Slashdot Mirror
Confronting Address Space Hijackers
Tawn writes "There's a great story on SecurityFocus about hijackers taking over large allocations of IPv4 space with forged documents and false business fronts. Los Angeles County and some big multinationals have had /16's pulled out from under them in the last few months, and used to inject spam. ARIN and network operators are trying to get a handle on the problem. The owner of a webhosting company that wound up with L.A. County's /16 called it 'borrowed space,' and said he paid $500 for it to a guy he met online."
1) Start a fake business
2) forge some documents
3) steal more IPs than the whole of china has
4) sell to spammers
5) PROFIT!!!!
(note, ??????? step not required)
There is no god
Right... "borrowed". And that "guy I met in the van in the back alley" was just letting me "borrow" that plasma screen TV for $500.
I moderate "-1, Fool"
YOu know, as evil as this may be, Sitting on that quantity of Unused IP adresses is just as criminal. Perhaps Once they get the addresses back, they should consider selling or renting them out to raise some funds since California claims to be having budget problems. I'm sure some of these guys would be happy to put in a bid.
Food not Bombs is a nice platitude but it breaks down when you notice that the Bombees are usually well fed
How the hell can't you be a little suspicious of somebody offering you a Class C for $500 on the condition that you only use a small part of it? What, did it fall off a truck?
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
The owner of a webhosting company that wound up with L.A. County's /16 called it 'borrowed space,' and said he paid $500 for it to a guy he met online.
That's like getting stopped with a tractor trailer full of stolen goods and saying you bought it from some homeless guy on 82nd for 30 bucks.
Oh.. no it's not..
SCO employee? Check out the bounty
Judging by the article, LA county was using that /16 for internal routing only. I understand that they probably got it when it was easy to get, but do they really still need it? On that note, how much IP space that is allocated is actually in use? I heard something like 25%..
That Class A block that I bought on ebay from the guy from Nigeria who spammed me via SMS isn't legit? I better quickly cancel that wire transfer of money to his cousin, you know, the finance minister until I can check out his story about the president dieing in a plane crash and leaving all that money that he was going to invest in helping Quark get its native OSX version done.
It won't guarantee that this won't happen, but signed communications would help. Private keys can be stolen though, but I suspect that takes more effort. A public key should be included in the registry application, or with whois record, or in some other private DB at the registry. I guess this would be the opposite of PGP encrypted mail where the private key is used to decrypt rather than encrypt.
That this guy would end up in jail and that big guy in the cell next door merely "borrows" his ass for a pack of cigarettes.
The legwork involved in assuring that a block of IPs is legitimate should be fairly simple and part of the network administrator's job. We're not talking about end-users here, we're talking about networking professionals acting on behalf of a corporation. If they don't do their job properly they should be held responsible for that failure, especially when the transaction should raise suspicions as these would.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
What's the point of stealing IPs to spam? Haven't these guys ever heard of wardriving for IPs?
These guys really need some serious technical help...
(Yes, not meant seriously for those law/spam enforcement types out there!)
The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
a couple of weeks ago. Not this particular article, but a little write-up with some nice links (rejected, of course).
Links:
In your face hijacking
Current list of possible bogus bgp routes
Oh, well.
ARIN and their members made this problem for themselves. If legit space was easier to get - you currently need to prove you have 16000 hosts. Then people would be more traceable and accountable.
Spammers are now in a very tight spot in that their address space gets blacklisted faster than ever before so they have to keep changing - at the same time they're still making good money to use to bribe people (by paying way more for bandwidth than is normal) into taking their BGP advertisments for space of dubious origin.
The old swamp space is never going to be reclamed just because legally it would be such a pain to do so - it would make more lawyers rich, without solving the problem because there will always be space left that can be hijacked if only for a shorter and shorter time.
Simon
You can buy 10.x.x.x from me if you like - only $0.01 per IP address
I have a whole bunch of 10.0.0.0/8 address spaces for sale. :)
Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
Considering that at MIT, Pop machines and Coffee Makers have IP's, they just might be using a reasonable amount of their /8
"You've got an invalid haircut" -Warren Zevon - Life'll Kill Ya
Sitting on that quantity of Unused IP adresses is just as criminal.
;)
I do agree with you here, but... ever heard about natural selection ?
