Slashdot Mirror


Confronting Address Space Hijackers

Tawn writes "There's a great story on SecurityFocus about hijackers taking over large allocations of IPv4 space with forged documents and false business fronts. Los Angeles County and some big multinationals have had /16's pulled out from under them in the last few months, and used to inject spam. ARIN and network operators are trying to get a handle on the problem. The owner of a webhosting company that wound up with L.A. County's /16 called it 'borrowed space,' and said he paid $500 for it to a guy he met online."

9 of 334 comments

  1. I submitted this... by robslimo · · Score: 5, Informative

    a couple of weeks ago. Not this particular article, but a little write-up with some nice links (rejected, of course).

    Links:
    In your face hijacking

    Current list of possible bogus bgp routes

    Oh, well.

  2. Possible solution by Todd+Knarr · · Score: 3, Informative

    Perhaps we ought to go to what we had with DNS domains back before Verisign privatized: you create a PGP public key and register it when you get your block, and from there on out any requests to change information about that block are only valid if they're signed with that key (or after some very stringent checks if you claim you've lost the key). That'd make it more difficult for hijackers to change the registration information.

  3. Re:all the more reason by robslimo · · Score: 3, Informative

    I don't think you understand. Spammers hijack the netblocks because network admins block email (and sometimes all) traffic from known spam IP addresses and netblocks. The spammers steal someone else's netblock to spew out their garbage. Then it's up to the rightful owners of the netblock to clear the collateral damage to their own networks and the spammers move on.

    Look at this:

    Spam supporting ISP ServInt is announcing routes for the netblock containing this IP: 203.25.208.131
    traceroute shows that IP being handled by ServInt in McLean, VA, USA.

    That netblock belongs to:

    inetnum: 203.25.208.0 - 203.25.223.255
    netname: GREENWAY-AU
    country: AU

    descr: BRISBANE QLD
    descr: AUSTRALIA 4000

  4. Re:Does LA county even need a public /16? by HaeMaker · · Score: 4, Informative

    Allocations are made for organizations that need globally unique IP addresses, not necessarily connected to the Internet.

    IBM owns 9.0.0.0/8; none of it is connected to the Internet. They use globally unique addressing in their internal network for private connections to other organizations, without fear of collisions.

    This is typically no longer done and the IANA recommends you use a random range from private IP space from now on, except in rare cases.

  5. Re:255x255!!!?? by shamilton · · Score: 4, Informative

    That's just completely wrong. It could be as many as 65534 usable addresses. Networks certainly needn't be on octet boundaries.

    --
    "[A] high IQ is like a Jeep; you will still get stuck, just farther from help!" --Just d' FAQs, c.g.a
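The netblock check in comment 3 and the "65534 usable addresses" point in comment 5, worked as an added example (not code from the thread): the registry entries below are constructed from the inetnum lines quoted above plus one made-up entry, and the country-mismatch heuristic is a simplification assumed for illustration, not a real registry or routing API.

```python
import ipaddress

# Constructed registry: the first entry copies the inetnum block quoted in the thread
# (203.25.208.0 - 203.25.223.255, GREENWAY-AU, AU); the second is made up for contrast.
REGISTRY = [
    {"first": "203.25.208.0", "last": "203.25.223.255", "netname": "GREENWAY-AU", "country": "AU"},
    {"first": "192.0.2.0", "last": "192.0.2.255", "netname": "EXAMPLE-NET", "country": "US"},
]


def range_to_cidrs(first, last):
    """Convert an inetnum start/end pair into the minimal list of CIDR prefixes."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


def usable_hosts(prefix):
    """Usable host addresses in a prefix: all but network and broadcast
    (a /31 or /32 has no such reserved addresses, per RFC 3021)."""
    net = ipaddress.ip_network(prefix, strict=False)
    return net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses


def lookup(ip):
    """Return the registry entry whose range contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for entry in REGISTRY:
        if ipaddress.ip_address(entry["first"]) <= addr <= ipaddress.ip_address(entry["last"]):
            return entry
    return None


def flag_route(ip, announcing_country):
    """Assumed heuristic: flag a route when the country of the network announcing it
    differs from the country recorded for the netblock in the registry."""
    entry = lookup(ip)
    if entry is None:
        return "unregistered"
    if entry["country"] != announcing_country:
        return (f"mismatch: {entry['netname']} registered in {entry['country']}, "
                f"announced from {announcing_country}")
    return "ok"
```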
  6. Re:Hijackers? by shamino0 · · Score: 4, Informative
    Agreed. They should return all the unused IP space for re-allocation.

    It's not that simple.

    The way I understand it, you can't just give back some of your addresses. You have to give back the entire block and then go through the whole lengthy application process to get a new block. Which means there will be a significant amount of time during which you have no addresses. And when you finally do get them, you'll have to renumber your network, because you won't get back addresses from the block you gave up. And if ARIN decides that you don't actually "need" as many addresses as you want to keep, you're SOL.

    And if your network grows, you have to go through all the red tape of justifying your request for another/larger block.

    The fact that you did the internet a service by surrendering a lot of unused addresses in the first place doesn't figure into these decisions.

    For anybody who has a legacy class-B (or even class-A) block, it just doesn't pay to go through all the work, only to find yourself screwed in six months when you find that your new allocation wasn't big enough.

  7. Re:A little curious. by PurpleFloyd · · Score: 4, Informative
    Classful routing terminology is still a useful form of shorthand. If you tell me that MIT has a Class A block, I know immediately that they have a network space the size of Asia, but if you tell me they've got an 8 bit block, I have to pause and think about it for a half second.

    As for Cisco teaching classful addressing, that's justifiable. If the terminology is still in use among network folk, Cisco isn't doing a good job if they certify people who don't know how to communicate with their peers. Also, I can tell you that the CCNA exam did have several CIDR questions on it. Certifying someone as a network tech means testing all the knowledge they should know to do their job well. Since classful routing is still in the wild, network techs should know how to deal with it.

    --

    That's it. I'm no longer part of Team Sanity.
  8. Re:Does LA county even need a public /16? by crapulent · · Score: 3, Informative

    What's even worse is when you look at how few actual web sites are actually hosted in those "legacy class A" spaces. I've heard that, for example, GM has tons of ancient robotics and other embedded applications that are running on hard coded IPs in their allocated space. Not that they're publicly visible, just that no one really ever considered a scarcity of IP addresses in the past.

    Here's a great link that shows where web servers are in relation to the various class A (/8) address spaces. As you can see, they're mostly clumped in small zones, with a large majority of the IP space marked as either reserved or not in use for the "public" internet.

    To some degree I'd say the scarcity of IP addresses is somewhat manufactured. While you don't want to go willy-nilly allocating large blocks, at some point you have to recognise the genuine need and start unreserving some space. Also, some consensus should be reached on all those "legacy" blocks that aren't being used efficiently.

  9. Some of those are ISPs or have good reasons by billstewart · · Score: 3, Informative
    Currently? Looks like Stanford gave theirs back in ~2000. About 60% of the Class A space is unused now.


    AT&T and BBN are ISPs, so they've got legitimate uses for large amounts of address space. (In AT&T's case, they got lucky, because while they were late getting into the ISP business, the Class A was a leftover from the Bell Labs Cray's Hyperchannel LAN, which for some reason had insisted on having a Class A network and couldn't be subnetted :-)


    The Interop Show Network has always been special. For you young folks out there (:-), Interop used to be an engineering conference where vendors actually tested interoperability and worked on implementation bugs, as opposed to being primarily marketing-related, and back in ~1990, not everything knew how to do variable-length subnetting or CIDR or whatever, and the show needed real internet addresses, not just RFC1918, because it was connected to the Real Internet.

    Auto companies have been early developers of networking technology - there was all that ISO MAP/TOP stuff in the mid-80s, and they were one of the big players in getting IPSEC to be a practical technology where equipment from multiple vendors actually interoperated as opposed to a custom thing for spooks and occasional banks. (That also affected the Crypto Export Regulations Wars of the 90s.) At least in the US, automobile manufacturing isn't really done by big monolithic integrated companies which could use 10.x intranets - it's done by a wide mesh of manufacturers of parts, subassemblies, components, random little job shops, etc., as well as the big companies that stamp out metal and assemble it into cars, rather like the computer and software industry except with a lot more metal shipped around, and they need registered address space to be able to talk to each other cleanly. I'm not sure that Mercedes needs all that space, but the industry certainly does.

    As of December 2001, the biggest hog of Class A addresses was the US government, including the military and its friends like Halliburton. Also Eli Lilly had a Class A then...

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks