Address Space & AS Number Hijacking
EOF, RIPE 48, May 3 & 4, 2004
Leslie Nobile, ARIN
Leo Vegoda, RIPE NCC
RIPE 48 - EOF - 4 May 2004

Overview
- Definition
- Effects & Implications
- Historical Perspective
- Current Status
- Hijackers’ Modus Operandi
- RIR Scope of Activity
- RIR Actions
- Potential Resolutions
- Operators’ Actions

What is Hijacking?
“Unauthorised changes made to registration records or objects in the database. The Whois data then inaccurately reflects this false information and gives the illusion that the individual now has some authority over the resources.”

Effects & Implications: Operators
- Can damage your reputation
- Increases workload
- Slows response times
- Increases costs
  - Staffing
  - Time
  - Legal fees
- May create liability issues

Effects & Implications: RIRs
- Can damage your reputation
- Increases workload
- Slows response times
- Increases costs
  - Staffing
  - Time
  - Legal fees
- May create liability issues

Historical perspective
- The “Cheers”®™ phenomenon
- Where everybody knows your name…

Historical perspective
- Ask and ye shall receive…
- Jon Postel’s notebook
- IANA, SRI NIC, DoD NIC
- RIRs created
- Internet “Boom” in mid-90’s
- Things start to change…

Historical perspective: Whois Databases
- Different systems built from different models
- Registration -vs- Routing Registries
- Results:
  - Whois data duplicated between databases
  - Different database authorisation schemas
  - Different change control mechanisms

Current Status: ARIN

Status          Number   Comment
Opened          162      Reported to or discovered by ARIN
Not Validated   17       No evidence
Closed          133      Reverted to original information; Reclaimed by ARIN; Returned to ARIN by original registrant
Pending         12       Under investigation

Categories (ARIN)

Category                                  Number of Records
Legacy Class A                            1
Legacy Class B                            52
Legacy Class C                            64
ARIN Direct Assignments or Allocations    10
Autonomous Systems                        18

Current Status: RIPE NCC

Status          Number   Comment
Opened          6        Reported to or discovered by the RIPE NCC
Not Validated   2        No evidence
Closed          3        Reverted to original information, or De-registered by the RIPE NCC, or Returned to the RIPE NCC by original registrant
Pending         1        Cases remain open

Categories (RIPE NCC)

Category              Number of Records
Legacy Class A        0
Legacy Class B        0
Legacy Class C        0
PI Assignments        4
Autonomous Systems    4

Hijackers’ Modus Operandi
- Target legacy blocks in particular
- Ensure that blocks are not routed
- Search Whois for out of date contact information
- Check whether the domain has expired
  - if it’s expired, hijacker registers the domain
  - if it’s not expired, they register a similar domain
- Many of them register a company or incorporate using the name of the original registrant

RIR Scope
- Stewardship of Internet Number Resources
- Provide a public registry for the community to maintain
- Neutral and impartial
- Bottom up, consensus based policy development process

ARIN Actions
- Developed counter-hijacking procedures
- Research and document all reported or discovered hijackings
- Introduction of X.509 auth scheme
- Developed new database “status” attribute to lock down records
- Co-operating with law enforcement agencies

RIPE NCC Actions
- Created reporting address <[email protected]>
- Increased vigilance
- Take control of hijacked registrations
- Changes to request forms
- Introduction of Organisation objects
- A multitude of auth schemes
  - Deprecation of NONE auth scheme
  - Introduction of X.509 auth scheme
  - Introduction of MD5-PW auth scheme
- LIR Portal tools

RIR Co-ordination Actions
- Exchange information
- Analyse cases together
- Devise methodologies together
- Monitor and participate in “hijacked” mailing list

What Aren’t We Doing?
- Reporting all incidents to law enforcement agencies
- Disclosing investigation details to the general public

Potential Resolutions: Processes and Procedures
- Require more stringent verification data
- Revise service agreements
- Display Whois historical “change log”

Potential Resolutions: Database
- Stronger validation software
- Bi-Annual Whois data validation (Re-Registration)
- More stringent Authentication, Authorisation and Accountability

Potential Resolutions: Legacy Records
- Separate registration database for all legacy records
- Update Options:
  - No updates permitted without joining an RIR, OR
  - Validated updates within the *RLR to NS and contact records, on a fee-for-service basis
- Legacy space holders encouraged to move their records into the RIR system over time

*RLR – “Registry of Legacy Resources”

Considerations
- Legacy records
  - Pre-RIR contractual relationship?
  - Legal obligations?
  - Should maintenance fees be charged?
  - Criteria to determine user legitimacy?

What Is the Reality?
- Not all operators are aware of the problem
- Not all operators know they are vulnerable
- Most operators have registrations in an RIR database
- Registration data is provided by you
- The database is maintained by the RIRs

What Can You Do?
- Ensure Organisation, contact & registration data are accurate and up to date
  - Your customers’ records as well as your own
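
One way an operator could check their own and their customers' records for the conditions named in the Modus Operandi and RIPE NCC Actions slides (out-of-date contact data, expired contact domains, the NONE auth scheme). This is an added example, not part of the presentation; it assumes RPSL-style object text, and the sample objects, the `lapsed_domains` input and the finding labels are constructed for illustration.

```python
import re
from datetime import date, datetime

# Constructed sample objects (documentation prefixes and domains, not real data).
SAMPLE = """\
mntner:   EXAMPLE-MNT
auth:     NONE
changed:  noc@example.net 19980312

mntner:   EXAMPLE2-MNT
auth:     MD5-PW $1$constructed$placeholder
changed:  hostmaster@example.org 20040110

inetnum:  192.0.2.0 - 192.0.2.255
e-mail:   admin@example.com
mnt-by:   EXAMPLE-MNT
changed:  admin@example.com 19960501
"""

def parse(text):
    """Split RPSL-style text into objects, each a list of (attribute, value)."""
    return [[tuple(p.strip() for p in line.split(":", 1))
             for line in block.splitlines() if ":" in line]
            for block in re.split(r"\n\s*\n", text.strip()) if ":" in block]

def audit(text, lapsed_domains, today, max_age_days=730):
    """Return sorted (object key, finding) pairs. lapsed_domains is a set the
    operator supplies from their own domain-expiry checks (assumption)."""
    objects = parse(text)
    # Maintainers that still accept unauthenticated updates (auth: NONE).
    open_mnt = {o[0][1] for o in objects if o[0][0] == "mntner"
                and any(a == "auth" and v.upper() == "NONE" for a, v in o)}
    findings = set()
    for obj in objects:
        key, stamps = obj[0][1], []
        for attr, value in obj:
            if attr == "mntner" and value in open_mnt:
                findings.add((key, "auth-none"))
            elif attr == "mnt-by" and value in open_mnt:
                findings.add((key, "protected-by-open-maintainer"))
            elif attr == "e-mail" and value.rsplit("@", 1)[-1].lower() in lapsed_domains:
                findings.add((key, "contact-domain-lapsed"))
            elif attr == "changed":
                stamps.append(value.split()[-1])  # trailing YYYYMMDD
        if stamps and (today - datetime.strptime(max(stamps), "%Y%m%d").date()).days > max_age_days:
            findings.add((key, "stale-record"))
    return sorted(findings)
```

Calling `audit(SAMPLE, {"example.com"}, date(2004, 5, 4))` flags the address block on three counts and the first maintainer on two, while the password-protected, recently updated maintainer produces no finding.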