Confronting Address Space Hijackers

Tawn writes "There's a great story on SecurityFocus about hijackers taking over large allocations of IPv4 space with forged documents and false business fronts. Los Angeles County and some big multinationals have had /16's pulled out from under them in the last few months, and used to inject spam. ARIN and network operators are trying to get a handle on the problem. The owner of a webhosting company that wound up with L.A. County's /16 called it 'borrowed space,' and said he paid $500 for it to a guy he met online."

Maybe someone could explain this

[Slashdotess]

Maybe someone could explain this? How does the whole buying and selling of IPs work?

Re:Maybe someone could explain this

you can buy them from microsoft, visit the msn sales site.

Re:Maybe someone could explain this

[robslimo]

Serveral ways.

(1) Official, legit way: become a member (fees required) of your RIR (Regional Internet Registry or something similar). Apply for assignment of unallocated space. Example is this fee schedule from APNIC
The downside here is that you can't get (and pay for) just a few addresses.

(2) Common, legit way: sign up for some kind of service package with an ISP and ask for however many IP addresses you want. You generally pay monthly or annually based on your service agreement and number of IP addresses.
The downside here is that those IP addresses aren't really yours. Your ISP just let's you use them and handles the routing for you. In some cases, you ISP doesn't even 'own' them... their upstream just lets them use the IP addresses.

(3) Hijack them. (a) start announcing bogus routes and hope no one notices very soon. (b) Hijack a RIR (ARIN, RIPE, APNIC, etc) tech/admin handle for an unused or under utilized netblock and then start announcing routes (you're a little more likely to be trusted this way).

Re:Maybe someone could explain this

Its hard to announce a bogus route that most ASs can see these days. Lots of backbones only permit announcements into their AS that match what is in a routing registry (e.g. radb.org)

Re:Maybe someone could explain this

[NoMoreNicksLeft]

(4) Build a new global, routed network using private address space with VPN software. Keep other people from hijacking it this network....

Re:Maybe someone could explain this

[Cramer]

Technically, IANA owns all IPv4 addresses (and maybe IPv6 too). Everyone else is leasing them from someone up the tree to IANA. As a general rule, address space not leased from a RIR is not portable -- meaning it's not yours to be subdivided all over the internet.

PROFIT!

[rkz]

1) Start a fake business

2) forge some documents

3) steal more IPs than the whole of china has

4) sell to spammers

5) PROFIT!!!!

(note, ??????? step not required)

Re:PROFIT!

Hell, I'd just sell all those IP's to China, I'm sure they'd appreciate it.

Re:PROFIT!

Same thing.

Re:PROFIT!

Don't forget to patent your process to make even more money!

Uh huh, yep

[Hamstaus]

Right... "borrowed". And that "guy I met in the van in the back alley" was just letting me "borrow" that plasma screen TV for $500.

Re:Uh huh, yep

[abigor]

How do you drink a monkey?

Re:Uh huh, yep

How do you drink a monkey?

One gulp at a time. The tricky part is getting him into the blender...

Re:Uh huh, yep

[bev_tech_rob]

Put it in a blender and hit 'Liquefy' :)

Re:Uh huh, yep

[3waygeek]

Put it in one of these, add an appropriate amount of rum, and enjoy.

Re:Uh huh, yep

[bovilexics]

And on a related note, I would also like to know how to drink a recipe?

Is that like trying to smell the color nine (which, obviously, is difficult)

Re:Uh huh, yep

[whathappenedtomonday]

obviously, you havenÂt yet listened to the square root of color nine. wait till you get to feel the scent of color nineÂs breath :)

http://www.doctorhugo.org/synaesthesia/e-kes.htm

Re:Uh huh, yep

[Erik+Hensema]

The block was used by a spammer. Spammers actually think that stealing makes a good business plan.

Re:Uh huh, yep

Very carefully.

Re:Uh huh, yep

[FurryFeet]

Nine smells like shit. That is because, you know, seven eight him.
*Ducks and runs for cover*

Hijackers?

[stanmann]

YOu know, as evil as this may be, Sitting on that quantity of Unused IP adresses is just as criminal. Perhaps Once they get the addresses back, they should consider selling or renting them out to raise some funds since California claims to be having budget problems. I'm sure some of these guys would be happy to put in a bid.

A little curious.

[Sheetrock]

How the hell can't you be a little suspicious of somebody offering you a Class C for $500 on the condition that you only use a small part of it? What, did it fall off a truck?

Re:A little curious.

isn't /16 a class B?

Re:A little curious.

[loucura!]

You mean you've never found a Class C in the middle of the street? I guess I should stop selling those things... but $500 buys a lot of beer...

Re:A little curious.

a /16 is a class B

Re:A little curious.

[Gleep]

Yeah, that too me would automatically ring the Bullshit alarm. Also, who is this guy to tell me how much of this /16 i can use when i just "bought" it from him? Complete bullshit.

Re:A little curious.

Yes, and my cat's breath smells like catfood.

Re:A little curious.

[bovinewasteproduct]

I don't know of a single ISP that will route a single class C anymore. The routing tables are just too full to handle small blocks like that.

I've got a legal class C that I got way back in 1991 or '92. I use it for my internal network, but it's worthless to me for the net at large...

BWP

Re:A little curious.

[digitalsushi]

Upstreams will grandfather you if you're ancient- we have 8 /24s that all get announced. Granted, we're working on renumbering but that's a lot of people to call- a multi year backburner project. New allocations, however, won't be announced unless they're a /20 or bigger... (thats 4,096 IP addresses in a row)

Re:A little curious.

[tigress]

Sorry to be anal, but classful routing hasn't been used (by clueful people) for years now. Even then, a /16 would be the equivalent of a "B" class. Also, remember that the classes were limited to certain ranges, such as A-classes being 1.* to 127.*, B being 128.* to 191.* and so on. Anything dividing a classful block into something smaller would be a so called "subnet" (ever wondered where that name came from?).

Unfortunately, a certain networking hardware company still insists on teaching classful addressing, despite CIDR having been available for something like ten years now.

Re:A little curious.

[Tumbleweed]

> but $500 buys a lot of beer...

Dude, you PAY for beer? I heard that there's a 'Linux' beer that's free...you should check it out.

Re:A little curious.

Speakeasy will.

Re:A little curious.

[geekoid]

I would, but a lot of people have no dea how that works, or its cost. So it sounds like a good deal.

I go to this site called Amazon.com, and I get book real chaep, somtine half off. should I assume there selling stollen merchindise?

I don't actuall use Amazon, but I think you get my point.

Re:A little curious.

[loucura!]

...

It wasn't +5 funny... jeez

Re:A little curious.

[illumin8]

Hate to break it to you, but /16 is a class B, not a class C...

Re:A little curious.

[istartedi]

I heard that there's a 'Linux' beer that's free

Yes, and it's very popular in the 3rd world. Of course this is Linux were talking about here. It doesn't come in a bottle. It comes in a burlap sack, and you have to configure it yourself, but it's definitely free.

Re:A little curious.

[PurpleFloyd]

Classful routing terminology is still a useful form of shorthand. If you tell me that MIT has a Class A block, I know immediately that they have a network space the size of Asia, but if you tell me they've got an 8 bit block, I have to pause and think about it for a half second.

As for Cisco teaching classful addressing, that's justifiable. If the terminology is still in use among network folk, Cisco isn't doing a good job if they certify people who don't know how to communicate with their peers. Also, I can tell you that the CCNA exam did have several CIDR questions on it. Certifying someone as a network tech means testing all the knowledge they should know to do their job well. Since classful routing is still in the wild, network techs should know how to deal with it.

Re:A little curious.

[prockcore]

> but $500 buys a lot of beer...

Dude, you PAY for beer? I heard that there's a 'Linux' beer that's free...you should check it out.

Hah! Everyone knows that Linux is free as in speech, not free as in beer.

Re:A little curious.

[bovinewasteproduct]

yeah, but I was offnet for about a year and well....

Re:A little curious.

[Alioth]

Have you ever noticed that the Cisco logo looks like a pair of tits? Need to wonder now? :-)

Re:A little curious.

[xmundt]

Yea, but, it is also strained through the kidneys of a bunch of Anonymous Cowards first
pleasant dreams

Re:A little curious.

[Cramer]

That space is referred to as "the swamp" (and for good reason.) That space should still be globally routable. My BGP tables have thousands of /24's in there (even from Sprint who publicly state /20 is as small as they go.) And SAVVIS is sending things as small as /29's -- their inbound filter will allow us to send them /32's!

Re:A little curious.

[thogard]

The tables aren't too full. When there are 2^32 entires in the routing tables, then they will be full but not a day before then.

The problem with routing tables is the way they work. For a small outfit, the world appears as inside and maybe two outbound links. You can precalculate where a packet for each address would go and build a huge bit table so you can make that decisions quickly. That table doesn't even need to be built on the router.

The problem is we are using routers that have a long history and we are paying for it. If AIAN simply said they are going to be handing out /24 with no consolidation then everyone would have to make sure their routers could cope with 16 million entries. If a router has 11 interfaces to the outside world (which is quite a few), then it needs nearly 8 megabytes of memory to hold the table to figure out where the packets are suppoed to go. So why can't my cisco with 64 meg deal with the current route tables? The answer is that its being very stupid about how it manages route data. Add in the fact that IANA is full of a bunch of morons that think Cisco can do no wrong and you end up with the current situation.

AT&T had a router that did this very thing 1/2 a decade ago. It could pick the interface that a packet was suppoed to go to in under 3 nanoseconds which was faster than anything Cisco could do. Of course if they used cache tag ram, it could have done it in a fraction of that time.

Re:A little curious.

[tigress]

The problem is not Cisco teaching classful addressing. I'm not complaining about that. The problem is Cisco teaching classful addressing as if it's THE technology, the one they SHOULD use, instead of teaching CIDR and also state that people used to (and some still do) used Classful adressing, which works like This...

I've met I don't know how many CCNAs that, while they're aware of something called CIDR, they are too stuck into their mindset of classfulness, "borrowing bits" and other legacy concepts that it takes longer to retrain them than it'd take to train someone from scratch.

Someone he met online...

[mingot]

The owner of a webhosting company that wound up with L.A. County's /16 called it 'borrowed space,' and said he paid $500 for it to a guy he met online.

That's like getting stopped with a tractor trailer full of stolen goods and saying you bought it from some homeless guy on 82nd for 30 bucks.

Re:Someone he met online...

[Bull999999]

But officer, I didn't steal them, I just borrowed them without permission!

This is why we need IPv6

[wfberg]

Oh.. no it's not..

Re:hijackers?

hiÂjack also highÂjack Audio pronunciation of hijacker ( P ) Pronunciation Key (hjk) Informal
tr.v. hiÂjacked, hiÂjackÂing, hiÂjacks

1.
1. To stop and rob (a vehicle in transit).
2. To steal (goods) from a vehicle in transit.
3. To seize control of (a moving vehicle) by use of force, especially in order to reach an alternate destination.
2.
1. To steal from as if by hijacking.
2. To swindle or subject to extortion.

Falls under number 2, section 2

In related news...

ps reports some process hijacking large parts of my machines address space. Confronting the problem using a quick /sbin/pidof X | xargs kill has somehow not proven to be a viable solution either...

Re:hijackers?

[coyote-san]

I'm pretty sure that usage follows earlier usage to describe stealing a rig and cargo from a trucker, and is entirely appropriate in this case since it involves the unauthorized redirection of a transportation mechanism from one purpose to another without permission by the owner(s).

Re:Hijackers?

Sitting on that quantity of Unused IP adresses is just as criminal

So, is sitting on that massive supply of toilet paper I bought at Sam's the other day for, ah, emergencies?

dog bites man

[jbaltz]

This has been on NANOG for at least a month now...

all the more reason

[poison_reverse]

.... to get ipv6 of the ground - u wonthave to steal ip's cuz everyone man woman child and animal will have their own with plenty left over!

Re:all the more reason

[robslimo]

I don't think you understand. Spammers hijack the netblocks because network admins block email (and sometimes all) traffic from known spam IP addresses and netblocks. The spammers steal someone else's netblock to spew out their garbage. Then it's up to the rightful owners of the netblock to clear the collateral damage to their own networks and the spammers move on.

Look at this:

Spam supporting ISP ServInt is announcing routes for the netblock containing this IP: 203.25.208.131
traceroute shows that IP being handled by ServInt in Mclean, VA, USA.

That netblock belongs to:

inetnum: 203.25.208.0 - 203.25.223.255
netname: GREENWAY-AU
country: AU

descr: BRISBANE QLD
descr: AUSTRALIA 4000

Re:all the more reason

You forgot toasters. I have a full LAN of all sorts of toasters waiting for IPv6.

Does LA county even need a public /16?

