IPv4 Hijacking For Idiots

Ronald F. Guilmette rfg at tristatelogic.com
Mon Jun 5 23:17:24 CST 2017

In message <CAL9jLaZRhH8+5mD0Tgu1SdnEjG5zvxkKs+SaFFqk3FAjfnVjaw at mail.gmail.com>
Christopher Morrow <morrowc.lists at gmail.com> wrote:

>that doesn't seem to be what's happening in ron's example though...
>it looks, to me, like the example ron has is more a case of:
>  1) register contacts for lost asn (AS34991)
>  2) setup equipment/etc at an IX (bulgaria-ix it seems, at least) with
>another shill/lost-child asn (AS206776)

I'm perplexed at why you would call AS206776 a "lost child", so perhaps
you could explain that.  From where I'm sitting, it does look rather
entirely dodgy... being (allegedly) located as it is in the British
Virgin Islands, and having only been created (manufactured?) circa
2016-11-04.  But bpg.he.net is showing that it has 35 peers, and that
it is peering even with the likes of big boys like HE.net and Level3,
just to name a few.

>  3) start doing the bgps with the IX fabric's route-server

Yeabut again, I personally would like to be enlightened about the basic
mechanics of how one causes this to happen.  If I am Joe Blow criminal
and I somehow manage to finnagle my way into having a machine which is
physically present within some IX at some locale, somewhere on planet
earth, then does that mean that, by definition, I know -where- to inject
bogus routes and -how- to inject bogus routes and that I have the
-capability- in inject bogus routes into the kind of "fabric route
server" you speak of?

And by the way, I see now that I botched the Subject: for this thread
that I started.  I meant to say "IP Hijacking for Dummies".  Obviously,
this activity has become so popular that it is high time that somebody
wrote one of those "XYZ for Dummies" books, you know, with the yellow
and black covers, so that aspiring but ignorant criminals don't have to
always start from scratch and learn how to do this stuff from the ground up,
based just on piecing together little scraps and fragments of information
scattered all over the Internet.

>  4) profit (or something)

Yea.  I don't think that hijackers are doing this stuff just for fun.
But they've already figured out how to MAKE MONEY FAST from the purloined
IP space, so that part probably doesn't even need to go in the book.

>err, you'll have to better explain this I think.
>Are you saying: "get an ASN from RIR that costs 100USD" (might, probably
>this doesn't get you a peering/transit contract though...

Yea, this is a part of what I'm still mystified about.

Have AS206776 and AS57344 been paid to pass the routes given to them
by AS34991 ?  And have they been paid an extra premium, above and beyond
the normal fee for this service, you know, to look the other way and
do the old Muhammad Ali rope-a-dope and act stupid/innocent when and
if anybody ever calls them out for this rather entirely blatant and
brazen bogosity?

I've seen this movie before, and not that long ago.  And it's just not
nearly as entertaining the second time around.  The upstreams shrug and
offer the lame excuse of "Oh... well... the routes are all properly
registered in the RIPE route registry, so, you know, how could we have
possibly known that anything was amiss?"  But as I learned last time
this lame excuse was used, any baboon with a keyboard and a pulse can
get himself a RIPE account and then create all of the bogus route objects
he or she desires.  And since it took me less than a day to find out this
ludicrous but true fact last time, I have to wonder if network operators,
and particularly those in the RIPE region, are in some cases being
-willfully ignorant- of the fact that a route object's presence within
the RIPE data base has a reliability value roughly equal to that of a
three dollar bill.


P.S.  I'll be more than happy to take it upon myself... even being the
basically unknown nobody and non-network-operator that I am... to send
polite emails to both AS206776 and AS57344, asking them, as politely as
I can manage, to please explain just WTF they think they are doing.  But
if past experience from the last such event is any guide, these emails
will have no effect whatsoever.  So that leads me to ask the obvious
next question:  Is it at all likely that anybody at, say, HE.net and/or
Level3 might give enough of a damn about any of this ludicrous and clearly
malevolent bogosity so that they mught actually be inclined to have a
friendly word with the folks at AS206776 and AS57344?  And if so, how
might I get in touch with any such people (at HE and/or Level3)?

More information about the NANOG mailing list