Spammers Hijacking IP Space

Ron Guilmette writes "As reported in the Washington Post's Security Fix blog, a substantial hunk of IP address space has apparently been taken over by notorious mass e-mailing company Media Breakaway, LLC, formerly known as OptInRealBig, via means that are at best questionable. The block in question is 134.17.0.0/16, which I documented in depth in an independent investigation. (Apparently, the President of Media Breakaway has now admitted to the Washington Post that his company has been occupying and using the 134.17.0.0/16 block and that front company JKS Media, which provides routing to the block, is actually owned by Media Breakaway.) Remarkably, the president of Media Breakaway, who happens to be an attorney, is trying to defend his company's apparent snatching of this block based upon his own rather novel legal theory that ARIN doesn't have jurisdiction over any IP address space that was handed out before ARIN was formed, in 1997."

I say we dust off and nuke the site from orbit

[$RANDOMLUSER (804576)]

It's the only way to be sure...

Even better. 134.17.0.0/16 /dev/null

[Gary W. Longsine (124661)]

This is almost as good as asking spammers to Set the Evil Bit, so we can filter them out. If all the spammers sign on for address space in this block, we can just route that block to /dev/null and be done with it. ;-)

Re:

[just_another_sean (919159)]

This is almost as good as asking spammers to Set the Evil Bit, so we can filter them out. If all the spammers sign on for address space in this block, we can just route that block to /dev/null and be done with it. ;-)

Maybe. This would stop the questionable spammers. The ones that send the "opt in" crap that a lot of people fall for on web forms. Heck, some of them even want email like this.

Somehow I doubt the V14gr4 and P3n15 Enlargmenttt! stuff will go away by filtering these IPs. I may be wrong, but somehow I don't think your average zombie is routing through this space.

If only we could...

[Fluffeh (1273756)]

Form an agry mob, arm ourselves with pitchforks and flaming brands, and the chase those rascals way out to the outskirts of town.

Hell, if there was any trouble, we could even transform into an angry lynch mob - THEN lets see who owns that space eh? EH? Whaddya say?

Wouldn't it be nice...

[dreamchaser (49529)]

...if everyone just blocked that IP range entirely at their routers, shutting off their connectivity?

There was a time when the Internet was a 'small' enough place that it would have even been feasible. Kind of like blacklisting a Usenet server for spam.

Re:Wouldn't it be nice...

[Fluffeh (1273756)]

Only problem with that approach is that you are therefore in fact giving them that IP space by lack of a fight.

That would then lead to another group "claiming" another spot of space, and so on and so forth - until there was no legitimate or unused space left at all - then you would have to fight the same fight with many many people rather than one spamming company as we have now.

Re:Wouldn't it be nice...

[Metasquares (555685)]

How will everyone know when the block is reclaimed? You'll end up with an entire /16 that no one can use because everyone is still blocking it.

Hijacking the IP Space Owners, not just the Space

[billstewart (78916)]

As much as I dislike Scotty Richter and his tactics, you can't say he isn't a clever bastard.

The rules for managing pre-ARIN space aren't totally clear, but nobody's worried about them too much because they were mostly owned by large reputable organizations, such as universities and government contractors. (Some of them may need to set the Evil Bit on their packets, but none of them needed to set the Stupid Bit.) In many cases, they've given most of their space back to IANA or ARIN - several universities

Re:

[LostCluster (625375)]

You're forgetting that this "claimed" IP space has a legit owner who might want to use it someday. It'd be an internet turf war of people were simply able to advertise the availability of a network they don't own.

Re:

[John Hasler (414242)]

> You're forgetting that this "claimed" IP space has a legit owner who might want to use
> it someday.

So why isn't SF Bay Packet Radio taking any action?

> It'd be an internet turf war of people were simply able to advertise the availability of
> a network they don't own.

Isn't that what is happening here?

Re:

[varmittang (849469)]

Doesn't he need access to the back bone to make this even work? Hell, I could grab all the IP addresses of the Internet and put it in a router but it would only work in my own little world here in my house. So, does he control a back bone node that he can redirect traffic to make this work? And if the AT&T's of the world black list his set of router mac addresses then it should exclude him from getting any traffic or his ability to send any traffic, right?

Re:

[TooMuchToDo (882796)]

You don't need to control a backbone to announce an AS number and a chunk of address space.