[realdpk]

Judging by the article, LA county was using that /16 for internal routing only. I understand that they probably got it when it was easy to get, but do they really still need it? On that note, how much IP space that is allocated is actually in use? I heard something like 25%..

Re:Does LA county even need a public /16?

Think that's bad?

Eighteen companies currently hold Class A allocations: Apple, AT&T, BBN Planet, Computer Sciences, Compaq, Ford, Eli Lilly, GE, Hewlett-Packard, Interop Show Network, IBM, MIT, Mercedes Benz, Merck, PSINet, Prudential Securities, Stanford University and Xerox.

Mercedes Benz needs 16777216 addresses??!!

Oh wait, I shouldn't include the broadcast addresses .0 and .255.255.255, so that's only 16777214 addresses. My bad. Seems reasonable.

Re:Does LA county even need a public /16?

[bballad]

Out of all of the companies listed I only see 3 mabey 4 that need a class A the rest should(and probably are) use local only addresses for their internal mahines and have small footprints to the web.

Re:Does LA county even need a public /16?

I could only imagine that LA county does not need that much space. It is an artifact when address space was easy to come by.
Just like my company has just started switching offices over to using part of the /16 our UK brethren acquired. Imagine, these guys somehow got a /16, and their facility only has approx 25 servers and 100 workstations total. They do no kind of virtual hosting on those servers either.
What kills me is the hoopla over the shortage of address space and all the companies using public addresses internally only. My office here in the US has two class C blocks used as completely private space. I've asked to look into being good netizens and returning the allocations. Nope, we paid for it, why give it back? Oh, because we never needed it??

Re:Does LA county even need a public /16?

[HaeMaker]

Allocaitons are made for organizations that need globally unique IP addresses, not necessarily connected to the Internet.

IBM owns 9.0.0.0/8, none of it is connected to the Internet. They use globally unique addressing in their internal network for private connections to other organizations, without fear of collisions.

This is typically no longer done and the IANA recommends you use a random range from private IP space from now on, except in rare cases.

Re:Does LA county even need a public /16?

[crow]

Note that that list is old, listing both HP and Compaq as having Class A networks. Does this mean that HP now has two class A blocks? Or is the list old, with much of that space having been reallocated?

Re:Does LA county even need a public /16?

[borroff]

Anyone notice that Compaq and HP have merged? Do they need 3.2 million addresses now?

Re:Does LA county even need a public /16?

[Lord_Slepnir]

I wouldn't worry about Mercedes Benz using that many addresses. There are legit uses, like putting a wireless computer in cars that they make, and then providing service to maps or GPS or AIM or whatever.

What I would worry about is Apple. I doubt there are 16 million Apple computers in existance, let alone at apple inc.

And I'd keep an eye on Ford. The day that Ford puts a [working] wireless computer into each car, we'll all be on IPv8

Re:Does LA county even need a public /16?

Anyone notice that Compaq and HP have merged? Do they need 3.2 million addresses now?

No, they need 33 million ;)

Re:Does LA county even need a public /16?

[petrilli]

BBN actually has 2 natural Class A addresses (4/8 and 8/8), which were transfered to GTE Internetworking, then Genuity, then to Level 3 during the acquisition. Very long story, but you kinda get to assign whatever you need when you get to be AS1 as well. Anyway, 4/8 is heavily divided up and assigned out to customers as well as being used for the internal network. During the integration by Level3, my understanding is that a lot of these will be renumbered into 4/8 from the Level3 blocks, just as Level3 will likely renumber to AS1. It's simply easier, and has a bit of cachet.

8/8, on the other hand, has never been used as far as I know, but is held in reserve, because simply getting that kind of address space flexibility is impossible in this day and age. Yeah, probably not the "right thing," to do, but there it is.

Re:Does LA county even need a public /16?

8/8, on the other hand, has never been used as far as I know, but is held in reserve, because simply getting that kind of address space flexibility is impossible in this day and age.

Well, chances are, given the subject of this story, it has been or soon will be used ;) Sounds like prime real estate for hijackers. Flexibility indeed.

Re:Does LA county even need a public /16?

[Gerald]

Mercedes Benz needs 16777216 addresses??!!

Probably not. Would they be delivering value to their investors by giving them back? Definitely not.

Re:Does LA county even need a public /16?

[perp]

Eighteen companies currently hold Class A allocations: Apple, AT&T, BBN Planet, Computer Sciences, Compaq, Ford, Eli Lilly, GE, Hewlett-Packard, Interop Show Network, IBM, MIT, Mercedes Benz, Merck, PSINet, Prudential Securities, Stanford University and Xerox.

I don't know where this list came from, but it's not complete. NortelNetworks still owns the old Bell Northern Research Class A (47.0.0.0/8).

Re:Does LA county even need a public /16?

[Yuan-Lung]

Does it make sense for some people to have multiple mensions while some others can't find a place to live?
Does it make sense for a small group people to hug a huge chunk of the worlds, while the others starve?
But hey, that's how the world works, for now and the foreseeable future, anyways.

Re:Does LA county even need a public /16?

[A5un]

Plus some more from Bay Networks I assume.

Re:Does LA county even need a public /16?

[muzzmac]

Fuckem. I'm going to start using 9.0.0.0/8 internally so one day they can deal with a clash.

Find that in your due diligence!

Re:Does LA county even need a public /16?

[Florian+Weimer]

IBM owns 9.0.0.0/8, none of it is connected to the Internet. They use globally unique addressing in their internal network for private connections to other organizations, without fear of collisions.

IBM is so special that they can't use 10.0.0.0/8 like everybody else?

(Actually, the assignment predates the reservation of 10/8, so that's not a valid complaint. Unfortunately, renumbering is infeasible, even in this case.)

Re:Does LA county even need a public /16?

[Zeinfeld]

--Mercedes Benz needs 16777216 addresses??!!
Probably not. Would they be delivering value to their investors by giving them back? Definitely not.

I don't have an issue with Chrysler, IBM and the rest having mondo IP addresses. They did not design the system, they did not create the problem.

I do have an issue with MIT's behavior. It is kind of like, we will design a system with an obvious flaw but that will not matter because we have fixed things so that we won't be affected by the flaw.

The Internet design was not the farsighted exercise now claimed. They were only building a system for higher education and a few partners and only in the US. The address allocation looks reasonable in that context.

At the moment there are plenty of IPv4 addresses left. There are several /8 blocks entirely unused. It does not make sense to spend millions to reclaim a small number of addresses while there are still unused ones.

At some point however China is going to start having real scarcity problems. I doubt that IBM, HP and the rest will be hanging onto their /8's long. China can always threaten to allocate them and advertise the routes. Think through the recourse that the original owners would have at that point.

Re:Does LA county even need a public /16?

[crapulent]

What's even worse is when you look at how few actual web sites are actually hosted in those "legacy class A" spaces. I've heard that, for example, GM has tons of ancient robotics and other embedded applications that are running on hard coded IPs in their allocated space. Not that they're publicly visible, just that no one really ever considered a scarcity of IP addresses in the past.

Here's a great link that shows where web servers are in relation to the various class A (/8) address spaces. As you can see, they're mostly clumped in small zones, with a large majority of the IP space marked as either reserved or not in use for the "public" internet.

To some degree I'd say the scarcity of IP addresses is somewhat manufactured. While you don't want to go willy-nilly allocating large blocks, at some point you have to recognise the genuine need and start unreserving some space. Also, some concensus should be reached on all those "legacy" blocks that aren't being used efficiently.

Re:Does LA county even need a public /16?

yup, 15 and 16. The plan is to migrate to 16.

Re:Does LA county even need a public /16?

[weeboo0104]

Mercedes Benz also includes Daimler-Chrysler. Actually, I was surprised not to see General Motors on that list. The computing infrastructure of the automotive companies is amazing.

Re:Does LA county even need a public /16?

[LucidityZero]

It's a good list, but a few things are wrong:

PSINet has been gone for quite a while now. I don't know who owns their space now, though.

DoD owns two class A's.

Genuity owns a class A.

Re:Does LA county even need a public /16?

[cesspool]

im suprised there is no Microsoft on that list...

Re:Does LA county even need a public /16?

[pacman+on+prozac]

You forgot halliburton.

They obviously need a class A to run their 200 or so websites.

/me slaps cheney around a bit with a large <VirtualHost> directive.

Re:Does LA county even need a public /16?

[dago]

in fact, according to IANA, which are responsible for the IP adress space,

HP got space from Compaq which also got the ones from Digital

015/8 Jul 94 Hewlett-Packard Company
016/8 Nov 94 Digital Equipment Corporation

and from whois, compaq has a small /16 (161.114.0.0/16)

they may have other network ranges from acquisitions, so ...

Re:Does LA county even need a public /16?

So is that more than Asia with its 3 billion people?

Re:Does LA county even need a public /16?

Don't forget digital equipment's old class a.. that makes 3

Re:Does LA county even need a public /16?

[pne]

I once spent a couple of days in a company that used 6.0.0.0/8 for their private intranet... I wonder what the DoD thought of that.

Re:Does LA county even need a public /16?

Compaq and HP? That's two Class A's under the control of the evil Ms. CEO. One should be summarily cancelled and reallocated ASAP (where HP does not determine what's AP!).

Wot, you mean that ...

[binaryDigit]

That Class A block that I bought on ebay from the guy from Nigeria who spammed me via SMS isn't legit? I better quickly cancel that wire transfer of money to his cousin, you know, the finance minister until I can check out his story about the president dieing in a plane crash and leaving all that money that he was going to invest in helping Quark get its native OSX version done.

Re:Wot, you mean that ...

No need to invest in Quark...

It's done.

Sounds like something Enron would do...

I'd never heard of Enron before they started running TV ads about how they sub-rented "unused bandwidth" from multi-nationals during their off-hours.

It wouldn't surprise me that this is one scam that they would have tried to pull.

I don't know about the rest of the world, and IANAL, but I rather suspect that any member in good standing of the Communications Bar would be able to make a very strong case about willful interference with a communications system.

Next thing you know, they'll be lighting OPDF. (Other People's Dark Fibre)

Signed communications to the registries

[Malc]

It won't guarantee that this won't happen, but signed communications would help. Private keys can be stolen though, but I suspect that takes more effort. A public key should be included in the registry application, or with whois record, or in some other private DB at the registry. I guess this would be the opposite of PGP encrypted mail where the private key is used to decrypt rather than encrypt.

Re:Signed communications to the registries

[jd]

Typically, namespace admins offer you three choices for changing the owner:

• PGP/GPG-signed request
  
• Other form of authenticated request
  
• Plain, unauthenticated e-mail, snail mail or fax
  

Methinks it's time for option 3 to go, and options 1 and 2 to be combined.

Either that, or can someone give me a Class C to play with? I promise not to spam anyone.

Re:Signed communications to the registries

[Florian+Weimer]

Unfortunately, your proposal is completely irrelevant. In the cases I know, the communication channel between the ISP and ARIN was not compromised. The ISP just sent bogus data, acting on forged customer requests.

There isn't any cryptographic protocol that can solve such a problem, and that's why S-BGP and other "secure" BGP successors are almost completely irrelevant. Cryptography is not the answer to all attacks.

Re:Signed communications to the registries

[Jerk+City+Troll]

What the fuck are you talking about? Have you even the slightest comprehension of how the protocols PGP uses work?

Please, I emplore you to go read this introduction and maybe supplement it with this document before your brain conjours up another thought.

You do have the right idea, however. Public key authentication is useful for so many things and this is one of them. Basically, all parties involved have public and private key pairs established before any transactions take place. After that, all messages for transactions are then signed so the sender can prove their identity to the recipient. If the signature of the message is invalid, the message is ignored. The adversary in this case, spammers, are probably not sophisticated enough to acquire the private key of either party (assuming good cryptographic policy is adhered to) or solve the factoring dillema on which public key cryptography is based.

It all comes down to authentication. If you have a system in place where a message can be authenticated, you have that much more security. If not, you get situations like these where the stakes are high and forgeries are nearly trivial.

Re:Signed communications to the registries

[Malc]

Yes I do know how PGP works. I was only had the encryption process in my head when I wrote that message, not signing.

Fraud is common

[msobkow]

With the still-ongoing cases over domain theft and fraud, is it at all surprising that it's also active in areas like IP block assignments?

I get SPAM with faked reply-to, sent-by, and domain names. Most hacks against my systems are from IP addresses that don't resolve back to a valid domain.

The only shock here is that someone was dumb enough to think they could get a /16 for only $500.

Re:Fraud is common

[gorbachev]

"The only shock here is that someone was dumb enough to think they could get a /16 for only $500."

He wasn't dumb at all. He knew exactly what he was doing, i.e. stealing IP space so that he could send his porn spam and host the porn sites at IP space that wouldn't easily track back to him.

It's just that, in typical spammer fashion, he lied to the reporter who called him about it. And in typical reporter fashion, the reporter believed him without verifying the facts.

