Dormant IP addresses RIPE for hijacking

'That's not us spamming, honest' cries hosting firm


Spammers are using loopholes in the internet routing registry system to commandeer address space and pump out junk mail, and potentially to launch denial-of-service attacks and steal traffic.

As explained by cybercrime reporter Brian Krebs and Cisco researcher Jaeson Schultz, IP addresses can be snatched by scammers who establish bogus overseas internet service providers.

The two examined Bulgarian provider Mega Spred, which commandeered an Irish hosting provider's unused address space, along with blocks belonging to many others, by announcing to the internet via BGP that it was the new authority for each, landing all of them on spam blacklists.

Because that announcement was accepted as genuine, the scammer effectively became the owner of the stolen space and could deliver spam through it at the expense of the former legitimate hosting provider's reputation.

"As a consequence, these unused and unannounced IP prefixes become ripe for abuse," Schultz said.

"Increasingly, miscreants are maliciously announcing BGP prefixes for unused IP net blocks, hijacking these IP addresses for their own means.

"The potential havoc that can be wreaked by a hijacked IP is not limited to sending spam. The hijacked IP could be used for any manner of illicit activities including Denial of Service, or even stealing traffic from the legitimate network owners."

Mega Spred stolen space. © Cisco

There was little the internet registries could do, or had done, to close the loophole without also hindering the legitimate cases in which foreign entities announce IP address space, according to Schultz and the networking specialists who spoke to Krebs.

"What can be done to stop this atrocity? Unfortunately, the solution to this problem is not so easy. IP hijacking is made possible when internet networks are not configured to filter their BGP traffic," Schultz said.

"A properly configured internet network would prevent its downstream networks from announcing BGP prefixes for IP net blocks they do not control [but] until more networks get strict about monitoring for, and preventing malicious BGP announcements, the problem will continue."

He said the attacks were hard for the unsophisticated cyber-criminal rabble to pull off.

For its part, RIPE NCC, the internet registry for Europe, the Middle East and Central Asia, said the problem lay at the Internet Routing Registry (IRR) level and not with the Regional Internet Registries (RIRs), of which it is one.

"It is not possible therefore for the RIRs to verify the routing information entered into Internet Routing Registries or monitor the accuracy of the route objects," RIPE NCC told Krebs.

Network owners could reduce the risk of attack through Resource Certification (RPKI), which uses cryptographic certificates to specify which Autonomous Systems may announce a given BGP prefix, so that networks validating against it can reject incorrect or malicious announcements. ®
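The two defences named above, Schultz's upstream filtering of what a downstream customer may announce and RPKI-based origin validation, are shown below in one runnable illustration. This is an added example, not code from Cisco, RIPE NCC, Krebs or the article; the ASNs (AS64500, AS64666), the documentation prefixes and the ROAs are constructed sample data, and the per-customer "registered prefixes" table stands in for whatever a real upstream builds from IRR route objects. The origin check follows the three outcomes of RFC 6811 (valid, invalid, not-found); the AS0 ROA used for one dormant block is a practice the article does not mention, included as an assumption about how an owner could cover unannounced space.

```python
"""Upstream customer prefix filter plus RFC 6811 route-origin validation.
Added example, not Cisco's, RIPE NCC's or the article's own code. All ASNs,
prefixes and ROAs are constructed sample data (documentation ranges, private ASNs)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Longest prefix an upstream will accept from a customer (assumed common practice).
MAX_ACCEPTED_LEN = {4: 24, 6: 48}


@dataclass(frozen=True)
class Roa:
    """Route Origin Authorisation: `asn` may originate `prefix` and any more-specific
    of it down to `max_length`. asn 0 means nobody may originate it (assumption:
    the AS0 convention, which the article does not discuss)."""
    prefix: Network
    max_length: int
    asn: int


def make_roa(prefix: str, asn: int, max_length: int | None = None) -> Roa:
    net = ipaddress.ip_network(prefix, strict=True)
    max_length = net.prefixlen if max_length is None else max_length
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} out of range for {net}")
    return Roa(net, max_length, asn)


def customer_filter_accepts(customer_asn: int, announced: str,
                            registered: dict[int, list[str]]) -> bool:
    """Upstream-side ingress filter: accept an announcement from a customer only if
    it is one of that customer's registered prefixes, or a not-too-specific subnet
    of one. Anything else (including someone else's dormant block) is dropped."""
    try:
        net = ipaddress.ip_network(announced, strict=True)
    except ValueError:
        return False  # malformed prefix (host bits set, bad syntax): drop it
    if net.prefixlen > MAX_ACCEPTED_LEN[net.version]:
        return False  # too specific to be carried
    for allowed in registered.get(customer_asn, []):
        allowed_net = ipaddress.ip_network(allowed, strict=True)
        if allowed_net.version == net.version and net.subnet_of(allowed_net):
            return True
    return False


def validate_origin(announced: str, origin_asn: int, roas: Iterable[Roa]) -> str:
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(announced, strict=True)
    # A ROA "covers" the route when the route prefix lies inside the ROA prefix.
    covering = [r for r in roas
                if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return "not-found"   # no ROA covers this prefix: RPKI says nothing about it
    for roa in covering:
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"         # covered, but wrong origin AS or too specific


if __name__ == "__main__":
    # Constructed scenario: AS64500 holds three blocks, announces only the first,
    # has a ROA for it, an AS0 ROA for the second, and no ROA for the dormant third.
    registered = {64500: ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]}
    roas = [make_roa("192.0.2.0/24", 64500), make_roa("198.51.100.0/24", 0)]
    hijacker = 64666
    for asn, prefix in [(64500, "192.0.2.0/24"), (hijacker, "192.0.2.0/24"),
                        (hijacker, "198.51.100.0/24"), (hijacker, "203.0.113.0/24")]:
        verdict = "accepts" if customer_filter_accepts(asn, prefix, registered) else "rejects"
        print(f"AS{asn} announces {prefix}: customer filter {verdict}, "
              f"RPKI says {validate_origin(prefix, asn, roas)}")
```

The point to take from the last case is the caveat practitioners raise against RPKI as a cure for dormant-space hijacks: a prefix whose owner never published a ROA comes back "not-found", and most deployments still accept such routes, so RPKI only protects address space whose holder has certified it. The upstream filter, by contrast, rejects the hijacker's announcement regardless, which is why Schultz puts the onus on networks to filter their downstreams.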

