On Wed, 13 Apr 2005, Radu Hociung wrote:
> If the world were to adopt IP authorization/authentication schemes like
> SPF/CSV, without removing the economic incentive for spam, the spammers would
> put pressure on the next weak point.
> I understand that it is difficult to do, but what would it take for a skilled
> hacker to steal the IP address of an otherwise well protected SMTP server and
> sell that IP to the spammers?
They've been doing it for the last 3+ years. But on a lot larger scale
than just one ip address (the largest was a /8). My site has this information at
http://www.completewhois.com/hijacked/.
BTW - the last time a new ip block was stolen (that is known to us) was 5
days ago...
> I understand also that if this were possible, it would not be a reliable
> ownership of that IP, as the internet routers would be confused as to which
> of the two machines actually owns the IP address. But from a spammer's point
> of view, an intermittent IP address is much better than no IP address at all.
> What are the technical and configuration obstacles that he would have to
> overcome?
> My connection is DSL PPPoE, and I believe it is not possible for a hacker
> behind such a setup to steal any IP, because the PPP software at the other
> end would not route any packets that don't come from my assigned IP address.
> But some connections are Ethernet over DSL. Can such a connection be used to
> hijack an IP address?
No.
> Would it be easy to hijack an IP assigned to another customer of the
> same ISP?
Only for a cable provider with a very bad and insecure setup. None of the big
ones that I know are that careless.
> Would it be easy to hijack the IP of another ISP?
> How about any arbitrary IP address?
Only with the cooperation of a large network provider who is stupid enough to
believe some forged paper. It would be discovered within hours though.
As such, spammers typically hijack unused ip addresses because it would
not be discovered quite as quickly.
> Can a cable-modem customer hijack the IP of a neighbour?
See above.
> I'm not interested in arguments why this is not likely to happen, but in
> actual scenarios that make it possible.
It requires bad guys running bgp and announcing the ip address block of somebody
else with the cooperation of their upstream provider. It used to be easier with
large providers, but they have learned and secured their provisioning process
in the last two years. The last time it happened, it involved a Brazilian rogue ISP
spammer host getting connectivity in Russia to announce part of the unused
ip block of a US company (the block was used only on their local network); the only
reason it happened was also because a large network (Telia) for some reason
did not do proper provisioning with the Russian ISP who was their client.
> The internet is not configured perfectly, there are security holes all
> over the place. What are the more or less common mistakes that network
> administrators make to allow IP address hijacking?
Nothing that they could easily do would make a difference short of watching
and monitoring how their isp or ip space is used (i.e. maintaining good
records in whois and making sure they are reachable in case of problems
so they could know if something is wrong).
--
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
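The reply above describes the hijack pattern (a rogue origin announcing somebody else's block, or a more-specific of it, through a cooperating upstream, preferring blocks the owner never announces) and says the only practical defence for the address holder is to watch how their space is used. The following is an added example, not code from either poster, of what that watching looks like in practice: a small checker that takes a list of observed BGP announcements and a registry of the blocks we hold, and flags any covered prefix that is originated by an AS other than ours, or any announcement at all of a block we hold but never route. The "prefix AS-path" line format, the registry layout, and all the sample announcements are constructed for this example (documentation prefixes from RFC 5737, documentation ASNs from RFC 5398); a real deployment would feed it routes from a looking glass or route collector instead.

```python
"""Flag announcements of our address blocks that do not come from our own AS.

Added example; not part of the original mailing-list thread. All sample data is
constructed: RFC 5737 documentation prefixes and RFC 5398 documentation ASNs.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Announcement:
    prefix: IPNetwork
    as_path: tuple          # left to right from the collector's neighbour to the origin

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]

    @property
    def upstream_as(self) -> Optional[int]:
        # The AS that accepted the rogue announcement and propagated it.
        return self.as_path[-2] if len(self.as_path) > 1 else None


@dataclass(frozen=True)
class Finding:
    kind: str               # origin-hijack | more-specific-hijack | unused-block-announced
    prefix: str
    origin_as: int
    upstream_as: Optional[int]
    covered_block: str      # the block in our registry that this announcement falls inside


def parse_announcements(text: str) -> List[Announcement]:
    """Parse constructed 'prefix AS AS ... AS' lines; '#' starts a comment."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        prefix, *path = line.split()
        out.append(Announcement(ipaddress.ip_network(prefix, strict=True),
                                tuple(int(asn) for asn in path)))
    return out


def detect_hijacks(announcements: List[Announcement],
                   owned: Dict[IPNetwork, Optional[int]]) -> List[Finding]:
    """owned maps each block we hold to the AS that legitimately originates it,
    or to None for blocks that are assigned to us but never announced."""
    findings = []
    for ann in announcements:
        for block, expected_origin in owned.items():
            if ann.prefix.version != block.version or not ann.prefix.subnet_of(block):
                continue
            if expected_origin is None:
                kind = "unused-block-announced"      # nobody should be routing this at all
            elif ann.origin_as != expected_origin:
                kind = "more-specific-hijack" if ann.prefix != block else "origin-hijack"
            else:
                continue                             # our own announcement; nothing to do
            findings.append(Finding(kind, str(ann.prefix), ann.origin_as,
                                    ann.upstream_as, str(block)))
            break
    return findings


# Constructed registry: what a careful address holder keeps alongside its whois records.
OWNED_SPACE: Dict[IPNetwork, Optional[int]] = {
    ipaddress.ip_network("192.0.2.0/24"): 64496,    # routed by our AS64496
    ipaddress.ip_network("203.0.113.0/24"): None,   # ours, used only on the LAN, never announced
}

# Constructed sample of what a route collector might show us.
SAMPLE_TABLE = """\
# prefix          AS path (origin last)
192.0.2.0/24      64510 64497 64496       # our own announcement
192.0.2.128/25    64510 64502 64499       # a more-specific from a stranger
203.0.113.0/24    64510 64503 64500       # never-announced block now originated elsewhere
198.51.100.0/24   64510 64501             # somebody else's space, not our concern
"""

if __name__ == "__main__":
    for f in detect_hijacks(parse_announcements(SAMPLE_TABLE), OWNED_SPACE):
        print(f"{f.kind:24} {f.prefix:18} origin AS{f.origin_as} via AS{f.upstream_as} "
              f"(inside {f.covered_block})")
```

The `upstream_as` field is the one you take to the phone: as the reply notes, a hijack only exists because some provider accepted the announcement, so the first complaint goes to that AS, not to the rogue origin. A real checker would run this against fresh route data on a schedule and compare against the previous run so that only new findings page someone.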