Proletariat of the world, unite to kill spammers

Re:Fraud is common

What? I got a 127/8 for only $250! I just can't get it routed right now.

Re:Fraud is common

[ What? I got a 127/8 for only $250! I just can't
get it routed right now. ]

I can fix your problem for $100, I've got lots of
192.168/16 right here!

Re:Fraud is common

[poot_rootbeer]

Most hacks against my systems are from IP addresses that don't resolve back to a valid domain.

Since when does using an IP address oblige me to use DNS as well?

Back in my day we used bang-paths in our email addresses and we LIKED it that way, dadgummit!

Re:Fraud is common

[DustMagnet]

If he is anything like other spammers we've heard from, he probably thinks it's moral for him to do this. It's the people blocking him he blames.

Re:Fraud is common

[Florian+Weimer]

With the still-ongoing cases over domain theft and fraud, is it at all surprising that it's also active in areas like IP block assignments?

Procedures for DNS registrations and customer/ISP/ARIN communications are somewhat different. (In fact, IP WHOIS and DNS WHOIS server completely different purposes, DNS WHOIS is just for the lawyers.)

But it's not hardly suprising that such plots are successful. Spotting forgery requires skillful people with a suitable time budget, but it's hard to pay them in the current market.

Whole block, or specific ones?

[Matrix272]

There are a few posts about specific unused IP's being stolen, while the used ones went on working as normal... is that what happened, or did what's-his-name in Northern California take over the whole class C, similar to taking over a domain? If it was the latter, I'm surprised nobody's tried it before... given that it's really not extremely difficult to move a domain from one person to another, it can't be too hard to do the same for a block of IP's.

So is it certain IP's that weren't being used, or a large block of IP's that were just read internally from the servers and directed to where the servers thought they should go?

Re:Whole block, or specific ones?

I need some help choosing a new computer, a computer which will match my "lifestyle".

First, a few facts about me,

• 26 years old
• Effeminate
• Gay
• "bareback rider"
• HIV positive
• San Francisco resident
• love quiche, brie, and croissants.
• Streisand's biggest fan

What kind of computer should I buy? Would Apple Mac be a good choice?

It would only be fair....

That this guy would end up in jail and that big guy in the cell next door merely "borrows" his ass for a pack of cigarettes.

Re:It would only be fair....

You have to admit...

<sarcasm>Rape is FUNNY! </sarcasm>

MAYBE YOU COULD RTFA

Hijacking an IP block is cheap, and it bypasses conservation measures imposed by the regional registries: to get a large allocation legally, one must first demonstrate an immediate need for the space; it's not enough to want it. Then you have to pay the registry as much as $10,000 in fees

RTFA!! RTFA!!!

what a riot

and said he paid $500 for it to a guy he met online."

That's like saying, "Fucktard6969 on IRC said that the software he's hooking me up with is legit"

Re:what a riot

[trelanexiph]

Fucktard6969 won't work on most irc servers as the default NICKLEN is 9

Re:Gee

[Angry+White+Guy]

This only happens when there is a lack of addresses.
Why go throuh all the trouble if there are an abundance?

I've got an easy solution to THIS one...

[Greyfox]

Charge the recipients of the space with fraud, theft of property and services and possibly forgery as well and send them to jail for a long time. They in effect comissioned the theft of that space and should be held responsible.

The legwork involved in assuring that a block of IPs is legitimate should be fairly simple and part of the network administrator's job. We're not talking about end-users here, we're talking about networking professionals acting on behalf of a corporation. If they don't do their job properly they should be held responsible for that failure, especially when the transaction should raise suspicions as these would.

Re:I've got an easy solution to THIS one...

[anonymous+loser]

The legwork involved in assuring that a block of IPs is legitimate should be fairly simple and part of the network administrator's job.

But the guy selling the block already has plenty of documentation that verifies his story; that's how he got the addresses transferred to him in the first place. Are you saying every admin that wants to buy a couple of addresses needs to do more work than the company routing the traffic just to verify everything is legit?

Re:I've got an easy solution to THIS one...

[Greyfox]

If you're just paying "some guy" through paypal, YES! That's the internet equivalent of buying equipment out of the back of a van. No responsible corporate acquisitions person would do that without more checking. Why should acquiring IP addresses be any different?

I'm not saying that Joe Average Windows User should have to do research to make sure that the IP he's using from his ISP is legit. I'm saying that the network administrator for that ISP should. It should be pretty easy to check to see when the IPs were last transferred, who they were acquired from and especially whether the company you're dealing with is legitimate.

The circumstances of the transfer should have aroused suspicions on the part of the people acquiring the IP addresses, as much so as if stolen computers were being bought out of the back of a van. In such circumstances, "I thought it was legit" is not a valid argument (in my view.)

Re:I've got an easy solution to THIS one...

[woverly]

At least one of the hijacked addresses might have been used in a critical infrastructure homeland security role, therefore we could lock up the hijackers without charging them with anything! Send them to Guantonimo. Hold them indefinately. That would be an eye-opener for the spammers.

The point?

[_Sharp'r_]

What's the point of stealing IPs to spam? Haven't these guys ever heard of wardriving for IPs?

These guys really need some serious technical help...

(Yes, not meant seriously for those law/spam enforcement types out there!)

Re:The point?

Spam is shady, but what about scammers? I know someone hijacked someones machine and used it to send out Nigerian scam messages. You can send the police halfway across the globe to look at an IP address and have nothing there but delted log files.

Re:The point?

With 65000~ addresses...you have much more to work with then stealing Grandma's single IP down the street...

Re:The point?

[PPGMD]

Don't give them any ideas.

*Goes to double check my security on my WiFi networks*

Aha! Noone will get though my Cisco flaming wall of poop!

Re:The point?

[user32.ExitWindowsEx]

Cisco flaming wall of poop? You use RFC1149 wireless stuff from Cisco?

Re:The point?

[PPGMD]

Nah, I just have my wireless outside my LAN, I have a Cisco PIX 501 between the internet and my WiFi and my LAN. If my WiFi needs to use LAN resources (other than FTP for file storage) I just use a VPN.

I'm too cheap to buy Cisco WiFi products, but their firewall are in my price range.

I submitted this...

[robslimo]

a couple of weeks ago. Not this particular article, but a little write-up with some nice links (rejected, of course).

Links:
In your face hijacking

Current list of possible bogus bgp routes

Oh, well.

Re:I submitted this...

Shut up before I stick my man meat up your ass and spin you like a propellor.

Re:I submitted this...

From the parent's links:

Rita Lee Marketing Inc
901 Parkview Drive
King of Prussia, PA 19406
Lee, Rita funnelcake@rock.com
Lee, Rita gallopinto@rock.com
781.394.5655

I suggest tar and feather.

Re:I submitted this...

[int2str]

Wow! Thanks for posting those articles here. The first one is a very good, if scary read. The domains and IPs mentioned in the article should be familiar to anyone (like myself) using DNS blacklists.

Looks like spammers have upped the bar in this "battle" quietly.

I hope IP hijacking will be prevented soon. Up until now I had no idea this was even possible.

Cheers,
André

Re:I submitted this...

haha, that was funny

but i'm stilly only going to laugh anonymously

Re:I submitted this...

[Florian+Weimer]

The sad thing is that you cannot automatically verify BGP announcements because most of the out-of-band routing registries are incomplete or full of data which is mainly of historic interest.

Re:I submitted this...

I submitted this... (Score:5, Informative) by robslimo (587196) on Wednesday June 11, @03:11PM (#6174123) a couple of weeks ago. Not this particular article, but a little write-up with some nice links (rejected, of course).

Well that's because the editors were still in a drunken stupor and/or busy playing some FPS when you submitted it.

Frankly I think that's the only explaination for the general idiocy of Slashdot's editors lately

Re:I submitted this...

[blibbleblobble]

The discussions for this are all on NANOG

So yes, the issues of renumbering, routing, address-allocation and 'are IPs property' are getting discussed at length with more technical detail than slashdot

Re:I submitted this...

[robslimo]

Yeah. I started finding out about it around 2 or 3 weeks ago when I larted a spam email. Traceroute and whois at APNIC had showed conflicting info, so I asked about the legitimacy of ownership of a particular IP address in nanae. There I discovered an on-going discussion on hijacked netblocks and was referred to NANOG.

At NANOG, the hijackings discussed are 3-fold: netblocks, RIR handles and ASN's.

This is definitely the newest front in the fight against spam. The level of organization and the sheer audacity of the subversion of the network at a fundamental level is a little scary.

I think we're going to see some significant changes in (a) how network admins treat backbone routes and (b) how the RIRs treat netblock allocation.

hijack domain names, now public IP address'

[Brigadier]

first off, why has someone no looked into revamping the system by which we organize the net. Quite frankly with the emphaisis on internet business a domain or address is more important than realestate. Internet real estate should be treated and documented with the same ferver and detail as real estate.

Re:hijack domain names, now public IP address'

[Zeinfeld]

first off, why has someone no looked into revamping the system by which we organize the net.

Because there is no system to organize the net.

Many of the gatekeepers have their own peculiar political agendas. IETF was set up originally to provide the absolute minimum of process in order to be credible wrt the OSI stack folk.

The problem with the way IETF was set up is that the real purpose of the process is to prevent anyone doing anything the IETF establishment don't like. That is the real reason there are no votes. If you have votes then the proletariat might decide to overrule the establishment.

The internet has major structural security problems. There is no security in either DNS or BGP and no viable proposal to fix them. Both problems have been captured by factions that are holding them hostage for other reasons. DNSSEC is being held hostage by a faction that wants to change the way the DNS infrastructure is managed. BGP has been captured by people whose real interest is deploying IPSEC.

BGP already has a certain degree of security built in. The BGP messages can be authenticated using an MD5 based MAC. There are a couple of problems with this approach, I don't like the algorithm for a start but it is a simple matter to substitute in HMAC-SHA1. The other problem is that there is no mechanism for establishing the keys.

It would be a simple matter to add a key agreement to BGP. There are several proposals for provably secure key agreement mechanisms that are considerably simpler and more robust than IPSEC. This would provide the same degree of security as IPSEC would but without the need to mess with the router software. The key management could be done by a completely separate box that updates the routers.

But why do the sensible thing when you have an opportunity to use a problem as an excuse to ram through your own private agenda?

Legit IP space should be easier to get

[sjhwilkes]

ARIN and their members made this problem for themselves. If legit space was easier to get - you currently need to prove you have 16000 hosts. Then people would be more traceable and accountable.

Spammers are now in a very tight spot in that their address space gets blacklisted faster than ever before so they have to keep changing - at the same time they're still making good money to use to bribe people (by paying way more for bandwidth than is normal) into taking their BGP advertisments for space of dubious origin.

The old swamp space is never going to be reclamed just because legally it would be such a pain to do so - it would make more lawyers rich, without solving the problem because there will always be space left that can be hijacked if only for a shorter and shorter time.

Simon

Re:Legit IP space should be easier to get

[bill_mcgonigle]

So, what is the right way to deal with this problem?

I'd like to setup a redundant internet connection across multiple ISP's for my data center (colo isn't an option for medical data), but, as far as I can tell, I need to get a large netblock to get a BGP advertisement. I don't need a large netblock, though, I just need the redundancy.

I could have one of my ISP's do a classless CIDR thingy for me, but then I'm back to depending on an ISP's connection, sorta defeating the point of having the redundant connection.

The answer seems to be "you can't unless you're a really big company", a design flaw if true.

Re:Legit IP space should be easier to get

Why is this a design flaw? If you don't have 16,000 (or more) hosts depending on you, why should you be treated as a standalone, self-sustaining section of the Internet?

If redundancy is all you want, there are lots of ways to accomplish it. You don't need your own provider-independent IP space for redundancy.

Re:Legit IP space should be easier to get

[bill_mcgonigle]

If you don't have 16,000 (or more) hosts depending on you, why should you be treated as a standalone, self-sustaining section of the Internet?

Why not? Ideally, every network would be able to be addressed and found independently. Maybe today's technology doesn't support it, but just because something is the status quo doesn't mean it's the ideal situation. Back in the day (way back) everybody had static routes to everybody else. Now large corporations are required to get traffic anywhere. We've ceeded control of the Internet to Corporate America. There's certainly potential for conflict of interest here.

If redundancy is all you want, there are lots of ways to accomplish it. You don't need your own provider-independent IP space for redundancy.

Alright, well, don't keep it a secret then. I need real-time redundancy among providers that doesn't rely on any one upstream provider. I thought that's what BGP was for.

Re:Legit IP space should be easier to get

Ideally, every network would be able to be addressed and found independently. Maybe today's technology doesn't support it, but just because something is the status quo doesn't mean it's the ideal situation. Back in the day (way back) everybody had static routes to everybody else.

