AS11296 -- Hijacked?

Rich Kulawiec rsk at gsp.org
Fri Oct 1 12:00:50 UTC 2010


On Thu, Sep 30, 2010 at 11:34:16PM -0700, George Bonser wrote:
> "Hijacking" of defunct resources is probably a widespread activity.

It is.  A number of individuals and entities have been involved in
tracking these over the years, and I've seen enough to figure out
that it's common because it's relatively easy, it's likely to be
undetected, it's likely to be ignored if detected, there are no
significant penalties, and even if it all goes south: it's easy
to start over and do it again.

> How much address space is being wasted in this way?

A lot.  Moreover, large chunks of address space are being wasted in this way:

	1. Spammer sets up dummy front web-hosting/ISP company.
	1a. (optional) Spammer sets up second-level dummy front.
	2. Spammer gets ARIN et al. to allocate a /20 or a /17 or whatever.
	3. Spammer uses spammer-friendly registrar to purchase
	   throwaway domains in bulk.  (Sometimes the registrar IS
	   the spammer.  Cost-effective.)
	4. Spammer populates the allocation with throwaway domains
	   and commences snowshoe spamming.
	4a. (optional) Spamming facilitates drive-by downloads, malware
	    injection, browser exploits, phishing, and other attacks.
	5. Anti-spam resources notice this and blacklist the allocation.
	   So do large numbers of individual network/system/mail admins.
	6. Return to step 1.

It's instructive to consider who profits from each of these steps.

A quick check of my (local, incomplete, barely scratch-the-surface) list
of such things includes (and I've left out smaller and larger blocks,
thus this is pretty much a snapshot of the middle of the curve):

	/16's: 25
	/17's: 20
	/18's: 47
	/19's: 73
	/20's: 99
	/21's: 88
	/22's: 105
	/23's: 198
	/24's: 3245

for a total of about 6.6 million IP addresses.  My guess is that this
is likely a few percent, at best, of the real total: it just happens
to be the set that brought itself to my attention by being sufficiently
annoying to local resources.  So I wouldn't be at all surprised to find
that the real total is in the 100M ballpark.

So I've concluded that there really isn't an IPv4 address space shortage.
Spammers have absolutely no problem getting allocation after allocation
after allocation, turning each one into scorched earth and moving on.
ARIN et al. certainly have no interest in stopping them, and ICANN only
cares about registrar profits, so there's no help coming from either
of those.

---rsk