IPv4 addresses have been designed in a time when there were at most a dozen people expecting IP to be used by more than a million users in the future. Just like the w2k bug (failed to) prove, old things should eventually die so that new ones can take the free slot. Yup, just like spammers should die so that other people may use those IP slots, but I digress.
IPv6 is here and would resolve the problem. This requires a huge switch however, and people won't be ready for it unless natural selection proves IPv4 hopelessly doomed.
So let spammers accumulate IPv4 addresses just a little more
Karma cannot be described by words alone.
I'd also like to know if companies like IBM, GE, and such really use all of their class A's; or of the US DoD really uses their multiple class A's (at least 3 that ARIN would let me check before they started denying my frequent requests -- that's at least 50 million addresses)
"You know, it'd be a shame if something were to happen to that subnet..."
Arm DNS Registrars with guns and tazers
Ask users to take off shoes before mass e-mailing
Round up geeks and other suspicious technical people as 'persons of interest' to secure undisclosed locations...
Wait, these guidelines are from Homeland Security.
Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
Jerry: Today on our show, we have people who have stolen IP addresses to send SPAM. Why did you do it Larry?
Larry: Jerry, it's an addiction I have. I just feel the need to tell everyone that by sending money to my friend in Nigeria, they can get a stimulating diplomia and have investment opportunities in appendage lengthening. Is that so wrong? Audience boos.
Jerry: Not everyone agrees with you. Let's bring out a system administrator whose IP you hijacked.
SysAdmin: Appears from backstage. Upon seeing Larry, rushes him fists raised. You stupid #$@&! I'll kill you! I'll kick your fsking @$$! Throws chair. Is restrained by large bald stagehand. You stole my IP! I'll get you!
DaimlerChrysler (Mercedes Benz is a nameplate, not a company) is most assuredly a US company, it's also a German company.
/8 via Chrysler (Which was heavily involved with DARPA at the time IP was being rolled out, primarily for the M1 Abrams program).
And I'd suspect that they got the
But unlike many of the IT companies, they have a reduced need for IP space. BBNPlanet, AT&T, PSINet are all providers, and IBM and HP (As well as Compaq) both maintain huge semi-private networks.
"You've got an invalid haircut" -Warren Zevon - Life'll Kill Ya
That's just completely wrong. It could be as many as 65534 usable addresses. Networks certainly needn't be on octet boundaries.
"[A] high IQ is like a Jeep; you will still get stuck, just farther from help!" --Just d' FAQs, c.g.a
Don't know if it legit or not but here is one on Ebay now :) Hurry and get your own 65535 addresses!
It's not that simple.
The way I understand it, you can't just give back some of your addresses. You have to give back the entire block and then go through the whole lengthy application process to get a new block. Which means there will be a significant amount of time during which you have no addresses. And when you finally do get them, you'll have to renumber your network, because you won't get back addresses from the block you gave up. And if ARIN decides that you don't actually "need" as many addresses as you want to keep, you're SOL.
And if your network grows, you have to go through all the red tape of justifying your request for another/larger block.
The fact that you did the internet a service by surrendering a lot of unused addresses in the first place doesn't figure into thesedecisions.
For anybody who has a legacy class-B (or even class-A) block, it just doesn't pay to go through all the work, only to find yourself screwed in six months when you find that your new allocation wasn't big enough.
This article raises an interesting point. When a spammer successfuly hijacks address space and uses it to send spam, his IPs are naturally going to appear on various blacklists before too long.
The problem isn't limited to blacklists, either. Bayesian spam filters will quickly learn to recognize Received-From headers bearing the stolen IPs. Collaborative hashing filters will also be affected, to a degree.
So...the spammer steals a subnet, uses it to spam for awhile, and then is either shut down or abandons his activities. He leaves behind a zone of "scorched earth" -- addresses that are effectively cannot host a mail transfer agent. It is now the job of the next legitimate recipient to clean up the spammer's mess. He might not even notice anything's wrong until half his emails have gone missing and the other have are bounced with mysterious messages. Having identified the problem, it is now up to him to track down various blacklists and get his addresses removed. The damage done to the Bayesian and collaborative filters simply cannot be undone. Mail will be lost.
To me, this is the real tragedy. Once an address block has been used for spamming, it's effectively ruined until someone inherits it and puts a great deal of time and effort into restoring its good reputation.
Executives at SCO, the RIAA, Amazon and other large companies sufered public embarrisment when it was annouced that IP was being stolen and they rushed home to see if they owned any of it to sue over.
Beep beep.