Confronting Address Space Hijackers
Tawn writes "There's a great story on SecurityFocus about hijackers taking over large allocations of IPv4 space with forged documents and false business fronts. Los Angeles County and some big multinationals have had /16's pulled out from under them in the last few months, and used to inject spam. ARIN and network operators are trying to get a handle on the problem. The owner of a webhosting company that wound up with L.A. County's /16 called it 'borrowed space,' and said he paid $500 for it to a guy he met online."
a /16 is a class B
This has been on NANOG for at least a month now...
I am the Lorvax, I speak for the machines.
Hijacking an IP block is cheap, and it bypasses conservation measures imposed by the regional registries: to get a large allocation legally, one must first demonstrate an immediate need for the space; it's not enough to want it. Then you have to pay the registry as much as $10,000 in fees
RTFA!! RTFA!!!
a couple of weeks ago. Not this particular article, but a little write-up with some nice links (rejected, of course).
Links:
In your face hijacking
Current list of possible bogus bgp routes
Oh, well.
Perhaps we ought to go to what we had with DNS domains back before Verisign privatized: you create a PGP public key and register it when you get your block, and from there on out any requests to change information about that block are only valid if they're signed with that key (or after some very stringent checks if you claim you've lost the key). That'd make it more difficult for hijackers to change the registration information.
I don't think you understand. Spammers hijack the netblocks because network admins block email (and sometimes all) traffic from known spam IP addresses and netblocks. The spammers steal someone else's netblock to spew out their garbage. Then it's up to the rightful owners of the netblock to clear the collateral damage to their own networks and the spammers move on.
Look at this:
Spam supporting ISP ServInt is announcing routes for the netblock containing this IP: 203.25.208.131
traceroute shows that IP being handled by ServInt in Mclean, VA, USA.
That netblock belongs to:
inetnum: 203.25.208.0 - 203.25.223.255
netname: GREENWAY-AU
country: AU
descr: BRISBANE QLD
descr: AUSTRALIA 4000
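The check the comment above performs by hand (is the address inside a registered inetnum, and is the party routing it the registered holder?) as an added Go example; it is not code from the thread or from any registry. The `Holder` field and the operator names are constructed stand-ins for whatever organisation field a real registry record carries.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Inetnum is one registry record in the "start - end" form quoted above.
// Holder is a constructed field standing in for the registered organisation.
type Inetnum struct {
	Start, End netip.Addr
	Netname    string
	Holder     string
}

// ParseInetnum turns "203.25.208.0 - 203.25.223.255" into an Inetnum.
func ParseInetnum(rng, netname, holder string) (Inetnum, error) {
	lo, hi, ok := strings.Cut(rng, "-")
	start, err1 := netip.ParseAddr(strings.TrimSpace(lo))
	end, err2 := netip.ParseAddr(strings.TrimSpace(hi))
	if !ok || err1 != nil || err2 != nil || start.Compare(end) > 0 {
		return Inetnum{}, fmt.Errorf("malformed inetnum %q", rng)
	}
	return Inetnum{Start: start, End: end, Netname: netname, Holder: holder}, nil
}

// Contains reports whether ip falls inside the registered range (inclusive).
func (n Inetnum) Contains(ip netip.Addr) bool {
	return n.Start.Compare(ip) <= 0 && ip.Compare(n.End) <= 0
}

// Observed is an address seen being routed by an operator (e.g. the last responsible hop in a traceroute).
type Observed struct{ IP netip.Addr; Operator string }

// Mismatches reports every observed address whose registered holder is not the
// operator actually routing it, which is the pattern the comment describes.
func Mismatches(registry []Inetnum, seen []Observed) []string {
	var out []string
	for _, o := range seen {
		for _, rec := range registry {
			if rec.Contains(o.IP) && rec.Holder != o.Operator {
				out = append(out, fmt.Sprintf("%s in %s (held by %s) routed by %s",
					o.IP, rec.Netname, rec.Holder, o.Operator))
			}
		}
	}
	return out
}
```

A mismatch is a lead, not proof: the holder may legitimately have delegated routing to another operator, so the result needs a check against the holder's own records before anyone acts on it.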
For those who aren't ccna: /16 = netmask 255.255.0.0
255 addresses x 255 networks - 2 (network and broadcast) = 65023 IP addresses
That's a whole hunka lotta internet...
Upstreams will grandfather you if you're ancient- we have 8 /24s that all get announced. Granted, we're working on renumbering but that's a lot of people to call- a multi year backburner project. New allocations, however, won't be announced unless they're a /20 or bigger... (that's 4,096 IP addresses in a row)
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
Allocations are made for organizations that need globally unique IP addresses, not necessarily connected to the Internet.
IBM owns 9.0.0.0/8, none of it is connected to the Internet. They use globally unique addressing in their internal network for private connections to other organizations, without fear of collisions.
This is typically no longer done and the IANA recommends you use a random range from private IP space from now on, except in rare cases.
That's not uncommon for groups that got IP space in the 80's. Back in the days of classful routing, one got a /16 if one had more than 254 and less than 16534 hosts on their network.
I know a hospital in Toronto that had a /16 hanging off a 128k ISDN link up until recently.
"You've got an invalid haircut" -Warren Zevon - Life'll Kill Ya
What's a cursory web search? Beats me. I do know, however, what a dictionary.com search is.
TCP/IP was designed to be end-to-end, so the recommendation for many years was to assign "real" addresses to all internal hosts. Nobody was really thinking of firewalls, NAT, etc -- the future was Every Host On The Internet.
You can't accuse someone of "hording" when they were following ARIN's recommendations.
Several ways.
(1) Official, legit way: become a member (fees required) of your RIR (Regional Internet Registry or something similar). Apply for assignment of unallocated space. Example is this fee schedule from APNIC
The downside here is that you can't get (and pay for) just a few addresses.
(2) Common, legit way: sign up for some kind of service package with an ISP and ask for however many IP addresses you want. You generally pay monthly or annually based on your service agreement and number of IP addresses.
The downside here is that those IP addresses aren't really yours. Your ISP just lets you use them and handles the routing for you. In some cases, your ISP doesn't even 'own' them... their upstream just lets them use the IP addresses.
(3) Hijack them. (a) start announcing bogus routes and hope no one notices very soon. (b) Hijack a RIR (ARIN, RIPE, APNIC, etc) tech/admin handle for an unused or under utilized netblock and then start announcing routes (you're a little more likely to be trusted this way).
It's not that simple.
The way I understand it, you can't just give back some of your addresses. You have to give back the entire block and then go through the whole lengthy application process to get a new block. Which means there will be a significant amount of time during which you have no addresses. And when you finally do get them, you'll have to renumber your network, because you won't get back addresses from the block you gave up. And if ARIN decides that you don't actually "need" as many addresses as you want to keep, you're SOL.
And if your network grows, you have to go through all the red tape of justifying your request for another/larger block.
The fact that you did the internet a service by surrendering a lot of unused addresses in the first place doesn't figure into these decisions.
For anybody who has a legacy class-B (or even class-A) block, it just doesn't pay to go through all the work, only to find yourself screwed in six months when you find that your new allocation wasn't big enough.
As for Cisco teaching classful addressing, that's justifiable. If the terminology is still in use among network folk, Cisco isn't doing a good job if they certify people who don't know how to communicate with their peers. Also, I can tell you that the CCNA exam did have several CIDR questions on it. Certifying someone as a network tech means testing all the knowledge they should know to do their job well. Since classful routing is still in the wild, network techs should know how to deal with it.
That's it. I'm no longer part of Team Sanity.
Unfortunately, your proposal is completely irrelevant. In the cases I know, the communication channel between the ISP and ARIN was not compromised. The ISP just sent bogus data, acting on forged customer requests.
No shit the channel was not compromised, but it was misused. So how do we solve the problem of determining if a message is authentic. *snaps fingers* I know! We use public key cryptography!
There isn't any cryptographic protocol that can solve such a problem, and that's why S-BGP and other "secure" BGP successors are almost completely irrelevant. Cryptography is not the answer to all attacks.
You are sadly mistaken. Cryptography is not just about obscuring the message, but also proving that the message is authentic.
Here's how the process works:
1. message is run through a digest
2. the digest is encrypted using the sender's private key against the recipient's public key (this is called the signature)
3. the message is sent with the signature attached
4. the recipient decrypts the signature to get the digest and performs the same digest operation on the message.
If the signature cannot be decrypted, or the digests do not match, the message cannot be authenticated.
Both parties must trust the other's public key, so they met in person and signed each other's key before they performed any transactions. Afterwards, if they can successfully encrypt and decrypt messages to and from the other, the authentication mechanism above works.
In general, cryptography is used for authentication in all kinds of places. You know a hash function is a type of cypher? Passwords on *nix systems are stored hashed. Every time you enter a password, the system runs it through a hash function (likely MD5) and compares that to what is stored on disk. MD5 sums are used to validate the authenticity of software packages. Of course, the list of sums is often authenticated as described above (using PGP/GPG).
So please, come up to speed on these things!
Join Tor today!
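The sign-and-verify process in the four steps above, applied to the earlier proposal of accepting a registration change only if it is signed with the key registered for the block, as an added Go example (not code from the thread, and not any registry's actual procedure). It assumes a constructed `ChangeRequest` record and uses RSA PKCS#1 v1.5 over a SHA-256 digest purely to mirror the "digest, then sign the digest" description.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ChangeRequest is a constructed stand-in for "please update this field of my block".
type ChangeRequest struct {
	Block, Field, Value string
}

// canonical encodes the request unambiguously (length-prefixed fields) so the
// digest of one request cannot collide with a differently split request.
func (r ChangeRequest) canonical() []byte {
	return []byte(fmt.Sprintf("%d:%s%d:%s%d:%s",
		len(r.Block), r.Block, len(r.Field), r.Field, len(r.Value), r.Value))
}

// Sign is steps 1-3: digest the message, sign the digest with the holder's
// private key, and return the signature that travels with the message.
func Sign(priv *rsa.PrivateKey, r ChangeRequest) ([]byte, error) {
	d := sha256.Sum256(r.canonical())
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
}

// Verify is step 4: recompute the digest and check the signature against the
// public key; any mismatch means the request cannot be authenticated.
func Verify(pub *rsa.PublicKey, r ChangeRequest, sig []byte) error {
	d := sha256.Sum256(r.canonical())
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig)
}

// Registry maps each block to the public key registered when it was allocated.
type Registry map[string]*rsa.PublicKey

// Apply accepts a change only when it verifies under the key on file for that
// block; an unknown block or a bad signature is refused, never "trusted anyway".
func (reg Registry) Apply(r ChangeRequest, sig []byte) error {
	pub, ok := reg[r.Block]
	if !ok {
		return errors.New("no key registered for block " + r.Block)
	}
	if err := Verify(pub, r, sig); err != nil {
		return errors.New("rejected: signature does not verify for " + r.Block)
	}
	return nil
}
```

This addresses forged requests to the registry; it does nothing about a party who simply announces a route it never asked the registry about, which is the point the sceptical reply above makes.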
Actually it's 2^16-2=65532 usable addresses or sixteen bits minus one reserved netmask and one reserved broadcast address.
Unless you subnet it further, then you lose an additional netmask and an additional broadcast address for each subnet.
Unless there's another (more efficient) method I haven't learned.
--qtp
Los Angeles county has nearly 10 million residents and 92,714 employees who serve them, so, yeah, 65,534 IP addresses seems reasonable.
I like my beverages with warning labels!
Bayesian spam filters will quickly learn to recognize Received-From headers bearing the stolen IPs.
Duh, they just as quickly UNLEARN those same addresses when the sewage stops spilling. Bayesian classifiers have NOTHING to do with "scorched earth" network blocks, and never have.
The real problem is private access_db blacklists that someone tosses an address into, and forgets about it. The next guy that takes his admin job doesn't even know it's there.
Edith Keeler Must Die
What's even worse is when you look at how few actual web sites are actually hosted in those "legacy class A" spaces. I've heard that, for example, GM has tons of ancient robotics and other embedded applications that are running on hard coded IPs in their allocated space. Not that they're publicly visible, just that no one really ever considered a scarcity of IP addresses in the past.
Here's a great link that shows where web servers are in relation to the various class A (/8) address spaces. As you can see, they're mostly clumped in small zones, with a large majority of the IP space marked as either reserved or not in use for the "public" internet.
To some degree I'd say the scarcity of IP addresses is somewhat manufactured. While you don't want to go willy-nilly allocating large blocks, at some point you have to recognise the genuine need and start unreserving some space. Also, some consensus should be reached on all those "legacy" blocks that aren't being used efficiently.
I am network manager for a somewhat smaller-than-LA-County local govt, and we use exclusively RFC1918 address space on all our internal nets. We do use separate private class Bs (172.x.y.z) for each major building/campus-complex in our local govt network and separate class C's (192.168.x.y) for smaller buildings. We have but only two public routable class C nets that handle all our publicly-connected machines on separate physical networks, and only really use about one-third of that space, so yeah we are wasting *some* public address space, but due to physical location and upstream provider complications we have to do it that way.
AT&T and BBN are ISPs, so they've got legitimate uses for large amounts of address space. (In AT&T's case, they got lucky, because while they were late getting into the ISP business, the Class A was a leftover from the Bell Labs Cray's Hyperchannel LAN, which for some reason had insisted on having a Class A network and couldn't be subnetted
The Interop Show Network has always been special. For you young folks out there (:-), Interop used to be an engineering conference where vendors actually tested interoperability and worked on implementation bugs, as opposed to being primarily marketing-related, and back in ~1990, not everything knew how to do variable-length subnetting or CIDR or whatever, and the show needed real internet addresses, not just RFC1918, because it was connected to the Real Internet.
Auto companies have been an early developer of networking technology - there was all that ISO MAP/TOP stuff in the Mid-80s, and they were one of the big players in getting IPSEC to be a practical technology where equipment from multiple vendors actually interoperated as opposed to a custom thing for spooks and occasional banks. (That also affected the Crypto Export Regulations Wars of the 90s.) At least in the US, automobile manufacturing isn't really done by big monolithic integrated companies which could use 10.x intranets - it's done by a wide mesh of manufacturers of parts, subassemblies, components, random little job shops, etc., as well as the big companies that stamp out metal and assemble it into cars, rather like the computer and software industry except with a lot more metal shipped around, and they need registered address space to be able to talk to each other cleanly. I'm not sure that Mercedes needs all that space, but the industry certainly does.
As of December 2001, the biggest hog of Class A addresses was the US government, including the military and its friends like Halliburton. Also Eli Lilly had a Class A then...
Bill Stewart
No, it's soda, and your argument proves it. It's called soda because it's made with soda water, aka bicarbonate of soda; bicarbonate of soda is aka baking soda.
I guess none of you are old enough to remember when it was called "Soda Pop." Both "soda" and "pop" are simplifications of the longer term. "Pop" does tend to be used more in the east and midwest, and "soda" more on the west coast.
It's called soda because it's made with soda water, aka bicarbonate of soda; bicarbonate of soda is aka baking soda.
This is true if by "true" you mean "completely wrong." Soda pop is not made with bicarbonate of soda. You ever taste that stuff? There's a reason there is no "Arm & Hammer Cola." Yuk! Pop's made with CO2, plain and simple.
Some stuff that's made by fermentation, like root beer, get their CO2 from little critters, but it's still CO2.
ARIN has specific guidelines for returning address space and renumbering. Basically, they give you the space you can actually prove you need with some renumbering grace period, after which your original allocation is revoked.
With IPv4, because of the gluttonous mismanagement of IP use and poor network planning (now and in the past), there appears to be a shortage of available IP addresses.
If all (Globally) Governments, Businesses, … networks were private networks using proxy-servers (and/or firewalls) with NAT and the public/free domain (class A=10.x.x.x, B…, and C…) IP addresses, then many private domain IP addresses would be freed up for distribution.
Example: The Mother of All Cable company using class-A public domain (10.x.x.x) (AKA: Private Network) IP addresses could create an unlimited number of 10.x.x.x large user networks … have them all talk to each other across proxy-servers (and/or firewalls) with NAT using a few routable private IP addresses to identify a "Public Network" for the internet. Designing such TCP/IP networks for quality and speed would cost (a little) more and be (a little) more complex for management and configuration, but it would work and add a little overhead (packet/routing/…) burden to the available bandwidth.
This method could provide some additional (but minor) network security advantages ….
OldHawk777
Reality is a self-induced hallucination.
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?