The malware writers and criminals who run botnets for years have been using shared hosting platforms and so-called bulletproof hosting providers as bases of operations for their online crimes. But, as law enforcement agencies and security experts have moved to take these providers offline, the criminals have taken the next step and begun setting up their own virtual data centers.
IP address space allocation is handled by five regional Internet registries (RIR), each of which is responsible for a particular group of countries. The RIRs work with large enterprises, ISPs, telecoms and other organizations that need large blocks of IP space. These organizations typically have to go through an application and screening process in order to get these allocations, including providing legal documentation listing the officers of the company, its business and why the address space is needed.
And that’s the way it’s supposed to work everywhere. Applicants who can’t show a need for the IP space are told politely to take a walk. But in some cases, criminals have found a way around this by going through local Internet registries (LIR) or by taking advantage of RIRs that don’t have the resources to investigate every application as fully as they’d like.
The criminals will buy servers and place them in a large data center and then submit an application for a large block of IP space. In some cases, the applicants are asked for nothing more than a letter explaining why they need the IP space, security researchers say. No further investigation is done, and once the criminals have the IP space, they’ve taken a layer of potential problems out of the equation.
“It’s gotten completely out of hand. The bad guys are going to some local registries in Europe and getting massive amounts of IP space and then they just go to a hosting provider and set up their own data centers,” said Alex Lanstein, senior security researcher at FireEye, an antimalware and anti-botnet vendor. “It takes one more level out of it: You own your own IP space and you’re your own ISP at that point.
“If there’s a problem, who are you going to talk to? It’s a different ball game now. These guys are buying their own data centers. These LIRs and RIRs aren’t going to push back if you say you need a /24 or /16. They’re not the Internet police,” Lanstein said.
The most famous example of this is the Russian Business Network case, in which a group of criminals was able to get a large amount of IP space by using an LIR to get an allocation from RIPE, the European RIR. The LIR gave RIPE documentation that supposedly showed a need for the allocation, and that’s as far as it went.
“It is impossible at that stage in the process for the RIPE NCC to determine that a company is involved in illegal activity. The member in question later proved to be a front for RBN,” RIPE said in a statement on the case. But the allocation was made in 2006 and it wasn’t until May 2008 that RIPE was able to close down the LIR and get the IP space back.
In most regions, a new organization requesting a large allocation will have to go through a fairly rigorous process to show the need for the address space. The RIR staff often will request a listing of each machine the organization has and may go as far as to request purchase receipts for the machines, as well, said John Curran, president and CEO of the American Registry for Internet Numbers (ARIN), which is responsible for the U.S., Canada and parts of the Caribbean.
“When you submit an application to us, once it’s been accepted you’ll get a call from our group asking to show us a list of PCs, your router configurations, maybe a network map so that wecan show the need for the IP space,” Curran said. “If you already have the PCs, what ASN numbers do they have? At this point, a lot of applicants disappear.”
Criminals subverting this process has become a major problem in some regions, particularly parts of Europe and the Caribbean, where there are dozens of jurisdictions and multiple languages, which can lead to confusion and difficulty in tracking down exactly who is doing what online, security experts say.
“There are a lot of instances where they don’t go past the letter of justification,” Lanstein said. “There are plenty of IP allocations I can pull up and look at the domains and see that they’re total BS. U.S. data centers are much better, but in Europe there are so many languages and countries, it’s impossible for them to check everyone. And the bad guys know this.”
This set-up has become a useful tactic for the criminals running botnets and large spam and carding operations. Attackers who own their own large blocks of IP space have a much easier time hiding their activities than do criminals who have to go through legitimate ISPs or hosting providers. There’s no abuse desk to complain to, no recourse for people who find themselves being attacked by a given range of IP addresses.
“The policies for handing out IP space and verifying the people behind and application are global, they apply to all of the RIRs. But within that framework, there’s room for RIRs to set their own local policies too,” said Curran. “The bad news is, those policies are very local. How does someone verify an organization when in some regions they may only have written records and it’s a town of 2,000 people? It’s very difficult in Africa, parts of Europe, parts of the Caribbean. It’s very much the case that parts of our process are very hard to implement in other regions. Other regions have different ways of recording how a company is formed and they recognize very informal structures. The record-keeping is decentralized and it might take a while to determine who is behind a company.”
And once the IP space has been allocated, getting it back can be a long and arduous process. Criminals often will use a certain IP block for as long as it’s useful and profitable for them. But if security researchers and ISPs notice suspicious activity in a certain block, they will sometimes stop accepting traffic from it and block any traffic from their own networks to that block. This can be an effective tactic, but once the criminals abandon the IP space, it can take a long time for a legitimate business to be able to get traffic flowing there again.
“This is part of the problem that’s causing the IPv4 shortage,” Lanstein said, referring to the imminent exhaustion of the IPv4 address space, forecasted to occur in less than two years. “They stop paying the bills, the space gets null-routed and then it’s a mess. There’s clear fraud going on, but who can do something about it?”