Attribution: Growing Challenges For LEAs. Unit Chief Donald Codling (Retired), Federal Bureau of Investigation (FBI) Cyber Division, 3 October 2013.

Presentation transcript:

Attribution: Growing Challenges For LEAs
Unit Chief Donald Codling (Retired), Federal Bureau of Investigation (FBI) Cyber Division, 3 October 2013

What is Carrier Grade Network Address Translation?
Network Address Translation (NAT):
- Used in private networks (home, small business) to manage networks through private IPv4 addresses.
Carrier Grade NAT (CGN):
- places a NAT between the access network and the Internet;
- allows a single public IPv4 address to be used to support multiple customers.
CGN is not new but much more pervasive:
- Used for many years in developing nations and by mobile providers faced with explosive growth of customers without access to blocks of IPv4 addresses.
Impact: NO ATTRIBUTION

IPv4 - IPv6 transition
Until recently all that was needed for subscriber information was an IP address - not now.
IPv6 deployment is not fast enough:
- Many devices still not IPv6 capable, e.g., CPEs, routers, TVs, etc.
IPv4 addresses are almost gone:
- ARIN: no more IPv4 within a year
- RIPE NCC and APNIC: no IPv4
Transition period has begun:
- Carrier Grade NAT
- use one IPv4 for a multitude of users
- Differentiation is source port
- divide source ports over ? subscribers
(Packet header diagram: Destination IP | Dest Port | Source IP | Source port | Message body...)
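The two slides above describe the mechanism that breaks attribution: one public IPv4 address is shared by many subscribers and the only thing that tells them apart is the source port (and, for dynamic port allocation, the time at which that port was in use). The following toy CGN model is an added example, not material from the presentation or from any vendor; all account names, addresses and times in it are constructed. It models the "deterministic" port-block allocation the later slides mention (the usable ports of a public address divided evenly over its subscribers) and a dynamic mapping log, and shows what a records lookup can and cannot answer with each set of fields.

```python
"""Toy Carrier Grade NAT model (added example, not from the presentation).

Shows why a public IPv4 address alone no longer identifies a subscriber and
which extra fields (source port, exact time) make attribution possible.
Two allocation styles are modelled:
  * deterministic: the usable ports of one public address are split evenly
    over the subscribers sharing it, so (public IP, port) maps back to a
    subscriber without per-connection logging;
  * dynamic: ports are handed out per flow and reused, so the mapping log
    must be consulted with the exact time of the connection.
All accounts, addresses and times below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

PUBLIC_IP = "203.0.113.10"   # constructed; documentation range (RFC 5737)
FIRST_PORT = 1024            # ports below 1024 are not allocated to subscribers
LAST_PORT = 65535


@dataclass(frozen=True)
class Subscriber:
    account: str
    private_ip: str          # RFC 1918 address on the access network


# Constructed pool of subscribers sharing PUBLIC_IP (real CGNs share among many more).
SUBSCRIBERS = [
    Subscriber("acct-1001", "10.0.0.11"),
    Subscriber("acct-1002", "10.0.0.12"),
    Subscriber("acct-1003", "10.0.0.13"),
    Subscriber("acct-1004", "10.0.0.14"),
]


def port_block(index: int, n_subscribers: int) -> range:
    """Deterministic port block of subscriber `index` (0-based) among n sharing one public IP."""
    usable = LAST_PORT - FIRST_PORT + 1
    block = usable // n_subscribers
    start = FIRST_PORT + index * block
    return range(start, start + block)


def translate(private_ip: str, private_port: int) -> Tuple[str, int]:
    """Outbound translation: private (ip, port) -> public (ip, port) inside the owner's block."""
    idx = next(i for i, s in enumerate(SUBSCRIBERS) if s.private_ip == private_ip)
    blk = port_block(idx, len(SUBSCRIBERS))
    # Fold the private port into the block; a real CGN keeps a per-flow table instead.
    return PUBLIC_IP, blk.start + (private_port % len(blk))


def attribute(public_ip: str, source_port: Optional[int]) -> List[str]:
    """Answer a records request under deterministic allocation.

    Without the source port every subscriber sharing the address is a candidate,
    which is the "NO ATTRIBUTION" outcome described on the slides.
    """
    if public_ip != PUBLIC_IP:
        return []
    if source_port is None:
        return [s.account for s in SUBSCRIBERS]
    for i, s in enumerate(SUBSCRIBERS):
        if source_port in port_block(i, len(SUBSCRIBERS)):
            return [s.account]
    return []  # port outside every allocated block, e.g. below FIRST_PORT


def t(iso: str) -> datetime:
    """Parse an ISO 8601 timestamp with offset into an aware datetime."""
    return datetime.fromisoformat(iso)


# Constructed dynamic-CGN mapping log: (first use, last use, public port, account).
# Public port 40000 is reused by a second subscriber half a minute later.
DYNAMIC_LOG = [
    (t("2013-10-03T14:00:00+00:00"), t("2013-10-03T14:00:30+00:00"), 40000, "acct-1001"),
    (t("2013-10-03T14:00:31+00:00"), t("2013-10-03T14:01:00+00:00"), 40000, "acct-1003"),
]


def attribute_dynamic(source_port: int, when: datetime) -> List[str]:
    """Under dynamic allocation the same (IP, port) belongs to different subscribers
    at different times, so the lookup needs the connection time to the second."""
    return [acct for start, end, port, acct in DYNAMIC_LOG
            if port == source_port and start <= when <= end]


if __name__ == "__main__":
    ip, port = translate("10.0.0.12", 54321)
    print("no port  :", attribute(ip, None))   # all four accounts
    print("with port:", attribute(ip, port))   # ['acct-1002']
    print("dynamic  :", attribute_dynamic(40000, t("2013-10-03T14:00:45+00:00")))  # ['acct-1003']
```

The lookup functions are the point of the exercise: `attribute(ip, None)` is what a provider can answer today when a legal request carries only an IP address, and `attribute_dynamic` shows why the later slide asks for the connection time "within a second" rather than to the minute.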

IPv4-address attribution with CGN
(Diagram: several end users, each with a LAN router and modem on private IPv4, connect through the Internet service provider's Carrier Grade NAT; a public IPv4 address is presented to the Internet and reaches the web server at the Internet content provider.)

Results of FBI CGN Survey
- Received 142 responses
- Almost 200 cases affected
- Majority of service providers (mostly mobile) are unable to provide subscriber data in response to legal requests
- Cases involve cyber intrusions, armed robbery, child abduction and exploitation, wire fraud, fugitives, etc.
- Case impacts:
  - Subjects not apprehended - deadly fugitives, pedophiles
  - Cases delayed - lengthy circumvention via other methods
  - Cases closed - never able to start case effectively
  - Reduction of charges

Sample Response to CGN IP Address IP address is allocated to XYZ Co. and/or Service Provider Corporation in conjunction with XYZ Wireless. These blocks of IPs are used by XYZ Wireless for internet access and web-based applications for wireless devices (such as web-enabled cell phones and aircards). Requested wireless IP assignment records are not created or retained in the normal course of business and XYZ is unable to isolate or identify any individual account or device.

CGN Working Group
Convened 7 times since June 2011; last meeting on March 27th at Cisco, San Jose, CA.
Goal: CGN attribution solutions and IPv6 deployment
Participants:
- US/Canadian Law Enforcement (FBI, Royal Canadian Mounted Police, Quebec Police, ICE, DEA, FTC, NCMEC, DOJ)
- Government Agencies (Department of Commerce, Department of Defense, Industry Canada)
- Providers (Sprint, AT&T, T-Mobile, Rogers, Videotron, Verizon, Cox, Time Warner Cable, Comcast, Qwest, Shaw, Frontier Communications)
- Vendors (Juniper, Alcatel, Cisco, A10)
- Content Providers (Amazon, Google, Microsoft)
- Manufacturers (Apple, Linksys)

CGN Attribution
What needs to happen:
1. Law Enforcement: furnish/request more information to providers
2. Content providers (Google, Facebook, etc.) need to log source port
3. Application providers (Microsoft IIS, Apache) enable default or easy-to-switch-on source port logging
4. IPv6 deployment
What's on the horizon?
- ISPs (wire line only) state they have begun to develop solutions
- Some content providers log source port
- IETF RFCs for logging, e.g., Deterministic, RADIUS ??
- Greater IPv6 deployment
- Legislation?

CGN Legal Requests
New information law enforcement will need when serving providers with legal orders for single subscriber attribution:
1. Source/Destination IP address;
2. Source port number;
3. Exact time of the connection (within a second);
4. RADIUS logs?
5. Netflow/IPFIX?

Content Providers
- Enable source port logging (proxy, firewall, web) - IETF RFC 6302
- Modify transaction records to include source port
- Include source port in response to historical records request
- Many big content providers log source port - Facebook is a notable exception

Application Provider: Microsoft/Apache
Microsoft Request
1. White Paper: benefits to the users of source port, ease of installing source port logging
2. Code: source port logging functionality within GUI
3. Microsoft Tech Link
4. Statistical validation of source port logging implementation
Apache Request
1. httpd.conf file: LogFormat "%t %h %{remote}p %l %u \"%r\" %>s %b" common
2. Submitted 21 September 2013 on: _id=89136
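The Apache LogFormat requested above puts the client's source port (`%{remote}p`) next to its address on every line. For a content provider this raises two practical questions the slides on content providers and legal requests leave implicit: how to verify that the server is actually producing port-bearing records, and how to pull the (timestamp, IP, source port) triple out of them for a historical-records response. The script below is an added example, not part of the presentation or of the Apache project; the log lines in it are constructed samples in the requested format plus one line in Apache's default "common" format for contrast.

```python
"""Apache access-log check for source-port logging (added example, not from the
presentation or the Apache project).

The slides ask for the LogFormat
    "%t %h %{remote}p %l %u \"%r\" %>s %b"
so that each request records the client's source port next to its address.
This script parses lines in that format, flags lines still in the stock
"common" format (which carries no port), and extracts the three fields a CGN
records request needs: timestamp, client IP and source port.
All log lines are constructed samples.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Matches "%t %h %{remote}p %l %u \"%r\" %>s %b".
PORT_FORMAT = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<port>\d+) (?P<ident>\S+) (?P<user>\S+) '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)
APACHE_TIME = "%d/%b/%Y:%H:%M:%S %z"   # %t renders as [day/mon/year:hh:mm:ss zone]

# Constructed sample: two lines in the port-bearing format, one still in the
# default "common" format (%h %l %u %t \"%r\" %>s %b) with no source port.
SAMPLE_LOG = [
    '[03/Oct/2013:14:00:10 +0000] 203.0.113.10 23089 - - "GET /index.html HTTP/1.1" 200 2326',
    '[03/Oct/2013:14:00:45 +0000] 203.0.113.10 40000 - - "POST /login HTTP/1.1" 302 -',
    '203.0.113.10 - - [03/Oct/2013:14:01:02 +0000] "GET /favicon.ico HTTP/1.1" 404 209',
]


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one port-bearing line; return None for lines in any other format."""
    m = PORT_FORMAT.match(line)
    if not m:
        return None
    return {
        "time": datetime.strptime(m["time"], APACHE_TIME),
        "host": m["host"],
        "port": int(m["port"]),
        "request": m["request"],
        "status": int(m["status"]),
        "bytes": 0 if m["bytes"] == "-" else int(m["bytes"]),
    }


def audit(lines: List[str]) -> Tuple[int, int]:
    """Return (lines with source port, lines without). A non-zero second value
    means the server still emits records that cannot be attributed behind CGN."""
    with_port = sum(1 for ln in lines if parse_line(ln) is not None)
    return with_port, len(lines) - with_port


def records_for_request(lines: List[str], client_ip: str,
                        start: datetime, end: datetime) -> List[Tuple[str, str, int]]:
    """Historical-records response: (timestamp, IP, source port) for each request
    from `client_ip` within [start, end]. Timestamps are ISO 8601 with offset."""
    out = []
    for ln in lines:
        rec = parse_line(ln)
        if rec and rec["host"] == client_ip and start <= rec["time"] <= end:
            out.append((rec["time"].isoformat(), rec["host"], rec["port"]))
    return out


if __name__ == "__main__":
    print("with/without port:", audit(SAMPLE_LOG))   # (2, 1)
    window = (datetime.fromisoformat("2013-10-03T14:00:00+00:00"),
              datetime.fromisoformat("2013-10-03T14:01:00+00:00"))
    print(records_for_request(SAMPLE_LOG, "203.0.113.10", *window))
```

Running `audit` over a day of logs is a cheap way to confirm that a LogFormat change took effect on every virtual host; the common-format line in the sample is exactly the kind of record that would leave a request unanswerable.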

Other Attribution Concerns
- TOR
- Proxy Servers
- FREENET
- Poor WHOIS data
- Bullet Proof Hosting
- Hidden Lynx - "Advanced Hacker guns for Hire"
- Hosting in 'unfriendly jurisdictions'

Questions?