Hackers Buying IPv4 Blocks To Evade Detection
Trailrunner7 writes "The number of IP addresses required for large scale botnets to operate effectively can be considerable, and finding large IP blocks to use for them can be difficult. If the botnet operators do find them, the IP addresses often are blacklisted quickly by reputation systems and are then useless for the attackers. Now, in one effort to get around these systems, some attackers are taking advantage of the lack of IPv4 space by either purchasing or renting blocks of IP space with good reputations that have been built up over the course of several years. A number of legitimate trading and auction sites appeared as the IPv4 space became scarcer, and the attackers have gotten involved as well, getting their hands on known good IP blocks and using them for C&C or hosting malware."
IPv4 should be dead already (Score:2)
>legitimate trading and auction sites
Well, that's got to wreak havoc on routing tables.
Re: (Score:2)
IPv4 will stay alive for a very long time [in-other-news.com]
If IPv6 would have been designed better, IPv4 would be dead by now... but here we are.
Re: (Score:1)
Hmmmm, either this is very interesting and insightful, or it is short-sighted and missing tons of details; but I don't know that much about IPv6 to tell.
It's online, patent it! (Score:3)
Re: (Score:2)
Oh my goodness, you mean blacklists don't work? My oh my, I don't think anybody ever thought of that before...
Re: (Score:2)
FTFA: "The bad guys can buy or rent these as well, getting inside known good IP blocks so that the reputation systems don't blacklist them as quickly." Criminals establish "safe houses" in nice neighborhoods. Film at eleven.
Besides, these cat-and-mouse games aren't going to stop the widespread, automated compromises of Windows systems that make botnets possible in the first place. It also won't eliminate the average users' notion that security must always be someone else's problem, that they don't need to learn a few basic things that would make them much harder targets (particularly for trojans and other user-assisted exploits).
Inconvenient though it may sometimes seem, we need to look at the cause-and-effect and address
Re: (Score:1)
Oh horseshit. Microsoft makes ease-of-use its focus because that is what its customers want. Does your house come with a warning that trimming the shrubs is required, and if they grow too large it is bad for security? Does the home builder bear liability if someone hides behind the shrub, breaks a window and gets in? Does the homeowner? No to all of those - the only one we hold responsible is the person who broke in. And why single out Microsoft for liability? If Microsoft is liable, why aren't all
Re: (Score:3)
Oh horseshit. Microsoft makes ease-of-use its focus because that is what its customers want. Does your house come with a warning that trimming the shrubs is required, and if they grow too large it is bad for security? Does the home builder bear liability if someone hides behind the shrub, breaks a window and gets in? Does the homeowner? No to all of those - the only one we hold responsible is the person who broke in. And why single out Microsoft for liability? If Microsoft is liable, why aren't all software vendors (including FOSS)? Equal justice and all that.
Most people think like you do: childishly. They will pass up an available, doable solution that will work because it might mean a slight bit more effort for users and might not fulfill their visceral desire to feel the gratification of hanging the black-hats by their toes. I know exactly how you think. Anything that doesn't give users streets paved with gold and their every heart's desire while simultaneously torturing the evil hackers to death would be ... UNFAIR. That makes it against your religion, a
Re: (Score:2)
I think you might have trouble finding 50,000 actual working installations of QNX with internet connections. The simple point being that Windows is by far and large the largest target. No one in their right mind is going to waste time developing a botnet on the small potatoes like QNX, VAX, or Mac.
Re: (Score:2)
Newsflash - Windows boxes are a lot harder to infect these days. In fact, the vast majority
Re: (Score:2)
Newsflash - Windows boxes are a lot harder to infect these days. In fact, the vast majority of compromises don't happen because you connected a Windows box to the Internet. They happen because the user browses to some website, and either a drive-by download happens and installs malware (either through a compromised website, or through a compromised ad network), or they run an attachment because the email says to.
I didn't really consider it relevant at the time, but consider the majority of the Windows userbase. They tend to not only be ignorant about technical matters, but they work hard to stay that way and will resent the notion that this should gradually change as they acquire experience. I call them permanent newbies. They're the people who can use computers for seven years and still remain as ignorant now as they were when they first started. They want to learn the basics of how their computers work about
Re: (Score:2)
A lot of users just see the computer as utility like a cooker or television. They just expect to be able to press a button to do a particular task and have that task complete.
It's a royal pain-in-the-ass when they want to open a file sent by a friend (dancing pig emoticons for E-mail, let alone a zip file) and the PC then tells them that they need to download or purchase XYZ application to view that file. So off they go to start up a browser, search for that file data type, find the application website, cli
C&C? (Score:4, Funny)
Why would hackers still be playing Command and Conquer?
Re: (Score:2)
That's three states but two bits produces four states, so there must be a base not covered.
Re: (Score:1)
I don't know.
THIRD BASE!
Re: (Score:2)
Nonononono. If you say you don't know, you should be catapulted from the bridge.
Re: (Score:2)
Either ways, I should have all my bases covered?
No. They are belong to us.
Re: (Score:2)
Heh! I still play Bell&Braben-era Elite and occasionally indulge in a round of Chuckie Egg, so yes I do know that. :)
Re: (Score:1)
Hackers, or Criminals? (Score:1)
I think you mean criminals.
Re: (Score:3)
I think you mean criminal hackers. I'll give you that they're not synonymous, but they're not mutually exclusive either.
Re: (Score:2)
You know, we're not going to defeat the word problem. "Retarded" is a perfectly correct word as is "negro" but neither are allowed. Frankly, I like "negro" better than black (even though they mean exactly the same thing) because I think it sounds cooler -- unfortunately, a bunch of uneducated whiteys couldn't say it right and it became nigger ruining a perfectly good word. And African-American isn't right either... it's just more wrong and inaccurate. And Retarded? well, can't say that any longer eithe
Re: (Score:2)
Frankly, I like "negro" better than black (even though they mean exactly the same thing) because I think it sounds cooler -- unfortunately, a bunch of uneducated whiteys couldn't say it right and it became nigger ruining a perfectly good word.
It's funny, because Negro comes from the Portuguese, well, Negro (although it's pronounced differently), which is much more accepted here than the translated version of Black ("preto").
Re: (Score:2)
The correct word is "crackers", but I wouldn't expect tabloid media like Slashdot to have such vocabulary at this point.
How does that help? (Score:1)
Reputation isn't something that takes ages to destroy. Do shitty things, get blacklisted. Also, IP space that hasn't been used for mail servers, porn web sites or dialup isn't cheap.
Ownership = Identification (Score:3)
If somebody buys IP space, then there is a money trail and other identifiers.
How could criminals purchase blocks outright?
Re: (Score:2)
They are probably just using some kind of dummy corporation.
They don't get them from a hosting provider, they buy them and route them themselves. They are their own hosting provider. Like any ISP would do with their own IP block.
How could criminals purchase blocks outright?
I'll give you $20 to buy me a six pack of domestic beer.
I have a credit card here and I'll offer $100 for that six pack. Carding has been around for a LONG time.
You've been hacked, dude. You should use one of those free browser pop-up virus scanners and fix your system.
Bull Pucky (Score:5, Insightful)
I call BS. Hackers don't rent or buy IP addresses for botnets. The bots run on machines each of which has an IP address already. And when they do need IP addresses, they steal them: find an address assignment not currently routed on the Internet and forge papers they present to the ISP claiming to be the actual registrant.
There are a number of protections in place at ARIN and the other Internet Registries which do a reasonably good job preventing hackers from taking actual "ownership" of blocks of IP addresses.
While there is such a thing as "legitimate trading and auction sites," there are also a lot of snake oil salesmen out there right now claiming legitimacy. Here's a hint: the legitimate ones don't cater to the hacker crowd because they know perfectly well they can't effect a registry transfer without meeting the registry's criteria for "legitimate need."
Re: (Score:1)
Having haggled with ARIN, I have to say it is a pain in the ass to get IP addresses from them (though they are really nice people on the phone). Hackers hack computers with existing IPs. That's why they are called hackers. Spammers on the other hand, purchase services from hosting providers who have purchased IPs. And if they abuse their IPs they fire them as customers. I know because that's what we do at our datacenter.
While I'm not aware of any auction sites, I do believe it is possible to do trading in Asia/Pacific region:
"APNIC transfer, merger, acquisition, and takeover policy"
http://www.apnic.net/policy/transfer-policy [apnic.net]
Which came from this:
"prop-050: IPv4 address transfers"
"Current status Implemented on 10 February 2010"
http://www.apnic.net/policy/proposals/prop-050 [apnic.net]
And I know there is a proposal for doing similar things in Eur
Re: (Score:2)
In that situation, they're not renting addresses. They're purchasing colo service, for which some number of addresses is appropriate. Same as they have done for nearly two decades using so-called "bulletproof hosting" companies. It's not by any means an IPv4 run-out phenomenon as the article proclaims, and they're not renting bare IP addresses from you regardless.
Re: (Score:2)
Was it ARIN-assigned addresses or legacy addresses which predated ARIN? If the former, did you report it as fraud and supply your evidence that led you to believe that the entity in question was not using addresses according to ARIN's standards? (for legacy addresses, ARIN's rules only really apply when there's a transfer)
Shoot the Spammers (Score:2, Insightful)
It should be justifiable homicide to shoot and kill spammers, phishers, malware authors, and those asshats attempting dictionary attacks against a bunch of pop3 accounts looking for a new spam vector. Any nation that does not enact such a law should be labeled a rogue threat to humanity and be nuked until there is nothing left to nuke.
From orbit, just to be sure.
What if she is in orbit?
One slap on the wrist by a nun with a ruler for each spam sent. Or death if they prefer.
Not sure "hacker" is the right word (Score:4, Insightful)
Shouldn't we instead be referring to "botnet operators" or some such? I'm not making the "hacker" versus "cracker" argument, since language and words are dynamic - but even if we just use hackers in the pejorative sense, we're talking about a much larger group than just the subset who run botnets.
Re: (Score:1)
The word "hacker" is now so permanently ruined, we ought to just stop using it altogether. These days, leaving your Facebook or Twitter account logged in on a shared machine, and then having someone else notice that fact and make a posting under your account, is what the general population considers "hacking" to be.
How is this different (Score:2)
from getting IP space from a datacenter and using it until it gets a bad reputation.
And besides, if you have a block of IPs just to cycle it between botnets and spammers, just because it changes hands doesn't clean the block's reputation. So these blocks will also get blacklisted in short order.
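The point made in this post (and in "How does that help?" above) is that a reputation system keys on the address block, not on whoever currently holds it, so a transfer does not launder the block. The following is an added example, not code from the article or from any commenter, showing how a defender-side block-reputation store behaves that way: abuse reports are aggregated per /24 with an exponential decay, and a lookup for any address in that block inherits the score even if that specific address never appeared in a report. The event log, weights and half-life are constructed values chosen for illustration.

```python
import ipaddress
from datetime import datetime

# Constructed abuse reports: (ISO timestamp, reported source IP, category).
# These are illustrative values, not real observations.
SAMPLE_EVENTS = [
    ("2011-03-01T10:00:00", "203.0.113.17", "spam"),
    ("2011-03-01T10:05:00", "203.0.113.44", "spam"),
    ("2011-03-02T08:30:00", "203.0.113.200", "c2"),
    ("2011-02-10T12:00:00", "198.51.100.9", "spam"),
]

# Assumed weights per category and a decay half-life; tune to taste.
WEIGHTS = {"spam": 1.0, "c2": 5.0, "malware_hosting": 5.0}
HALF_LIFE_DAYS = 30.0
LIST_THRESHOLD = 3.0

# Reference "now" for the worked example, one day after the last report.
NOW = datetime.fromisoformat("2011-03-03T00:00:00")


class BlockReputation:
    """Reputation keyed by address block, so it survives a change of registrant."""

    def __init__(self, prefix_len: int = 24):
        self.prefix_len = prefix_len
        # network -> list of (event time, weight)
        self.events: dict[ipaddress.IPv4Network, list[tuple[datetime, float]]] = {}

    def _block(self, ip: str) -> ipaddress.IPv4Network:
        # Map any single address onto its covering /24 (strict=False masks host bits).
        return ipaddress.ip_network(f"{ip}/{self.prefix_len}", strict=False)

    def record(self, ts: str, ip: str, category: str) -> None:
        when = datetime.fromisoformat(ts)
        weight = WEIGHTS.get(category, 1.0)
        self.events.setdefault(self._block(ip), []).append((when, weight))

    def score(self, ip: str, now: datetime) -> float:
        # Sum of weights, each halved every HALF_LIFE_DAYS since it was reported.
        total = 0.0
        for when, weight in self.events.get(self._block(ip), []):
            age_days = (now - when).total_seconds() / 86400.0
            total += weight * 0.5 ** (age_days / HALF_LIFE_DAYS)
        return total

    def is_listed(self, ip: str, now: datetime) -> bool:
        return self.score(ip, now) >= LIST_THRESHOLD


def build_from_sample() -> BlockReputation:
    """Load the constructed report log into a fresh store."""
    rep = BlockReputation()
    for ts, ip, category in SAMPLE_EVENTS:
        rep.record(ts, ip, category)
    return rep


if __name__ == "__main__":
    rep = build_from_sample()
    # 203.0.113.250 never appears in a report, yet it sits in a block
    # with recent spam and C2 reports, so it is listed regardless of owner.
    for probe in ("203.0.113.250", "198.51.100.9", "192.0.2.1"):
        print(probe, round(rep.score(probe, NOW), 2), rep.is_listed(probe, NOW))
```

Because the key is the block rather than the registrant, a transfer of 203.0.113.0/24 to a new holder changes nothing in this store; only the passage of time without further reports lowers the score. A single old spam report on 198.51.100.0/24 has decayed well below the threshold, which is the flip side the "How does that help?" post is pointing at: reputation is cheap to lose and slow to rebuild.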
Re: (Score:2)
Yup. This isn't really anything new to IT either - just an extension of the company-buys-Schwinn and churns out $80 Walmart bikes story. To an MBA a reputation that cost a century to build is just an asset whose NPV is less than the cash you can get for pimping it on anything with two wheels.
So? (Score:3)
As the summary says, these spammers (to use the appropriate term; botnets aren't much use for "hacking") are basically a reverse Midas for IP blocks: whatever they touch is blacklisted. All that this means is that non-blacklisted address space becomes scarcer to the point where either these assholes can't afford it, or ICANN introduces new rules to seize address space that is abused (which would be a worrying precedent on the censorship & net neutrality front), or everyone switches to IPv6.
Frankly, I wouldn't mind something that speeds that along. It will never reach wide adoption without pressure.
Re: (Score:2)
Wonder how fast will IPv6 non-blacklisted IPs run out with all the spammers out there.
Also, on an unrelated note, some day governments will realize that the "child pron" distraction no longer works and will switch to spammers and botnet operators; that is sure to distract the public's attention while slowly imposing measures to control the internet.
Re: (Score:2)
The funny thing is that the hotmails of the world do not have AAAA records for their mail servers. That means no IPv6 spam server can reach them.
'Blocks' of IP addresses? (Score:1)