[liberationtech] Minutes before Trump left office, millions of the Pentagon's dormant IP addresses sprang to life
Yosem Companys
ycompanys at gmail.com
Sat Apr 24 19:36:49 CEST 2021
Minutes before Trump left office, millions of the Pentagon’s dormant IP
addresses sprang to life
After decades of not using a huge chunk of the Internet, the Pentagon has given
control of millions of computer addresses to a previously unknown company in an
effort to identify possible cyber vulnerabilities and threats
By Craig Timberg and Paul Sonne
Apr 24 2021
<https://www.washingtonpost.com/technology/2021/04/24/pentagon-internet-address-mystery/>
While the world was distracted with President Donald Trump leaving office on
Jan. 20, an obscure Florida company discreetly announced to the world’s computer
networks a startling development: It now was managing a huge unused swath of the
Internet that, for several decades, had been owned by the U.S. military.
What happened next was stranger still.
The company, Global Resource Systems LLC, kept adding to its zone of control.
Soon it had claimed 56 million IP addresses owned by the Pentagon. Three months
later, the total was nearly 175 million. That’s almost 6 percent of a coveted
traditional section of Internet real estate — called IPv4 — where such large
chunks are worth billions of dollars on the open market.
The entities controlling the largest swaths of the Internet generally are
telecommunications giants whose names are familiar: AT&T, China Telecom,
Verizon. But now at the top of the list was Global Resource Systems — a company
founded only in September that has no publicly reported federal contracts and no
obvious public-facing website.
As listed in records, the company’s address in Plantation, Fla., outside Fort
Lauderdale, is a shared workspace in an office building that doesn’t show Global
Resource Systems on its lobby directory. A receptionist at the shared workspace
said Friday that she could provide no information about the company and asked a
reporter to leave. The company did not respond to requests for comment.
The only announcement of Global Resource Systems’ management of Pentagon
addresses happened in the obscure world of Border Gateway Protocol (BGP) — the
messaging system that tells Internet companies how to route traffic across the
world. There, messages began to arrive telling network administrators that IP
addresses assigned to the Pentagon but long dormant could now accept traffic —
but it should be routed to Global Resource Systems.
Network administrators began speculating about perhaps the most dramatic shift
in IP address space allotment since BGP was introduced in the 1980s.
“They are now announcing more address space than anything ever in the history of
the Internet,” said Doug Madory, director of Internet analysis for Kentik, a
network monitoring company, who was among those trying to figure out what was
happening. He published a blog post on the mystery Saturday morning.
The theories were many. Did someone at the Defense Department sell off part of
the military’s vast collection of sought-after IP addresses as Trump left
office? Had the Pentagon finally acted on demands to unload the billions of
dollars worth of IP address space the military has been sitting on, largely
unused, for decades?
An answer, of sorts, came Friday.
The change is the handiwork of an elite Pentagon unit known as the Defense
Digital Service, which reports directly to the secretary of defense. The DDS
bills itself as a “SWAT team of nerds” tasked with solving emergency problems
for the department and conducting experimental work to make big technological
leaps for the military.
Created in 2015, the DDS operates a Silicon Valley-like office within the
Pentagon. It has carried out a range of special projects in recent years, from
developing a biometric app to help service members identify friendly and enemy
forces on the battlefield to ensuring the encryption of emails Pentagon staff
were exchanging about coronavirus vaccines with external parties.
Brett Goldstein, the DDS’s director, said in a statement that his unit had
authorized a “pilot effort” publicizing the IP space owned by the Pentagon.
“This pilot will assess, evaluate and prevent unauthorized use of DoD IP address
space,” Goldstein said. “Additionally, this pilot may identify potential
vulnerabilities.”
Goldstein described the project as one of the Defense Department’s “many efforts
focused on continually improving our cyber posture and defense in response to
advanced persistent threats. We are partnering throughout DoD to ensure
potential vulnerabilities are mitigated.”
The specifics of what the effort is trying to achieve remain unclear. The
Defense Department declined to answer a number of questions about the project,
and Pentagon officials declined to say why Goldstein’s unit had used a
little-known Florida company to carry out the pilot effort rather than have the
Defense Department itself “announce” the addresses through BGP messages — a far
more routine approach.
What is clear, however, is the Global Resource Systems announcements directed a
fire hose of Internet traffic toward the Defense Department addresses. Madory
said his monitoring showed the broad movements of Internet traffic began
immediately after the IP addresses were announced Jan. 20.
Madory said such large amounts of data could provide several benefits for those
in a position to collect and analyze it for threat intelligence and other
purposes.
The data may provide information about how malicious actors operate online and
could reveal exploitable weaknesses in computer systems. In addition, several
Chinese companies use network numbering systems that resemble the U.S.
military’s IP addresses in their internal systems, Madory said. By announcing
the address space through Global Resource Systems, that could cause some of that
information to be routed to systems controlled by the U.S. military.
The data could also include accidental misconfigurations that could be exploited
or fixed, Madory said.
“If you have a very large amount of traffic, and someone knows how to go through
it, you’ll find stuff,” Madory added.
[snip]