The whole GeoIP industry stands on the incorrectness of RIPE/APNIC/etc. records. Who would need to pay for this info if he could just query the RIPE whois server?
There are a few leading suppliers of such information, with many other smaller ones (frequently just reselling the same databases); the major ones are MaxMind, Digital Envoy/Digital Element (used by F5) and Neustar.
The research paper from 2011 https://www.caida.org/publications/papers/2011/geocompare-tr/geocompare-tr.pdf estimates that about 90% of the information in GeoIP DBs corresponds to the RIPE WHOIS records; from my experience I'd say it is a bit less today. After all, the country/contact record in the RIPE DB is managed by the pool owner/maintainer, so if I am a LIR requesting some IP pool from RIPE I can set the country to whatever I want on their website; there is no validation on the RIPE side for correctness.
A few reasons to register an incorrect country for your IP pool:
- You are selling VPN/anonymizing services to provide access to services that limit IPs by their country association: Netflix, Hulu, ESPN, Vevo etc.
- You/your end clients are doing business with countries which are not friendly to yours: e.g. an Israeli software company selling its products/support to Saudi Arabian clients (not a problem on the Israeli side but very much a problem on the Saudi side)
- You are a government-affiliated No Such Agency that needs to conduct its Internet covert activity unattributed
- You are a spammer/malicious net admin trying to hide the tracks of your illegal deeds.
- There are more of course.
How do they do it? In many ways; some are purely technical, some are not:
- Start with whois, the easiest step
- Traceroute from different points: if whois says the network is in the UK but from a London server your trace goes via providers in China, that raises suspicion.
- Recording the history of country changes in RIPE over time, so if a network has been in RU for 20 years and suddenly becomes a UK network - suspicious
- The most reliable one: they just buy information from data brokers. Say you buy a product at some website from an IP registered to the US, but your credit card is issued in Uganda; then your IP is marked as probably in Uganda and not the US. The same goes for every web-based registration service - you pay, say, with PayPal, which states you are in the USA, but the delivery address of your purchase is in Argentina.
Now regarding the particular network in question:
- 109.248.9.0/24 is part of the class B 109.248.0.0/16 belonging to NetArt Group s.r.o., a Russian company; + for the Russian connection
- the AS number to which it belongs, 58222, is registered to a UK company, Solar Invest; searching Google for the company we find SOLAR INVEST UK LIMITED - Filing history (free information from Companies House), a one-man company with assets of 100 GBP; + for suspicious
- this AS number advertises just 2 class C networks (https://bgp.he.net/AS58222#_prefixes); + for suspicious activity (getting your own AS number to advertise just 512 IP addresses??)
- the founder of this company, Mr Valentine O'Sullivan, has just one Facebook account with lots of friends, 80% of which are either fake accounts and/or Russian persons' accounts; + for the Russian connection, + for suspicious activity.
- the network is advertised via the Hisense hosting company in Bulgaria, which has a one-page website done by a 5-year-old; + for suspicious
- IPs from this pool are listed many times in black lists of many kinds (109.248.9.114 is blacklisted!); + for suspicious
- from my London server I have pings of ~40 msec; highly improbable that the destination is in the UK, very probable that it is in Russia:
# ping 109.248.9.10
PING 109.248.9.10 (109.248.9.10) 56(84) bytes of data.
64 bytes from 109.248.9.10: icmp_seq=1 ttl=48 time=39.6 ms
64 bytes from 109.248.9.10: icmp_seq=2 ttl=48 time=40.4 ms
So the bottom line: this network most probably is in Russia.
https://www.linkedin.com/in/yurislobodyanyuk/
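The answer above tallies independent signals (whois vs. covering allocation, ASN registration, prefix count, block-list hits, RTT from a vantage point) into a "+ for suspicious" score. The following is an added example, not code from the answer or from any GeoIP vendor, that turns that kind of tally into a small scoring routine. Two kinds of latency check are shown: a speed-of-light bound (the smallest RTT seen from a vantage point puts a hard upper limit on how far away the host can be, so it can only rule a claimed location out), and a heuristic flag when a vantage point inside the claimed country sees an RTT above an assumed domestic threshold. All thresholds, the 200 km/ms fibre figure, the city coordinates and the sample evidence are assumptions constructed for the example.

```python
# Added example (not from the original post): a rough consistency scorer for a
# claimed IP country, combining the kinds of signals the answer lists. All
# thresholds, coordinates and the sample evidence below are constructed.
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0
# Light in fibre covers roughly 200 km per millisecond (about 2/3 of c);
# one-way delay is at most half the RTT, so RTT/2 * 200 bounds the distance.
FIBRE_KM_PER_MS = 200.0
# Assumed threshold: an RTT above this from a vantage point inside the claimed
# country is treated as a hint that the host is not actually there.
DOMESTIC_RTT_MAX_MS = 20.0
# Assumed threshold: an ASN announcing this few prefixes is treated as a hint.
TINY_ASN_PREFIXES = 2


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat = p2 - p1
    dlon = math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def max_distance_km(min_rtt_ms):
    """Upper bound on how far a host can be from a vantage point, given the
    smallest RTT observed to it. A location beyond this is impossible."""
    return min_rtt_ms / 2 * FIBRE_KM_PER_MS


@dataclass
class Vantage:
    name: str
    country: str
    lat: float
    lon: float
    min_rtt_ms: float  # smallest RTT measured from this vantage to the target


@dataclass
class Evidence:
    claimed_country: str     # country in the prefix's whois record
    claimed_lat: float       # a reference point inside the claimed country
    claimed_lon: float
    parent_country: str      # country of the covering allocation
    asn_country: str         # country the origin ASN is registered in
    announced_prefixes: int  # number of prefixes the ASN announces
    blacklist_hits: int      # addresses from the prefix seen on block lists
    vantages: list           # Vantage measurements towards the target


def assess(ev):
    """Return the list of suspicion flags raised by the evidence."""
    flags = []
    if ev.parent_country != ev.claimed_country:
        flags.append("whois-parent-mismatch")
    if ev.asn_country != ev.claimed_country:
        flags.append("asn-country-mismatch")
    if ev.announced_prefixes <= TINY_ASN_PREFIXES:
        flags.append("tiny-asn")
    if ev.blacklist_hits > 0:
        flags.append("blacklisted")
    for v in ev.vantages:
        dist = haversine_km(v.lat, v.lon, ev.claimed_lat, ev.claimed_lon)
        bound = max_distance_km(v.min_rtt_ms)
        if dist > bound:
            # Claimed location is farther than light could have travelled in
            # half the RTT: the whois country cannot be right.
            flags.append(f"physically-impossible:{v.name}")
        elif v.country == ev.claimed_country and v.min_rtt_ms > DOMESTIC_RTT_MAX_MS:
            # Not impossible, but slow for a host supposedly in the same country.
            flags.append(f"slow-domestic-rtt:{v.name}")
    return flags


# Constructed sample, loosely modelled on the answer's tally: whois says UK,
# covering allocation is RU, ASN registered in the UK, 2 prefixes announced,
# one blacklisted address, and ~40 ms RTT from a London vantage point.
SAMPLE = Evidence(
    claimed_country="GB", claimed_lat=51.5074, claimed_lon=-0.1278,
    parent_country="RU", asn_country="GB",
    announced_prefixes=2, blacklist_hits=1,
    vantages=[Vantage("london", "GB", 51.5074, -0.1278, 40.0)],
)

if __name__ == "__main__":
    for flag in assess(SAMPLE):
        print("+", flag)
```

Note that the 40 ms measurement alone does not exclude the UK: the physics bound from a London vantage point at 40 ms is about 4000 km, which comfortably covers both London and Moscow. It is the combination of a long domestic RTT with the registry and BGP mismatches that pushes the score up, which is the same reasoning the answer applies by hand.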