The Operation Funnel Vulnerability of the U.S. Military
Exhibit C: Risky address funneled internet services: seven, and still counting
Feb. 21, 2003Risky internet behavior of identified U.S. military locations was documented in recent world exclusive Net Census reports revealing the major role of the U.S. military in the recent SQL Slammer worm attack on the internet. The U.S. military played three key roles in this internet crisis -- as victim, as a potent agent propagating the worm and finally as helper in controlling the internet traffic jam.
The practice of internet address funneling by certain U.S. military computer networks was dubbed "Operation Funnel" by Net Census, which presented the "smoking guns" evidence in early February.
Now the scope of Operation Funnel is further documented with evidence that the operation may include more than seven separate internet services and is deployed at less than 10 percent of U.S. military installations.
Legend: Columns: TLD, top level domain; other, U.S. mixed; non-US, all other countries. In almost all cases, the TLD indicates a single entity responsible for the entire IP address range. If not, the "other" category was assigned. In a few cases, if one entity was responsible for 3/4 of the address range, that range was categorized with its TLD. Rows: n x.y/16, number of internet address ranges. An x.y/16 block contains over 64,000 internet addresses between x.y.0.1 and x.y.255.254. % Total, percent of total x.y/16 ranges (n = 11381). n responses, number of TCP connections established (see Table 2) (n = 98709). resp./(x.y/16) = (n responses) / (n x.y/16). % DNS, percent of connecting internet addresses with successful reverse DNS lookup of host name. The absolute values of the n responses and resp./(x.y/16) rows depend only on sample size; however, comparisons among the columns are valid.
As previously reported, 5.3% of 11,381 responsive x.y/16 address blocks in the Net Census database carry the ".mil" top level domain (TLD) for their host computers.
Note that the non-US address blocks (n = 5465) comprise less than half of the worldwide total found to be responsive to TCP protocol connection requests. Table 1 also shows that only 3% of the connecting internet addresses in .mil domains sport available DNS names, the lowest percent among the other U.S. domains or any other country considered as a whole, as previously reported. Available host names are most common in the .net, .com, .edu and other U.S. categories. These .mil domains -- just 5.3 percent of all similar address blocks worldwide -- account for a remarkable 48.8% -- about half -- of all listening ports for common internet services on earth.
It's my party. I'll cry (or eat half the ice cream) if I want to. In this subset of the Net Census database, seven or more categories of internet services with .mil domans appear to display dramatic levels of internet address funneling (blue in Table 2).
Legend: Columns: see Table 1. Rows: Each row is an independent sample of established TCP connections using randomly selected IP addresses. Row Totals are sample sizes. Row labels are service protocol: port. The sql:1433 values represent sampling before the SQL Slammer worm episode. Table entries are percents of row Totals (right column). Comparisons among table entries across both rows and columns are valid and would be evaluated for statistical significance with one- and two-sample t tests for the difference in probabilities (the percents) respectively.
Specifically, U.S. military installations represent 65.8% of worldwide totals for sql database services prior to the SQL Slammer worm attack. These data emphasize the importance of further analysis of the scope of this so-called Operation Funnel. The worm attack demonstrated the liability it represents for the overall function of the internet for all participants and countries.
The U.S. military itself has in effect asserted that its role in this episode was extensive by shutting down essentially all general internet access to its sql servers after the worm attack.
Thus, Operation Funnel is classified as a general internet security vulnerability by Net Census and therefore merits careful study to determine its nature and scope.
Maybe by "dumb luck", the sql database service was both the worse offender in internet address funneling at about two thirds of associated IP addresses worldwide (Table 2) and perhaps the first instance demonstating the nature of the Operation Funnel vulnerability.
The issue is not only that a bug may exist in software which can be exploited, but also whether internet address funneling is deployed to magnify the negative consequences when malicious scanning intruders seek access.
In addition to the enormous .mil sql (port 1433) presence, Table 2 lists a whopping 58.0% for http proxy (port 8080), 54.6% for ssh (port 22), 53.5% for socks (port 1080), 50.3% for telnet (port 23), 46.4% each for ftp (port 21) and https (port 443) and 32.0% for smtp (port 25), of all such activity internationally.
Notice that commonly used services on the internet, such as smtp, ftp and https, have the lower percents, as would be expected, since these are percents of overall internet presence per service. In other words, a constant ratio of internet addresses per host computer may be used by these funneling installations. Thus, the same rules for packet routing may be used for all of the services to implement the insecure funneling.
