This is a continuation of Internet Address Hijacking, Spoofing, and Squatting Attacks.
Criminals use hosts connected to the Internet as traffic sources, proxies or application servers for spam, phishing and other criminal activities. These hosts are typically infected with some form of malware and are often members of a botnet. Whatever the criminals intend to use them for, these hosts need public Internet addresses. While they do have IP addresses assigned to them by public or private network administrators, criminals will often spoof traffic from these hosts using IP addresses other than the assigned ones. Either way, criminals have a strong incentive to do whatever it takes to send traffic from, and receive traffic at, hosts under their control.
As an example, consider direct-to-MX spam (Note: a summary of this and other spam techniques can be found at Spam Transmission Methods Explained). Criminals use this technique to send spam directly from infected hosts they control to the mail servers whose IP addresses are listed in mail exchange (MX) records in the DNS. The source IP addresses of direct-to-MX spam messages are quickly added to block lists such as the Composite Blocking List (CBL) and the Spamhaus Exploits Block List (XBL). Investigators use this and other information, working in cooperation with law enforcement and justice systems, to disrupt or dismantle spam botnets, or to collect reputation information about participating systems and publish it in block lists. Such activities threaten spammers’ livelihoods, so these criminals have altered their tactics to gain agility and stealth.
Rather than relying on the IP addresses that network administrators assigned to infected hosts, criminals have turned to using “someone else’s IP addresses”. Specifically, they take control of blocks of IP addresses, worm their way into the Internet routing system to announce these blocks as reachable from an injection point of their choosing, and spam from hosts to which they have assigned addresses from these blocks. Once a spam campaign is complete, they stop spamming from that injection point, withdraw the announcement from the routing system, and effectively “disappear”. This can even be done from spammer-owned and -operated systems, using network layer address space that is either unallocated or belongs to another organization.
Criminals Obtain and Use IP addresses in Several Ways
The phrase AS hijacking – or, more accurately, prefix hijacking – is applied to many scenarios in which criminals obtain and use someone else’s IP addresses in this manner. AS stands for Autonomous System: a group of IP networks operated under a single routing policy, identified in the Internet routing system by an Autonomous System Number (ASN). In certain scenarios the attackers exploit an ASN to abet the injection of routing information, and in those cases they do impersonate an AS. Labeling every unauthorized route insertion attack as an AS hijack is nevertheless inaccurate, and not merely because the phrase calls attention to the AS when the prefix is what matters. What matters to the attacker is that the inserted routing information identifies destinations reachable via an ASN. Such destinations are represented as IP prefixes, also known as CIDR blocks. In every case, the attacker’s objective is to put the IP addresses from which he intends to host criminal activity on the routing “map”, that is, to assert reachability for those addresses in the inter-domain routing system.
The term hijacking is also used too loosely. Hijacking means that a commodity is taken from its legitimate, authorized owner or registrant by an attacker, so that the legitimate party is unable to use it. In certain scenarios, i.e., where traffic that would otherwise have been routed toward the legitimate resource holder is diverted, prefix hijacking does indeed occur. However, the term is also applied in circumstances where spoofing describes the attack more accurately. The distinction matters: in the spoofing case, the legitimate holder may be advertising routes while the attacker advertises conflicting routes at the same time; in the hijacking case, the legitimate holder may not be advertising at all, or the hijack may prevent the legitimate holder from advertising routing information entirely.
Hijacking is also used incorrectly when an attacker uses ASNs or IP prefixes that are not assigned (not registered through a Regional Internet Registry, RIR) or that are assigned but dormant (not used by the registered party). Such attacks are better characterized as squatting than as spoofing or hijacking.
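The hijacking, spoofing and squatting distinctions drawn in the last two paragraphs can be turned into a mechanical check over a routing-table snapshot. The Python below is an added example, not code from the original article: the registry (`ALLOCATIONS`, `ASSIGNED_ASNS`) and the routing table (`TABLE`) are constructed from RFC 5737 documentation prefixes and RFC 5398 documentation ASNs, standing in for RIR delegation records and a BGP table dump; `classify`, `audit` and `squatted_asn` are hypothetical helper names. The labeling rules are a simplification of the text: a foreign origin announcing a more-specific prefix than the holder's wins longest-prefix match and diverts traffic, so it is labeled a hijack; a foreign origin announcing the same prefix alongside the holder's route is conflicting, so it is labeled spoofing; an allocated block with no overlapping route from its holder, or an unallocated block, is labeled squatting.

```python
import ipaddress
from dataclasses import dataclass

# Constructed, hypothetical registry standing in for RIR delegation records.
# Keys are allocated prefixes, values the ASN of the registered holder.
ALLOCATIONS = {
    "203.0.113.0/24": 64496,
    "198.51.100.0/24": 64497,
    "192.0.2.0/24": 64498,     # allocated, but the holder originates nothing in TABLE below
}
# ASNs that are registered to someone (constructed data).
ASSIGNED_ASNS = {64496, 64497, 64498, 64500, 64501, 64502}


@dataclass(frozen=True)
class Route:
    """One origin announcement as seen in a routing-table snapshot."""
    prefix: str
    origin_asn: int


def registered_holder(prefix):
    """Return (allocated_prefix, holder_asn) for the allocation covering prefix, else None."""
    net = ipaddress.ip_network(prefix, strict=False)
    for alloc, holder in ALLOCATIONS.items():
        block = ipaddress.ip_network(alloc)
        if net.version == block.version and net.subnet_of(block):
            return alloc, holder
    return None


def squatted_asn(route):
    """True when the origin ASN is not registered to anyone (ASN squatting)."""
    return route.origin_asn not in ASSIGNED_ASNS


def classify(route, table):
    """Label one route against the registry and the other routes in the table.

    Returns 'legitimate', 'hijack', 'spoof' or 'squat'.
    """
    net = ipaddress.ip_network(route.prefix, strict=False)
    alloc = registered_holder(route.prefix)
    if alloc is None:
        return "squat"                      # unallocated address space
    _, holder = alloc
    if route.origin_asn == holder:
        return "legitimate"
    # Routes the legitimate holder currently originates that overlap this prefix.
    holder_routes = [ipaddress.ip_network(r.prefix, strict=False)
                     for r in table if r.origin_asn == holder]
    overlapping = [h for h in holder_routes
                   if h.version == net.version and h.overlaps(net)]
    if not overlapping:
        return "squat"                      # allocated but dormant: the holder is not routing it
    if any(net.prefixlen > h.prefixlen for h in overlapping):
        return "hijack"                     # more-specific wins longest-prefix match; traffic diverted
    return "spoof"                          # same prefix from two origins: conflicting routes coexist


def audit(table):
    """Map every non-legitimate (prefix, origin) in the table to its label."""
    labels = {(r.prefix, r.origin_asn): classify(r, table) for r in table}
    return {k: v for k, v in labels.items() if v != "legitimate"}


# Constructed routing-table snapshot (not real BGP data).
TABLE = [
    Route("203.0.113.0/24", 64496),     # holder announcing its own block
    Route("203.0.113.128/25", 64500),   # foreign origin, more specific than the holder's route
    Route("198.51.100.0/24", 64497),    # holder announcing its own block
    Route("198.51.100.0/24", 64501),    # foreign origin, same prefix as the holder's route
    Route("192.0.2.0/24", 64502),       # allocated block whose holder is silent
    Route("2001:db8::/32", 64503),      # not covered by any allocation; ASN also unassigned
]

if __name__ == "__main__":
    for key, label in audit(TABLE).items():
        print(f"{key[0]:<20} AS{key[1]}  {label}")
```

One caveat the snapshot cannot resolve: the text's hijack case where the attack itself prevents the holder from advertising looks identical, in a single table dump, to a dormant block, and this checker labels both as squatting. Telling them apart needs history (did the holder announce this block before the foreign route appeared?) or out-of-band contact with the registrant.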
Attacks that exploit ASNs
In the articles that follow, I classify attacks that exploit ASNs for malicious activity as hijacking, spoofing, or squatting attacks. The goal of this taxonomy is to call attention to the distinguishing characteristics of each kind of attack and to identify measures that might mitigate them.