IPv4 Hijacking For Idiots

Ronald F. Guilmette rfg at tristatelogic.com
Tue Jun 6 02:16:38 CST 2017

In message <CAP-guGUt_JVjk0pa_ao2FGJuudun389UyAReqVhfy7Oah8eSSQ at mail.gmail.com>
William Herrin <bill at herrin.us> wrote:

>You actually got lost a couple steps back.
>First, you want to control the POC emails for the IP addresses. Controlling
>just the POC emails for the AS number won't do you any good.

Ummm... in this case there doesn't seem to be any reason to believe
that the hijacker(s) have gotten anywhere near to controlling the POC
emails for any, let alone -all- of the relevant (Colombian) IP blocks...
only the POC emails for the ASN.

But you are suggesting that they -did- get control of those, all essentially
simultaneously (or anyway sometime during the past 2 months), for all
of about five or six or seven separate and different Colombian entities.

That theory would seem to fail the Occam's razor test.  It just doesn't
seem at all likely.

>Let's say you have gained control of the POC emails for the IP address
>block. Stay completely away from the historical BGP peers. They might know
>the real registrant and get suspicious when you show up.

Good point!  I'll have to remember to put that in the book. :-)

>Go to somebody
>else, dummy up some letterhead for the purported registrant and write
>yourself a letter authorizing the ISP to whom the letter is presented to
>route those IP addresses. Explain that you're a networking contractor
>working for the organization holding the registration and give them
>adequate contact information for yourself: postal address, email, phone.
>Not "1234 Main, box 30" but "1234 Main, Suite 30". Paid for with the
>cash-bought debit card. You get the idea.

Yes.  The whole general identity theft ruse isn't that complicated to
understand.  I still don't get how these crooks managed to get past
that ocular biometric scan, but I guess the check cleared, so maybe
that goes a long way towards explaining -that- mystery. :-)

>Then you pay the ISP to connect you to the Internet and present your
>letter. Until the inevitable complaints roll in, that's it: you have
>control of those IP addresses.

I guess that I must be hopelessly naive to believe that the likes of
either Hurricane or Level3 might employ some warm body, at least part
time, to actually look for this kind of blatant gibberish, and flag
it for further inquiry when it arises.  I would volunteer to do the
job for them if they would just keep me in Cheetos.  (Cheetos are my
new favorite snack ever since last November's election. :-)

>> I've read article after article after article bemoaning the fact that
>> "BGP isn't secure",
>They're talking about a different problem: ISPs are supposed to configure
>end-user BGP sessions per BCP38 which limits which BGP announcements the
>customer can make. Some ISPs are sloppy and incompetent and don't do this.

Yea.  I kinda thought that most or all of the very public hand-wringing
over the "insecurity" of BGP was indeed about this other aspect of the
problem.  But I just wanted to be sure that I was clear in my own mind
about this.  The insecurity -isn't- that any Joe Blow can just willy-nilly
connect up to any router on the Internet and push bogus routes into it.
The insecurity is only that people/entities you know, trust, and have
actual business relationships with can (and apparently do), in many cases, 
pass goofy stuff to you, and if you are not fastidious enough about washing
up after such contacts, then you pass those bits of nonsense along to
everybody else who you have relationships with...  sort-of like chlamydia.
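
As an added illustration of the customer-session filtering Bill describes (my own example, not code from either poster), here is a small Python model of a provider vetting a customer's announcements against the blocks it is authorized to originate; the ASN and prefixes are constructed from the documentation ranges, and the policy table and function names are hypothetical.

```python
import ipaddress

# Constructed policy: what the transit provider established the customer may
# originate (e.g. from the LOA / registry check), with a max prefix length so
# the customer cannot carve out more-specifics that would beat the real origin.
# ASN 64496 and the prefixes below are documentation values, not real data.
CUSTOMER_POLICY = {
    64496: {"203.0.113.0/24": 24, "2001:db8:100::/40": 48},
}


def vet_announcement(customer_as, prefix, policy=CUSTOMER_POLICY):
    """True if `prefix` lies inside one of the customer's authorized blocks
    and is no longer than that block's permitted max length."""
    net = ipaddress.ip_network(prefix, strict=True)
    for allowed, maxlen in policy.get(customer_as, {}).items():
        block = ipaddress.ip_network(allowed)
        # Version check first: subnet_of() raises on mixed v4/v6 comparisons.
        if (net.version == block.version and net.subnet_of(block)
                and net.prefixlen <= maxlen):
            return True
    return False  # unknown AS, foreign block, or too-specific announcement


def filter_session(customer_as, announcements, policy=CUSTOMER_POLICY):
    """Split a customer session's announcements into (accepted, rejected)."""
    accepted, rejected = [], []
    for prefix in announcements:
        ok = vet_announcement(customer_as, prefix, policy)
        (accepted if ok else rejected).append(prefix)
    return accepted, rejected


def what_the_internet_sees(customer_as, announcements, first_hop_filters):
    """The thread's point in one step: only the directly connected provider
    knows the customer; if it filters, the rest of the world sees only the
    authorized prefixes, otherwise it forwards everything it was handed."""
    if first_hop_filters:
        return filter_session(customer_as, announcements)[0]
    return list(announcements)


if __name__ == "__main__":
    # Constructed session: one legitimate block, one block belonging to someone
    # else, and a too-specific slice of the legitimate block.
    announced = ["203.0.113.0/24", "198.51.100.0/24", "203.0.113.128/25"]
    print("unfiltered provider:", what_the_internet_sees(64496, announced, False))
    print("filtering provider: ", what_the_internet_sees(64496, announced, True))
```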