The people who keep the Internet running are coming to terms with address space hijacking, an old scam that's turned suddenly nasty, writes Kevin Poulsen of SecurityFocus.
Earlier this year an expanse of Internet address space belonging to the County of Los Angeles was put to some uses that had little to do with effective municipal governance. Some county addresses inexplicably began hosting porn websites, while others generated suspicious scanning activity that tripped intrusion detection systems around the net. And then there was the spam, suddenly oozing from the county's cyberspace like sludge moving down the Los Angeles river after a rain -- low-interest mortgages, bargain ink jet cartridges, an abundance of "sizzling teens" in adult situations.
It turns out the official records of the address block had been doctored, and L.A. County no longer owned the space -- at least as far as the rest of the world was concerned. All 65,534 addresses now belonged to one Emil Kacperski, the 20-something owner of a small unincorporated hosting company in Northern California. No one was more surprised than county officials, who'd been using the space on an internal county-wide network since 1995. "We found out when we got a call from some outfit overseas, saying they were being hacked and they investigated the IP address and it was one of ours," says Dennis Shelley, associate CIO for the county. "We followed up on it, and we found out that it had been hijacked."
Los Angeles County had been hit by a growing type of hi-tech fraud, in which large, and usually dormant, segments of the Internet's address space are taken away from their registered users through an elaborate shell game of forged letters, ephemeral domain names and anonymous corporate fronts. The patsies in the scheme are the four non-profit registries that parcel out address space around the world and keep track of who's using it. The prizes are the coveted "Class B" or "/16" (read "slash-sixteen") address blocks that Internet authorities passed out like candy in the days when address space was bountiful, but are harder to get legitimately now.
The most rapacious consumers of the stolen address space are spammers trying to stay a step ahead of anti-spam blacklists. A /16 provides a lot of addresses to hide behind, a lot of launch pads for unwanted e-mail, squats for hastily-erected spamvertised websites, and attack points from which one can scan the Internet for misconfigured proxy servers-- useful for laundering even more spam. Some anti-spam investigators believe an underground economy exists in which a large block of address space is broken down and re-sold in smaller chunks like a boosted Acura in a chop-shop. "Money is changing hands," says Kai Schlichting, a veteran network engineer who tracks down stolen IP space in his spare time. "I wouldn't be surprised if you could sell a /16 for $100,000 in bits and pieces."
Hijacking an IP block is cheap, and it bypasses conservation measures imposed by the regional registries: to get a large allocation legally, one must first demonstrate an immediate need for the space; it's not enough to want it. Then you have to pay the registry as much as $10,000 in fees. In contrast, to snake someone else's domain all the scamster has to do is write a letter on fake company letterhead changing the contact information for the allocation, or in some circumstances just forge an e-mail message from the owner. Investigators say that some hijackers have resorted to cloning an entire company by incorporating under a similar name.
Kacperski, owner of the Walnut Creek, Calif. hosting company Atrivo, says he acquired L.A. County's space after becoming frustrated by the cost and bureaucracy of getting a larger block through approved channels. In a telephone interview, the entrepreneur admitted that the /16 wasn't his, but he denied taking it himself. He says he purchased it from a gray-market broker he met online, who claimed to have the right to sell the block.
"He called it 'borrowed space,'" says Kacperski. "We ended up paying the person for the block and he ended up [transfering] it to us... He assured us there'd be no problems." The price, he claims, was a paltry $500, transferred through PayPal, though he was instructed to use only a tiny fraction of the space.
SecurityFocus could not locate the broker. (Kacperski blames the spam, and other anti-social net traffic, on a single bad customer that he quickly cut off.)
Regardless of who stole it, Los Angeles County quickly got its space back. But elsewhere the scam has intensified in recent months, with at least seven large allocations found newly-diverted, and countless other cases suspected. Last month anti-spam groups and concerned network operators formed a private mailing list to investigate the phenomenon outside the view of cyberjackers. "There's anything up to 100 of these blocks out there on the loose," estimates Richard Cox, an IT forensics guru with Mandarin Technology in the U.K. "That's the magnitude that we're dealing with here."
