Forgot your password?
typodupeerror
Botnet Networking Security IT

Hackers Buying IPv4 Blocks To Evade Detection 89

Posted by Soulskill
from the wasting-good-corners-on-bad-hot-dog-stands dept.
Trailrunner7 writes "The number of IP addresses required for large scale botnets to operate effectively can be considerable, and finding large IP blocks to use for them can be difficult. If the botnet operators do find them, the IP addresses often are blacklisted quickly by reputation systems and are then useless for the attackers. Now, in one effort to get around these systems, some attackers are taking advantage of the lack of IPv4 space by either purchasing or renting blocks of IP space with good reputations that have been built up over the course of several years. A number of legitimate trading and auction sites appeared as the IPv4 space became scarcer, and the attackers have gotten involved as well, getting their hands on known good IP blocks and using them for C&C or hosting malware."
This discussion has been archived. No new comments can be posted.

Hackers Buying IPv4 Blocks To Evade Detection

Comments Filter:
  • >legitimate trading and auction sites
    Well, that's got to wreak havoc on routing tables.

  • by tag (22464) on Friday October 07, 2011 @01:11PM (#37640892)
    FTFA: "The bad guys can buy or rent these as well, getting inside known good IP blocks so that the reputation systems don't blacklist them as quickly." Criminals establish "safe houses" in nice neighborhoods. Film at eleven.
    • Oh my goodness, you mean blacklists don't work? My oh my, I don't think anybody ever thought of that before...

    • by causality (777677)

      FTFA: "The bad guys can buy or rent these as well, getting inside known good IP blocks so that the reputation systems don't blacklist them as quickly." Criminals establish "safe houses" in nice neighborhoods. Film at eleven.

      Besides, these cat-and-mouse games aren't going to stop the widespread, automated compromises of Windows systems that make botnets possible in the first place. It also won't eliminate the average users' notion that security must always be someone else's problem, that they don't need to learn a few basic things that would make them much harder targets (particularly for trojans and other user-assisted exploits).

      Inconvenient though it may sometimes seem, we need to look at the cause-and-effect and address

      • by Anonymous Coward

        Oh horseshit. Microsoft makes ease-of-use it's focus because that is what it's customers want. Does your house come with a warning that trimming the shrubs is required, and if they grow too large it is bad for security? Does the home builder bear liability if someone hides behind the shrub, breaks a window and gets in? Does the homeowner? No to all of those - the only one we hold responsible is the person who broke in. And why single out Microsoft for liability? If Microsoft is liable, why aren't all

        • by causality (777677)

          Oh horseshit. Microsoft makes ease-of-use it's focus because that is what it's customers want. Does your house come with a warning that trimming the shrubs is required, and if they grow too large it is bad for security? Does the home builder bear liability if someone hides behind the shrub, breaks a window and gets in? Does the homeowner? No to all of those - the only one we hold responsible is the person who broke in. And why single out Microsoft for liability? If Microsoft is liable, why aren't all software vendors (including FOSS)? Equal justice and all that.

          Most people think like you do: childishly. They will pass up an available, doable solution that will work because it might mean a slight bit more effort for users and might not fulfill their visceral desire to feel the gratification of hanging the black-hats by their toes. I know exactly how you think. Anything that doesn't give users streets paved with gold and their every heart's desire while simultaneously torturing the evil hackers to death would be ... UNFAIR. That makes it against your religion, a

          • by fluffy99 (870997)

            I think you might have trouble finding 50,000 actual working installations of QNX with internet connections. The simple point being that Windows is by far and large the largest target. No one in their right mind is going to waste time developing a botnet on the small potatoes like QNX, VAX, or Mac.

      • by tlhIngan (30335)

        Besides, these cat-and-mouse games aren't going to stop the widespread, automated compromises of Windows systems that make botnets possible in the first place. It also won't eliminate the average users' notion that security must always be someone else's problem, that they don't need to learn a few basic things that would make them much harder targets (particularly for trojans and other user-assisted exploits).

        Newsflash - Windows boxes are a lot harder to infect these days. In fact, the vast majority

        • by causality (777677)

          Newsflash - Windows boxes are a lot harder to infect these days. In fact, the vast majority of compromises don't happen because you connected a Windows box to the Internet. They happen because the user browses to some website, and either a drive-by download happens and installs malware (either through a compromised website, or through a compromised ad network), or they run an attachment because the email says to.

          I didn't really consider it relevant at the time, but consider the majority of the Windows userbase. They tend to not only be ignorant about technical matters, but they work hard to stay that way and will resent the notion that this should gradually change as they acquire experience. I call them permanent newbies. They're the people who can use computers for seven years and still remain as ignorant now as they were when they first started. They want to learn the basics of how their computers work about

          • by mikael (484)

            A lot of users just see the computer as utility like a cooker or television. They just expect to be able to press a button to do a particular task and have that task complete.

            It's a royal pain-in-the-ass when they want to open a file sent by a friend (dancing pig emoticons for E-mail, let alone a zip file) and the PC then tells them that they need to download or purchase XYZ application to view that file. So off they go to start up a browser, search for that file data type, find the application website, cli

  • C&C? (Score:4, Funny)

    by jd (1658) <imipak AT yahoo DOT com> on Friday October 07, 2011 @01:12PM (#37640914) Homepage Journal

    Why would hackers still be playing Command and Conquer?

    • Command and Control.

      • Either you are missing the sarcasm or I am missing the counter sarcasm or there is no sarcasm being missed at all. Either ways, I should have all my bases covered?
    • There was that big sale on steam over the summer I know I picked up a few C&C titles
  • by Anonymous Coward

    I think you mean criminals.