SImple, blackhole the IP space

[jmorris42 (1458)]

This one is simple. Everyone just blackholes the IP range and game over. Better if the backbones drop the route. Best if we all drop the IP space of whoever is directly connecting to a known spam network.

Re:SImple, blackhole the IP space

[dave.josephsen (1087529)]

It really isn't that simple. I'd refer you to my own work (http://www.usenix.org/media/events/lisa07/tech/videos/josephsen.mp4, and http://media.defcon.org/dc-15/video/Defcon15-Dave_Josephsen-Homeless_Vikings.mp4 [defcon.org] ) or that of Nick Feamster at Georgia tech. They've been hijacking address space via short-lived BGP prefix hijacks for at least 5 years now, and It is exactly the attitude of "we'll just block X" that got us here in the first place. If you use RBL's and make the arms race about IP's , then the most direct response is to attack the network layer and/or IP space. Further there are real world reasons why IP filters just aren't going to work on a global scale. For that I'd refer you to the work of Mohit Lad at UCLA. There is an economic layer on top of BGP. The effect of no-valley routing is that you're going to get route propagation from folks you think you can trust but cannot. It's a bit much to get into here, but off-handedly blacklisting more shit isn't the answer here, it's the problem.

Firewall Updated

[Bigbutt (65939)]

Thanks.

[John]

I say they can have it...

[Talez (468021)]

# ip route add blackhole 134.17.0.0/16
# route -n

All good!

Blackhole == Defeat!

[Fluffeh (1273756)]

If the IP is simply blackholed, you are by lack of argument allowing this Spammer to put some sort of credible hold on that IP. That's like finding a squatter in a house on the street where the owners have gone on holiday - and simply putting a peice of tape across the driveway - it doesn't solve the bigger problem which is that someone walked into the house and started living there without any credible reason of doing so. It doesn't solve the problem of what's going to happen when the people return from holidays and find this squatter in their house.

Also, if we simply blackhole that IP, what's going to happen when a legitimate user tries to use that space. It's going to go to bollocks for them when they find that the rest of the net is ignoring them already.

Re:

[Nullav (1053766)]

So let 'em have it. Then we can start citing it as even more reason to move over to IPv6 already.

Re:

[QuantumG (50515)]

That's like finding a squatter in a house on the street where the owners have gone on holiday

Huh? That's not squatting. If the premises are occupied then it is trespass. I know this must be hard to understand in the US where there are no sensible squatting laws, but in civilized world squatting is where you are living somewhere that is vacant without the authorization of the owner. Squatting serves an important purpose: to force property owners to develop the property. Otherwise all the buying up property for the purpose of speculating on an increase in the market would result in widespread h

Re:

[John Hasler (414242)]

> I know this must be hard to understand in the US where there are no sensible squatting
> laws...

Google "adverse possession".

> Squatting serves an important purpose: to force property owners to develop the property.

Why is necessary that all property be "developed"?

> Otherwise all the buying up property for the purpose of speculating on an increase in
> the market would result in widespread homelessness.

You have a defective understanding of economics.

Snotty Scotty Richter

[kchrist (938224)]

OptinRealBig belongs to none other than Snotty Scotty Richter [flickr.com]. I haven't heard of that guy in a while. I was hoping he had been hit by a bus or something.

Blackholing this address space may not be wise

[Whuffo (1043790)]

If you're going to add this address space to your firewall or block it at the router - consider that this rogue outfit is likely to be taken down soon, and that address space may then be assigned to a legitimate operation. There's not an unlimited number of addresses left in IPv4 you know.

What's been happening for years now is well-meaning admins blocking various IP addresses / blocks and/or domain names. Their motives are good, but after the address or domain name is blocked they almost never go back and recheck to see if the block is still needed. What this leads to over time are holes in the address space that can't be used, awkward or no routes to some addresses from some other addresses, etc. Especially in this time of zombie machines; blackhole that IP address and you've knocked some individual off line - but you've done nothing to reduce the amount of spam / viruses / worms / etc.

This is what killed ORBS and other services of that type. Easy to add domains / addresses to the blocklist, but difficult to remove them. Eventually the list becomes useless...

Much better solution: make an example out of the people who are squatting on this netblock. Break out the pitchforks and torches...

Re:Blackholing this address space may not be wise

[v1 (525388)]

He has to peer somewhere. THEY should be the ones to blackhole him. One way or another he has to be paying someone off to route in his direction. I don't see why that's hard to cut off?