The Trafalgar House Case
Network operators were galvanized by a particularly brazen case in April, when a trail of spam led to the discovery that no-less than six /16s -- nearly 400,000 addresses -- had been misappropriated from Trafalgar House, a British construction and shipping conglomerate that's now part of Aker Kvaerner, headquartered in Norway. From the U.K., Cox discovered that the perpetrators conned the American Registry for Internet Numbers (ARIN) into changing the contact information for the space. One of the /16s was traced to a Dutch spammer, and the other five to a mysterious company called "Fedfinancial Corp."
Fedfinancial managed to convince ARIN that it had been contracted to provide network management services for Trafalgar. ARIN won't say exactly how it was swindled, but registration records show the grifters had an authentic-looking e-mail address at a newly-minted "traf-infosystems.net" domain, and a genuine street address with matching voice and fax telephone numbers. But the phone numbers ring to Nevada and Offshore Business Formation, a company that sets up corporations for a fee, and takes orders over the Web. Public records show that they incorporated Fedfinancial as a Nevada corporation last January, on behalf of an unnamed client. The street address is also theirs.
ARIN president Ray Plzak says the registry doesn't comment on specific cases, but acknowledged that address space hijacking is a problem. "We have measures in place to detect these kinds of things, and we have a set of procedures that we follow to verify information, and we're continuously looking into ways of improving that" says Plzak. "No procedure is ever 100% perfect, and we recognize that."
Once the ARIN record for a block of space has been tweaked, the new "owner" can show it to a network access provider as proof that he has the right to use the addresses. Kacperski found three providers for his purloined L.A. County block; anyone who questioned his sudden good fortune was treated to a tall tale about an old friend who bequeathed Kacperski the mammoth space when his company went bankrupt.
Coincidentally, one of the providers, New York-based networking firm nLayer, also wound up routing a /16 that another customer took from the Italian logistics firm Zust-Ambrosetti in January. But nLayer insists it's doing everything reasonable to avoid harboring misappropriated space. "Obviously we don't want to be routing any IP blocks that are potentially stolen." says an nLayer representative who identified himself as Richard Steenbergen. "But nothing really shows up as a red flag when someone is listed as a contact on the block."
Anti-spammers argue that access providers should be more skeptical when someone comes in with a ridiculously large allocation. "If it's a customer connecting with T1 and walking in with a /16, or two or three of them, this is something that should set off some alarm bells," says Schlichting. But additional vigilance goes against an access provider's financial interest -- they make money by connecting people, not by turning them away.
And until spammers discovered the technique, IP hijacking was largely considered a dishonest but forgivable path to acquiring old, unused address space belonging to defunct companies. The perpetrators were what the Spamhaus Project describes as "a few crufty geeks" in search of "cheap digs." The scam is victimless in that it normally targets dormant allocations that are otherwise going to waste, in many cases taking blocks of space that belong to defunct companies, or, like the Trafalgar House space, have long faded from corporate memory.
But like the mob moving in on a neighborhood poker game, spammers have turned a once-harmless misdemeanor into an organized and well-funded scheme. Internet defenders shudder at the thought of large portions of the net's real-estate under the control of anonymous rogue entities. "There's no accountability. You don't know who really owns this particular address space. You have no way of finding out," says Schlichting." Some even worry that malefactors will go a step further, and begin hijacking address space that's already in active use. "This whole episode has identified huge weaknesses in the Internet's own infrastructure," says Cox. "What we've seen happen is trivial compared to what we've seen possible."
For now, attention is turning to what the regional registries could or should do to stop the practice, and ARIN has begun reviewing old records for signs of chicanery. "Where we find evidence that there has been a fraudulent transfer... we will remove that information and try to go back through history, if you will, and try and find out who has the earliest established legitimate use of the address space," says Plzak. What that history might yield has some network operators nervous; some of the space appropriated by those "crufty geeks" has been stratified into legitimacy by the passage of time. This week network operators on the NANOG mailing list began debating whether benevolent squatters should be granted some kind of amnesty from the coming "witch hunt."
As for Kacperski, last week he received approval from ARIN for a new block of space that he can rightfully call his own. "There are forms, there are a lot of procedures, and we had to pay $2,500... This is not an easy thing to do," he says. His new block is a /20, which means he has a little over 4,000 IP addresses for his hosting company. That's not bad, but it's a long fall from the heady days when he had enough virtual real estate to serve the City of Angeles.