IPv4 Hijacking For Idiots

William Herrin bill at herrin.us
Tue Jun 6 00:20:53 CST 2017

On Mon, Jun 5, 2017 at 6:56 AM, Ronald F. Guilmette <rfg at tristatelogic.com>

> So, I guess then, if you're clever, you look and see who the ASN you've
> just successfully hijacked has historically peered with, and then you
> somehow arrange to send route announcements to those guys, right?
> (I'm talking about AS206776 and AS57344 here, BTW.)
> But see, this is where I get lost.  I mean how do you push your route
> announcements to these guys?

Hi Ron,

You actually got lost a couple steps back.

First, you want to control the POC emails for the IP addresses. Controlling
just the POC emails for the AS number won't do you any good.

Let's say you have gained control of the POC emails for the IP address
block. Stay completely away from the historical BGP peers. They might know
the real registrant and get suspicious when you show up. Go to somebody
else, dummy up some letterhead for the purported registrant and write
yourself a letter authorizing the ISP to whom the letter is presented to
route those IP addresses. Explain that you're a networking contractor
working for the organization holding the registration and give them
adequate contact information for yourself: postal address, email, phone.
Not "1234 Main, box 30" but "1234 Main, Suite 30". Paid for with the
cash-bought debit card. You get the idea.

Then you pay the ISP to connect you to the Internet and present your
letter. Until the inevitable complaints roll it, that's it: you have
control of those IP addresses.

> (I don't actually know that much about
> how BGP actually works in practice, so please bear with me.)  How do
> you know what IP address to send your announcements to?

You don't. Even if the session wasn't disabled when the customer stopped
paying, you're not physically connected to the same network interface where
it was configured. This reasoning path is a dead end.

I've read article after article after article bemoanging the fact that
> "BGP isn't secure",

They're talking about a different problem: ISPs are supposed to configure
end-user BGP sessions per BCP38 which limits which BGP announcements the
customer can make. Some ISPs are sloppy and incompetent and don't do this.
Unfortunately, once you're a level or two upstream the backbone ISP
actually can't do much to limit the BGP announcements because it's often
impractical to determine whether a block of IP addresses can legitimately
be announced from a given peer.

Bill Herrin

William Herrin ................ herrin at dirtside.com  bill at herrin.us
Dirtside Systems ......... Web: <http://www.dirtside.com/>

More information about the NANOG mailing list