Hijacked IP Addresses
By Peter Tobey & Leo Vegoda
August 11, 2022
Spammers & Hijacked IPs
From time to time a party can get out of control. Raucous celebration can become careless, even destructive. Combine a critical number of young people, a certain amount of beer and lots of music and damage often happens. Partygoers leave a mess behind them.
The same thing happens to some IP addresses. Malicious actors use IP addresses properly registered to someone else. They send spam using the purloined IP for as long as they can and move on to newly-stolen IP addresses when the first one is effectively blocked. Other IP hijackers send server malware that infects computers to cause all sorts of damage and/or extort hard cash. Eventually, they stop and leave the legitimate user of the IP addresses with a mess on their hands.
People rob banks because there’s money in them. Hijacked IP addresses are tools used in malicious, often illegal and sometimes very profitable businesses. Senders of content infected with malware or those involved in stealing others Internet users’ identities. Some spam just preys on the gullible. To reduce the amount of emailed spam, system administrators maintain a database of addresses reported to be sending unsolicited bulk email, phishing, or engaged in other malicious activities. The senders of such email are blocked from doing so via publicly available “reputation” data that allows the system to block the IP address of known bad senders of email. (See IP Address Reputation for more information.)
How do they Hijack?
Hijackers use several methods to take control of addresses
They look for addresses that are not used on the internet. This is often the case when organizations use IPv4 addresses for private networks, such as a factory network controlling manufacturing robots. Private networks are not directly connected to the internet. Hijackers can use the addresses on the internet without disrupting the private network. Sometimes addresses are not routed because the registrant is no longer in business.
Universities were among the earliest recipients of IP address space. Often, they would get many more IP addresses than they could ever use. This is because the technology available at the time only allowed three sizes of network: small (256 addresses), large (65,000 addresses), and massive (16 million addresses). So many universities have large amounts of unused address space. As an unused resource it is both an asset and a liability – as it is easier to hijack.
Hijackers look carefully at the details in the public information available in regional registries. Many older registrations were made in a more relaxed era. If the registration has not been updated for many years, there could be data missing that allows another kind of attack.
For instance, if an IP address was registered using a shortened form of an organization’s name there is an opening for an attack.
The attacker could try and forge a Letter of Authority, which would be used to convince a transit network to route the network on behalf of the hijacker. These are simply letters that give a named organization or individual authority to do something. They are often used when ordering cross connects in data centers – but also when making routing announcements.
Forged paperwork can be used to get operators to accept a routing announcement from a malicious operator. More seriously, forged paperwork has been used to try and get registries to give control of a registration to a hijacker.
How can Hijacking be Stopped?
ARIN and the RIPE NCC started talking to network operators about the problem almost 20 years ago. They asked network operators to make sure that they reviewed and updated their registrations. Putting useful contact information in the public registry doesn’t just help the registries. Other network operators rely on that information – particularly the contact information – when they perform due diligence checks.
The RIRs and the broader network operations community have also encouraged the use of Internet Routing Registries. Network operators use these IRRs to share key information. The most important information is which network should be announcing a block of IP addresses. They can also use IRRs to share detailed routing policy, like connections between networks.
The improvements in due diligence checks have been helpful. A lot of hijacks didn’t happen because of them. That pushed some bad actors to try other approaches. But even more sophisticated attacks were detected and prosecuted with the help of law enforcement.
How can Registrants of New Address Space Protect Themselves?
The fundamentals have not changed. But the community has added new approaches and refinements over time. These help protect against some but not all types of hijacking events. The three top priorities are:
1. Registration Information
Make sure the registry always has accurate contact information for your organization. They should be able to contact you about requests to make changes. The postal address should be able to receive postal mail.
Email should go to role accounts or ticketing systems rather than someone’s personal inbox. Individuals take time off (or change jobs) and are more likely to miss important messages from a registry.
2. Routing Policy
Publishing your network’s routing policy in an IRR helps other networks filter out malicious use of your addresses. The community maintains open source tools to help network operators use the IRR. There is also a low-traffic email discussion forum where people can ask questions.
A friendly website for exploring what’s in the IRR, complements these command line tools.
The Resource Public Key Infrastructure uses digital certificates to publish which networks can announce a block of IP addresses. RPKI tooling is now quite mature. The US government’s RPKI dashboard shows that almost 40% of the IPv4 space is both RPKI signed and that the routing behavior matches the certificate.
Many organizations track the behavior of each IP address connecting to their network. They use this information to decide whether they want to accept mail or web traffic from those IP addresses again. Other organizations rely on blocklists compiled by monitors of this bad behavior. It can be time consuming to get off one of these blocklists.
During that time, you or your customers might be unable to send email. Your users might have reduced access to banking services and online commerce. Plus, if you wish to transfer a block of addresses with reputation issues you may find buyers unhappy with your wares.
There are two stages to cleaning up a problem to make addresses as attractive as possible to potential buyers.
Firstly, regain control of your address space and correct the registration problems. This means:
- Work with the registry to correct business and contact information
- Update the IRR with your routing policy
- Create RPKI objects using the registry’s web interface
Working with the registry to update historic business information can take some time. Registries work hard to make sure that your request to update the company name is not an attempt to steal addresses.
Secondly, use a tool like MX Toolbox to see which blocklists have an entry for your address space. Some blocklists automatically remove entries when abuse stops. For those that don’t, follow the process on their website to have your IP removed from their list.
Some blocklists charge a delisting fee, also known as a ransom fee. Most network operators consider delisting fees to be unacceptable.
If you get stuck and need help, engage with the Mailop community.