This is a continuation of Internet Address Hijacking, Spoofing, and Squatting Attacks.
Registries should consider measures to reduce attacks of these kinds against resources:
- Implement measures to protect registrant accounts against hijacking or misuse; in particular, certain measures recommended to protect domain name registration accounts against attack or misuse (SAC040) may be of equal use to RIRs.
- Insist on strong proof of registration before providing access to registration accounts to combat squatting or hijacking; in particular, do not rely on correspondence from a point of contact email address as sufficient demonstration that the sender is the legitimate registrant. Alternatively, implement a secure email (non-repudiation, authentication) capability so that registrants must digitally sign correspondence and thus provide verification of sender.
- RIRs, ICANN, and TLD registries could share information regarding changes to domain name registrations of domain names from which POC email addresses in AS or IP Prefix registrations. Use a change in registration of such a domain name as an alert to a possible squatting attack (clearly, other factors must be considered to avoid a false positive).
The community and network operators can complement these activities by implementing measures to protect the global routing system:
- Identify and share information regarding network operators who are victims of or seemingly complicit in advertising spoofed, hijacked, or squatted ASNs or IP Prefixes. Assist victimized network operators in implementing filtering/blocking fraudulent advertisements either through direct dialog or a dissemination of best practices. Bring allegedly complicit network operators to the attention of law enforcement.
- Network operators who participate in BGP routing should implement inter-domain (BGP) filters to control fraudulent or unauthorized AS and IP prefix announcements.