Detecting on IP taps

  1. #1
    Junior Member
    Join Date
    Jan 2002
    Posts
    3

    Detecting on IP taps

    IP TAP: There is a private IP (wire tap) that appeared recently in the connection BETWEEN my computer/hub and my ISP's DNS servers. The IP is 10.zzz.zzz.zzz. It had never been there and I know it does not belong there. This is called an IP TAP.

    Normally my trace from home goes...
    xxx.xxx.xxx.xxx Hosting Service Name
    yyy.yyy.yyy.yyy Hosting Service Name

    Now it goes....
    xxx.xxx.xxx.xxx Hosting Service Name
    10.zzz.zzz.zzz (private use)
    yyy.yyy.yyy.yyy Hosting Service Name

    That PRIVATE USE label IP does not belong there; it is a PASS THROUGH SERVER also called a "Black Box" by most. My firewall is quite secure, and I sweep daily for any form of "spyware" or virus that may be on my computer; this IP TAP is a threat to our First & Fourth Amendment Rights.

    The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:

    10.0.0.0 - 10.255.255.255 (10/8 prefix)
    172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
    192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

    We will refer to the first block as "24-bit block", the second as "20-bit block", and to the third as "16-bit" block. Note that (in pre-CIDR notation) the first block is nothing but a single class A network number, while the second block is a set of 16 contiguous class B network numbers, and third block is a set of 256 contiguous class C network numbers.

    Anyone that decides to use any IP addresses out of the address space defined above "can do so without any coordination with IANA or an Internet registry". The address space can thus be used by many enterprises and law enforcement agencies. Addresses within this private address space will only be unique within the enterprise, or the set of enterprises which choose to cooperate over this space so they may communicate with each other in their own private internet. This allows the law enforcement agency that created the IP TAP to scan the data stream for keywords or IP addresses and access that data from remote or centralized locations.

    ANY IP NUMBER FROM THE SEGMENTS LISTED ABOVE IS TO BE CONSIDERED COMPLETELY SUSPECT unless you actually know what the numeric IP address you are accessing or originating from/thru is a private one and should be listed that way.

    HOW DO YOU DETECT SUCH TAPS?
    What you do is simply get a program like the VisualRoute Trace program from visualware (at http://www.visualware.com/visualroute/index.html), then you learn what is normal between you and your DNS servers. If one of the groupings above shows, then you have been tapped, whether legally or illegally. Once it appears, whatever you have been sending and receiving has already been recorded from the instant it became active.

    =====
    If this is in the wrong forum, please move it to where it needs to be in order to be seen; this is my first post on this site as I normally prefer to remain silent. AW
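    Added example (not from any poster in this thread): the "learn what is normal, then watch for a private hop" routine from the post above, done with a script rather than by eye. Two things the script makes explicit that the post does not: your own LAN gateway (192.168.x.x on most home setups) is a private hop that is always there and is not news, so only hops that are both private and absent from the saved baseline get flagged; and a hop that appears in traceroute at all is a router that decremented your packet's TTL and answered, which is exactly what a passive mirror-port capture box never does. The two trace outputs are constructed (RFC 5737 documentation addresses stand in for the ISP; 10.228.200.1 is the address reported later in the thread), one in Unix traceroute format and one in Windows tracert format so the parser is shown handling both.

```python
"""Baseline a traceroute and flag hops that are both new and in private space.

Added example, not a tool from the thread. BASELINE and TODAY are constructed
sample outputs; no real path is shown."""
import ipaddress
import re

# RFC 1918 blocks quoted in the post, plus RFC 6598 shared address space, which
# ISPs also use on internal hops (assumption: you want it flagged the same way).
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# A hop line starts with the hop number; headers ("traceroute to ...",
# "Tracing route to ...") do not. The first dotted quad on the line is the hop.
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_traceroute(text):
    """Return [(hop_number, address_or_None), ...] in path order.

    Works for Unix ' 2  host (198.51.100.1)  9 ms' and Windows
    '  2     9 ms     9 ms     9 ms  198.51.100.1'; '* * *' and
    'Request timed out.' hops yield None."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        ip = IP_RE.search(m.group(2))
        hops.append((int(m.group(1)), ip.group(1) if ip else None))
    return hops

def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_BLOCKS)

def report(baseline_text, current_text):
    """Compare today's path against the saved baseline.

    'private': every private hop today (your own gateway lands here too);
    'new': addresses that were not in the baseline at all;
    'new_private': the intersection, the only hops worth asking the ISP about."""
    known = {a for _, a in parse_traceroute(baseline_text) if a}
    current = parse_traceroute(current_text)
    private = [(n, a) for n, a in current if a and is_private(a)]
    new = [(n, a) for n, a in current if a and a not in known]
    return {"private": private, "new": new,
            "new_private": [h for h in private if h in new]}

# Constructed sample: the path as it looked when it was baselined (Unix format) ...
BASELINE = """traceroute to 203.0.113.53 (203.0.113.53), 30 hops max, 60 byte packets
 1  gateway (192.168.1.1)  0.6 ms  0.5 ms  0.5 ms
 2  198.51.100.1  9.2 ms  9.0 ms  9.1 ms
 3  203.0.113.53  12.1 ms  12.0 ms  12.3 ms
"""
# ... and today, with an extra 10/8 hop and a silent hop (Windows tracert format).
TODAY = """Tracing route to 203.0.113.53 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     9 ms     9 ms     9 ms  198.51.100.1
  3    10 ms    10 ms    10 ms  10.228.200.1
  4     *        *        *     Request timed out.
  5    13 ms    13 ms    13 ms  203.0.113.53
"""

if __name__ == "__main__":
    print(report(BASELINE, TODAY))
```

Save the output of a normal day's trace as the baseline once, then run the comparison whenever the path looks odd; a `new_private` hit tells you the ISP changed something internally, not what it is.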

  2. #2
    Jaded Network Admin nebulus200
    Join Date
    Jun 2002
    Posts
    1,356
    Interesting post; however, something bothers me about this. It is NOT necessary to place a box that routes between two segments in order to tap the segment, and it strikes me as kind of odd that something that is meant to observe and trace would be so blatantly placed in the open. The easiest thing to do would be to have a machine with two NICs, one with a private address (or no address if the OS lets you), one with a real address. You set the switch between the two segments to mirror all ports to the one that the NIC with address is assigned and you in effect have a passive tap that is, unless you have access to some device doing the routing on either side (to detect the MAC of the passive device), undetectable.

    I would think that the FBI would at least be savvy enough to do this...

    What are the chances that instead your ISP added another internal router? It is perfectly legal to have things inside your AS with reserved IP addresses and perfectly legal to have your entire network routed with reserved addresses. What is illegal is to advertise those networks out to the rest of the world. So long as you have a device capable of NAT at your internet connection, you can do whatever you want inside your network... even illegal NAT (where you take a reserved IP range, say Microsoft's, and use it on the inside but NAT it on the outside to a legitimate one...)

    Dunno, seems to me like there are other possibilities...

    Neb
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  3. #3
    Banned
    Join Date
    Jun 2002
    Posts
    458
    Perhaps this is the first implementation of project echelon. Perhaps now the internet as we know it is coming to an end, I doubt, but who knows? And I heard that the privately reserved IP addresses wouldn't work if they were connected to the internet, or that they wouldn't work correctly, because of their IP addresses. Cool post though, thanks for the info.

  4. #4
    Jaded Network Admin nebulus200
    Join Date
    Jun 2002
    Posts
    1,356
    oops, serious typo: mirror all ports to the one that the NIC with address -->
    mirror all ports to the one NIC that has NO address

    Normally wouldn't post about a typo, but that was a pretty critical point...

  5. #5
    Banned
    Join Date
    Jun 2002
    Posts
    458
    And also, I prefer NeoTrace. It is nice, gets the job done and works in conjunction with the other programs like the neo-something firewall to offer more complete protection and detection. It does cost money though, so there is a downside.

  6. #6
    AntiOnline Senior Member souleman
    Join Date
    Oct 2001
    Location
    Flint, MI
    Posts
    2,884
    Ummm, where did you get this information from? You can PM me if you want, I am just trying to figure this out. A 10.# is non-routable, so it shouldn't work, unless you dial into that box. It may also be a box inside your isp that is used as a router for firewall purposes. You will get a "private use" message every time you hit a reserved ip addy (10.x, etc.) When I do a traceroute from this machine, I get a private address before I even get to my router because of some goofy crap the last guy here was testing.

    A pass through server is just a machine that sends on information. Much like a proxy server.

    A "black box" is normally set up in promiscuous mode, so you will not see it on a traceroute. It works like a keystroke logger, pulling anything from your connection, but you can't see it. If you are on a modem, then to find a "black box" you look for something installed in your demarc, or you hack the phone company and see what they have set up. On a broadband connection, you can only tell if you can detect a box in promiscuous mode, and see what it is grabbing.

    I am not saying you are wrong, I am just trying to figure this out....
    "Ignorance is bliss....
    but only for your enemy"
    -- souleman

  7. #7
    Junior Member
    Join Date
    Jan 2002
    Posts
    3
    I should have pointed out that I had done a fair bit of homework on this before I posted; I just narrowed down what I had learned so far to the basis - my error, I should have given you everything.

    This "unit" is placed on the IN side of the broadband server, not on the OUT (post-server) side; this allows access to the exact IP address everything originates from without having to strip away any additional server-generated addresses. It is quite an idea; but it had to be assigned some IP address so it could be accessed and to allow data to pass through oblivious to its interception, as if it was just another server on the route. I'll even give you the IP address of the thing... 10.228.200.1. I have it well memorized. So far I have not been able to get it to respond to ID requests or anything, so let me know if you do. AW

  8. #8
    Jaded Network Admin nebulus200
    Join Date
    Jun 2002
    Posts
    1,356
    I am having a hard time following what you are saying. I know for a fact that, so long as it is in your ISP's internal network, that they can use any IP addresses they want, including the private ones, and any combination thereof (however, using addresses assigned to someone else will give you major headaches if you ever need to connect to them...).

    I do remember that way back when, Windows 95 in combo with certain drivers would freak out over private addresses, but I haven't seen anything like that in years and can say that routers (for example Cisco) do not care if the address is private or not; if they have a route for it, they route it (unless an access-list instructs them not to), ditto with firewalls, ditto with normal machines. It is very, very common nowadays for a company to have their entire network devoted to private network address space that is not translated until it leaves the company network (or ISP).

    For all I know you could be 100% correct in that it is a TAP; however, the only thing I was trying to say is that there are other possibilities. I know when we have tested equipment (or programs, etc, and we needed a quicky test LAN/segment) on our WAN/LAN we have inserted devices in the middle of two routable IP addresses that had private addresses on either side and suffered 0 side effects...had nothing to do with snooping on anyone...

    Have you tried to telnet/http/ftp to the device? It might at least tell you nicely what it is (of course, then again it might not).

    Neb
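    Added example (not from any poster in this thread): the "telnet/http/ftp to it and see what it says" suggestion above as a small banner grabber. A hop that ignores ICMP and identification probes will often still greet a TCP connection on a management port; FTP, SSH, SMTP and Telnet talk first, HTTP only answers a request, so the probe table sends a `HEAD` for port 80 and nothing elsewhere. Everything here is an assumption about what the device might run; the thread only reports that it did not answer ID requests. To keep the block runnable offline, `selftest()` starts a throwaway listener on 127.0.0.1 that greets like an FTP server and probes that plus a closed port; pointing `identify()` at a real hop such as 10.228.200.1 is the obvious usage.

```python
"""Grab first-line banners from a few common service ports on an unknown hop.

Added example, not a tool from the thread. PROBES and the fake FTP greeting
are assumptions made for illustration."""
import socket
import socketserver
import threading

# Port -> bytes to send before reading. Services that speak first get b"".
PROBES = {21: b"", 22: b"", 23: b"", 25: b"", 80: b"HEAD / HTTP/1.0\r\n\r\n"}

def grab_banner(host, port, probe=b"", timeout=2.0):
    """Return the first line the service sends, or None on refusal/timeout/silence."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if probe:
                s.sendall(probe)
            data = s.recv(256)
    except OSError:          # refused, unreachable, or timed out
        return None
    return data.split(b"\r\n", 1)[0].decode("latin-1", "replace") or None

def identify(host, ports=PROBES, timeout=2.0):
    """Map each probed port to its banner (None where nothing answered)."""
    return {p: grab_banner(host, p, ports[p], timeout) for p in ports}

class _FakeFtp(socketserver.BaseRequestHandler):
    """Throwaway listener for the offline self-test: greets like an FTP daemon."""
    def handle(self):
        self.request.sendall(b"220 edge-router-7 FTP server ready\r\n")

def selftest():
    """Run identify() against the local fake listener and a closed port."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _FakeFtp)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        # Constructed target list: the fake FTP port and port 1, which nothing
        # listens on, so one entry comes back as a banner and one as None.
        return identify("127.0.0.1", {port: b"", 1: b""}, timeout=1.0)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(selftest())
```

A banner is a hint, not an identification: an ISP edge router that says nothing on all five ports is indistinguishable from a box that was told to say nothing, so read this together with the traceroute baseline rather than on its own.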

  9. #9
    Jaded Network Admin nebulus200
    Join Date
    Jun 2002
    Posts
    1,356
    If the setup that I previously mentioned was used, with a box that has two NICs, it would be possible to monitor anything that goes across the wire by attaching to the segment before any proxy servers/firewalls. By having the traffic passively mirrored to the addressless interface of the NIC that is in promiscuous mode, it is not necessary to sit in the middle of the segment and pass traffic (try it and you will see). It would then be possible to monitor the traffic going by from the other IP address, unbeknownst to everyone else...


    With a setup like this, I can take a binary dump of all traffic that passed by in a given time frame and entirely reconstruct every session that went by (assuming it was unencrypted), including files, usernames, passwords, emails, etc.

    neb
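    Added example (not from any poster in this thread): what "take a binary dump and reconstruct every session" in the post above looks like in code, so it is clear how little a mirror-port box needs to do. The capture is constructed in memory as a libpcap file: one FTP login between two RFC 5737 documentation addresses, deliberately written with the PASS segment ahead of the USER segment and one retransmitted segment, the way frames off a SPAN port can arrive. Reassembly keys on the 4-tuple, orders each direction by TCP sequence number and drops duplicates; the credential scan then only has to read lines. Wireshark's "Follow TCP Stream" and tcpflow do the same job on real captures; the point is that nothing in the capture path ever answers a packet, which is why a traceroute cannot show it.

```python
"""Reassemble TCP streams from a pcap and pull cleartext credentials out of them.

Added example, not the poster's tool. SAMPLE_PCAP is constructed below;
checksums are left zero because nothing here is ever put on a wire."""
import struct
from collections import defaultdict

def _ipv4_tcp_frame(src, dst, sport, dport, seq, payload):
    """Build a bare Ethernet/IPv4/TCP frame (PSH|ACK, no options, zero checksums)."""
    eth = b"\x02" * 6 + b"\x02" * 6 + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp

def build_pcap(frames):
    """Wrap frames in a classic libpcap file (magic 0xa1b2c3d4, linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
    return out

def iter_tcp_segments(pcap):
    """Yield (src, dst, sport, dport, seq, payload) for every TCP segment in the file."""
    off = 24                                   # skip the global header
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if struct.unpack_from("!H", frame, 12)[0] != 0x0800 or frame[23] != 6:
            continue                           # not IPv4, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack_from("!H", frame, 16)[0]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl: 14 + total_len]
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        doff = (tcp[12] >> 4) * 4
        yield src, dst, sport, dport, seq, tcp[doff:]

def reassemble(pcap):
    """Return {(src, sport, dst, dport): bytes}, each direction ordered by sequence number.

    Good enough for a demo: duplicates are dropped by seq, but overlapping
    retransmits and 32-bit sequence wrap are not handled."""
    flows = defaultdict(dict)
    for src, dst, sport, dport, seq, payload in iter_tcp_segments(pcap):
        if payload:
            flows[(src, sport, dst, dport)].setdefault(seq, payload)
    return {k: b"".join(v[s] for s in sorted(v)) for k, v in flows.items()}

def extract_credentials(streams):
    """Scan each stream for FTP/POP3-style USER and PASS lines."""
    creds = []
    for (src, sport, dst, dport), data in streams.items():
        user = password = None
        for line in data.decode("latin-1").splitlines():
            cmd, _, arg = line.partition(" ")
            if cmd.upper() == "USER":
                user = arg
            elif cmd.upper() == "PASS":
                password = arg
        if user or password:
            creds.append({"client": src, "server": f"{dst}:{dport}", "user": user, "pass": password})
    return creds

# Constructed capture: client 192.0.2.10 logging in to FTP on 198.51.100.21,
# with the client's segments out of order and one of them duplicated.
C, S = "192.0.2.10", "198.51.100.21"
SAMPLE_PCAP = build_pcap([
    _ipv4_tcp_frame(S, C, 21, 40001, 1000, b"220 ftp ready\r\n"),
    _ipv4_tcp_frame(C, S, 40001, 21, 2012, b"PASS hunter2\r\n"),          # arrives first
    _ipv4_tcp_frame(C, S, 40001, 21, 2000, b"USER alice\r\n"),
    _ipv4_tcp_frame(C, S, 40001, 21, 2000, b"USER alice\r\n"),            # retransmit
    _ipv4_tcp_frame(S, C, 21, 40001, 1015, b"331 Password required\r\n"),
    _ipv4_tcp_frame(S, C, 21, 40001, 1038, b"230 Login successful\r\n"),
])

if __name__ == "__main__":
    print(extract_credentials(reassemble(SAMPLE_PCAP)))
```

Swap `SAMPLE_PCAP` for `open("dump.pcap", "rb").read()` to run it over a real tcpdump capture; the "assuming it was unencrypted" caveat in the post is the whole defence, since the same code reads nothing useful out of a TLS or SSH session.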

  10. #10
    AntiOnline Senior Member souleman
    Join Date
    Oct 2001
    Location
    Flint, MI
    Posts
    2,884
    It is inside your broadband server (i.e. your router)??? Well, that would be the same as a phone tap. Those are either wireless (transmit through air waves) or they phone home... You still wouldn't be able to see it, because it would be in promiscuous mode. If it is a tap, and it has a 10. number, then it would still have to phone home, because no one could access it remotely, because they can't access a 10. number (ok, yeah there's firewalking, get over it). Anyway, it still doesn't seem right.

    Now if you are saying that it is in the server that you connect to, then it's still the same thing. That's like a tap on the demarc. You actually dial up to that machine... (in a sense). Sounds more like it is a router sitting there for everyone that uses a cable modem in your area...

    Can you give some links or something on where you did your "homework"?
