This is a continuation of Internet Address Hijacking, Spoofing, and Squatting Attacks.
In this scenario, the attacker does not attack the RIR or registration account but instead assumes the use of an IP Prefix that is registered and actively in use by an authorized, registered entity. The attacker contrives to have the spoofed IP Prefix advertised using any of the methods described under IP Prefix Squatting. There is also a scenario where attackers announce smaller IP Prefixes to exploit the fact that BGP follows paths to the smallest (most specific) matching prefix. This is also called an IP hijack; however, the attack method does not require that the registration be hijacked as I describe here.
As is the case for AS spoofing, this attack can cause conflicting advertisements: what the attacker injects into the routing system (and where) is different from what the legitimate registrant advertises, but an attacker could topologically localize this attack so that the route injection is not intuitively or easily visible to the victim.
Figure 8. IP Prefix Spoofing
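From the registrant's side, both variants described above can be detected by comparing announcements seen at several vantage points against the registered prefix and origin AS. The sketch below is an added example, not part of the original post; the prefixes (documentation address space), AS numbers (private-use range) and collector names are constructed sample data.

```python
import ipaddress

# Constructed sample data: registered prefix -> authorized origin AS.
REGISTERED = {"198.51.100.0/24": 64500}

# (vantage point, announced prefix, origin AS) as seen by route collectors.
OBSERVED = [
    ("collector-a", "198.51.100.0/24", 64500),    # legitimate announcement
    ("collector-b", "198.51.100.0/24", 64511),    # same prefix, different origin
    ("collector-c", "198.51.100.128/25", 64511),  # smaller prefix inside the block
    ("collector-a", "203.0.113.0/24", 64502),     # unrelated prefix
]

def classify(prefix, origin, registered=REGISTERED):
    """Return a finding label for one announcement, or None if nothing to report."""
    net = ipaddress.ip_network(prefix)
    for reg_prefix, reg_origin in registered.items():
        reg_net = ipaddress.ip_network(reg_prefix)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if net.version != reg_net.version or not net.subnet_of(reg_net):
            continue
        if net == reg_net:
            return None if origin == reg_origin else "origin-conflict"
        # A more-specific route wins longest-prefix match over the registered one.
        if origin == reg_origin:
            return "more-specific-same-origin"  # may be the registrant's own deaggregation
        return "more-specific-foreign-origin"
    return None

def findings(observed=OBSERVED):
    """All announcements that conflict with the registration, with where they were seen."""
    out = []
    for vantage, prefix, origin in observed:
        kind = classify(prefix, origin)
        if kind:
            out.append((vantage, prefix, origin, kind))
    return out

def blind_spots(observed=OBSERVED, own_vantage="collector-a"):
    """Findings never visible from the registrant's own vantage point."""
    seen_here = {(p, o) for v, p, o in observed if v == own_vantage}
    return [f for f in findings(observed) if (f[1], f[2]) not in seen_here]

if __name__ == "__main__":
    for finding in findings():
        print(finding)
```

With this sample data, neither conflicting announcement is visible from `collector-a`, which is the topologically localized case: the registrant only learns of it by checking remote vantage points.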