Confronting Address Space Hijackers
Tawn writes "There's a great story on SecurityFocus about hijackers taking over large allocations of IPv4 space with forged documents and false business fronts. Los Angeles County and some big multinationals have had /16's pulled out from under them in the last few months, and used to inject spam. ARIN and network operators are trying to get a handle on the problem. The owner of a webhosting company that wound up with L.A. County's /16 called it 'borrowed space,' and said he paid $500 for it to a guy he met online."
Right... "borrowed". And that "guy I met in the van in the back alley" was just letting me "borrow" that plasma screen TV for $500.
I moderate "-1, Fool"
You know, as evil as this may be, sitting on that quantity of unused IP addresses is just as criminal. Perhaps once they get the addresses back, they should consider selling or renting them out to raise some funds since California claims to be having budget problems. I'm sure some of these guys would be happy to put in a bid.
Food not Bombs is a nice platitude but it breaks down when you notice that the Bombees are usually well fed
How the hell can't you be a little suspicious of somebody offering you a Class C for $500 on the condition that you only use a small part of it? What, did it fall off a truck?
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
What's the point of stealing IPs to spam? Haven't these guys ever heard of wardriving for IPs?
These guys really need some serious technical help...
(Yes, not meant seriously for those law/spam enforcement types out there!)
The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
a couple of weeks ago. Not this particular article, but a little write-up with some nice links (rejected, of course).
Links:
In your face hijacking
Current list of possible bogus bgp routes
Oh, well.
ARIN and their members made this problem for themselves. If legit space were easier to get (you currently need to prove you have 16000 hosts), then people would be more traceable and accountable.
Spammers are now in a very tight spot in that their address space gets blacklisted faster than ever before, so they have to keep changing. At the same time they're still making good money to use to bribe people (by paying way more for bandwidth than is normal) into taking their BGP advertisements for space of dubious origin.
The old swamp space is never going to be reclaimed just because legally it would be such a pain to do so. It would make more lawyers rich without solving the problem, because there will always be space left that can be hijacked, if only for a shorter and shorter time.
Simon
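A defender-side sanity check in the spirit of the "possible bogus BGP routes" list linked above: compare observed route announcements against the registered holder and expected origin ASN of each block, flagging origin mismatches, unexpected more-specifics and announcements of space nobody is registered for. This is an added example, not code from the article or any commenter; the registry entries, ASNs and announcements are constructed sample data built from documentation prefixes and private-use ASNs, standing in for what you would pull from RIR whois/IRR data and a route collector.

```python
import ipaddress

# Constructed sample "registry": prefix -> (registered holder, expected origin ASN).
# Documentation prefixes and private ASNs only; not real allocations.
REGISTRY = {
    "192.0.2.0/24": ("Example County", 64500),
    "198.51.100.0/24": ("Example Corp", 64501),
    "203.0.113.0/24": ("Example ISP", 64502),
}

# Constructed announcements as a route collector might show them: (prefix, origin ASN).
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),      # matches the registry
    ("198.51.100.0/24", 64666),   # whole block announced by an unexpected origin
    ("203.0.113.128/25", 64502),  # more-specific, but from the registered origin
    ("203.0.113.0/25", 64777),    # more-specific from an unknown origin
    ("100.64.0.0/10", 64501),     # prefix with no registry entry at all
]

def check_announcement(prefix, origin, registry):
    """Classify one announcement against the registry.
    Returns (verdict, holder); verdict is 'ok', 'origin-mismatch',
    'more-specific' or 'unregistered'. Origin mismatch is reported
    first because it is the stronger hijack signal."""
    net = ipaddress.ip_network(prefix, strict=False)
    for reg_prefix, (holder, reg_asn) in registry.items():
        reg_net = ipaddress.ip_network(reg_prefix)
        if net.version != reg_net.version or not net.subnet_of(reg_net):
            continue
        if origin != reg_asn:
            return ("origin-mismatch", holder)
        if net.prefixlen > reg_net.prefixlen:
            # A more-specific from the right origin is often traffic
            # engineering; worth a look, not proof of anything.
            return ("more-specific", holder)
        return ("ok", holder)
    return ("unregistered", None)

def find_suspicious(announcements, registry):
    """Return every announcement that is not a clean registry match."""
    flagged = []
    for prefix, origin in announcements:
        verdict, holder = check_announcement(prefix, origin, registry)
        if verdict != "ok":
            flagged.append((prefix, origin, verdict, holder))
    return flagged

if __name__ == "__main__":
    for row in find_suspicious(ANNOUNCEMENTS, REGISTRY):
        print("%-20s AS%-6d %-16s holder=%s" % row)
```

A real deployment would refresh the registry from RIR data and feed it a full table; the classification logic is the same.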
You can buy 10.x.x.x from me if you like - only $0.01 per IP address
Eighteen companies currently hold Class A allocations: Apple, AT&T, BBN Planet, Computer Sciences, Compaq, Ford, Eli Lilly, GE, Hewlett-Packard, Interop Show Network, IBM, MIT, Mercedes Benz, Merck, PSINet, Prudential Securities, Stanford University and Xerox.
Mercedes Benz needs 16777216 addresses??!!
Oh wait, I shouldn't include the broadcast addresses .0 and .255.255.255, so that's only 16777214 addresses. My bad. Seems reasonable.
Considering that at MIT, Pop machines and Coffee Makers have IP's, they just might be using a reasonable amount of their /8
"You've got an invalid haircut" -Warren Zevon - Life'll Kill Ya
Jerry: Today on our show, we have people who have stolen IP addresses to send SPAM. Why did you do it Larry?
Larry: Jerry, it's an addiction I have. I just feel the need to tell everyone that by sending money to my friend in Nigeria, they can get a stimulating diplomia and have investment opportunities in appendage lengthening. Is that so wrong? Audience boos.
Jerry: Not everyone agrees with you. Let's bring out a system administrator whose IP you hijacked.
SysAdmin: Appears from backstage. Upon seeing Larry, rushes him fists raised. You stupid #$@&! I'll kill you! I'll kick your fsking @$$! Throws chair. Is restrained by large bald stagehand. You stole my IP! I'll get you!
Note that that list is old, listing both HP and Compaq as having Class A networks. Does this mean that HP now has two class A blocks? Or is the list old, with much of that space having been reallocated?
DaimlerChrysler (Mercedes Benz is a nameplate, not a company) is most assuredly a US company; it's also a German company.
And I'd suspect that they got the /8 via Chrysler (which was heavily involved with DARPA at the time IP was being rolled out, primarily for the M1 Abrams program).
But unlike many of the IT companies, they have a reduced need for IP space. BBN Planet, AT&T and PSINet are all providers, and IBM and HP (as well as Compaq) both maintain huge semi-private networks.
Don't know if it's legit or not, but here is one on eBay now :) Hurry and get your own 65535 addresses!
This article raises an interesting point. When a spammer successfully hijacks address space and uses it to send spam, his IPs are naturally going to appear on various blacklists before too long.
The problem isn't limited to blacklists, either. Bayesian spam filters will quickly learn to recognize Received-From headers bearing the stolen IPs. Collaborative hashing filters will also be affected, to a degree.
So...the spammer steals a subnet, uses it to spam for a while, and then is either shut down or abandons his activities. He leaves behind a zone of "scorched earth" -- addresses that effectively cannot host a mail transfer agent. It is now the job of the next legitimate recipient to clean up the spammer's mess. He might not even notice anything's wrong until half his emails have gone missing and the other half are bounced with mysterious messages. Having identified the problem, it is now up to him to track down various blacklists and get his addresses removed. The damage done to the Bayesian and collaborative filters simply cannot be undone. Mail will be lost.
To me, this is the real tragedy. Once an address block has been used for spamming, it's effectively ruined until someone inherits it and puts a great deal of time and effort into restoring its good reputation.