How are networks hijacked?
1. Target IP ranges are identified
A regional Internet registry (RIR) is an organization that manages the allocation and registration of Internet resources such as IP addresses and autonomous system numbers (ASNs). Within the RIR’s list of registered IP addresses, there are numerous stale or legacy resources. These IP addresses have effectively become dormant as a result of various events, including:
- Companies going out of business, or being bought by another company
- Existing companies losing track of IP addresses and forgetting about them
- Existing companies not utilizing IP addresses
These IP allocations are ripe for cyber criminals to take over or “hijack” for their own malicious purposes. Spamhaus lists these so-called “zombie” networks (which appear to have risen from the dead) when we detect activity on these IP ranges by bad actors.
2. Ownership of IP ranges gained through fraud and deception
The takeover of the above-mentioned networks involves social engineering techniques whereby individuals or groups claim to be the original owners of the network through the use of forged documents. There are a few ways cyber criminals may go about this:
A. Hijackers find a legacy IP range to target and then register a similar-sounding domain name. They then proceed to trick the relevant RIR into updating that network’s registration to include their new domain name, in effect giving them control. (See the Spamhaus blog post: Network hijacking on the rise to read about a real-life example.)
B. Hijackers uncover network registrations where the domain associated with the original registrant’s email address has expired. They attempt to register the domain themselves, if necessary buying it at auction or from the current owner.
C. Once the domain is owned by them, they can start receiving email meant for the original registrant. This allows them to easily impersonate the owners of the network, and use social engineering to trick the RIR into giving them control of the range.
If hijackers are able to buy one of these old domains for $3,000 or even $10,000, it provides them with the opportunity to fraudulently control network assets worth well over a million dollars. Not a bad return on the investment for enterprising cyber-criminals!
3. IP addresses announced
Once the hijacker has gained control of their target network, the next step is to announce they’re “open for business” on the Internet by having the IP addresses routed. This involves going to an Internet service provider (ISP) that has an ASN for this purpose.
Giving an ISP the authorization to announce an IP range involves getting a Letter of Authority (LOA) from the owner. Cyber criminals don’t think twice about forging these LOA documents on official-looking letterheads from the defunct company they are impersonating. Occasionally they will even forge the signature of the ‘point of contact’ person detailed on the original RIR registration, and even impersonate them in emails to the ISP.
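The three steps above are exactly what an ISP’s due-diligence check has to catch before it agrees to announce a range. What follows is an added example, not Spamhaus code or any RIR’s tooling: a hypothetical vet_loa() that compares a LOA request against the RIR record for the block and flags a prefix outside the registered range, an organisation name that does not match, contact, signer or letterhead domains that differ from (or merely resemble) the domain the registration was originally made under, and a registration nobody has touched in years. The RirRecord and LoaRequest shapes, the .example domains, the years and the dormant_years threshold are all constructed for this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class RirRecord:
    """Simplified view of an RIR network registration (constructed shape)."""
    net_range: str       # registered block, e.g. "192.0.2.0/24"
    org_name: str        # organisation the block was allocated to
    org_domain: str      # domain the organisation used at allocation time
    contact_email: str   # current point-of-contact e-mail in the registry
    last_changed: int    # year the registration was last updated


@dataclass
class LoaRequest:
    """What a prospective customer hands to an ISP (constructed shape)."""
    prefix: str             # block they want announced
    claimed_org: str        # organisation name on the letter
    signer_email: str       # address the LOA was sent from
    letterhead_domain: str  # domain printed on the letterhead


def email_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def core_label(domain):
    """Second-level label with punctuation stripped, so that
    'example-widgets.example' and 'examplewidgets-inc.example'
    compare as 'examplewidgets' vs 'examplewidgetsinc'."""
    label = domain.lower().split(".")[0]
    return "".join(ch for ch in label if ch.isalnum())


def looks_alike(candidate, reference):
    """Crude lookalike test (an assumption of this example): a different
    domain whose core label contains, or is contained in, the reference's."""
    a, b = core_label(candidate), core_label(reference)
    return candidate.lower() != reference.lower() and (a in b or b in a)


def vet_loa(loa, record, current_year, dormant_years=5):
    """Return a list of findings; an empty list means nothing to query."""
    findings = []
    prefix = ipaddress.ip_network(loa.prefix)
    registered = ipaddress.ip_network(record.net_range)
    if prefix.version != registered.version or not prefix.subnet_of(registered):
        findings.append("prefix_outside_registered_range")
    if loa.claimed_org.casefold() != record.org_name.casefold():
        findings.append("org_name_mismatch")

    org_domain = record.org_domain.lower()
    checks = (("contact", email_domain(record.contact_email)),
              ("signer", email_domain(loa.signer_email)),
              ("letterhead", loa.letterhead_domain.lower()))
    for label, domain in checks:
        if domain != org_domain:
            findings.append(f"{label}_domain_mismatch")
            if looks_alike(domain, org_domain):
                findings.append(f"{label}_domain_lookalike")
    if current_year - record.last_changed >= dormant_years:
        findings.append("dormant_registration")
    return findings


# Constructed registry records: one maintained recently by the original
# organisation, one untouched since 2008 whose contact now sits on a
# lookalike domain.
RECORD_OK = RirRecord("192.0.2.0/24", "Example Widgets Inc", "example-widgets.example",
                      "noc@example-widgets.example", 2023)
RECORD_STALE = RirRecord("192.0.2.0/24", "Example Widgets Inc", "example-widgets.example",
                         "hostmaster@examplewidgets-inc.example", 2008)

# Constructed LOA requests for the same block.
GENUINE = LoaRequest("192.0.2.0/24", "Example Widgets Inc",
                     "noc@example-widgets.example", "example-widgets.example")
SUSPECT = LoaRequest("192.0.2.0/25", "Example Widgets Inc",
                     "hostmaster@examplewidgets-inc.example", "examplewidgets-inc.example")

if __name__ == "__main__":
    print("genuine:", vet_loa(GENUINE, RECORD_OK, 2024))
    print("suspect:", vet_loa(SUSPECT, RECORD_STALE, 2024))
```

Any finding is a prompt for out-of-band verification using a contact taken from the registry’s history rather than from the letter itself, since a lookalike domain, a dormant registration and a LOA sent from the new domain together are precisely the pattern of steps 1 to 3. A legitimate change of corporate domain will also trip the domain checks, and that is the intended behaviour: a phone call costs far less than announcing a hijacked range.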
What are hijacked IP ranges used for?
Typical uses of these large IP ranges that have been hijacked are for “snowshoe” style spamming or for gaming search engines through black hat “Search Engine Optimization” techniques.
Some criminals take things a step further, registering a new corporation with the same name as the original network owner, and then trying to claim ownership of these IP ranges in an attempt to resell them on the open market.
If any company is unlucky enough to purchase one of these stolen ranges, they will find themselves holding the bag (or IP range in this case), while the hijacker takes their money and disappears.
A word of caution – ensure you know and trust who you are buying your IP ranges from. Where an IP range becomes listed on the Spamhaus block list (SBL), we will not remove it for the new owners if we believe that it has been fraudulently gained, as a result of hijacking. Due to the serious nature of hijacking, Spamhaus always reports this kind of activity to the relevant law enforcement agencies for investigation and prosecution.
Additional hijacking techniques
Rogue ASN announcements by ISPs
Occasionally, less-than-scrupulous ISPs are willing to make money on the side by catering to cyber criminals, using their ASNs to make unauthorized announcements of IP ranges. In this way they can make use of millions of IPs without bothering to register domains or forge documents.
In addition to allocated IP ranges lying dormant, hijackers can also use this technique to make use of “bogon” networks, which are IP ranges that are not currently assigned to any customer by the corresponding RIR (although this is becoming less common as the number of unassigned IPs dwindles).
Last but not least, the ASNs themselves can be hijacked and used for illegal announcements, with the rogue ISP providing transit to the downstream “customer” in an attempt to deflect the blame somewhere else. Take a look at Dyn’s blog post on ‘Shutting down the bgp hijack factory’ to read about an ISP that was recently shut down for doing just that!
Hijacking Internet exchange points – direct peering
An even more insidious version of the rogue ASN announcement is an ISP with the ability to set up its own connection to an Internet exchange point (IXP). An IXP is the physical infrastructure where the actual exchange of data between networks takes place. It is common in this kind of scenario for the ISP to have a specific target in mind, such as a large email provider.
By setting up in the same IXP and establishing a “peering” connection between their ASN and the target ASN, they can announce all manner of hijacked IP ranges directly, without having to worry about the watchful eye of any legitimate upstream ISP.
IXPs often operate under a membership model that does not contemplate the existence of abusive members, with the result that terminating an IXP member for abuse can be very problematic, take a very long time, or not happen at all.
Border Gateway Protocol (BGP) or ‘route hijacking’
This technique is more commonly used to tamper with the existing routes of IP ranges currently in use, rather than stealing dormant ones. The attacker can exploit some features of Border Gateway Protocol (BGP), such as announcing more-specific prefixes, since the announcement for a smaller network will take precedence over one for a larger network containing it.
By doing this the attackers can redirect traffic destined for the original network, allowing them to undertake various malicious activities, including serving a fake website for a company and capturing login attempts and passwords.
Additionally, traffic can simply be re-routed back to the intended network, in this case giving the hijacker the opportunity to spy on or modify this traffic, such as for man-in-the-middle attacks. Perhaps one of the most publicized attacks of this nature was the revelation that China had been ‘hijacking the vital internet backbone of western countries’.
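Both the rogue ASN and bogon announcements described earlier and the more-specific route hijack described here are caught by the same defensive check: validating each announcement’s (prefix, origin ASN) pair against an authorization table and a bogon list before accepting it into the routing table. The block below is an added example, not Spamhaus code or any router vendor’s implementation. It uses a hand-built table in the shape of RPKI ROAs (prefix, maximum length, authorized origin), a minimal bogon list, and a constructed routing table containing a legitimate /24 and an unrelated ASN’s /25 for half of the same space; best_route() shows the longest-prefix-match rule that makes the /25 win, and filter_rib() shows that dropping invalid and bogon announcements restores the legitimate route. All prefixes are RFC 5737 documentation ranges and all ASNs come from the RFC 5398 documentation range; none of them appear in the article.

```python
import ipaddress

# Constructed authorization table in the shape of RPKI ROAs:
# (prefix, maximum announced length, authorized origin ASN).
ROAS = [
    ("192.0.2.0/24", 24, 64496),     # only the /24 itself may be announced
    ("203.0.113.0/24", 26, 64497),   # sub-prefixes down to /26 are authorized
]
ROA_TABLE = [(ipaddress.ip_network(p), maxlen, asn) for p, maxlen, asn in ROAS]

# Private/reserved space that should never appear on the public Internet
# (a minimal bogon list for the example, not an exhaustive one).
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def classify(prefix, origin_asn):
    """Classify one observed BGP announcement.

    Returns "bogon", "not_found" (no ROA covers the prefix), "valid",
    "invalid_length" (authorized origin, but more specific than allowed)
    or "invalid_origin" (covered by a ROA, but announced by another ASN).
    """
    net = ipaddress.ip_network(prefix)
    if any(net.version == b.version and net.overlaps(b) for b in BOGONS):
        return "bogon"
    covering = [(roa, maxlen, asn) for roa, maxlen, asn in ROA_TABLE
                if roa.version == net.version and net.subnet_of(roa)]
    if not covering:
        return "not_found"
    if any(asn == origin_asn and net.prefixlen <= maxlen for _, maxlen, asn in covering):
        return "valid"
    if any(asn == origin_asn for _, _, asn in covering):
        return "invalid_length"
    return "invalid_origin"


def best_route(rib, address):
    """Longest-prefix match: the most specific announcement covering
    `address` wins, which is the behaviour a hijacker's /25 exploits."""
    addr = ipaddress.ip_address(address)
    matches = []
    for prefix, asn in rib:
        net = ipaddress.ip_network(prefix)
        if net.version == addr.version and addr in net:
            matches.append((net, asn))
    if not matches:
        return None
    net, asn = max(matches, key=lambda m: m[0].prefixlen)
    return str(net), asn


def filter_rib(rib):
    """Route Origin Validation policy: keep "valid" and "not_found"
    announcements, drop invalid ones and bogons."""
    return [(p, asn) for p, asn in rib if classify(p, asn) in ("valid", "not_found")]


# Constructed routing table as seen by a router with no filtering.
RIB = [
    ("192.0.2.0/24", 64496),      # legitimate announcement
    ("192.0.2.128/25", 64511),    # more-specific announced by an unrelated AS
    ("203.0.113.0/26", 64497),    # legitimate more-specific within maxLength
    ("10.0.0.0/8", 64511),        # private space announced to the Internet
    ("198.51.100.0/24", 64498),   # no ROA covers this space
]

if __name__ == "__main__":
    for prefix, asn in RIB:
        print(f"{prefix:18} AS{asn}  -> {classify(prefix, asn)}")
    print("unfiltered route for 192.0.2.200:", best_route(RIB, "192.0.2.200"))
    print("with ROV filtering:              ", best_route(filter_rib(RIB), "192.0.2.200"))
```

Without filtering, traffic for 192.0.2.200 follows the /25 to AS64511 even though the legitimate /24 is still present, which is the whole mechanism of the attack described above. With the invalid and bogon announcements dropped, the same lookup returns the /24 from AS64496. The "not_found" announcement is kept on purpose: much legacy and dormant space has no ROA at all, and rejecting it outright would break legitimate routing, which is why registering ROAs for your own ranges matters.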
Conclusion
As you can see, there are numerous ways cyber-criminals can hijack networks. We’ve assisted organizations in investigating their own network hijackings, and the fallout is not pleasant. Ensure you keep your networks safe!