    • by Abstrackt (609015) *

      I think you mean criminal hackers. I'll give you that they're not synonymous, but they're not mutually exclusive either.

      • by Ant P. (974313)

        The correct word is "crackers", but I wouldn't expect tabloid media like Slashdot to have such vocabulary at this point.

  • by Anonymous Coward

    Reputation isn't something that takes ages to destroy. Do shitty things, get blacklisted. Also, IP space that hasn't been used for mail servers, porn web sites or dialup isn't cheap.

  • by Toe, The (545098) on Friday October 07, 2011 @01:20PM (#37641036)

    If somebody buys IP space, then there is a money trail and other identifiers.

    How could criminals purchase blocks outright?

  • Bull Pucky (Score:5, Insightful)

    by Spazmania (174582) on Friday October 07, 2011 @01:27PM (#37641142) Homepage

    I call BS. Hackers don't rent or buy IP addresses for botnets. The bots run on machines each of which has an IP address already. And when they do need IP addresses, they steal them: find an address assignment not currently routed on the Internet and forge papers they present to the ISP claiming to be the actual registrant.

    There are a number of protections in place at ARIN and the other Internet Registries which do a reasonably good job preventing hackers from taking actual "ownership" of blocks of IP addresses.

    While there is such a thing as a "legitimate trading and auction sites," there are also a lot of snake oil salesman out there right now claiming legitimacy. Here's a hint: the legitimate ones don't cater to the hacker crowd because they know perfectly well they can't effect a registry transfer without meeting the registry's criteria for "legitimate need."

    • Having haggled with ARIN, I have to say it is a pain in the ass to get IP addresses from them (though they are really nice people on the phone). Hackers hack computers with existing IPs. That's why they are called hackers. Spammers on the other hand, purchase services from hosting providers who have purchased IPs. And if they abuse their IPs they fire them as customers. I know because that's what we do at our datacenter.

      • by jrumney (197329)
        If you think ARIN is a pain in the ass, try getting IPv4 addresses from APNIC.
    • by Lennie (16154)
      While there is such a thing as a "legitimate trading and auction sites,"

      While I'm not aware of any auction sites, I do believe it is possible to do trading in Asia/Pacific region:

      "APNIC transfer, merger, acquisition, and takeover policy"

      http://www.apnic.net/policy/transfer-policy [apnic.net]

      Which came from this:

      "prop-050: IPv4 address transfers"

      "Current status Implemented on 10 February 2010"

      http://www.apnic.net/policy/proposals/prop-050 [apnic.net]

      And I know there is a proposal for doing simialir things in Eur
  • Shoot the Spammers (Score:2, Insightful)

    by ebunga (95613)

    It should be justifiable homicide to shoot and kill spammers, phishers, malware authors, and those asshats attempting dictionary attacks against a bunch of pop3 accounts looking for a new spam vector. Any nation that does not enact such a law should be labeled a rogue threat to humanity and be nuked until there is nothing left to nuke.

    • by Algae_94 (2017070)
      I feel your pain, but come on now. Capital punishment for spamming? It's a tough enough case to push for justifiable homicide if someone physically breaks into your house and tries to rob you. How are you going to press the case that, "he spammed me, so I shot his ass"? Scams, fraud and general douche-hattery are not new. This is just a newer realm for them.
      • by sjames (1099)

        One slap on the wrist by a nun with a ruler for each spam sent. Or death if they prefer.

  • by 93 Escort Wagon (326346) on Friday October 07, 2011 @01:42PM (#37641338)

    Shouldn't we instead be referring to "botnet operators" or some such? I'm not making the "hacker" versus "cracker" argument, since language and words are dynamic - but even if we just use hackers in the pejorative sense, we're talking about a much larger group than just the subset who run botnets.

    • by ShaunC (203807)

      The word "hacker" is now so permanently ruined, we ought to just stop using it altogether. These days, leaving your Facebook or Twitter account logged in on a shared machine, and then having someone else notice that fact and make a posting under your account, is what the general population considers "hacking" to be.

  • from getting IP space from a datacenter and using it until it gets a bad reputation.

    And besides, if you have a block of IPs just to cycle it between botnets and spammers, just because it changes hands doesn't clean the block's reputation. So these blocks will also get blacklisted in short order.

    • by Rich0 (548339)

      Yup. This isn't really anything new to IT either - just an extension of the company-buys-Schwinn and churns out $80 Walmart bikes story. To an MBA a reputation that cost a century to build is just an asset whose NPV is less than the cash you can get for pimping it on anything with two wheels.

  • by Arancaytar (966377) <arancaytar.ilyaran@gmail.com> on Friday October 07, 2011 @02:21PM (#37641838) Homepage

    As the summary, these spammers (to use the appropriate term; botnets aren't much use for "hacking") are basically reverse Midas to IP blocks: Whatever they touch is blacklisted. All that this means is that non-blacklisted address space becomes scarcer to the point where either these assholes can't afford it, or ICANN introduces new rules to seize address space that is abused (which would be a worrying precedent on the censorship & net neutrality front), or everyone switches to IPv6.

    Frankly, I wouldn't mind something that speeds that along. It will never reach wide adoption without pressure.

    • by Pi1grim (1956208)

      Wonder how fast will IPv6 non-blacklisted IPs run out with all the spammers out there.

      Also, on an unrelated note — some day governments will realize, that "child pron" distraction no longer works and will switch to spammers and and botnet operators, that is sure to distract the public's attention while slowly imposing measures to control the internet.

  • Call me a spellfag, but it's BLOCS, not blocks.

What hath Bob wrought?

Working...