Confronting Address Space Hijackers

Tawn writes "There's a great story on SecurityFocus about hijackers taking over large allocations of IPv4 space with forged documents and false business fronts. Los Angeles County and some big multinationals have had /16's pulled out from under them in the last few months, and used to inject spam. ARIN and network operators are trying to get a handle on the problem. The owner of a webhosting company that wound up with L.A. County's /16 called it 'borrowed space,' and said he paid $500 for it to a guy he met online."

PROFIT!

[rkz (667993)]

1) Start a fake business

2) forge some documents

3) steal more IPs than the whole of china has

4) sell to spammers

5) PROFIT!!!!

(note, ??????? step not required)

Uh huh, yep

[Hamstaus (586402)]

Right... "borrowed". And that "guy I met in the van in the back alley" was just letting me "borrow" that plasma screen TV for $500.

Re:Uh huh, yep

[abigor (540274)]

How do you drink a monkey?

Hijackers?

[stanmann (602645)]

YOu know, as evil as this may be, Sitting on that quantity of Unused IP adresses is just as criminal. Perhaps Once they get the addresses back, they should consider selling or renting them out to raise some funds since California claims to be having budget problems. I'm sure some of these guys [slashdot.org] would be happy to put in a bid.

Re:Hijackers?

[koh (124962)]

Sitting on that quantity of Unused IP adresses is just as criminal.

I do agree with you here, but... ever heard about natural selection ?

IPv4 addresses have been designed in a time when there were at most a dozen people expecting IP to be used by more than a million users in the future. Just like the w2k bug (failed to) prove, old things should eventually die so that new ones can take the free slot. Yup, just like spammers should die so that other people may use those IP slots, but I digress.

IPv6 is here and would resolve the problem. This requires a huge switch however, and people won't be ready for it unless natural selection proves IPv4 hopelessly doomed.

So let spammers accumulate IPv4 addresses just a little more ;)

Re:Hijackers?

[TheCrazyFinn (539383)]

Considering that at MIT, Pop machines and Coffee Makers have IP's, they just might be using a reasonable amount of their /8

Re:Hijackers?

[shamino0 (551710)]

Agreed. They should return all the unused IP space for re-allocation.

It's not that simple.

The way I understand it, you can't just give back some of your addresses. You have to give back the entire block and then go through the whole lengthy application process to get a new block. Which means there will be a significant amount of time during which you have no addresses. And when you finally do get them, you'll have to renumber your network, because you won't get back addresses from the block you gave up. And if ARIN decides that you don't actually "need" as many addresses as you want to keep, you're SOL.

And if your network grows, you have to go through all the red tape of justifying your request for another/larger block.

The fact that you did the internet a service by surrendering a lot of unused addresses in the first place doesn't figure into thesedecisions.

For anybody who has a legacy class-B (or even class-A) block, it just doesn't pay to go through all the work, only to find yourself screwed in six months when you find that your new allocation wasn't big enough.

A little curious.

[Sheetrock (152993)]

How the hell can't you be a little suspicious of somebody offering you a Class C for $500 on the condition that you only use a small part of it? What, did it fall off a truck?

Re:A little curious.

[loucura! (247834)]

You mean you've never found a Class C in the middle of the street? I guess I should stop selling those things... but $500 buys a lot of beer...

Re:A little curious.

[Tumbleweed (3706)]

> but $500 buys a lot of beer...

Dude, you PAY for beer? I heard that there's a 'Linux' beer that's free...you should check it out.

Re:A little curious.

[tigress (48157)]

Sorry to be anal, but classful routing hasn't been used (by clueful people) for years now. Even then, a /16 would be the equivalent of a "B" class. Also, remember that the classes were limited to certain ranges, such as A-classes being 1.* to 127.*, B being 128.* to 191.* and so on. Anything dividing a classful block into something smaller would be a so called "subnet" (ever wondered where that name came from?).

Unfortunately, a certain networking hardware company still insists on teaching classful addressing, despite CIDR having been available for something like ten years now.

