The Abandoned Side of the Internet
A particular threat to the Internet architecture arises from abandoned Internet resources such as IP address blocks and AS numbers. Ownership of these resources is recorded in the public databases of the Regional Internet Registries (RIRs), and those records reference contact addresses under domain names of the resource holder. When such a DNS name expires, an attacker can simply re-register it, receive the mail the registry sends to the recorded contacts, and thereby take over the ownership record of the resource. Such a course of action enables stealthy BGP hijacking attacks.
Conventional attacks on BGP exploit the lack of origin validation, which lets an attacker originate arbitrary prefixes from their own AS. With attacks on abandoned Internet resources, we introduce a new type of attack that additionally hijacks the ownership information stored in the RIR databases, so that the registry data itself corroborates the attacker's announcement. This kind of attack is more attractive than conventional hijacking, since the attacker acts in full anonymity behind the identity of the original holder. In addition, such attacks are significantly harder to expose. Consequently, current detection techniques are not equipped to deal with these targeted attacks.
We draw on several data sources to identify abandoned resources that are at imminent risk. To this end, we utilize public resource databases, extensive WHOIS queries for the administrative DNS information referenced by those databases (in particular, whether the contact domains are still registered), and a large set of archived BGP data. Our intention is to identify vulnerable Internet resources so that resource holders can be informed and deploy countermeasures in time. Naturally, this knowledge could be abused by attackers. We address this issue with a strategy for responsible disclosure of our findings.
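The following is an added example of the check described above, written for this page; it is not code from the paper or from the authors' routing analytics suite. It parses RPSL objects of the kind an RIR WHOIS server returns, follows the admin-c/tech-c/mnt-by references of each resource to the contact objects, extracts the domains of all e-mail addresses found there, and flags a resource as at risk when a registrar WHOIS reply says the domain is unregistered (and thus open for re-registration by an attacker). The RPSL objects, prefixes, AS number, handles, domains and WHOIS replies are constructed sample data so the script runs offline; in a real run, whois_lookup would open a socket to the TLD's WHOIS server, and the RPSL text would come from the RIR database dump or per-object queries.

```python
"""Flag RIR database objects whose administrative contact domains are unregistered.

Added example; not the paper's code. All sample data below is constructed.
"""
import re
from typing import Callable, Dict, List, Set, Tuple

RPSLObject = Dict[str, List[str]]

# Attributes of person/role/mntner objects carrying e-mail addresses that the
# registry uses to reach (and notify) a resource holder. Whoever controls the
# domain behind these addresses receives that mail.
EMAIL_ATTRS = ("e-mail", "upd-to", "mnt-nfy", "notify", "abuse-mailbox")
# Attributes of a resource object that reference contact/maintainer objects.
REF_ATTRS = ("admin-c", "tech-c", "mnt-by", "abuse-c")
RESOURCE_CLASSES = ("inetnum", "inet6num", "aut-num")

# Registrar WHOIS wording for "domain not registered". Exact phrasing differs
# per TLD; these cover common ones (assumption: extend per TLD as needed).
UNREGISTERED_RE = re.compile(
    r"^\s*(no match|not found|no entries found|domain not found|"
    r"no data found|object does not exist)",
    re.IGNORECASE | re.MULTILINE,
)

# Constructed sample: RPSL objects in the style of the RIPE database.
SAMPLE_RPSL = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
admin-c:        JD1-TEST
tech-c:         JD1-TEST
mnt-by:         EXAMPLE-MNT
status:         ASSIGNED PA
source:         TEST

aut-num:        AS64496
as-name:        EXAMPLE-AS
admin-c:        JD1-TEST
mnt-by:         EXAMPLE-MNT
source:         TEST

person:         John Doe
nic-hdl:        JD1-TEST
e-mail:         noc@defunct-isp.example
source:         TEST

mntner:         EXAMPLE-MNT
upd-to:         hostmaster@defunct-isp.example
notify:         ops@active-isp.example
source:         TEST
"""

# Constructed registrar WHOIS replies, keyed by domain (stand-in for a live query).
SAMPLE_WHOIS: Dict[str, str] = {
    "defunct-isp.example": 'No match for "DEFUNCT-ISP.EXAMPLE".\n',
    "active-isp.example": "Domain Name: ACTIVE-ISP.EXAMPLE\n"
                          "Registry Expiry Date: 2027-01-15T00:00:00Z\n",
}


def parse_rpsl(text: str) -> List[RPSLObject]:
    """Split blank-line separated RPSL text into objects of attr -> [values]."""
    objects: List[RPSLObject] = []
    current: RPSLObject = {}
    last_attr = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                objects.append(current)
                current = {}
            continue
        if line[0] in " \t+" and last_attr:  # RPSL continuation line
            current[last_attr][-1] += " " + line.lstrip(" \t+")
            continue
        attr, _, value = line.partition(":")
        last_attr = attr.strip().lower()
        current.setdefault(last_attr, []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def index_by_handle(objects: List[RPSLObject]) -> Dict[str, RPSLObject]:
    """Map nic-hdl (person/role) and mntner names to objects so references resolve."""
    index: Dict[str, RPSLObject] = {}
    for obj in objects:
        for key in ("nic-hdl", "mntner"):
            for handle in obj.get(key, []):
                index[handle.upper()] = obj
    return index


def contact_domains(resource: RPSLObject, index: Dict[str, RPSLObject]) -> Set[str]:
    """Domains of every e-mail address reachable from a resource's contact chain."""
    domains: Set[str] = set()
    for attr in REF_ATTRS:
        for handle in resource.get(attr, []):
            contact = index.get(handle.upper())
            if contact is None:
                continue  # dangling reference: nothing to resolve here
            for email_attr in EMAIL_ATTRS:
                for addr in contact.get(email_attr, []):
                    if "@" in addr:
                        domains.add(addr.rsplit("@", 1)[1].lower().rstrip("."))
    return domains


def domain_is_unregistered(whois_reply: str) -> bool:
    """True if the registrar reply says the domain does not exist."""
    return UNREGISTERED_RE.search(whois_reply) is not None


def find_at_risk(rpsl_text: str,
                 whois_lookup: Callable[[str], str]) -> List[Tuple[str, str, str]]:
    """(object class, resource, unregistered domain) for each resource whose
    contact chain depends on a domain that anyone could register right now."""
    objects = parse_rpsl(rpsl_text)
    index = index_by_handle(objects)
    cache: Dict[str, bool] = {}
    findings: List[Tuple[str, str, str]] = []
    for obj in objects:
        cls = next((c for c in RESOURCE_CLASSES if c in obj), None)
        if cls is None:
            continue
        for domain in sorted(contact_domains(obj, index)):
            if domain not in cache:
                cache[domain] = domain_is_unregistered(whois_lookup(domain))
            if cache[domain]:
                findings.append((cls, obj[cls][0], domain))
    return findings


def sample_lookup(domain: str) -> str:
    """Stand-in for a registrar WHOIS query, served from the constructed replies."""
    return SAMPLE_WHOIS[domain]


if __name__ == "__main__":
    for cls, res, domain in find_at_risk(SAMPLE_RPSL, sample_lookup):
        print(f"{cls} {res}: contact domain {domain} is unregistered -> at risk")
```

On the sample data both the inetnum and the AS are reported, because the person and the maintainer behind them share the defunct domain; the still-registered notify address does not help, since an attacker holding the other domain receives registry mail all the same. A real deployment should also rate-limit and cache the registrar queries (one per distinct domain, as above), since WHOIS servers throttle aggressively.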
We will shortly integrate a monitoring component for expiring DNS names into our routing analytics suite.
J. Schlamp, J. Gustafsson, M. Wählisch, T. C. Schmidt, and G. Carle
"The Abandoned Side of the Internet: Hijacking Internet Resources When Domain Names Expire"
Proceedings of the 7th International Workshop on Traffic Monitoring and Analysis (TMA), pp. 188-201.
Barcelona, Spain, April 21-24, 2015.
Publisher: Springer International Publishing