The line for scale has to be drawn somewhere. For example, a home network containing 4 hosts: globally routeable independent connections to that doesn't scale well. Such a thing wouldn't be a standalone self-sustaining section of the Internet anyway -- it's just an endpoint.

Now large corporations are required to get traffic anywhere. We've ceeded control of the Internet to Corporate America. There's certainly potential for conflict of interest here.

That's a good point.

I need real-time redundancy among providers that doesn't rely on any one upstream provider. I thought that's what BGP was for.

The situation you're describing is not redundant -- it's full multihomed independent routing. All of your connections would be used in a full deployment case, not just one. I'm not saying this isn't desireable; I'm just pointing out that it isn't simple redundancy.

For example, you could use 1:1 NAT with a block from each provider. The downside is that you appear as several different addresses, not just one, and there is no IP-level transparency in case of failure. You did say "real-time", so perhaps something like this doesn't meet your timing requirements, but it is redundant.

In any case, I certainly encourage you to go with the most robust system you can obtain. This is just commentary on redundancy.

Re:Legit IP space should be easier to get

ARIN's IPv4 policy page suggests you only need to be in the range of 2000 - 4000 hosts to get Provider-Independent space. Where does the 16,000 figure come from?

That is definitely not cool

[LearningHard]

It is a big enough pain in the rear to get allocated ipv4 space without having people steal it out from under you. Hopefully one day before I die the migration to ipv6 will occur and namespace will be plentiful to all. Of course jokers like these will probably steal the addresses anyway for other uses.

Re:Hijackers?

[secolactico]

they should consider selling or renting them out to raise some funds

Can they do that? As I understood, ARIN only lets you sub-allocate ip space to entities you provide service for (say, downstream ISPs, etc). So unless the county becomes an ISP, I don't think this is feasible. It's been a while since I last dealt with ARIN (bending over backwards to obtain an extra /19) so this might not be the case.

Sitting on that quantity of Unused IP adresses is just as criminal.

Agreed. They should return all the unused IP space for re-allocation.

Re:I'm just wondering...

Link me a picture and I'll give it some thought.

LA County needs a whole class B subnet?

[HornyBastard77]

Just what is a single county doing with 65,534 IP addresses in the first place?

IPv6 may alleviate the current IP scarcity and the worldwide divide that it creates, but till that kicks in(and it doesn't look like it will anytime soon), ARIN et al need to take a closer look at this IP hoarding. Till that happens, this hijacking of IP space might be a good solution for ISPs in China, India, etc.

Re:LA County needs a whole class B subnet?

[capnjack41]

My old university has all of 149.150.x.x. There's about 10,000 students & faculty, and each machine used to occupy a single public IP. Now, they have several private VLAN's (10.x.x.x), so now only every building has an IP (well, a few addresses). So between regular Internet access, plus servers, etc., there's probably a couple hundred IP's in use...out of 65534! Aces.

I'd also like to know if companies like IBM, GE, and such really use all of their class A's; or of the US DoD really uses their multiple class A's (at least 3 that ARIN would let me check before they started denying my frequent requests -- that's at least 50 million addresses)

Re:LA County needs a whole class B subnet?

[TheCrazyFinn]

That's not uncommon for groups that got IP space in the 80's. Back in the days of classful routing, one got a /16 if one had more than 254 and less than 16534 hosts on their network.

I know a hospital in Toronto that had a /16 hanging off a 128k ISDN link up until recently.

Re:LA County needs a whole class B subnet?

[Dynedain]

A single county with over 9.6 million people living in it. That requires a huge amount of civil services, and hence a lot of computers.

Re:LA County needs a whole class B subnet?

I'm not sure how many employees LA county has, but the county contains 9.6 million people, almost 1/3rd of california's popuplation. LA county is a VERY large operation.

Re:LA County needs a whole class B subnet?

TCP/IP was designed to be end-to-end, so the recommendation for many years was to assign "real" addresses to all internal hosts. Nobody was really thinking of firewalls, NAT, etc -- the future was Every Host On The Internet.

You can't accuse someone of "hording" when they were following ARIN's recommendations.

Re:LA County needs a whole class B subnet?

[arunkv]

Slightly off-topic, but how can I get a whole range of IPv6 addresses allocated to me? Is there some procedure to do this?

Re:LA County needs a whole class B subnet?

[Large+Green+Mallard]

My university (which I don't represent here, include stddisclaimer.h etc) has a Class B, but we actually use almost all of it..

because Australia pays so much for internet traffic, everything must be accountable for, so each student who wants internet access has a dialup with a static ip, and each desktop machine has a world routable static ip from the class B (which is in turn routed internally into class A and CIDR blocks)

And Apple uses it's 17.0.0.0/8.. it has hundreds of offices around the world thousands and thousands of machines.. CIDR is all well and nice, but if you don't know how big a given location is going to be, just assigning an appropriate number of Class C blocks to it from your class A makes things less painful.

Re:LA County needs a whole class B subnet?

[poofmeisterp]

I worked for GE. I can tell you with certainty that each business unit (GE Plastics, GE Aircraft, etc) uses about 10 or 20 public addresses, TOPS. There aren't that many business units. I can't remember how many and I'm too lazy, but it's in the neighborhood of 10 or less.
Yeah... sounds like they need a class B to me *laugh*

Re:LA County needs a whole class B subnet?

[avoisin]

Actually, I hear that the DoD needs about 280 million addresses, and that number increases slightly each year.

BTW, I've been getting these weird "electricity" type neck pains lately ...

Re:LA County needs a whole class B subnet?

[rrkap]

Los Angeles county has nearly 10 million residents and 92,714 employees who serve them, so, yeah, 65,534 IP addresses seems reasonable.

Re:LA County needs a whole class B subnet?

[Aardpig]

Wouldn't surprise me. Take the case of my University, which has X.Y/16 (no, I'm not dumb enough to specify what X and Y are). The physics department alone takes up the X.Y.1.0/24 to X.Y.10.0/24 subnets (IIRC), and these subnets are almost full up. That's around 4% of the whole class B allocation just for one department.

Suppose you have a 1024-node Beowulf cluster (had to get that in somewhere!), and you need a public address for each node, then you have already used approx 4/256 = 1/64th of your total address space. Hence, nowadays it's not that difficult to fill up a class B.

Of course, why you want every node of your cluster to have a public address is a totally different matter...

Re:LA County needs a whole class B subnet?

[cookiepus]

... my University, which has X.Y/16 (no, I'm not dumb enough to specify what X and Y are)

They are variables to put in place of real numbers. There, I said it.

It's OK...

[hawthorne]

You can buy 10.x.x.x from me if you like - only $0.01 per IP address

Re:It's OK...

[jellomizer]

Ill sell you a nice 192.168.x.x to the highest bidder

Re:It's OK...

I inquired, but my ISP mumbled something about some other customer, and offered me 172.16.0.0/12 instead. I'm just not sure a /12 is going to be enough for my future needs, ya know...

Re:It's OK...

You can buy 10.x.x.x from me if you like - only $0.01 per IP address

Apparently the above is hilarious (+5 Funny). Would someone please explain it to those of us not in the business?

Thanks

Re:It's OK...

It's a non-routing IP address. 192.168/16 is another favorate non-routing range. Most (nearly all?) routers drop these, so they are free for internal use.

Re:It's OK...

[bigjocker]

Apparently the above is hilarious (+5 Funny). Would someone please explain it to those of us not in the business?

The 10.x.x.x network not public (non routing), so anyone can use it for private networks.

Also, at the price $0.01 per IP that gives a total of $0.01 * 255 * 255 * 255 = $165,813.75

Private network: a network that is not directly connected to the Internet, thus avoinding possible clashes if anybody else is using the same addresses. These networks connect to the Internet using proxies/gateways/etc that do have a public -valid- addresses.

Re:It's OK...

The 10.x.x.x network not public (non routing), so anyone can use it for private networks.

Thanks, now I get the joke. I didn't think it would be private because someone else mentioned that IBM owned 9.0.0.0 (by which I assumed they meant 9.x.x.x) and I thought they meant for use on the public side, (but now I guess it is for private use) and I knew about 192.168/16, so I didn't think there would be holes like this. Is it really just a big patchwork mess?

Re:It's OK...

[SmittyTheBold]

192.186.x.x, 10.x.x.x, and 172.[16-31].x.x are all reserved for private, internal routing by anyone. Those addresses are not legal on the public internet, and most routers know to drop traffic with those addressees. Since they don't get routed, it's perfectly safe for separate people to be using the same address without worries of conflicts.

Re:It's OK...

[SmittyTheBold]

You can buy 10.x.x.x from me if you like - only $0.01 per IP address

Cool, can I get 10.11.12.13?

And do you take PayPal?

Re:It's OK...

Unfortunately not all ISPs are that clueful.

Here's a neat trick if you have Qwest IP service through Denver: traceroute to 172.16.1.1. Then gape in horror at what actually happens.

I'll go one better

[SquadBoy]

I have a whole bunch of 10.0.0.0/8 address spaces for sale. :)

Re:I'll go one better

[dbc]

Ummm... maybe you meant to post this to EBay? Here, the best you can get for it is "+5 Funny". On EBay....

PROFIT!!!

Tony Soprano will be hiring you!

[MushMouth]

Doesn't this smell like a future standard mob type scam... I mean you used to be able to buy VCR's that "fell off a truck", now you can get subnets!

Re:Tony Soprano will be hiring you!

[Tumbleweed]

"You know, it'd be a shame if something were to happen to that subnet..."

Maybe he's legit

[NeB_Zero]

maybe he wasn't stealing them for spam, maybe he had alot of computers and just wanted to comply with his states Super-DMCA ???

Re:Gee

[The+Kiloman]

I had the same reaction. From the article:

"There's anything up to 100 of these blocks out there on the loose," estimates Richard Cox.

Where can I get one? I was just saying to myself the other day, 'my 15-system home network REALLY needs some routable address space.' And my bonus check for this quarter just came in... what great timing!

Only the beginning

[globalar]

This problem will grow with more address space. Though the value of individual addresses will diminish in the future with IPv6, it is important to keep virtual property lines clear. This needs to be handled now. Exceptions made are only going to lead to problems in the future.

Re:WILDCAT IS ON TEH SPOKE

But does it run on my X-Box linux router ?

Re:Hijackers?

[mjmalone]

Amen to that, so many IP addresses are wasted. MIT, for example, has a /8... Somehow I doubt they are using over 16,000,000 IP addresses...

Possible solution

[Todd+Knarr]

Perhaps we ought to go to what we had with DNS domains back before Verisign privatized: you create a PGP public key and register it when you get your block, and from there on out any requests to change information about that block are only valid if they're signed with that key (or after some very stringent checks if you claim you've lost the key). That'd make it more difficult for hijackers to change the registration information.

Re:Possible solution

[LostCluster]

Other than the fact that this isn't going to fully solve the problem. If somebody configures devices (any IP-addressed devices of any kind) with IP addresses that don't belong to them, their routers will broadcast the fact that they're on the path that leads to that IP space to any upstream routers that are willing to listen. Hopefully, the ISP's routers will be smart enough to know that the IP address space doesn't belong there... However if you they trick either the ISP's staff or just the ISP's routers in to thinking the IP space really belongs to them, the ISP is going to carry the false claims through all of their their routers, and if two machines with the same IP address exist on the Internet like this they'll start getting traffic meant for the other and neither of them works very well. Having an authoritative and hard-to-crack source for who really owns the IP space would be nice, but you've also got to upgrade router specs so that everybody looks at that source in order for it to do anything, that's not so easy.

Re:Possible solution

[Todd+Knarr]

Most of the big bandwidth providers don't just automatically accept any IP blocks you advertise. They want to know beforehand what blocks you'll be using. If you can't alter someone else's netblock registration to reflect your information, it makes it a lot harder to fake out the provider. Either you have to go to the trouble of forging all your documentation to look like the real owner or as soon as the provider you're trying to use checks the registration they'll see that the info for the owner of the block doesn't match what you've provided and a big red flag goes up. That stops the problem before it ever makes it into the routing table. Plus, all the provider has to do is also drop a line to the registered owner giving them all the hijacker's information and asking why the hijacker is trying to hijack those addresses and the hijacker is now in some very hot water.

Re:Possible solution

[Florian+Weimer]

Fortunately, filters usually prevent you from announcing arbitrary address space via BGP (some ISPs run RIP on CPE and their customers can steal address space from each other, but that's a different, local problem).

However, I fear that you can get quite far with forged BGP announcements if your upstream (and the upstream's upstream 8-) doesn't apply any filters. We are definitely heading for interesting times (but this isn't news).

Re:Possible solution

[LostCluster]

Most of the big bandwidth providers don't just automatically accept any IP blocks you advertise.

Most major e-mail servers are properly secured so that only authorized users may send e-mail through them.