Re:A little curious.

[PurpleFloyd (149812)]

Classful routing terminology is still a useful form of shorthand. If you tell me that MIT has a Class A block, I know immediately that they have a network space the size of Asia, but if you tell me they've got an 8 bit block, I have to pause and think about it for a half second.

As for Cisco teaching classful addressing, that's justifiable. If the terminology is still in use among network folk, Cisco isn't doing a good job if they certify people who don't know how to communicate with their peers. Also, I can tell you that the CCNA exam did have several CIDR questions on it. Certifying someone as a network tech means testing all the knowledge they should know to do their job well. Since classful routing is still in the wild, network techs should know how to deal with it.

Someone he met online...

[mingot (665080)]

The owner of a webhosting company that wound up with L.A. County's /16 called it 'borrowed space,' and said he paid $500 for it to a guy he met online.

That's like getting stopped with a tractor trailer full of stolen goods and saying you bought it from some homeless guy on 82nd for 30 bucks.

This is why we need IPv6

[wfberg (24378)]

Oh.. no it's not.. </kneejerk>

Does LA county even need a public /16?

[realdpk (116490)]

Judging by the article, LA county was using that /16 for internal routing only. I understand that they probably got it when it was easy to get, but do they really still need it? On that note, how much IP space that is allocated is actually in use? I heard something like 25%..

Re:Does LA county even need a public /16?

[by Anonymous Coward]

Think that's bad?

Eighteen companies currently hold Class A allocations: Apple, AT&T, BBN Planet, Computer Sciences, Compaq, Ford, Eli Lilly, GE, Hewlett-Packard, Interop Show Network, IBM, MIT, Mercedes Benz, Merck, PSINet, Prudential Securities, Stanford University and Xerox.

Mercedes Benz needs 16777216 addresses??!!

Oh wait, I shouldn't include the broadcast addresses .0 and .255.255.255, so that's only 16777214 addresses. My bad. Seems reasonable.

Re:Does LA county even need a public /16?

[crow (16139)]

Note that that list is old, listing both HP and Compaq as having Class A networks. Does this mean that HP now has two class A blocks? Or is the list old, with much of that space having been reallocated?

Re:Does LA county even need a public /16?

[Yuan-Lung (582630)]

Does it make sense for some people to have multiple mensions while some others can't find a place to live?
Does it make sense for a small group people to hug a huge chunk of the worlds, while the others starve?
But hey, that's how the world works, for now and the foreseeable future, anyways.

Re:Does LA county even need a public /16?

[crapulent (598941)]

What's even worse is when you look at how few actual web sites are actually hosted in those "legacy class A" spaces. I've heard that, for example, GM has tons of ancient robotics and other embedded applications that are running on hard coded IPs in their allocated space. Not that they're publicly visible, just that no one really ever considered a scarcity of IP addresses in the past.

Here's a great link that shows where web servers are in relation to the various class A (/8) address spaces. [whois.sc] As you can see, they're mostly clumped in small zones, with a large majority of the IP space marked as either reserved or not in use for the "public" internet.

To some degree I'd say the scarcity of IP addresses is somewhat manufactured. While you don't want to go willy-nilly allocating large blocks, at some point you have to recognise the genuine need and start unreserving some space. Also, some concensus should be reached on all those "legacy" blocks that aren't being used efficiently.

Some of those are ISPs or have good reasons

[billstewart (78916)]

Currently? Looks like Stanford gave theirs back in ~2000. About 60% of the Class A space is unused now.

AT&T and BBN are ISPs, so they've got legitimate uses for large amounts of address space. (In AT&T's case, they got lucky, because while they were late getting into the ISP business, the Class A was a leftover from the Bell Labs Cray's Hyperchannel LAN, which for some reason had insisted on having a Class A network and couldn't be subnetted :-)

The Interop Show Network has always been special. For you young folks out there (:-), Interop used to be an engineering conference where vendors actually tested interoperability and worked on implementation bugs, as opposed to being primarily marketing-related, and back in ~1990, not everything knew how to do variable-length subnetting or CIDR or whatever, and the show needed real internet addresses, not just RFC1918, because it was connected to the Real Internet.