Re:

[mysidia (191772)]

If you're willing to pay enough for the bandwidth you will probably find a major provider to let you advertise your range.

For the origin of that range to get as far as they have, they clearly had paperwork to prove to their upstream that the range is assigned to them.

You're their customer. Without a very good reason to do so, they won't (can't) blackhole you without violating whatever interconnection agreement was signed.

Temporarily blocking a range should cause no permanent issue for the new own

Re:

[Fluffeh (1273756)]

Hey! It's pitchforks and flaming brands, not torches...

See here! [slashdot.org]

Spammers know no limits

[erroneus (253617)]

There's only one true solution to the problem of spammers. Death. I'm not joking. These people that create botnets, hijack networks and servers so that they can sell advertising are creating problems on a global scale for money. Nothing but death will stop or deter them. They need to die.

It's good that I do not own any firearms and good that I do not know where these people live and good that I lack the means to get there. If I had those things and an air-tight alibi, I wouldn't hesitate to make my first murder one of these people.

Re:

[dfm3 (830843)]

Dude. Back away from the computer, get out of the basement for a little, and maybe step outside for a minute to take a breather. I'm not joking. ;-)

Re:

[ForumTroll (900233)]

I wouldn't hesitate to make my first murder one of these people.

First? You plan on murdering other people?

Re:

[owlnation (858981)]

Hmmm... I'm not sure modding him flamebait was really fair. He does have a point, all too scarily emphatic about it, but a point nonetheless. He's on that cusp between funny, insightful and flamebait. It's not really flamebait since he's only likely to offend spammers, and I'm not sure we really should care what they think.

We do definitely treat spammers (and lawyers) with far too much leniency in society. Spammers, direct marketers, viral marketers should all be in prison for a very, very long time. If

Re:

[erroneus (253617)]

For years I've been trying to explode their heads with my mind... it hasn't seemed to work yet.

"Hijack?"

[PhotoGuy (189467)]

Apparently, the President of Media Breakaway has now admitted to the Washington Post that his company has been occupying and using the 134.17.0.0/16 block and that front company JKS Media, which provides routing to the block, is actually owned by Media Breakaway.

If he is president of a company that owns the company that provides routing for the block, doesn't that mean he has legal ownership of that block?

Yes, if the block is used primarily for spam, I'm all for people blackholing the range. And if he's using it for illegal purposes, yes, he should be punished (and the range appropriated). But I don't see where the term "hijacking" could be applied at all.

If I own some cars and use them in crimes, I haven't "hijacked" anyone.

What am I missing?

Re:

[Fluffeh (1273756)]

You are missing the fact that his so called "ownership" is in his eyes only, not that of anyone else.

Just becuase you squat doesn't mean you own.

Quote:
Remarkably, the president of Media Breakaway, who happens to be an attorney, is trying to defend his company's apparent snatching of this block based upon his own rather novel legal theory that ARIN doesn't have jurisdiction over any IP address space that was handed out before ARIN was formed, in 1997.

Re:"Hijack?"

[jon787 (512497)]

That it doesn't belong to the parent company either:

$ whois 134.17.0.0

OrgName: SF Bay Packet Radio
OrgID: SBPR-1
Address: 1490 W 121st Ave
Address: Suite 201
City: Westminster
StateProv: CO
PostalCode: 80234
Country: US

NetRange: 134.17.0.0 - 134.17.255.255
CIDR: 134.17.0.0/16
NetName: BAY-PR-NET
NetHandle: NET-134-17-0-0-1
Parent: NET-134-0-0-0-0
NetType: Direct Assignment
NameServer: NS1.SFBPRSERVICES.COM
NameServer: NS2.SFBPRSERVICES.COM
Comment:
RegDate: 1989-04-12
Updated: 2007-10-05

Re:"Hijack?"

[Kadin2048 (468275)]

Humm ... San Francisco Packet Radio ... with a Colorado mailing address. Somehow I don't think so.

It looks like what they did was just register a company with a similar-sounding name to a defunct organization that had an old /16. Then they went to ARIN and got control of it on the strength of the similar name, including getting themselves listed in WHOIS. (Which, when you think about it, isn't that hard -- there's no real authentication mechanism for proving you're the "real" San Francisco Packet Radio.)

