LeslieNobile

Leo Vegoda

RIPE 48 - EOF – 4 May 20041

Address Space & AS Number Hijacking

EOF, RIPE 48May 3 & 4, 2004

Leslie Nobile, ARINLeo Vegoda, RIPE NCC

2 RIPE 48 - EOF - 4 May 2004

OverviewDefinitionEffects & ImplicationsHistorical PerspectiveCurrent StatusHijackers’ Modus OperandiRIR Scope of ActivityRIR ActionsPotential ResolutionsOperators’ Actions

3 RIPE 48 - EOF - 4 May 2004

4 RIPE 48 - EOF - 4 May 2004

What is Hijacking?“Unauthorised changes made to registration records or objects in the database. The Whois data then inaccurately reflects this false information and gives the illusion that the individual now has some authority over the resources.”

5 RIPE 48 - EOF - 4 May 2004

Effects & ImplicationsOperators

Can damage your reputationIncreases workloadSlows response times Increases costs

StaffingTimeLegal fees

May create liability issues

6 RIPE 48 - EOF - 4 May 2004

Effects & ImplicationsRIRs

Can damage your reputationIncreases workloadSlows response times Increases costs

StaffingTimeLegal fees

May create liability issues

7 RIPE 48 - EOF - 4 May 2004

Historical perspectiveThe “Cheers”®™ phenomenonWhere everybody knows your name…

8 RIPE 48 - EOF - 4 May 2004

Historical perspectiveAsk and ye shall receive… John Postel’s notebookIANA, SRI NIC, DoD NIC RIRs createdInternet “Boom” in mid-90’sThings start to change…

9 RIPE 48 - EOF - 4 May 2004

Historical perspectiveWhois Databases

Different systems built from different modelsRegistration -vs- Routing RegistriesResults:

Whois data duplicated between databasesDifferent database authorisation schemasDifferent change control mechanisms

10 RIPE 48 - EOF - 4 May 2004

Now…Big businessHighly commercialised

11 RIPE 48 - EOF - 4 May 2004

Current StatusARIN

Status Number Comment

Opened 162 Reported to or discovered by ARIN

Not Validated

17 No evidence

Closed 133 Reverted to original informationReclaimed by ARINReturned to ARIN by original registrant

Pending 12 Under investigation

12 RIPE 48 - EOF - 4 May 2004

CategoriesCategory Number of Records

Legacy Class A 1

Legacy Class B 52

Legacy Class C 64

ARIN Direct Assignments or Allocations

10

Autonomous Systems 18

13 RIPE 48 - EOF - 4 May 2004

Current StatusRIPE NCC

Status Number Comment

Opened 6 Reported to or discovered by the RIPE NCC

Not Validated

2 No evidence

Closed 3 Reverted to original information, orDe-registered by the RIPE NCC, orReturned to the RIPE NCC by original registrant

Pending 1 Cases remain open

14 RIPE 48 - EOF - 4 May 2004

Categories

Category Number of Records

Legacy Class A 0

Legacy Class B 0

Legacy Class C 0

PI Assignments 4

Autonomous Systems 4

15 RIPE 48 - EOF - 4 May 2004

Hijackers’ Modus OperandiTarget legacy blocks in particularEnsure that blocks are not routedSearch Whois for out of date contact informationCheck whether the domain has expired

if it’s expired, hijacker registers the domainif it’s not expired, they register a similar domain

Many of them register a company or incorporate using the name of the original registrant

16 RIPE 48 - EOF - 4 May 2004

RIR ScopeStewardship of Internet Number ResourcesProvide a public registry for the community to maintainNeutral and impartialBottom up, consensus based policy development process

17 RIPE 48 - EOF - 4 May 2004

Out of RIR ScopeCannot guarantee routabilityCannot police the network

18 RIPE 48 - EOF - 4 May 2004

RIR Actions

19 RIPE 48 - EOF - 4 May 2004

ARIN Actions

Developed counter-hijacking proceduresResearch and document all reported or discovered hijackingsIntroduction of X.509 auth schemeDeveloped new database “status” attribute to lock down recordsCo-operating with law enforcement agencies

20 RIPE 48 - EOF - 4 May 2004

RIPE NCC ActionsCreated reporting address <reg-review@ripe.net>Increased vigilanceTake control of hijacked registrationsChanges to request formsIntroduction of Organisation objectsA multitude of auth schemes

Deprecation of NONE auth schemeIntroduction of X.509 auth schemeIntroduction of MD5-PW auth schemeLIR Portal tools

21 RIPE 48 - EOF - 4 May 2004

RIR Co-ordination Actions

Exchange informationAnalyse cases togetherDevise methodologies togetherMonitor and participate in “hijacked” mailing list

22 RIPE 48 - EOF - 4 May 2004

What Aren’t We Doing?

Reporting all incidents to law enforcement agenciesDisclosing investigation details to the general public

23 RIPE 48 - EOF - 4 May 2004

Potential ResolutionsProcesses and Procedures

Require more stringent verification dataRevise service agreementsDisplay Whois historical “change log”

24 RIPE 48 - EOF - 4 May 2004

Potential ResolutionsDatabase

Stronger validation softwareBi-Annual Whois data validation(Re-Registration)More stringent Authentication, Authorisation and Accountability

25 RIPE 48 - EOF - 4 May 2004

Potential ResolutionsLegacy Records

Separate registration database for all legacy recordsUpdate Options:

No updates permitted without joining an RIR, ORValidated updates within the *RLR to NS and contact records, on a fee-for-service basis

Legacy space holders encouraged to move their records into the RIR system over time

*RLR – “Registry of Legacy Resources”

26 RIPE 48 - EOF - 4 May 2004

Considerations

Legacy recordsPre-RIR contractual relationship?Legal obligations?Should maintenance fees be charged?Criteria to determine user legitimacy?

27 RIPE 48 - EOF - 4 May 2004

What Is the Reality?Not all operators are aware of the problemNot all operators know they are vulnerableMost operators have registrations in an RIR databaseRegistration data is provided by youThe database is maintained by the RIRs

28 RIPE 48 - EOF - 4 May 2004

What Can You Do?

Ensure Organisation, contact & registration data are accurate and up to date

Your customers’ records as well as your own

29 RIPE 48 - EOF - 4 May 2004

Questions?