Auto companies have been an early developer of networking technology - there was all that ISO MAP/TOP stuff in the Mid-80s, and they were one of the big players in getting IPSEC to be a practical technology where equipment from multiple vendors actually interoperated as opposed to a custom thing for spooks and occasional banks. (That also affected the Crypto Export Regulations Wars of the 90s.) At least in the US, automobile manufacturing isn't really done by big monolithic integrated companies which could use 10.x intranets - it's done by a wide mesh of manufacturers of parts, subassemblies, components, random little job shops, etc., as well as the big companies that stamp out metal and assemble it into cars, rather like the computer and software industry except with a lot more metal shipped around, and they need registered address space to be able to talk to each other cleanly. I'm not sure that Mercedes needs all that space, but the industry certainly does.

As of December 2001, the biggest hog of Class A addresses was the US government, including the military and its friends like Halliburton. Also Eli Lilly had a Class A then...

Re:US bias, anyone?

[TheCrazyFinn (539383)]

DaimlerChrysler (Mercedes Benz is a nameplate, not a company) is most assuredly a US company, it's also a German company.

And I'd suspect that they got the /8 via Chrysler (Which was heavily involved with DARPA at the time IP was being rolled out, primarily for the M1 Abrams program).

But unlike many of the IT companies, they have a reduced need for IP space. BBNPlanet, AT&T, PSINet are all providers, and IBM and HP (As well as Compaq) both maintain huge semi-private networks.

Re:Does LA county even need a public /16?

[HaeMaker (221642)]

Allocaitons are made for organizations that need globally unique IP addresses, not necessarily connected to the Internet.

IBM owns 9.0.0.0/8, none of it is connected to the Internet. They use globally unique addressing in their internal network for private connections to other organizations, without fear of collisions.

This is typically no longer done and the IANA recommends you use a random range from private IP space from now on, except in rare cases.

Re:Does LA county even need a public /16?

[muzzmac (554127)]

Fuckem. I'm going to start using 9.0.0.0/8 internally so one day they can deal with a clash.

Find that in your due diligence!

Wot, you mean that ...

[binaryDigit (557647)]

That Class A block that I bought on ebay from the guy from Nigeria who spammed me via SMS isn't legit? I better quickly cancel that wire transfer of money to his cousin, you know, the finance minister until I can check out his story about the president dieing in a plane crash and leaving all that money that he was going to invest in helping Quark get its native OSX version done.

It's OK...

[hawthorne (220575)]

You can buy 10.x.x.x from me if you like - only $0.01 per IP address

Sounds like something Enron would do...

[by Anonymous Coward]

I'd never heard of Enron before they started running TV ads about how they sub-rented "unused bandwidth" from multi-nationals during their off-hours.

It wouldn't surprise me that this is one scam that they would have tried to pull.

I don't know about the rest of the world, and IANAL, but I rather suspect that any member in good standing of the Communications Bar would be able to make a very strong case about willful interference with a communications system.

Next thing you know, they'll be lighting OPDF. (Other People's Dark Fibre)

Signed communications to the registries

[Malc (1751)]

It won't guarantee that this won't happen, but signed communications would help. Private keys can be stolen though, but I suspect that takes more effort. A public key should be included in the registry application, or with whois record, or in some other private DB at the registry. I guess this would be the opposite of PGP encrypted mail where the private key is used to decrypt rather than encrypt.

Fraud is common

[msobkow (48369)]

With the still-ongoing cases over domain theft and fraud, is it at all surprising that it's also active in areas like IP block assignments?

I get SPAM with faked reply-to, sent-by, and domain names. Most hacks against my systems are from IP addresses that don't resolve back to a valid domain.

The only shock here is that someone was dumb enough to think they could get a /16 for only $500.

Re:Fraud is common

[gorbachev (512743)]

"The only shock here is that someone was dumb enough to think they could get a /16 for only $500."

