Home / Blogs

To our readers: Does your company offer DNS or DNS Security services? CircleID has an opening for an exclusive sponsor for our DNS topic. Gain unparalleled results with our deep market integration. Get in touch: [email protected]

Hijacked IP Addresses

Co-authored by Peter Tobey, Marketing and Communications Director at IPv4.Global and Leo Vegoda.

From time to time, a party can get out of control. Raucous celebration can become careless, even destructive. Combine a critical number of young people, a certain amount of beer and lots of music and damage often happens. Partygoers leave a mess behind them.

The same thing happens to some IP addresses. Malicious actors use IP addresses properly registered to someone else. They send spam using the purloined IP for as long as they can and move on to newly-stolen IP addresses when the first one is effectively blocked. Other IP hijackers send server malware that infects computers to cause all sorts of damage and/or extort hard cash. Eventually, they stop and leave the legitimate user of the IP addresses with a mess on their hands.

Why Hijack?

People rob banks because there’s money in them. Hijacked IP addresses are tools used in malicious, often illegal and sometimes very profitable businesses. Senders of content infected with malware, those involved in stealing others Internet users’ identities, or an open proxy that can be used by miscreants to do any of those things are stopped from being delivered. Some spam just preys on the gullible. To reduce the amount of emailed spam, system administrators maintain a database of addresses reported to be sending unsolicited bulk email, phishing, or engaged in other malicious activities. The senders of such emails are blocked from doing so via publicly available “reputation” data that allows the system to block the IP address of known bad senders of email. (See IP Address Reputation for more information.)

How do they Hijack?

Hijackers use several methods to take control of addresses.

They look for addresses that are not used on the internet. This is often the case when organizations use IPv4 addresses for private networks, such as a factory network controlling manufacturing robots. Private networks are not directly connected to the internet. Hijackers can use the addresses on the internet without disrupting the private network. Sometimes addresses are not routed because the registrant is no longer in business.

Universities were among the earliest recipients of IP address space. Often, they would get many more IP addresses than they could ever use. This is because the technology available at the time only allowed three sizes of network: small (256 addresses), large (65,000 addresses), and massive (16 million addresses). So many universities have large amounts of unused address space. As an unused resource, it is both an asset and a liability—as it is easier to hijack.

Hijackers look carefully at the details in the public information available in regional registries. Many older registrations were made in a more relaxed era. If the registration has not been updated for many years, there could be data missing that allows another kind of attack.

For instance, if an IP address was registered using a shortened form of an organization’s name, there is an opening for an attack.

The attacker could try and forge a Letter of Authority, which would be used to convince a transit network to route the network on behalf of the hijacker. These are simply letters that give a named organization or individual authority to do something. They are often used when ordering cross connects in data centers—but also when making routing announcements.

Forged paperwork can be used to get operators to accept a routing announcement from a malicious operator. More seriously, forged paperwork has been used to try and get registries to give control of a registration to a hijacker.

How can Hijacking be stopped?

ARIN and the RIPE NCC started talking to network operators about the problem almost 20 years ago. They asked network operators to make sure that they reviewed and updated their registrations. Putting useful contact information in the public registry doesn’t just help the registries. Other network operators rely on that information—particularly the contact information—when they perform due diligence checks.

The RIRs and the broader network operations community have also encouraged the use of Internet Routing Registries. Network operators use these IRRs to share key information. The most important information is which network should be announcing a block of IP addresses. They can also use IRRs to share detailed routing policy, like connections between networks.

The improvements in due diligence checks have been helpful. A lot of hijacks didn’t happen because of them. That pushed some bad actors to try other approaches. But even more sophisticated attacks were detected and prosecuted with the help of law enforcement.

How can registrants of new address space protect themselves?

The fundamentals have not changed. But the community has added new approaches and refinements over time. These help protect against some but not all types of hijacking events. The three top priorities are:

1. Registration Information

Make sure the registry always has accurate contact information for your organization. They should be able to contact you about requests to make changes. The postal address should be able to receive postal mail.

Email should go to role accounts or ticketing systems rather than someone’s personal inbox. Individuals take time off (or change jobs) and are more likely to miss important messages from a registry.

2. Routing Policy

Publishing your network’s routing policy in an IRR helps other networks filter out malicious use of your addresses. The community maintains open source tools to help network operators use the IRR. There is also a low-traffic email discussion forum where people can ask questions.

A friendly website for exploring what’s in the IRR, complements these command line tools.

3. RPKI

The Resource Public Key Infrastructure uses digital certificates to publish, which networks can announce a block of IP addresses. RPKI tooling is now quite mature. The US government’s RPKI dashboard shows that almost 40% of the IPv4 space is both RPKI signed and that the routing behavior matches the certificate.

Reputation damage

Many organizations track the behavior of each IP address connecting to their network. They use this information to decide whether they want to accept mail or web traffic from those IP addresses again. Other organizations rely on blocklists compiled by monitors of this bad behavior. It can be time-consuming to get off one of these blocklists.

During that time, you or your customers might be unable to send email. Your users might have reduced access to banking services and online commerce. Plus, if you wish to transfer a block of addresses with reputation issues, you may find buyers unhappy with your wares.

Cleaning process

There are two stages to cleaning up a problem to make addresses as attractive as possible to potential buyers.

Firstly, regain control of your address space and correct the registration problems. This means:

  1. Work with the registry to correct business and contact information
  2. Update the IRR with your routing policy
  3. Create RPKI objects using the registry’s web interface

Working with the registry to update historic business information can take some time. Registries work hard to make sure that your request to update the company name is not an attempt to steal addresses.

Secondly, use a tool like MX Toolbox to see which blocklists have an entry for your address space. Some blocklists automatically remove entries when abuse stops. For those that don’t, follow the process on their website to have your IP removed from their list.

Some blocklists charge a delisting fee, also known as a ransom fee. Most network operators consider delisting fees to be unacceptable.

If you get stuck and need help, engage with the Mailop community.

A Message from Our Sponsor

How to Take Advantage of Rising IPv4 Address Value: IPv4.Global specializes in helping clients sell, lease and buy IPv4. We help make the process less complicated and time-consuming by:

• Helping you find a buyer
• Leading you through the registry process
• Providing advice and expertise to reorganize your network

Contact us by calling (212) 610-5601 to speak with an expert for help turning your invisible asset into revenue.

By Peter Tobey, Marketing and Communications Director at IPv4.Global

His role includes broad communication of issues and solutions for networking professionals, IPv4 address holders and those transferring the assets, either as buyers or sellers. Visit IPv4.Global website and blog for more insight.

Visit Page

Filed Under

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Comments

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

Related

Topics

Domain Names

Sponsored byVerisign

Cybersecurity

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API