Iran Has Shut Off its Internet

Iran has gone pretty much entirely offline in the wake of nationwide protests. This is the best article detailing what's going on; this is also good.

AccessNow has a global campaign to stop Internet shutdowns.

TITLE EDITED TO REDUCE CONFUSION.

Posted on November 20, 2019 at 6:52 AM • 41 Comments

Comments

danny • November 20, 2019 8:50 AM

Poor choice of words on that title Mr. Schneier. At first I thought the entire internet was out due to some Iranian hacker(s). Then I realized it is theirs.

On the other hand, as slow as politicians are to catch up with technologies, they do understand that the internet is a resource. What amazes me is that governments around the world have not done it sooner and allowed us to have it so far. Splinternet will become the norm in the near future and the current internet, as broken as it is with ads and invasion of privacy, will become a utopia for those future times.

Clive Robinson • November 20, 2019 8:58 AM

@ Bruce,

Whatever the --political-- reason is, I've been expecting this for a while now.

Russia plans to shut itself behind what will become another "Great China Firewall", supposedly as a test in the very near future. No doubt if it works it will become permanent if the test goes well.

And there is a growing queue of other nations that want to do the same or similar.

The simple fact is the early days of the Internet are now long gone; digital surveillance is not optional, it's a requirement not just for the national jurisdictional network entities, but for extra-jurisdictional entities in other nations as well.

Up until a decade ago the basic network topology followed that of the older telephone network, and the even older telex network before it.

Since then there have been ever increasing signs that national governments want rather more autonomy than they have been given. Things came to a head at the 2014 Doha meeting of the UN ITU World Radio Conference, which the US only just managed to scrape a maybe status quo on.

Now half a decade later at the current WRC that is due to end this week it's become clear the status quo cannot be maintained.

Amongst other things driving the split is the US behaviour over 5G, which they may paint as an "Evil China" issue publicly but is actually a pissing contest over who controls the digital future.

Because few Western Governments have put the required resources into their communications industry, like so much before it, from colour TVs and transistor radios in the 1960's, the innovation in the market has moved to where it is better resourced, which has been to the likes of the Far East, and more recently the BRIC countries.

Now the game is effectively lost and there is no clear incentive from the First World Western Nations for keen minds to stay, so they are following the provided resources.

It's not as though there have not been abundantly clear warnings this was going to happen from the early 1990's, but despite the warnings being made clear, as were the consequences, large corporate management have been seduced over to the Far East by cheap labour, only to find they are now effectively stuck there, and now many "locals" who know their trade secrets have set themselves up in competition.

So the dark clouds of what could well be a "Perfect Storm" have crossed well over the horizon. Do we in the West maintain the same course to even more troubled seas or do we change course and put the effort into avoiding the storm?

Way0k • November 20, 2019 10:29 AM

Please forgive my ignorance. I am aware that certain local mesh networks can be maintained throughout catastrophic events, but is there a method designed yet to reliably maintain secure connectivity beyond borders, as necessitated by actions such as this report? Something that is affordable? Wouldn't a few distributed satellite links work (Or are com satellites far too locked down now)?
Thank you in advance for any links/insights. W0K

DraganM • November 20, 2019 11:00 AM

Shutting the internet down may have minimal effect internally. Without blocking other means of communication internally, blocking the internet cannot do too much.
The major effect is in blocking outside interference within, or the spread of news outside of the country, with the latter being not realistically too effective. People always find a way, and will continue to do so.
Knowing what you know about politics, mass surveillance, CIA, Five Eyes and related activities, is shutting external traffic not the expected, logical and desired solution for countries under assault?

Petre Peter • November 20, 2019 12:17 PM

In the 21st century cutting off access to the Internet is a clear human rights violation. Amnesty International should be all over this, if they are allowed in the country that is. Also, human rights violations should lead to economic sanctions in an effort to make those in power listen.

Impossibly Stupid • November 20, 2019 12:34 PM

@Clive Robinson

Russia plans to shut itself behind what will become another "Great China Firewall", supposedly as a test in the very near future.

Good. All I ever see coming from them (and about 50 other countries, including Iran) on my servers is wave after wave of attack. My life would get easier if they completely cut themselves off. Western countries should respect their wishes to disconnect from the Internet. Would any Americans even notice if a reciprocal firewall was put in place for these nations?

Since then there have been ever increasing signs that national governments want rather more autonomy than they have been given.

They don't want that autonomy for good reasons, though. The common MO here (and usually throughout history) is that people want to split off because they want to do bad things that are harmful to the social well being. It would be shocking to see the resurgence of a healthy patriotism.

mouth • November 20, 2019 1:17 PM

Through services like twitter, instagram (very popular in Iran) etc the US is monitoring Iranians. As things stand this could be the reason for the shutdown.

Clive Robinson • November 20, 2019 1:18 PM

@ Impossibly Stupid,

Good. All I ever see coming from them (and about 50 other countries, including Iran) on my servers is wave after wave of attack.

Well... It might not be good.

If, as many claim, the criminal element that frequents the Internet outside of Russia but is from Russia is sanctioned by the Russian Government, then it is highly unlikely that the Russian Government will "bottle them up".

As the old saying has it, if you have to have them in the boat you would rather they p155ed out of the boat than p155 in...

cmeier • November 20, 2019 2:10 PM

Satellite TV from outside Iran is available in Iran. Some enterprising expat will figure out how to offer satellite internet. What is the quote? "The Internet perceives censorship as damage and routes around it."

Clive Robinson • November 20, 2019 2:15 PM

@ WayOk, ALL,

Something that is affordable? Wouldn't a few distributed satellite links work (Or are com satellites far too locked down now)?

This Government lock down may only work out to be "one way" at best...

Because there are "no fee to connect and receive" satellites pumping education, weather and some news information out.

Othernet used to be on L-Band but have since moved to Ku-Band, where the antenna can be quite small, and hidden quite easily.

https://othernet.is

https://en.wikipedia.org/wiki/Othernet

Whilst they do sell receivers for less than 60USD, they also have published designs by a number of people. Whilst others use their own designs to receive and process the information (most 10-12GHz LNBs output a signal that an RTL SDR dongle previously used for L-Band will work with):

https://m.youtube.com/watch?v=KCewB_PuvDk

However if you want "interactive Internet" the rapid deployment of high bandwidth entertainment systems on transportation such as planes and cruise ships means that access through other satellite providers like Inmarsat are dropping in price. Whilst not cheap you can get upload and download bandwidth suitable for sending "broadcast TV".

gordo • November 20, 2019 2:33 PM

Regarding the thread title, it is Iran's internet that Iran has shut off. I imagine it is merely an information operation in response to an information operation.

SpaceLifeForm • November 20, 2019 2:43 PM

@ Impossibly Stupid

"Good. All I ever see coming from them (and about 50 other countries, including Iran) on my servers is wave after wave of attack."

Remember, attribution is hard.

Are you certain that those packets really originated from where you think they did?

Impossibly Stupid • November 20, 2019 4:36 PM

@Clive Robinson

If, as many claim, the criminal element that frequents the Internet outside of Russia but is from Russia is sanctioned by the Russian Government, then it is highly unlikely that the Russian Government will "bottle them up".

And? Just because a defense isn't perfect doesn't mean it isn't worth doing, especially if it forces the attacker to be more exposed on the "outside". It's not like, for example, foreign meddling in the 2016 election got a free pass simply because it used Facebook as a puppet.

As the old saying has it, if you have to have them in the boat you would rather they [spit] out of the boat than [spit] in...

Minor edit, just in case the mods take offense. :-)

The problem is that the Internet is not a vast, empty ocean. It is crowded with boats, and you're surrounded by 100 baddies looking to spit in for every one you have looking to spit out. The right solution is not an arms race, but to stop all the spitting.

@SpaceLifeForm

Remember, attribution is hard.

No, it isn't. That's the same tired excuse war criminals and sociopathic cloud providers always trot out when they want to use innocents as human shields. "Hey, careful, you don't want to blame this on me and the company I keep, because we're just following orders!" If I'm attacked by 3.130.4.179 (and I just was as I'm making this reply), it is easy to attribute that to Amazon's 3.128.0.0/9, and act accordingly.

Are you certain that those packets really originated from where you think they did?

Yes, I am. It's not individual packets that trigger action, but traffic at layers after handshakes have connected both ends. If you're going to attempt to trot out some "behind 7 proxies" nonsense, understand that my job is to secure my servers, not track down any root geopolitical factions that pull the strings of vast global criminal organizations. Or, put another way, I leave it to Amazon to police their own network; if they have no interest in doing that, then they too should be bounced off the Internet.

Jesse Thompson • November 20, 2019 4:50 PM

I think this is starting to sound a little bit like Greg Egan's novel Zendegi.

If that pattern holds, then doubtless folks will get their hands on a ton of really handy smartphones with phenomenal interference-resistant wireless-mesh hardware and time-delayed message re-broadcast software built in to keep the spice (social networking, digital gossip) flowing despite government interventions, which in turn will help to mobilize and organize cells of various resistance movements.

But wake me when we've got VR bouncy castles. Those sound fun. ;)

Clive Robinson • November 20, 2019 9:26 PM

@ Impossibly Stupid,

And? Just because a defense isn't perfect doesn't mean it isn't worth doing, especially if it forces the attacker to be more exposed on the "outside".

What "defence"?

If the Russian Government blocks packets originating in Russia getting out how do you see that as a defence?

Because it is not defending anything Russian inside its blocking perimeter, is it?

It is in effect either imprisoning Russian criminals inside the Russian jurisdictional networks, which does not solve the criminal problem, only "bottles it up". Or it effectively blocks those non-Russian criminals who are currently using Russian jurisdictional networks to hide their point of origin.

It would only become a defence in the second case. As @SpaceLifeForm has implied with,

    Are you certain that those packets really originated from where you think they did?

That is, when the closed perimeter stops criminals outside of Russia using Russian jurisdiction networks as a relay to hide their actual point of origin, the attackers would have to fake their origin in a different way.

One of the big mistakes "insider attackers" make is having the point of origin of their attack "inside" any perimeter security. It's a common basic OpSec error that leads to them being identified, something I've pointed out since the 1990's[1].

If you follow the logic of you calling it a "defence" through, you will see that you will not be "politically popular" in these days of stage managed cries of "It's Russia wot dunit". Because implicitly you are saying that Russia is not the origin of the attacks, merely a staging post, and thus they are dropping off of the Internet to defend not just those inside their jurisdictional networks from attack by outsiders, but also their international name...

And you might well be right in that respect. It's part of the reason I indicated it might not be good. That is, if those who attack you are using Russian jurisdictional networks as staging posts, then that current convenience will be denied to them when Russia throws the switch. Thus the attackers will have to find another way to hide their origin, and thus they might well make mistakes by which they may be identified.

Let's put it this way, if I were an attacker, I would already have a number of mitigation plans not just in place, but up and running, and I would be slowly migrating my fake point of origin to some other jurisdiction's networks.

So whilst you might see the number of attacks from Russia decline, you will potentially see them rise from some other "apparent" point of origin.

But the reason I indicated it might actually be worse for you is that if forced to make one set of changes, the attackers might well make several changes... That is in effect "upgrading their attacks", which would mean you would be facing a changed landscape requiring you to make changes to your defence strategies as well. As that is likely to be a "reactive not proactive" set of changes it implies that there will be a learning curve which might also give rise to a "window of opportunity" or advantage to the attackers.

It's not something that worries me on a "personal" basis. As I've indicated before my personal network is not connected to the Internet or any other external communications. That is, to attack me they would have to have "hands on physical access", which implies a whole different level of attacker with resources to match, not a run of the mill cyber-criminal.

[1] I can still remember the really surprised looks on people's faces when I gave a talk in summer 2000 to students and their professors from all over Europe --which included Russians as well-- when I pointed it out. You could "see the penny drop" in not just the students' eyes. Something I still see today when I mention "Outsiders should look like insiders, and insiders should look like outsiders" as "Basic OpSec", which is why you have to be cautious with attribution, getting on for a third of a century now... The reason I remember that particular talk well was because of an answer I gave to a question from one of the professors; it was about another security issue and I replied "When Bill Gates says I have to put a five pin DIN socket in the back of my head, I know it's time for me to retire". A point that is getting perilously close nearly two decades later. It was one of those pivotal moments, where subconscious thoughts crystallized whole and shockingly clear in my mind, and as part of it, it "hit me in the gut" hard.

Though these days I suspect it won't be anything as secure as the five pin DIN socket we used to have last century for "user input". No, it will be something more like an RFID or NFC embedded with really flawed or backdoored security (by command) that just cannot be patched...

Gerard van Vooren • November 21, 2019 2:08 PM

I have to say that the moderation is hard here.

All I did was say that it's thanks to Trump that Iran now has to stop the internet, and my message got blocked.

(and probably is gonna be blocked again)

Impossibly Stupid • November 21, 2019 5:30 PM

@Clive Robinson

If the Russian Government blocks packets originating in Russia getting out how do you see that as a defence?

Uh, how do you not? Someone who used to be able to attack you with impunity now no longer can. Sounds like a pretty solid defensive move to me.

Because it is not defending anything Russian inside its blocking perimeter, is it?

It is, to the extent that external agents are also likely attacking Russian assets. But that's not my main concern.

It is in effect either imprisoning Russian criminals inside the Russian jurisdictional networks which does not solve the criminal problem, only "bottles it up".

Again, and? Who else is better equipped to deal with criminals but those who have jurisdiction over them? Let Russians solve Russian problems; isn't that what autonomy is all about?

Or it effectively blocks those non Russian criminals who are currently using Russian jurisdictional networks to hide their point of origin.

Again, good. Nobody should be running an insecure network. Nobody should expect some external admin to be able to effectively police misuse of their internal network. It's another Russian problem that Russians need to solve.

If you follow the logic of you calling it a "defence" through, you will see that you will not be "politically popular" in these days of stage managed cries of "It's Russia wot dunit".

I don't care about any of that. Whether it's Russia or one of the other 50 countries that seem to be major sources of attacks, or the one-off attack that came in today from 94.199.18.198 (can't recall ever seeing a TJ country code in the logs before), I can't be bothered to play politics or try to track it back any further to some shadowy "point of origin" organization.

Because implicitly you are saying that Russia is not the origin of the attacks, merely a staging post, and thus they are dropping off of the Internet to defend not just those inside their jurisdictional networks from attack by outsiders, but also their international name...

I'm certainly willing to give anyone the benefit of the doubt when it comes to failures in securing their network. But, then, they do have to admit those failures and take steps to correct them, and that's something that I just don't see happening anywhere from anyone.

I mean, it's not like Amazon is buying up ads declaring to the world that their cloud hosts are being used to attack my (and countless other) servers. Every abuse contact I've dealt with in the past decade seems to have the mission not of ending abuse, but making excuses that allow them to keep cashing the abuser's checks.

Let's put it this way, if I were an attacker, I would already have a number of mitigation plans not just in place, but up and running, and I would be slowly migrating my fake point of origin to some other jurisdiction's networks.

Good. They should be bounced off the open Internet, too. You as an attacker should have to be working hard to keep being a terrible person. It's sad civilization is degrading to the point where this is something that needs to be championed.

So whilst you might see the number of attacks from Russia decline, you will potentially see them rise from some other "apparent" point of origin.

Only if Russia (et al.) doesn't care enough to police their network to expose the "origin" they see. Or, put another way, I have only once ever had an organization contact me to point the blame for abuse elsewhere. Everyone who isn't the source is welcome to provide evidence of network traffic that demonstrates it. This is science and technology we're talking about, not some hush-hush backroom political machinations.

But the reason I indicated it might actually be worse for you is that if forced to make one set of changes, the attackers might well make several changes... That is in effect "upgrading their attacks" which would mean you would be facing a changed landscape requiring you to make changes to your defence strategies as well.

That's not worse, that's better! I already have escalating countermeasures planned (and/or ready) to fight abuse. I'm not going to rush to use them, though, because an arms race is a waste of those resources. If it's the attacker that is forced to spend first, that's a win for me, especially when their efforts aren't even enough to breach my current defenses. For example, it is endlessly amusing to see hosts scanning my web server for things like PHP exploits (I don't use PHP, of course), because it means my system can automatically drop those insecure networks into the firewall, meaning they won't be the source of any future attacks that I could possibly be vulnerable to.

As that is likely to be a "reactive not proactive" set of changes it implies that there will be a learning curve which might also give rise to a "window of opportunity" or advantage to the attackers.

While that could be the case, that is not my approach. For example, about 15 years ago I came up with some anti-spam techniques that allow me to track who leaked my email address and stop junk mail from even reaching my server; I still have two levels of escalation that are essentially left unused because spammers haven't gotten more sophisticated in that time because "anti-spammers" have settled for hiding spam traffic as their "solution" to the problem. Likewise, while I can't claim I have perfect security otherwise, I know for a fact that other fruits out there are hanging so much lower than mine that my risk of being a target is slim; it doesn't worry me enough to keep me awake at night.
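The log-driven blocking Impossibly Stupid describes in the comment above (spot probes for PHP resources on a server that runs no PHP, then firewall the whole network the probe came from rather than the single address) can be shown in a short script. This is an added example, not code from the commenter or from this blog. The log lines are constructed, the `ATTRIBUTION_NETS` table is an operator-supplied assumption (3.128.0.0/9 is simply the range named in the comment, and 198.51.100.0/24 is a documentation range used as a placeholder), and the regular expression assumes the common Apache/nginx "combined" log format.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" format; not real traffic.
SAMPLE_LOG = """\
3.130.4.179 - - [20/Nov/2019:16:30:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
3.130.4.179 - - [20/Nov/2019:16:30:02 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
94.199.18.198 - - [21/Nov/2019:09:12:44 +0000] "POST /thinkphp/index.php?s=captcha HTTP/1.1" 404 153 "-" "python-requests/2.22"
198.51.100.7 - - [21/Nov/2019:09:15:00 +0000] "GET /blog/2019/11/iran.html HTTP/1.1" 200 8831 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Nov/2019:09:15:01 +0000] "GET /static/site.css HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumption: the operator decides which networks are treated as one unit when blocking.
# 3.128.0.0/9 is the range named in the comment; 198.51.100.0/24 is a documentation range.
ATTRIBUTION_NETS = {
    "cloud-provider-example": ipaddress.ip_network("3.128.0.0/9"),
    "documentation-net": ipaddress.ip_network("198.51.100.0/24"),
}


def parse_line(line):
    """Split one combined-format line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["path"] = entry["path"].split("?", 1)[0]  # drop the query string
    return entry


def is_php_probe(entry):
    """On a host that serves no PHP at all, any request for a .php resource is a scanner probe."""
    return ".php" in entry["path"].lower()


def scan_log(text, threshold=1):
    """Count PHP probes per source address; keep sources at or above `threshold`."""
    hits = Counter()
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None and is_php_probe(entry):
            hits[entry["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


def attribute(ip):
    """Return (label, network) for the operator-listed network containing ip, else the /32."""
    addr = ipaddress.ip_address(ip)
    for label, net in ATTRIBUTION_NETS.items():
        if addr in net:
            return label, str(net)
    return "unlisted", f"{addr}/32"


def block_decisions(text, threshold=1):
    """For every probing source, decide which prefix the firewall should drop."""
    decisions = {}
    for ip, count in scan_log(text, threshold).items():
        label, net = attribute(ip)
        decisions[ip] = {"probes": count, "label": label, "block": net}
    return decisions


if __name__ == "__main__":
    for ip, d in sorted(block_decisions(SAMPLE_LOG).items()):
        print(f"{ip:16} {d['probes']:3d} probe(s)  {d['label']:24} drop {d['block']}")
```

Two points a practitioner should keep in mind when running something like this for real. First, these entries come from completed HTTP requests, so the logged source at least received the handshake reply; what the script cannot tell you is whether that host is the attacker or a relay, which is the disagreement running through this thread. Second, widening the drop from a /32 to a whole provider prefix is a policy decision with collateral damage (every other customer in that range), so the prefix table and the threshold belong under change control, not in the detection code.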

Clive Robinson • November 21, 2019 7:31 PM

@ Impossibly Stupid,

Uh, how do you not?

Very easily.

By definition a defense is something you do to protect yourself.

You have no control over what Russia does in the way of connecting or not connecting to the Internet. Likewise you have no control over what attackers do in response to what Russia does.

So tell me,

    How do you see it as a defense?

That aside, what Russia is doing is for a small group within Russia and it's all about "politics" from their point of view, as it is with most countries' governments. So like it or not politics is intruding like the proverbial camel's nose.

In the main you and I agree on what we as individuals have to do to protect ourselves. In my case I've chosen "Splendid isolation over participation" for my personal network, whilst you have chosen to still participate at some level.

This is most likely because we have different risk/reward metrics. What I do privately on my personal network does not require communications at any significant level and most certainly not interactively. Thus "energy gapping" with a securely controlled method of crossing is all I personally need to do.

However professionally, with other networks I don't own, the situation is different: the risk/reward metric is skewed towards some limited connectivity by those that do. However those who own the networks have some notion that near full connectivity for everyone is some kind of business enabler or panacea (it's not, nor is it ever likely to be).

Whilst it's fairly routine to protect against the 9 out of 10 attackers that are at what we used to once call the "script kiddy" level, there are others.

As I've pointed out in the past the "What smells like a duck..." notion can lead us astray. That is, what looks like a "brain dead script kiddy" attack may be something entirely different. A case in point is when an attacker is using it to enumerate your network. Some years ago now there was the "Honeynet Project", a part of which was to set up virtual hosts on a single machine to act as a combined sacrificial goat and tar pit. The aim being to catch new zero-day attacks so they could be analyzed etc.

Well new zero-days are valuable, so as an attacker the last place you would want to use one would be on a Honeynet virtual host. Thus as an attacker you would want to identify a honeynet so you could avoid them; the question arising would be "How?". Well the thing about a virtual host is it shares hardware with other virtual hosts. As such, hardware would have a common clock, and even if the times were set differently on each virtual host they would all "drift in sync". Hosts on individual hardware having different hardware clocks would drift at different rates.

As an attacker you can use quite a few script kiddy attacks in what appears to be a brain dead fashion, but is in reality a way that will reveal the host hardware clock drift. Thus as a defender you have no idea on examining your log files what the attacker is actually doing, just what you think they are most likely doing via Occam's Razor, which is being a brain dead script kiddy. Rather than what is really going on, which is enumerating your network to see if it is a honeynet or not.
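The clock-drift enumeration Clive describes in the comment above is measurable from TCP timestamp options: each peer's timestamp counter advances at a slightly different rate relative to the observer's clock, and the slope of peer timestamp against local receive time gives that peer's skew (the technique published by Kohno, Broido and Claffy in 2005). The script below is an added example, not code from the commenter or from this blog. It runs on constructed observation series rather than captured packets, assumes a 1000 Hz timestamp tick rate, and shows that two virtual hosts on one physical clock (same skew, different offsets) group together while separately clocked hosts do not.

```python
HZ = 1000  # assumed TCP timestamp tick rate of the peers (1 ms per tick)


def synth_samples(skew_ppm, offset_s, n=60, step_s=60.0, hz=HZ):
    """Constructed observation series: (our_receive_time_s, peer_tcp_timestamp_ticks).

    The peer's counter runs (1 + skew_ppm * 1e-6) times as fast as our clock and starts
    from an arbitrary offset; a small deterministic +-2 tick jitter stands in for network delay.
    """
    samples = []
    for i in range(n):
        t = i * step_s
        peer_ticks = (t * (1.0 + skew_ppm * 1e-6) + offset_s) * hz
        jitter = ((i * 7919) % 5) - 2
        samples.append((t, int(round(peer_ticks + jitter))))
    return samples


def estimate_skew_ppm(samples, hz=HZ):
    """Least-squares slope of peer clock (ticks / hz) against our clock, minus 1, in ppm."""
    n = len(samples)
    xs = [t for t, _ in samples]
    ys = [ticks / hz for _, ticks in samples]
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    return (sxy / sxx - 1.0) * 1e6


def group_by_skew(skews, tol_ppm=2.0):
    """Single-linkage grouping: hosts whose skews lie within tol_ppm of a neighbour share a group.

    Hosts that land in one group are candidates for sharing a physical clock, i.e. being
    virtual machines on the same hardware.
    """
    groups = []
    for host, skew in sorted(skews.items(), key=lambda kv: kv[1]):
        if groups and abs(skew - groups[-1][-1][1]) <= tol_ppm:
            groups[-1].append((host, skew))
        else:
            groups.append([(host, skew)])
    return [[host for host, _ in g] for g in groups]


# Constructed hosts: vm-a and vm-b share one physical clock; bare-c and bare-d do not.
HOSTS = {
    "vm-a": synth_samples(43.0, 1_000.0),
    "vm-b": synth_samples(43.0, 987_654.3217),
    "bare-c": synth_samples(-17.0, 50_000.0),
    "bare-d": synth_samples(120.0, 3.5),
}


def host_skews(hosts=HOSTS):
    """Estimate the skew of every host in `hosts`."""
    return {name: estimate_skew_ppm(samples) for name, samples in hosts.items()}


if __name__ == "__main__":
    skews = host_skews()
    for name, s in skews.items():
        print(f"{name:8} skew {s:+8.2f} ppm")
    print("shared-clock candidates:", [g for g in group_by_skew(skews) if len(g) > 1])
```

In practice the x values come from your capture timestamps and the y values from the TSval field of each peer's TCP segments, and the "script kiddy" traffic Clive mentions is what supplies enough segments over enough time for the slope to settle. The defensive corollary is the one in the comment: identical skews across your sensor addresses are themselves a fingerprint, and per-guest timestamp randomisation or disabling TCP timestamps on the honeynet removes it.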

SpaceLifeForm • November 21, 2019 8:32 PM

@ Impossibly Stupid

Consider: I'm a very large backbone network, with lots of routers. Lots. And lots of servers hanging off the side of those routers. Lots.

I can *originate* all kinds of sessions.

I can control the routing, via BGP and physical network.

You are the server. I am the commander.

Why do you believe that I can not control those tcp sessions?

Why would you believe that I can not forge the source ip address, and because I can control the route, still want to believe the socket actually reflects reality?

I can make your socket end look like my socket end came from *ANYWHERE*.

Abdjin • November 22, 2019 11:50 AM

It's easy for Wired to wring its hands about how bad things are in Iran and other "authoritarian" countries, but the truth is that the US government would love to have this power. Remember Obama's push for a kill-switch in 2011? The only reason they didn't get it is because US corporations don't want their infrastructure to be designated as "critical," because then they have to spend a lot of money in compliance.

https://www.cnet.com/news/internet-kill-switch-bill-will-return/

Nationwide protests are certainly a national security emergency. And Wired (and the ACLU, and everybody else) wouldn't be so moralistic in their criticism if Internet-organized protests were turning violent and causing threats or damage to their own businesses or personal safety.

We do need to decentralize the web. But let's not delude ourselves about "freedom" in the US, what with all the deplatforming and corporate censorship going on. It doesn't matter that it's not the government that's doing it, when we basically live in a digital Company Town.

Lampedo • November 22, 2019 1:35 PM

Internetz ? With modern computer methods, packet data over radio, etc., it is clear, that in principle, we don’t need no stinking internetz.

Clive Robinson • November 22, 2019 3:12 PM

@ Lampedo,

... packet data over radio, etc., it is clear, that in principle, we don’t need no stinking internetz.

Whilst you can send data over the radio, one of the reasons the radio spectrum is getting auctioned off at very high prices by government treasuries is that the radio spectrum has limited bandwidth.

Thus the way to carry all the data that people want to consume is to severely limit the range of the transmissions. It's why the "cellular network" is called what it is.

Obviously the more data people want, the higher the frequency of the radio channel, and the smaller the cell size. Which is why there is so much of a rumpus with regard to 5G and talks of using millimetric wavelengths that have trouble getting through windows let alone walls.

One proposal is to put nano cells on street lights, thus the cell size is in yards.

Impossibly Stupid • November 22, 2019 4:32 PM

@Clive Robinson

By definition a defense is something you do to protect your self.

No, it isn't. Perhaps your British definition of the word is as wacky as the spelling? A defense need not be active or personalized. A banking website's encryption is a defense against my account being hacked. A distant levee may be a defense against my land being flooded. The airbag in my car is a defense against injury in an accident. There are countless ways I am defended that are not the result of any action on my part.

You have no control over what Russia does in the way of connecting or not connecting to the Internet. Likewise you have no control over what attackers do in response to what Russia does.

Immaterial. I have no control over mountains or oceans, but they are still barriers that defend me from potential attackers. I have no control over armies or navies, but some of them protect my rights just as certainly as others seek to take them away. Please think more deeply about the matter.

So like it or not politics is intruding like the proverbial camels nose.

It's not an issue of love or hate. As I said, I simply do not care about those things. The actions I take against abuse do not rely on the abuser cooperating with me or even acting in their own best interest. Until the day comes when Russia (or Iran or any other foreign network) actually provides me something of value online, their connectivity or lack of connectivity is no concern of mine. As it stands, they are the source of attacks, and thus a net negative, and thus it is to my advantage if they self-select to withdraw from the open Internet.

@SpaceLifeForm

Consider: I'm a very large backbone network

But you are not. I'm pretty sure 100% of the attacks I have coming in are not operating at that high a level of compromise. I just don't do anything that would draw enough attention to put resources in motion that result in rerouting major portions of the Internet to come after me. Save those fanciful notions for Bruce's next movie plot contest.

Why do you believe that I can not control those tcp sessions?

Because your exposure in doing so would be too great for the rewards. Like I said, I see things like scans for PHP exploits. I see things like scans for Raspberry Pi's connected to the Internet that are still using the default account password. Even if I were vulnerable to such attacks, all you'd end up getting ahold of is a basic server that is a cookie cutter copy of just about what every cloud provider is offering.

Why would you believe that I can not forge the source ip address, and because I can control the route, still want to believe the socket actually reflects reality?

I'll believe it when I see it. At this point, I have no evidence that the routing of any random host like mine is being manipulated. When it has happened, it's been on the scale of targeting the Google's of the world, not just to make it look like a common dictionary attack on a low-end host falsely came from China (or wherever).

I can make your socket end look like my socket end came from *ANYWHERE*.

No, you can't. Prove me wrong. Let me know which log file to look at.

SpaceLifeForm • November 22, 2019 6:02 PM

@Impossibly Stupid

"I'll believe it when I see it"

You will not see it.

There will be no evidence in your server logs.

There will be no smoking gun.

None. Sorry. But such is life in the world of ip.

Weather • November 22, 2019 6:53 PM

@Impossibly Stupid

You can change SRC, DST IP, port numbers, new CRC checksums etc., you can go into DNS; if your server's running a DNS, I can reply quicker than the root servers; if you change your WAN by one, and set it in promiscuous mode, you can be sent a lot of their stuff if it isn't a /32.
It doesn't need to be targeted; 6.6.6.6 can point anywhere after it's come through my network, you only know that I said I can find 6.6.6.6

Clive RobinsonNovember 22, 2019 10:00 PM

@ Impossibly Stupid,

A banking website's encryption is a defense against my account being hacked.

Curious you would try to use that as an argument.

It's not your "account" the bank is protecting but "to a very limited extent all the bank's accounts, to protect its legal reputation thus liability". That is, the bank cares not a "flying fig" for your bank account contents, just how it can blame you / externalise its risk to avoid any liability, thus "it's the bank's defense" not yours. That has been obvious for so long now, which is why most "insurers of last resort" offer limited protections against bank defaults.

Oh, with regards

Perhaps your British definition of the word is as wacky as the spelling?

Defence is the British spelling according to Merriam-Webster, and defense is the US spelling according to Collins, and this Web Site is in the US... Defense/defence is a noun that is used as a "possessive noun", that is "His defense", "She was in defense", "The team defense". That is, it is something that belongs to someone or something that is "mounting a defense against an adversary". By your description Russia is your adversary not your ally, therefore any advantage their behaviour might afford you is not under your control, therefore it's not in your possession, so by definition "it's not your defense", because "it's your adversary Russia's defense".

randomiranianNovember 23, 2019 12:26 PM

@Impossibly Stupid

All I ever see coming from them (and about 50 other countries, including Iran) on my servers is wave after wave of attack. My life would get easier if they completely cut themselves off.

Except it wouldn't. Worst attacks are state-backed and will continue. The government will only lockout mostly benign internet users.

Impossibly StupidNovember 23, 2019 1:24 PM

@SpaceLifeForm

You will not see it.

There will be no evidence in your server logs.

There will be no smoking gun.

Oh, please! Halloween was 3 weeks ago. More to the point, this is a security blog; save your paranoid fearmongering for some corner of the Internet where people are less aware of how the Internet actually works in reality. If you can't negotiate a connection with my sshd server (or whatever) to the stage where it will log your attempt, you're not a significant threat beyond maybe a DoS attack.

@Weather

You can change . . .

Followed by more spooooooky nonsense like SpaceLifeForm was pushing. Like I said, the day-to-day reality of online abuse does not rise to the worst-case-scenario level that you're beating the drum for. Yeah, the Internet was designed and implemented with just a liiiiiiitle too much inherent trust, but it still takes more resources to exploit those flaws than is warranted for anything other than a high-value target.

It doesn't need to be targeted; 6.6.6.6 can point anywhere after it's come through my network. You only know that I said I can find 6.6.6.6.

You, too, must put your money where your mouth is. Tell me which log I should be looking at to see your traffic from 6.6.6.6. No more campfire stories trying to scare the clueless children like SpaceLifeForm is doing. And, seriously, hats off to you if you intentionally chose to spoof a DoD network block.

@Clive Robinson

Curious you would try to use that as an argument.

Which is why I encouraged you to think about things more rather than rushing to post a reply.

thus "it's the banks defense" not yours

I never claimed it was mine. It is a defense and, like hostile networks disconnecting from the open Internet, I recognize it is useful to me in keeping myself secure. As I said, the world is full of such ready defenses; I wonder what keeps you from seeing them, especially when you say that you yourself choose to stay substantially disconnected as a means of protection.

Defense/defence is a noun that is used as a "possessive noun"

It certainly can be used that way, but I never did. I also provided you with many examples of defensive measures that aren't possessed by anybody.

By your description Russia is your adversary not your ally, therefore any advantage their behaviour might afford you is not under your control, therefore it's not in your possession, so by definition "it's not your defense", because "it's your adversary Russia's defense".

It's mutual. That's why I said it would be good manners to implement a reciprocal firewall for China or any other nation that doesn't want an open Internet. I frankly don't understand why you continue to belabor the point; just admit your narrow view of what a defense can be is wrong and get on with your life, secure in the knowledge that you can now be more secure because your thinking about defensive measures has radically expanded.

WeatherNovember 23, 2019 1:54 PM

@Impossible stupid
If I'm in the same netmask as you, say a basic setup, a home user connected to broadband, I'm signed up to the same provider, I can change my router to a static IP, yours, set it to forward it to the LAN side, then a computer on the LAN can be set to promiscuous mode; it drops packets, not rejects them.
I now see your traffic and can get SRC, DST port with syn/ack numbers. I can beat who you are talking to, thus I can close a connection, inject MITM in general with TCP; with DNS, since I replied first, I just needed to know what a sniffer showed. I can use raw sockets to point you over to England, but then I do a loopback send to your and my IP, so your syn/acks get out of order from the real replies.

Logs to look forward: msec delay between replies in tshark instead of secs, a lot of you dropping packets with out of order, but DNS will only have one.

This can all be automatic.
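Taking the one concrete detection hint in the comment above ("DNS will only have one" reply, and the tell is millisecond spacing between two replies), here is what that check looks like on the defender's side. This is added example code, not from the thread or any commenter: it groups captured DNS replies by client, transaction ID and query name, and flags any transaction that received a second reply with a different answer or source. The `DnsReply` record layout and the sample capture are constructed; a real deployment would feed it from tshark or a resolver log.

```python
"""Flag DNS transactions that received more than one (disagreeing) reply.

A resolver sends one query per transaction ID and should get exactly one
reply. A second reply for the same (client, txid, qname) carrying a
different answer or a different source is the signature of two parties
racing to answer the same query. Added example; record format and
sample data are constructed, not taken from the thread.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsReply:
    ts_ms: int      # capture timestamp in milliseconds
    client: str     # address that sent the original query
    txid: int       # 16-bit DNS transaction ID
    qname: str      # queried name
    answer: str     # A record carried in the reply
    src: str        # source address of the reply packet


def find_duplicate_replies(replies):
    """Return a list of conflicts, one per extra disagreeing reply.

    Each conflict records the reply the resolver would have accepted
    (the first to arrive), the later one, and the gap between them in
    milliseconds. Identical retransmissions are ignored.
    """
    by_key = defaultdict(list)
    for r in sorted(replies, key=lambda r: r.ts_ms):
        by_key[(r.client, r.txid, r.qname)].append(r)

    conflicts = []
    for group in by_key.values():
        first = group[0]
        for later in group[1:]:
            if later.answer != first.answer or later.src != first.src:
                conflicts.append({
                    "client": first.client,
                    "qname": first.qname,
                    "txid": first.txid,
                    "first": first,
                    "later": later,
                    "gap_ms": later.ts_ms - first.ts_ms,
                })
    return conflicts


# Constructed sample capture: one normal lookup, one raced lookup where a
# reply from an unexpected source arrives 4 ms before the real one.
SAMPLE = [
    DnsReply(1000, "192.0.2.10", 0x1A2B, "example.com.", "93.184.216.34", "198.51.100.53"),
    DnsReply(2000, "192.0.2.10", 0x3C4D, "example.org.", "203.0.113.99", "203.0.113.1"),
    DnsReply(2004, "192.0.2.10", 0x3C4D, "example.org.", "203.0.113.7", "198.51.100.53"),
]


if __name__ == "__main__":
    for c in find_duplicate_replies(SAMPLE):
        print(f"{c['client']} {c['qname']} txid={c['txid']:#06x}: "
              f"accepted {c['first'].answer} from {c['first'].src}, "
              f"then {c['later'].answer} from {c['later'].src} "
              f"{c['gap_ms']} ms later")
```

The gap in milliseconds is the field worth alerting on: a legitimate retry from the configured resolver arrives seconds later and carries the same data, whereas two disagreeing replies a few milliseconds apart is exactly the pattern the comment describes.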

Clive RobinsonNovember 23, 2019 4:23 PM

@ ,

I also provided you with many examples of defensive measures that aren't possessed by anybody.

Oh dear, yet more of your assumptions; a "possessive noun" does not imply "possessed by anybody", it's more general than that.

A "defense" is not just the property of people, it's any object or entity, which is what all your examples were, if you go back and look at them.

But importantly, even when you own an object or command an entity you might not benefit from its defensive properties. The understanding of this is generally taught to those in the military when learning the lessons of command and tactics.

But it's not just me telling you why Russia's defense is not your defense, even though I mentioned it, @randomiranian has pointed it out yet again,

    Except it wouldn't. Worst attacks are state-backed and will continue. The government will only lockout mostly benign internet users.

So to quote you, why don't you admit that your,

view of what a defense can be is wrong and get on with your life

Because it's an argument you are losing slowly but inevitably. But worse, it's also a limiting factor on your ability to "think forward" or strategically, which is also made clear by what others are telling you such as @SpaceLifeForm and @Weather.

As I've mentioned before, the only thing you know on the Internet is at the point you can instrument. For home users that's generally the LAN side of the gateway device they use, which they cannot see beyond. It's why in the past I have described the "Garden Path" use of routers to help increase people's defensive capabilities.

Have a look at the conversation on this page about the NSA Traffic Shaping,

https://www.schneier.com/blog/archives/2017/07/more_on_the_nsa_2.html#c6756142

SpaceLifeFormNovember 23, 2019 4:56 PM

@Clive, @Weather

Sometimes, myms are actually pretty accurate

Notice that the Telco Industry dude vanished, after I concluded that he worked for China.

(It was actually pretty easy, BTW. No MITM required)

Impossibly StupidNovember 24, 2019 5:01 PM

@Clive Robinson

Oh dear, yet more of your assumptions

I'm not the one making assumptions or non-falsifiable claims. The onus is on you to clarify your straw man arguments. Any reader who isn't blinded by motivated reasoning can ponder the examples I've given and come to their own conclusion whether or not being distanced from an adversary on some dimension (specifically under discussion, a disconnected Internet) can serve as a mutual defense regardless of who "controls" it.

But it's not just me telling you why Russia's defense is not your defense, even though I mentioned it, @randomiranian has pointed it out yet again,

They, like you, seem to have missed the fact that I was talking about Russia being completely off the Internet. Of course it would be less useful as a defense if a nation cut off everything but state-approved attacks. But even that supports my point about establishing reciprocal firewalls. After all, what's the point of allowing any traffic from a nation that mainly connects to the Internet in order to launch cyberattacks?

Because it's an argument you are losing slowly but inevitably. But worse, it's also a limiting factor on your ability to "think forward" or strategically, which is also made clear by what others are telling you such as @SpaceLifeForm and @Weather.

Hardly. Just because a lot of anonymous commenters all parrot the same faulty line of reasoning as you doesn't give it merit. I will continue to maintain that it is reasonable for me to block hosts/networks/nations based on the IP address the traffic appears to be coming from. I will continue to maintain that nobody is using the extreme measures being described by your ilk just so that they can do yet another failed scan for WordPress exploits on my server. As I have noted, I do think forward, but I don't act on unlikely thoughts of foolish paranoia.

I'm going to keep putting IP ranges from Iran in my firewall when I see attacks from their hosts in my logs. Same goes for Russia and China and the other 50+ nations that are being a continual threat to me while providing no value in return. Nobody has demonstrated a commonplace attack vector via spoofed IP addresses, nor have you made any convincing argument why traffic should be allowed by any of the nation-states that could have been the target of such spoofing. If you actually think you've got a winning argument on your hands, I'm done with you.

SpaceLifeFormNovember 25, 2019 1:46 PM

@Clive

LOL. Thanks for the catch.

Obviously, you caught my misdirection (which is accurate).

Hope @Weather caught it too.

JeffNovember 27, 2019 3:02 PM

I see that you deleted the message in which I pointed out that iran is protecting itself from the american nazis. So I'll say it again, the internet is the biggest spying and propaganda weapon on the planet and is controlled by you american nazis.

SpaceLifeFormNovember 27, 2019 4:22 PM

@ Impossibly Stupid

"I will continue to maintain that it is reasonable for me to block hosts/networks/nations based on the IP address the traffic appears to be coming from."

'Appears to be coming from.'

Do you not see that *Appears* is the keyword?

Just keep blocking. It won't be long before your website gets no traffic.

Then you can give your ip address(es) away.

Impossibly StupidNovember 28, 2019 10:31 AM

@SpaceLifeForm

Do you not see that *Appears* is the keyword?

Do you not realize that I specifically added that word to give your argument the best possible benefit of the doubt? Even in the fantasy world where the average script kiddie could spoof IP addresses widely and with ease, there is still no rational reason to consequently allow all abusive incoming traffic.

Just keep blocking. It won't be long before your website gets no traffic.

If you think traffic from people trying to hack you is desirable, remind me to never hire you in any technical or non-technical capacity. The simple fact is I have had zero traffic of any kind coming from Iran that sought to benefit me in any way. China, also zero. Russia, go on and guess. It's not like my list of 50+ countries was chosen at random!

Look, if you're unhappy that you're in a range that has been blocked, simply give me your IP address and I can manually remove it from the firewall. It may get automatically re-added, of course, if abuse starts occurring again. The root solution in that case is for you to demand your ISP properly police their network. Anyone who sees that as too big of a burden is better off not being on the open Internet.

SpaceLifeFormNovember 28, 2019 12:45 PM

@ Impossibly Stupid

"Even in the fantasy world where the average script kiddie could spoof IP addresses widely and with ease, there is still no rational reason to consequently allow all abusive incoming traffic."

True. No reason to continue to allow attacks.

I was talking about spoofing ip addresses, in conjunction with TCP sessions.

Spoofing IP addresses, over UDP, no problem. Never going to get a reply.

Which is how DNS Reflection attacks work.

But, if your logs show attacks from a given ip address repeatedly, fine. Block it at the firewall.

But, if the TCP session can be spoofed, upstream of your server, then you can end up in an endless whack-a-mole.

And your firewall can become a bottleneck, having to check SRC ip addresses in a huge list.

"The simple fact is I have had zero traffic of any kind coming from Iran that sought to benefit me in any way. China, also zero. Russia, go on and guess."

Then, why not just block all of those netblocks? Instead of playing whack-a-mole?

"The root solution in that case is for you to demand your ISP properly police their network."

ISPs do not do anything wrt watching ip traffic. They only care about money.

They will periodically complain about peering agreements and bandwidth costs.

It is the big players, ex: Level3, where the spoofing can occur.

Look up Tier 1 networks

And realize that BGP is *NOT* secure.

Impossibly StupidDecember 1, 2019 4:33 PM

@SpaceLifeForm

But, if the TCP session can be spoofed, upstream of your server, then you can end up in an endless whack-a-mole.

That remains, as the saying goes, a big "if". So big, in fact, that even these nation-states like Iran, Russia, and China think the better solution is to block their citizens from accessing the Internet at all. The reality is not your proposed scenario, and it's an unscientific approach to act like it is.

Then, why not just block all of those netblocks? Instead of playing whack-a-mole?

Because I'm not a complete jerk. I follow evidence-based practices. It's very easy to implement an automated process to escalate blocking when necessary, so I see no reason to preemptively cut off absolutely everybody. It also leaves open the possibility that someone reputable in one of those 50+ countries does want to do business with me, thereby rebalancing the equation in favor of their fellow citizens.

ISPs do not do anything wrt to watching ip traffic. They only care about money.

I do not expect anyone to increase their surveillance (nor would I particularly want to encourage that). What I expect is that they properly act on reports of abuse due to an attack. Ideally, that would also include compensating victims for the expenses incurred. But nobody is interested in doing that because, like you said, they care more about lining their pockets. That being the case, it costs me very little to just drop their network range into my firewall. Nobody commenting here has made a strong case for doing more work than that.

And realize that BGP is *NOT* secure.

I've already acknowledged that the Internet has many fundamental security issues. That doesn't mean an unhealthy obsession with the unlikeliest attacks is anything other than paranoia. People are better served by rationally examining/addressing the vulnerabilities that are most likely to do them harm.
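The two comments above describe the same defensive practice from opposite sides: SpaceLifeForm's worry that a per-address blocklist grows into a firewall bottleneck and "whack-a-mole", and Impossibly Stupid's reply that blocking is evidence-driven and escalates automatically. The following is added example code, not from either commenter, that implements that escalation: addresses are blocked only after repeated failures in the log, and once enough blocked addresses fall in the same /24 the single netblock rule replaces them, so the list stays short. The sshd-style log lines, the thresholds and the `/24` aggregation boundary are constructed assumptions; the output is rendered as iptables commands but nothing is applied to a live firewall.

```python
"""Evidence-based, escalating blocklist built from failed-login log lines.

Added example, not from the thread. Individual offending addresses are
blocked first; when enough distinct blocked addresses share a /24, that
/24 replaces them in the list. Log lines and thresholds are constructed.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sshd-style failures: three hosts in 203.0.113.0/24, one in
# 198.51.100.0/24, and a single failure from 192.0.2.44 (below threshold).
LOG = """\
Nov 23 01:02:03 host sshd[101]: Failed password for root from 203.0.113.5 port 40001 ssh2
Nov 23 01:02:05 host sshd[102]: Failed password for invalid user pi from 203.0.113.5 port 40002 ssh2
Nov 23 01:02:07 host sshd[103]: Failed password for root from 203.0.113.5 port 40003 ssh2
Nov 23 01:03:01 host sshd[104]: Failed password for root from 203.0.113.77 port 40010 ssh2
Nov 23 01:03:02 host sshd[105]: Failed password for root from 203.0.113.77 port 40011 ssh2
Nov 23 01:03:03 host sshd[106]: Failed password for root from 203.0.113.77 port 40012 ssh2
Nov 23 01:04:01 host sshd[107]: Failed password for admin from 203.0.113.200 port 40020 ssh2
Nov 23 01:04:02 host sshd[108]: Failed password for admin from 203.0.113.200 port 40021 ssh2
Nov 23 01:04:03 host sshd[109]: Failed password for admin from 203.0.113.200 port 40022 ssh2
Nov 23 01:05:00 host sshd[110]: Failed password for root from 198.51.100.9 port 40030 ssh2
Nov 23 01:05:01 host sshd[111]: Failed password for root from 198.51.100.9 port 40031 ssh2
Nov 23 01:05:02 host sshd[112]: Failed password for root from 198.51.100.9 port 40032 ssh2
Nov 23 01:06:00 host sshd[113]: Failed password for root from 192.0.2.44 port 40040 ssh2
"""

FAILED_RE = re.compile(r"Failed password for .* from (\d+\.\d+\.\d+\.\d+) port")

PER_HOST_THRESHOLD = 3   # failures before a single address is blocked (assumed)
PER_NET_THRESHOLD = 3    # blocked addresses in one /24 before the /24 is blocked (assumed)


def count_failures(log_text):
    """Count failed-login lines per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def build_blocklist(log_text, per_host=PER_HOST_THRESHOLD, per_net=PER_NET_THRESHOLD):
    """Return a sorted list of ipaddress networks to drop.

    Hosts over the per-host threshold are candidates; if a /24 holds
    at least per_net candidates, one /24 entry replaces them all.
    """
    counts = count_failures(log_text)
    blocked_hosts = {ipaddress.ip_address(ip) for ip, n in counts.items() if n >= per_host}

    hosts_by_net = defaultdict(set)
    for h in blocked_hosts:
        hosts_by_net[ipaddress.ip_network(f"{h}/24", strict=False)].add(h)

    result = []
    for net, hosts in hosts_by_net.items():
        if len(hosts) >= per_net:
            result.append(net)   # escalate: one rule instead of many
        else:
            result.extend(ipaddress.ip_network(f"{h}/32") for h in hosts)
    return sorted(result, key=lambda n: (int(n.network_address), n.prefixlen))


def is_blocked(blocklist, ip):
    """True if ip falls inside any entry of the blocklist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist)


def render_iptables(blocklist):
    """Render DROP rules as command strings (printed only, never executed here)."""
    return [f"iptables -A INPUT -s {net} -j DROP" for net in blocklist]


if __name__ == "__main__":
    for rule in render_iptables(build_blocklist(LOG)):
        print(rule)
```

With the constructed log the result is two entries rather than four: `198.51.100.9/32` and `203.0.113.0/24`, while `192.0.2.44` is untouched because one failure is not evidence. The caveat both commenters circle around still applies: the address in an sshd log is the address that completed the TCP handshake as seen from this host's vantage point, so the list is only as reliable as the path the packets took, which is a reason to keep thresholds in place rather than block on a single line.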
