

Confronting Address Space Hijackers
Tawn writes "There's a great story on SecurityFocus about hijackers taking over large allocations of IPv4 space with forged documents and false business fronts. Los Angeles County and some big multinationals have had /16's pulled out from under them in the last few months, and used to inject spam. ARIN and network operators are trying to get a handle on the problem. The owner of a webhosting company that wound up with L.A. County's /16 called it 'borrowed space,' and said he paid $500 for it to a guy he met online."
PROFIT! (Score:4, Funny)
2) forge some documents
3) steal more IPs than the whole of china has
4) sell to spammers
5) PROFIT!!!!
(note, ??????? step not required)
Great Firewall of China is a special case (Score:3, Insightful)
Uh huh, yep (Score:5, Funny)
Re:Uh huh, yep (Score:4, Funny)
Re:Uh huh, yep (Score:3, Funny)
And on a related note, I would also like to know how to drink a recipe?
Is that like trying to smell the color nine (which, obviously, is difficult)
Hijackers? (Score:5, Interesting)
Re:Hijackers? (Score:2, Redundant)
Can they do that? As I understood, ARIN only lets you sub-allocate ip space to entities you provide service for (say, downstream ISPs, etc). So unless the county becomes an ISP, I don't think this is feasible. It's been a while since I last dealt with ARIN (bending over backwards to obtain an extra
Sitting on that quantity of unused IP addresses is just as criminal.
Agreed. They should return all
Re:Hijackers? (Score:4, Informative)
It's not that simple.
The way I understand it, you can't just give back some of your addresses. You have to give back the entire block and then go through the whole lengthy application process to get a new block. Which means there will be a significant amount of time during which you have no addresses. And when you finally do get them, you'll have to renumber your network, because you won't get back addresses from the block you gave up. And if ARIN decides that you don't actually "need" as many addresses as you want to keep, you're SOL.
And if your network grows, you have to go through all the red tape of justifying your request for another/larger block.
The fact that you did the internet a service by surrendering a lot of unused addresses in the first place doesn't figure into these decisions.
For anybody who has a legacy class-B (or even class-A) block, it just doesn't pay to go through all the work, only to find yourself screwed in six months when you find that your new allocation wasn't big enough.
Re:Hijackers? (Score:2)
Re:Hijackers? (Score:5, Funny)
Re:Hijackers? (Score:2)
Re:Hijackers? (Score:2)
Re:Hijackers? (Score:3, Informative)
I guess none of you are old enough to remember when it was called "Soda Pop." Both "soda" and "pop" are simplifications of the longer term. "Pop" does tend to be used more in the east and midwest, and "soda" more on the west coast.
Re:Hijackers? (Score:3, Informative)
This is true if by "true" you mean "completely wrong." Soda pop is not made with bicarbonate of soda. You ever taste that stuff? There's a reason there is no "Arm & Hammer Cola." Yuk! Pop's made with CO2, plain and simple.
Some stuff that's made by fermentation, like root beer, gets its CO2 from little critters, but it's still CO2.
Re:Hijackers? (Score:3, Funny)
It's like having "Emergency Pants."
"You never know."
Re:Hijackers? (Score:5, Insightful)
I do agree with you here, but... ever heard about natural selection ?
IPv4 addresses have been designed in a time when there were at most a dozen people expecting IP to be used by more than a million users in the future. Just like the w2k bug (failed to) prove, old things should eventually die so that new ones can take the free slot. Yup, just like spammers should die so that other people may use those IP slots, but I digress.
IPv6 is here and would resolve the problem. This requires a huge switch however, and people won't be ready for it unless natural selection proves IPv4 hopelessly doomed.
So let spammers accumulate IPv4 addresses just a little more
Re:Hijackers? (Score:2, Insightful)
But honestly, is a large enough fraction of the user community going to be upset enough to change this? Probably not. Right now, businesses seem more than willing to shell out for a small CIDR address space, and NAT the internal addresses. Until there's a customer revolt, there's no reason for a monopoly to be overthrown.
A little curious. (Score:5, Funny)
Re:A little curious. (Score:5, Funny)
Re:A little curious. (Score:2)
I've got a legal class C that I got way back in 1991 or '92. I use it for my internal network, but it's worthless to me for the net at large...
BWP
Re:A little curious. (Score:3, Informative)
Re:A little curious. (Score:5, Funny)
Dude, you PAY for beer? I heard that there's a 'Linux' beer that's free...you should check it out.
Re:A little curious. (Score:4, Interesting)
Unfortunately, a certain networking hardware company still insists on teaching classful addressing, despite CIDR having been available for something like ten years now.
Re:A little curious. (Score:5, Informative)
As for Cisco teaching classful addressing, that's justifiable. If the terminology is still in use among network folk, Cisco isn't doing a good job if they certify people who don't know how to communicate with their peers. Also, I can tell you that the CCNA exam did have several CIDR questions on it. Certifying someone as a network tech means testing all the knowledge they should know to do their job well. Since classful routing is still in the wild, network techs should know how to deal with it.
Someone he met online... (Score:4, Interesting)
That's like getting stopped with a tractor trailer full of stolen goods and saying you bought it from some homeless guy on 82nd for 30 bucks.
Re:Someone he met online... (Score:2)
This is why we need IPv6 (Score:5, Funny)
Does LA county even need a public /16? (Score:5, Insightful)
Re:Does LA county even need a public /16? (Score:5, Interesting)
Eighteen companies currently hold Class A allocations: Apple, AT&T, BBN Planet, Computer Sciences, Compaq, Ford, Eli Lilly, GE, Hewlett-Packard, Interop Show Network, IBM, MIT, Mercedes Benz, Merck, PSINet, Prudential Securities, Stanford University and Xerox.
Mercedes Benz needs 16777216 addresses??!!
Oh wait, I shouldn't include the broadcast addresses .0 and .255.255.255, so that's only 16777214 addresses. My bad. Seems reasonable.
Re:Does LA county even need a public /16? (Score:5, Interesting)
IBM (Score:2)
Re:Does LA county even need a public /16? (Score:3, Interesting)
Re:Does LA county even need a public /16? (Score:5, Insightful)
Does it make sense for a small group of people to hog a huge chunk of the world's, while the others starve?
But hey, that's how the world works, for now and the foreseeable future, anyways.
Re:Does LA county even need a public /16? (Score:4, Informative)
Here's a great link that shows where web servers are in relation to the various class A (/8) address spaces. [whois.sc] As you can see, they're mostly clumped in small zones, with a large majority of the IP space marked as either reserved or not in use for the "public" internet.
To some degree I'd say the scarcity of IP addresses is somewhat manufactured. While you don't want to go willy-nilly allocating large blocks, at some point you have to recognise the genuine need and start unreserving some space. Also, some consensus should be reached on all those "legacy" blocks that aren't being used efficiently.
Some of those are ISPs or have good reasons (Score:4, Informative)
AT&T and BBN are ISPs, so they've got legitimate uses for large amounts of address space. (In AT&T's case, they got lucky, because while they were late getting into the ISP business, the Class A was a leftover from the Bell Labs Cray's Hyperchannel LAN, which for some reason had insisted on having a Class A network and couldn't be subnetted
The Interop Show Network has always been special. For you young folks out there (:-), Interop used to be an engineering conference where vendors actually tested interoperability and worked on implementation bugs, as opposed to being primarily marketing-related, and back in ~1990, not everything knew how to do variable-length subnetting or CIDR or whatever, and the show needed real internet addresses, not just RFC1918, because it was connected to the Real Internet.
Auto companies were early developers of networking technology - there was all that ISO MAP/TOP stuff in the mid-80s, and they were one of the big players in getting IPSEC to be a practical technology where equipment from multiple vendors actually interoperated, as opposed to a custom thing for spooks and occasional banks. (That also affected the Crypto Export Regulations Wars of the 90s.) At least in the US, automobile manufacturing isn't really done by big monolithic integrated companies which could use 10.x intranets - it's done by a wide mesh of manufacturers of parts, subassemblies, components, random little job shops, etc., as well as the big companies that stamp out metal and assemble it into cars, rather like the computer and software industry except with a lot more metal shipped around, and they need registered address space to be able to talk to each other cleanly. I'm not sure that Mercedes needs all that space, but the industry certainly does.
As of December 2001, the biggest hog of Class A addresses was the US government, including the military and its friends like Halliburton. Also Eli Lilly had a Class A then...
Re:US bias, anyone? (Score:5, Interesting)
And I'd suspect that they got the
But unlike many of the IT companies, they have a reduced need for IP space. BBNPlanet, AT&T, PSINet are all providers, and IBM and HP (As well as Compaq) both maintain huge semi-private networks.
Re:US bias, anyone? (Score:2)
Considering that DaimlerChrysler is the result of the merger between Daimler Benz and Chrysler, and much of the board is american, as well as most of their manufacturing presence, one can call them an American company as much as a German one. Determining the actual pro
Re:US bias, anyone? (Score:2)
Early-Adopter Bias, actually (Score:3, Insightful)
Re:Does LA county even need a public /16? (Score:5, Informative)
IBM owns 9.0.0.0/8, none of it is connected to the Internet. They use globally unique addressing in their internal network for private connections to other organizations, without fear of collisions.
This is typically no longer done and the IANA recommends you use a random range from private IP space from now on, except in rare cases.
Re:Does LA county even need a public /16? (Score:4, Funny)
Find that in your due diligence!
Wot, you mean that ... (Score:4, Funny)
It's OK... (Score:5, Funny)
Sounds like something Enron would do... (Score:3, Insightful)
It wouldn't surprise me that this is one scam that they would have tried to pull.
I don't know about the rest of the world, and IANAL, but I rather suspect that any member in good standing of the Communications Bar would be able to make a very strong case about willful interference with a communications system.
Next thing you know, they'll be lighting OPDF. (Other People's Dark Fibre)
Signed communications to the registries (Score:5, Interesting)
Re:Signed communications to the registries (Score:2)
Methinks it's time for option 3 to go, and options 1 and 2 to be combined.
Either that, or can someone give me a Class C to play with? I promise not to spam anyone.
Re:Signed communications to the registries (Score:2)
There isn't any cryptographic protocol that can solve such a problem, and that's why S-BGP and other "secure" BGP successors are almost completely irrelevant. Cryptography is not the answer to all attacks.
Fraud is common (Score:4, Insightful)
With the still-ongoing cases over domain theft and fraud, is it at all surprising that it's also active in areas like IP block assignments?
I get SPAM with faked reply-to, sent-by, and domain names. Most hacks against my systems are from IP addresses that don't resolve back to a valid domain.
The only shock here is that someone was dumb enough to think they could get a /16 for only $500.
Re:Fraud is common (Score:3, Insightful)
He wasn't dumb at all. He knew exactly what he was doing, i.e. stealing IP space so that he could send his porn spam and host the porn sites at IP space that wouldn't easily track back to him.
It's just that, in typical spammer fashion, he lied to the reporter who called him about it. And in typical reporter fashion, the reporter believed him without verifying the facts.
Proletariat of the world, unite to kill
Whole block, or specific ones? (Score:3, Interesting)
So is it certain IP's that weren't being used, or a large block of IP's that were just read internally from the servers and directed to where the servers thought they should go?
It would only be fair.... (Score:4, Funny)
what a riot (Score:2, Funny)
That's like saying, "Fucktard6969 on IRC said that the software he's hooking me up with is legit"
I've got an easy solution to THIS one... (Score:5, Interesting)
The legwork involved in assuring that a block of IPs is legitimate should be fairly simple and part of the network administrator's job. We're not talking about end-users here, we're talking about networking professionals acting on behalf of a corporation. If they don't do their job properly they should be held responsible for that failure, especially when the transaction should raise suspicions as these would.
Re:I've got an easy solution to THIS one... (Score:2)
But the guy selling the block already has plenty of documentation that verifies his story; that's how he got the addresses transferred to him in the first place. Are you saying every admin that wants to buy a couple of addresses needs to do more work than the company routing the traffic just to verify everything is legit?
Re:I've got an easy solution to THIS one... (Score:2)
I'm not saying that Joe Average Windows User should have to do research to make sure that the IP he's using from his ISP is legit. I'm saying that the network administrator for that ISP should. It should be pretty easy to check to see when the IP
The point? (Score:5, Funny)
These guys really need some serious technical help...
(Yes, not meant seriously for those law/spam enforcement types out there!)
I submitted this... (Score:5, Informative)
Links:
In your face hijacking [merit.edu]
Current list of possible bogus bgp routes [cidr-report.org]
Oh, well.
Legit IP space should be easier to get (Score:5, Interesting)
Spammers are now in a very tight spot in that their address space gets blacklisted faster than ever before, so they have to keep changing - at the same time they're still making good money to use to bribe people (by paying way more for bandwidth than is normal) into taking their BGP advertisements for space of dubious origin.
The old swamp space is never going to be reclaimed just because legally it would be such a pain to do so - it would make more lawyers rich, without solving the problem because there will always be space left that can be hijacked, if only for a shorter and shorter time.
Simon
Re:Legit IP space should be easier to get (Score:2)
I'd like to set up a redundant internet connection across multiple ISPs for my data center (colo isn't an option for medical data), but, as far as I can tell, I need to get a large netblock to get a BGP advertisement. I don't need a large netblock, though, I just need the redundancy.
I could have one of my ISP's do a classless CIDR thingy for me, but then I'm back to depending on an ISP's connection, sorta defeating the point of having the redundant conn
LA County needs a whole class B subnet? (Score:3, Interesting)
IPv6 may alleviate the current IP scarcity and the worldwide divide that it creates, but till that kicks in(and it doesn't look like it will anytime soon), ARIN et al need to take a closer look at this IP hoarding. Till that happens, this hijacking of IP space might be a good solution for ISPs in China, India, etc.
Re:LA County needs a whole class B subnet? (Score:5, Interesting)
I'd also like to know if companies like IBM, GE, and such really use all of their class A's; or if the US DoD really uses their multiple class A's (at least 3 that ARIN would let me check before they started denying my frequent requests -- that's at least 50 million addresses)
Re:LA County needs a whole class B subnet? (Score:3, Interesting)
because Australia pays so much for internet traffic, everything must be accounted for, so each student who wants internet access has a dialup with a static IP, and each desktop machine has a world-routable static IP from the class B (which is in turn routed internally into class A and CIDR blocks)
And Apple uses its 17.0.0.0/8.. it has hundreds of offices around the world thousa
Re:LA County needs a whole class B subnet? (Score:3, Informative)
I know a hospital in Toronto that had a
Re:LA County needs a whole class B subnet? (Score:2)
Re:LA County needs a whole class B subnet? (Score:2, Informative)
You can't accuse someone of "hoarding" when they were following ARIN's recommendations.
I'll go one better (Score:4, Funny)
Maybe he's legit (Score:2, Funny)
Only the beginning (Score:3, Insightful)
Possible solution (Score:4, Informative)
Perhaps we ought to go to what we had with DNS domains back before Verisign privatized: you create a PGP public key and register it when you get your block, and from there on out any requests to change information about that block are only valid if they're signed with that key (or after some very stringent checks if you claim you've lost the key). That'd make it more difficult for hijackers to change the registration information.
Re:Possible solution (Score:3, Informative)
Re:Possible solution (Score:3, Informative)
Most of the big bandwidth providers don't just automatically accept any IP blocks you advertise. They want to know beforehand what blocks you'll be using. If you can't alter someone else's netblock registration to reflect your information, it makes it a lot harder to fake out the provider. Either you have to go to the trouble of forging all your documentation to look like the real owner or as soon as the provider you're trying to use checks the registration they'll see that the info for the owner of the blo
other items for sale: (Score:4, Funny)
Send me a check for $500 and they will be yours!
interesting (Score:2, Interesting)
Solution (Score:5, Funny)
Arm DNS Registrars with guns and tazers
Ask users to take off shoes before mass e-mailing
Round up geeks and other suspicious technical people as 'persons of interest' to secure undisclosed locations...
Wait, these guidelines are from Homeland Security.
Confronting these hijackers - Daytime TV style (Score:5, Funny)
Jerry: Today on our show, we have people who have stolen IP addresses to send SPAM. Why did you do it Larry?
Larry: Jerry, it's an addiction I have. I just feel the need to tell everyone that by sending money to my friend in Nigeria, they can get a stimulating diploma and have investment opportunities in appendage lengthening. Is that so wrong? Audience boos.
Jerry: Not everyone agrees with you. Let's bring out a system administrator whose IP you hijacked.
SysAdmin: Appears from backstage. Upon seeing Larry, rushes him fists raised. You stupid #$@&! I'll kill you! I'll kick your fsking @$$! Throws chair. Is restrained by large bald stagehand. You stole my IP! I'll get you!
Re:Confronting these hijackers - Daytime TV style (Score:5, Funny)
SCO is really getting into our heads...
You too can have your own /16.. (Score:5, Interesting)
Don't know if it's legit or not, but here is one on Ebay now :) Hurry and get your own 65535 addresses!
Re:You too can have your own /16.. (Score:2)
It's all clothing, women's in fact. Now he just happens to acquire a
I need to get in and find that Ebay Wholesale CD that they are selling there, maybe I can find me a
Re:You too can have your own /16.. (Score:2)
They were buyers of the clothing, and of the 3 items that I was able to look at that they were sellers of...
2 were routers, and one was invalid.
This is going to keep happening... (Score:3, Insightful)
Spammers, scorched earth and stolen subnets (Score:5, Interesting)
This article raises an interesting point. When a spammer successfully hijacks address space and uses it to send spam, his IPs are naturally going to appear on various blacklists before too long.
The problem isn't limited to blacklists, either. Bayesian spam filters [paulgraham.com] will quickly learn to recognize Received-From headers bearing the stolen IPs. Collaborative hashing filters [sourceforge.net] will also be affected, to a degree.
So...the spammer steals a subnet, uses it to spam for a while, and then is either shut down or abandons his activities. He leaves behind a zone of "scorched earth" -- addresses that effectively cannot host a mail transfer agent. It is now the job of the next legitimate recipient to clean up the spammer's mess. He might not even notice anything's wrong until half his emails have gone missing and the other half are bounced with mysterious messages. Having identified the problem, it is now up to him to track down various blacklists and get his addresses removed. The damage done to the Bayesian and collaborative filters simply cannot be undone. Mail will be lost.
To me, this is the real tragedy. Once an address block has been used for spamming, it's effectively ruined until someone inherits it and puts a great deal of time and effort into restoring its good reputation.
Re:Spammers, scorched earth and stolen subnets (Score:3, Interesting)
But! On the flip side. Can I buy a block of "scorched" IPs for cheap? To maybe host gaming servers? Lots of good profit making ways to use IPs; that don't include email.
Point me in the right direction; I'm ready!
Re:Spammers, scorched earth and stolen subnets (Score:3, Informative)
Duh, they just as quickly UNLEARN those same addresses when the sewage stops spilling. Bayesian classifiers have NOTHING to do with "scorched earth" network blocks, and never have.
The real problem is private access_db blacklists that someone tosses an address into, and forgets about it. The next guy that takes his admin job doesn't even know it's there.
BIG Deal! (Score:3, Funny)
Selling a subnet? (Score:4, Interesting)
In related news... (Score:5, Funny)
Stop (Score:3, Interesting)
1. blocked spam at the client based on content, not by blocking IP addresses
2. let people spam.
If we know who and where the spammers are and let them have their own little space in the world, and didn't outright reject talking to them, they wouldn't be doing this sort of thing. The biggest problem is that the cost to download is a large multiple of the cost to upload, since you can send to a whole lot of people in one shot, but there's an easy technical solution to that (don't let people send an email to 5000 people at your server in one shot).
Maybe it's time to treat them like the parts of the porn industry that work with filtering companies to identify themselves. Give them their own little sandbox to play in, don't threaten to shut them off, and then block them at the client side, or once they are in the mailbox, because what we are doing to fight them isn't working (as evidenced by my pile of spam despite all possible server-side filtering techniques) and they are going to fight dirty if they can't have a chance fighting fair.
You may now mod this down.
i've seen this firsthand (Score:3, Interesting)
A few months ago spammers started to hijack IP space that was registered to companies that are now out of business, which means that most likely nobody is going to notice what they've done.
After a while it's almost like getting squatters' rights - I've been using it and nobody else has a real claim to it, so it's mine.
Re:hijackers? (Score:2, Redundant)
Re:Gee (Score:2)
Why go through all the trouble if there are an abundance?
Re:Gee (Score:2, Funny)
"There's anything up to 100 of these blocks out there on the loose," estimates Richard Cox.
Where can I get one? I was just saying to myself the other day, 'my 15-system home network REALLY needs some routable address space.' And my bonus check for this quarter just came in... what great timing!
Re:all the more reason (Score:3, Informative)
Look at this:
Spam supporting ISP ServInt [servint.net] is announcing routes for the netblock containing this IP: 203.25.208.131
traceroute shows that IP be
Re:all the more reason (Score:2, Funny)
255x255!!!?? (Score:2, Informative)
255 addresses x 255 networks - 2 (network and broadcast) = 65023 IP addresses
That's a whole hunka lotta internet...
Re:255x255!!!?? (Score:5, Informative)
Re:255x255!!!?? (Score:2)
256 x 256 useable addresses, not addresses x networks. Right idea, wrong numbers. To think I actually *passed* that test too.
Not to mention it's probably far fewer addresses because it's probably been vlsm'ed to death in order to make more money.
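The provider-side check described in the "Possible solution" thread above (a transit provider only accepts the prefixes a customer's registration covers) and the /16 address arithmetic from this thread, as an added example that is not code from the thread or from any provider. It assumes a per-customer table of registered prefixes (`AUTHORIZED`, constructed here from RFC 5737 documentation ranges) plus a small list of non-routable space, and uses only Python's standard `ipaddress` module.

```python
import ipaddress

# Constructed sample of what a provider holds for the "tell us beforehand which
# blocks you'll announce" check: for each customer, the prefixes their
# registration covers and the longest more-specific they may announce from
# each. RFC 5737 documentation ranges, not real allocations.
AUTHORIZED = {
    "customer-a": [("192.0.2.0/24", 24)],
    "customer-b": [("198.51.100.0/24", 26)],
}

# Space a customer session must never be allowed to announce: RFC 1918 private
# space and a few other non-routable ranges.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]


def classify(customer, prefix_text):
    """Decide whether one announced prefix may be accepted from `customer`.

    Returns (decision, reason) with decision 'accept' or 'reject'.
    """
    try:
        # strict=True rejects "192.0.2.1/24": host bits set in a route.
        prefix = ipaddress.ip_network(prefix_text, strict=True)
    except ValueError as exc:
        return ("reject", f"malformed prefix: {exc}")
    if prefix.version != 4:
        return ("reject", "not an IPv4 prefix")
    for bogon in BOGONS:
        # Reject both a more-specific inside non-routable space and a covering
        # prefix (up to 0.0.0.0/0) that would swallow it.
        if prefix.subnet_of(bogon) or bogon.subnet_of(prefix):
            return ("reject", f"overlaps non-routable space {bogon}")
    for auth_text, max_len in AUTHORIZED.get(customer, []):
        auth = ipaddress.ip_network(auth_text)
        if prefix.subnet_of(auth):
            if prefix.prefixlen > max_len:
                return ("reject",
                        f"longer than the /{max_len} allowed inside {auth}")
            return ("accept", f"covered by registered prefix {auth}")
    return ("reject", "not covered by any prefix registered to this customer")


def filter_announcements(customer, announced):
    """Apply classify() to each prefix; returns {prefix: (decision, reason)}."""
    return {p: classify(customer, p) for p in announced}


def address_counts(prefix_text):
    """(total addresses, usable host addresses) for an IPv4 prefix.

    Network and broadcast addresses are excluded for prefixes shorter than
    /31; /31 and /32 reserve nothing (RFC 3021).
    """
    net = ipaddress.ip_network(prefix_text, strict=False)
    total = net.num_addresses
    usable = total - 2 if net.prefixlen < 31 else total
    return total, usable


if __name__ == "__main__":
    announced = ["192.0.2.0/24", "192.0.2.0/25", "203.0.113.0/24",
                 "10.1.0.0/16", "192.0.2.1/24"]
    for prefix, (decision, reason) in filter_announcements("customer-a", announced).items():
        print(f"{prefix:18} {decision:7} {reason}")
    print("a /16 holds", address_counts("192.0.2.0/16"))
    print("a /24 holds", address_counts("192.0.2.0/24"))
```

This only helps while the registration itself is intact: as the "Possible solution" comment notes, a hijacker who has already altered the registry record with forged paperwork will pass this check, which is why the thread pairs it with signed change requests to the registry.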
Re:255x255!!!?? (Score:2)
Re:Maybe someone could explain this (Score:2, Informative)
(1) Official, legit way: become a member (fees required) of your RIR (Regional Internet Registry or something similar). Apply for assignment of unallocated space. Example is this fee schedule from APNIC [apnic.net]
The downside here is that you can't get (and pay for) just a few addresses.
(2) Common, legit way: sign up for some kind of service package with an ISP and ask for however many IP addresses you want. You generally pay monthly or annually based on your service agreement and number of IP addr
Re:Tony Soprano will be hiring you! (Score:5, Funny)
Re:OT: What is a "multinational?" (Score:2, Informative)