What are "hijacked netblocks"?
A “hijacked” or “zombie” netblock is a block of IPs that has been “brought back from the dead”, often by a spammer:
- The original owner of the block leaves it derelict for any number of reasons.
- Squatters then reclaim it with various ploys. This may include registering an abandoned domain name to accept email for the domain contact, printing false letterhead, or doing some social engineering over the telephone.
- Some hijackers even outright steal IP-space allocated to someone else just by announcing it under their BGP Autonomous System Number.
- Autonomous System Numbers can be hijacked as well. Abandoned ASNs are taken over by a spammer or a spammer’s supplier to announce various IP ranges, so it’s possible to have a hijacked netblock advertised by a hijacked ASN!
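The two hijack forms above (a prefix announced under a foreign ASN, and a derelict ASN reused to announce space) can both be caught by comparing what is seen in BGP against who is recorded as the holder. The following is an added example, not code from Spamhaus or this page: it models RIR/ROA-style registration records and an operator-maintained list of abandoned ASNs as constructed Python dictionaries, using documentation prefixes and private-use ASNs, and classifies each observed announcement the way an origin-validation check would.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data (not real registry or routing data).
# Registered holder of each prefix: the ASN the RIR records (or an RPKI ROA)
# say may originate it. All values are hypothetical.
REGISTERED_ORIGIN = {
    "203.0.113.0/24": 64500,   # hypothetical legitimate holder
    "198.51.100.0/24": 64501,  # hypothetical holder that has since gone derelict
    "192.0.2.0/24": 64502,
}

# ASNs the operator has flagged as abandoned/unresponsive (constructed list).
ABANDONED_ASNS = {64501}


@dataclass(frozen=True)
class Announcement:
    prefix: str      # prefix as seen in a BGP UPDATE
    origin_asn: int  # right-most ASN in the AS_PATH


def authorized_origins(prefix):
    """Set of ASNs allowed to originate this prefix or any covering prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    allowed = set()
    for reg_prefix, asn in REGISTERED_ORIGIN.items():
        reg_net = ipaddress.ip_network(reg_prefix)
        # subnet_of() only works within one address family
        if net.version == reg_net.version and net.subnet_of(reg_net):
            allowed.add(asn)
    return allowed


def classify(ann):
    """Label one announcement: valid, origin-mismatch, suspect-abandoned-asn, or unknown."""
    allowed = authorized_origins(ann.prefix)
    if not allowed:
        return "unknown"  # no registration record covers it; cannot judge
    if ann.origin_asn in allowed:
        # Right ASN on paper, but the ASN itself is one nobody answers for:
        # the "hijacked netblock advertised by a hijacked ASN" case.
        if ann.origin_asn in ABANDONED_ASNS:
            return "suspect-abandoned-asn"
        return "valid"
    # Prefix (or a more-specific of it) originated by an ASN with no claim to it.
    return "origin-mismatch"


def audit(announcements):
    """Classify a batch of announcements; returns {Announcement: label}."""
    return {ann: classify(ann) for ann in announcements}


if __name__ == "__main__":
    observed = [
        Announcement("203.0.113.0/24", 64500),
        Announcement("203.0.113.0/25", 64666),   # more-specific from a foreign ASN
        Announcement("198.51.100.0/24", 64501),  # derelict ASN reused
        Announcement("10.0.0.0/8", 64500),       # nothing on record
    ]
    for ann, label in audit(observed).items():
        print(f"{ann.prefix:18} AS{ann.origin_asn}  -> {label}")
```

The more-specific announcement is the instructive case: a /25 carved out of a registered /24 and originated elsewhere wins the longest-match lookup in every router that accepts it, so it is flagged even though the covering /24 is announced correctly.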
Hijacked netblocks can be found in ranges assigned by every Regional Internet Registry (RIR).
Restoring the proper ownership of a hijacked netblock means finding the original owner – which is often a dissolved company – and jumping through RIR hoops. It’s a slow and laborious process, important but not a way to stop today’s spam.
The peering/transit arrangements for these netblocks change very quickly.
- Spamhaus lists the entire hijacked netblock in the SBL, categorized by RIR, and then provides additional pointer records for networks carrying the traffic for that netblock.
- While such a pointer record is often only a single router’s IP address, the record will indicate the greater problem and the full range of IPs.
- Spamhaus may also provide additional SBL records within a hijacked netblock because SWiPs or single IPs within the netblock are assigned to different spammers.
- These can serve as pointers to the upstream, as the block is sometimes SWiPed as portable subnets. Each spammer is then left to find their own transit.
Many of these hijacked netblocks find their way into a ROKSO record specifically for them. Spamhaus lists entire hijacked networks. Some of these netblocks are known to be controlled by a particular spammer and are thus listed under that spammer’s ROKSO records.