Slashdot Mirror


Confronting Address Space Hijackers

Tawn writes "There's a great story on SecurityFocus about hijackers taking over large allocations of IPv4 space with forged documents and false business fronts. Los Angeles County and some big multinationals have had /16's pulled out from under them in the last few months, and used to inject spam. ARIN and network operators are trying to get a handle on the problem. The owner of a webhosting company that wound up with L.A. County's /16 called it 'borrowed space,' and said he paid $500 for it to a guy he met online."

24 of 334 comments

  1. Maybe someone could explain this by Slashdotess · · Score: 1, Interesting

    Maybe someone could explain this? How does the whole buying and selling of IPs work?

  2. Hijackers? by stanmann · · Score: 5, Interesting

    You know, as evil as this may be, sitting on that quantity of unused IP addresses is just as criminal. Perhaps once they get the addresses back, they should consider selling or renting them out to raise some funds since California claims to be having budget problems. I'm sure some of these guys would be happy to put in a bid.

    --
    Food not Bombs is a nice platitude but it breaks down when you notice that the Bombees are usually well fed
  3. Someone he met online... by mingot · · Score: 4, Interesting

    The owner of a webhosting company that wound up with L.A. County's /16 called it 'borrowed space,' and said he paid $500 for it to a guy he met online.

    That's like getting stopped with a tractor trailer full of stolen goods and saying you bought it from some homeless guy on 82nd for 30 bucks.

  4. Signed communications to the registries by Malc · · Score: 4, Interesting

    It won't guarantee that this won't happen, but signed communications would help. Private keys can be stolen though, but I suspect that takes more effort. A public key should be included in the registry application, or with whois record, or in some other private DB at the registry. I guess this would be the opposite of PGP encrypted mail where the private key is used to decrypt rather than encrypt.

  5. Whole block, or specific ones? by Matrix272 · · Score: 2, Interesting

    There are a few posts about specific unused IP's being stolen, while the used ones went on working as normal... is that what happened, or did what's-his-name in Northern California take over the whole class C, similar to taking over a domain? If it was the latter, I'm surprised nobody's tried it before... given that it's really not extremely difficult to move a domain from one person to another, it can't be too hard to do the same for a block of IP's.

    So is it certain IP's that weren't being used, or a large block of IP's that were just read internally from the servers and directed to where the servers thought they should go?

    --
    "It's better to have a gun and not need it than need a gun and not have it." ~ Christian Slater, True Romance
  6. I've got an easy solution to THIS one... by Greyfox · · Score: 4, Interesting

    Charge the recipients of the space with fraud, theft of property and services and possibly forgery as well and send them to jail for a long time. They in effect commissioned the theft of that space and should be held responsible.

    The legwork involved in assuring that a block of IPs is legitimate should be fairly simple and part of the network administrator's job. We're not talking about end-users here, we're talking about networking professionals acting on behalf of a corporation. If they don't do their job properly they should be held responsible for that failure, especially when the transaction should raise suspicions as these would.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  7. Legit IP space should be easier to get by sjhwilkes · · Score: 5, Interesting

    ARIN and their members made this problem for themselves. If legit space was easier to get (you currently need to prove you have 16000 hosts), then people would be more traceable and accountable.

    Spammers are now in a very tight spot in that their address space gets blacklisted faster than ever before so they have to keep changing - at the same time they're still making good money to use to bribe people (by paying way more for bandwidth than is normal) into taking their BGP advertisements for space of dubious origin.

    The old swamp space is never going to be reclaimed just because legally it would be such a pain to do so - it would make more lawyers rich, without solving the problem because there will always be space left that can be hijacked if only for a shorter and shorter time.

    Simon

  8. LA County needs a whole class B subnet? by HornyBastard77 · · Score: 3, Interesting

    Just what is a single county doing with 65,534 IP addresses in the first place?

    IPv6 may alleviate the current IP scarcity and the worldwide divide that it creates, but till that kicks in (and it doesn't look like it will anytime soon), ARIN et al need to take a closer look at this IP hoarding. Till that happens, this hijacking of IP space might be a good solution for ISPs in China, India, etc.

    1. Re:LA County needs a whole class B subnet? by capnjack41 · · Score: 4, Interesting

      My old university has all of 149.150.x.x. There's about 10,000 students & faculty, and each machine used to occupy a single public IP. Now, they have several private VLAN's (10.x.x.x), so now only every building has an IP (well, a few addresses). So between regular Internet access, plus servers, etc., there's probably a couple hundred IP's in use...out of 65534! Aces.

      I'd also like to know if companies like IBM, GE, and such really use all of their class A's; or of the US DoD really uses their multiple class A's (at least 3 that ARIN would let me check before they started denying my frequent requests -- that's at least 50 million addresses)

    2. Re:LA County needs a whole class B subnet? by Large+Green+Mallard · · Score: 2, Interesting

      My university (which I don't represent here, include stddisclaimer.h etc) has a Class B, but we actually use almost all of it..

      because Australia pays so much for internet traffic, everything must be accounted for, so each student who wants internet access has a dialup with a static ip, and each desktop machine has a world routable static ip from the class B (which is in turn routed internally into class A and CIDR blocks)

      And Apple uses its 17.0.0.0/8.. it has hundreds of offices around the world, thousands and thousands of machines.. CIDR is all well and nice, but if you don't know how big a given location is going to be, just assigning an appropriate number of Class C blocks to it from your class A makes things less painful.

  9. Re:Does LA county even need a public /16? by Anonymous Coward · · Score: 5, Interesting

    Think that's bad?

    Eighteen companies currently hold Class A allocations: Apple, AT&T, BBN Planet, Computer Sciences, Compaq, Ford, Eli Lilly, GE, Hewlett-Packard, Interop Show Network, IBM, MIT, Mercedes Benz, Merck, PSINet, Prudential Securities, Stanford University and Xerox.

    Mercedes Benz needs 16777216 addresses??!!

    Oh wait, I shouldn't include the broadcast addresses .0 and .255.255.255, so that's only 16777214 addresses. My bad. Seems reasonable.

  10. interesting by dbrummer · · Score: 2, Interesting

    That's pretty odd how someone can just hijack a /16 like that. A /16 is a lot of IP addresses, not really easy to sort of overlook it. Usually something that big is already allocated by the user's ISP and announced via BGP. I wonder how these guys were able to go behind the BGP allocations and announce it on their own. I know most ISP's won't allocate a block of IP addresses if it is already being advertised by another peer. Dan

    1. Re:interesting by wcdw · · Score: 2, Interesting

      *Way* too many corporations use routable IP blocks for internal networks, yet NAT those addresses going out the primary router. In order to prevent spoofing attacks, these address blocks are usually segregated at the primary router(s)/firewall(s).

      The "outside" of this setup doesn't care about routing for this subnet - all internal routing for those IPs is handled by an inside box / separate set of rules. It also doesn't broadcast BGP info for the inside network.

      At best, the incoming BGP would be perceived as a DoS attack - except that there is no DoS, and hence little reason to check. I'm willing to bet that few, if any, security administrators in such situations do more than block - and possibly log - these packets.

      And, unfortunately, corporations with lots of IP addresses have little motivation to give them up. My last employer owned two /24s - total usage less than 100 boxes. The DMZ boxes had routable IP addresses in one /24 which were NAT'ed to routable IPs in the other /24 by the primary gateway! Of course, this same company was still using remnants of another /24 they haven't owned in many years (for internal production boxes) -- THAT makes for some interesting routing. ;)

      --
      If you're not living on the edge, you're just taking up space!
  11. Re:A little curious. by tigress · · Score: 3, Interesting

    Sorry to be anal, but classful routing hasn't been used (by clueful people) for years now. Even then, a /16 would be the equivalent of a "B" class. Also, remember that the classes were limited to certain ranges, such as A-classes being 1.* to 127.*, B being 128.* to 191.* and so on. Anything dividing a classful block into something smaller would be a so called "subnet" (ever wondered where that name came from?).

    Unfortunately, a certain networking hardware company still insists on teaching classful addressing, despite CIDR having been available for something like ten years now.

  12. Re:Does LA county even need a public /16? by crow · · Score: 5, Interesting

    Note that that list is old, listing both HP and Compaq as having Class A networks. Does this mean that HP now has two class A blocks? Or is the list old, with much of that space having been reallocated?

  13. Re:US bias, anyone? by TheCrazyFinn · · Score: 5, Interesting

    DaimlerChrysler (Mercedes Benz is a nameplate, not a company) is most assuredly a US company; it's also a German company.

    And I'd suspect that they got the /8 via Chrysler (Which was heavily involved with DARPA at the time IP was being rolled out, primarily for the M1 Abrams program).

    But unlike many of the IT companies, they have a reduced need for IP space. BBNPlanet, AT&T, PSINet are all providers, and IBM and HP (As well as Compaq) both maintain huge semi-private networks.

    --
    "You've got an invalid haircut" -Warren Zevon - Life'll Kill Ya
  14. You too can have your own /16.. by Elk_Moose · · Score: 5, Interesting

    Get Yours Now on Ebay!

    Don't know if it's legit or not but here is one on Ebay now :) Hurry and get your own 65535 addresses!

    1. Re:You too can have your own /16.. by force10 · · Score: 2, Interesting

      I reported this idiot (Ebay seller) to ARIN, they responded back that he was NOT legit, and that they are pursuing the matter. The auction was removed.

      I hope they string him up by his toes!!!!

  15. Re:Does LA county even need a public /16? by petrilli · · Score: 3, Interesting

    BBN actually has 2 natural Class A addresses (4/8 and 8/8), which were transferred to GTE Internetworking, then Genuity, then to Level 3 during the acquisition. Very long story, but you kinda get to assign whatever you need when you get to be AS1 as well. Anyway, 4/8 is heavily divided up and assigned out to customers as well as being used for the internal network. During the integration by Level3, my understanding is that a lot of these will be renumbered into 4/8 from the Level3 blocks, just as Level3 will likely renumber to AS1. It's simply easier, and has a bit of cachet.

    8/8, on the other hand, has never been used as far as I know, but is held in reserve, because simply getting that kind of address space flexibility is impossible in this day and age. Yeah, probably not the "right thing," to do, but there it is.

  16. Spammers, scorched earth and stolen subnets by Xeger · · Score: 5, Interesting

    This article raises an interesting point. When a spammer successfully hijacks address space and uses it to send spam, his IPs are naturally going to appear on various blacklists before too long.

    The problem isn't limited to blacklists, either. Bayesian spam filters will quickly learn to recognize Received-From headers bearing the stolen IPs. Collaborative hashing filters will also be affected, to a degree.

    So...the spammer steals a subnet, uses it to spam for awhile, and then is either shut down or abandons his activities. He leaves behind a zone of "scorched earth" -- addresses that effectively cannot host a mail transfer agent. It is now the job of the next legitimate recipient to clean up the spammer's mess. He might not even notice anything's wrong until half his emails have gone missing and the other half are bounced with mysterious messages. Having identified the problem, it is now up to him to track down various blacklists and get his addresses removed. The damage done to the Bayesian and collaborative filters simply cannot be undone. Mail will be lost.

    To me, this is the real tragedy. Once an address block has been used for spamming, it's effectively ruined until someone inherits it and puts a great deal of time and effort into restoring its good reputation.

    1. Re:Spammers, scorched earth and stolen subnets by gmby · · Score: 3, Interesting

      This is sad. :-(
      But! On the flip side. Can I buy a block of "scorched" IPs for cheap? To maybe host gaming servers? Lots of good profit making ways to use IPs; that don't include email.

      Point me in the right direction; I'm ready!

      --
      I don't want a pickle; I just want a Motor-Cycle! A four foot cop arrived with a five foot gun!
  17. Selling a subnet? by Hayzeus · · Score: 3, Interesting

    How would one LEGITIMATELY go about this? The article mentions grey market brokers, but how would one go about getting rid of an IP block they actually own? Or can they even be legally transferred?

  18. Stop by darthtuttle · · Score: 2, Interesting

    I wonder how much of this kind of stuff would stop if we

    1. blocked spam at the client based on content, not by blocking IP addresses

    2. let people spam.

    If we know who and where the spammers are and let them have their own little space in the world, and didn't outright reject talking to them, they wouldn't be doing this sort of thing. The biggest problem is that the cost to download is a large multiple of the cost to upload, since you can send to a whole lot of people in one shot, but there's an easy technical solution to that (don't let people send an email to 5000 people at your server in one shot).

    Maybe it's time to treat them like the parts of the porn industry who work with filtering companies to identify themselves. Give them their own little sandbox to play in, don't threaten to shut them off, and then block them at the client side, or once they are in the mailbox, because what we are doing to fight them isn't working (as evidenced by my pile of spam despite all possible server side filtering techniques) and they are going to fight dirty if they can't have a chance fighting fair.

    You may now mod this down.

    --
    Darthtuttle
    Thought Architect
  19. I've seen this firsthand by Tancred · · Score: 3, Interesting

    I'm part of the IP Admin group of a large international ISP and have seen this firsthand. New customers routinely ask us to route space, and sometimes it's difficult to tell if it's theirs or not what with all the mergers, acquisitions and renaming of companies. There's definitely more scrutiny of these requests than there was a year ago.

    A few months ago spammers started to hijack IP space that was registered to companies that are now out of business, which means that most likely nobody is going to notice what they've done.

    After a while it's almost like getting squatters' rights - I've been using it and nobody else has a real claim to it, so it's mine.
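The checks that comments 10 and 19 describe (is the space a customer asks you to route already registered to and announced by someone else, or registered to a company that no longer exists?) can be scripted against a registry snapshot. This is an added example, not code from the thread, SecurityFocus or ARIN; the registry records, AS numbers and the "expected origin AS" field are constructed assumptions (RFC 5737 documentation prefixes), since whois records of the period carried no origin AS.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Allocation:
    prefix: str
    holder: str
    origin_as: int         # AS expected to announce the block (assumed field)
    defunct: bool = False  # holder has gone out of business (see comment 19)

# Constructed registry snapshot using RFC 5737 documentation prefixes.
REGISTRY = [
    Allocation("198.51.100.0/24", "Example County", 64500),
    Allocation("203.0.113.0/24", "Defunct Widgets Inc", 64501, defunct=True),
]

# Constructed routing-table snapshot: (announced prefix, origin AS).
ANNOUNCEMENTS = [
    ("198.51.100.0/24", 64500),    # registered holder announcing its own block
    ("198.51.100.128/25", 64666),  # more-specific carved out by a third party
    ("203.0.113.0/24", 64666),     # defunct company's block with a new origin
    ("192.0.2.0/24", 64666),       # no registry record at all
]

def covering_allocation(prefix):
    """Longest-prefix match: the most specific allocation containing prefix."""
    net = ip_network(prefix)
    matches = [a for a in REGISTRY if net.subnet_of(ip_network(a.prefix))]
    return max(matches, key=lambda a: ip_network(a.prefix).prefixlen, default=None)

def classify(prefix, origin_as):
    """Return (verdict, detail) for one announcement."""
    alloc = covering_allocation(prefix)
    if alloc is None:
        return "unallocated", f"{prefix}: no registry record, origin AS{origin_as}"
    if alloc.defunct:
        return "defunct-holder", f"{prefix}: registered to {alloc.holder}, now defunct"
    if origin_as != alloc.origin_as:
        return "origin-mismatch", (f"{prefix}: AS{origin_as} announces space "
                                   f"registered to {alloc.holder} (AS{alloc.origin_as})")
    return "ok", f"{prefix}: origin AS{origin_as} matches {alloc.holder}"

def audit(announcements):
    """Classify every announcement; anything but 'ok' deserves a manual look."""
    return [(p, *classify(p, asn)) for p, asn in announcements]

if __name__ == "__main__":
    for prefix, verdict, detail in audit(ANNOUNCEMENTS):
        print(f"{verdict:16} {detail}")
```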