However, a few small-time servers acting as open relays can still make quite the mess of spam...

Re:Possible solution

[Todd+Knarr]

This isn't about e-mail, it's about IP address blocks and how routes to networks are propagated through BGP from your routers through your NSP to the backbones.

Re:Possible solution

[LostCluster]

It's an analogy... the point is that properly designed systems on a network work correctly, but a small handfull systems that trust everything they hear without thinking about it mixed with a few evil-doing people can cause annoyances for everyone...

Re:Hijackers?

Somehow I doubt they are using over 16,000,000 IP addresses...

Oh, I dunno, maybe their media research lab people need that many IP addresses to fake out the Agent programs in the matrix--after all, what better way to connect than via multi-link?

Re:Hijackers?

[TheCrazyFinn]

Considering that at MIT, Pop machines and Coffee Makers have IP's, they just might be using a reasonable amount of their /8

other items for sale:

[JDizzy]

The Brooklyn Bridge, the New York Sewer system.

Send me a check for $500 and they will be yours!

Re:other items for sale:

Does that include shipping and handling?

Re:Hijackers?

[koh]

Sitting on that quantity of Unused IP adresses is just as criminal.

I do agree with you here, but... ever heard about natural selection ?

IPv4 addresses have been designed in a time when there were at most a dozen people expecting IP to be used by more than a million users in the future. Just like the w2k bug (failed to) prove, old things should eventually die so that new ones can take the free slot. Yup, just like spammers should die so that other people may use those IP slots, but I digress.

IPv6 is here and would resolve the problem. This requires a huge switch however, and people won't be ready for it unless natural selection proves IPv4 hopelessly doomed.

So let spammers accumulate IPv4 addresses just a little more ;)

interesting

[dbrummer]

That's pretty odd how someone can just hijack a /16 like that. A /16 is a lot of IP addresses, not really easy to sort of overlook it. Usually something that big is already allocated by the users ISP and announce via BGP. I wonder how these guys were able to go behind the BGP allocations and announce it on there own. I know most ISP's won't allocate a block of IP addresses if it is already being advertised by another peer. Dan

Re:interesting

[wcdw]

*Way* too many corporations use routable IP blocks for internal networks, yet NAT those addresses going out the primary router. In order to prevent spoofing attacks, these address blocks are usually segregated at the primary router(s)/firewall(s).

The "outside" of this setup doesn't care about routing for this subnet - all internal routing for those IPs is handled by an inside box / separate set of rules. It also doesn't broadcast BGP info for the inside network.

At best, the incoming BGP would be perceived as a DoS attack - except that there is no DoS, and hence little reason to check. I'm willing to bet that few, if any, security administrators in such situations do more than block - and possibly log - these packets.

And, unfortunately, corporations with lots of IP addresses have little motivation to give them up. My last employer owned two /24s - total usage less than 100 boxes. The DMZ boxes had routable IP addresses in one /24 which were NAT'ed to routable IPs in the other /24 by the primary gateway! Of course, this same company was still using remnants of another /24 they haven't owned in many years (for internal production boxes) -- THAT makes for some interesting routing. ;)

Re:interesting

[wcdw]

I hate replying to my own replies. :-)

The ISP which owns the block will transfer it to the new ISP because the new ISP says it has the paperwork. Neither ISP really cares - it's just a circuit and a routing table change to them - they actually coordinate on the BGP changes. And legitimate transfers of IP blocks does happen all the time. The actual owner doesn't care (at first) because they are not affected by the change.

Let's not forget...

...about the squatters:

http://www.slasdot.org
http://www.slahsdot.org
http://www.slahdot.org
http://www.lsashdot.org
http://www.slashdto.org

255x255!!!??

[numbski]

For those who aren't ccna: /16 = netmask 255.255.0.0

255 addresses x 255 networks - 2 (network and broadcast) = 65023 IP addresses

That's a whole hunka lotta internet...

Re:255x255!!!??

[shamilton]

That's just completely wrong. It could be as many as 65534 usable addresses. Networks certainly needn't be on octet boundaries.

Re:255x255!!!??

[skroz]

Unless you're using it as a single /16, of course. In which case you only have one network and one broadcast address, so you have 65534 addresses.

Re:255x255!!!??

[numbski]

Err, yeah, low caffeine intake today. :P

256 x 256 useable addresses, not addresses x networks. Right idea, wrong numbers. To think I actually *passed* that test too.

Not to mention it's probably far fewer addresses because it's probably been vlsm'ed to death in order to make more money.

Re:255x255!!!??

[wcdw]

But it's still a far cry from "enough virtual real estate to serve the City of Angeles". ;)

Re:255x255!!!??

[Florian+Weimer]

255 addresses x 255 networks - 2 (network and broadcast) = 65023 IP addresses

Interesting, but completely meaningless calculation -- and you forgot to account for the gateway in each subnet, which usually takes another IP address.

If you are short of IP addresses, just put the whole /16 onto one interface, and you can use 65533 addresses for hosts.

Re:255x255!!!??

[Mysticalfruit]

Personally I think this discussion would be way cooler if we just took that "address" word out of the title...

Personally, I like "Confronting Space Hijackers" way better.

When they finally come out with a real solution to subnet boosting, I'll be busy playing Duke Nukem Forever connected to a public server with an IPv6 address...

Re:Hijackers?

[mjmalone]

Hah. It's been a while since a slashdot post actually made me laugh out loud ;)

OT: What is a "multinational?"

[Adam+J.+Richter]

some big multinationals have had /16's pulled out from under them

I have done a cursory web search and haven't been able to find a definition of a "multinational", which I assume from this context is a multinational business, as opposed to, say, "big multinational" meaning a fat person with citizenship in more than one country.

Are all businesses with web sites that do not exclude orders outside of their home countries "multinationals?" How about a business that has a physical office in another country? How about a business that wholly owns a subsidiary incorporated in another country? Does a business have to be corporation in order to be a "multinational?" I would be interested in any reasonably authorative references.

Re:OT: What is a "multinational?"

[PukkaStoryTeller]

What's a cursory web search? Beats me. I do know, however, what a dictionary.com search is.

Re:OT: What is a "multinational?"

You must have graduated from a US high school; a school system renowned for it's high quality.

county abuse

Why does a county need that many address.... Just how many external address does one county need.
Toss your county behind a proxy/firewall and use the 10. net to provide local address. Now you can get small group of address for your viable machines.

Solution

[LittleGuy]

Arm DNS Registrars with guns and tazers

Ask users to take off shoes before mass e-mailing

Round up geeks and other suspicious technical people as 'persons of interest' to secure undisclosed locations...

Wait, these guidelines are from Homeland Security.

Re:Solution

Nobody expects Homeland Security, this is because our weapon is surprise. Our one weapon is surprise, and fear. Two. Two weapons are surprise, fear, and a complete disregard for civil liberties.

Confronting these hijackers - Daytime TV style

[Torgo's+Pizza]

You know, sometimes I think the answer to "confronting" these pigs is to not use the courts, but use Jerry Springer.

Jerry: Today on our show, we have people who have stolen IP addresses to send SPAM. Why did you do it Larry?

Larry: Jerry, it's an addiction I have. I just feel the need to tell everyone that by sending money to my friend in Nigeria, they can get a stimulating diplomia and have investment opportunities in appendage lengthening. Is that so wrong? Audience boos.

Jerry: Not everyone agrees with you. Let's bring out a system administrator whose IP you hijacked.

SysAdmin: Appears from backstage. Upon seeing Larry, rushes him fists raised. You stupid #$@&! I'll kill you! I'll kick your fsking @$$! Throws chair. Is restrained by large bald stagehand. You stole my IP! I'll get you!

Re:Confronting these hijackers - Daytime TV style

[lmfr]

"You stole my IP!"

SCO is really getting into our heads...

Re:Hijackers?

[Tumbleweed]

But what if you want every node of each of those Beowulf clusters to have its own public IP address? :)

It's like having "Emergency Pants."

"You never know."

Re:Hijackers?

[borroff]

It's really a symptom of a monoploy economy for IP address blocks. No one is keeping the distributor honest, so market inequities do not get resolved. Hoarding can then exist.

But honestly, is a large enough fraction of the user community going to be upset enough to change this? Probably not. Right now, businesses seem more than willing to shell out for a small CIDR address space, and NAT the internal addresses. Until there's a customer revolt, there's no reason for a monopoly to be overthrown.

Re:US bias, anyone?

How many of the companies listed are not from the US? Funny that you picked a non-US company to make fun of then... Oh, and in case that argument comes up: Mercedes Benz is among the bigger ones in the list.

If I had to guess (and it's only a guess, my European friend)

HP, Apple, AT&T, Compaq, GE, IBM, and PSINet's current owner each have more computers online than Mercedes. It's not about the $ size of the company -- it's about the online presence (IP allocation, after all).

That being said, I wasn't trying to single out Mercedes. I was just using them as perhaps the worst example. The point is virtually NO company needs a /8 allocation. Many GOVERNMENTS/COUNTRIES don't need a /8 allocation!!.

16+Million IP addresses is just over the top.

MOD PARENT UP

How is a quote from the linked article that explains in excruciating detail the grandparent's question a "Troll"?

Re:US bias, anyone?

[TheCrazyFinn]

DaimlerChrysler (Mercedes Benz is a nameplate, not a company) is most assuredly a US company, it's also a German company.

And I'd suspect that they got the /8 via Chrysler (Which was heavily involved with DARPA at the time IP was being rolled out, primarily for the M1 Abrams program).

But unlike many of the IT companies, they have a reduced need for IP space. BBNPlanet, AT&T, PSINet are all providers, and IBM and HP (As well as Compaq) both maintain huge semi-private networks.

You too can have your own /16..

[Elk_Moose]

Get Yours Now on Ebay!

Don't know if it legit or not but here is one on Ebay now :) Hurry and get your own 65535 addresses!

Re:You too can have your own /16..

[mesach]

Just a quick look at his 170 positive feedback...

its all clothing, Womens infact. now he just happens to acquire a /16?

I need to get in and find that Ebay Wholesale CD that they are selling there, maybe I can find me a /16 somewhere

Re:You too can have your own /16..

[mesach]

after taking a closer look at their feedback

they were buyers of the clothing, and the 3 items that i was able to look at that they were sellers...

2 were routers, and one was invalid.

Re:You too can have your own /16..

Heh. I bid $500. What the heck, right? I could sure use 'em...

Re:You too can have your own /16..

[returnoftheyeti]

That cant be real, the guy has an MSN email account. And whats up with that Grandfathered clause?

Re:You too can have your own /16..

[force10]

I reported this idiot (Ebay seller) to ARIN, they responded back that he was NOT legit, and that they are persuing the matter. The auction was removed.

I hope they string him up by his toes!!!!

IBM

[metamatic]

Well, for IBM that's only about 55 IP addresses per employee, worldwide... Not entirely unreasonable.

Re:IBM

[Politburo]

It's completely unreasonable. 95% of their IP use can be handled by private addresses, if not more.

Re:IBM

[darthtuttle]

Consider that their Global Services group provides services to a lot of large companies and you see where the IP addresses go. Plus I bet IBM has one of the largest computer to employee ratios in the world. Plus their mainframes can run a few thousand instances of an OS so there's a bunch of IP addresses.

RAND CORP

My friend scanned 21.0.0.0...and he disappeared the next day ;(

Re:US bias, anyone?

Mercedes Benz is a subsidiary of DaimlerChrysler. And since the DaimlerChrysler headquarters is obviously in Germany, it doesn't make sense to call them a US company. Get your facts straight.

Re:US bias, anyone?

[TheCrazyFinn]

Mercedes benz, like Chrysler, Jeep, Dodge and the late lamented Plymouth and Eagle are all Nameplates (This is a technical term from the Auto industry, for Brands that are different from the name of the company that actually builds the cars).

Considering that DaimlerChrysler is the result of the merger between Daimler Benz and Chrysler, and much of the board is american, as well as most of their manufacturing presence, one can call them an American company as much as a German one. Determining the actual providence of a multinational is difficult.

forex: Nissan is actually a French company (independant subsidiary of Renault)

Get your facts straight.

Mercedes... this is why they have all those IPs

Mercedes has been thinking for quite some time that ever car they sell will have an IP address. The idea being that Mercedes will offer free Internet/Media services to their cars along with remote diagnostics information. So ya, maybe it seems like a lot of addresses but they are trying to do something with it.

Re:Hijackers?

[Exantrius]

Just like the w2k bug (failed to) prove,

Did anyone else see this and wonder "which one?"

alternatively, did anyone see it and say "Ha! Stupid MS!" /ex

Re:US bias, anyone?

Determining the actual providence of a multinational is difficult.

Each (multinational) company is formally registered in one country. This is not some loose idea, but is indeed important in many ways, in particular in legal areas. Hence, it does make sense to call DaimlerChrysler a German company. Also note that the merger was more like 60-40, and not 50-50.

