Network Shaping 101
Classification: TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20320108
Derived From: 1-52, Dated: 20070108, Declassify On: 20320108
This presentation is classified: TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL

What This Will Cover
• Caveats
• Example network we will work with
• What shaping would look like for that network
• Basic shaping problems
• A bit more advanced shaping problems

Initial caveats
• To understand how to do shaping, and why it does/doesn’t work sometimes, you have to go back to networking basics
• To get the most out of this presentation, you should already understand how IPs, CIDRs and Autonomous Systems (ASNs) work
• Some IPs/facts are just made up. This presentation uses Yemennet as our target network. This info is outdated and incomplete. Don’t use any of this information for any real analysis

You’re gonna talk about Layer 2 shaping, right?
• No
• It is extremely situational and only worth talking about if you are in a position where you have the right kind of access.
• Until then, Layer 3 shaping is where it’s at (in my opinion)

Example network - Yemen
• Yemen has 1 ASN (AS12486)
• We’ll pretend it has 6 upstream providers
  – Mobily (AS35819)
  – TATA (AS6453)
  – FLAG (AS15412)
  – PCCW (AS3491)
  – STC (AS39386)
  – SPRINT (AS1239)

AS12486
This network owns the following IP ranges: 46.35.64.0/19, 89.189.64.0/19, 46.35.72.0/21, 109.74.32.0/20, 46.32.80.0/21, 109.74.40.0/21, 63.168.168.0/23, 109.200.160.0/19, 63.171.18.0/23, 109.200.168.0/21
So, when we reference AS12486, you can assume it includes any IP address that falls within any of the above ranges.

[Slide diagram: 12486 Yemennet in the centre, linked to its six upstream providers (6453 TATA, 39386 STC, 35819 Mobily, 3491 PCCW, 1239 SPRINT, 15412 FLAG), which in turn connect to “The rest of the Internet”.]

Okay, so traffic for Yemen has to go through 1 of 6 providers, so?
Armed with this high-level knowledge of Yemen’s connectivity, think about what that means:
– Yemennet has to have a router that connects its own network with its upstream providers. That router is going to have a unique interface and IP address for each connection.
– That router has to use physical cables to connect between Yemennet and each upstream provider (think big transnational undersea fiber cables).
– Yemennet *CAN* control which upstream provider it sends data *OUT* of the country through (because it controls the router that’s sending the data out).
– Yemennet *CAN NOT* control which provider the data comes back *IN* to the country through, because that is left to BGP routing tables out on the Internet.

[Slide diagram, shown twice: the connectivity map of 12486 Yemennet, its upstream providers (6453 TATA, 35819 Mobily, 39386 STC, 1239 SPRINT, …) and “The rest of the Internet”, the second version showing the physical cables between Yemennet and each provider.]

Next, let’s visualize the physical connections between Yemennet and its upstream providers. You can see here which cables are used.

So to recap:
• You understand the logical connectivity of Yemennet (who it has to go through to get to the Internet)
• You grasp the physical connectivity of Yemennet (you know which fiber cables physically connect it to the rest of the world)
• You know that Yemennet can choose which provider it sends data *OUT* through
• Big Internet BGP routing tables can dynamically choose which link data comes back *IN* to Yemennet through
• There are a couple more things to know before we talk about shaping…

About that router that connects Yemennet to its peers…
• Remember how I mentioned that router has a different interface and unique IP address for each upstream provider? That router will have at least 7 interfaces (one for each upstream, and one connected to the rest of its network).
• The connection between the router and an upstream provider has to use IPs that are in the same subnet (normally it’s a /30 subnet, which consists of 2 usable IPs).
• This means that one of the two networks will have to sacrifice an IP address to put on the other end of the connection (most of the time it’s the bigger network that gives up an IP address to assign to the customer side’s router).
• So, if we were to use the connection with SPRINT for example, here’s what it might look like…

[Slide diagram: the Yemennet-SPRINT link, labelled “Router on Sprint’s end of the connection: 144.232.234.149” and “Router on Yemen’s end of the connection: 144.232.234.150”.]

[Slide diagram: the connectivity map with the router addresses on every link:
– FLAG side: 62.216.145.129, Yemen side: 62.216.145.130
– PCCW side: 63.218.252.185, Yemen side: 63.218.252.186
– TATA side: 66.198.126.9, Yemen side: 66.198.126.10
– STC side: 84.235.108.17, Yemen side: 84.235.108.18
– Sprint side: 144.232.234.149, Yemen side: 144.232.234.150
– Mobily side: 86.51.2.109, Yemen side: 86.51.2.110]

WARNING! WARNING!
• In the following slides when I talk about SSO collection capabilities, I am completely MAKING UP:
  – SIGADs
  – Case notations
  – Which cables are collected
  – Where SSO’s collection capabilities are
• I am MAKING UP this info for the sake of this lesson.
• For info on what SSO’s capabilities are for your own target, you will have to go talk to them yourself.

WARNING 2! WARNING 2!
• For the sake of this example, I am assuming that all of Yemennet’s international links are equal.
By that I am making the assumptions that:
  – An equal amount of traffic is going in/out of each link
  – Yemennet is not doing anything to manipulate traffic going over specific links
  – All links are actually active, and are not just backups or down due to maintenance or cable breaks…
• With that out of the way…

So now you have a good idea about Yemen’s connectivity…
• Now time to overlay it with SIGINT collect…
• Without going into how to do this yourself, work with SSO to determine which of those links we can passively collect.
• Let’s pretend that they have capabilities to collect the Yemen-Sprint link and the Yemen-FLAG link, but have no capabilities on the rest.
• Once again, this is only PRETEND for the sake of this lesson.

[Slide diagram, built up over several slides: the connectivity map with two (made-up) collection points overlaid on the Yemen-FLAG and Yemen-Sprint links, labelled “SIGAD: US-9999, CASN: YM234500000” and “SIGAD: US-8888, CASN: YM567800000”.]

Now that you’re an expert on Yemennet, let’s talk about shaping
• The purpose of “shaping” is taking traffic that wouldn’t normally go through one of our passive links, and *making* it go through one of our passive links, so we can collect it and get it into the SIGINT system.
• Before we talk about how to shape traffic on Yemennet, let’s explore a couple of different scenarios in which we would consider shaping as a solution… they will be shaping traffic OUT of Yemennet, and shaping traffic INTO Yemennet.

Shaping traffic OUT of Yemennet
• For this scenario, you have an access (probably CNE) inside of Yemennet, and you want to make that access send traffic, but make sure it goes out over a link that is passively collected by SSO.
• You need a DESTINATION on the Internet where you can send data to, where you know it will go over 1 of the 2 links we can collect.
• Earlier I mentioned that Yemennet can control which links they send data OUT. This is true, Yemennet has that control; however, you, as an end-user on their network, do *NOT* have that control.
• So, how can you control which link your traffic will go out through?

[Slide diagram, built up over several slides: the connectivity map of 12486 Yemennet and its providers, with the two collected links (Yemen-FLAG and Yemen-Sprint) and the outbound path highlighted.]

So in order to shape traffic OUT of a network
• You need to have an understanding of the network that you are starting in, who its upstream providers are, and what the collection capabilities are against that network.
• Then you can find a destination IP address directly on the other end of that link (by looking at any of the IP ranges in that provider’s ASN).
• From there, you have a higher probability that traffic will traverse a link you can passively collect.

Shaping traffic INTO a network
• This is a whole different animal, and probably more relevant to what people traditionally think of as “shaping” in the SIGINT sense.
• There is only 1 feasible way (that I can think of) to make this work reliably.
• But first, let’s go back and look at our Internet connectivity…

[Slide diagrams, built up over many slides: the connectivity map of 12486 Yemennet and its providers, first with inbound traffic from “The rest of the Internet” drawn arriving over different links, then annotated with the router addresses on every link (FLAG side: 62.216.145.129 / Yemen side: 62.216.145.130; PCCW side: 63.218.252.185 / Yemen side: 63.218.252.186; TATA side: 66.198.126.9 / Yemen side: 66.198.126.10; STC side: 84.235.108.17 / Yemen side: 84.235.108.18; Mobily side: 86.51.2.109 / Yemen side: 86.51.2.110; Sprint side: 144.232.234.149 / Yemen side: 144.232.234.150), and finally with a traceroute (“trace”) path drawn into Yemennet.]

Scenario – “I tried shaping one time and it didn’t work…”
• As we’ve seen earlier, there are many facets that make shaping efforts unreliable
• It matters whether you are trying to shape traffic OUT of a network or whether you are starting at a random place on the Internet and trying to shape traffic INTO the network
• So what steps could you take?

So, you might consider the following train of thought…
• First you say, “I want to do shaping through SIGAD US-9999”
• Then look at all of the links collected at that site (probably in BLACKPEARL)
• Find a World-to-Geekistan link over CASN GE010100000 (we’ll assume you also know that this is actually a Level 3-to-Geekistan link)
• Look at the IP space on the dest side of the link and say, “I will send my exfil to that IP space, and it should go through US-9999, CASN GE010100000.”
• Then you are left sorely disappointed when your exfil isn’t reliably collected.
• What went wrong?
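The networking basics the deck leans on (the AS12486 prefix list, the /30 point-to-point subnet on each upstream link, and the remark that the provider normally supplies those link addresses) can be checked mechanically rather than by eye. The following Python is an added example, not code from the slides, using only the standard library’s ipaddress module and the made-up addresses printed on the slides; the function names are my own. It serves both the AS12486 slide and the router/30 slides above: longest-prefix membership and prefix collapsing, validating that both ends of every drawn link share one /30 with exactly two usable hosts, and mapping an observed address (a traceroute hop, say) back to the link it sits on.

```python
"""Added example (not from the slides): checking the deck's made-up Yemennet
numbers with Python's standard ipaddress module. It exercises three of the
deck's networking-basics points: an IP 'belongs to AS12486' if any listed
range contains it; each router-to-upstream link is a /30 with 2 usable IPs;
and the provider normally supplies the addresses for that /30."""
import ipaddress
from typing import Optional

# Prefixes from the "AS12486" slide (made-up values, per the deck itself).
AS12486_PREFIXES = [ipaddress.ip_network(p) for p in (
    "46.35.64.0/19", "89.189.64.0/19", "46.35.72.0/21", "109.74.32.0/20",
    "46.32.80.0/21", "109.74.40.0/21", "63.168.168.0/23", "109.200.160.0/19",
    "63.171.18.0/23", "109.200.168.0/21",
)]

# (provider side, Yemen side) router addresses from the link diagram.
LINKS = {
    "FLAG":   ("62.216.145.129",  "62.216.145.130"),
    "PCCW":   ("63.218.252.185",  "63.218.252.186"),
    "TATA":   ("66.198.126.9",    "66.198.126.10"),
    "STC":    ("84.235.108.17",   "84.235.108.18"),
    "Mobily": ("86.51.2.109",     "86.51.2.110"),
    "Sprint": ("144.232.234.149", "144.232.234.150"),
}


def matching_prefix(addr: str, prefixes=AS12486_PREFIXES) -> Optional[ipaddress.IPv4Network]:
    """Most specific listed prefix containing addr (longest-prefix match), or None.
    The slide's list nests prefixes (46.35.72.0/21 lies inside 46.35.64.0/19)."""
    ip = ipaddress.ip_address(addr)
    hits = [p for p in prefixes if ip in p]
    return max(hits, key=lambda p: p.prefixlen) if hits else None


def in_as12486(addr: str) -> bool:
    """The slide's rule: the address belongs to AS12486 if any listed range holds it."""
    return matching_prefix(addr) is not None


def collapsed_prefixes(prefixes=AS12486_PREFIXES) -> list:
    """Merge nested and adjacent prefixes into the minimal equivalent set."""
    return list(ipaddress.collapse_addresses(prefixes))


def link_subnet(provider_side: str, customer_side: str) -> ipaddress.IPv4Network:
    """The /30 shared by both ends of a point-to-point link.
    Raises ValueError if the two addresses cannot sit in one /30."""
    a = ipaddress.ip_network(f"{provider_side}/30", strict=False)
    b = ipaddress.ip_network(f"{customer_side}/30", strict=False)
    if a != b:
        raise ValueError(f"{provider_side} and {customer_side} are not in one /30")
    return a


def usable_hosts(net: ipaddress.IPv4Network) -> list:
    """Usable addresses (network and broadcast excluded): exactly 2 for a /30."""
    return [str(h) for h in net.hosts()]


def link_for_address(addr: str, links=LINKS) -> Optional[str]:
    """Name of the upstream link an observed address (e.g. a traceroute hop) is on."""
    ip = ipaddress.ip_address(addr)
    for name, (prov, cust) in links.items():
        if ip in link_subnet(prov, cust):
            return name
    return None


def who_supplied_the_link(links=LINKS) -> dict:
    """'customer' if a link's /30 falls in AS12486 space, otherwise 'provider'.
    With the slide's values every /30 is provider space, as the deck remarks."""
    return {name: ("customer" if in_as12486(cust) else "provider")
            for name, (prov, cust) in links.items()}


if __name__ == "__main__":
    print("collapsed:", [str(p) for p in collapsed_prefixes()])
    print("46.35.75.1 ->", matching_prefix("46.35.75.1"))
    for name, (prov, cust) in LINKS.items():
        net = link_subnet(prov, cust)
        print(f"{name:7s} {net}  usable={usable_hosts(net)}")
    print("144.232.234.149 is on the", link_for_address("144.232.234.149"), "link")
    print(who_supplied_the_link())
```

Two things fall out of running it: the ten listed prefixes collapse to seven (three are subnets of others), and none of the Yemen-side link addresses fall inside AS12486’s own ranges, which is the concrete form of the slide’s point that the bigger network gives up an address for the customer’s router.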
Let’s consider what we know so far…

[Slide diagram, built up over several slides: “Geekistan ASN” connected to the “Internet” through the collected link (SIGAD US-9999, CASN GE010100000); the later versions add Level 3, Cogent and Sprint as Geekistan’s upstream providers and draw the exfil path in from the Internet.]

Now to the nittier-grittier…
• This following section could also be renamed the “I’m pulling my hair out in the fetal position while screaming ‘Why didn’t it work?!’” section.
• The previous slides described how shaping should work at a theoretical level; following are a few reasons why it doesn’t always work in the real world.
• The following issues are not all-encompassing of why shaping might not work, just a few examples.

[Slide diagrams, repeated over the remaining slides: the Geekistan ASN / Internet map with Level 3, Cogent and Sprint as providers, the collected link (SIGAD US-9999, CASN GE010100000) and the exfil path.]
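The Geekistan diagram shows the root of the disappointment: the destination AS has three upstreams (Level 3, Cogent and Sprint), and every other network on the Internet picks its own single best path to Geekistan’s prefix, so the link a packet arrives over is decided by the networks along the way, not by whoever sent it or which Geekistan address it was sent to. The following Python is an added example, not from the slides; it runs a toy BGP route propagation over a constructed topology using the standard customer-over-peer-over-provider preference and export rules, and reports which source networks’ traffic actually crosses the Level 3-Geekistan link. Only the three upstream names come from the diagram; the transit and source ASes, their relationships and the policies are constructed for the example.

```python
"""Added example (not from the slides): a toy BGP route-propagation model of
the Geekistan scenario. Geekistan has three upstreams (the diagram names
Level 3, Cogent and Sprint); every other AS chooses ONE best path by its own
policy, so which Geekistan link inbound traffic uses depends on where the
traffic starts. Transit/source ASes and all relationships are constructed."""

# Provider -> customer links. Only the three Geekistan upstreams are from the
# slide diagram; everything else is invented for the example.
CUSTOMER_OF = [
    ("Level3", "Geekistan"), ("Cogent", "Geekistan"), ("Sprint", "Geekistan"),
    ("Level3", "TransitA"), ("Sprint", "TransitB"),
    ("TransitA", "Source1"), ("Cogent", "Source2"),
    ("TransitB", "Source3"), ("Cogent", "Source3"),   # Source3 is multihomed
]
# Settlement-free peerings (symmetric).
PEERS = [("Level3", "Cogent"), ("Cogent", "Sprint"), ("Level3", "Sprint"),
         ("TransitA", "TransitB")]
ALL_AS = sorted({asn for link in CUSTOMER_OF + PEERS for asn in link})
SOURCES = ["Source1", "Source2", "Source3"]

# The usual "customer > peer > provider" local preference.
LOCAL_PREF = {"customer": 300, "peer": 200, "provider": 100}


def relationship(a, b):
    """How AS a classifies neighbor b: 'customer', 'provider', 'peer' or None."""
    if (a, b) in CUSTOMER_OF:
        return "customer"
    if (b, a) in CUSTOMER_OF:
        return "provider"
    if (a, b) in PEERS or (b, a) in PEERS:
        return "peer"
    return None


def neighbors(a):
    return [b for b in ALL_AS if relationship(a, b)]


def may_export(asn, learned_from, to):
    """Export policy: our own prefix and customer-learned routes go to every
    neighbor; routes learned from peers or providers go only to customers."""
    if learned_from is None or relationship(asn, learned_from) == "customer":
        return True
    return relationship(asn, to) == "customer"


def select_best(asn, candidates):
    """Simplified BGP decision: highest local-pref, then shortest AS_PATH,
    then lowest neighbor identifier. Paths already containing asn are loops."""
    valid = [(nbr, path) for nbr, path in candidates.items() if asn not in path]
    if not valid:
        return None
    nbr, path = min(valid, key=lambda it: (-LOCAL_PREF[relationship(asn, it[0])],
                                           len(it[1]), it[0]))
    return (nbr, (asn,) + path)


def converge(origin="Geekistan", max_rounds=50):
    """Propagate the origin's prefix until every AS's best path is stable.
    Returns {asn: (learned_from, as_path)} with as_path starting at asn."""
    rib = {a: {} for a in ALL_AS}           # routes received, keyed by sender
    best = {a: None for a in ALL_AS}
    best[origin] = (None, (origin,))
    for _ in range(max_rounds):
        changed = False
        for a in ALL_AS:                     # advertise (or withdraw) to neighbors
            for n in neighbors(a):
                adv = None
                if best[a] is not None and may_export(a, best[a][0], n):
                    adv = best[a][1]
                if rib[n].get(a) != adv:
                    changed = True
                    if adv is None:
                        rib[n].pop(a, None)
                    else:
                        rib[n][a] = adv
        for a in ALL_AS:                     # run the decision process
            if a == origin:
                continue
            new = select_best(a, rib[a])
            if new != best[a]:
                best[a], changed = new, True
        if not changed:
            return best
    raise RuntimeError("routing did not converge")


def ingress_link(best, asn):
    """Which Geekistan upstream traffic from asn enters Geekistan through."""
    return best[asn][1][-2] if best[asn] else None


def sources_using_link(best, upstream):
    """Source ASes whose inbound traffic crosses the upstream-Geekistan link."""
    return sorted(s for s in SOURCES if ingress_link(best, s) == upstream)


if __name__ == "__main__":
    best = converge()
    for s in SOURCES:
        print(f"{s}: {' -> '.join(best[s][1])}  (enters via {ingress_link(best, s)})")
    print("sources crossing the Level3 link:", sources_using_link(best, "Level3"))
```

With this topology only Source1 reaches Geekistan over the Level 3 link; Source2 and the multihomed Source3 both enter via Cogent, Source3 because its provider-learned path through Cogent is shorter than the one through TransitB and Sprint. Changing one relationship or one AS_PATH length moves traffic to a different link without anything changing at the destination, which is the “what went wrong” of the scenario above.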