This is a continuation of Internet Address Hijacking, Spoofing, and Squatting Attacks.
In this scenario, the attacker determines that an IP Prefix is not registered at an RIR, or that the registration is dormant (i.e., the resource is simply not visible in the global routing system). The attack scenarios are similar to AS squatting, and again, the victim is the RIR. Here, the targeted resource is an IP Prefix. In the not-registered scenario, the attacker ignores the customary registration channels, squats on the IP Prefix, and uses it for malicious purposes. In the dormant scenario, the attacker compromises or socially engineers access to the legitimate registrant’s registration account.
The attacker doesn’t need to squat on or hijack an AS to announce the IP net block; he must, however, find a way to have the IP prefix advertised as reachable via an autonomous system. He can try any of the following attack vectors:
- Inject advertisements directly into the global routing system by establishing a BGP connection and peering with an autonomous system that doesn’t diligently screen advertisements. The injected routing information announces reachability of the squatted IP Prefix.
- Through social engineering or coercion, convince an access or transit provider to include the squatted IP Prefix in BGP advertisements. This usually occurs as a matter of implicit permit/accept policies. Here, the ISP becomes an unwitting or unwilling participant when it propagates advertisements into the global routing system.
Figure 5. IP Prefix Squatting via unwitting party
- Through collaboration or bribery, convince an access or transit provider to include the squatted IP Prefix in BGP advertisements. Here, the ISP is a willing participant when it propagates advertisements into the global routing system.
Figure 6. IP Prefix Squatting via willing party
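The provider-side defence against the "unwitting party" case above is an explicit customer import policy: accept an advertisement only when the prefix is registered to that customer, is no more specific than agreed, originates from the registered AS, and does not overlap space the registry shows as unallocated. The following is an added example of such a screen, not code from the original post; the peer AS numbers, prefixes and allocation table are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

# Constructed import policy for a hypothetical transit provider (example data,
# not real allocations). Each customer peer AS maps to the prefixes it is
# registered to announce, the most specific length allowed, and the origin AS
# the registry lists for that prefix.
CUSTOMER_PREFIX_LIST = {
    64501: [("203.0.113.0/24", 24, 64501)],
    64502: [("198.51.100.0/24", 25, 64502), ("2001:db8:100::/48", 48, 64502)],
}

# Constructed "unallocated" space: prefixes for which the operator holds no RIR
# record. An announcement overlapping these is the squatting case on this page.
UNALLOCATED = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8:ffff::/48")]


@dataclass
class Announcement:
    peer_as: int    # the BGP neighbour that sent the update
    prefix: str     # NLRI carried in the update
    origin_as: int  # last AS in the AS_PATH


def screen(ann: Announcement) -> tuple[bool, str]:
    """Return (accept, reason) for a customer-facing BGP import policy."""
    net = ipaddress.ip_network(ann.prefix, strict=False)

    # 1. Reject anything overlapping space the registry does not show as allocated.
    for unalloc in UNALLOCATED:
        if net.version == unalloc.version and net.overlaps(unalloc):
            return False, "prefix overlaps unallocated/unregistered space"

    # 2. Accept only prefixes registered to this customer, within the agreed
    #    length limit and with the registered origin AS.
    for allowed_prefix, max_len, registered_origin in CUSTOMER_PREFIX_LIST.get(ann.peer_as, []):
        parent = ipaddress.ip_network(allowed_prefix)
        if net.version == parent.version and net.subnet_of(parent):
            if net.prefixlen > max_len:
                return False, f"more specific than permitted /{max_len}"
            if ann.origin_as != registered_origin:
                return False, "origin AS does not match registered origin"
            return True, "accepted"

    # 3. Default deny: an implicit permit is what makes the ISP an unwitting party.
    return False, "prefix not registered to this customer"
```

The default-deny at the end is the point: a policy that falls through to accept is exactly the implicit permit the text describes.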