Interestingly, you call Nissan a french company yourself, so you seem to buy into the same concepts as I do, even though you don't say so outright ;)

Re:Hijackers?

[stanmann]

You know, I just realized he meant Y2K bug. I saw it, and just read w2k and boggled at the thought of a windows bug proving anything.

Re:Hijackers?

[The_K4]

Ya' can always tell the Mass/Upstate NY people, they say POP when we all know it's SODA! :)

Re:Hijackers?

[koh]

Indeed. A nasty typo escaped the previewing. The beer is to blame ;)

I guess I woudn't happen if I used MS beer, though.

This is going to keep happening...

[cheetah]

This is going to keep happening until Arin starts pushing Ipv6. The real problem is that currently getting Ipv6 costs money and doesn't get you very far. Look at it this way... currently a Ptla /32 costs $2500 a year. But people that have been sitting on Ipv4 blocks for years don't pay anything. I know of two Isp's that would like to offer Ipv6 the their customers but because they don't have their own Ipv4 netblocks they don't want to pay $2500 a year just so few of their customers have Ipv6. So instead of getting Ipv6 and moving away from Ipv4 they are forced to stay with Ipv4. I think that the situation is currently backwards to the way it should be. Arin ( and other Ipv4 providers ) should be charging next to nothing for Ipv6 netbocks ($100 or so) and slowly start charging for Ipv4 blocks each year. So for the first year charge $100 for each Ipv4 block (on top of any other fees). The second year the would charge 500 and the year after that 1000 and then 3000 and so on... Until we start charging more for Ipv4 address's than Ipv6 we will have people trying to hijack current Ipv4 netblocks... The more people that can get switched over to Ipv6 the sooner the better. If everyone was using Ipv6 this will no longer be a problem...

Re:Hijackers?

[shamino0]

Agreed. They should return all the unused IP space for re-allocation.

It's not that simple.

The way I understand it, you can't just give back some of your addresses. You have to give back the entire block and then go through the whole lengthy application process to get a new block. Which means there will be a significant amount of time during which you have no addresses. And when you finally do get them, you'll have to renumber your network, because you won't get back addresses from the block you gave up. And if ARIN decides that you don't actually "need" as many addresses as you want to keep, you're SOL.

And if your network grows, you have to go through all the red tape of justifying your request for another/larger block.

The fact that you did the internet a service by surrendering a lot of unused addresses in the first place doesn't figure into thesedecisions.

For anybody who has a legacy class-B (or even class-A) block, it just doesn't pay to go through all the work, only to find yourself screwed in six months when you find that your new allocation wasn't big enough.

Re:US bias, anyone?

[TheCrazyFinn]

Nissan is a subsidiary of Renault, which is certainly French. I would, like most people, call Nissan a Japanese company. I was just demonstrating the silliness of calling major multinationals a 'country' company.

Spammers, scorched earth and stolen subnets

[Xeger]

This article raises an interesting point. When a spammer successfuly hijacks address space and uses it to send spam, his IPs are naturally going to appear on various blacklists before too long.

The problem isn't limited to blacklists, either. Bayesian spam filters will quickly learn to recognize Received-From headers bearing the stolen IPs. Collaborative hashing filters will also be affected, to a degree.

So...the spammer steals a subnet, uses it to spam for awhile, and then is either shut down or abandons his activities. He leaves behind a zone of "scorched earth" -- addresses that are effectively cannot host a mail transfer agent. It is now the job of the next legitimate recipient to clean up the spammer's mess. He might not even notice anything's wrong until half his emails have gone missing and the other have are bounced with mysterious messages. Having identified the problem, it is now up to him to track down various blacklists and get his addresses removed. The damage done to the Bayesian and collaborative filters simply cannot be undone. Mail will be lost.

To me, this is the real tragedy. Once an address block has been used for spamming, it's effectively ruined until someone inherits it and puts a great deal of time and effort into restoring its good reputation.

Re:Spammers, scorched earth and stolen subnets

[gmby]

This is sad. :-(
But! On the flip side. Can I buy a block of "scorched" IPs for cheap? To maybe host gaming servers? Lots of good profit making ways to use IPs; that don't include email.

Point me in the right direction; I'm ready!

Re:Spammers, scorched earth and stolen subnets

[kindbud]

Bayesian spam filters will quickly learn to recognize Received-From headers bearing the stolen IPs.

Duh, they just as quickly UNLEARN those same addresses when the sewage stops spilling. Bayesian classifiers have NOTHING to do with "scorched earth" network blocks, and never have.

The real problem is private access_db blacklists that someone tosses an address into, and forgets about it. The next guy that takes his admin job doesn't even know it's there.

Re:Spammers, scorched earth and stolen subnets

[SmittyTheBold]

We ned something like Carfax for cars...list all the possible natural disasters and possible damage to an IP block, get a complete list of past owners and a concise list of previous uses. Get an idea of what you're getting into with a block.

Re:Spammers, scorched earth and stolen subnets

[Xeger]

In an ideal world, Bayesian filters would unlearn the suspicious hosts and for those users savvy enough to be set up with one (or for those who use Mozilla), all would be good.

The problem is, once you've got your filter trained to > 99% accuracy and you're simply not accustomed to seeing false positives, you tend to rely on it too much.

My first email address was ads@netcom.com because my initials are ADS, and I've been dealing with spam since 1995 -- needless to say I'm good at manually filtering the stuff, by now. But I receive 500 or more mails per day and 495 of them are spam on any given day. So it's almost not an option for me to oversee my Bayesian filter.

A friend of mine bought a domain of rather dubious parentage and began sending me mail from it; I didn't notice for six weeks that my filter was automatically shitcanning every thing he sent me. Part of that was my fault for not setting up an address-based whitelist and not staying current with my friend's email address. But it was still an unfortunate incident.

Though, in that particular incident, a domain name was the culprit and not an IP address, something similar could easily happen. Thus, I agree that blacklists/blocklists are a much greater problem than Bayesian filters w.r.t. scorched earth addresses, but Bayesian filters are still noticeably affected.

Re: Emergency Pants

[digitalmuse]

bwaahha! another great sluggy.com reference goes wizzing under the radar!

Re:Hijackers?

[TheCrazyFinn]

It is Pop.

Soda is what comes in the box with the cow on it(Baking Soda).

BIG Deal!

[JohnnyGTO]

When some one can tell me how to get back my ICQ # 116117 AND keep it for more then 48 hours, I be impressed

Re:Hijackers?

[ipjohnson]

Hmmm everyone I know from mass (I've lived in central mass for three years) uses soda. Maybe just maybe out past springfield they us POP.

ObOnTopicSoprano Quote

[LittleGuy]

"Fuckin' internet" - Tony, Episode 20, "D-Girl"

Not sitting here

[fm6]

They're not sitting on them. I'll bet all those IP numbers are in use, and probably there are LA County employees crying for more. Why didn't they notice that their numbers had been hijacked? Presumably they have a firewall that cuts off their address space from the rest of the Internet.

I've always thought it was dumb that public IP numbers are so widely used for networks for which public access is not only unnecessary, but actually avoided. Why spend zillions on firewall software when you can get the same effect just by using a private IP space? I guess the changeover costs are a killer.

Re:Hijackers?

Well, I use IMAP myself.

Re:Hijackers?

Don't yall know it's Coke? You yankees don't know nuthin'

Re:Hijackers?

I'm going on my ninth year in Mass. People in massachussets don't use the term POP unless they're from somewhere efurther west. Generall the Ohio area is where I imagine POP becoming the more puplar term as opposed to SODA.

Re:Hijackers?

[ipjohnson]

Yeah I grew up in NH and pop was not used either. The only place I know in the north east is out near buffalo but they are usually a little whacked anyways :)

Re:Hijackers?

[The_K4]

Pop is what I do when I want the next element in my array! :) MOOOOOOO

Oh no you don't

[geekoid]

you're not pawning those alligators off on me! You think I'm some kind of idiot?

Re:Hijackers?

I imagine that the soda machines and coffee makers have internal IP's, otherwise that'd just be silly as far as using IP's. Also, there's bound to be an easy way to get free coffee...

Re:Hijackers?

[TheCrazyFinn]

I'm no Yankee. That's for you southerners.

One Canucklehead here.

Selling a subnet?

[Hayzeus]

How would one LEGITIMATELY go about this. The article mentions grey market brokers, but how would one go about getting rid of an IP-block they actually own? Or can they even be legally transfered?

Someone hijacked my IP!!!! Help

[beacher]

Whoever he is, he's got a LOT of bandwidth. Ping/trace it and see. They even had the audacity to create a server with MY username!!!
warez.texas.net
B

In related news...

[Realistic_Dragon]

Executives at SCO, the RIAA, Amazon and other large companies sufered public embarrisment when it was annouced that IP was being stolen and they rushed home to see if they owned any of it to sue over.

Re:Hijackers?

[Florian+Weimer]

YOu know, as evil as this may be, Sitting on that quantity of Unused IP adresses is just as criminal.

Unfortunately, due to aggressive route filtering for the old class B space, you cannot route these IP addresses as freely as you'd have to if you'd reassign it to a couple of organisations. I agree it's annoying (hey, we are using two or three /16 for less than 20,000 hosts), but the Internet at large has far more pressing issues to deal with (combatting DoS in a scalable manner, general security accountability and so on).

Re:I submitted this... OT

[immortal]

Yea I have submited about 20+ items over the past year and all got rejected. Hell, odd movie reviews got accepted over my articles that were technology related.

I treat slashdot like a cat. Just a finicky old thing, that amusing to watch only.

Space Hijackers?

[paul248]

Terror Alert: Black
Look Out! It's time to secure the International Space Station! (I misread the headline at first)

It makes sense if you interconnect a lot

[swb]

This is pretty reasonable, since a large entity like LA County is likely to interconnect with other networks in the future (if not right now), and a globally unique address space makes that much saner.

We have an ASP provided service via a frame circuit. In its first iteration the engineer I worked with assigned me an address of 10.2.3.4 on the WAN side of the router. When I asked him what the destination network was for the services we were communicating with, he just said "10.0.0.0/8". When I told him that space was in use here as well, he said "You'll have to renumber, those are our IPs" it took an hour argument with his boss and faxes of RFC1918 to convince them otherwise.

The next iteration of this service had a different connection to a different provider who connected to the provider above. Both of these providers were using overlapping 10.0.0.0/8 space and were NATing to each other, and when the service wasn't working right it was funny/sad listening to these clowns try to dignose these double NAT'd connections. None of that would have been necessary if they had used unique address space.

Just on the phone with the guy...

[pr0ntab]

He sounds legit. IE, he got this asset from a dot-com liquidation (won't say who, not allowed), and it has a HIGH reserve. Also said he didn't think anything would come of it, as he's never seen that sort of thing on ebay before, but he'd give it a shot.

If you want it, be prepared to spend 6 figures.

Re:Hijackers?

[Fnord]

As far as I know, pop is a mostly midwest thing. I came from DC (where everyone says soda) and moved to the northwest where theres kind of a competition between midwest influence making people say pop and california influence making people say soda.

Score; -1, Wrong

[Jerk+City+Troll]

The parent poster is insightful, you are an idiot.

Unfortunately, your proposal is completely irrelevant. In the cases I know, the communication channel between the ISP and ARIN was not compromised. The ISP just sent bogus data, acting on forged customer requests.

No shit the channel was not compromised, but it was misused. So how do we solve the problem of determining if a message is authentic. *snaps fingers* I know! We use public key cryptography!

There isn't any cryptographic protocol that can solve such a problem, and that's why S-BGP and other "secure" BGP successors are almost completely irrelevant. Cryptography is not the answer to all attacks.

You are sadly mistaken. Cryptography is not just about obscuring the message, but also proving that the message is authentic.

Here's how the process works:
1. message is run through a digest
2. the digest is encrypted using the sender's private key against the recipient's public key (this is called the signature)
3. the message is sent with the signature attached
4. the recipient decrypts the signature to get the digest and performs the same digest operation on the message.
If the signature cannot be decrypted, or the digests do not match, the message cannot be authenticated.

Both parties must trust the other's public key, so they met in person and signed the other's key. before they performed any transactions. Afterwards, if they can successfully encrypt and decrypt messages to and from the other, the authentication mechanism above works.

In general, cryptography is used for authentication in all kinds of places. You know hash function is a type of cypher? Passwords are *nix systems are stored hashed. Every time you enter a password, the system runs it through a hash function (likely MD5) and compares that to what is stored on disk. MD5 sums are used to validate the authenticity of software packages. Of course, the list of sums is often authenticated as described above (using PGP/GPG).

So please, come up to speed on these things!

