How hackers abused satellites to stay under the radar (2015) (arstechnica.com)
232 points by nwrk on June 8, 2017 | 60 comments



This beautiful exfiltration technique of actively sending packets to an IP address that will be routed on a link you can passively eavesdrop on -- in this case, a satellite link -- is one that appears in the leaked Snowden documents: (warning, classified document) https://snowdenarchive.cjfe.org/greenstone/collect/snowden1/...


I love the last slide:

- do "the right thing" (whatever you the analysts think that is)

- Let me guess - you want everything, don't you?


I've done a significant amount of research on these threat actors. Despite the high-tech exfiltration method and nation-state support, researchers were still able to easily find their infrastructure. Satellite communications were encrypted via self-signed SSL certificates. Using internet scanning, we could track their IP addresses and associated domains using the SHA-1 of their certificate (map certificate to hosting IP). Happy to answer questions, but you can also read more here: https://blog.passivetotal.org/snakes-in-the-satellites-on-go...


Are these satellites in geosynchronous orbit? If not, and you've got a copy of the malware, you ought to be able to narrow the location of the C&C server using its orbit and a correlation analysis of when the malware receives comms from the C&C. Depending on the orbit, I'll bet you could bracket it to a few degrees. Since the attackers can't stop answering C&C calls or their network collapses, merely publishing that you're doing such a search might be enough to disrupt their operations.

Then again, maybe this blog post was just such an announcement.

EDIT: I'm willing to bet that satellite downlink performance degrades in bad weather, so even if the sats are in geo-sync, you can just wait for inclement weather to mask a region of the cone.


$DAYJOB is about deploying satellite equipment.

> Are these satellites in geosynchronous orbit?

Yes. Satellites in other orbits require tracking antennas. A typical one has a four-figure cost at the very least. And if you need uninterrupted connection, you need to have at least two of them, one for tracking the one that sets, and another for tracking the one that rises.

> I'm willing to bet that satellite downlink performance degrades in bad weather

Ku band, as deployed, is highly resilient to bad weather. The SNR will drop, sure, but it will be well above the threshold where it becomes unintelligible to the receiver. These things are designed with worst weather conditions in mind. If you ever lost satellite TV during bad weather, that's due to your antenna shaking because of the wind, not rain fade.

DVB-S2 in particular supports adaptive coding and modulation (ACM). The standard supports between 4-PSK and 32-PSK, which can be changed by the ground station when fade is detected in their reference terminals scattered around the footprint region.

You can't really do that for TV links where the bandwidth allocation is more-or-less constant, but you can definitely change modulation for data links which are actually designed to handle such fluctuations in available bandwidth.


> If ever you lost satellite TV during bad weather, that's due to your antenna shaking because of the wind, not rain fade.

Huh, my observations have been different. I lose TV even before the rain and wind starts (trees make any wind quite visible), just because the dense dark rain clouds are blocking the signal path. The rain typically starts a couple minutes later.

For digital TV there's an incentive to maximize bandwidth. So they're going to trade off signal-to-noise to get 99.99% (1-10 minutes/mo), but not 99.99999%. Especially since, as you say, the wind will result in some signal interruptions anyway!


> So they're going to trade off signal-to-noise to get 99.99%, but not 99.99999%.

Depends on where you are in the footprint as well, but of course, totally forgot about the suits.

I should have said it's entirely possible to make Ku withstand the worst weather conditions known to mankind, which is not the case for Ka.

Trivia: Ku stands for K-under, and Ka stands for K-above, where K-band is IIRC something between 18-27 GHz. Electromagnetic transmissions in this spectrum are absorbed by water vapour, so it's a very bad idea to use this spectrum for satellite. Again IIRC, above 70 GHz the atmosphere stops being radio-transparent.

Ka is way more efficient, but you need a ground station, a satellite and modems that are built from the ground up to cope with rain fade. The tricks that work with Ku won't work with Ka.


You might not have the most optimal angle on your satellite antenna so it's very sensitive.


Yes, very likely. I used to install and service satellite TV systems. You probably have low signal strength to begin with. If not, perhaps there is a tree that only blocks the signal when it's windy.

I once had a customer that lost signal in the rain. After much investigation, I found a splice in the cable...in the gutters, which filled with water when it rained.


> If ever you lost satellite TV during bad weather, that's due to your antenna shaking because of the wind, not rain fade.

I wonder if that's why at my old job I was required to go onto the roof of a four-story building to check the dish. The dish sat on old railway ties on a wavy roof.

I had to jump from one roof to another; it was an L-shaped part of the roof where two buildings joined. I jumped onto a slanted icy roof in winter with a 50-foot drop to a parking lot.


Any comments about the three upcoming massive constellations from SpaceX, OneWeb, etc. and their pizza-box antennas?


Their best bet is to have multiple mobile C&C centers doing a random traverse around the cone and using some sort of scheme to decide who answers which calls - a consistent hashing scheme would work.

Of course, those paths would probably follow major roads, reducing the solution space to find a mobile adversary -- they aren't going to be roaming over open fields / not all points are equally probable.

It's an interesting cat-and-mouse problem, to be sure, but the blue team has far more computing power.


Ok, that is pretty interesting. I wonder if this will lead to an encrypted signal or deeper analysis of the uplink firewall logs.

I would guess you would defeat this once you know the C&C is operating by doing traffic correlation on 'bad' connections (connections which should not exist given the failed TCP handshake). Presuming you have core router access at the ISPs then you would tell your sniffer to capture all traffic after a C&C sequence detect and then work it backward to correlate related traffic. It would require participation on the part of the ISPs.


Proper reverse path filtering would also work. The C&C servers should not be able to spoof the IP of the legitimate satellite internet user to reply to the eavesdropped packets. One day.

https://tools.ietf.org/html/rfc2827


I don't get it. It is impossible to identify who receives the packets but TCP/IP requires an acknowledgement that the packets have been received before sending more packets. Surely the C&C could be tracked from this acknowledgement? Or were they using UDP?


For this to work you need: 1. a satellite client decoy system that drops packets (not deny); 2. a satellite client listening system; 3. another network connection that allows source spoofing.

If you are contacted on the decoy system, you just send the SYN+ACK packet over the other network with a spoofed address. You will be able to receive all the responses on the satellite connection and send all the responses over the source-spoofing network connection.


UDP for everything would be workable and would remove the need for any sort of spoofing on the uplink.


That would work for exfiltration, but not for the whole "command and control" part of C&C.


It sounds like the C&C server can detect any signal sent to the decoy host. So a TCP handshake might look like:

Victim to decoy: SYN

C&C to victim, posing as decoy, after reading the sequence number from message 1: SYN-ACK

Victim to decoy: ACK
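The handshake above, and the earlier suggestion to hunt for "bad" connections that progress despite a failed handshake, both point at the same detectable artifact on the satellite provider's side: the decoy subscriber receives a SYN, then ACKs and data, yet never transmits anything on that connection. The following is an added example of that detection logic (not code from the article, the thread, or the PassiveTotal post); the record format, the 203.0.113.0/24 subscriber range and the log lines are constructed.

```python
"""
Flag TCP sessions on a satellite ISP's link where the remote peer proceeds
past the SYN (sends ACKs, maybe data) although the subscriber never replied.

Why this is a signal: the decoy subscriber silently drops the victim's SYN
and the SYN-ACK is injected from some other, spoofing-capable network, so
the ISP delivers SYN, ACK and data to a subscriber that emitted nothing on
that 4-tuple.  A plain probe of a closed port looks different: the sender
only ever retransmits SYNs because it never received a SYN-ACK.

Caveat: the collector must see both directions.  If a subscriber's return
channel runs over a separate terrestrial path, every session looks
one-sided here and the rule must be fed the return-path records as well.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample packet records, one per line:
#   <epoch> <src_ip>:<src_port> > <dst_ip>:<dst_port> <tcp_flags>
# Flags use tcpdump letters: S=SYN, A=ACK, P=PSH, R=RST, F=FIN.
SAMPLE_LOG = """\
1496908800.001 198.51.100.7:51514 > 203.0.113.25:443 S
1496908800.620 198.51.100.7:51514 > 203.0.113.25:443 A
1496908800.640 198.51.100.7:51514 > 203.0.113.25:443 PA
1496908801.010 198.51.100.9:40001 > 203.0.113.30:80 S
1496908801.011 203.0.113.30:80 > 198.51.100.9:40001 SA
1496908801.600 198.51.100.9:40001 > 203.0.113.30:80 A
1496908802.000 198.51.100.11:55555 > 203.0.113.40:22 S
1496908803.000 198.51.100.11:55555 > 203.0.113.40:22 S
"""


@dataclass
class Session:
    """Per-4-tuple counters, keyed from the subscriber's point of view."""
    inbound_syn: int = 0     # SYN-only packets toward the subscriber
    inbound_ack: int = 0     # any ACK-bearing packet toward the subscriber
    inbound_data: int = 0    # PSH packets toward the subscriber
    outbound: int = 0        # anything the subscriber itself sent
    first_seen: float = 0.0
    last_seen: float = 0.0


def parse_record(line):
    """'ts src:sport > dst:dport flags' -> (ts, src, sport, dst, dport, flags)."""
    ts, src, _, dst, flags = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return float(ts), src_ip, int(src_port), dst_ip, int(dst_port), flags


def find_one_sided_sessions(log_text, subscriber_cidr):
    """Return sessions where the remote side sent ACKs/data but the subscriber
    never transmitted on that 4-tuple, as tuples of
    (subscriber_ip, subscriber_port, remote_ip, remote_port, inbound_ack_count)."""
    net = ipaddress.ip_network(subscriber_cidr)
    sessions = defaultdict(Session)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src_ip, sport, dst_ip, dport, flags = parse_record(line)
        if ipaddress.ip_address(dst_ip) in net:
            # Inbound toward a subscriber: classify by TCP flags.
            s = sessions[(dst_ip, dport, src_ip, sport)]
            if "A" in flags:
                s.inbound_ack += 1
                if "P" in flags:
                    s.inbound_data += 1
            elif "S" in flags:
                s.inbound_syn += 1
        elif ipaddress.ip_address(src_ip) in net:
            # Outbound from a subscriber: any packet at all clears the session.
            s = sessions[(src_ip, sport, dst_ip, dport)]
            s.outbound += 1
        else:
            continue  # transit traffic not involving a subscriber
        s.first_seen = s.first_seen or ts
        s.last_seen = ts

    findings = []
    for (sub_ip, sub_port, rem_ip, rem_port), s in sorted(sessions.items()):
        # The remote peer believes a handshake completed (it ACKs and pushes
        # data) while this link carried no reply from the subscriber.
        if s.outbound == 0 and s.inbound_ack > 0:
            findings.append((sub_ip, sub_port, rem_ip, rem_port, s.inbound_ack))
    return findings


if __name__ == "__main__":
    for hit in find_one_sided_sessions(SAMPLE_LOG, "203.0.113.0/24"):
        print("one-sided established session:", hit)
```

On the sample, only 203.0.113.25:443 is reported; the 203.0.113.30 session answered with its own SYN-ACK and the repeated SYNs to 203.0.113.40:22 never progress, so neither is flagged.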


I too wondered about it; unless the communication is 100% unidirectional, they must have some means of disguising the source of outgoing packets, probably involving at least source IP spoofing.


The last time I had read about this technique was in 2010. [1] Those slides are a very good explanation. Back then I thought about it as a way to either sniff confidential data from the downlink or to have an anonymous internet connection, provided your ISP doesn't filter spoofed IPs. Very interesting to see it used in the wild and for a C&C.

[1] http://www.blackhat.com/presentations/bh-dc-10/Nve_Leonardo/...


Dan Goodin has been writing articles about technology for many years now. How does he manage to keep doing so in such utterly incomprehensible fashion? I mean, I get that it's not intended for an audience of seasoned network engineers, but I don't see how it would leave a layman with a useful impression, either...


I don't understand how this allowed them to conceal their location. Surely whatever connection was being used to send commands could be traced back to the attackers. Could someone explain why this isn't the case?


The spoofed traffic theoretically could be traced back, but at the level of internet routing it would impose huge cooperation and monitoring requirements on a number of networks. (As we can presume the origin network that's letting spoofed traffic onto the internet isn't going to notice, and/or would be uncooperative to someone investigating the source of the traffic.)

And that monitoring would have to have been active while the traffic spoofing was ongoing. If an ISP has confidence that incoming traffic is spoofed they'll just drop the packets instead of routing. So we're now talking about storing metadata on traffic for after-the-fact analysis, which could be prohibitively expensive considering the amount of traffic transiting networks, and has privacy implications.


So this has to be some sort of state-sponsored hacking, right? I can't think of a non-government group who would have the knowledge, money, or motivation to research this just to mask their origin when there are far simpler ways of receiving transactions (i.e. Bitcoin).


Take a look at these slides. [1] They're from 2010. Hardware needed? Around $70. Knowledge? With those instructions, anyone. For the uplink you need to be able to spoof your IP, which would require finding an adequate ISP. [2]

[1] http://www.blackhat.com/presentations/bh-dc-10/Nve_Leonardo/...

[2] https://spoofer.caida.org/summary.php


Not necessarily.

I briefly pretended to be a criminal, mostly for fun. (Most readers will go "Uh huh" at this, but it was just a game.)

Say you're developing the next Silk Road. Say you have perfect opsec, and you never reveal any personal info. What are your risks?

The #1 risk is discovery of your physical location. Before every action, you must ask yourself: Will the next keystroke get me caught?

It takes immense discipline. I think rtm could probably do it if he put his mind to it. Maybe tlb. Few others seem to have the personality for this.

Solving the location hiding problem is the first step toward doing anything untoward. It's not as simple as "just use Tails." Try to build a service and you'll discover all the reasons.

Money is the other half. I guess I may as well tell the story. You need money in certain situations, and bitcoin isn't always good enough. You need untraceable cash that you can spend online. You also need burner phones that can't be tied to your physical location in order to sign up for all the normal services. If you use Tor, you'll quickly discover that ~every service prompts you for a phone number during account creation.

I solved this in a simple way: I waited until the middle of winter, then went to goodwill and bought a bunch of clothes, old shoes, and a facemask. I stuffed all of this in a trashbag, then paid a taxi in cash to drop me a couple miles from a certain store that had both prepaid visa cards and burner phones.

For the first half of the walk, I looked like a normal person walking along at night, carrying a trashbag. I ducked into a neighborhood whose streetlights were out, and went in between two houses. It was nearly pitch black as I put on the clothes from the trashbag. I left the bag plus my old shoes hidden there, then continued for the rest of the walk to the store. I bought $400 worth of $50 gift cards and two prepaid phones, then did the whole operation in reverse.

Why? Because when your opponent is a nation-state, you have a risk of being found via any other method. You can't drive anywhere because of license plate trackers. You can't show your face at the store thanks to facial recognition. You can't wear the same outfit without being picked up on CCTVs near your home base in the same outfit that you were wearing at the store.

The same care has to be taken when activating and using the burner phones. Every usage has to be treated as an operation, not an errand, or you're caught. You have to assume one mistake => caught.

It was very satisfying having $400 in untraceable cash to set up an untraceable service, complete with an online persona with gmail, twitter, github, and every other normal service.

The reason for this level of paranoia was that in addition to being a game, one of my main ambitions has been to fight against drug cartels. I wanted to use technology to do this.

My hypothesis was that right now, the main reason cartels are so powerful is that nobody is in a position to talk. Say you're a peon in a cartel: someone who unloads the drug buses that run from Mexico to Chicago, for example. You have very valuable knowledge: what times the buses will arrive, where they're unloading, who's involved. But even if you wanted to snitch, you'd suffer a fate worse than death if you're caught. What are you going to do? Keep submitting this info as anonymous tips to the FBI's website? There's no organized resource for peons to report activities like this. That's why I wanted to build one. It's like SecureDrop for fighting cartels rather than governments.

As you can tell from me posting this casually, nothing ever came of the experiment. But if it had, I would've slept quite soundly knowing my location was untraceable even with government-level resources aimed at tracking us down.

All of this is to say that the "location problem" is very relevant to pretty much any serious activity, government or not.


> Why? Because when your opponent is a nation-state, you have a risk of being found via any other method. You can't drive anywhere because of license plate trackers. You can't show your face at the store thanks to facial recognition. You can't wear the same outfit without being picked up on CCTVs near your home base in the same outfit that you were wearing at the store.

If your threat is a nation-state, you'd also do well to avoid walking anywhere critical where you might be recorded, because of gait signature identification, but you seem to have ignored that.


- did you have a cellphone in your pocket?

- where did you get the cash?

- by talking about it you negated all the advantages you built up

- if you walk into a store wearing a facemask you run the risk of being arrested or even shot because they assume you are robbing the store

- you may have left fingerprints in the store

- the cabdriver has seen your face and knows your home address, you should have walked to the spot where you changed your clothes

- the clothes bought at the goodwill, did you pay cash for those too?

- what happened to the clothes afterwards?

- how did you summon the cab to your change location?

- you're lucky that neither of the houses you changed next to had a dog


I'm not even GP but I think I can answer a lot of these. Are you maybe trying a little too hard to play devil's advocate?

- did you have a cellphone in your pocket?

After going through all of this, do you honestly think he forgot that detail?

- where did you get the cash?

That's a good question. Hopefully he withdrew a different amount of cash on a completely separate date, otherwise bank account and transactions surely could be linked.

- by talking about it you negated all the advantages you built up

He said he is only mentioning it now because he didn't actually go through with his plan i.e. he doesn't care.

- if you walk into a store wearing a facemask you run the risk of being arrested or even shot because they assume you are robbing the store

What country do you live in where you're shot for wearing a facemask? Holy shit.

- you may have left fingerprints in the store

Let's hope he wore gloves!

- the cabdriver has seen your face and knows your home address, you should have walked to the spot where you changed your clothes

Why does he know his home address? Taxis drive around in many cities. In most cities in Europe (regardless of size) there are taxis everywhere and also taxi parking spots, where there are usually a few taxis waiting.

- the clothes bought at the goodwill, did you pay cash for those too?

Is this a serious question? After all that other work and thinking the process through, why would he all of a sudden use a traceable ATM/credit-card?

- what happened to the clothes afterwards?

Hopefully burned. Or thrown away in a trash can far, far away. I would assume GP knows better than to throw them in his own trash.

- how did you summon the cab to your change location?

As mentioned above, taxis (in Europe at least) are everywhere. No need to summon. Just walk around for a few minutes.

- you're lucky that neither of the houses you changed next to had a dog

Why? Because the dog will bark? And? Dogs bark all the time, because there's a bird, a cat, leaves in the wind, etc.


> I'm not even GP but I think I can answer a lot of these

If you can, then he's failed even more. So no, I don't think that you can answer any of them.

The point I'm trying to make is that the best made plans of men and mice fail due to overlooking some small detail. I could easily make that list 10 times as long. One or more slip ups could allow someone to tie 1-and-1 together to make 3 and it is game over. The funniest part of this whole discussion is that it starts with utterly underestimating the enemy, which is a serious mistake right from getting out of the gate.

If you are going to do something as audacious as going up against a drug cartel you have to keep in mind that these are the kind of groups who would hesitate at absolutely nothing if they feel that you are their enemy. Informants and undercover police and other infiltrators (for instance from rival gangs) are routinely murdered, and their families too if that's how the wind blows.

Before you start on a job like that you begin with laying the groundwork over the course of several years; any step along the way that can give away the game will endanger you and those around you. This is not something you cook up one fine winter evening and put in motion without some extremely careful planning and creating multiple levels of cut-outs for any kind of activity that might point at your real identity.

The only thing buying a couple of burner phones with cash is going to do is raise suspicion; it is not going to do much in terms of protecting you.

If the OP would put his plan to go after some drug related criminal organization in motion the most likely outcome of the adventure would be 3 lines on page 12 of a newspaper mentioning a disfigured body found floating in a river or a missing person report.

Life is not a video game, you do not get 3 lives and the same player does not get to try again in case of failure.

If you didn't come from a life of crime or from a life of being in law enforcement, then your best strategy is to avoid at all costs getting mixed up in this sort of thing.

Even the Unabomber eventually got caught and he was a lot better at tradecraft than sillysaurus here.


I'm glad you raised these points, because it dissuades other people from trying this flippantly.

But for what it's worth, I carefully considered each of those points from the outset. I hatched the plan and spent several months preparing for it daily.

I left a lot of details out (I didn't anticipate much interest...) such as the practice operation I did prior to this. I'm glad I ran a fake one, since it revealed a lot of mistakes I would've made which would've scrubbed the operation.

> Before you start on a job like that you begin with laying the groundwork over the course of several years; any step along the way that can give away the game will endanger you and those around you. This is not something you cook up one fine winter evening and put in motion without some extremely careful planning and creating multiple levels of cut-outs for any kind of activity that might point at your real identity.

Anyone who's considering doing anything like this should take these words to heart.

If anyone is going to fight these people and win, it has to be one of us. That means you have to try. It's doable, but you have to be absolutely meticulous.

P.S. Still mildly hopeful you have a list of questions 10x as long.


Wait. I thought the Unabomber got caught after he made people publish his manifesto online/on TV. From what I remember from reading on the internet, his relatives identified certain key points in the manifesto and immediately tipped the FBI telling them about him and his similar ideologies.


Yes, exactly that is my point.

So after all that careful work he still managed to blow it by not thinking of one obvious thing and he's been rotting in jail, ironically after he swore he would stop his bombing spree if they published his writing. He could not have been more right about that, his writings definitely made an end to his life as a domestic terrorist.

Staying alive and free while you are making powerful enemies is hard. The Unabomber was one of the smartest terrorists ever (IQ 160+), had a really long time to prepare what he did, was a lone wolf (which is a huge advantage compared to a larger number of people) and in the end blew it completely.


I think the person you're replying to is more just poking at potential holes in the parent's post or pointing out common mistakes. I find the incredulousness that the parent would miss a tiny detail rather odd, since it happens to people even with the best-laid plans, or simple items we simply overlook. These would be pretty common and easy-to-forget tasks if you think in a mode of "in operation" versus "out of operation", and even if you are "in operation" all the time, mistakes still happen.

I've re-read the parent's post a few times and it doesn't sit quite right with me as being as secure as they make it out to be, at least not to the point that you can "[sleep] quite soundly knowing [your] location was untraceable even with government-level resources aimed at tracking us down."

Operating on two assumptions, that the government was both interested in finding you and willing to spend resources, I think that the majority of the above is just security theatre. The transaction at the POS associates the pre-paid cards, the phones, and the pre-paid plans for the phone. Even if they don't buy data for the phone, if it's 3G-enabled, as far as I know, this is easily traceable to some accuracy.

So even if the individual isn't directly linked, a location, time, and purchase are all associated. This gets you CCTV of the store and a general build of the person, even if they're bundled up. From there, the blanket surveillance cameras are likely enough to get a general direction of where the individual went, and probably enough to think to check local taxis or ride shares, etc. Plus, activating the phone itself is a potential threat as there is some degree of tracking available via cell phone signals. [1]

Honestly, even if there's not a direct link, I think there's enough to get you in the ballpark for where to be looking if the assumptions about who is looking for you with what resources, and this even avoids having to use expensive and out-there methods and techniques; these are already used readily in day to day police business, and even by private corporations. Just look up stories about lost children at Disney World and see how fast they could find children with just cameras and staff on the ground during the 90's. It's even easier now with all the technology Disney includes in the experience, but with just CCTVs recording to tape, they usually had a resolution within an hour.

Seems to me it'd make more sense to just have a patsy do the errands for them and pass it along so that it goes from buyer through some agents ultimately to the user.

[1] https://en.wikipedia.org/wiki/Mobile_phone_tracking

Edit: Included the wiki link I forgot :p


Just woke up. Here you go:

> did you have a cellphone in your pocket?

Of course not.

> where did you get the cash?

I withdrew $500 from an ATM, then spent several days breaking it into $20s at various tiny Mexican restaurants. No, I didn't have a phone while doing this either.

Important note: I planned on waiting a year after the operation before touching the funds to further reduce the risks.

> by talking about it you negated all the advantages you built up

There were no advantages left. I ended up so broke I had to use the $400 to pay bills. It was a sad day, but that's how things go sometimes.

Hopefully someone else here can use this info to carry the torch.

> if you walk into a store wearing a facemask you run the risk of being arrested or even shot because they assume you are robbing the store

That's why I waited until the middle of winter, when it was so cold it wasn't uncommon to be wearing a facemask.

> you may have left fingerprints in the store

I was careful to wear gloves, also bought from goodwill. Winter made this not-unusual.

> the cabdriver has seen your face and knows your home address, you should have walked to the spot where you changed your clothes

This was three years ago, and I got an important detail wrong in my comment: I did walk to the spot where I changed my clothes, then walked several more miles and hailed a cab. Not the other way around, like I originally said.

> the clothes bought at the goodwill, did you pay cash for those too?

Yes.

> what happened to the clothes afterwards?

The clothes, receipts, and everything else stayed in the trash bag, buried in the back of my closet. I never used the clothes again. Still have them, actually.

> how did you summon the cab to your change location?

After I was several miles away from home base, I walked until spotting one.

> you're lucky that neither of the houses you changed next to had a dog

The changing clothes part was easily the riskiest part of the operation. I brought a dim blue flashlight just to see. If anyone spotted me there, I would've pretended to be changing my shoes and called the whole thing off.

If you have a list of questions 10 times as long, better ask them so that someone else doesn't make any mistakes either.


> If you have a list of questions 10 times as long, better ask them so that someone else doesn't make any mistakes either.

I really do not wish to turn this thread into a basic tradecraft tutorial; besides, no matter what I add there will always be more stuff that you will mess up.

The only thing I want to achieve here is that people do not follow your silly advice and get themselves killed thinking they have discovered a fool-proof recipe for taking on large and dangerous game.


I agree that most people shouldn't try this, just like most people shouldn't try to be startup founders.

But you're the foolish one if you think nobody can succeed. There are no fool-proof recipes. You do your best, prepare meticulously, and play the odds.

I've spent many years reading police reports and paying attention to how people are caught. (The annoying thing about learning craft as a lone wolf is that you have to pay attention to deplorable characters to learn the cutting-edge techniques used to catch them.) This doesn't make me smart, nor does it make me invulnerable. Leaving ego at the door is step zero.

You bet it's large and dangerous, and that's partly why I backed down. But there are ways.

It's easy to be a keyboard warrior. It's not so easy to do anything about the problems that face us.

I like you. But you're dismissive of anything you feel treads on your domain. Are you sure you're the only one who's carefully considered the issues?

If you have points, I'm sure nobody would object to this thread turning into a tradecraft workshop. Things like that are why we're all here.


> I've spent many years reading police reports and paying attention to how people are caught.

The jails are full of people who thought they were really smart. Reading police reports does not prepare you for the reality; it only gives you a theoretical knowledge of what life on the other side of the line is like. Ironically, it might be the worst possible source of input because it only shows you what did not work; it does not show you what did work because you'll never hear about those things.

> It's easy to be a keyboard warrior.

Precisely.

> But you're dismissive of anything you feel treads on your domain.

No, I'm dismissive of advice that could get people in a lot of trouble. It's funny how people will prefix even the mildest legal advice with huge disclaimers but it's perfectly ok to dish out tradecraft advice of which you admit you only have a theoretical understanding and which could easily get someone in trouble, jailed or even killed.

You might as well tell people to watch CSI for inspiration if they decide to go after the mob by their lonesome.

And no, people are not here for advice on how to start a war with organized crime on a budget. I can see how it is nice to fantasize about being some kind of vigilante super-hero, but those are typically movies, not real life. In real life, unless you have a powerful organization of your own behind you when you start messing with the dark side, you will wind up dead. Talking tough is not going to get you points, and clothes bought in a thrift store do not offer magical protection.

But every time you power up your cellphone you tell a lot of people that can be bribed where you are (burner phones hide your identity only as long as you use them in places that are not associated with you), every time you walk out the door you leave a nice DNA trail, every time you use an app on your phone (and plenty of them just running in the background) it will tell tons of people (and networks where you can buy this info for cents or even for free) where you are to within an even smaller radius, and so on.

Being anonymous and staying anonymous over a long period of time are really not the same things. The risk of discovery goes up with every interaction and with the power of computers behind the party doing the search the fight is asymmetrical.

Let me give you one concrete example of how short the distance can be between being at large and the dreaded knock on the door.

Camarades.com had a bit of a problem with people stalking others, and one lady in particular was taking her chances. For 10 seconds she once pointed her camera at something other than her body, a mirror in the room, which reflected part of the scene outside. That was all it took for some crazy Italian to figure out where she lived and to show up on her doorstep three days of continuous driving later. I'm sure she never saw that one coming, and for you in the tech world this may seem like an 'obvious' mistake to make. But just like that you too will be making obvious mistakes, just different ones.


I appreciate the post, and you're an excellent writer. But I did address every one of your points. Cellphones have to be used with the same care as the original operation. Those 10 seconds you mention are something you can't do. If you're someone who is foolish enough to make those mistakes, you shouldn't be involved in any of this.

One thing that's helped me is to plan operations that can fail gracefully. For example, if anyone had spotted me during the op, I would've scrubbed it. No harm done. But since it was successful, I probably would have known about any mistakes that would've led to my exposure.

Note that word "probable." Once again, there's no such thing as a foolproof plan. You can only try.

None of my comments were "advice," either. They're an example that you can make progress, even if you're a lone wolf. Your first paragraph goes both ways: We don't hear about the successes.

The list of failures is long. If you don't have a meticulous personality, then these choices aren't for you. Meticulousness is more important than intelligence, though you do need a minimum level of competence to do anything.

But to insinuate that nobody anywhere can do anything is -- well, we'll let history be the judge of that.


One person entered a dark alley, and then a few minutes later one person with the same build wearing different clothes left...


Once you're wearing goodwill clothes on top of your regular clothes with a coat in winter, you end up looking quite different.


Sure, you might look different, but you won't be more (or less) than one person. Anyone with a counter can solve that riddle, and if we're talking about state-level tracking infrastructure, CCTVs and other parts of the Panopticon are on the table.


Or you could have just bought the cards with Bitcoin. Same for phone verification. By buying the card in person you leak a ton of location information.


Agreed, though it was three years ago when BTC was less useful. Does phone verification as a service really work now? Also I wonder how many gift cards you can purchase reliably and quickly.

FWIW, it was the same idea as this article, just a 20 mile radius instead of 600. General location was going to be leaked anyway since it's impossible to use the internet without doing so. Even if you rely on Tails with perfect opsec, traffic correlation can narrow down which region you're in. It's possible to figure out your timezone based on the times of your online interactions. If this SecureDrop offshoot was to succeed, it was going to require lots of communication with the press and with users. Much of the value of the service is knowing you're not alone, and that there are people who are incorruptible and can do something with the information. (My plan was to carefully vet the info for legitimacy, carefully anonymize it, then try to contact some special agent via email once I had anything actionable.)


Good post.

The only way to fight against drug cartels is to deal with the demand side.

As long as there is demand for an illegal product people will supply it. As long as there are illegal markets people will resort to using violence to resolve disputes, control the market, etc.


It's supposedly part of the Turla malware system, which was already suspected of being a state sponsored system.

However, I think there are many ways to mask origin. I wonder if this particular approach is intended so it becomes difficult to even shut down the botnet's C&C.

[speculation] Using a fixed domain or IP address for C&C lets authorities seize it, and even a sequence you can predict might be predicted by someone else. This can broadcast its presence to an arbitrarily chosen IP address of the class of those going out to the satellite receivers, and the C&C can filter all the traffic for this "I am here" message and can then conventionally communicate to the box, making blocking or spoofing the C&C harder. [/speculation]


So then how was this discovered?


I assume by looking at the command and control IPs and looking for what is common (i.e. that they were from satellite ISPs).

You can read the original post here: https://securelist.com/72081/satellite-turla-apt-command-and...


I don't understand how this works. The article doesn't go into much depth.

They listen on data coming from a satellite for certain IPs, then connect to those IPs directly? How does that allow two-way communication?


If I understand this correctly:

1. Infected system sends packets to a decoy

2. The decoy ignores the fake packets (dropped by firewall)

3. The real command center which is located in the same region as the decoy accepts the packets [1]

4. Real command center can still send commands to infected system via landline, but receive data by satellite.

[1] Satellite downlink data is sent to a relatively large area.


Infected system sends packets to a decoy what? Satellite? And then the satellite forwards it.


Let's say John lives near (200 miles away) the C&C server and that John's IP is 192.168.7.2. John is the decoy, so the malware sends requests to John's IP. John doesn't get the requests, due to his firewall blocking them, leaving these lingering open TCP connections. So the C&C server is free to finish the TCP handshake, spoofing their IP to be 192.168.7.2.

As far as anyone can tell they are John, but when you go to John's house to shut down the C&C server you end up at a dead end.


1) How does the satellite come into this.

2) How does the C&C server complete the request. Are the hanging ports on the victim's side?

3) If the C&C server completes the connection, how do they carry on talking? Just like spoofing IPs, you can't ever get a reply. Or do they do the John decoy thing for every packet?


1) The satellite system broadcasts to everyone (apparently poorly/not encrypted) in the area, so it isn't necessary to take over any upstream routing in order to get a hold of the incoming packets. They just arrive at your doorstep, and since you configured them to be rejected by normal clients you know you won't have to compete for the response.

2) The C&C just responds over regular land-line. (Since the satellite service is download-only, this isn't any different from the service's normal clients.)

3) The reply keeps coming back over satellite and they keep grabbing it?


I believe you are correct in your understanding. Mine was a little different. I thought this was a classic asymmetrical routing scenario on the Internet with a cool eavesdropper twist.

I'm assuming that because the sat system broadcasts unencrypted, you can sniff all the packets for all hosts on that network just like you can on a wifi network with the proper promiscuous mode receiver. An unencrypted shared broadcast medium.

So packet flow is routed inbound from victim as such

(victim SYN to decoy IP) to (internet) to (sat broadcast to geographic area decoy and attacker C&C)

But packet flow outbound from C&C to victim is handled differently via landline

(spoofed decoy IP) to (landline/internet) to (victim)

So packets come in via sat link but go out via spoofed source on a landline.


What satellite internet provider isn't doing egress filtering on their customers land-line connections?

Asking for a friend...
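The asymmetric flow sketched in the post above, together with the egress-filtering question just asked, as an added toy model that is not code from the article, the Kaspersky write-up or any commenter: a victim SYN is broadcast on the satellite downlink, the decoy's firewall drops it, the eavesdropping C&C answers over a landline with the decoy's address as source, and a BCP 38 source-address validation check at the landline ISP is what stops that spoofed reply. The class names, the single-packet handshake and all addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst flags")  # flags: "SYN" from victim, "SYN-ACK" from whoever answers

class SatelliteDownlink:
    """Unencrypted one-way broadcast: every dish in the footprint sees every packet."""
    def __init__(self, dishes):
        self.dishes = dishes
    def broadcast(self, pkt):
        for dish in self.dishes:
            dish.on_downlink(pkt)

class Decoy:
    """Legitimate subscriber whose firewall silently drops unsolicited SYNs (no RST goes back)."""
    def __init__(self, ip):
        self.ip, self.dropped = ip, []
    def on_downlink(self, pkt):
        if pkt.dst == self.ip and pkt.flags == "SYN":
            self.dropped.append(pkt)

class LandlineISP:
    """Attacker's terrestrial uplink; BCP 38 egress filtering rejects sources outside the customer prefix."""
    def __init__(self, customer_prefix, validate_source):
        self.prefix = ipaddress.ip_network(customer_prefix)
        self.validate, self.forwarded, self.blocked = validate_source, [], []
    def send(self, pkt):
        if self.validate and ipaddress.ip_address(pkt.src) not in self.prefix:
            self.blocked.append(pkt)  # spoofed source never leaves the ISP
        else:
            self.forwarded.append(pkt)

class EavesdroppingCnC:
    """C&C dish in the same footprint: grabs SYNs meant for the decoy, answers by landline as the decoy."""
    def __init__(self, decoy_ip, landline):
        self.decoy_ip, self.landline = decoy_ip, landline
    def on_downlink(self, pkt):
        if pkt.dst == self.decoy_ip and pkt.flags == "SYN":
            self.landline.send(Packet(src=self.decoy_ip, dst=pkt.src, flags="SYN-ACK"))

def run_scenario(egress_filtering):
    """Push one victim SYN through the model; all addresses are constructed (RFC 5737 ranges)."""
    decoy = Decoy("203.0.113.7")
    landline = LandlineISP("198.51.100.0/24", validate_source=egress_filtering)
    SatelliteDownlink([decoy, EavesdroppingCnC(decoy.ip, landline)]).broadcast(
        Packet(src="192.0.2.10", dst=decoy.ip, flags="SYN"))
    return {"decoy_dropped": len(decoy.dropped),
            "spoofed_replies_delivered": len(landline.forwarded),
            "spoofed_replies_blocked": len(landline.blocked)}
```

With `egress_filtering=False` the decoy drops the SYN and the spoofed SYN-ACK still reaches the victim; with it enabled the same SYN is dropped but the reply is blocked at the landline ISP, which is the point of the question above.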



Why pharmaceutical companies, I wonder?


Is this how /pol/ found Shia's flag?



