The Internet

Proxy Services Feast On Ukraine's IP Address Exodus (krebsonsecurity.com) 53

An anonymous reader quotes a report from KrebsOnSecurity: Ukraine has seen nearly one-fifth of its Internet space come under Russian control or sold to Internet address brokers since February 2022, a new study finds. The analysis indicates large chunks of Ukrainian Internet address space are now in the hands of shadowy proxy and anonymity services that are nested at some of America's largest Internet service providers (ISPs). The findings come in a report that examines how the Russian invasion has affected Ukraine's domestic supply of Internet Protocol Version 4 (IPv4) addresses. Researchers at Kentik, a company that measures the performance of Internet networks, found that while a majority of ISPs in Ukraine haven't changed their infrastructure much since the war began in 2022, others have resorted to selling swathes of their valuable IPv4 address space just to keep the lights on.

For example, Ukraine's incumbent ISP Ukrtelecom is now routing just 29 percent of the IPv4 address ranges that the company controlled at the start of the war, Kentik found. Although much of that former IP space remains dormant, Ukrtelecom told Kentik's Doug Madory they were forced to sell many of their address blocks "to secure financial stability and continue delivering essential services." "Leasing out a portion of our IPv4 resources allowed us to mitigate some of the extraordinary challenges we have been facing since the full-scale invasion began," Ukrtelecom told Madory.

Madory found much of the IPv4 space previously allocated to Ukrtelecom is now scattered to more than 100 providers globally, particularly at three large American ISPs -- Amazon (AS16509), AT&T (AS7018), and Cogent (AS174). Another Ukrainian Internet provider -- LVS (AS43310) -- in 2022 was routing approximately 6,000 IPv4 addresses across the nation. Kentik learned that by November 2022, much of that address space had been parceled out to over a dozen different locations, with the bulk of it being announced at AT&T. Ditto for the Ukrainian ISP TVCOM, which currently routes nearly 15,000 fewer IPv4 addresses than it did at the start of the war. Madory said most of those addresses have been scattered to 37 other networks outside of Eastern Europe, including Amazon, AT&T, and Microsoft.

  • And put Russia out of its Vladolf Putlery?

    • And put Russia out of its Vladolf Putlery?

      If that's really the goal, then we should stop dilly dallying and fully support the Ukrainians who have not only wiped out the Russian Black Sea fleet and done serious damage to the 12 mile land bridge to Crimea for both rail and automobiles, but have wiped out a large portion of Russia's strategic bomber fleet capable of launching nuclear missiles at us. The Ukrainians are doing all the fighting and dying for their own democracy, and ruining Russia in the process. Why can't we fully support them? Oh right,

    • Often, party hardliners are the ones pushing him to imperialism. And, even if the Russian people were to have a free election, it’s their culture to want strong-men as leaders, even if the leader places no value on their lives and sends most of them to the imperialistic front to die.
  • by thegarbz ( 1787294 ) on Friday June 06, 2025 @05:23AM (#65431242)

    The IPv4 address space was never designed to be broken up the way it is done today. Why is much of the world still stuck on that ancient technology?

    • by AmiMoJo ( 196126 )

      Probably because IPv6 is crap. It's just not intuitive or easy to work with.

      • For the most part it works the same as legacy ip just with a bigger address space.
        Once you factor in the various workarounds legacy ip needs to keep hobbling along, then v6 is actually massively simpler.

        • by AmiMoJo ( 196126 ) on Friday June 06, 2025 @09:25AM (#65431524) Homepage Journal

          Another issue with IPv6 is the size of the local subnet makes it difficult to fully scan. There are times when it is possible, but it's not guaranteed. I'm not keen on losing the ability to scan all local clients on the network. I'm not convinced that SLAAC is good enough either.

          It doesn't seem well suited to embedded systems either. For example the computation of a local link address has cryptographic requirements that are not trivial to implement on small systems. It required a high quality PRNG with storage, and a flawed implementation could cause multiple collisions that need to be resolved on packed networks. I see the potential for some fun there.

          The other big barrier to adoption is devices that only support IPv4. Those will ensure that we won't see many IPv6 only networks for a very, very long time. All the while IPv4 has to be around for those, and is working reasonably well for most people, they are unlikely to invest time and effort into IPv6.

          • by Bert64 ( 520050 )

            You're assuming a legacy approach of scanning sequential addresses (which is wasteful in any case). If it's actually your subnet then you can determine the live addresses by viewing the NDP table of the switch/router and then scan the active addresses. If you're someone malicious coming from outside then you can't do this.
            This is an improvement, there is no downside here since you've made it harder for external attackers, but can still scan your own network easily.

            You don't need to compute a random link-loc
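Bert64's point above about reading the neighbour table instead of sweeping a /64, as an added example that is not part of the original thread: it parses Linux `ip -6 neigh show` output (the sample lines are constructed and use the 2001:db8::/32 documentation prefix) and marks which addresses are EUI-64 derived, i.e. embed the MAC. The function names are this example's own.

```python
import ipaddress
import re

# Constructed sample of `ip -6 neigh show` output (Linux iproute2 format);
# addresses use the 2001:db8::/32 documentation prefix.
SAMPLE_NEIGH = """\
fe80::211:22ff:fe33:4455 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE
2001:db8:0:1:211:22ff:fe33:4455 dev eth0 lladdr 00:11:22:33:44:55 router STALE
2001:db8:0:1:5c3a:91ff:2b7e:10c4 dev eth0 lladdr 3c:52:82:aa:bb:cc REACHABLE
2001:db8:0:1::99 dev eth0  FAILED
fe80::3e52:82ff:feaa:bbcc dev eth0 lladdr 3c:52:82:aa:bb:cc DELAY
"""

LINE_RE = re.compile(
    r"^(?P<addr>\S+) dev (?P<dev>\S+)(?: lladdr (?P<mac>[0-9a-f:]{17}))?"
    r"(?: router)?\s+(?P<state>[A-Z]+)$"
)
# States in which the neighbour has (or recently had) a resolved link-layer address.
LIVE_STATES = {"REACHABLE", "STALE", "DELAY", "PROBE", "PERMANENT"}

def eui64_iid(mac):
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) for a MAC."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    b[0] ^= 0x02  # flip the universal/local bit
    return int.from_bytes(bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:]), "big")

def live_neighbours(text):
    """Return {mac: [(address, is_eui64), ...]} for entries with a resolved MAC."""
    hosts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["state"] not in LIVE_STATES or not m["mac"]:
            continue  # skips FAILED/INCOMPLETE entries and unparsable lines
        addr = ipaddress.IPv6Address(m["addr"])
        iid = int(addr) & ((1 << 64) - 1)  # low 64 bits = interface identifier
        hosts.setdefault(m["mac"], []).append((str(addr), iid == eui64_iid(m["mac"])))
    return hosts

if __name__ == "__main__":
    for mac, addrs in live_neighbours(SAMPLE_NEIGH).items():
        for addr, derived in addrs:
            print(f"{mac}  {addr}  {'EUI-64 (embeds MAC)' if derived else 'not MAC-derived'}")
```

The resulting address list is what an inventory or vulnerability scan of your own subnet would then be pointed at; addresses flagged as EUI-64 are the ones whose global form carries the MAC off-link.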

            • by AmiMoJo ( 196126 )

              Unfortunately most consumer grade routers don't seem to display the NDP table at all.

              This is the kind of thing I'm talking about. In theory it should be easy. In practice you need to learn a lot of new ways of doing things, and you quickly find that your hardware isn't really up to the task because the developer only enabled IPv6 as an afterthought, to tick a box.

              EUI-64 is fine if you don't care about privacy, and if the MAC address is never going to change. Okay, you aren't supposed to use the numeric addr

              • by Bert64 ( 520050 )

                Poor hardware is poor hardware, nothing to do with the protocol. There are huge amounts of poor legacy hardware out there too, online forums are full of complaints of ISP-supplied routers devoid of any features.

                "If you don't care about privacy"?
                Link-local addresses are just that - LOCAL... They will not be seen by anyone outside of the local VLAN. Guess what's also visible within the same VLAN? That's right, the MAC address. So you could go to all the effort of generating a random link-local address, and you

                • by AmiMoJo ( 196126 )

                  I'm saying that poor hardware is part of the reason why adoption hasn't been as good as it could have.

                  Multicast DNS is another example. Until Windows 11 it wasn't supported (except for printers in Windows 10). Crap and slow implementations (it took Microsoft 21 years to adopt Multicast DNS) are why IPv6 is slow to be adopted.

                  Part of that is the implementor's fault. Part of that is because the documentation was crap and it was such a departure from IPv4. There is plenty of blame to go around.

                  • by Bert64 ( 520050 )

                    The reason for slow adoption is a combination of laziness, fear of progress and "it works for me, fuck everyone else" attitude of those who have large legacy allocations.

                    Poor hardware is poor hardware, there is lots of poor legacy hardware too.

                    Legacy IP is extremely harmful to developing countries; you have extra costs of address purchases and CGNAT, with a customer base that has less ability to afford high subscription fees. This is offset slightly by low expectations of the customers who *expect* the serv

        • Once you factor in the various workarounds legacy ip needs to keep hobbling along, then v6 is actually massively simpler.

          Maybe it is simpler, but the IETF did not think about easy migrations. The IETF let their hatred of NAT overrule developing a sensible and easy to use migration flow.

          Maybe NAT is bad, but it provides some protection to all those IoT devices.

          • by Bert64 ( 520050 )

            Dual stack was the migration path...
            There's not much else you can do, legacy IP was never designed to be extensible so you have to replace it. Temporarily running it alongside the replacement was the best you were ever going to get.

            NAT is _NOT_ a security mechanism and does not provide any protection to anything. It's a kludge to restore partial connectivity in a situation where otherwise there would be none. The added complexity actually reduces security in most cases.
            If you want to protect insecure device

            • Temporarily running it alongside the replacement was the best you were ever going to get.

              I don't believe that that was the best that could be devised. The simple fact is that there are millions of networks using NAT and some better migration path should have been created for them.

              NAT is _NOT_ a security mechanism and does not provide any protection to anything.

              NAT may not be intended as a security mechanism, but it does provide some level of protection.

              The vast majority of compromised IoT devices that form botnets today have been compromised via legacy ip

              Did you ever hear of "defense in depth"?

              Aside from the ease of scanning the address space both locally and remotely

              Please explain how one would scan the address space behind a NAT router.

              the small address space also makes XSRF attacks much easier

              I'll admit to not being a security expert, but the descriptions of XSRF attacks all talk about tricking the user i

      • Probably because IPv6 is crap. It's just not intuitive or easy to work with.

        You don't need to "work with it". You just need to understand how it works, and once you do that you'll realise you were utterly silly for trying to think you need to remember a 64bit address space in the first place.

        Most people have IPv6 running at home, and they don't even realise it nor did they need to do anything to get it running.

      • Counterpoint: IPv6 is awesome, and it's unbelievably easy to work with.

        Where the fuck do you get it from that it's hard? Every single node configures itself seamlessly, and can connect to anything else on the Internet without needing proxies or clouds. The only limitations are when your ISP intentionally cripples something, and that's on the ISP, not IPv6.

        • Some people are still hung up over long addresses, as if we were still commonly typing them out.

          • Yeah, to me it looks like excuses, similar to the "Oh no, I couldn't possibly use Mastodon, I heard you have to choose a server" bullshit (This from the same people who managed to pick a phone company and ISP that wasn't the phone company, and even an email provider that wasn't the ISP, but somehow the moment it becomes a useful alternative to some social networking site that's been taken over by Nazis it's "too hard" because of the most absurd reasons.) So the IP addresses are longer? So you have to mainta

        • by AmiMoJo ( 196126 )

          It's not hard, it's just awkward.

          To give you an example, my ISP supports IPv6, but only delegates a /56. There is no automatic configuration that can pick that up, you just have to know and set your router up correctly. The Sagemcom router they supplied has that set up for you, but seems to have a bug where after some indeterminate time the IPv6 addresses it dishes out stop working.

          You also need DNS to find stuff because the local address space is massive and you aren't supposed to control it. There is no g

          • > my ISP supports IPv6, but only delegates a /56. There is no automatic configuration that can pick that up, you just have to know and set your router up correctly

            Your router sucks. Since when has a /56 been a problem? My ISP only delegates a /60 which is even smaller. I've never come across a router that had a problem with that. A /56 would be awesome if unnecessary for most users (I doubt most users need more than a /64, but most ISPs give something bigger than that unless they're using mobile technolo

            • by AmiMoJo ( 196126 )

              The /56 is only a problem because you need to know about it, that's all. To be fair the allocation of a /24 was only a convention with IPv4, but it was something that fairly obviously should have been discoverable in v6.

              My point about the router is that the ones that ISPs supply generally have crap implementations of IPv6, as do most SOHO ones. That is changing thanks to people like TP Link shipping a half decent OS on their base models, but these crap network devices are one of the reasons why IPv6 is larg

              • > The /56 is only a problem because you need to know about it, that's all. To be fair the allocation of a /24 was only a convention with IPv4, but it was something that fairly obviously should have been discoverable in v6.

                Why would you, an end user, need to know about it short of a bug in your router or ISP?

                The chat your router should be having, over DHCP-PD, with your ISP is along the lines of:

                Router: Give me a prefix, anything!

                ISP: Sure, here's a /56

                Router: Wow, that's 256 /64s just for me. OK, I'm jus

              • While I'm at it, I'm wondering if half your issues are because you might be, if I'm reading correctly between the lines, manually configuring the prefix rather than having your router pull it via DHCP PD (or similar.) If it's that, then that'll prevent the router from renewing the prefix, which is why your packets stop being routed.

                You have to get a router that works and is set up correctly for this. I would strongly suggest if you're technically inclined looking into OpenWRT - not because I generally reco

    • Because IPv4 addresses are akin to gold. They are useful, but their primary value lies in their scarcity. So people hoard them.
    • by xack ( 5304745 )
      Both IPv4 and IPv6 are broken. You can't trust IP addresses for identification anymore because of multiple layers of NAT, VPNs and illegal proxies everywhere. Cybersecurity organisations don't care because the so called "good guys" abuse them too. I wouldn't be surprised if cryptocurrency is involved in the mess as well.