Re:Score; -1, Wrong

[Florian+Weimer]

No shit the channel was not compromised, but it was misused. So how do we solve the problem of determining if a message is authentic. *snaps fingers* I know! We use public key cryptography [rsasecurity.com]!

If PKIs become relevant, we're going to see attacks on CAs (and not just the rather insecure SSL browser PKI). Furthermore, there is currently no large-scale PKI which tracks who is authorized to speak for which company (let alone IP address space!).

What we see is a problem during registration, and switching to a PKI won't solve such a problem, just shift it to the CA registration. It could be argued that a one-time registration might very thorough checks faesible, but that's just theory. All bulk data processing on the net is either done by machines or by unqualified, low-paid works (that's why it's called bulk processing), and I don't see why a large-scale would be different.

And let me repeat the major problem: At some point, you have to check that a document dealing with address space allocation issues was sent by someone who is authorized to change the allocation. Even if you have digital certificate which proves the identity of the sender (a questionable assumption), you still don't know if the sender is authorized for the transaction. Given that we deal with extremely critical infrastructure, I really don't care if I can sue someone afterwards. The goal has to be to avoid processing bogus transactions in the first place.

I hope this makes it a little bit clearer why PKIs can't immediately solve such problems.

Re:Hijackers?

[conway]

So let spammers accumulate IPv4 addresses just a little more

So, you're basically taking an anarchist view on this -- let the current system be destroyed, and the new one will arise to take its place.
But have you considered that the first step is rather painful?

Re:Hijackers?

[Suppafly]

It is Pop.

Soda is what comes in the box with the cow on it(Baking Soda).

No, its soda, and your argument proves it. Its called soda because it's made with soda water aka bicarbonate of soda, bicarbonate of soda is aka baking soda.

Stop

[darthtuttle]

I wonder how much of this kind of stuff would stop if we

1. blocked spam at the client based on content, not by blocking IP addresses

2. let people spam.

If we know who and where the spammers are and let them have their own little space in the world, and didn't outright reject talking to them, they wouldn't be doing this sort of thing. The biggest problem is that the cost to download is a large multiple of the cost to upload, since you can send to a whole lot of people in one shot, but there's an easy technical solution to that (don't let people send an email to 5000 people at your server in one shot).

Maybe it's time to treat them like the parts of the porn industry who works with filtering companies to identify them selves. Give them their own little sandbox to play in, don't threaten to shut them off, and then block them at the client side, or once they are in the mailbox, because what we are doing to fight them isn't working (as evidenced by my pile of spam despite all possilbe server side filtering techniques) and they are going to fight dirty if they can't have a chance fighting fair.

You may now mod this down.

Re:Stop

I agree. In addition, all rapists and burglars should be given their own little part of town in each city to operate in, because as any fool knows, efforts to eradicate them haven't worked and never will; as police techniques have advanced to try to catch them, they've just simply become more sophisticated in their criminal methods.

Great post!

Re:Stop

[darthtuttle]

Um, the difference is that theres more effective methods to deal with it. When I compare all the server side and IP address based techniques versus content based techniques content based techniques were soooo much better.

Re:Hijackers?

[liverbugg]

I'm from "out past Springfield" and noone I know calls it pop. I've always thought of pop being more tword Boston, where they call water fountains "bublers"

Correction on step 2.

[Jerk+City+Troll]

The message digest is encrypted against the sender's public key so that anyone who knows and trusts the sender's public key can decrypt the digest and trust the authenticity of the message.

Where did you learn to subnet?

[qtp]

Actually it's 2^16-2=65532 usable addresses or sixteen bits minus one reserved netmask and one reserved broadcast address.

Unless you subnet it further, then you loose an additional netmask and an additional broadcast address for each subnet.

Unless there's another (more efficient) method I haven't learned.

--qtp

Re:Hijackers?

>> So let spammers accumulate IPv4 addresses just a little more

> So, you're basically taking an anarchist view on this -- let the current system be destroyed, and the new one will arise to take its place.
But have you considered that the first step is rather painful?

I don't think he prefers this route, I think he's acknowledging (humorously) that the only way to get a large-scale change to IPv6 will be a large-scale failure of v4; nothing less inconvenient will make people and companies and ... switchover, the social inertia is tooooo high.

Ha!

[SexyAlexie]

I'm already the owner of a very large net block, on my internal network. I love the 196.168.x.x range.

Re:Ha!

Stupid corny joke...

Re:Ha!

I thought I saw you in the 192.168.x.x netblock. Maybe you are on to something in the mean time.

ooo

Re:Ha!

[The+Kenman]

You can have it......I'm too busy enjoying my full class-A space of 10.x.x.x =)

Re:US bias, anyone?

[Surak]

Actually, it all depends on WHICH DaimlerChrysler you're talking about. ;)

If I'm not mistaken, I do believe that the only member of the board of DaimlerChrysler AG who is an American is Earl Graves. The rest are all German citizens.

DaimlerChrysler Motors Company, L.L.C, (DCMC, LLC) which is the Chrysler Group of DaimlerChrysler AG, is a subsidiary of DaimlerChrysler AG (DCAG). It's headquarters (along with DaimlerChrysler Corporation, the U.S. subsidiary) are in Auburn Hills, Michigan.

DCMC, LLC also has two other subsidiaries, DaimlerChrysler Canada, Inc., and DaimlerChrysler de Mexico S.A. de C.V. DaimlerChrysler Motors Company and DaimlerChrysler are American companies, while DC Mexico and DC Canada are Mexican and Canadian companies, respectively. DCAG, on the other hand, has it's headquarters in Stuttgart, Germany.

So, if you're talking about DaimlerChrysler AG (DCAG), yes, it's a German company. IF you're talkign about DaimlerChrysler Corporation or DaimlerChrysler Motors Company, L.L.C., these are American companies.

So it's more complicated than EITHER of you thought. ;)

Re:Hijackers?

[h00pla]

In eastern Mass. when I was growing up, what is now called 'soda' was called 'tonic'.

Close by

[EvilStein]

"Atrivo" is right down the street from me. Maybe I can go sell this guy a bridge or something to go along with his /16 ;)

Re:Hijackers?

[usotsuki]

Niagara Falls, NY. Half an hour from Buffalo

Most people I know say "pop". I say "soda", but I'm from further east.

-uso.

They DON'T.

I am network manager for a somewhat smaller-than-LA-County local govt, and we use exclusively RFC1918 address space on all our internal nets. We do use separate private class Bs (172.x.y.z) for each major building/campus-complex in our local govt network and separate class C's (192.168.x.y) for smaller buildings. We have but only two public routable class C nets that handle all our publicly-connected machines on separate physical networks, and only really use about one-third of that space, so yeah we are wasting *some* public address space, but due to physical location and upstream provider complications we have to do it that way.

Getting ip6 addresses

[throwaway18]

IP6 allocations are not permanent, you don't own ip6 addresses
and you can't get PI(provider independent) blocks.
To get a range of ip6 addresses you have to get them from your
ip6 gateway provider or be a big or important enough network operator
or institution.

i've seen this firsthand

[Tancred]

I'm part of the IP Admin group of a large international ISP and have seen this firsthand. New customers routinely ask us to route space, and sometimes it's difficult to tell if it's theirs or not what with all the mergers, acquisitions and renaming of companies. There's definitely more scrutiny of these requests than there was a year ago.

A few months ago spammers started to hijack IP space that was registered to companies that are now out of business, which means that most likely nobody is going to notice what they've done.

After a while it's almost like getting squatters' rights - I've been using it and nobody else has a real claim to it, so it's mine.

Re:Hijackers?

no just becasue they say the share a very simular name does not mean that they are made of the same materials. I KNOW for a fact that the POP(!) is just carbon dioxide disolved into water. Just look at any POP(!) machine. they have a booster pump to increase the water pressure to over 200 psi and then the carbon dioxide in injected in to the water, at a higher water pressure the C02 is able to neatly disolve into water. cant find the link on slashdot you can look for it and prove yourself wrong

Re:US bias, anyone?

[wfberg]

Each (multinational) company is formally registered in one country. This is not some loose idea, but is indeed important in many ways, in particular in legal areas. Hence, it does make sense to call DaimlerChrysler a German company. Also note that the merger was more like 60-40, and not 50-50.

DaimlerChrysler AG (which is the publically traded company) is registered with the SEC as being statutorily seated in Auburn Hills, MI.

Some of those are ISPs or have good reasons

[billstewart]

Currently? Looks like Stanford gave theirs back in ~2000. About 60% of the Class A space is unused now.

AT&T and BBN are ISPs, so they've got legitimate uses for large amounts of address space. (In AT&T's case, they got lucky, because while they were late getting into the ISP business, the Class A was a leftover from the Bell Labs Cray's Hyperchannel LAN, which for some reason had insisted on having a Class A network and couldn't be subnetted :-)

The Interop Show Network has always been special. For you young folks out there (:-), Interop used to be an engineering conference where vendors actually tested interoperability and worked on implementation bugs, as opposed to being primarily marketing-related, and back in ~1990, not everything knew how to do variable-length subnetting or CIDR or whatever, and the show needed real internet addresses, not just RFC1918, because it was connected to the Real Internet.

Auto companies have been an early developer of networking technology - there was all that ISO MAP/TOP stuff in the Mid-80s, and they were one of the big players in getting IPSEC to be a practical technology where equipment from multiple vendors actually interoperated as opposed to a custom thing for spooks and occasional banks. (That also affected the Crypto Export Regulations Wars of the 90s.) At least in the US, automobile manufacturing isn't really done by big monolithic integrated companies which could use 10.x intranets - it's done by a wide mesh of manufacturers of parts, subassemblies, components, random little job shops, etc., as well as the big companies that stamp out metal and assemble it into cars, rather like the computer and software industry except with a lot more metal shipped around, and they need registered address space to be able to talk to each other cleanly. I'm not sure that Mercedes needs all that space, but the industry certainly does.

As of December 2001, the biggest hog of Class A addresses was the US government, including the military and its friends like Halliburton. Also Eli Lilly had a Class A then...

Re:Hijackers?

[divide+overflow]

No, its soda, and your argument proves it. Its called soda because it's made with soda water aka bicarbonate of soda, bicarbonate of soda is aka baking soda.

I guess none of you are old enough to remember when it was called "Soda Pop." Both "soda" and "pop" are simplifications of the longer term. "Pop" does tend to be used more in the east and midwest, and "soda" more on the west coast.

I thought about this in the past...

Once i was thinking about how possible it would be to hijack ip address space.. its really easy i thought, so under my own /24 I spoofed an email from my provider's email address (actually my job) and bam! the changes were made to my arin profile. I wondered how long it would be before this leaked out. I emailed arin but got no response, not a shock to me.

Early-Adopter Bias, actually

[billstewart]

It's really an early-adopter bias, from back when 32 bits was enough for everybody, especially because Internet-connected computers were big things that supported lots of users per machine, not PCs on home networks or PDAs and cellphones on Personal Area Networks.

• There weren't firewalls or NATs to prevent local machines' addresses from being reachable by the Whole Internet, and
• there wasn't RFC1918 private address space until after the ARPANET was shut down, and
• Networks were always Class A, B, or C, and even if they were subnetted, it was still on class boundaries, and
• supernetting and CIDR didn't exist.

The Class A allocations are basically a pile of dinosaur bones, and most of the dinosaurs were either native to North America or else ate other dinosaurs that were.

But yes, the early-adopter bias is a US bias, because before the work of people like CIX, the Commercial Internet Exchange, the ARPANET was a thing run by the US government, and you could only get on it if you were a US defense contractor doing appropriate kinds of work or a University that had some appropriate government-funded research, and there was an Acceptable Use Policy that said you couldn't do commercial activities that weren't related to the Government Work you were doing (though much of the interestingness of the Internet culture evolved because there was deliberately slack enforcement, especially on universities and non-commercial-related discussions.) The rest of us had UUCP, and Usenet, and X.25, and it wasn't until ~1990 that you could reliably use email for outside-your-company business without having to worry about whether you were violating the AUP.

Re:Score; 2, Thoughtful

[Jerk+City+Troll]

If PKIs become relevant, we're going to see attacks on CAs (and not just the rather insecure SSL browser PKI).

Then those attacks will have to be quite sophisticated. PKI security is mathematically provable. Forgery, in so far as immitating someone who authorized to take a particular action, is a social engineering feat. Of course, one can always con an misinformed individual out of passphrases.

Furthermore, there is currently no large-scale PKI which tracks who is authorized to speak for which company (let alone IP address space!).

As I understand it, it was not a question of authorization but merely forgery. Someone claiming to be a person who was authorized without provided proof. I never said that PKI would solve the who can, just the who is. This case in particular was the latter of the two. Or perhaps I need to RTFA again.

All bulk data processing on the net is either done by machines

Automated authentication of authorized persons is nothing new. In fact, it's very old. :-P

And let me repeat the major problem: At some point, you have to check that a document dealing with address space allocation issues was sent by someone who is authorized to change the allocation.

