Spam and Fraud Activity Trends | Analysis of Spam Activity Trends | Analysis of Spam Activity by Geography, Industry Sector and Company Size | Analysis of Spam Delivered by Botnets | Spam Botnet Analysis – A Strategic Viewpoint | Significant Spam Tactics | Spam by Language | Spam by Category | Future Spam Trends: BGP Hijacking | Phishing Activity Trends | Analysis of Phishing Activity by Geography, Industry Sector and Company Size
5Border Gateway Protocol
Future Spam Trends: BGP Hijacking
Case Study - Beware of “Fly-by Spammers”
BackgroundRouting between Autonomous Systems (AS) is achieved using the Border Gateway Protocol (BGP), which allows ASes to advertise to others the addresses of their network and receive the routes to reach the other ASes (figure C.17, below).
Each AS implicitly trusts the peer ASes it exchanges routing information with. BGP hijacking is an attack against the routing protocol that consists in taking control in blocks of IP addresses owned by a given organization without their authorization. This enables the attacker to perform other malicious activities (e.g., spamming, phishing, malware hosting) using hijacked IP addresses belonging to somebody else.
Some articles have recently reported on the emerging phenomenon where spammers hijack unused networks and use them to send spam from clean, non-blacklisted IP addresses. This phenomenon has been referred to as fly-by spammers.
MethodologyIn order to study this phenomenon, a tool monitoring the routes towards spamming hosts based on traceroute has been developed by Symantec to determine whether spammers actually manipulate the Internet routing to launch spam campaigns.
BGP routing data about monitored spamming networks is also collected to study the routing behavior of spammers.
Data and CommentaryOn August 20th, the network administrator of the Russian telecommunication company "Link Telecom" complained on the North American Network Operators’ Group (NANOG) mailing list that his network had been hijacked by a spammer. The victim AS 31733 had five hijacked prefixes. On both August 25th and August 29th, changes were observed in the routes towards AS 31733 advertised in BGP. These changes were the result of the owner regaining control over his network.
The hijack began in April 2011 when the spammer started to announce IP blocks belonging to the victim. Although the prefix appeared to be announced by the correct AS 31733, it was directly connected to the Internet Service Provider (ISP) AS 12182 Internap located in the US. During the period the network was under the control of the spammer, spam was received by Symantec.cloud spam honeypots.
In order to hijack the network, the spammer (i) found that the blocks of IP addresses were not currently announced in the Internet and (ii) had them routed via an ISP probably using a fake proof of ownership of the network. The trust-based nature of BGP and the lack of widely deployed security mechanisms to check that the information exchanged between ASes is correct makes such attack still possible.
The routing state of the prefixes before, during and after the hijack is shown in figure C.18. We can see that the prefixes were not used when the hijack occurred, probably because the company suspended its activity for a while. While the AS originating the prefixes remained the same throughout the hijack period, the provider AS changed between the different states of the network. The providers AS 12695 and AS 43659 found respectively before and after the hijack are official providers of AS 31733, whereas AS 12182 (Internap) is not (figure C.19). We also observed significant delays in the traceroute paths (figure C.20).
Despite being an extremely rare occurrence, the BGB5 hijacking phenomenon by spammers is a reality, and it is always difficult to validate a suspicious case without the confirmation of the real owner of a hijacked network.
Finally, it highlights the fact that some spammers become sophisticated enough to take advantage of vulnerabilities in the Internet routing in the effort to avoid current spam filters.