Confronting Address Space Hijackers
Tawn writes "There's a great story on SecurityFocus about hijackers taking over large allocations of IPv4 space with forged documents and false business fronts. Los Angeles County and some big multinationals have had /16's pulled out from under them in the last few months, and used to inject spam. ARIN and network operators are trying to get a handle on the problem. The owner of a webhosting company that wound up with L.A. County's /16 called it 'borrowed space,' and said he paid $500 for it to a guy he met online."
You mean spam like this?
ask.slashdot: As a linux user my anus frequently bleeds due to the number of thin, crooked, uncircumcised, abnormally pink wangs that are shoved in there on a constant basis. What do other openly users of linux like me do to prevent blood stains on their dank, dirty, wear-to-work-every-day blue jeans?
Imagine a Beowulf cluster of goatse.cx guys doing Natalie Portman's grits.
In Soviet Russia...bite me!
I LIKE goatse.cx and I cannot lie
You other brothers can't deny
...hijackers taking over large allocations of IPv4 space...
hijackers?? hijackers are people who sneak guns on airplanes and demand that old prison buddies that they used to know be let out of jail... these people sound more like con artists to me.
OMFG have you seen the Halo 2 trailer it's like slow and it's telling you all the stuff you did in the first one then the music kicks in and and the chief comes out and gets a gun the earf is on fire and chief is like fuck this im jumping and HE JUMPS PUT OF TEH SPACESHIP with angels singing and he lands on the bad guys and that annoying ai lady is like GO GET EM TIGER! WILDCAT IS ON TEH SPOKE!!!~`1 and theres less polys but rawkin bumb mappings you can view this on a special MICROSOFT xbox disk that comes with EB games store.
Maybe someone could explain this? How does the whole buying and selling of IPs work?
1) Start a fake business
2) forge some documents
3) steal more IPs than the whole of china has
4) sell to spammers
5) PROFIT!!!!
(note, ??????? step not required)
There is no god
Right... "borrowed". And that "guy I met in the van in the back alley" was just letting me "borrow" that plasma screen TV for $500.
I moderate "-1, Fool"
You know, as evil as this may be, sitting on that quantity of unused IP addresses is just as criminal. Perhaps once they get the addresses back, they should consider selling or renting them out to raise some funds, since California claims to be having budget problems. I'm sure some of these guys would be happy to put in a bid.
Food not Bombs is a nice platitude but it breaks down when you notice that the Bombees are usually well fed
There's a lack of addresses and still these things happen?
Martin
How the hell can't you be a little suspicious of somebody offering you a Class C for $500 on the condition that you only use a small part of it? What, did it fall off a truck?
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
The owner of a webhosting company that wound up with L.A. County's /16 called it 'borrowed space,' and said he paid $500 for it to a guy he met online.
That's like getting stopped with a tractor trailer full of stolen goods and saying you bought it from some homeless guy on 82nd for 30 bucks.
Oh.. no it's not..
SCO employee? Check out the bounty
ps reports some process hijacking large parts of my machine's address space. Confronting the problem using a quick /sbin/pidof X | xargs kill has somehow not proven to be a viable solution either...
...does anyone else here fantasize about tit-fucking Jennifer Connolly? Or taking her up the Hershey Expressway?
This has been on NANOG for at least a month now...
I am the Lorvax, I speak for the machines.
.... to get ipv6 of the ground - u wonthave to steal ip's cuz everyone man woman child and animal will have their own with plenty left over!
_+_+__+_+_+_+_+_+_+++
when i moo u moo - just like that
Judging by the article, LA county was using that /16 for internal routing only. I understand that they probably got it when it was easy to get, but do they really still need it? On that note, how much IP space that is allocated is actually in use? I heard something like 25%..
That Class A block that I bought on ebay from the guy from Nigeria who spammed me via SMS isn't legit? I better quickly cancel that wire transfer of money to his cousin, you know, the finance minister, until I can check out his story about the president dying in a plane crash and leaving all that money that he was going to invest in helping Quark get its native OSX version done.
I'd never heard of Enron before they started running TV ads about how they sub-rented "unused bandwidth" from multi-nationals during their off-hours.
It wouldn't surprise me that this is one scam that they would have tried to pull.
I don't know about the rest of the world, and IANAL, but I rather suspect that any member in good standing of the Communications Bar would be able to make a very strong case about willful interference with a communications system.
Next thing you know, they'll be lighting OPDF. (Other People's Dark Fibre)
It won't guarantee that this won't happen, but signed communications would help. Private keys can be stolen though, but I suspect that takes more effort. A public key should be included in the registry application, or with whois record, or in some other private DB at the registry. I guess this would be the opposite of PGP encrypted mail where the private key is used to decrypt rather than encrypt.
With the still-ongoing cases over domain theft and fraud, is it at all surprising that it's also active in areas like IP block assignments?
I get SPAM with faked reply-to, sent-by, and domain names. Most hacks against my systems are from IP addresses that don't resolve back to a valid domain.
The only shock here is that someone was dumb enough to think they could get a /16 for only $500.
I do not fail; I succeed at finding out what does not work.
There are a few posts about specific unused IP's being stolen, while the used ones went on working as normal... is that what happened, or did what's-his-name in Northern California take over the whole class C, similar to taking over a domain? If it was the latter, I'm surprised nobody's tried it before... given that it's really not extremely difficult to move a domain from one person to another, it can't be too hard to do the same for a block of IP's.
So is it certain IP's that weren't being used, or a large block of IP's that were just read internally from the servers and directed to where the servers thought they should go?
"It's better to have a gun and not need it than need a gun and not have it." ~ Christian Slater, True Romance
That this guy would end up in jail and that big guy in the cell next door merely "borrows" his ass for a pack of cigarettes.
Hijacking an IP block is cheap, and it bypasses conservation measures imposed by the regional registries: to get a large allocation legally, one must first demonstrate an immediate need for the space; it's not enough to want it. Then you have to pay the registry as much as $10,000 in fees
RTFA!! RTFA!!!
That's like saying, "Fucktard6969 on IRC said that the software he's hooking me up with is legit"
The legwork involved in assuring that a block of IPs is legitimate should be fairly simple and part of the network administrator's job. We're not talking about end-users here, we're talking about networking professionals acting on behalf of a corporation. If they don't do their job properly they should be held responsible for that failure, especially when the transaction should raise suspicions as these would.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
What's the point of stealing IPs to spam? Haven't these guys ever heard of wardriving for IPs?
These guys really need some serious technical help...
(Yes, not meant seriously for those law/spam enforcement types out there!)
The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
a couple of weeks ago. Not this particular article, but a little write-up with some nice links (rejected, of course).
Links:
In your face hijacking
Current list of possible bogus bgp routes
Oh, well.
First off, why has someone not looked into revamping the system by which we organize the net? Quite frankly, with the emphasis on internet business, a domain or address is more important than real estate. Internet real estate should be treated and documented with the same fervor and detail as real estate.
ARIN and their members made this problem for themselves. If legit space was easier to get (you currently need to prove you have 16000 hosts), then people would be more traceable and accountable.
Spammers are now in a very tight spot in that their address space gets blacklisted faster than ever before, so they have to keep changing - at the same time they're still making good money to use to bribe people (by paying way more for bandwidth than is normal) into taking their BGP advertisements for space of dubious origin.
The old swamp space is never going to be reclaimed just because legally it would be such a pain to do so - it would make more lawyers rich, without solving the problem, because there will always be space left that can be hijacked, if only for a shorter and shorter time.
Simon
It is a big enough pain in the rear to get allocated ipv4 space without having people steal it out from under you. Hopefully one day before I die the migration to ipv6 will occur and namespace will be plentiful to all. Of course jokers like these will probably steal the addresses anyway for other uses.
IPv6 may alleviate the current IP scarcity and the worldwide divide that it creates, but till that kicks in (and it doesn't look like it will anytime soon), ARIN et al need to take a closer look at this IP hoarding. Till that happens, this hijacking of IP space might be a good solution for ISPs in China, India, etc.
You can buy 10.x.x.x from me if you like - only $0.01 per IP address
I have a whole bunch of 10.0.0.0/8 address spaces for sale. :)
Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
Doesn't this smell like a future standard mob type scam... I mean you used to be able to buy VCR's that "fell off a truck", now you can get subnets!
Maybe he wasn't stealing them for spam; maybe he had a lot of computers and just wanted to comply with his state's Super-DMCA???
This problem will grow with more address space. Though the value of individual addresses will diminish in the future with IPv6, it is important to keep virtual property lines clear. This needs to be handled now. Exceptions made are only going to lead to problems in the future.
How many trolls (all types) are geeks in denial? Let's face reality, folks.
Perhaps we ought to go to what we had with DNS domains back before Verisign privatized: you create a PGP public key and register it when you get your block, and from there on out any requests to change information about that block are only valid if they're signed with that key (or after some very stringent checks if you claim you've lost the key). That'd make it more difficult for hijackers to change the registration information.
The Brooklyn Bridge, the New York Sewer system.
Send me a check for $500 and they will be yours!
It isn't a lie if you believe it.
That's pretty odd, how someone can just hijack a /16 like that. A /16 is a lot of IP addresses, not really easy to sort of overlook. Usually something that big is already allocated by the user's ISP and announced via BGP. I wonder how these guys were able to go behind the BGP allocations and announce it on their own. I know most ISPs won't allocate a block of IP addresses if it is already being advertised by another peer.
Dan
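One way a transit provider can screen such announcements, as an added example that is not from the article or from any of the posters here: keep a table of which origin AS may announce which prefix (the shape of an RPKI ROA, including a maximum prefix length) and classify every observed announcement against it. The authorization table, AS numbers and prefixes below are constructed from the documentation ranges, not real allocations; the example also handles IPv6 prefixes and the more-specific case, which goes beyond the single /16 discussed above.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Authorization says that OriginAS may announce Prefix, or any more-specific
// prefix of it no longer than MaxLength. This mirrors the shape of an RPKI
// ROA; the table built below is constructed for the example, not registry data.
type Authorization struct {
	Prefix    netip.Prefix
	OriginAS  uint32
	MaxLength int
}

// Announcement is one (prefix, origin AS) pair seen in a routing table.
type Announcement struct {
	Prefix   netip.Prefix
	OriginAS uint32
}

// Verdict is the outcome of checking an announcement against the table.
type Verdict string

const (
	Valid    Verdict = "valid"     // covered by a matching authorization
	Invalid  Verdict = "invalid"   // covered, but wrong origin or too specific
	NotFound Verdict = "not-found" // no authorization covers this prefix
)

// Validate classifies one announcement. "invalid" is the case an operator
// wants to alert on: the space has a documented origin and someone else is
// originating it, or carving out a more-specific the holder never allowed.
func Validate(a Announcement, table []Authorization) Verdict {
	announced := a.Prefix.Masked()
	covered := false
	for _, auth := range table {
		// auth.Prefix covers the announcement if it contains the announced
		// network address and is no longer than the announced prefix.
		if !auth.Prefix.Contains(announced.Addr()) || announced.Bits() < auth.Prefix.Bits() {
			continue
		}
		covered = true
		if a.OriginAS == auth.OriginAS && announced.Bits() <= auth.MaxLength {
			return Valid
		}
	}
	if covered {
		return Invalid
	}
	return NotFound
}

// SampleTable is a constructed authorization table using documentation
// prefixes (RFC 5737, RFC 3849) and documentation AS numbers (RFC 5398).
func SampleTable() []Authorization {
	return []Authorization{
		{netip.MustParsePrefix("192.0.2.0/24"), 64496, 24},
		{netip.MustParsePrefix("203.0.113.0/24"), 64497, 26},
		{netip.MustParsePrefix("2001:db8::/32"), 64496, 48},
	}
}

// MustAnnouncement builds an Announcement from text; panics on a bad prefix.
func MustAnnouncement(prefix string, originAS uint32) Announcement {
	return Announcement{Prefix: netip.MustParsePrefix(prefix), OriginAS: originAS}
}

func main() {
	table := SampleTable()
	// Constructed routing-table lines: the legitimate origin, an unrelated
	// origin claiming the whole block, a more-specific beyond MaxLength, an
	// allowed more-specific, an IPv6 more-specific, and space with no record.
	for _, a := range []Announcement{
		MustAnnouncement("192.0.2.0/24", 64496),
		MustAnnouncement("192.0.2.0/24", 64511),
		MustAnnouncement("192.0.2.128/25", 64496),
		MustAnnouncement("203.0.113.64/26", 64497),
		MustAnnouncement("2001:db8:1::/48", 64496),
		MustAnnouncement("198.51.100.0/24", 64511),
	} {
		fmt.Printf("%-20s AS%-6d %s\n", a.Prefix, a.OriginAS, Validate(a, table))
	}
}
```

"invalid" rather than "not-found" is the signal worth acting on: the block has a documented holder and another origin is announcing it or a piece of it. Announcements with no record at all still need the paperwork checks discussed elsewhere in the thread, since an empty table says nothing about who holds the space.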
...about the squatters:
http://www.slasdot.org
http://www.slahsdot.org
http://www.slahdot.org
http://www.lsashdot.org
http://www.slashdto.org
For those who aren't ccna: /16 = netmask 255.255.0.0
255 addresses x 255 networks - 2 (network and broadcast) = 65023 IP addresses
That's a whole hunka lotta internet...
Karma: Chameleon (mostly due to the fact that you come and go).
I have done a cursory web search and haven't been able to find a definition of a "multinational", which I assume from this context is a multinational business, as opposed to, say, "big multinational" meaning a fat person with citizenship in more than one country.
Are all businesses with web sites that do not exclude orders outside of their home countries "multinationals?" How about a business that has a physical office in another country? How about a business that wholly owns a subsidiary incorporated in another country? Does a business have to be a corporation in order to be a "multinational?" I would be interested in any reasonably authoritative references.
Why does a county need that many addresses? Just how many external addresses does one county need?
Toss your county behind a proxy/firewall and use the 10. net to provide local addresses. Now you can get a small group of addresses for your viable machines.
How many of the companies listed are not from the US? Funny that you picked a non-US company to make fun of then... Oh, and in case that argument comes up: Mercedes Benz is among the bigger ones in the list.
Arm DNS Registrars with guns and tazers
Ask users to take off shoes before mass e-mailing
Round up geeks and other suspicious technical people as 'persons of interest' to secure undisclosed locations...
Wait, these guidelines are from Homeland Security.
Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
Jerry: Today on our show, we have people who have stolen IP addresses to send SPAM. Why did you do it Larry?
Larry: Jerry, it's an addiction I have. I just feel the need to tell everyone that by sending money to my friend in Nigeria, they can get a stimulating diploma and have investment opportunities in appendage lengthening. Is that so wrong? Audience boos.
Jerry: Not everyone agrees with you. Let's bring out a system administrator whose IP you hijacked.
SysAdmin: Appears from backstage. Upon seeing Larry, rushes him fists raised. You stupid #$@&! I'll kill you! I'll kick your fsking @$$! Throws chair. Is restrained by large bald stagehand. You stole my IP! I'll get you!
Just get business class dsl (SBC) and request extra IP Addresses, it's a one time charge. I have 5 IPs and wish I would have gone ahead and got the extra 16 they made available. Now I can only add more contiguous(sp?) addresses by changing my IPs. I'm too lazy so I just keep it the way it is.
How is a quote from the linked article that explains in excruciating detail the grandparent's question a "Troll"?
Don't know if it's legit or not, but here is one on Ebay now :) Hurry and get your own 65535 addresses!
Well, for IBM that's only about 55 IP addresses per employee, worldwide... Not entirely unreasonable.
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
My friend scanned 21.0.0.0...and he disappeared the next day ;(
Mercedes has been thinking for quite some time that every car they sell will have an IP address. The idea being that Mercedes will offer free Internet/Media services to their cars along with remote diagnostics information. So ya, maybe it seems like a lot of addresses but they are trying to do something with it.
This is going to keep happening until ARIN starts pushing IPv6. The real problem is that currently getting IPv6 costs money and doesn't get you very far. Look at it this way... currently a pTLA /32 costs $2500 a year. But people that have been sitting on IPv4 blocks for years don't pay anything. I know of two ISPs that would like to offer IPv6 to their customers but because they don't have their own IPv4 netblocks they don't want to pay $2500 a year just so a few of their customers have IPv6. So instead of getting IPv6 and moving away from IPv4 they are forced to stay with IPv4. I think that the situation is currently backwards to the way it should be. ARIN (and other IPv4 providers) should be charging next to nothing for IPv6 netblocks ($100 or so) and slowly start charging for IPv4 blocks each year. So for the first year charge $100 for each IPv4 block (on top of any other fees). The second year they would charge 500 and the year after that 1000 and then 3000 and so on... Until we start charging more for IPv4 addresses than IPv6 we will have people trying to hijack current IPv4 netblocks... The more people that can get switched over to IPv6 the sooner the better. If everyone was using IPv6 this will no longer be a problem...
This article raises an interesting point. When a spammer successfully hijacks address space and uses it to send spam, his IPs are naturally going to appear on various blacklists before too long.
The problem isn't limited to blacklists, either. Bayesian spam filters will quickly learn to recognize Received-From headers bearing the stolen IPs. Collaborative hashing filters will also be affected, to a degree.
So...the spammer steals a subnet, uses it to spam for a while, and then is either shut down or abandons his activities. He leaves behind a zone of "scorched earth" -- addresses that effectively cannot host a mail transfer agent. It is now the job of the next legitimate recipient to clean up the spammer's mess. He might not even notice anything's wrong until half his emails have gone missing and the other half are bounced with mysterious messages. Having identified the problem, it is now up to him to track down various blacklists and get his addresses removed. The damage done to the Bayesian and collaborative filters simply cannot be undone. Mail will be lost.
To me, this is the real tragedy. Once an address block has been used for spamming, it's effectively ruined until someone inherits it and puts a great deal of time and effort into restoring its good reputation.
bwaahha! another great sluggy.com reference goes wizzing under the radar!
"If I wanted your input on my pet project, I'd stick my hand up your ass and use you like a sock-puppet." - Muse
When someone can tell me how to get back my ICQ # 116117 AND keep it for more than 48 hours, I'll be impressed.
Si vis pacem, para bellum! For evil to succeed good men need only do nothing!
"Fuckin' internet" - Tony, Episode 20, "D-Girl"
Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
I've always thought it was dumb that public IP numbers are so widely used for networks for which public access is not only unnecessary, but actually avoided. Why spend zillions on firewall software when you can get the same effect just by using a private IP space? I guess the changeover costs are a killer.
you guys know shit about IANA,RIR, LRIR business.
ip addresses dont cost any money.
places like icann, ripe, arin, apnic, lacnic and others dont charge money for IPs.
u get as many ips as you can reasonably justify and can prove how u gonna use them.
so that 500 bucks that fucker paid, was some bribe or some ISP or RIR charged some fees for the paperwork.
normally u have to show them a business plan and what the future in terms of network, layout, services, systems and so forth, and then u come to an agreement how many IPs you need immediately, if you can solve various services with private IPs and so forth, and how many IPs you would probably need over the next few years.
what kinda moronish article is this anyways? u people better start to learn some stuff about the RIR business and whats behind all that.
you're not pawning those alligators off on me! You think I'm some kind of idiot?
The Kruger Dunning explains most post on
How would one LEGITIMATELY go about this? The article mentions grey market brokers, but how would one go about getting rid of an IP block they actually own? Or can they even be legally transferred?
Roving Web-Teleoperated Robot
Whoever he is, he's got a LOT of bandwidth. Ping/trace it and see. They even had the audacity to create a server with MY username!!!
warez.texas.net
B
Executives at SCO, the RIAA, Amazon and other large companies suffered public embarrassment when it was announced that IP was being stolen, and they rushed home to see if they owned any of it to sue over.
Beep beep.
Yea, I have submitted about 20+ items over the past year and all got rejected. Hell, odd movie reviews got accepted over my articles that were technology related.
I treat slashdot like a cat. Just a finicky old thing that's amusing to watch only.
"You're having a bad day when the voices in your head put you on hold"
Terror Alert: Black
Look Out! It's time to secure the International Space Station! (I misread the headline at first)
This is pretty reasonable, since a large entity like LA County is likely to interconnect with other networks in the future (if not right now), and a globally unique address space makes that much saner.
We have an ASP-provided service via a frame circuit. In its first iteration the engineer I worked with assigned me an address of 10.2.3.4 on the WAN side of the router. When I asked him what the destination network was for the services we were communicating with, he just said "10.0.0.0/8". When I told him that space was in use here as well, he said "You'll have to renumber, those are our IPs". It took an hour-long argument with his boss and faxes of RFC1918 to convince them otherwise.
The next iteration of this service had a different connection to a different provider who connected to the provider above. Both of these providers were using overlapping 10.0.0.0/8 space and were NATing to each other, and when the service wasn't working right it was funny/sad listening to these clowns try to diagnose these double-NAT'd connections. None of that would have been necessary if they had used unique address space.
He sounds legit. IE, he got this asset from a dot-com liquidation (won't say who, not allowed), and it has a HIGH reserve. Also said he didn't think anything would come of it, as he's never seen that sort of thing on ebay before, but he'd give it a shot.
If you want it, be prepared to spend 6 figures.
Fuck Beta. Fuck Dice
Unfortunately, your proposal is completely irrelevant. In the cases I know, the communication channel between the ISP and ARIN was not compromised. The ISP just sent bogus data, acting on forged customer requests.
No shit the channel was not compromised, but it was misused. So how do we solve the problem of determining if a message is authentic. *snaps fingers* I know! We use public key cryptography!
There isn't any cryptographic protocol that can solve such a problem, and that's why S-BGP and other "secure" BGP successors are almost completely irrelevant. Cryptography is not the answer to all attacks.
You are sadly mistaken. Cryptography is not just about obscuring the message, but also proving that the message is authentic.
Here's how the process works:
1. message is run through a digest
2. the digest is encrypted using the sender's private key against the recipient's public key (this is called the signature)
3. the message is sent with the signature attached
4. the recipient decrypts the signature to get the digest and performs the same digest operation on the message.
If the signature cannot be decrypted, or the digests do not match, the message cannot be authenticated.
Both parties must trust the other's public key, so they met in person and signed the other's key before they performed any transactions. Afterwards, if they can successfully encrypt and decrypt messages to and from the other, the authentication mechanism above works.
In general, cryptography is used for authentication in all kinds of places. You know a hash function is a type of cipher? Passwords on *nix systems are stored hashed. Every time you enter a password, the system runs it through a hash function (likely MD5) and compares that to what is stored on disk. MD5 sums are used to validate the authenticity of software packages. Of course, the list of sums is often authenticated as described above (using PGP/GPG).
So please, come up to speed on these things!
Join Tor today!
I wonder how much of this kind of stuff would stop if we
1. blocked spam at the client based on content, not by blocking IP addresses
2. let people spam.
If we know who and where the spammers are and let them have their own little space in the world, and didn't outright reject talking to them, they wouldn't be doing this sort of thing. The biggest problem is that the cost to download is a large multiple of the cost to upload, since you can send to a whole lot of people in one shot, but there's an easy technical solution to that (don't let people send an email to 5000 people at your server in one shot).
Maybe it's time to treat them like the parts of the porn industry who work with filtering companies to identify themselves. Give them their own little sandbox to play in, don't threaten to shut them off, and then block them at the client side, or once they are in the mailbox, because what we are doing to fight them isn't working (as evidenced by my pile of spam despite all possible server side filtering techniques) and they are going to fight dirty if they can't have a chance fighting fair.
You may now mod this down.
Darthtuttle
Thought Architect
The message digest is encrypted against the sender's public key so that anyone who knows and trusts the sender's public key can decrypt the digest and trust the authenticity of the message.
Join Tor today!
Actually it's 2^16-2=65532 usable addresses or sixteen bits minus one reserved netmask and one reserved broadcast address.
Unless you subnet it further; then you lose an additional netmask and an additional broadcast address for each subnet.
Unless there's another (more efficient) method I haven't learned.
--qtp
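The counting above, as an added example written for this page rather than taken from any poster, generalized to an arbitrary IPv4 prefix and subnet size and covering the two edge cases the classic "minus two" rule gets wrong (/31 and /32). The prefix 10.0.0.0/16 is a constructed stand-in for the county's block.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// BlockCount describes an IPv4 block after optionally being cut into
// equal-sized subnets.
type BlockCount struct {
	Total   uint64 // every address in the block
	Subnets uint64 // number of subnets the block was cut into
	Usable  uint64 // addresses left for hosts after network/broadcast
}

// usablePerSubnet applies the classic rule (drop the network and broadcast
// address) plus the two edge cases: a /31 keeps both addresses for
// point-to-point links (RFC 3021) and a /32 is a single host route.
func usablePerSubnet(bits int) uint64 {
	switch {
	case bits == 32:
		return 1
	case bits == 31:
		return 2
	default:
		return (uint64(1) << uint(32-bits)) - 2
	}
}

// Count parses an IPv4 prefix such as "10.0.0.0/16" and computes the totals
// when it is divided into subnets of length subnetBits. Passing the block's
// own length as subnetBits means "no further subnetting".
func Count(prefix string, subnetBits int) (BlockCount, error) {
	p, err := netip.ParsePrefix(prefix)
	if err != nil {
		return BlockCount{}, err
	}
	if !p.Addr().Is4() {
		return BlockCount{}, errors.New("IPv4 prefix expected")
	}
	if subnetBits < p.Bits() || subnetBits > 32 {
		return BlockCount{}, fmt.Errorf("subnet length /%d must be between /%d and /32", subnetBits, p.Bits())
	}
	subnets := uint64(1) << uint(subnetBits-p.Bits())
	return BlockCount{
		Total:   uint64(1) << uint(32-p.Bits()),
		Subnets: subnets,
		Usable:  subnets * usablePerSubnet(subnetBits),
	}, nil
}

func main() {
	// Constructed input: a private /16 stands in for the block from the story.
	for _, bits := range []int{16, 24, 30, 31, 32} {
		c, err := Count("10.0.0.0/16", bits)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("/16 cut into /%-2d: %5d subnets, %5d total, %5d usable\n",
			bits, c.Subnets, c.Total, c.Usable)
	}
}
```

Cutting a /16 into /24s costs 512 addresses (two per subnet); cutting it into /30s costs half the block, which is exactly why RFC 3021 permits /31 on point-to-point links.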
Read, L
I'm already the owner of a very large net block, on my internal network. I love the 196.168.x.x range.
I'm too sexy for you.
"Atrivo" is right down the street from me. Maybe I can go sell this guy a bridge or something to go along with his /16 ;)
I am network manager for a somewhat smaller-than-LA-County local govt, and we use exclusively RFC1918 address space on all our internal nets. We do use separate private class Bs (172.x.y.z) for each major building/campus complex in our local govt network and separate class Cs (192.168.x.y) for smaller buildings. We have only two public routable class C nets that handle all our publicly-connected machines on separate physical networks, and only really use about one-third of that space, so yeah, we are wasting *some* public address space, but due to physical location and upstream provider complications we have to do it that way.
IP6 allocations are not permanent; you don't own ip6 addresses and you can't get PI (provider independent) blocks. To get a range of ip6 addresses you have to get them from your ip6 gateway provider or be a big or important enough network operator or institution.
I'm part of the IP Admin group of a large international ISP and have seen this firsthand. New customers routinely ask us to route space, and sometimes it's difficult to tell if it's theirs or not what with all the mergers, acquisitions and renaming of companies. There's definitely more scrutiny of these requests than there was a year ago.
A few months ago spammers started to hijack IP space that was registered to companies that are now out of business, which means that most likely nobody is going to notice what they've done.
After a while it's almost like getting squatters' rights - I've been using it and nobody else has a real claim to it, so it's mine.
AT&T and BBN are ISPs, so they've got legitimate uses for large amounts of address space. (In AT&T's case, they got lucky, because while they were late getting into the ISP business, the Class A was a leftover from the Bell Labs Cray's Hyperchannel LAN, which for some reason had insisted on having a Class A network and couldn't be subnetted
The Interop Show Network has always been special. For you young folks out there (:-), Interop used to be an engineering conference where vendors actually tested interoperability and worked on implementation bugs, as opposed to being primarily marketing-related, and back in ~1990, not everything knew how to do variable-length subnetting or CIDR or whatever, and the show needed real internet addresses, not just RFC1918, because it was connected to the Real Internet.
Auto companies have been an early developer of networking technology - there was all that ISO MAP/TOP stuff in the Mid-80s, and they were one of the big players in getting IPSEC to be a practical technology where equipment from multiple vendors actually interoperated as opposed to a custom thing for spooks and occasional banks. (That also affected the Crypto Export Regulations Wars of the 90s.) At least in the US, automobile manufacturing isn't really done by big monolithic integrated companies which could use 10.x intranets - it's done by a wide mesh of manufacturers of parts, subassemblies, components, random little job shops, etc., as well as the big companies that stamp out metal and assemble it into cars, rather like the computer and software industry except with a lot more metal shipped around, and they need registered address space to be able to talk to each other cleanly. I'm not sure that Mercedes needs all that space, but the industry certainly does.
As of December 2001, the biggest hog of Class A addresses was the US government, including the military and its friends like Halliburton. Also Eli Lilly had a Class A then...
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Once I was thinking about how possible it would be to hijack IP address space. It's really easy, I thought, so under my own /24 I spoofed an email from my provider's email address (actually my job) and bam! The changes were made to my ARIN profile. I wondered how long it would be before this leaked out. I emailed ARIN but got no response, not a shock to me.
- There weren't firewalls or NATs to prevent local machines' addresses from being reachable by the Whole Internet, and
- there wasn't RFC1918 private address space until after the ARPANET was shut down, and
- Networks were always Class A, B, or C, and even if they were subnetted, it was still on class boundaries, and
- supernetting and CIDR didn't exist.
The Class A allocations are basically a pile of dinosaur bones, and most of the dinosaurs were either native to North America or else ate other dinosaurs that were. But yes, the early-adopter bias is a US bias, because before the work of people like CIX, the Commercial Internet Exchange, the ARPANET was a thing run by the US government, and you could only get on it if you were a US defense contractor doing appropriate kinds of work or a University that had some appropriate government-funded research, and there was an Acceptable Use Policy that said you couldn't do commercial activities that weren't related to the Government Work you were doing (though much of the interestingness of the Internet culture evolved because there was deliberately slack enforcement, especially on universities and non-commercial-related discussions.) The rest of us had UUCP, and Usenet, and X.25, and it wasn't until ~1990 that you could reliably use email for outside-your-company business without having to worry about whether you were violating the AUP.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
If PKIs become relevant, we're going to see attacks on CAs (and not just the rather insecure SSL browser PKI).
:-P
Then those attacks will have to be quite sophisticated. PKI security is mathematically provable. Forgery, insofar as imitating someone who is authorized to take a particular action, is a social engineering feat. Of course, one can always con a misinformed individual out of passphrases.
Furthermore, there is currently no large-scale PKI which tracks who is authorized to speak for which company (let alone IP address space!).
As I understand it, it was not a question of authorization but merely forgery. Someone claiming to be a person who was authorized without providing proof. I never said that PKI would solve the who can, just the who is. This case in particular was the latter of the two. Or perhaps I need to RTFA again.
All bulk data processing on the net is either done by machines
Automated authentication of authorized persons is nothing new. In fact, it's very old.
And let me repeat the major problem: At some point, you have to check that a document dealing with address space allocation issues was sent by someone who is authorized to change the allocation.
Okay, now I am really wondering what is going through your head. I do not see where the major difficulty is of keeping a secure list of authorized personnel and then authenticating their messages/commands/etc. with PKI (or any other login mechanism).
Even if you have digital certificate which proves the identity of the sender (a questionable assumption)
How is that questionable? I don't think you know what you're talking about. Want to try and forge a message coming from my key? It's infeasible unless you're the NSA. If two parties meet, each verifies the identity of the other, then they sign each other's keys, then The Factoring Problem must be solved or one of the symmetric keys compromised in order for the system to break down. If the first happens, it's the end of a lot of computer security as we know it. If the second happens, the parties will generate new keys and secrets and resume.
still don't know if the sender is authorized for the transaction. Given that we deal with extremely critical infrastructure, I really don't care if I can sue someone afterwards. The goal has to be to avoid processing bogus transactions in the first place.
Once again, I still don't see how difficult it is to maintain a list of authorized personnel. Every multiuser system in the world does this.
I hope this makes it a little bit clearer why PKIs can't immediately solve such problems.
This would have been accomplished if you demonstrated why a manifest of authorized personnel is a difficult-to-implement or insecurable mechanism.
Join Tor today!
- To get a big space free/cheap, given IPv4 address space's semi-artificial scarcity. IPv6 really takes care of this - a /48 is big enough for almost anybody, and a /64 is enough for almost any subnet - the 2**64 addresses you get in your /64 let you use 48-bit MAC addresses to automatically address everything and still give you 16 more bits to play with.
- To target a specific address space owner for nefarious purposes. Yeah, fine, IPv6 isn't going to prevent somebody who wants to hijack Bill Gates's House's IP address or remap all of Korea's IPv4 address space through Spamcop's T1. That's a problem for other mechanisms.
- To imitate somebody random other than yourself to make tracking you down or blocking your resources harder. IPv6 isn't much help for that, but that's also a case where hijacking subnets can be more fun than hijacking whole networks (e.g. don't steal the whole /16, just announce some /19 or /24 subnets that they weren't using.)
There may be occasional games that you can play where hijacking the whole
Bill Stewart
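The sub-prefix case in the post above (announcing a /19 or /24 out of someone else's /16) is what an allocation holder's own route monitoring should catch, because longest-prefix matching lets the more-specific announcement draw the traffic even where the legitimate aggregate is also visible. The following is an added example, not code from the post or from ARIN: it audits a constructed set of BGP-style announcements against a constructed registry record, flagging any announcement that covers owned space but is originated by an unexpected AS. The prefixes (documentation ranges) and AS numbers (private range) are placeholders; a real allocation would be a public block such as a /16.

```python
import ipaddress
from typing import Dict, List, NamedTuple


class Announcement(NamedTuple):
    prefix: str      # announced prefix in CIDR notation
    origin_asn: int  # AS that claims to originate it


# Constructed registry record: prefix -> AS expected to originate it.
# 192.0.2.0/24 (TEST-NET-1) stands in for a real allocation like a /16.
OWNED: Dict[ipaddress.IPv4Network, int] = {
    ipaddress.ip_network("192.0.2.0/24"): 64500,
}

# Constructed route-collector sample shaped like the page's scenario:
# the owner's own announcements, sub-prefixes and a whole-block
# announcement from a foreign AS, and an unrelated prefix.
OBSERVED: List[Announcement] = [
    Announcement("192.0.2.0/24", 64500),     # legitimate aggregate
    Announcement("192.0.2.0/26", 64500),     # owner's own more-specific: fine
    Announcement("192.0.2.128/25", 64666),   # sub-prefix from foreign AS
    Announcement("192.0.2.0/24", 64666),     # whole block from foreign AS
    Announcement("198.51.100.0/24", 64700),  # not our space: ignored
]


def audit(owned: Dict[ipaddress.IPv4Network, int],
          observed: List[Announcement]) -> List[dict]:
    """Return one alert per announcement that covers owned space
    (exactly or as a more-specific) but comes from an unexpected AS."""
    alerts = []
    for ann in observed:
        net = ipaddress.ip_network(ann.prefix)
        for owned_net, expected_asn in owned.items():
            # subnet_of() raises on mixed IPv4/IPv6, so check the version first.
            if net.version != owned_net.version or not net.subnet_of(owned_net):
                continue
            if ann.origin_asn == expected_asn:
                continue  # the holder's own announcement, including its own TE
            kind = "exact-prefix" if net == owned_net else "more-specific"
            alerts.append({"prefix": ann.prefix, "origin_asn": ann.origin_asn,
                           "kind": kind, "covers": str(owned_net)})
    return alerts


if __name__ == "__main__":
    for alert in audit(OWNED, OBSERVED):
        print(alert)
```

In practice the `OBSERVED` list would come from a route collector or looking-glass feed rather than being embedded; the comparison logic is unchanged.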
They also don't help the old-defunct-company problem - any address-space owner who didn't have a public key N years ago and isn't easy to find now can still be hijacked with the fake letterhead request for a public key, which is now the obvious first step before using the fake letterhead to social engineer the ISP. Pretending to be a Class A owner is hard to fake credibly - pretending to be a Class B or /19 owner is a lot easier.
I've had one friend of a friend who at least temporarily was the last-registered technical and administrative contact for a Class B that was the remains of a long-defunct technology company, and they were thinking about selling it on the legitimate market (not the spammer market), but decided that their chain of ownership through the various bankruptcy settlements was too dubious - I forget whether the space eventually got recycled by ARIN or whether the somewhat more legitimate owners of the remaining assets got it.
Bill Stewart
Japan and especially Korea are more interesting cases, because they don't have the censorship problem, they've got a much much higher fraction of their population wired, and their telecom infrastructure is much more liberalized. And besides, you don't have to sell spammers Korean address space to M4K3 M0N3Y Fa$$T!! - you can sell them lists of broken relays and proxies :-)
Bill Stewart
"[he] said he paid $500 for it to a guy he met online."
That must be the same guy that sold me my penis enlarger.
Nortel have 47.0.0.0/8
They now have less than 40,000 employees.
And only about ~0.001% of that class A IP space is publicly accessible.
The rest is buried behind NAT/firewalls.
I find the decision to migrate to 16 symbolic of the merger.
Finally! A year of moderation! Ready for 2019?
As I read through the responses here regarding blacklists, obviously it will be inherent that at least a good portion of mail administrators will quickly block the block...
Here's my 2 cents... have groups like ARIN who control the IPs and are informed as to when an IP hijacking has occurred... why don't they create a ~whitelist~ of sorts.
Effectively a centralized database of recently restored IP blocks that have been used illegally and have now been returned to rightful owners. Some will probably still continue to be blacklisted because the legitimate hosts aren't as legitimate as we'd like, but at least it would provide the opportunity to restore order a lot easier...
Note: I say "used illegally" in the sense that it was hijacked, not so much used for spam, pr0n or other socially-negative hosting; while it may include the latter, it doesn't need to...
~~~ SCO sued me because I printed this t-shirt with a Linux driven printer...
With IPv4, because of the gluttonous mismanagement of IP use and poor network planning (now and in the past), there appears to be a shortage of available IP addresses.
If all (Globally) Governments, Businesses, … networks were private networks using proxy-servers (and/or firewalls) with NAT and the public/free domain (class A=10.x.x.x, B…, and C…) IP addresses, then many private domain IP addresses would be freed up for distribution.
Example: The Mother of All Cable company using class-A public domain (10.x.x.x) (AKA: Private Network) IP addresses could create an unlimited number of 10.x.x.x large user networks … have them all talk to each other across proxy-servers (and/or firewalls) with NAT using a few routable private IP addresses to identify a "Public Network" for the internet. Designing such TCP/IP networks for quality and speed would cost (a little) more and be (a little) more complex for management and configuration, but it would work and add a little overhead (packet/routing/…) burden to the available bandwidth.
This method could provide some additional (but minor) network security advantages ….
OldHawk777
Reality is a self-induced hallucination.
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
what, have you people been sleeping under a rock?
IPv6 is dead, and takes too much overhead and work and cost to get done.
you could have had a v8, IPV8 that is.
not only is it more compatible with ipv4, it tunnels really nicely, and all you need is a cheap gateway.
and yes, you can have ipv4ipv8 without a v6 getting in the way...
My "class-c" ipv8 address space has more addresses than comprise the entire net!
..invest in IPv6 already! Otherwise shut it!
Must-not-watch TV!
Here is a very cool picture-graph of the entire U.S.:
http://www.popvssoda.com/
Copyrights, Patents, Trademarks: temporary loans from the Public Domain, not real property ("intellectual" or otherwise)
Hmm, many addresses in 10.0.0.0 - something tells me some filters aren't working properly...
Doesn't it just figure stolen IP address space would be used for spam.
No doubt the 'land lord' of this rented address space sold it with spam.
I don't actually exist.