A weakness in the way some countries manage the IP address ranges assigned to Internet Service Providers (ISPs) and hosting providers has been abused by spammers, who have hijacked them for nefarious activities.

The scam works by setting up a business that pretends to be an ISP or a hosting provider and claiming unused address space that was assigned to the legitimate holders of those IPs. If nobody complains, the crooks can use the addresses as they please.

In this way, cybercriminals pass as the authority to which the addresses were allocated; the organization taking over the addresses does not necessarily have to be a fake one, as legitimate organizations have also been known to dabble in this sort of activity.

IP address spaces hijacked from all over the world

Security blogger Brian Krebs has been tracking the activity of a spammer who admitted to sending junk email via two hosting providers in Bulgaria, Mega-Spred and Kandi EOOD.

According to Krebs, the two entities “commandeered tens of thousands of Internet addresses from ISPs around the globe, including Brazil, China, India, Japan, Mexico, South Africa, Taiwan and Vietnam.”

His investigation revealed that Mega-Spred had been hijacking IP address spaces from all over the world since late August this year.

The problem stems from the fact that regional Internet registry (RIR) authorities do not verify the authenticity of a network operator's ownership claim over an IP range; they simply accept it.

A graver issue is that the RIR that blindly accepts the claim also passes the bogus information on to the databases used to check whether an IP route is valid. The parties performing such checks are therefore basing their verification on fake data.

A digital certificate can validate routing information

RIPE NCC (Réseaux IP Européens Network Coordination Centre) is the RIR that supervises the allocation and registration of IPs for service providers in Europe, the Middle East, and some countries in Central Asia.

However, in a statement on the matter emailed to Krebs, the authority said that it could not “verify the routing information entered into Internet Routing Registries or monitor the accuracy of the route objects,” even though it is the one accepting the claims and the routing records from the fraudulent network operators in the first place.

On the other hand, RIPE offers its Resource Certification (RPKI) service as a way for network operators to protect themselves against IP hijacking. It lets an operator request a digital certificate covering the IP resources it holds, so that other parties can verify whether a resource is being used by its legitimate holder or not.
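The contrast between an unverified route object and an RPKI-backed check is easier to see in code. The following is an added example, not code from the article, Krebs, or RIPE NCC: it compares a lookup against constructed Internet Routing Registry (IRR) route objects, which simply record whatever claim was registered (the situation described above), with route origin validation against Route Origin Authorizations (ROAs), the signed statements an RPKI certificate holder publishes to say which AS may announce a prefix (the Valid/Invalid/NotFound logic follows RFC 6811). The prefixes, AS numbers and route objects are constructed samples from documentation and private ranges, not real registry data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: the certified holder of `prefix`
    authorizes `origin_asn` to announce it, and any more-specific
    prefix no longer than `max_length` bits."""
    prefix: str
    max_length: int
    origin_asn: int


@dataclass(frozen=True)
class Announcement:
    """A BGP route as a validating router sees it: prefix plus origin AS."""
    prefix: str
    origin_asn: int


# Constructed sample ROAs (documentation prefixes, private AS numbers).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64500),
    ROA("198.51.100.0/24", 26, 64501),
]

# Constructed RPSL-style route objects as they might sit in an IRR.
# The second object is a bogus claim registered by a party that does not
# hold the prefix; nothing in the IRR itself distinguishes it from the first.
SAMPLE_IRR = """\
route:   192.0.2.0/24
origin:  AS64500
descr:   legitimate holder (constructed)

route:   192.0.2.0/24
origin:  AS64666
descr:   bogus claim (constructed)
"""


def parse_route_objects(text: str) -> list:
    """Parse blank-line-separated key: value blocks into dicts."""
    objects = []
    for block in text.strip().split("\n\n"):
        obj = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            obj[key.strip()] = value.strip()
        objects.append(obj)
    return objects


def irr_says_authorized(ann: Announcement, irr_objects: Iterable[dict]) -> bool:
    """An IRR lookup only answers 'is there a route object saying so?'.
    It cannot tell a legitimate registration from a hijacker's claim."""
    return any(
        obj.get("route") == ann.prefix and obj.get("origin") == f"AS{ann.origin_asn}"
        for obj in irr_objects
    )


def covering_roas(ann: Announcement, roas: Iterable[ROA]) -> list:
    """ROAs whose prefix contains the announced prefix."""
    net = ipaddress.ip_network(ann.prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version != net.version:
            continue
        if net.prefixlen >= roa_net.prefixlen and net.subnet_of(roa_net):
            covering.append(roa)
    return covering


def validate_origin(ann: Announcement, roas: Iterable[ROA]) -> str:
    """RFC 6811 route origin validation state for one announcement.
    NotFound: no ROA covers the prefix (RPKI says nothing either way).
    Valid:    a covering ROA names this origin AS and permits this length.
    Invalid:  ROAs cover the prefix but none authorizes this announcement."""
    covering = covering_roas(ann, roas)
    if not covering:
        return "NotFound"
    plen = ipaddress.ip_network(ann.prefix, strict=False).prefixlen
    for roa in covering:
        if roa.origin_asn == ann.origin_asn and plen <= roa.max_length:
            return "Valid"
    return "Invalid"


if __name__ == "__main__":
    hijack = Announcement("192.0.2.0/24", 64666)
    irr_objects = parse_route_objects(SAMPLE_IRR)
    print("IRR has a matching route object:", irr_says_authorized(hijack, irr_objects))
    print("RPKI origin validation:", validate_origin(hijack, SAMPLE_ROAS))
```

For the constructed hijack announcement the IRR lookup returns True, because the bogus route object was accepted as registered, while RPKI validation returns Invalid, because the certified holder only authorized AS64500. A router that drops Invalid routes would therefore refuse the hijacked prefix regardless of what the IRR says; a prefix with no ROA at all comes back NotFound, which is why the protection only covers resources whose holders have actually requested certification.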