Scanning the Internet for Vulnerabilities Re: 202207272146.AYC

Abraham Y. Chen aychen at
Thu Jul 28 03:29:01 UTC 2022

Hi, John:

0) Thanks for sharing your thoughts. The IoT identification (IP address) 
versus privacy is a rather convoluted topic. It can quickly get 
distracted and diluted if we look at it by piecemeal. Allow me to go 
through an overview to convey my logic.

1) It is true that a dynamic IoT identification is harder to track down 
than a static one, thus providing some sense of privacy or security, 
theoretically. This went well with the need for dynamic practice due to 
the limited IPv4 address pool. So, this idea sank deep into most 
people's mind as inherent for the Internet.

2) It turned out that there were many ways (as you eluded to) to track 
down an IoT even with a dynamic address. There was a classical research 
paper that outlined various techniques to do so:

  To save your time, I extracted part of its conclusions as below:
  "6 Concluding Remarks ... while some commercial organizations have 
claimed that they can do it with 99% accuracy. … It’s meant for the 99 
percent of the general public who are just at home surfing. … We note 
that even if accurate IP geolocation is possible for 99% of IP 
addresses, if the remaining 1% is fixed and predictable by an adversary, 
and such that the adversary can place themselves within this subspace, 
then they can evade geolocation 100% of the time. …"

  We do not need to check its validity quantitatively, today, because 
technology has advanced a lot. However, it is probably still pretty 
accurate qualitatively, judging by how successful "targeted marketing" 
is, while how hard various perpetrators may be identified, not to 
mention physically locating one.

3) As long as the general public embrace the Internet technologists' 
promise of privacy by dynamic addressing, however, the LE (Law 
Enforcement) agencies have the excuse for exercising mass surveillance 
that scoops up everything possible from the Internet for offline 
analysis. Big businesses have been doing the same under the same cover. 
So, most people end up without privacy anyway. (Remember the news that 
German Chancellor's phone call was somehow picked up by the NSA of US? 
For anyone with a little imagination, it was a clear hint for the tip of 
an iceberg.).

4) Static communication terminal (IoT) identification practice will 
remove a significant number of entities (the 99%) from LE's monitor 
operation, enabling them to focus on the 1% as well as requiring them to 
submit justification for court order before doing so. The last part has 
disappeared under the Internet environment. See URL below for an 
example. The static IP address practice will simplify the whole game. 
That is, the LEs can do their job easier, while the general public will 
get the legally protected privacy back.


Abe (2022-07-27 23:28 EDT)

On 2022-07-24 13:57, John Curran wrote:
>> On 24 Jul 2022, at 10:20 AM, Abraham Y. Chen<aychen at>  wrote:
>> Hi, John:
>> 1) "...  dynamically assigned IP address space can still be tracked back to a given system ... ": I fully agree with this statement. However,
>>     A. You overlooked the critical consideration of the response time. If this can not be done in real time for law enforcement purposes, it is meaningless.
> Abe -
> That’s correct - but that does not require having static addresses to accomplish (as you postulated earlier),
> rather it just requires having appropriately functioning logging apparatus.
>>     B. Also, the goal is to spot the specific perpetrator, not the "system" which is too general to be meaningful. In fact, this would penalize the innocent users who happen to be on the same implied "system".
> Yes, it is quite obvious that a degree of care is necessary.
>>     C. In addition, for your “whack-a-mole” metaphor, the party in charge is the mole, not the party with the mallet. It is a losing game for the mallet right from the beginning.
> As with all enforcement, it is a question on changing to breakeven point calculation on incentives & risks
> for the would be perpetrators, and presently there’s almost nearly no risk involved.
>>     So, the current Internet practices put us way behind the starting line even before the game. Overall, this environment is favored by multi-national businesses with perpetrators riding along in the background. When security is breached, there are more than enough excuses to point the finger to. No wonder the outcome has always been disappointing for the general public.
> Indeed.
>> 2) What we need to do is to reverse the roles in every one of the above situations, if we hope for any meaningful result, at all. The starting point is to review the root differences between the Internet and the traditional communication systems. With near half a century of the Internet experience, we should be ready to study each issue from its source, not by perpetuating its misleading manifestations.
> That’s one possible approach, although before becoming too enamored with it, it is probably worth remembering]
> that the “traditional communication systems” have also suffered from similar exploits occasion (they’ve been fewer
> in number, but then again, the number of connected devices was also several orders of magnitude smaller.)
> Thanks,
> /John
> Disclaimer:  my views alone – use caution - contents may be hot!
>> ...
>> On 2022-07-24 07:27, John Curran wrote:
>>> Abe -
>>> Static versus dynamic address assignment isn’t the problem - dynamically assigned IP address space can
>>> still be tracked back to a given system (reference: RFC6302/BCP162 & RFC6269 for discussion of the
>>> requirements and various related issues.)
>>> Tracking back to a particular server doesn’t really matter if all that happens is that the service is terminated
>>> (as the culprit will simply appear elsewhere in the Internet with a new connection/server and start over.)
>>> Alas, the situation doesn’t change unless/until there’s a willingness to engage law enforcement and pursue
>>> the attackers to prevent recurrence.  This is non-trivial, both because of the skills necessary, the volume of
>>> attacks, the various jurisdictions involved, etc. – but the greatest obstacle is simply the attitude of “Why bother,
>>> that’s just the way it is…”
>>> With zero effective back pressure, we shouldn’t be surprised as frequency of attempts grows without bound.
>>> Thanks,
>>> /John
>>> Disclaimers: my views alone – no one else would claim them.  Feel free to use/reuse/discard as you see fit.

This email has been checked for viruses by Avast antivirus software.

More information about the NANOG mailing list