Archive for September, 2007

Injecting Spam and Malicious Attacks via Prefix Hijacking

Tuesday, September 4th, 2007

By Supranamaya Ranjan

While prefix hijacking has been known to carrier networks for several years now, its impact on delivering attacks in the Internet has not yet been fully grasped. In the last post, I described how hijacking an already announced prefix lets an attacker steal traffic away from the original prefix owner, a "Denial-of-Reachability" attack. In this post, I describe the wide array of malicious attacks an attacker can inject by hijacking a previously un-announced prefix.

We have witnessed email spam campaigns carried out from hijacked /16 and /20 prefix blocks, via traffic monitored at one of the largest carrier ISP networks in North America. Given that spamming is a multi-million dollar industry, it is no surprise that spammers have pushed the frontier even further. This is an incredibly clever method for delivering spam, and the reasons for it are rooted in the increasingly lucrative spam business model as well as in the evolution of anti-spam measures. Those measures have taken a new turn: comprehensive lists of IP addresses detected originating spam are blacklisted and published as zones that can be queried over DNS, commonly referred to as DNS-based Blocklists (DNSBLs). A mail server automatically looks up the source IP address of an incoming email in one or more DNSBLs to decide whether to accept the message or filter it.

To work around the DNSBLs, spammers have resorted to hijacking large prefix blocks that nobody else in the Internet announces. Owning a large block, say a /8, gives a spammer a huge pool of unique IP addresses (2^24, about 16 million). A sophisticated spammer can then spread the workload so that he stays under the radar of the DNSBLs: if he has, say, 10 mail servers originating emails, he can rotate the IP addresses allocated to those servers so that no single address ever sends enough to become prominent. Because the hijacked prefix is routed back to the announcing AS and router, the method works very well; spammers are even able to get back notification of whether their email was successfully accepted by the destination mail server. Moreover, once the daily email target has been met, the spammer may withdraw the prefix, after which active trace-back tools such as ICMP ping, Nmap or traceroute no longer find anything at those addresses. (The announcement itself stays on record at BGP route collectors such as RouteViews and RIPE RIS, so the withdrawal covers his tracks from the host side, not from the routing side.)

This portends an even scarier future, in which an attacker launches not only spam under the cover of prefix hijacking but a bewildering variety of other attacks. Another attack that we at Narus foresee being driven just as easily by prefix hijacking is search engine click fraud, where an advertiser clicks through a competitor's ads to exhaust the competitor's advertising budget. Any automated click fraud detection must keep counts of how many clicks originate from each IP address. Hijacking a prefix gives the attacker a huge set of IP addresses from which to originate his clicks, large enough that he remains "below the radar" of any per-IP-address click threshold. Since click fraud is widely acknowledged by search engine companies to be their bête noire, could prefix-hijacking-enabled click fraud be their ultimate nemesis?
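The rotation trick from the spam paragraph and the per-IP click counting just described are the same evasion seen from two sides, so one added example serves both (constructed data, not code from the post or from Narus). The attacker half spreads events across a hijacked block so that no address exceeds a per-IP cap; the detector half shows that a per-IP threshold then fires on nothing, while attributing each event to the BGP prefix that routes it, and noting how recently that route appeared, makes the campaign obvious. `10.0.0.0/8` is used only as a stand-in for a large hijacked block, the AS numbers are from the documentation range, and the timestamps and event counts are invented.

```python
"""Per-IP rate limits versus per-prefix correlation for abuse sourced from a hijacked block.

Constructed example: routing table, prefixes, AS numbers and events are invented.
"""
import ipaddress
import random
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Announcement:
    prefix: str      # BGP prefix as seen at a route collector
    origin_as: int   # originating AS
    first_seen: int  # epoch seconds when this (prefix, origin) pair was first observed


def spread_events(prefix: str, n_events: int, per_ip_cap: int, seed: int = 1) -> List[str]:
    """Attacker side: emit n_events source addresses from the hijacked block so that
    no single address is reused more than per_ip_cap times."""
    net = Net(prefix)
    rng = random.Random(seed)
    used: Counter = Counter()
    out: List[str] = []
    while len(out) < n_events:
        ip = str(net[rng.randrange(net.num_addresses)])
        if used[ip] >= per_ip_cap:
            continue  # this address has hit its cap; pick another
        used[ip] += 1
        out.append(ip)
    return out


def longest_match(ip: str, table: List[Announcement]) -> Optional[Announcement]:
    """Longest-prefix match of an address against the announced routes."""
    addr = ipaddress.IPv4Address(ip)
    best: Optional[Announcement] = None
    for ann in table:
        net = Net(ann.prefix)
        if addr in net and (best is None or net.prefixlen > Net(best.prefix).prefixlen):
            best = ann
    return best


def per_ip_alerts(events: List[str], threshold: int) -> List[str]:
    """Naive detector: alert on any source address seen more than `threshold` times."""
    return sorted(ip for ip, n in Counter(events).items() if n > threshold)


def per_prefix_alerts(events: List[str], table: List[Announcement], threshold: int,
                      now: int, new_route_window: int) -> List[Dict[str, object]]:
    """Correlated detector: attribute each event to the announced prefix that routes it,
    count per prefix, and record whether that route only appeared recently."""
    count: Counter = Counter()
    distinct: Dict[str, set] = defaultdict(set)
    for ip in events:
        ann = longest_match(ip, table)
        if ann is None:
            continue  # unrouted source; the attack in the post relies on the block being routed
        count[ann.prefix] += 1
        distinct[ann.prefix].add(ip)
    alerts: List[Dict[str, object]] = []
    for ann in table:
        if count[ann.prefix] > threshold:
            alerts.append({
                "prefix": ann.prefix,
                "origin_as": ann.origin_as,
                "events": count[ann.prefix],
                "distinct_ips": len(distinct[ann.prefix]),
                "new_route": now - ann.first_seen < new_route_window,
            })
    return sorted(alerts, key=lambda a: -int(a["events"]))


# Constructed routing snapshot: 10.0.0.0/8 stands in for a large block that was unannounced
# until an hour ago; 198.51.100.0/24 is a long-standing legitimate route.
NOW = 1_189_000_000
TABLE = [
    Announcement("10.0.0.0/8", origin_as=64500, first_seen=NOW - 3600),
    Announcement("198.51.100.0/24", origin_as=64496, first_seen=NOW - 90 * 86400),
]
HIJACK_EVENTS = spread_events("10.0.0.0/8", n_events=5000, per_ip_cap=3)
LEGIT_EVENTS = ["198.51.100.5"] * 4 + ["198.51.100.6"] * 2
ALL_EVENTS = HIJACK_EVENTS + LEGIT_EVENTS


def run_detectors(per_ip_threshold: int = 5, per_prefix_threshold: int = 100):
    """Run both detectors over the constructed event stream and return their alerts."""
    return (per_ip_alerts(ALL_EVENTS, per_ip_threshold),
            per_prefix_alerts(ALL_EVENTS, TABLE, per_prefix_threshold, NOW, new_route_window=86400))


if __name__ == "__main__":
    ip_alerts, prefix_alerts = run_detectors()
    print("per-IP alerts:", ip_alerts)       # empty: rotation keeps every address under the cap
    for alert in prefix_alerts:
        print("per-prefix alert:", alert)    # 10.0.0.0/8: 5000 events, new_route True
```

The same aggregation applies to a click fraud counter: keyed by IP address it sees thousands of one-off visitors, keyed by routed prefix it sees one /8 that appeared an hour ago and is responsible for the whole spike. A production version would take the table from a live BGP feed rather than a static list, and would treat `distinct_ips` close to `events` as a signal in its own right.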

Indeed, detecting prefix-hijacking-enabled spam or click fraud is no small task, since appliances that have only a partial, uncorrelated view of the network are doomed to fail. Fortunately, via its patent-pending anomaly correlation technology, NarusInsight Secure Suite can correlate seemingly separate attack incidents, such as those launched via prefix hijacking, into one cohesive meta-alert, providing the complete picture from root cause to end result.