Posts tagged Star JV
Hot on the heels of a series of attacks that have seen its Internet connectivity severely disrupted, the DPRK appears to be adding an additional route through which it links to the global Internet.
The new link began appearing in Internet addressing tables on Monday and connects from Star, the country’s sole Internet service provider, to China Unicom Hong Kong’s network.
Most of the Internet traffic to and from the country already runs over a link from mainland China that is serviced by China Unicom. Almost exactly a year ago, a second connection was added via Intelsat satellite.
The new connection appears to provide a third way for traffic to reach the country, although much is unclear. It’s not immediately clear if it represents a third physical connection or is only happening at the network level, and at present there’s no way to know if it serves as an additional backup or will become an important connection.
Update time: 2013-04-08 03:21 (UTC)
Detected by #peers: 2
Detected prefix: 188.8.131.52/24
Announced by: AS131279 (STAR-KP -- Ryugyong-dong)
Upstream AS: AS10099 (HKUNICOM1-AP China Unicom (Hong Kong) Operations Limited)
Renesys, which specializes in analysis of Internet networking, confirmed it was also seeing a new path via China Unicom Hong Kong to North Korea.
“Trace routes … from providers who have chosen this new route now send their traffic to Unicom in Hong Kong whereas previously they connected elsewhere,” said Doug Madory. A trace route is a plot of each step taken by a data packet between its source and destination.
At first, only about 3 percent of Internet providers that Renesys tracks were using the new link, he said. But as Tuesday progressed in Pyongyang, there were several changes in the route that caused it to go on and off.
The connection links just one of the DPRK’s four blocks of Internet addresses.
The block in question isn’t the one that hosts North Korea’s handful of web servers — the ones that came under denial of service attack in the last few days. But it does host some computers, including an Internet gateway that serves as one of the ways traffic from inside North Korea gets to the rest of the Internet, according to NorthKoreaTech monitoring.
It’s still too early to say anything definitive about this, but its appearance after the denial of service attacks is interesting. We’ll likely be able to conclude more in the coming days.
The Internet disruption that affected North Korea’s Internet link earlier this week lasted almost two days, an Internet monitoring company said Friday.
It began just before 0100 GMT on Wednesday — that’s 10am local time — and continued for much of the next day and a half. It then took several hours for traffic levels and response times to get back to normal, said Internet network monitoring company Renesys.
The country typically relies on a link via China Unicom to connect to the rest of the world and this disappeared from global routing tables when the outage began, said Renesys. Routing tables are constantly updated virtual road maps to the Internet that are used to route data packets.
Soon after, the routing tables again began showing links into North Korea, but with part of the country’s connection switched over to a back-up satellite Internet connection via Intelsat.
However, that didn’t help traffic.
Here’s a graph of latencies — the amount of time it takes a server to respond. The beginning of the outage is pretty obvious and its effect is obvious too. Latencies immediately climbed, in some cases to more than 10 times normal. What the chart doesn’t show is the connections that never succeeded.
There were a few periods when connectivity returned to near-normal levels but things didn’t begin returning until midway through Thursday GMT, which is late evening local time in Pyongyang. By Friday morning, latency was back to normal.
Renesys didn’t offer an explanation of what might have been behind the problems. KCNA has blamed the U.S. and its allies for attacking its network, although there’s no evidence either way.
This graphic shows that North Korea’s entire Internet disappeared from global routing tables at least once during the outage.
Just when you thought it couldn’t get any more bizarre than Dennis Rodman hugging Kim Jong Un, the operators of The Pirate Bay site claimed Monday that they are now running from the North Korean Internet.
The Pirate Bay is one of the Internet’s longest surviving pirate sites. It links to Bit Torrent files of thousands of movies, TV shows, songs and other multimedia and is a major thorn in the side of the commercial content industry. The actual pirated content is located on user machines, but the main website acts as a sort of index to all these bits of data across the Internet.
Last week the site said it was quitting its Swedish hosting provider, The Swedish Pirate Party, because of a legal threat and would resume via connections in Norway and Spain.
On Monday, the Pirate Bay home page showed a North Korean flag across the sails of the pirate ship that makes up its logo (see right) and claimed it was now being hosted in the country. Well, not exactly. Despite the North Korean flag on the logo, a blog post said it had been invited by “the leader of the republic of Korea.” That would be South Korea.
It would be an embarrassing faux-pas — if indeed any of this is true.
North Korea’s Internet hasn’t been used to send anything to the rest of the world beyond propaganda from state-run news outlets and the entire Internet in North Korea is tightly controlled, so it would be a surprise for the country to strike up any kind of deal with The Pirate Bay.
Plus, The Pirate Bay needs a significant amount of bandwidth — something North Korea doesn’t have.
So, is there any evidence?
When I track Internet traffic from my PC to The Pirate Bay’s website, it does appear to flow to North Korea’s Internet gateway point. What happens after that is unclear.
The above image shows traffic running from Level 3, an Internet backbone operator in the U.S., onto the network of Intelsat. The international satellite operator is one of North Korea’s two providers of Internet connectivity. From Intelsat it runs onto the North Korean Internet, denoted by the Internet address “184.108.40.206” on line 21.
But no more data is returned, so it’s difficult to plot the remainder of the path to The Pirate Bay website.
It’s possible, perhaps probable, that a hack is being used to route traffic through a North Korean computer.
Here’s the blog post, from “Kim Jung Bay”:
PRESS RELEASE, NEW PROVIDER FOR TPB
FOR IMMEDIATE RELEASE, 3 MARCH 102, 평양 (PYONGYANG).
The Pirate Bay has been hunted in many countries around the world. Not for illegal activities but being persecuted for beliefs of freedom of information. Today, a new chapter is written in the history of the movement, as well as the history of the internets.
A week ago we could reveal that The Pirate Bay was accessed via Norway and Catalonya. The move was to ensure that these countries and regions will get attention to the issues at hand. Today we can reveal that we have been invited by the leader of the republic of Korea, to fight our battles from their network.
This is truly an ironic situation. We have been fighting for a free world, and our opponents are mostly huge corporations from the United States of America, a place where freedom and freedom of speech is said to be held high. At the same time, companies from that country is chasing a competitor from other countries, bribing police and lawmakers, threatening political parties and physically hunting people from our crew. And to our help comes a government famous in our part of the world for locking people up for their thoughts and forbidding access to information.
We believe that being offered our virtual asylum in Korea is a first step of this country’s changing view of access to information. It’s a country opening up and one thing is sure, they do not care about threats like others do. In that way, TPB and Korea might have a special bond. We will do our best to influence the Korean leaders to also let their own population use our service, and to make sure that we can help improve the situation in any way we can. When someone is reaching out to make things better, it’s also ones duty to grab their hand.
Posted Today 18:45 by Kim Jung-Bay
North Korea no longer relies on a single foreign telecom company to carry its Internet traffic to and from the rest of the world.
Ever since Star Joint Venture launched the country’s first fully-fledged Internet connection in 2010, North Korean traffic has flowed across the country’s northern border and through an interconnection with China Netcom. China Netcom is one of China’s largest Internet backbone providers.
In the last few days the country’s sole Internet operator has begun using an interconnection with Intelsat, the Washington-based international satellite operator, to offer a second route to its network.
Existence of the link was revealed through analysis and monitoring of BGP (border gateway protocol) messages. These are automated announcements that constantly flow between routers and switches that make up the global Internet backbone and help determine the constantly-changing web of thousands of connections that link service providers worldwide.
Until April 4, North Korea’s Star JV network had only announced a link via China Netcom. So, when you typed “www.kcna.kp” into your browser, routers at your service provider determined the best way to reach Pyongyang knowing the last-but-one stop would be China Netcom. Now there’s a choice.
A second route via Intelsat started appearing in BGP announcements from April 5 (around 6am local Pyongyang time).
Detected prefix: 220.127.116.11/24
Announced by AS131279 (STAR-KP -- Ryugyong-dong)
Detected upstream/next hop AS: AS22351 (INTELSAT Intelsat Global BGP Routing Policy)
The new route provides some backup, should China Netcom have a problem, and means users in some countries might see faster connection times to hit North Korea’s handful of websites.
NorthKoreaTech analysis of traffic to sites like KCNA from points around the globe shows the majority of connections still appear to run via China Netcom, but some are being made through Intelsat.
Star JV, the service provider formed by the country’s telecom ministry and Thailand’s Loxley Pacific, remains tight-lipped about its plans. It’s unknown if this connection is a temporary one, perhaps for an anticipated surge in traffic around the April 15th anniversary of the 100 years since the birth of Kim Il Sung, or if it will continue.
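The kind of monitoring that surfaced this route, as an added example that is not code from NorthKoreaTech or any monitoring service: a parser for alert lines in the layout of the record quoted above that reports the first time an origin AS is seen behind a new upstream. The sample alerts are constructed, with documentation prefixes and private-use AS64512 standing in for the existing upstream; the function names are this example's own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed alerts in the layout of the records quoted in these posts.
# Prefixes are documentation ranges and AS64512 is a private-use stand-in for
# the existing upstream; AS131279, AS22351 and AS10099 appear in the posts.
SAMPLE_ALERTS = """\
Update time: 2012-04-03 10:00 (UTC) Detected prefix: 192.0.2.0/24 Announced by: AS131279 Upstream AS: AS64512
Update time: 2012-04-04 21:05 (UTC) Detected prefix: 192.0.2.0/24 Announced by: AS131279 Upstream AS: AS22351
Update time: 2012-04-05 02:10 (UTC) Detected prefix: 192.0.2.0/24 Announced by: AS131279 Upstream AS: AS64512
Update time: 2013-04-08 03:21 (UTC) Detected by #peers: 2 Detected prefix: 198.51.100.0/24 Announced by: AS131279 Upstream AS: AS10099
not an alert line
"""

ALERT_RE = re.compile(
    r"(?:Update time:\s*(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"
    r".*?Detected prefix:\s*(?P<prefix>\S+)"
    r".*?Announced by:?\s*AS(?P<origin>\d+)"
    r".*?[Uu]pstream(?:/next hop)? AS:\s*AS(?P<upstream>\d+)"
)


def parse_alert(line):
    """Return (time, network, origin_asn, upstream_asn), or None if unparseable."""
    m = ALERT_RE.search(line.strip())
    if not m:
        return None
    try:
        # strict=False normalises a prefix quoted with host bits set.
        network = ipaddress.ip_network(m["prefix"], strict=False)
    except ValueError:
        return None
    return m["time"], network, int(m["origin"]), int(m["upstream"])


def new_upstreams(lines, baseline=None):
    """List the first sighting of each upstream AS not already known for an origin."""
    seen = defaultdict(set)
    for origin, upstreams in (baseline or {}).items():
        seen[origin].update(upstreams)
    findings = []
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            continue  # header, blank or malformed line
        when, network, origin, upstream = rec
        if upstream not in seen[origin]:
            seen[origin].add(upstream)
            findings.append((when, str(network), origin, upstream))
    return findings


if __name__ == "__main__":
    known = {131279: {64512}}  # assumed baseline: one long-standing upstream
    for when, net, origin, upstream in new_upstreams(SAMPLE_ALERTS.splitlines(), known):
        print(f"{when}: AS{origin} {net} now reachable via new upstream AS{upstream}")
```

A route that flaps back to an already-known upstream, as in the third sample line, is not reported again, so the output stays limited to genuinely new paths.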
Cyber attacks against South Korean organizations have been much in the headlines in recent weeks. With each attempt to crash a web server, phish for private information or infiltrate a computer in South Korea, the country’s government points its finger of blame towards North Korea, but concrete evidence is often thin on the ground.
Investigators will typically try to trace a cyber attack by discovering the IP (Internet protocol) address from which it originated. Every computer on the Internet has such an address and discovering the source address will typically help identify the organization or service provider network from which the attack was launched.
But tracking cyber attacks is a difficult job at the best of times — attackers don’t often use their own machines but those of other people that they control through malware. In some cases they will route traffic through numerous points so it’s difficult to trace all the way back to source, and in other cases will use fake IP addresses to divert attention elsewhere.
Perhaps the North Korean hackers aren’t skilled enough to cover their tracks, so the source IP addresses can be easily caught. Maybe they want the source to be clear. Or perhaps North Korea is being implicated by hackers in other countries and the South Korean government is a little too eager to blame its neighbor. Without more technical information, it’s impossible to know.
There are two blocks of IP addresses that can be readily identified as North Korean.
The first is a block of 1,024 addresses that was put into use in 2010 by Star Joint Venture, the Internet service provider venture between the state-run Korea Posts and Telecommunications Co. and Thailand’s Loxley Pacific.
This is used to house all the official North Korean websites, such as KCNA, Naenara, the Voice of Korea, and Rodong Sinmun. Computers in North Korea capable of accessing the global Internet, such as those owned by resident foreigners, also use addresses in this range.
The block runs from 18.104.22.168 to 22.214.171.124.
A second, lesser known block of addresses also exists.
It contains 256 addresses and runs from 126.96.36.199 to 188.8.131.52.
Here’s what you get when you query the addresses in the “whois” directory:
inetnum: 184.108.40.206 - 220.127.116.11
netname: KPTC
country: CN
descr: Customer of CNC
admin-c: TC254-AP
tech-c: TC254-AP
status: ASSIGNED NON-PORTABLE
changed: firstname.lastname@example.org 20040803
mnt-by: MAINT-CN-ZM28
source: APNIC
At first glance they appear to be Chinese addresses because they are owned by China Netcom, one of China’s largest Internet service providers. But a closer look reveals they are assigned to a customer called KPTC. That’s Korea Posts and Telecommunications Co., the government-run telco.
The addresses were previously used for several North Korean websites and related Internet services including the Chesin e-mail system. Most of the services have moved to the Star JV addresses, but at least one website still uses the Chinese addresses: Chosun Expo.
They are still in use for other purposes. Scanning sometimes reveals blank or test websites that appear and disappear within a day, and there are at least three routers connected through the addresses behind which there are likely additional PCs.
A couple of new details about Star JV, the company now responsible for North Korea’s connection to the global Internet, came to light this week.
They were included in a report from the Internet Assigned Numbers Authority (IANA) about the reassignment of the country’s dot-kp domain to Star JV.
The report reveals the mission of the company and its president:
Proposed Sponsoring Organisation and Contacts
The proposed sponsoring organisation is Star Joint Venture Company, based in Pyongyang, Democratic People’s Republic of Korea. The company is a joint venture between the Korean Post and Telecommunications Corporation, a governmental enterprise; and Loxley Pacific Company Limited. The joint venture is chartered to establish modern Internet services in the Democratic People’s Republic of Korea.
The proposed administrative and technical contact is Kang Yong Su, the President of Star Joint Venture Company. The administrative contact is understood to be based in the Democratic People’s Republic of Korea.
Star JV is already beginning to deliver on the mission. In less than a year it’s connected several North Korean websites to the world (see the North Korean Website List for more). What’s actually going on inside North Korea is, as always, a little more difficult to determine.
The company has taken over providing Internet service to foreign residents in Pyongyang, according to analysis of technical data. Whether its creation has resulted in an expansion of Internet access, filtered or otherwise, to North Korean citizens or officials is impossible to tell.
The president, Kang Yong Su, remains a bit of a mystery. I’ve been unable to locate the name in previous news reports, except for a few instances that are likely different people with the same name. If anyone knows anything about him, please e-mail or add something in the comments.
North Korea’s dot-kp top-level Internet domain was reassigned after the company running it, KCC Europe, ended service and went months without replying to queries from Pyongyang, according to a report released this week.
The Internet Assigned Numbers Authority, which oversees country-level domains and the IP address system, switched control of dot-kp from the Korea Computer Center to Star Joint Venture earlier this month. Star JV is the DPRK-Thai company that’s been putting Internet connectivity into Pyongyang.
The story of the domain change and what happened with KCC Europe is covered in a piece I wrote earlier today: North Korea’s Internet domain is in new hands
Here’s the chronology of events, as outlined by IANA:
In 2010, the authoritative name servers for the .KP became completely lame, effectively stopping the top-level domain from operating. Korea Computer Center reached out to KCC Europe (KCCE), its Germany-based technical registry provider, to have service reinstated. After several months without response, Korea Computer Center terminated KCCE’s agreement to operate the .KP domain.
In the mean time, Star Joint Venture Company set to work in late 2010 to develop the requisite infrastructure in the country to support operation of the .KP domain. It was subsequently endorsed by the DPRK Ministry of Posts and Telecommunications to transfer operation of the domain from Korea Computer Center to Star Joint Venture Company.
In light of the continuing lack of operation of the .KP, KCC supported an interim change of the nameserver records for the .KP to a new set managed by Star Joint Venture Company. This interim change was conducted in December 2010 in order to restore functionality of the .KP top-level domain.
When it came time to make the official change, there wasn’t anything to dispute, said IANA.
The request to redelegate the .KP top-level domain is supported by the Ministry of Posts and Telecommunications. A letter of authorisation was transmitted jointly by Mr H.E. Ryu Yong Sop, the Minister of Posts and Telecommunications; and Mr Han U Chol, the Director-General of the Korea Computer Center.
I’ve tried several times over the last few months to contact Jan Holtermann, the German businessman behind KCC Europe, but I’ve never been able to get a response.
KCC Europe GmbH, Berlin, Bundesallee 26, 10717 Berlin. Registered office / branch: Business address: Bundesallee 26, 10717 Berlin. Rules of representation: If one liquidator is appointed, he represents the company alone. If several liquidators are appointed, the company is represented by all liquidators jointly. Sole power of representation may be granted. Liquidator: 2. Bokop, Jens, *27.08.1983, Berlin; No longer managing director: 1. Holtermann, Jan. Legal status: By resolution of the shareholders’ meeting of 26.01.2011, the company is dissolved as of the end of 31.01.2011.