With the "short list" of fully identified funneling address blocks and associated operators (see below), it should be possible to calculate the funneling ratio used based on a few reasonable assumptions. Note: Net Census already has the "short list" but further analysis is required to weed out possible false positives.
Seldom are research results in any field of science this dramatic and clear. It appears that the designers and operators of Operation Funnel -- whatever its objectives were -- had no concern at all about "secrecy", "maintaining a low profile", or "blending in with the crowd". The internet behavior of Operation Funnel stands out like a sore thumb to any serious internet observer.
Wear orange tuxedo to party: Jim Carrey character in "Dumb & Dumber" The one third of all internet addresses accepting incoming email (smtp; 32.0%) may be "normal" for U.S. military domains since the organization is very large and many participants are away from home. Table 3 may clarify this issue and provide another perspective on the results reported above.
Legend: Columns: see Table 1. Rows: Each row is an independent sample of established TCP connections using randomly selected IP addresses as in Table 2. Table entries are ratios scaled in percentage units of observed / expected connection events where 100 indicates number observed = number expected (by random distribution of the data). One advantage of this presentation is that each table entry can be evaluated somewhat independently of the others. Note: The statistical significance of the results has not yet been calculated, but the color-coded high (green) and low (pink) response rates are probably highly significant in a statistical sense given the sample sizes.
Tables 2 and 3 contain much information beyond the scope of this report, except to provide context. However, note that the .edu, .com and .org columns, by their definition with the large address block size, contain larger organizations. The .net, .us and other columns contain a variety of entities, such as internet service providers, smaller .com's and state government units. Regarding .mil smtp servers (port 25) for email, Table 3 shows that the observed frequency is little more than the expected frequency based on row, column and table totals. However, the large number of smtp connections increase those totals. Inspection of the raw data shows multiple smtp banners with the same host name within single Operation Funnel address blocks. This appearance of apparent "clones" is rarely seen in any other x.y/16 internet address ranges.
In contrast, U.S. military internet addresses responding to ports associated with seven protocols -- ftp, ssh, telnet, https, socks, http proxy and sql (before Jan 25, 2003) -- are all clearly greater than expected.
U.S. military Operation Funnel score card: seven, and still counting. The "other" rows in Tables 2 and 3 sum results from other services (ports), many of which also show elevated values. This mixture appears to contain other services with marked address funneling and maybe some with below expected values as well. A further breakdown of these "other" ports is pending.
The results presented also provide benchmarks for profiling internet address ranges and networks. For example, the patterns of internet services offered by the domains shown vary more than might be expected, given the coarse-grained level of analysis presented. Thus, variations within a domain type (columns in Tables 2 and 3), might be expected to "cancel each other out" to some extent. Hence, the variation in patterns observed is noteworthy.
This report focuses on the U.S. military (.mil) values and a forthcoming update will break down the .mil IP address blocks into funneling and non-funneling categories. This will provide a more detailed look at the vulnerability. Thus, there will be three categories of .mil networks: (1) Operation Funnel deployment locations, (2) non-funneling "normal" military address blocks and (3) no responses observed and not included in the present sample or report.
Operation Funnel may be deployed at less than one quarter of the some 600 .mil address blocks. In some cases, dozens of address blocks are assigned to a single U.S. military installation. This "short list" may be of use to appropriate authorities -- military or government officials, elected officials, established news media, internet authorities, etc -- who have a constructive role to play and may contact Net Census.
A profile of funneling agents may be used to detect other parties in the U.S. or elsewhere who may be engaging in this insecure internet practice. Thus, internet authorities can be alerted to the risks presented to internet users overall and perhaps persuade "offenders" to refrain from unjustified IP address funneling. Further, links between the responsible entities in the "short list" may clarify the who, when and where in the design and operation of Operation Funnel. If appropriate authorities wish to discuss the security issues in the Funnel program, they will need to know to whom queries should be directed.
To finish developing this profile and hence, funnel-detection method, other internet response variables in the Net Census database can also be used. Hopefully, even smaller domains engaged in this practice can be readily identified. It is already clear, for example, that some address blocks in U.S. government (e.g., sandia.gov) and other domains (e.g., saic.com) are also address funnelers, at risk of becoming fumblers, as identified U.S. military networks did in the SQL Slammer worm visitation.
Copyright © 2003 Global Services
Original publication: Feb. 21, 2003Back to Net Census