majority of compromised IoT devices that form botnets today have been compromised via legacy ip
Did you ever hear of "defense in depth"?
Aside from the ease of scanning the address space both locally and remotely
Please explain how one would scan the address space behind a NAT router.
the small address space also makes XSRF attacks much easier
I'll admit to not being a security expert, but the descriptions of XSRF attacks all talk about tricking the user i
Re: (Score:2)
I don't believe that that was the best that could be devised. The simple fact is that there are millions of networks using NAT and some better migration path should have been created for them.
NAT is just a temporary kludge that allowed legacy ip to limp along for longer. It has nothing to do with migration.
The idea is that you'd still have a firewall to control access, but would not need the overhead of NAT.
When IPv6 was designed, it was still possible to get larger blocks of legacy address space and many places operated without NAT, so you could have true dual stack.
In fact most implementations these days are not true dual stack, they provide native v6 and partial legacy ip encumbered by nat.
Please explain how one would scan the address space behind a NAT router.
*
Re: (Score:2)
Except some of those legacy workarounds are pretty good in the end.
NAT, for example. There is NATv6, but few implement it. Why? No idea.
It's useful in that it removes dependence on an upstream IP address - when your prefix changes, all hell breaks loose. Sure we can blame poor software or hardware for this problem, but it happens. Renumbering an IP network has never been a fun process, and things don't always work. After all, I know every time my ISP gives me a new IP address because connectivity breaks - t
Re: (Score:2)
NAT, for example. There is NATv6, but few implement it. Why? No idea.
Exactly, there is NAT66 and it's rarely used - because it breaks things and adds unnecessary complexity/cost.
It's useful in that it removes dependence on an upstream IP address - when your prefix changes, all hell breaks loose. Sure we can blame poor software or hardware for this problem, but it happens. Renumbering an IP network has never been a fun process, and things don't always work. After all, I know every time my ISP gives me a new IP address because connectivity breaks - the router sees a new IP address, but the cable modem refuses to accept it, forcing me to power cycle it.
Poor software is exactly it. For a typical end user network the prefix changes, your machine gets a new autoconfig address, and anything local (if anything) that you access is still accessible via the same mdns hostname. More demanding users can get a static block, or use ULA/LL address space for local use.
Look at the public stats, millions of people are successfully using IPv6 all around the world.
I'm sure the music and movie industry are strongly pushing for it - because one of the big reasons the lawsuits ended on copyright was because a judge ruled you cannot identify a person from an IP address.Which is true from a IPv4 perspective.
T
Re: (Score:2)
NAT, for example. There is NATv6, but few implement it. Why? No idea.
NAT gives you partial connectivity, with additional headaches and cost.
The alternative to NAT44 is no connectivity at all, so NAT44 is tolerated.
The alternative to NAT66 is fully working connectivity, so there are very few instances where you'd want to suffer partial connectivity encumbered by NAT if you don't have to.
Re: (Score:3)
Probably because IPv6 is crap. It's just not intuitive or easy to work with.
You don't need to "work with it". You just need to understand how it works, and once you do that you'll realise you were utterly silly for trying to think you need to remember a 64bit address space in the first place.
Most people have IPv6 running at home, and they don't even realise it nor did they need to do anything to get it running.
Re: (Score:3)
Counterpoint: IPv6 is awesome, and it's unbelievably easy to work with.
Where the fuck do you get it from that it's hard? Every single node configures itself seamlessly, and can connect to anything else on the Internet without needing proxies or clouds. The only limitations are when your ISP intentionally cripples something, and that's on the ISP, not IPv6.
Re: (Score:2)
Some people are still hung up over long addresses, as if we were still commonly typing them out.
Re: (Score:2)
Yeah, to me it looks like excuses, similar to the "Oh no, I couldn't possibly use Mastodon, I heard you have to choose a server" bullshit (This from the same people who managed to pick a phone company and ISP that wasn't the phone company, and even an email provider that wasn't the ISP, but somehow the moment it becomes a useful alternative to some social networking site that's been taken over by Nazis it's "too hard" because of the most absurd reasons.) So the IP addresses are longer? So you have to mainta
Re: (Score:2)
It's not hard, it's just awkward.
To give you an example, my ISP supports IPv6, but only delegates a /56. There is no automatic configuration that can pick that up, you just have to know and set your router up correctly. The Sagemcom router they supplied has that set up for you, but seems to have a bug where after some indeterminate time the IPv6 addresses it dishes out stop working.
You also need DNS to find stuff because the local address space is massive and you aren't supposed to control it. There is no g
Re: (Score:1)
> my ISP supports IPv6, but only delegates a /56. There is no automatic configuration that can pick that up, you just have to know and set your router up correctly
Your router sucks. Since when has a /56 been a problem? My ISP only delegates a /60 which is even smaller. I've never come across a router that had a problem with that. A /56 would be awesome if unnecessary for most users (I doubt most users need more than a /64, but most ISPs give something bigger than that unless they're using mobile technolo
Re: (Score:2)
The /56 is only a problem because you need to know about it, that's all. To be fair the allocation of a /24 was only a convention with IPv4, but it was something that fairly obviously should have been discoverable in v6.
My point about the router is that the ones that ISPs supply generally have crap implementations of IPv6, as so most SOHO ones. That is changing thanks to people like TP Link shipping a half decent OS on their base models, but these crap network devices are one of the reasons why IPv6 is larg
Re: (Score:2)
> The /56 is only a problem because you need to know about it, that's all. To be fair the allocation of a /24 was only a convention with IPv4, but it was something that fairly obviously should have been discoverable in v6.
Why would you, an end user, need to know about it short of a bug in your router or ISP?
The chat your router should be having, over DHCP-PD, with your ISP is along the lines of:
Router: Give me a prefix, anything!
ISP: Sure, here's a /56
Router: Wow, that's 256 /64s just for me. OK, I'm jus
Re: (Score:2)
While I'm at it, I'm wondering if half your issues are because you might be, if I'm reading correctly between the lines, manually configuring the prefix rather than having your router pull it via DHCP PD (or similar.) If it's that, then that'll prevent the router from renewing the prefix, which is why your packets stop being routed.
You have to get a router that works and is set up correctly for this. I would strongly suggest if you're technically inclined looking into OpenWRT - not because I generally reco
Re: (Score:3)
Re: (Score:2)