[ppml] Poulsen: Cracking down on cyberspace land grabs

Joe Baptista baptista at dot-god.com
Thu Jun 12 03:17:27 EDT 2003


http://www.theregister.co.uk/content/55/31156.html

   Cracking down on cyberspace land grabs
   By Kevin Poulsen, SecurityFocus
   Posted: 11/06/2003 at 22:47 GMT



   The people who keep the Internet running are coming to terms with
   address space hijacking, an old scam that's turned suddenly nasty,
   writes Kevin Poulsen of SecurityFocus.

   Earlier this year an expanse of Internet address space belonging to
   the County of Los Angeles was put to some uses that had little to do
   with effective municipal governance. Some county addresses
   inexplicably began hosting porn websites, while others generated
   suspicious scanning activity that tripped intrusion detection systems
   around the net. And then there was the spam, suddenly oozing from the
   county's cyberspace like sludge moving down the Los Angeles river
   after a rain -- low-interest mortgages, bargain ink jet cartridges, an
   abundance of "sizzling teens" in adult situations.

   It turns out the official records of the address block had been
   doctored, and L.A. County no longer owned the space -- at least as far
   as the rest of the world was concerned. All 65,534 addresses now
   belonged to one Emil Kacperski, the 20-something owner of a small
   unincorporated hosting company in Northern California. No one was more
   surprised than county officials, who'd been using the space on an
   internal county-wide network since 1995. "We found out when we got a
   call from some outfit overseas, saying they were being hacked and they
   investigated the IP address and it was one of ours," says Dennis
   Shelley, associate CIO for the county. "We followed up on it, and we
   found out that it had been hijacked."

   Los Angeles County had been hit by a growing type of hi-tech fraud, in
   which large, and usually dormant, segments of the Internet's address
   space are taken away from their registered users through an elaborate
   shell game of forged letters, ephemeral domain names and anonymous
   corporate fronts. The patsies in the scheme are the four non-profit
   registries that parcel out address space around the world and keep
   track of who's using it. The prizes are the coveted "Class B" or "/16"
   (read "slash-sixteen") address blocks that Internet authorities passed
   out like candy in the days when address space was bountiful, but are
   harder to get legitimately now.

   The most rapacious consumers of the stolen address space are spammers
   trying to stay a step ahead of anti-spam blacklists. A /16 provides a
   lot of addresses to hide behind, a lot of launch pads for unwanted
   e-mail, squats for hastily-erected spamvertised websites, and attack
   points from which one can scan the Internet for misconfigured proxy
   servers -- useful for laundering even more spam. Some anti-spam
   investigators believe an underground economy exists in which a large
   block of address space is broken down and re-sold in smaller chunks
   like a boosted Acura in a chop-shop. "Money is changing hands," says
   Kai Schlichting, a veteran network engineer who tracks down stolen IP
   space in his spare time. "I wouldn't be surprised if you could sell a
   /16 for $100,000 in bits and pieces."

   Hijacking an IP block is cheap, and it bypasses conservation measures
   imposed by the regional registries: to get a large allocation legally,
   one must first demonstrate an immediate need for the space; it's not
   enough to want it. Then you have to pay the registry as much as
   $10,000 in fees. In contrast, to snake someone else's domain all the
   scamster has to do is write a letter on fake company letterhead
   changing the contact information for the allocation, or in some
   circumstances just forge an e-mail message from the owner.
   Investigators say that some hijackers have resorted to cloning an
   entire company by incorporating under a similar name.

   Kacperski, owner of the Walnut Creek, Calif. hosting company Atrivo,
   says he acquired L.A. County's space after becoming frustrated by the
   cost and bureaucracy of getting a larger block through approved
   channels. In a telephone interview, the entrepreneur admitted that the
   /16 wasn't his, but he denied taking it himself. He says he purchased
   it from a gray-market broker he met online, who claimed to have the
   right to sell the block.

   "He called it 'borrowed space,'" says Kacperski. "We ended up paying
   the person for the block and he ended up [transferring] it to us... He
   assured us there'd be no problems." The price, he claims, was a paltry
   $500, transferred through PayPal, though he was instructed to use only
   a tiny fraction of the space.

   SecurityFocus could not locate the broker. (Kacperski blames the spam,
   and other anti-social net traffic, on a single bad customer that he
   quickly cut off.)

   Regardless of who stole it, Los Angeles County quickly got its space
   back. But elsewhere the scam has intensified in recent months, with at
   least seven large allocations found newly-diverted, and countless
   other cases suspected. Last month anti-spam groups and concerned
   network operators formed a private mailing list to investigate the
   phenomenon outside the view of cyberjackers. "There's anything up to
   100 of these blocks out there on the loose," estimates Richard Cox, an
   IT forensics guru with Mandarin Technology in the U.K. "That's the
   magnitude that we're dealing with here."

