IPv4 Hijacking For Idiots

Hank Nussbacher hank at efes.iucc.ac.il
Tue Jun 6 06:25:56 CST 2017

On 06/06/2017 03:20, William Herrin wrote:


Here is how I would do it:

1.  As you noted in your first email in this thread, find an abandoned
ASN, lets call it AS12345, with a POC of support at acme.com
2.  Create a domain called acme-corp.com and a user called peering
3.  Contact an IX, preferably not one in a Westernized, clueful area:
4.  Using peering at acme-corp.com, state that you are AS12345 and you wish
to join their wonderful IXP and to bring you router to their IXP for
peering purposes and to pay full membership dues.
5.  In general, not much due diligence will be done, since all Acme is
requesting is to colo their router in the same room/floor/building as
the IX and the IX is always trying to increase membership.  Not every IX
in the world is as diligent as LINX (example):
6.  In the event the IX does ask for some documentation, create a logo,
forge a few documents, create a nice corporate landing page with the
logo, etc.    Remember, the ASN hijacker will have done their homework
and shy away from clueful IXs.
7.  Pay your membership, bring your router to the IX and install it
8.  IX announces to all members about the existence of a new IX member.
9.  Major/large peers will shy away from small unknown ASNs, but there
are always many smaller IX members who are willing to peer with you
simply by sending them an email.
10.  Of the 56 IX members at clueless IX, 18 have peered with you within
a week and you have established your bona-fides.  You are now in your
way to growing your business :-)


> On Mon, Jun 5, 2017 at 6:56 AM, Ronald F. Guilmette <rfg at tristatelogic.com>
> wrote:
>> So, I guess then, if you're clever, you look and see who the ASN you've
>> just successfully hijacked has historically peered with, and then you
>> somehow arrange to send route announcements to those guys, right?
>> (I'm talking about AS206776 and AS57344 here, BTW.)
>> But see, this is where I get lost.  I mean how do you push your route
>> announcements to these guys?
> Hi Ron,
> You actually got lost a couple steps back.
> First, you want to control the POC emails for the IP addresses. Controlling
> just the POC emails for the AS number won't do you any good.
> Let's say you have gained control of the POC emails for the IP address
> block. Stay completely away from the historical BGP peers. They might know
> the real registrant and get suspicious when you show up. Go to somebody
> else, dummy up some letterhead for the purported registrant and write
> yourself a letter authorizing the ISP to whom the letter is presented to
> route those IP addresses. Explain that you're a networking contractor
> working for the organization holding the registration and give them
> adequate contact information for yourself: postal address, email, phone.
> Not "1234 Main, box 30" but "1234 Main, Suite 30". Paid for with the
> cash-bought debit card. You get the idea.
> Then you pay the ISP to connect you to the Internet and present your
> letter. Until the inevitable complaints roll it, that's it: you have
> control of those IP addresses.
>> (I don't actually know that much about
>> how BGP actually works in practice, so please bear with me.)  How do
>> you know what IP address to send your announcements to?
> You don't. Even if the session wasn't disabled when the customer stopped
> paying, you're not physically connected to the same network interface where
> it was configured. This reasoning path is a dead end.
> I've read article after article after article bemoanging the fact that
>> "BGP isn't secure",
> They're talking about a different problem: ISPs are supposed to configure
> end-user BGP sessions per BCP38 which limits which BGP announcements the
> customer can make. Some ISPs are sloppy and incompetent and don't do this.
> Unfortunately, once you're a level or two upstream the backbone ISP
> actually can't do much to limit the BGP announcements because it's often
> impractical to determine whether a block of IP addresses can legitimately
> be announced from a given peer.
> Regards,
> Bill Herrin

More information about the NANOG mailing list