Then they had another front company obtain an AS number and provide routing, and suddenly they have lots of IPs from which to send spam.

The even-creepier part is that it looks like they have another block stolen through similar means (currently registered to a P.O. box in NYC) and possible connections to Russian spammers, which means basically the Russian mafia.

Here's hoping that when the whole thing falls apart, the Russian mob comes calling for this guy's head. Ironically they're the best chance for this guy getting the slow, painful death he so richly deserves.

To read this comment

[lisany (700361)]

I'm sorry but to read this comment you must accept the terms of service of my crappy comment. Please click your back button to accept terms of service.

A lack of ethics

[mlwmohawk (801821)]

I will continue to say it every time I can.

We need a strong societal repudiation of the violation of ethics. Organizations like Microsoft, SCO, and the like and people like Bill Gates, Darl McBride, etc. need to be made pariahs for the shameless unethical and illegal behavior.

"Spamming" is unethical. The only reason why it is done is because their unethical behavior is not shunned.

And what is spam?

[Jane Q. Public (1010737)]

There must be a line somewhere: this is spam and that is not. Current U.S. law defines it pretty specifically.

Re:

[mlwmohawk (801821)]

It is like the definition of PORN. Unfortunately, it is "I know it when I see it."

Re:

[swordgeek (112599)]

I expect that people will misinterpret what you mean by shun, or maybe I am. However, I agree entirely--if it could be done in a comprehensive way. Imagine if nobody would sell groceries or toilet paper to Bill Gates, because of his behaviour. Rather than being invited as guests to TV shows, the media would all collectively turn their backs on the likes of Darl McBride and Steve Ballmer at press conferences. The Richters shouldn't be able to get power, water, or gas service to their houses or businesses. Pe

Set firewalls on shun!

[zerofoo (262795)]

Boy, that was a cheezy joke huh?

-ted

what's the big deal?

[ILuvRamen (1026668)]

I assume they mean they own 134.17.0.0 through 134.17.0.16, right? What's the big deal? If I owned 16 web servers, I'd have control over a block that size too. Even if they mean it goes up to 134.17.16.255 large web hosts can own that much too. Now if they stole all of 134.anything that'd be bad.

Re:

[wytcld (179112)]

Um no. Everyone else knows this. But might as well clue you in. They've claimed 134.17.*.* - all of it.

Re:

[Ron Bennett (14590)]

No, it means they control 134.17.0.0 to 134.17.255.255 ... NOT 16 addresses, but rather 65,536 addresses. Though still a far cry from them controlling all of 134, since they only have 1/256 slice of it.

Ron

Re:

[Have Blue (616)]

The "/16" means they claimed the remaining 16 bits of the 32-bit IP address whose first 2 bytes are 134.17 in decimal- everything from 134.17.0.0 to 134.17.255.255. That's one of only 65,000 blocks of its class available and is the sort of range that would be owned by a large corporation or university.

who is linking this to the backbone?

[timmarhy (659436)]

this has a very simple fix. major backbone providers like at&t need to cease routing from providers who allow this kind of misconfiguration of the internet.

because that's all it is, a mid level isp has added someone to their routing tables with ip's that they have no right to. simply telling their provider to correct their configurations or all their traffic will be dropped should be enough, indeed it should be mandatory for backbone providers to do this in order for them to legally keep their own ip ranges. anything else is asking for people to start claiming ip's all over the place and before you know it each isp will route you to a different site for the same ip, making the internet useless.

This is good news

[CustomDesigned (250089)]

Now I can just add that entry to my IP blacklist...

By George he's got something there

[JustNiz (692889)]

>>> Breakaway, who happens to be an attorney, is trying to defend his company's apparent snatching of this block based upon his own rather novel legal theory that ARIN doesn't have jurisdiction over any IP address space that was handed out before ARIN was formed, in 1997."

By George he's right! I'm gonna lay claim to 127.0.0.1. oh wait I already seem to own it...

I wish it weren't illegal

[Associate (317603)]

to set people like this on fire.

easily fixed......

[Indy1 (99447)]

" I felt a great disturbance in the internet, as if 65535 ip addresses suddenly cried out in terror and were suddenly silenced. I fear something terrible has happened. "

iptables -A spam -s 134.17.0.0/16 -j DROP

Re:

[timmarhy (659436)]

it's been done, and ironically he claimed it was harassment.

pot calling kettle black.