Botnets buying up IPv4 address space
I'd welcome comments as to solutions to this. Or is it just scaremongering?
j
---------- Forwarded message ---------- From: Lauren Weinstein <lauren@vortex.com> Date: Fri, Oct 7, 2011 at 1:31 PM
Botnets buying up IPv4 address space
http://j.mp/nMJ5Lr (Threat Post)
"Now, in one effort to get around these systems, some attackers are taking advantage of the lack of IPV4 space by either purchasing or renting blocks of IP space with good reputations that have been built up over the course of several years. A number of legitimate trading and auction sites have appeared as the IPV4 space became scarcer, and the attackers have gotten involved as well, getting their hands on known good IP blocks and using them for C&C or hosting malware."
- - -
--Lauren-- NNSquad Moderator
-- Joly MacFie 218 565 9365 Skype:punkcast WWWhatsup NYC - http://wwwhatsup.com http://pinstand.com - http://punkcast.com VP (Admin) - ISOC-NY - http://isoc-ny.org
What do you mean by "purchasing or renting IPv4"? Last time I checked it was not possible in the RIR world. If you mean "hijacking" unused IPv4 space, that's another story.
.as
On 7 Oct 2011, at 15:11, Joly MacFie wrote:
I'd welcome comments as to solutions to this. Or is it just scaremongering?
j
---------- Forwarded message ---------- From: Lauren Weinstein <lauren@vortex.com> Date: Fri, Oct 7, 2011 at 1:31 PM
Botnets buying up IPv4 address space
http://j.mp/nMJ5Lr (Threat Post)
"Now, in one effort to get around these systems, some attackers are taking advantage of the lack of IPV4 space by either purchasing or renting blocks of IP space with good reputations that have been built up over the course of several years. A number of legitimate trading and auction sites have appeared as the IPV4 space became scarcer, and the attackers have gotten involved as well, getting their hands on known good IP blocks and using them for C&C or hosting malware."
- - -
--Lauren-- NNSquad Moderator
On Oct 7, 2011, at 11:31 AM, Arturo Servin wrote:
What do you mean by "purchasing or renting IPv4"?
Last time I checked it was not possible in the RIR world.
Seriously?
http://www.networkworld.com/community/blog/microsoft-pays-nortel-75-million-...
The next phases are anger, bargaining, depression, and finally acceptance.
Regards, -drc
Yes, I forgot that one. ARIN and APNIC allow it; LACNIC will when it reaches the last /12 (so it is not possible now). RIPE NCC and AfriNIC do not have a policy yet, AFAIK.
-as
On 7 Oct 2011, at 15:35, David Conrad wrote:
On Oct 7, 2011, at 11:31 AM, Arturo Servin wrote:
What do you mean by "purchasing or renting IPv4"?
Last time I checked it was not possible in the RIR world.
Seriously?
http://www.networkworld.com/community/blog/microsoft-pays-nortel-75-million-...
The next phases are anger, bargaining, depression, and finally acceptance.
Regards, -drc
Arturo,
On Fri, Oct 7, 2011 at 8:59 PM, Arturo Servin <arturo.servin@gmail.com> wrote:
ARIN and APNIC allow it; LACNIC will when it reaches the last /12 (so it is not possible now). RIPE NCC and AfriNIC do not have a policy yet, AFAIK.
RIPE's LIR IPv4 listing service has 1x /20 listed, *right now*. https://www.ripe.net/lir-services/resource-management/listing
Regards, Martin
Thanks, I didn't know that one. I followed the link to "IPv4 Address Allocation and Assignment Policies for the RIPE NCC Service Region" and it seems a good and simple approach.
Regards, .as
On 9 Oct 2011, at 10:16, Martin Millnert wrote:
Arturo,
On Fri, Oct 7, 2011 at 8:59 PM, Arturo Servin <arturo.servin@gmail.com> wrote:
ARIN and APNIC allow it; LACNIC will when it reaches the last /12 (so it is not possible now). RIPE NCC and AfriNIC do not have a policy yet, AFAIK.
RIPE's LIR IPv4 listing service has 1x /20 listed, *right now*. https://www.ripe.net/lir-services/resource-management/listing
Regards, Martin
* Martin Millnert
RIPE's LIR IPv4 listing service has 1x /20 listed, *right now*.
I wonder if that one was listed by mistake. The prefix in question, 128.0.16.0/20, was assigned to NetWave Ltd. by the NCC last Tuesday. If it isn't a mistake, I wonder how they justified obtaining the prefix in the first place.
-- Tore Anderson Redpill Linpro AS - http://www.redpill-linpro.com
Maybe we should just allow this to go on until all IPv4 space is so polluted that no-one wants to use it anymore :-)
"Bad Reputation as an IPv6 Transition Driver"
Nice title for a PPT deck...
On Mon, Oct 10, 2011 at 4:23 AM, Tore Anderson <tore.anderson@redpill-linpro.com> wrote:
* Martin Millnert
RIPE's LIR IPv4 listing service has 1x /20 listed, *right now*.
I wonder if that one was listed by mistake. The prefix in question, 128.0.16.0/20, was assigned to NetWave Ltd. by the NCC last Tuesday. If it isn't a mistake, I wonder how they justified obtaining the prefix in the first place.
-- Carlos M. Martinez-Cagnazzo http://www.labs.lacnic.net
And I suppose the bad guys who are out there gaming RIPE etc. policies are not touching v6 with a bargepole? Or are they stockpiling massive amounts of v6 space?
On Wed, Oct 12, 2011 at 10:31 PM, Carlos Martinez-Cagnazzo <carlosm3011@gmail.com> wrote:
Maybe we should just allow this to go on until all IPv4 space is so polluted that no-one wants to use it anymore :-)
"Bad Reputation as an IPv6 Transition Driver"
-- Suresh Ramasubramanian (ops.lists@gmail.com)
I don't buy the "bad-guys-rig-policies" thing... but well, I could be wrong.
But regarding your second comment, yes, I do believe that bad guys take the path of least resistance whenever possible. At some point IPv6 will look attractive to them and they will start using it. My logs show that I get spam over IPv6, so some bad guys might be already doing it.
cheers! Carlos
On Wed, Oct 12, 2011 at 3:26 PM, Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
And I suppose the bad guys who are out there gaming RIPE etc policies are not touching v6 with a bargepole?
Or are they stockpiling massive amounts of v6 space?
On Wed, Oct 12, 2011 at 10:31 PM, Carlos Martinez-Cagnazzo <carlosm3011@gmail.com> wrote:
Maybe we should just allow this to go on until all IPv4 space is so polluted that no-one wants to use it anymore :-)
"Bad Reputation as an IPv6 Transition Driver"
On 2011-10-12 19:34 , Carlos Martinez-Cagnazzo wrote:
I don't buy the "bad-guys-rig-policies" thing... but well, I could be wrong.
Rigging is not the right name for it, which is why the original message stated 'gaming', which is quite accurate. You just set up an official (shell) company and thus get official papers for it, and with that you go to RIPE NCC (or any other RIR or LIR) and request a new chunk of address space just like every other organization is able to do. Nothing much that RIPE NCC can do about it, as all the paperwork will check out just fine, and they will generally even pay the fees as well; they are making money off it. [..]
My logs show that I get spam over IPv6, so some bad guys might be already doing it.
Spam will come over every path possible. If a compromised machine has IPv6, it will thus also come over IPv6 if your MXs are reachable over it.
Just repeat: Long live SpamAssassin ;)
Greets, Jeroen
On 10/7/11 11:31, Arturo Servin wrote:
What do you mean by "purchasing or renting IPv4"?
Last time I checked it was not possible in the RIR world.
If you're not a legitimate business why would you bother with commonly accepted policy?
If you mean "hijacking" unused IPv4 space, that's another story.
The post fails entirely to cite actual examples, then goes off into the weeds on domain name reputation.
.as
On 7 Oct 2011, at 15:11, Joly MacFie wrote:
I'd welcome comments as to solutions to this. Or is it just scaremongering?
j
---------- Forwarded message ---------- From: Lauren Weinstein <lauren@vortex.com> Date: Fri, Oct 7, 2011 at 1:31 PM
Botnets buying up IPv4 address space
http://j.mp/nMJ5Lr (Threat Post)
"Now, in one effort to get around these systems, some attackers are taking advantage of the lack of IPV4 space by either purchasing or renting blocks of IP space with good reputations that have been built up over the course of several years. A number of legitimate trading and auction sites have appeared as the IPV4 space became scarcer, and the attackers have gotten involved as well, getting their hands on known good IP blocks and using them for C&C or hosting malware."
- - -
--Lauren-- NNSquad Moderator
On Oct 7, 2011, at 1:31 PM, Arturo Servin wrote:
What do you mean by "purchasing or renting IPv4"?
Last time I checked it was not possible in the RIR world.
Nevertheless, it is possible in the real world.
On 7 Oct 2011, at 15:11, Joly MacFie wrote:
I'd welcome comments as to solutions to this. Or is it just scaremongering? ... Botnets buying up IPv4 address space
http://j.mp/nMJ5Lr (Threat Post)
Domain names, IP addresses, network connectivity, etc. - all of these are resources that people can acquire, (mis)use, and replace. The fact that reputation systems often conflate people and their (impermanent) resources is unfortunate, and is the source of much operational pain.
I don't see anything new in the article, and would classify parts of it as scaremongering. (e.g. the criticism of IPv6)
Cheers, -Benson
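One defensive consequence of the conflation Benson describes, as an added example (not code from the thread, from any RIR, or from any reputation provider): a scorer that counts only history accrued under a block's current holder, so a clean record inherited from a previous holder is not carried over, and a freshly transferred block stays "unproven" rather than "trusted". The allocation records, observations and holder names are constructed; the prefixes are RFC 5737 documentation ranges.

```python
"""Reputation that follows the address holder, not the block (added example,
not code from the thread or any RIR). All records below are constructed;
prefixes are RFC 5737 documentation ranges, holder names are invented."""
from dataclasses import dataclass
from datetime import date
from ipaddress import IPv4Address, IPv4Network

@dataclass(frozen=True)
class Allocation:
    prefix: IPv4Network
    holder: str          # constructed organisation name
    assigned: date       # date the current holder received the block

@dataclass(frozen=True)
class Observation:
    ip: IPv4Address
    when: date
    abusive: bool        # True if the address was seen sourcing abuse

def share_good(obs):
    """Fraction of non-abusive observations, or None if there are none."""
    if not obs:
        return None
    return sum(1 for o in obs if not o.abusive) / len(obs)

def address_reputation(alloc, observations):
    """Naive score: every observation ever made inside the block counts,
    so a clean history built by a previous holder is inherited by the next."""
    return share_good([o for o in observations if o.ip in alloc.prefix])

def holder_reputation(alloc, observations):
    """Tenure-aware score: only observations made since the current
    assignment count; earlier ones describe a different holder."""
    return share_good([o for o in observations
                       if o.ip in alloc.prefix and o.when >= alloc.assigned])

def verdict(alloc, observations, today, min_days=30, min_obs=5):
    """Trust level under the current holder: a freshly assigned block with
    little history is 'unproven', however clean the range looked before."""
    recent = [o for o in observations
              if o.ip in alloc.prefix and o.when >= alloc.assigned]
    if (today - alloc.assigned).days < min_days or len(recent) < min_obs:
        return "unproven"
    return "trusted" if share_good(recent) >= 0.9 else "suspect"

# Constructed data: a /24 that looked clean for most of 2011, changed
# hands on 4 Oct 2011, and was then seen sourcing abuse within days.
NEW_HOLDER = Allocation(IPv4Network("192.0.2.0/24"), "example-new-holder", date(2011, 10, 4))
OLD_HOLDER = Allocation(IPv4Network("192.0.2.0/24"), "example-old-holder", date(2011, 1, 1))
TODAY = date(2011, 10, 12)
OBSERVATIONS = [
    Observation(IPv4Address("192.0.2.10"), date(2011, 1, 10), abusive=False),
    Observation(IPv4Address("192.0.2.20"), date(2011, 3, 5), abusive=False),
    Observation(IPv4Address("192.0.2.30"), date(2011, 5, 12), abusive=False),
    Observation(IPv4Address("192.0.2.40"), date(2011, 7, 1), abusive=False),
    Observation(IPv4Address("192.0.2.60"), date(2011, 10, 8), abusive=True),
    Observation(IPv4Address("192.0.2.70"), date(2011, 10, 9), abusive=True),
    # an address outside the block must not influence its score
    Observation(IPv4Address("198.51.100.5"), date(2011, 10, 9), abusive=True),
]

if __name__ == "__main__":
    print(address_reputation(NEW_HOLDER, OBSERVATIONS), holder_reputation(NEW_HOLDER, OBSERVATIONS))
    print(verdict(OLD_HOLDER, OBSERVATIONS, TODAY), verdict(NEW_HOLDER, OBSERVATIONS, TODAY))
```

The address-based score for the transferred block is 4/6 while the holder-based score is 0.0; the same observations yield "suspect" when attributed to the long-standing holder and "unproven" for the new one.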
I agree with Benson.
In fact, for this "problem" I find it irrelevant that IPv4 is running out. They are just looking for good-reputation IP nodes.
-as
On 7 Oct 2011, at 16:03, Benson Schliesser wrote:
I don't see anything new in the article, and would classify parts of it as scaremongering. (e.g. the criticism of IPv6)
If not short-lived, then at least self-limiting.
--Richard
On Fri, Oct 7, 2011 at 3:15 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
On Fri, Oct 7, 2011 at 3:10 PM, Arturo Servin <arturo.servin@gmail.com> wrote:
I agree with Benson.
In fact, for this "problem" I find it irrelevant that IPv4 is running out. They are just looking for good-reputation IP nodes.
isn't this a short-lived problem then?
* Christopher Morrow:
On Fri, Oct 7, 2011 at 3:10 PM, Arturo Servin <arturo.servin@gmail.com> wrote:
I agree with Benson.
In fact, for this "problem" I find it irrelevant that IPv4 is running out. They are just looking for good-reputation IP nodes.
isn't this a short-lived problem then?
IPv4 addresses will never run out in a strict sense of the word, it will just become increasingly more difficult to reassign IPv4 address space to those who need it.
On Sat, Oct 8, 2011 at 11:14 AM, Florian Weimer <fw@deneb.enyo.de> wrote:
IPv4 addresses will never run out in a strict sense of the word, it will just become increasingly more difficult to reassign IPv4 address space to those who need it.
And hopefully... the greater the address space "pressure" or contention there is for IPv4 address resources, the more strongly organizations will feel compelled towards swapping over to IPv6 :)
-- -JH
On Sat, Oct 8, 2011 at 6:14 PM, Florian Weimer <fw@deneb.enyo.de> wrote:
IPv4 addresses will never run out in a strict sense of the word, it will just become increasingly more difficult to reassign IPv4 address space to those who need it.
If by difficult you mean expensive, then I agree.
Regards, Martin
On 10/9/11 05:10, Martin Millnert wrote:
On Sat, Oct 8, 2011 at 6:14 PM, Florian Weimer <fw@deneb.enyo.de> wrote:
IPv4 addresses will never run out in a strict sense of the word, it will just become increasingly more difficult to reassign IPv4 address space to those who need it.
If by difficult you mean expensive, then I agree.
There are several kinds of transactional friction; some are easily denominated in dollars,
Regards, Martin
Arturo,
On Oct 7, 2011, at 12:10 PM, Arturo Servin wrote:
In fact, for this "problem" I find it irrelevant that IPv4 is running out. They are just looking for good-reputation IP nodes.
I suspect it is relevant to IPv4 because IPv6 has so little penetration. It probably doesn't matter if you have a good reputation on IPv6...
Regards, -drc
On Fri, Oct 7, 2011 at 2:11 PM, Joly MacFie <joly@punkcast.com> wrote:
Botnets buying up IPv4 address space
http://j.mp/nMJ5Lr (Threat Post)
I'd welcome comments as to solutions to this. Or is it just scaremongering?
Joly,
The author has drawn a relationship between a lot of unrelated things. Hackers and spammers "rent" IP addresses all the time, and have done so for two decades. It's called, "Here's my money for colo hosting service and I need some IP addresses to go along with it." Nothing has changed as a result of IPv4 depletion.
Botnets are hacked machines. They come with their own IP addresses scattered about the globe and don't require any particular source. No relation to IPv4 depletion and only tangentially related to the "bulletproof hosting" that supplies IP addresses for the C&C servers.
As for auctioning IP blocks, my experience is that hackers don't bother. If they want IP addresses beyond what the colo provider offers, they steal them: find a block of addresses not routed on the public Internet and forge LoAs they present to their ISP. They're going to lose them anyway, so why bother paying money?
Regards, Bill Herrin
-- William D. Herrin herrin@dirtside.com bill@herrin.us 3005 Crane Dr. Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
On Fri, Oct 7, 2011 at 3:32 PM, William Herrin <bill@herrin.us> wrote:
As for auctioning IP blocks, my experience is that hackers don't bother. If they want IP addresses beyond what the colo provider offers, they steal them: find a block of addresses not routed on the public Internet and forge LoAs they present to their ISP. They're going to lose them anyway, so why bother paying money?
a la: 146.20.0.0?
On Fri, Oct 7, 2011 at 1:11 PM, Joly MacFie <joly@punkcast.com> wrote:
I'd welcome comments as to solutions to this. Or is it just scaremongering?
Probably scaremongering... but it does raise an interesting thought.
It provides another argument why RIRs don't need to abandon justified need as a mandatory criterion for transferring addresses to specified recipients out of fear that legacy and other holders will engage in "unofficial" sales and transfers that they intentionally fail to record via WHOIS.
The legacy holder/unofficial transferor would be putting the reputation of their entire address block, and their other allocations, at risk; if the buyer eventually hands some of the unofficial allocation to a spammer, either by accident or intentionally, it doesn't matter.
The holder of addresses that unofficially transferred them could have some major headaches, including service-affecting headaches to their network... just to sell spare IP addresses faster for a few extra bucks, when there is a legitimate process available that doesn't have that risk?
j -- -JH
The important outcome is that transfers are documented. Making it easier for sellers to update Whois (so it points to the buyer) will encourage documentation. If "needs justification" is ever a disincentive to update Whois, then it will discourage documentation.
Granted, a seller that doesn't update Whois should be more worried about the reputation of the buyer. But regardless, it is incorrect to assume that "needs justification" will prevent bad actors from acquiring address blocks. Even bad actors can justify their need, and some of them might even (*gasp*) lie about it in order to get what they want. The result would look like a normal transfer (with justified need, a Whois update, etc.) and yet would result in a bad actor becoming an address holder.
Cheers, -Benson
On Oct 7, 2011, at 6:08 PM, Jimmy Hess wrote:
On Fri, Oct 7, 2011 at 1:11 PM, Joly MacFie <joly@punkcast.com> wrote:
I'd welcome comments as to solutions to this. Or is it just scaremongering?
Probably scaremongering... but it does raise an interesting thought.
It provides another argument why RIRs don't need to abandon justified need as a mandatory criterion for transferring addresses to specified recipients out of fear that legacy and other holders will engage in "unofficial" sales and transfers that they intentionally fail to record via WHOIS.
The legacy holder/unofficial transferor would be putting the reputation of their entire address block, and their other allocations, at risk; if the buyer eventually hands some of the unofficial allocation to a spammer, either by accident or intentionally, it doesn't matter.
The holder of addresses that unofficially transferred them could have some major headaches, including service-affecting headaches to their network... just to sell spare IP addresses faster for a few extra bucks, when there is a legitimate process available that doesn't have that risk?
j -- -JH
On Fri, Oct 7, 2011 at 6:47 PM, Benson Schliesser <bensons@queuefull.net> wrote:
Granted, a seller that doesn't update Whois should be more worried about the reputation of the buyer. But regardless, it is incorrect to assume that "needs justification" will prevent bad actors from acquiring address blocks. Even bad actors can justify their need, and some of them might even (*gasp*) lie about it in order to get what they want. The result would look like a normal transfer (with justified need, a Whois update, etc) and yet would result in a bad actor becoming an address holder.
Yes.... I completely concede that some bad actors will get all the addresses they want and more, in massive numbers, and will continue to manage to get new addresses to play with, conveniently, as soon as their existing ones are blacklisted.
I believe they already get all the addresses they want inexpensively, through lying to others or through illicit routing advertisements, and IPv4 exhaustion will make it harder/more expensive for the bad actors to "legitimately" get addresses that "look ok", from the point of view of actually receiving the assignment, or of the bad actor announcing address space "nobody will notice".
Address exhaustion simply ultimately means there are a lot fewer addresses for bad actors to play with; and they will be competing for scarce IP addresses against legitimate businesses, resulting in higher costs for bad actors attempting to utilize legitimate channels.
My suggestion is that the right solution is not to try to prevent bad actors from getting addresses, but that the solution is for the bad actors to get de-peered.
Cheers, -Benson -- -JH
On Oct 7, 2011, at 4:47 PM, Benson Schliesser wrote:
The important outcome is that transfers are documented. Making it easier for sellers to update Whois (so it points to the buyer) will encourage documentation. If "needs justification" is ever a disincentive to update Whois, then it will discourage documentation.
Granted, a seller that doesn't update Whois should be more worried about the reputation of the buyer. But regardless, it is incorrect to assume that "needs justification" will prevent bad actors from acquiring address blocks. Even bad actors can justify their need, and some of them might even (*gasp*) lie about it in order to get what they want. The result would look like a normal transfer (with justified need, a Whois update, etc) and yet would result in a bad actor becoming an address holder.
True, however, the existence of bad actors encourages documentation even if one needs to comply with needs basis, which has many other benefits to the community.
Documentation is NOT the highest single purpose of ARIN and eliminating community-developed policy in favor of some mythical incentive towards documentation. Indeed, there is actually no evidence to support the theory that organizations that transfer outside of needs basis would choose to document those transfers through ARIN even if that requirement were removed.
Likely, if we removed needs basis, we would see the same level of undocumented transfers, but with the added detriments of speculative address hoarding, higher artificial valuations of integers, etc.
Owen
Cheers, -Benson
On Oct 7, 2011, at 6:08 PM, Jimmy Hess wrote:
On Fri, Oct 7, 2011 at 1:11 PM, Joly MacFie <joly@punkcast.com> wrote:
I'd welcome comments as to solutions to this. Or is it just scaremongering?
Probably scaremongering... but it does raise an interesting thought.
It provides another argument why RIRs don't need to abandon justified need as a mandatory criterion for transferring addresses to specified recipients out of fear that legacy and other holders will engage in "unofficial" sales and transfers that they intentionally fail to record via WHOIS.
The legacy holder/unofficial transferor would be putting the reputation of their entire address block, and their other allocations, at risk; if the buyer eventually hands some of the unofficial allocation to a spammer, either by accident or intentionally, it doesn't matter.
The holder of addresses that unofficially transferred them could have some major headaches, including service-affecting headaches to their network... just to sell spare IP addresses faster for a few extra bucks, when there is a legitimate process available that doesn't have that risk?
j -- -JH