OKay, now I am really wondering what is going through your head. I do not see where the major difficulty is of keeping a secure list of authorized personnel and then authenticating their messages/commands/etc. with PKI (or any other login mechanism).

Even if you have digital certificate which proves the identity of the sender (a questionable assumption)

How is that questionable? I don't think you know what you're talking about. Want to try and forge a message coming from my key? It's infeasible unless you're the NSA. If two parties meet, each verifies the identity of the other, then sign each other's keys, then The Factoring Problem must be solved or the one of the symmetric keys compromised in order for the system to break down. If the first happens, it's the end of a lot of computer security as we know it. If the second happens, the parties will generate new keys and secrets and resume.

still don't know if the sender is authorized for the transaction. Given that we deal with extremely critical infrastructure, I really don't care if I can sue someone afterwards. The goal has to be to avoid processing bogus transactions in the first place.

Once again, I still don't see how difficult it is to maintain a list of authorized personnel. Every multiuser system in the world does this.

I hope this makes it a little bit clearer why PKIs can't immediately solve such problems.

This would have been accomplished if you demonstrated why a manifest of authorized personnel is a difficult to implement or insecurable mechanism.

Re:Hijackers?

[ChuckleBug]

"Pop" does tend to be used more in the east and midwest, and "soda" more on the west coast.

Hm. I was born and raised in Seattle and nobody I know calls it soda. We say pop. Every once in a while I'll say soda just for the hell of it and I always get strange looks.

Re:Hijackers?

[ChuckleBug]

Its called soda because it's made with soda water aka bicarbonate of soda, bicarbonate of soda is aka baking soda.

This is true if by "true" you mean "completely wrong." Soda pop is not made with bicarbonate of soda. You ever taste that stuff? There's a reason there is no "Arm & Hammer Cola." Yuk! Pop's made with CO2, plain and simple.

Some stuff that's made by fermentation, like root beer, get their CO2 from little critters, but it's still CO2.

Re:Hijackers?

[divide+overflow]

Hm. I was born and raised in Seattle and nobody I know calls it soda.

Seattle? Heck, that's almost in Canada. :^)
Most everyone in California calls it soda.

Re:Hijackers?

[Cramer]

ARIN has specific guidelines for returning address space and renumbering. Basically, they give you the space you can actually prove you need with some renumbering grace period afterwhich your original allocation is revoked.

Random vs. Specific Addresses and IPv6

[billstewart]

There are probably three main reasons hijackers steal addresses like this

• To get a big space free/cheap, given IPv4 address space's semi-artificial scarcity. IPv6 really takes care of this - a /48 is big enough for almost anybody, and a /64 is enough for almost any subnet - the 2**64 addresses you get in your /64 let you use 48-bit MAC addresses to automatically address everything and still give you 16 more bits to play with.
• To target a specific address space owner for nefarious purposes. Yeah, fine, IPv6 isn't going to prevent somebody who wants to hijack Bill Gates's House's IP address or remap all of Korea's IPv4 address space through Spamcop's T1. That's a problem for other mechanisms.
• To imitate somebody random other than yourself to make tracking you down or blocking your resources harder. IPv6 isn't much help for that, but that's also a case where hijacking subnets can be more fun than hijacking whole networks (e.g. don't steal the whole /16, just announce some /19 or /24 subnets that they weren't using.)

There may be occasional games that you can play where hijacking the whole /16 is useful, e.g. doing a more credible imitation of a mis-sized ISP with a customer who's a victim of a spammer relay trojan or something, but mostly that's pretty far-edge cases.

Re:Random vs. Specific Addresses and IPv6

[thogard]

IPv6 is going to be great.
Our spam black lists will be competely useless.
Tracking spam will be much more difficult.
Effecent routers will need 4x as much memory as they do now to hold the same routes other routers will take far more memory.
You can now memory map the world as a /24. Can't do that with IPv6.

Why Public Key Isn't Always Enough

[billstewart]

Public Key signatures are really helpful for some applications, and they do cut out lots of the anklebiters, which is worthwhile in itself, though almost any password mechanism can do that. They're not a 100% solution, though - anybody who knows the password or private key can still steal the address space, like that disgruntled ex-sysadmin, and trust in a public-key mechanism is likely to reduce the amount of human oversight that goes along with accepting requests, making it easier for someone who has the key to social-engineer changes, especially things like "loans" of subnets of your address space that fell off a truck.

They also don't help the old-defunct-company problem - any address-space owner who didn't have a public key N years ago and isn't easy to find now can still be hijacked with the fake letterhead request for a public key, which is now the obvious first step before using the fake letterhead to social engineer the ISP. Pretending to own a Class A owner is hard to fake credibly - pretending to own a Class B or /19 owner is a lot easier.

I've had one friend of a friend who at least temporarily was the last-registered technical and administrative contact for a Class B that was the remains of a long-defunct technology company, and they were thinking about selling it on the legitimate market (not the spammer market), but decided that their chain of ownership through the various bankruptcy settlements was too dubious - I forget whether the space eventually got recycled by ARIN or whether the somewhat more legitimate owners of the remaining assets got it.

Re:Hijackers?

[Redman]

Next we'll be have the sack vs. bag argument.

Great Firewall of China is a special case

[billstewart]

China actually has all the space they need for now, because their censorship-happy government and several quasi-monopolistic telecom providers have kept a pretty tight control on the internet's growth there. The "Great Firewall of China" that enforces web and email censorship can keep most internet users (particularly home and small business users) behind NAT or make them use IPv6 space or whatever, and most of the people who need real Internet access are businesses that don't need much space for the outside of their firewalls, which can be efficiently aggregated by the small number of ISPs.

Japan and especially Korea are more interesting cases, because they don't have the censorship problem, they've got a much much higher fraction of their population wired, and their telecom infrastructure is much more liberalized. And besides, you don't have to sell spammers Korean address space to M4K3 M0N3Y Fa$$T!! - you can sell them lists of broken relays and proxies :-)

Credible on-line merchant.

[Brett+Johnson]

"[he] said he paid $500 for it to a guy he met online."

That must be the same guy that sold me my penis enlarger.

Re:Hijackers?

[drsmithy]

Ya' can always tell the Mass/Upstate NY people, they say POP when we all know it's SODA! :)

You're *both* wrong, it's called SOFT DRINK. :D

Re:Hijackers?

[dogfart]

Once they get the addresses back, they should consider selling or renting them out to raise some funds since California claims to be having budget problems.

Given the dire situation of LA County, I think it is just as criminal that ARIN won't permit this. Think of the emergency medical care that could be funded by carving out some class B's and C's here.

We shouldn't be trashing the spammers for being the opportunistic farks that they are. We should be trashing ARIN for being an obstacle to leasing out unused IP addresses.

Re:Hijackers?

[dogfart]

Think of the scholarship fund MIT would have if they could sell off their unused blocks.

Every slashdot poster would have the opportunity to flunk computer science at one of the world's most prestigious universities.

Re:Hijackers?

[Suppafly]

http://www.webtender.com/db/ingred/443
http://www .sasky.com/saskycom/databases/non_alcoho lic/cold/water/soda_water.html
http://www.threadc ity.com/articles/sodapop/index.s html
http://www.google.com/search?q=soda+water

tons of websites would beg to differ with you.

While they have pure carbon dioxide now, the carbon dioxide was originally acquired by using bicarbonate of soda mixed with water to produce the co2.

Re:Hijackers?

[theTerribleRobbo]

And over here it's called 'Softdrink'.

Newfangled 'Soda Pop' grumblemumblegrr...

Nortel Re:Does LA county even need a public /16?

[yoshac]

Nortel have 47.0.0.0/8

They now have less than 40,000 employees.

And only about ~0.001% of that class A IP space is publicly accessible.

The rest is buried behind NAT/firewalls.

HP and Compaq

[amorsen]

yup, 15 and 16. The plan is to migrate to 16.

I find the decision to migrate to 16 symbolic of the merger.

Why not a whitelist?

[toker95]

Well said... I was hoping this recommending was down this thread.

As I read through the responses here regarding blacklists, Obviously it will be inherent that at least a good portion of mail administrators will quickly block the block...

Here's my 2 cents... have groups like ARIN who control the IP's and are informed as to when an IP hijacking has occurred... why don't they create a ~whitelist~ of sorts.

Effectively a centralized database of recently restored IP blocks that have been used illegally and have now been returned to rightful owners. Some will probably still continue to be blacklisted because the legitimate hosts aren't as legitimate as we'd like, but at least it would provide the oppurtunity to restore order alot easier...

note - i saw used illegally in the sense that it was hijacked, notsomuch used for spam, pr0n or others socially-negative hosting, while it may include the latter... it doesn't need to be...

Reply: A little curious..., about why that way ...

[OldHawk777]

IPv4, because of the gluttonous mismanagement of IP use and poor network planning (now and in the past) there appears to be a shortage of available IP addresses.

If all (Globally) Governments, Businesses, ⦠networks were private networks using proxy-servers (and/or firewalls) with NAT and the public/free domain (class A=10.x.x.x, Bâ¦, and Câ¦) IP addresses, then many private domain IP addresses would be freed up for distribution.

Example: The Mother of All Cable company using class-A public domain (10.x.x.x) (AKA: Private Network) IP addresses could create an unlimited number of 10.x.x.x large user networks ⦠have them all talk to each other across proxy-servers (and/or firewalls) with NAT using a few routable private IP addresses to identify a âoePublic Networkâ for the internet. Designing such TCP/IP networks for quality and speed would cost (a little) more and be (a little) more complex for management and configuration, but it would work and add a little overhead (packet/routing/â¦) burden to the available bandwidth.

This method could provide some additional (but minor) network security advantages â¦.

OldHawk777

Reality is a self-induced hallucination.

Re:Hijackers?

[jfern]

Where in upstate NY? In Ithaca everyone says SODA and not POP.

you could have had a v8

[RouterSlayer]

what, have you people been sleeping under a rock?
IPV6 is dead. and takes too much overhead and work and cost to get done.

you could have had a v8, IPV8 that is.
not only is it more compatible with ipv4, it tunnels really nicely, and all you need is a cheap gateway.

and yes, you can have ipv4ipv8 without a v6 getting in the way...

My "class-c" ipv8 address space has more addresses than comprise the entire net!

If yer all so worried..

[MasTRE]

..invest in IPv6 already! Otherwise shut it!

Re:US bias, anyone?

[chiph]

Perhaps they're looking forward to every car having it's own IP address (and NAT for addressing the multiple computer networks within the car). Before you scoff, recall that the majority of Mercedes sold come with their telematics system (Tele Aid) that can do remote diagnosis of car problems (besides the usual opening of locked doors, track the vehicles location, etc), which implies network connectivity.

Chip H.

Re:Hijackers?

[simul]

Yep, it has to get worse before it can get better. Only when we allow the old system to destroy itself will the new system emerge.

(That's why I vote Green. Maybe some day we'll realize that campaigning should be government-sponsored. How to pay for it? Make corporate donations illegal and then levy a special tax on corps. A reward system, where leaders are given bonuses for GDP growth, could be used as capitalist-directed incentives.)

Re:Hijackers?

[sjames]

Yep, and so by being ever so careful not to give out too many addresses, they make sure many times that many get horded when they are needed most.

This would be like the Salvation Army demanding that you either donate your life savings or nothing. Guess which one most will choose!

Re:Hijackers?

[ChuckleBug]

Your links were about soda water which is not soda pop. I never denied that the word soda had an historical basis. But they do not use NaHCO3 to make pop. You said soda pop "is made" with bicarb, not "it was originally made" with bicarb.

The Great Pop vs. Soda Controversy

Here is a very cool picture-graph of the entire U.S.:

http://www.popvssoda.com/

Re:Hijackers?

[divide+overflow]

I found this interesting dialect survey that plots the answers to the question "What is your generic term for a sweetened carbonated beverage?" on a US map using different colors to indicate which terms were predominant in a given region...check it out:

http://hcs.harvard.edu/~golder/dialect/staticmaps/ q_105.html

More on pop vs soda at...

[goldfndr]

http://www.popvssoda.com/

10/8?

[goldfndr]

Hmm, many addresses in 10.0.0.0 - something tells me some filters aren't working properly...

Re:10/8?

[crapulent]

You'll notice there are also hosts listed in the 127/8 range, which would appear bogus as well. But remember that a domain admin can set the DNS server that has authority for that domain to point to any IP address he chooses, and that's what this survey is based on. So there are some domains out there that resolve to 10.x.x.x or 127.x.x.x. It doesn't mean there's anything actually there.

Spam? Figures.

[Felinoid]

Dosen't it just figure stolen IP address space would be used for spam.
No doupt the 'land lord' of this rented address space sold it with spam.