
June 2011

Address Attacks: Conclusions

This is a continuation of Internet Address Hijacking, Spoofing, and Squatting Attacks.

Criminals or miscreants need public IP addresses for the hosts they use to conduct a variety of criminal activities such as spam, phishing, or denial of service. Historically, spoofing IP addresses served these bad actors well. Techniques to detect and thwart address spoofing must improve. Classifying these methods serves to show how criminals target and victimize Regional Internet Registries or their customer-registrants. By distinguishing the attacks as well as the victims using the taxonomy described in this paper, we can better identify protective measures RIRs, registrants, and IP network operators can implement to reduce the threat of IP address attacks.



Addressing Attack Mitigation

This is a continuation of Internet Address Hijacking, Spoofing, and Squatting Attacks.

Registries should consider measures to reduce attacks of these kinds against resources:

  • Implement measures to protect registrant accounts against hijacking or misuse; in particular, certain measures recommended to protect domain name registration accounts against attack or misuse (SAC040) may be of equal use to RIRs.
  • Insist on strong proof of registration before providing access to registration accounts to combat squatting or hijacking; in particular, do not rely on correspondence from a point of contact email address as sufficient demonstration that the sender is the legitimate registrant. Alternatively, implement a secure email (non-repudiation, authentication) capability so that registrants must digitally sign correspondence and thus provide verification of sender.
  • RIRs, ICANN, and TLD registries could share information regarding changes to the registrations of domain names that appear in POC email addresses in AS or IP prefix registrations. Use a change in registration of such a domain name as an alert to a possible squatting attack (clearly, other factors must be considered to avoid a false positive).
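
The alert described in the last item, sketched as an added example that is not part of the original article: it joins a shared feed of domain registration changes against the POC email domains in AS and IP prefix registrations and lists the resources to review. The record fields, the event names, and all sample data are constructed assumptions; a hit is a prompt for manual review, not a verdict.

```python
from collections import defaultdict

# Constructed sample data: registry records (resource -> POC e-mail) and a
# feed of domain registration changes shared by a TLD registry.
REGISTRATIONS = [
    {"resource": "AS64500", "poc_email": "noc@example.net"},
    {"resource": "192.0.2.0/24", "poc_email": "Hostmaster@Mail.Example.NET"},
    {"resource": "AS64501", "poc_email": "admin@example.org"},
    {"resource": "198.51.100.0/24", "poc_email": "ops@notexample.net"},
]
DOMAIN_CHANGES = [
    {"domain": "example.net", "event": "reregistered_after_expiry", "date": "2011-06-01"},
    {"domain": "example.org", "event": "renewed", "date": "2011-06-02"},
]
# Hypothetical event types; only these suggest the domain changed hands.
SUSPICIOUS_EVENTS = {"reregistered_after_expiry", "registrant_changed"}


def email_domain(address):
    """Return the lower-cased domain part of an e-mail address, or None."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower().rstrip(".")


def covers(changed_domain, poc_domain):
    """True if poc_domain is changed_domain or a subdomain of it."""
    return poc_domain == changed_domain or poc_domain.endswith("." + changed_domain)


def squatting_alerts(registrations, changes):
    """Map each suspicious domain change to the resources whose POC depends on it."""
    alerts = defaultdict(list)
    for change in changes:
        if change["event"] not in SUSPICIOUS_EVENTS:
            continue  # e.g. a renewal by the same registrant is not a signal
        changed = change["domain"].lower().rstrip(".")
        for reg in registrations:
            domain = email_domain(reg["poc_email"])
            if domain and covers(changed, domain):
                alerts[(changed, change["event"], change["date"])].append(reg["resource"])
    return dict(alerts)


if __name__ == "__main__":
    for (domain, event, date), resources in squatting_alerts(REGISTRATIONS, DOMAIN_CHANGES).items():
        print(f"{date} {domain} {event}: review POC for {', '.join(resources)}")
```

Matching on subdomains catches POC mailboxes hosted under a re-registered parent domain, while the leading-dot comparison keeps look-alike names such as notexample.net from matching.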

The community and network operators can complement these activities by implementing measures to protect the global routing system:

  • Identify and share information regarding network operators who are victims of or seemingly complicit in advertising spoofed, hijacked, or squatted ASNs or IP prefixes. Assist victimized network operators in filtering or blocking fraudulent advertisements, either through direct dialog or through dissemination of best practices. Bring allegedly complicit network operators to the attention of law enforcement.
  • Network operators who participate in BGP routing should implement inter-domain (BGP) filters to control fraudulent or unauthorized AS and IP prefix announcements.