4.3 Internet governance - Overview
Internet governance, defined as the development and regulation of the Internet through shared principles, norms and programmes, is a continuous and complex process. The Internet is governed in what is called a ‘bottom-up multi-stakeholder model’ rather than a purely intergovernmental approach. This multi-stakeholder approach has allowed the Internet to flourish, fostering innovation and shaping the Internet as we know it today. However, this approach has also brought very real challenges for law enforcement.
IPv4 to IPv6
The number of available IPv4 addresses is rapidly diminishing. Migration to the IPv6 protocol, which offers a virtually unlimited number of IP addresses, is in progress but is likely to take a considerable time to complete. During this transition period, which may last several years or more, operators deploy alternative ways of sharing the remaining IPv4 addresses in order to ensure the continuity of Internet traffic in a growing market. The intermediate solution known as Carrier Grade Network Address Translation (CGNAT) is now being used by Internet service operators in the EU.
The ability to link a user to an IP address is crucial in the context of a criminal investigation. Where CGNAT is used, the operator places many subscribers behind a single public IPv4 address and distinguishes their connections only by source port and time. Potentially, this technology enables providers to place thousands of users behind one IPv4 address, so the ability to identify an individual user from the address alone is significantly impaired. Identification then requires the operator to retain its NAT translation logs (public IP address, source port, timestamp and the subscriber behind them) and to provide them to LE; it equally requires that the party reporting the address, such as a website operator or victim, recorded the source port and an accurate timestamp alongside it, since a request that carries the IP address alone cannot be resolved to one subscriber.
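The identification problem described above can be shown on a small translation log. The following Python is an added example, not material from the report or from any operator; the log format, the subscriber identifiers and the addresses (CGNAT shared space 100.64.0.0/10, documentation range 203.0.113.0/24) are constructed for illustration. It shows that the public IP alone yields every subscriber who ever used it, that IP plus port is still ambiguous once ports are reused, and that only IP, port and timestamp together resolve to one subscriber.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class NatRecord:
    """One CGNAT translation: which subscriber held a public (IP, port) and when.

    Field names are assumed for this example; real operator logs differ.
    """
    subscriber: str      # constructed subscriber identifier
    private_ip: str      # address from the shared CGNAT space (RFC 6598, 100.64.0.0/10)
    public_ip: str       # the shared public IPv4 address
    public_port: int     # source port seen by the remote site
    start: str           # translation created (UTC, ISO 8601)
    end: str             # translation released (UTC, ISO 8601)


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample log: three subscribers share the single public address
# 203.0.113.5. Port 40001 is handed to sub-0003 after sub-0001 releases it.
NAT_LOG = [
    NatRecord("sub-0001", "100.64.0.11", "203.0.113.5", 40001, "2024-01-01 10:00:00", "2024-01-01 10:30:00"),
    NatRecord("sub-0002", "100.64.0.12", "203.0.113.5", 40002, "2024-01-01 10:05:00", "2024-01-01 10:20:00"),
    NatRecord("sub-0003", "100.64.0.13", "203.0.113.5", 40001, "2024-01-01 10:31:00", "2024-01-01 11:00:00"),
]


def subscribers_for_ip(log, public_ip):
    """What the IP address alone tells LE: every subscriber who ever sat behind it."""
    return {r.subscriber for r in log if r.public_ip == public_ip}


def subscribers_for_ip_port(log, public_ip, port):
    """IP plus source port but no timestamp: still ambiguous once ports are reused."""
    return {r.subscriber for r in log if r.public_ip == public_ip and r.public_port == port}


def identify(log, public_ip, port, when):
    """IP, source port and timestamp together: the tuple a CGNAT log can resolve.

    Returns the single subscriber, or None if no translation covers that instant
    (wrong clock on the reporting side, or the record has already been purged).
    """
    t = _ts(when)
    hits = [r for r in log
            if r.public_ip == public_ip and r.public_port == port
            and _ts(r.start) <= t < _ts(r.end)]
    if len(hits) > 1:
        # Two subscribers cannot hold the same public (IP, port) at the same moment;
        # overlapping records mean the log itself is inconsistent.
        raise ValueError(f"inconsistent NAT log: {len(hits)} records cover {public_ip}:{port} at {when}")
    return hits[0].subscriber if hits else None


if __name__ == "__main__":
    print(subscribers_for_ip(NAT_LOG, "203.0.113.5"))               # three candidates
    print(subscribers_for_ip_port(NAT_LOG, "203.0.113.5", 40001))   # still two
    print(identify(NAT_LOG, "203.0.113.5", 40001, "2024-01-01 10:10:00"))  # one subscriber
```

Note the gap between 10:30:00 and 10:31:00: a query for port 40001 inside it returns nothing, and a reporting clock that is a minute off would attribute the connection to the wrong subscriber, which is why requests to operators should carry the time zone and the clock source alongside the timestamp.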
Criminal exploitation
The role of the Domain Name System (DNS) in translating domain names into IP addresses can be exploited by criminals in various ways:
- DNS hijacking – redirecting name resolution, for example by changing the DNS server settings on a user’s PC or home router or by tampering with the records held at the registrar, so that domain names resolve to attacker-controlled addresses. It is used to inject malware onto a user’s PC, to promote phishing scams, to divert advertising on high-traffic websites, and for other related forms of criminal activity.
- Fast flux – a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies. In this scheme the DNS records change frequently, often every few minutes, to point to new bots, giving the botnet a robust hosting infrastructure.
- Cybersquatting – exploiting well-known trademarks by registering confusingly similar domain names in bad faith, typically in order to resell them to the legitimate trademark owner. The growing number of generic Top-Level Domains (gTLDs) and the practice of domain name tasting (registering a domain and dropping it within the grace period if it proves unprofitable) give criminals more opportunities to create bad-faith domain names that infringe trademark rights.
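The fast-flux behaviour described above leaves a recognisable pattern in DNS observations: short TTLs, many distinct addresses over time, and addresses spread across unrelated networks. The following Python is an added example, not code from the report; the observations are constructed, the domain names are reserved example names, and the thresholds in `is_fast_flux` are assumptions chosen for illustration. Using /16 prefixes as a stand-in for network diversity is also an assumption of this offline example (a real pipeline would map addresses to ASNs). A CDN-like name is included to show why TTL and address count alone are not enough.

```python
import ipaddress
from collections import defaultdict

# Constructed passive-DNS style observations: (seconds since start, qname, TTL, A record).
OBSERVATIONS = [
    # Flux-like name: short TTL, a different pair of addresses in unrelated prefixes every 5 minutes.
    (0,    "payment-secure.example.net", 180, "198.51.100.17"),
    (0,    "payment-secure.example.net", 180, "203.0.113.44"),
    (300,  "payment-secure.example.net", 180, "192.0.2.201"),
    (300,  "payment-secure.example.net", 180, "198.51.100.90"),
    (600,  "payment-secure.example.net", 180, "203.0.113.7"),
    (600,  "payment-secure.example.net", 180, "192.0.2.33"),
    (900,  "payment-secure.example.net", 180, "198.51.100.140"),
    (900,  "payment-secure.example.net", 180, "203.0.113.180"),
    # Ordinary site: long TTL, two stable addresses in one prefix.
    (0,    "www.example.org", 3600, "192.0.2.10"),
    (0,    "www.example.org", 3600, "192.0.2.11"),
    (3600, "www.example.org", 3600, "192.0.2.10"),
    (3600, "www.example.org", 3600, "192.0.2.11"),
    # CDN-like name: short TTL and many addresses, but all inside one prefix.
    (0,    "static.example.com", 60, "198.51.100.1"),
    (0,    "static.example.com", 60, "198.51.100.2"),
    (60,   "static.example.com", 60, "198.51.100.3"),
    (60,   "static.example.com", 60, "198.51.100.4"),
    (120,  "static.example.com", 60, "198.51.100.5"),
    (120,  "static.example.com", 60, "198.51.100.6"),
]


def analyse(observations):
    """Per-name features that characterise fast flux."""
    ips = defaultdict(set)
    ttls = defaultdict(list)
    snapshots = defaultdict(lambda: defaultdict(set))   # name -> time -> addresses in that answer
    for t, name, ttl, ip in observations:
        ips[name].add(ip)
        ttls[name].append(ttl)
        snapshots[name][t].add(ip)
    features = {}
    for name in ips:
        # /16 prefixes stand in for network/ASN diversity in this offline example.
        prefixes = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips[name]}
        answers = [snapshots[name][t] for t in sorted(snapshots[name])]
        changes = sum(1 for a, b in zip(answers, answers[1:]) if a != b)
        features[name] = {
            "distinct_ips": len(ips[name]),
            "distinct_prefixes": len(prefixes),
            "min_ttl": min(ttls[name]),
            "answer_changes": changes,
        }
    return features


def is_fast_flux(f, max_ttl=300, min_ips=5, min_prefixes=3):
    """Heuristic thresholds, assumed for illustration; tune against your own passive DNS."""
    return (f["min_ttl"] <= max_ttl and f["distinct_ips"] >= min_ips
            and f["distinct_prefixes"] >= min_prefixes and f["answer_changes"] >= 1)


def flagged(observations):
    """Names whose features match the fast-flux heuristic."""
    return sorted(n for n, f in analyse(observations).items() if is_fast_flux(f))


if __name__ == "__main__":
    for name, f in analyse(OBSERVATIONS).items():
        print(name, f, "FLUX" if is_fast_flux(f) else "")
```

The CDN-like name rotates through six addresses with a 60-second TTL and still is not flagged, because all of them sit in one prefix. Real CDNs do span several networks, so in practice the prefix or ASN test reduces false positives but does not remove the need for a second signal such as the hosting being on residential address space.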
Transmission Control Protocol/Internet Protocol (TCP/IP) is the protocol suite that carries Internet traffic, and it too can be abused by cybercriminals: in Denial of Service (DoS) attacks via SYN flooding, which exhausts a server’s capacity for half-open connections with SYN packets whose handshakes are never completed; in TCP sequence number prediction, where an attacker who can guess a connection’s sequence numbers forges packets that the target accepts as part of a legitimate connection and so gains access to the host under another party’s identity; and in TCP session hijacking, the takeover of a valid session to gain unauthorised access to information or services on a computer system.
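The SYN flood mentioned above is visible in a packet trace as handshakes that the server answered but that were never completed. The following Python is an added example, not code from the report: it reconstructs three-way handshakes from a constructed trace (tcpdump-style flag letters, documentation addresses, one genuine client and eight spoofed sources) and reports, per listening socket, how many connections are complete and how many are still half-open after a timeout. The timeout and the alert threshold are assumptions for this example.

```python
from collections import defaultdict

# Constructed packet trace: (time, src, sport, dst, dport, flags).
# Flags use tcpdump-style letters: "S" = SYN, "SA" = SYN-ACK, "A" = ACK.


def build_trace():
    trace = []
    # One legitimate client completes the three-way handshake.
    trace += [
        (0.00, "203.0.113.10", 50000, "192.0.2.80", 443, "S"),
        (0.01, "192.0.2.80", 443, "203.0.113.10", 50000, "SA"),
        (0.02, "203.0.113.10", 50000, "192.0.2.80", 443, "A"),
    ]
    # Eight SYNs from (spoofed) sources: the server answers each, nobody completes.
    for i in range(1, 9):
        src = f"198.51.100.{i}"
        trace.append((0.1 * i, src, 40000 + i, "192.0.2.80", 443, "S"))
        trace.append((0.1 * i + 0.005, "192.0.2.80", 443, src, 40000 + i, "SA"))
    return sorted(trace)


TRACE = build_trace()


def handshakes(trace):
    """Reconstruct the state of every handshake, keyed by the client-side 4-tuple."""
    flows = {}
    for t, src, sport, dst, dport, flags in trace:
        if flags == "S":
            flows[(src, sport, dst, dport)] = {"syn": t, "synack": None, "ack": None}
        elif flags == "SA":
            key = (dst, dport, src, sport)        # the reply travels the other way
            if key in flows:
                flows[key]["synack"] = t
        elif flags == "A":
            f = flows.get((src, sport, dst, dport))
            if f and f["synack"] is not None and f["ack"] is None:
                f["ack"] = t
    return flows


def backlog_report(trace, now, timeout=3.0):
    """Per listening socket: handshakes completed vs. still half-open after `timeout` seconds."""
    report = defaultdict(lambda: {"completed": 0, "half_open": 0})
    for (src, sport, dst, dport), f in handshakes(trace).items():
        entry = report[(dst, dport)]
        if f["ack"] is not None:
            entry["completed"] += 1
        elif f["synack"] is not None and now - f["syn"] >= timeout:
            entry["half_open"] += 1
    return dict(report)


def flagged_targets(trace, now, min_half_open=5):
    """Sockets whose half-open backlog passes the threshold and exceeds completed handshakes."""
    return sorted(k for k, e in backlog_report(trace, now).items()
                  if e["half_open"] >= min_half_open and e["half_open"] > e["completed"])


if __name__ == "__main__":
    print(backlog_report(TRACE, now=10.0))
    print(flagged_targets(TRACE, now=10.0))
```

Because flood sources are usually spoofed, the count is kept per target socket rather than per source; counting per source would spread the eight SYNs over eight "clients" and never cross the threshold. On the server side the same condition is what SYN cookies are designed to survive.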
IP addresses, Internet Protocols (IPs)
Both versions of IP present similar vulnerabilities, even though IPv6 was conceived to replace IPv4 in a safer way, with Internet Protocol Security (IPsec) support built into the protocol specification. Both versions can be affected by four additional threats, briefly summarised below:
- Sniffing of sensitive information, where criminals capture network traffic between, for example, a user and a website. Dual-stack networks and IPv4/IPv6 transition mechanisms add exposure here: IPv6 traffic, including IPv6 tunnelled over IPv4, can pass unnoticed by monitoring and filtering that was designed for IPv4 only.
- An application layer attack is a form of Denial of Service attack in which the attacker disables specific functions or features rather than an entire network. It is often used against financial institutions for specific, targeted purposes. Because the requests resemble legitimate traffic, such an attack can disrupt transactions and access to databases while evading network-level filtering.
- Rogue devices such as routers that abuse IPv6 stateless address autoconfiguration: a rogue device sends Router Advertisement messages, and every IPv6 host on the local network configures addresses and a default gateway from them without the user’s awareness. Traffic is then diverted through the rogue router, which can copy or delete it or use it for man-in-the-middle attacks. On managed switches, RA Guard (filtering Router Advertisements on ports that should not carry them) is the usual countermeasure.
- Man-in-the-middle attacks, in which the criminal makes two parties believe they are talking to each other over a private connection while all traffic is actually controlled by the criminal, are enabled by IP and DHCP spoofing. A client broadcasts a DHCP request when it boots, so a rogue DHCP server on the same segment can answer before the legitimate server does. This allows the rogue server to set critical connectivity settings, including the default gateway and DNS server, and so to place itself in the middle of the victim’s traffic. DHCP snooping on managed switches, which drops server replies arriving on untrusted ports, is the usual countermeasure.
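Both the rogue IPv6 router and the rogue DHCP server above can be caught by a passive sensor on the segment that compares what it sees against the devices that are supposed to be there. The following Python is an added example, not code from the report: the events, MAC addresses, allowlists and field names are constructed for illustration. It also replays the DHCP race, showing which settings a client ends up with when the rogue OFFER arrives first.

```python
# Constructed events as a passive sensor on the LAN might record them.
AUTHORISED_DHCP_SERVERS = {"192.0.2.1"}            # assumed allowlist: the real DHCP server ID
AUTHORISED_IPV6_ROUTERS = {"02:00:00:00:00:01"}    # assumed allowlist: MAC of the real IPv6 router

EVENTS = [
    # A client broadcasts DISCOVER; the rogue answers 7 ms later, the real server 10 ms later.
    {"t": 0.000, "proto": "dhcp", "msg": "DISCOVER", "xid": 0x1a2b, "src_mac": "02:00:00:00:00:42"},
    {"t": 0.003, "proto": "dhcp", "msg": "OFFER", "xid": 0x1a2b, "src_mac": "02:00:00:00:00:99",
     "server_id": "192.0.2.250", "router": "192.0.2.250", "dns": "192.0.2.250"},
    {"t": 0.010, "proto": "dhcp", "msg": "OFFER", "xid": 0x1a2b, "src_mac": "02:00:00:00:00:01",
     "server_id": "192.0.2.1", "router": "192.0.2.1", "dns": "192.0.2.53"},
    # Router Advertisements: the real router, then a rogue one announcing its own prefix.
    {"t": 1.0, "proto": "icmpv6", "msg": "RA", "src_mac": "02:00:00:00:00:01", "src_ip": "fe80::1",
     "prefix": "2001:db8:1::/64", "router_lifetime": 1800},
    {"t": 1.5, "proto": "icmpv6", "msg": "RA", "src_mac": "02:00:00:00:00:99", "src_ip": "fe80::99",
     "prefix": "2001:db8:bad::/64", "router_lifetime": 1800},
    {"t": 2.0, "proto": "icmpv6", "msg": "RA", "src_mac": "02:00:00:00:00:01", "src_ip": "fe80::1",
     "prefix": "2001:db8:1::/64", "router_lifetime": 1800},
]


def detect_rogues(events, dhcp_servers=AUTHORISED_DHCP_SERVERS, routers=AUTHORISED_IPV6_ROUTERS):
    """Flag DHCP OFFERs from unknown server IDs and RAs from unknown router MACs."""
    alerts = []
    for e in events:
        if e["proto"] == "dhcp" and e["msg"] == "OFFER" and e["server_id"] not in dhcp_servers:
            alerts.append({"kind": "rogue_dhcp", "t": e["t"], "source": e["src_mac"],
                           "offered_gateway": e["router"], "offered_dns": e["dns"]})
        elif e["proto"] == "icmpv6" and e["msg"] == "RA" and e["src_mac"] not in routers:
            alerts.append({"kind": "rogue_ra", "t": e["t"], "source": e["src_mac"],
                           "prefix": e["prefix"], "lifetime": e["router_lifetime"]})
    return alerts


def rogue_sources(events):
    """Distinct MACs behind all alerts, for follow-up on the switch port."""
    return sorted({a["source"] for a in detect_rogues(events)})


def client_config(events, xid):
    """What the client ends up using: a DHCP client accepts the first OFFER for its transaction."""
    offers = sorted((e for e in events
                     if e["proto"] == "dhcp" and e["msg"] == "OFFER" and e["xid"] == xid),
                    key=lambda e: e["t"])
    if not offers:
        return None
    first = offers[0]
    return {"server_id": first["server_id"], "gateway": first["router"], "dns": first["dns"]}


if __name__ == "__main__":
    for a in detect_rogues(EVENTS):
        print(a)
    print(client_config(EVENTS, 0x1a2b))   # the rogue's gateway and DNS, because it answered first
```

The DHCP check keys on the server identifier rather than the source MAC because a rogue can copy the real server's MAC more easily than it can know the segment's addressing plan; for RAs the MAC is what the sensor has. Either way the alert is only as good as the allowlist, which has to be maintained as equipment changes.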
The Domain Name System WHOIS lookup allows anyone to query the registration record of a domain in a generic TLD such as .com or .org and learn who the registered owner is. Criminals can misuse or abuse WHOIS data in a number of ways:
- Improper use of others’ WHOIS data: using publicly accessible personal data to spam, to harm (malware delivery) or to harass individuals;
- Giving false WHOIS details to registrars to avoid identification, in order to conduct illegal or harmful Internet activities (hosting child sexual abuse material, advance fee fraud, online sale of counterfeit pharmaceuticals);
- Using private domain registration (domain names registered via privacy or proxy services, or offshore) to obscure the perpetrator’s identity.