   The Trafalgar House Case

   Network operators were galvanized by a particularly brazen case in
   April, when a trail of spam led to the discovery that no less than six
   /16s -- nearly 400,000 addresses -- had been misappropriated from
   Trafalgar House, a British construction and shipping conglomerate
   that's now part of Aker Kvaerner, headquartered in Norway. From the
   U.K., Cox discovered that the perpetrators conned the American
   Registry for Internet Numbers (ARIN) into changing the contact
   information for the space. One of the /16s was traced to a Dutch
   spammer, and the other five to a mysterious company called
   "Fedfinancial Corp."

   Fedfinancial managed to convince ARIN that it had been contracted to
   provide network management services for Trafalgar. ARIN won't say
   exactly how it was swindled, but registration records show the
   grifters had an authentic-looking e-mail address at a newly-minted
   "traf-infosystems.net" domain, and a genuine street address with
   matching voice and fax telephone numbers. But the phone numbers ring
   to Nevada and Offshore Business Formation, a company that sets up
   corporations for a fee, and takes orders over the Web. Public records
   show that they incorporated Fedfinancial as a Nevada corporation last
   January, on behalf of an unnamed client. The street address is also
   theirs.

   ARIN president Ray Plzak says the registry doesn't comment on specific
   cases, but acknowledged that address space hijacking is a problem. "We
   have measures in place to detect these kinds of things, and we have a
   set of procedures that we follow to verify information, and we're
   continuously looking into ways of improving that," says Plzak. "No
   procedure is ever 100% perfect, and we recognize that."

   Once the ARIN record for a block of space has been tweaked, the new
   "owner" can show it to a network access provider as proof that he has
   the right to use the addresses. Kacperski found three providers for
   his purloined L.A. County block; anyone who questioned his sudden good
   fortune was treated to a tall tale about an old friend who bequeathed
   Kacperski the mammoth space when his company went bankrupt.

   Coincidentally, one of the providers, New York-based networking firm
   nLayer, also wound up routing a /16 that another customer took from
   the Italian logistics firm Zust-Ambrosetti in January. But nLayer
   insists it's doing everything reasonable to avoid harboring
   misappropriated space. "Obviously we don't want to be routing any IP
   blocks that are potentially stolen," says an nLayer representative who
   identified himself as Richard Steenbergen. "But nothing really shows
   up as a red flag when someone is listed as a contact on the block."

   Skepticism Sought

   Anti-spammers argue that access providers should be more skeptical
   when someone comes in with a ridiculously large allocation. "If it's a
   customer connecting with T1 and walking in with a /16, or two or three
   of them, this is something that should set off some alarm bells," says
   Schlichting. But additional vigilance goes against an access
   provider's financial interest -- they make money by connecting people,
   not by turning them away.

   And until spammers discovered the technique, IP hijacking was largely
   considered a dishonest but forgivable path to acquiring old, unused
   address space belonging to defunct companies. The perpetrators were
   what the Spamhaus Project describes as "a few crufty geeks" in search
   of "cheap digs." The scam is victimless in that it normally targets
   dormant allocations that are otherwise going to waste, in many cases
   taking blocks of space that belong to defunct companies, or, like the
   Trafalgar House space, have long faded from corporate memory.

   But like the mob moving in on a neighborhood poker game, spammers have
   turned a once-harmless misdemeanor into an organized and well-funded
   scheme. Internet defenders shudder at the thought of large portions of
   the net's real-estate under the control of anonymous rogue entities.
   "There's no accountability. You don't know who really owns this
   particular address space. You have no way of finding out," says
   Schlichting. Some even worry that malefactors will go a step further,
   and begin hijacking address space that's already in active use. "This
   whole episode has identified huge weaknesses in the Internet's own
   infrastructure," says Cox. "What we've seen happen is trivial compared
   to what we've seen possible."

   For now, attention is turning to what the regional registries could or
   should do to stop the practice, and ARIN has begun reviewing old
   records for signs of chicanery. "Where we find evidence that there has
   been a fraudulent transfer... we will remove that information and try
   to go back through history, if you will, and try and find out who has
   the earliest established legitimate use of the address space," says
   Plzak. What that history might yield has some network operators
   nervous; some of the space appropriated by those "crufty geeks" has
   been stratified into legitimacy by the passage of time. This week
   network operators on the NANOG mailing list began debating whether
   benevolent squatters should be granted some kind of amnesty from the
   coming "witch hunt."

   As for Kacperski, last week he received approval from ARIN for a new
   block of space that he can rightfully call his own. "There are forms,
   there are a lot of procedures, and we had to pay $2,500... This is not
   an easy thing to do," he says. His new block is a /20, which means he
   has a little over 4,000 IP addresses for his hosting company. That's
   not bad, but it's a long fall from the heady days when he had enough
   virtual real estate to serve the City of Angels.

regards
joe

Joe Baptista - only at www.baptista.god
