Slashdot Mirror


Hackers Buying IPv4 Blocks To Evade Detection

Trailrunner7 writes "The number of IP addresses required for large scale botnets to operate effectively can be considerable, and finding large IP blocks to use for them can be difficult. If the botnet operators do find them, the IP addresses often are blacklisted quickly by reputation systems and are then useless for the attackers. Now, in one effort to get around these systems, some attackers are taking advantage of the lack of IPv4 space by either purchasing or renting blocks of IP space with good reputations that have been built up over the course of several years. A number of legitimate trading and auction sites appeared as the IPv4 space became scarcer, and the attackers have gotten involved as well, getting their hands on known good IP blocks and using them for C&C or hosting malware."

10 of 89 comments

  1. It's online, patent it! by tag · · Score: 2

    FTFA: "The bad guys can buy or rent these as well, getting inside known good IP blocks so that the reputation systems don't blacklist them as quickly." Criminals establish "safe houses" in nice neighborhoods. Film at eleven.

    1. Re:It's online, patent it! by causality · · Score: 2

      Oh horseshit. Microsoft makes ease-of-use its focus because that is what its customers want. Does your house come with a warning that trimming the shrubs is required, and if they grow too large it is bad for security? Does the home builder bear liability if someone hides behind the shrub, breaks a window and gets in? Does the homeowner? No to all of those - the only one we hold responsible is the person who broke in. And why single out Microsoft for liability? If Microsoft is liable, why aren't all software vendors (including FOSS)? Equal justice and all that.

      Most people think like you do: childishly. They will pass up an available, doable solution that will work because it might mean a slight bit more effort for users and might not fulfill their visceral desire to feel the gratification of hanging the black-hats by their toes. I know exactly how you think. Anything that doesn't give users streets paved with gold and their every heart's desire while simultaneously torturing the evil hackers to death would be ... UNFAIR. That makes it against your religion, an anathema to you. Like I said, this is childish.

      If you have a widespread, reoccurring problem that causes real material harm, and you have practical, achievable steps you can take to ameliorate it, you take those steps. You then worry about going after the bad guys. They are not mutually exclusive. Hardening the targets doesn't mean the criminals get a pass. Your either-or thinking is pathetic and outdated. I'm tired of how many good discussions it poisons.

      It's funny that you mention homeowners. Actually, if a premises is maintained poorly enough, indeed the city or the county will step in and mandate that basic maintenance be performed. Also, you don't need to tell most homeowners to lock their doors at night, to mow their lawns occasionally, to shovel the ice and snow from their sidewalks because they understand that these chores go along with owning your own home. It is considered basic common knowledge. Those who fail to adequately maintain their properties are the small minority. That's not the case with computer users at all and you know it.

      Personally I practice what I preach. I read up on security from time to time. I'm not the world's foremost expert, nor do I have to be. You'd be surprised how little research it takes to become a much harder target. It is no exaggeration to say that any literate adult can handle it. Whether you think it's fair or not, the circumstances are offering users the following choices: do nothing and consider it a matter of time until you join a botnet, or put a small amount of effort into informing yourself. Now I know you can't stand that this effort is a cost imposed by bad guys, but in that case you should never put locks on your doors or PINs on your ATM card because those have a non-zero cost and fall into the same category, you hypocrite.

      I mentioned Microsoft specifically because I am realistic. I have never seen nor heard of a 50,000-member botnet that exploited *nix or OSX. I don't see many VAX-based botnets. There seems to be a shortage of QNX-based botnets as well. At the moment, Windows is the problem area. If that should change, my focus will change with it. If you think that means the big mean ol' causality is verbally beating up on the poor helpless widdle Microsoft, well then I'm glad you always take the high road whenever it is possible. So be it.

      --
      It is a miracle that curiosity survives formal education. - Einstein
  2. C&C? by jd · · Score: 3, Funny

    Why would hackers still be playing Command and Conquer?

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  3. Re:Hackers, or Criminals? by Abstrackt · · Score: 2

    I think you mean criminal hackers. I'll give you that they're not synonymous, but they're not mutually exclusive either.

    --
    They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
  4. Ownership = Identification by Toe, The · · Score: 2

    If somebody buys IP space, then there is a money trail and other identifiers.

    How could criminals purchase blocks outright?

  5. Bull Pucky by Spazmania · · Score: 4, Insightful

    I call BS. Hackers don't rent or buy IP addresses for botnets. The bots run on machines each of which has an IP address already. And when they do need IP addresses, they steal them: find an address assignment not currently routed on the Internet and forge papers they present to the ISP claiming to be the actual registrant.

    There are a number of protections in place at ARIN and the other Internet Registries which do a reasonably good job preventing hackers from taking actual "ownership" of blocks of IP addresses.

    While there is such a thing as "legitimate trading and auction sites," there are also a lot of snake oil salesmen out there right now claiming legitimacy. Here's a hint: the legitimate ones don't cater to the hacker crowd because they know perfectly well they can't effect a registry transfer without meeting the registry's criteria for "legitimate need."

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  6. Not sure "hacker" is the right word by 93 Escort Wagon · · Score: 3, Insightful

    Shouldn't we instead be referring to "botnet operators" or some such? I'm not making the "hacker" versus "cracker" argument, since language and words are dynamic - but even if we just use hackers in the pejorative sense, we're talking about a much larger group than just the subset who run botnets.

    --
    #DeleteChrome
  7. So? by Arancaytar · · Score: 2

    As the summary says, these spammers (to use the appropriate term; botnets aren't much use for "hacking") are basically reverse Midas to IP blocks: Whatever they touch is blacklisted. All that this means is that non-blacklisted address space becomes scarcer to the point where either these assholes can't afford it, or ICANN introduces new rules to seize address space that is abused (which would be a worrying precedent on the censorship & net neutrality front), or everyone switches to IPv6.

    Frankly, I wouldn't mind something that speeds that along. It will never reach wide adoption without pressure.

    1. Re:So? by Pi1grim · · Score: 2

      Wonder how fast IPv6 non-blacklisted IPs will run out with all the spammers out there.

      Also, on an unrelated note: some day governments will realize that the "child pron" distraction no longer works and will switch to spammers and botnet operators; that is sure to distract the public's attention while slowly imposing measures to control the internet.

  8. Re:Shoot the Spammers by Algae_94 · · Score: 2

    I feel your pain, but come on now. Capital punishment for spamming? It's a tough enough case to push for justifiable homicide if someone physically breaks into your house and tries to rob you. How are you going to press the case that, "he spammed me, so I shot his ass"? Scams, fraud and general douche-hattery are not new. This is just a newer realm for them.