He wasn't dumb at all. He knew exactly what he was doing, i.e. stealing IP space so that he could send his porn spam and host the porn sites at IP space that wouldn't easily track back to him.

It's just that, in typical spammer fashion, he lied to the reporter who called him about it. And in typical reporter fashion, the reporter believed him without verifying the facts.

Proletariat of the world, unite to kill

Whole block, or specific ones?

[Matrix272 (581458)]

There are a few posts about specific unused IP's being stolen, while the used ones went on working as normal... is that what happened, or did what's-his-name in Northern California take over the whole class C, similar to taking over a domain? If it was the latter, I'm surprised nobody's tried it before... given that it's really not extremely difficult to move a domain from one person to another, it can't be too hard to do the same for a block of IP's.

So is it certain IP's that weren't being used, or a large block of IP's that were just read internally from the servers and directed to where the servers thought they should go?

It would only be fair....

[by Anonymous Coward]

That this guy would end up in jail and that big guy in the cell next door merely "borrows" his ass for a pack of cigarettes.

I've got an easy solution to THIS one...

[Greyfox (87712)]

Charge the recipients of the space with fraud, theft of property and services and possibly forgery as well and send them to jail for a long time. They in effect comissioned the theft of that space and should be held responsible.

The legwork involved in assuring that a block of IPs is legitimate should be fairly simple and part of the network administrator's job. We're not talking about end-users here, we're talking about networking professionals acting on behalf of a corporation. If they don't do their job properly they should be held responsible for that failure, especially when the transaction should raise suspicions as these would.

The point?

[_Sharp'r_ (649297)]

What's the point of stealing IPs to spam? Haven't these guys ever heard of wardriving for IPs?

These guys really need some serious technical help...

(Yes, not meant seriously for those law/spam enforcement types out there!)

I submitted this...

[robslimo (587196)]

a couple of weeks ago. Not this particular article, but a little write-up with some nice links (rejected, of course).

Links:
In your face hijacking [merit.edu]

Current list of possible bogus bgp routes [cidr-report.org]

Oh, well.

Legit IP space should be easier to get

[sjhwilkes (202568)]

ARIN and their members made this problem for themselves. If legit space was easier to get - you currently need to prove you have 16000 hosts. Then people would be more traceable and accountable.

Spammers are now in a very tight spot in that their address space gets blacklisted faster than ever before so they have to keep changing - at the same time they're still making good money to use to bribe people (by paying way more for bandwidth than is normal) into taking their BGP advertisments for space of dubious origin.

The old swamp space is never going to be reclamed just because legally it would be such a pain to do so - it would make more lawyers rich, without solving the problem because there will always be space left that can be hijacked if only for a shorter and shorter time.

Simon

LA County needs a whole class B subnet?

[HornyBastard77 (667965)]

Just what is a single county doing with 65,534 IP addresses in the first place?

IPv6 may alleviate the current IP scarcity and the worldwide divide that it creates, but till that kicks in(and it doesn't look like it will anytime soon), ARIN et al need to take a closer look at this IP hoarding. Till that happens, this hijacking of IP space might be a good solution for ISPs in China, India, etc.

Re:LA County needs a whole class B subnet?

[capnjack41 (560306)]

My old university has all of 149.150.x.x. There's about 10,000 students & faculty, and each machine used to occupy a single public IP. Now, they have several private VLAN's (10.x.x.x), so now only every building has an IP (well, a few addresses). So between regular Internet access, plus servers, etc., there's probably a couple hundred IP's in use...out of 65534! Aces.

I'd also like to know if companies like IBM, GE, and such really use all of their class A's; or of the US DoD really uses their multiple class A's (at least 3 that ARIN would let me check before they started denying my frequent requests -- that's at least 50 million addresses)

I'll go one better

[SquadBoy (167263)]

I have a whole bunch of 10.0.0.0/8 address spaces for sale. :)

Only the beginning

[globalar (669767)]

This problem will grow with more address space. Though the value of individual addresses will diminish in the future with IPv6, it is important to keep virtual property lines clear. This needs to be handled now. Exceptions made are only going to lead to problems in the future.

