Slashdot Mirror
Confronting Address Space Hijackers
Tawn writes "There's a great story on SecurityFocus about hijackers taking over large allocations of IPv4 space with forged documents and false business fronts. Los Angeles County and some big multinationals have had /16's pulled out from under them in the last few months, and used to inject spam. ARIN and network operators are trying to get a handle on the problem. The owner of a webhosting company that wound up with L.A. County's /16 called it 'borrowed space,' and said he paid $500 for it to a guy he met online."
YOu know, as evil as this may be, Sitting on that quantity of Unused IP adresses is just as criminal. Perhaps Once they get the addresses back, they should consider selling or renting them out to raise some funds since California claims to be having budget problems. I'm sure some of these guys would be happy to put in a bid.
Food not Bombs is a nice platitude but it breaks down when you notice that the Bombees are usually well fed
The owner of a webhosting company that wound up with L.A. County's /16 called it 'borrowed space,' and said he paid $500 for it to a guy he met online.
That's like getting stopped with a tractor trailer full of stolen goods and saying you bought it from some homeless guy on 82nd for 30 bucks.
It won't guarantee that this won't happen, but signed communications would help. Private keys can be stolen though, but I suspect that takes more effort. A public key should be included in the registry application, or with whois record, or in some other private DB at the registry. I guess this would be the opposite of PGP encrypted mail where the private key is used to decrypt rather than encrypt.
The legwork involved in assuring that a block of IPs is legitimate should be fairly simple and part of the network administrator's job. We're not talking about end-users here, we're talking about networking professionals acting on behalf of a corporation. If they don't do their job properly they should be held responsible for that failure, especially when the transaction should raise suspicions as these would.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
ARIN and their members made this problem for themselves. If legit space was easier to get - you currently need to prove you have 16000 hosts. Then people would be more traceable and accountable.
Spammers are now in a very tight spot in that their address space gets blacklisted faster than ever before so they have to keep changing - at the same time they're still making good money to use to bribe people (by paying way more for bandwidth than is normal) into taking their BGP advertisments for space of dubious origin.
The old swamp space is never going to be reclamed just because legally it would be such a pain to do so - it would make more lawyers rich, without solving the problem because there will always be space left that can be hijacked if only for a shorter and shorter time.
Simon
Eighteen companies currently hold Class A allocations: Apple, AT&T, BBN Planet, Computer Sciences, Compaq, Ford, Eli Lilly, GE, Hewlett-Packard, Interop Show Network, IBM, MIT, Mercedes Benz, Merck, PSINet, Prudential Securities, Stanford University and Xerox.
Mercedes Benz needs 16777216 addresses??!!
Oh wait, I shouldn't include the broadcast addresses .0 and .255.255.255, so that's only 16777214 addresses. My bad. Seems reasonable.
I'd also like to know if companies like IBM, GE, and such really use all of their class A's; or of the US DoD really uses their multiple class A's (at least 3 that ARIN would let me check before they started denying my frequent requests -- that's at least 50 million addresses)
Note that that list is old, listing both HP and Compaq as having Class A networks. Does this mean that HP now has two class A blocks? Or is the list old, with much of that space having been reallocated?
DaimlerChrysler (Mercedes Benz is a nameplate, not a company) is most assuredly a US company, it's also a German company.
/8 via Chrysler (Which was heavily involved with DARPA at the time IP was being rolled out, primarily for the M1 Abrams program).
And I'd suspect that they got the
But unlike many of the IT companies, they have a reduced need for IP space. BBNPlanet, AT&T, PSINet are all providers, and IBM and HP (As well as Compaq) both maintain huge semi-private networks.
"You've got an invalid haircut" -Warren Zevon - Life'll Kill Ya
Don't know if it legit or not but here is one on Ebay now :) Hurry and get your own 65535 addresses!
This article raises an interesting point. When a spammer successfuly hijacks address space and uses it to send spam, his IPs are naturally going to appear on various blacklists before too long.
The problem isn't limited to blacklists, either. Bayesian spam filters will quickly learn to recognize Received-From headers bearing the stolen IPs. Collaborative hashing filters will also be affected, to a degree.
So...the spammer steals a subnet, uses it to spam for awhile, and then is either shut down or abandons his activities. He leaves behind a zone of "scorched earth" -- addresses that are effectively cannot host a mail transfer agent. It is now the job of the next legitimate recipient to clean up the spammer's mess. He might not even notice anything's wrong until half his emails have gone missing and the other have are bounced with mysterious messages. Having identified the problem, it is now up to him to track down various blacklists and get his addresses removed. The damage done to the Bayesian and collaborative filters simply cannot be undone. Mail will be lost.
To me, this is the real tragedy. Once an address block has been used for spamming, it's effectively ruined until someone inherits it and puts a great deal of time and effort into restoring its good reputation.