Slashdot Mirror
Confronting Address Space Hijackers
Tawn writes "There's a great story on SecurityFocus about hijackers taking over large allocations of IPv4 space with forged documents and false business fronts. Los Angeles County and some big multinationals have had /16's pulled out from under them in the last few months, and used to inject spam. ARIN and network operators are trying to get a handle on the problem. The owner of a webhosting company that wound up with L.A. County's /16 called it 'borrowed space,' and said he paid $500 for it to a guy he met online."
YOu know, as evil as this may be, Sitting on that quantity of Unused IP adresses is just as criminal. Perhaps Once they get the addresses back, they should consider selling or renting them out to raise some funds since California claims to be having budget problems. I'm sure some of these guys would be happy to put in a bid.
Food not Bombs is a nice platitude but it breaks down when you notice that the Bombees are usually well fed
The owner of a webhosting company that wound up with L.A. County's /16 called it 'borrowed space,' and said he paid $500 for it to a guy he met online.
That's like getting stopped with a tractor trailer full of stolen goods and saying you bought it from some homeless guy on 82nd for 30 bucks.
It won't guarantee that this won't happen, but signed communications would help. Private keys can be stolen though, but I suspect that takes more effort. A public key should be included in the registry application, or with whois record, or in some other private DB at the registry. I guess this would be the opposite of PGP encrypted mail where the private key is used to decrypt rather than encrypt.
The legwork involved in assuring that a block of IPs is legitimate should be fairly simple and part of the network administrator's job. We're not talking about end-users here, we're talking about networking professionals acting on behalf of a corporation. If they don't do their job properly they should be held responsible for that failure, especially when the transaction should raise suspicions as these would.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
ARIN and their members made this problem for themselves. If legit space was easier to get - you currently need to prove you have 16000 hosts. Then people would be more traceable and accountable.
Spammers are now in a very tight spot in that their address space gets blacklisted faster than ever before so they have to keep changing - at the same time they're still making good money to use to bribe people (by paying way more for bandwidth than is normal) into taking their BGP advertisments for space of dubious origin.
The old swamp space is never going to be reclamed just because legally it would be such a pain to do so - it would make more lawyers rich, without solving the problem because there will always be space left that can be hijacked if only for a shorter and shorter time.
Simon
IPv6 may alleviate the current IP scarcity and the worldwide divide that it creates, but till that kicks in(and it doesn't look like it will anytime soon), ARIN et al need to take a closer look at this IP hoarding. Till that happens, this hijacking of IP space might be a good solution for ISPs in China, India, etc.
Eighteen companies currently hold Class A allocations: Apple, AT&T, BBN Planet, Computer Sciences, Compaq, Ford, Eli Lilly, GE, Hewlett-Packard, Interop Show Network, IBM, MIT, Mercedes Benz, Merck, PSINet, Prudential Securities, Stanford University and Xerox.
Mercedes Benz needs 16777216 addresses??!!
Oh wait, I shouldn't include the broadcast addresses .0 and .255.255.255, so that's only 16777214 addresses. My bad. Seems reasonable.
Sorry to be anal, but classful routing hasn't been used (by clueful people) for years now. Even then, a /16 would be the equivalent of a "B" class. Also, remember that the classes were limited to certain ranges, such as A-classes being 1.* to 127.*, B being 128.* to 191.* and so on. Anything dividing a classful block into something smaller would be a so called "subnet" (ever wondered where that name came from?).
Unfortunately, a certain networking hardware company still insists on teaching classful addressing, despite CIDR having been available for something like ten years now.
Note that that list is old, listing both HP and Compaq as having Class A networks. Does this mean that HP now has two class A blocks? Or is the list old, with much of that space having been reallocated?
DaimlerChrysler (Mercedes Benz is a nameplate, not a company) is most assuredly a US company, it's also a German company.
/8 via Chrysler (Which was heavily involved with DARPA at the time IP was being rolled out, primarily for the M1 Abrams program).
And I'd suspect that they got the
But unlike many of the IT companies, they have a reduced need for IP space. BBNPlanet, AT&T, PSINet are all providers, and IBM and HP (As well as Compaq) both maintain huge semi-private networks.
"You've got an invalid haircut" -Warren Zevon - Life'll Kill Ya
Don't know if it legit or not but here is one on Ebay now :) Hurry and get your own 65535 addresses!
BBN actually has 2 natural Class A addresses (4/8 and 8/8), which were transfered to GTE Internetworking, then Genuity, then to Level 3 during the acquisition. Very long story, but you kinda get to assign whatever you need when you get to be AS1 as well. Anyway, 4/8 is heavily divided up and assigned out to customers as well as being used for the internal network. During the integration by Level3, my understanding is that a lot of these will be renumbered into 4/8 from the Level3 blocks, just as Level3 will likely renumber to AS1. It's simply easier, and has a bit of cachet.
8/8, on the other hand, has never been used as far as I know, but is held in reserve, because simply getting that kind of address space flexibility is impossible in this day and age. Yeah, probably not the "right thing," to do, but there it is.
This article raises an interesting point. When a spammer successfuly hijacks address space and uses it to send spam, his IPs are naturally going to appear on various blacklists before too long.
The problem isn't limited to blacklists, either. Bayesian spam filters will quickly learn to recognize Received-From headers bearing the stolen IPs. Collaborative hashing filters will also be affected, to a degree.
So...the spammer steals a subnet, uses it to spam for awhile, and then is either shut down or abandons his activities. He leaves behind a zone of "scorched earth" -- addresses that are effectively cannot host a mail transfer agent. It is now the job of the next legitimate recipient to clean up the spammer's mess. He might not even notice anything's wrong until half his emails have gone missing and the other have are bounced with mysterious messages. Having identified the problem, it is now up to him to track down various blacklists and get his addresses removed. The damage done to the Bayesian and collaborative filters simply cannot be undone. Mail will be lost.
To me, this is the real tragedy. Once an address block has been used for spamming, it's effectively ruined until someone inherits it and puts a great deal of time and effort into restoring its good reputation.
How would one LEGITIMATELY go about this. The article mentions grey market brokers, but how would one go about getting rid of an IP-block they actually own? Or can they even be legally transfered?
Roving Web-Teleoperated Robot
I'm part of the IP Admin group of a large international ISP and have seen this firsthand. New customers routinely ask us to route space, and sometimes it's difficult to tell if it's theirs or not what with all the mergers, acquisitions and renaming of companies. There's definitely more scrutiny of these requests than there was a year ago.
A few months ago spammers started to hijack IP space that was registered to companies that are now out of business, which means that most likely nobody is going to notice what they've done.
After a while it's almost like getting squatters' rights - I've been using it and nobody else has a real claim to it, so it's mine.