Possible solution

[Todd Knarr (15451)]

Perhaps we ought to go to what we had with DNS domains back before Verisign privatized: you create a PGP public key and register it when you get your block, and from there on out any requests to change information about that block are only valid if they're signed with that key (or after some very stringent checks if you claim you've lost the key). That'd make it more difficult for hijackers to change the registration information.

other items for sale:

[JDizzy (85499)]

The Brooklyn Bridge, the New York Sewer system.

Send me a check for $500 and they will be yours!

Solution

[LittleGuy (267282)]

Arm DNS Registrars with guns and tazers

Ask users to take off shoes before mass e-mailing

Round up geeks and other suspicious technical people as 'persons of interest' to secure undisclosed locations...

Wait, these guidelines are from Homeland Security.

Confronting these hijackers - Daytime TV style

[Torgo's Pizza (547926)]

You know, sometimes I think the answer to "confronting" these pigs is to not use the courts, but use Jerry Springer.

Jerry: Today on our show, we have people who have stolen IP addresses to send SPAM. Why did you do it Larry?

Larry: Jerry, it's an addiction I have. I just feel the need to tell everyone that by sending money to my friend in Nigeria, they can get a stimulating diplomia and have investment opportunities in appendage lengthening. Is that so wrong? Audience boos.

Jerry: Not everyone agrees with you. Let's bring out a system administrator whose IP you hijacked.

SysAdmin: Appears from backstage. Upon seeing Larry, rushes him fists raised. You stupid #$@&! I'll kill you! I'll kick your fsking @$$! Throws chair. Is restrained by large bald stagehand. You stole my IP! I'll get you!

Re:Confronting these hijackers - Daytime TV style

[lmfr (567586)]

"You stole my IP!"

SCO is really getting into our heads...

You too can have your own /16..

[Elk_Moose (575881)]

Get Yours Now on Ebay! [ebay.com]

Don't know if it legit or not but here is one on Ebay now :) Hurry and get your own 65535 addresses!

Spammers, scorched earth and stolen subnets

[Xeger (20906)]

This article raises an interesting point. When a spammer successfuly hijacks address space and uses it to send spam, his IPs are naturally going to appear on various blacklists before too long.

The problem isn't limited to blacklists, either. Bayesian spam filters [paulgraham.com] will quickly learn to recognize Received-From headers bearing the stolen IPs. Collaborative hashing filters [sourceforge.net] will also be affected, to a degree.

So...the spammer steals a subnet, uses it to spam for awhile, and then is either shut down or abandons his activities. He leaves behind a zone of "scorched earth" -- addresses that are effectively cannot host a mail transfer agent. It is now the job of the next legitimate recipient to clean up the spammer's mess. He might not even notice anything's wrong until half his emails have gone missing and the other have are bounced with mysterious messages. Having identified the problem, it is now up to him to track down various blacklists and get his addresses removed. The damage done to the Bayesian and collaborative filters simply cannot be undone. Mail will be lost.

To me, this is the real tragedy. Once an address block has been used for spamming, it's effectively ruined until someone inherits it and puts a great deal of time and effort into restoring its good reputation.

Selling a subnet?

[Hayzeus (596826)]

How would one LEGITIMATELY go about this. The article mentions grey market brokers, but how would one go about getting rid of an IP-block they actually own? Or can they even be legally transfered?

In related news...

[Realistic_Dragon (655151)]

Executives at SCO, the RIAA, Amazon and other large companies sufered public embarrisment when it was annouced that IP was being stolen and they rushed home to see if they owned any of it to sue over.

Re:Tony Soprano will be hiring you!

[Tumbleweed (3706)]

"You know, it'd be a shame if something were to happen to that subnet..."

Re:255x255!!!??

[shamilton (619422)]

That's just completely wrong. It could be as many as 65534 usable addresses. Networks certainly needn't be on octet boundaries.