The Spamhaus Project


How to Halt the Hijackers

by The Spamhaus Team
March 06, 2019
5 minutes reading time

If you’ve read Network hijacking - the low down, you’ll be fully versed in the varied ways cybercriminals can hijack your network. In this article, we’ll be explaining how to protect against this happening to you, along with a high-level overview as to what you can do if your Internet Protocol (IP) addresses are hijacked.

Ways to protect your networks from being hijacked in the first place

Don’t lose track of your assets! Yes, that’s right, you need to start thinking of your IP addresses as assets, just as you would your office coffee machine. Over time IP addresses have become an increasingly valuable commodity. Unfortunately, as companies are bought, sold and merged, assets like IP ranges can get ‘lost’ in the exchange, and a range nobody remembers owning is exactly the kind a hijacker looks for. It makes good business sense to keep an inventory of them.

Maintain up-to-date contact information in your Regional Internet Registry (RIR) registration. This is important not only so that the RIR can get in touch about any day-to-day matters concerning your IP addresses, but also so that you are alerted should a third party try to tamper with your registration, for instance by changing the contact handles.

Religiously renew any domains that are used for the email addresses of contacts within your registration, as these are prime targets for takeover by hijackers: whoever controls the contact domain receives the RIR’s correspondence and account-recovery mail in your name. It makes sense to extend the registration of these domains for as many years as possible, and to enable auto-renewal and registrar lock so that they cannot lapse or be transferred unnoticed.

Even if your IP ranges are not being actively used for anything, make sure that you announce them. Hijackers are less likely to be interested in announced IP ranges. Where your RIR offers RPKI, also publish a Route Origin Authorization (ROA) for each prefix naming your own ASN, so that networks performing route origin validation will reject an announcement of your space from any other origin.

Help! I’ve been hijacked! Now what?

The first step is to figure out which Autonomous System Number (ASN) is announcing your hijacked netblock and contact that Internet service provider (ISP). Public route collectors and looking glasses (RIPE RIS and RouteViews, for example) show the full AS path for any prefix; check for announcements of more-specific prefixes as well, since a hijacker will often announce a longer prefix that wins over your own route. If the ASN itself appears hijacked or is not responding, you can go up to the upstream ISP that is routing the ASN (i.e. the next ASN upstream in the announcement path).
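The lookup described above, as an added example that is not part of the original post or of any Spamhaus tooling: given a simplified looking-glass dump (one route per line, prefix followed by the AS path), it finds every announcement that overlaps your netblock, including more-specifics, reports the origin ASN that is not yours, and names the next ASN upstream after collapsing any AS-path prepending. The route table, prefixes (RFC 5737 documentation ranges) and ASNs (RFC 5398 documentation range) are all constructed for the example; in practice you would paste in the output of a route collector or your own BGP session.

```python
"""Find who is announcing a netblock (or a more-specific of it) and who is routing it.

Added example, not Spamhaus code. SAMPLE_TABLE is a constructed, simplified
looking-glass dump ("prefix  AS-path"); replace it with real collector output.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Union

# Constructed sample. Prefixes are RFC 5737 documentation ranges and ASNs come from
# the RFC 5398 documentation range, so none of this refers to a real network.
SAMPLE_TABLE = """\
# prefix            AS path (collector's peer ... origin)
198.51.100.0/24     64500 64501 64496
198.51.100.0/25     64500 64510 64511 64511
203.0.113.0/24      64500 64502 64497
192.0.2.0/24        64500 64503 64498
"""

OUR_PREFIX = "198.51.100.0/24"   # the netblock we hold (assumed for the example)
OUR_ASN = 64496                  # the only ASN that should originate it


class Route(NamedTuple):
    prefix: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    path: List[int]              # left = collector's peer, right = origin


class Finding(NamedTuple):
    prefix: str                  # the overlapping announcement
    origin_asn: int              # who claims to originate it
    upstream_asn: Optional[int]  # who is routing that origin (None if origin is the peer)


def parse_table(text: str) -> List[Route]:
    """Parse 'prefix  asn asn asn' lines; '#' lines and blank lines are ignored."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        prefix = ipaddress.ip_network(fields[0], strict=True)
        path = [int(asn) for asn in fields[1:]]
        routes.append(Route(prefix, path))
    return routes


def dedupe_prepends(path: List[int]) -> List[int]:
    """Collapse AS-path prepending (an AS repeated consecutively) so the real
    neighbour of the origin is found rather than the origin itself."""
    out: List[int] = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def find_foreign_origins(our_prefix: str, our_asn: int,
                         routes: List[Route]) -> List[Finding]:
    """Return every announcement overlapping our_prefix whose origin is not our_asn.
    Covering prefixes, exact matches and more-specifics are all reported."""
    ours = ipaddress.ip_network(our_prefix)
    findings = []
    for r in routes:
        # overlaps() raises on mixed address families, so check the version first
        if r.prefix.version != ours.version or not ours.overlaps(r.prefix):
            continue
        path = dedupe_prepends(r.path)
        if not path or path[-1] == our_asn:
            continue
        upstream = path[-2] if len(path) >= 2 else None
        findings.append(Finding(str(r.prefix), path[-1], upstream))
    return findings


if __name__ == "__main__":
    for f in find_foreign_origins(OUR_PREFIX, OUR_ASN, parse_table(SAMPLE_TABLE)):
        print(f"{f.prefix} originated by AS{f.origin_asn}, "
              f"routed via AS{f.upstream_asn}: contact the origin first, then the upstream")
```

With the sample table this reports the more-specific 198.51.100.0/25 originated by AS64511 and routed by AS64510, which is the contact order the text gives: the announcing ASN first, its upstream if that fails. The path is read from one collector only; repeat the check from several vantage points, since a hijack may be visible in one region and not another.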

Remember to gather evidence

Not only should you request that the ISP stop announcing your netblock, but you should also use this as an opportunity to collect any evidence to help get things sorted out. This would include such details as:

  • Letter of Authority presented for the announcement
  • Contact information provided by the hijackers
  • Payment details used (credit card or bank information)

But the domain name for the contact information is no longer owned by me

If the domain name used in the email address for your RIR contact information has lapsed and is now in the hands of the hijackers, registering it for the purpose of impersonating you at the RIR is strong evidence of “bad faith” under the Uniform Domain Name Dispute Resolution Policy (UDRP). Retrieving the domain should therefore be a relatively straightforward matter. Start by filing a complaint with WIPO.

Similarly, if your RIR registration has been tampered with by the hijackers, all RIRs (ARIN, for example) have a procedure to prove ownership and reclaim hijacked netblocks.

Check for any reputation damage

Having fallen into the hands of cyber criminals, it’s more than likely that your network will have been abused. As a result, it could be listed on the Spamhaus Block List (SBL) or the Spamhaus DROP list, so check your ranges against both on the Spamhaus website.
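The reputation check, as an added example that is not part of the original post or of any Spamhaus tooling: it parses a text in the published DROP list format (one CIDR per line followed by a “; SBL…” reference, comment lines beginning with “;”), reports any overlap with your own ranges, and builds the reversed-octet query name you would send to the zen.spamhaus.org DNSBL for an individual address. The DROP text below is constructed from RFC 5737 documentation ranges with placeholder SBL references, and the return-code table is assumed to match Spamhaus’s published documentation for the ZEN zone.

```python
"""Check your netblocks against a DROP-format list and build DNSBL queries.

Added example, not Spamhaus code. SAMPLE_DROP is constructed in the DROP file
format with documentation ranges; download the real list to check your space.
"""
import ipaddress
from typing import Dict, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample in DROP list format, not real data.
SAMPLE_DROP = """\
; Constructed sample in Spamhaus DROP list format (placeholder SBL references)
; Last-Modified: Wed, 06 Mar 2019 00:00:00 GMT
198.51.100.0/24 ; SBL000001
203.0.113.128/25 ; SBL000002
"""

# Assumed from Spamhaus's published return codes for the ZEN zone. Other codes in
# 127.0.0.0/8 belong to the XBL and PBL and do not indicate a hijacked range.
SBL_RETURN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL (Spamhaus Block List)",
    "127.0.0.3": "SBL CSS",
    "127.0.0.9": "SBL (DROP/EDROP data)",
}


def parse_drop(text: str) -> Dict[Network, str]:
    """Return {network: SBL reference} from DROP-format text; ';' lines are comments."""
    entries: Dict[Network, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        cidr, _, comment = line.partition(";")
        net = ipaddress.ip_network(cidr.strip(), strict=True)
        entries[net] = comment.strip()
    return entries


def overlapping_listings(our_ranges: List[str],
                         drop: Dict[Network, str]) -> List[Tuple[str, str, str]]:
    """(our range, listed range, SBL reference) for every listing that overlaps our
    space: a listing inside, equal to, or covering one of our ranges all count."""
    hits = []
    for cidr in our_ranges:
        ours = ipaddress.ip_network(cidr)
        for net, ref in drop.items():
            if net.version == ours.version and net.overlaps(ours):
                hits.append((str(ours), str(net), ref))
    return hits


def dnsbl_query_name(address: str, zone: str = "zen.spamhaus.org") -> str:
    """Reverse the octets (IPv4) or nibbles (IPv6) and append the zone, as DNSBLs expect."""
    addr = ipaddress.ip_address(address)
    if addr.version == 4:
        reversed_part = ".".join(reversed(addr.exploded.split(".")))
    else:
        reversed_part = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{reversed_part}.{zone}"


def interpret_answers(answers: List[str]) -> List[str]:
    """Map A-record answers from a DNSBL lookup to the SBL meanings above."""
    return [SBL_RETURN_CODES.get(a, f"non-SBL listing ({a})") for a in answers]


if __name__ == "__main__":
    drop = parse_drop(SAMPLE_DROP)
    for ours, listed, ref in overlapping_listings(["198.51.100.0/23", "192.0.2.0/24"], drop):
        print(f"{ours} overlaps DROP entry {listed} ({ref})")
    print(dnsbl_query_name("192.0.2.10"))  # query this name with any resolver
```

Resolving the query name with an A lookup (for example `dig 10.2.0.192.zen.spamhaus.org`) returns one or more 127.0.0.x answers when the address is listed, which `interpret_answers` decodes; NXDOMAIN means not listed. The DROP overlap check matters even after the range has been recovered, since a listing is removed only once the abuse has stopped and a request has been made.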

Additional help

There are mailing lists run by groups like the North American Network Operators Group (NANOG) where hijacking is an accepted discussion topic. In taking this route, you should be able to locate the right contact(s) to assist with a particular hijacking incident.

Law enforcement steps in

As mentioned in our previous network hijacking post, there are various types of criminal activity associated with network hijackings. To put hijacked IPs to use, cybercriminals are likely to commit the crimes of fraud, identity theft, and forgery. Additionally, if the hijacked IPs are being used for spamming, this is a felony in the United States under the CAN-SPAM Act of 2003, which added section 1037 to Title 18 of the US Code. The relevant text is:

§ 1037. Fraud and related activity in connection with electronic mail

IN GENERAL.--Whoever, in or affecting interstate or foreign commerce, knowingly falsely represents oneself to be the registrant or legitimate successor in interest to the registrant of five or more Internet protocol addresses and intentionally initiates the transmission of multiple messages from such addresses, or conspires to do so, shall be punished as provided in subsection (b).

As of 2018, US federal grand juries have indicted six individuals on felony charges for their roles in allegedly conspiring to send illegal spam through hijacked netblocks. Given these recent indictments, Spamhaus expects that cybercriminals will figure out that network hijackings carry a heavy penalty which is not worth the risk. However, in the meantime take the necessary precautions to keep your networks safe!