- Joined
- Apr 15, 2009
- Messages
- 47,237
- Thread Author
- #1
http://arstechnica.com/security/news/2009/12/malware-authors-grabbing-scarce-ipv4-address-blocks.ars
Malware distributors, apparently tired of facing the constant threats of disconnection, are taking advantage of lax background checks in the system for distributing IP address blocks and buying them directly. Address blocks, which cover a contiguous range of IP addresses, are typically reserved for legitimate institutions and businesses that can demonstrate a need for that sort of allocation. But, at the top level, there are only five regional registries, most of which cover large and culturally diverse geographic regions. That makes it difficult to confirm whether a given request comes from a legitimate organization, a problem that malware makers are using to their advantage.
These allegations against spammers and other online criminals were made in a recent article on Kaspersky Lab's Threat Post. According to its author, online crime is big enough business that it now makes financial sense for its perpetrators to colocalize hardware at server farms, set up a legitimate looking business address, and apply for blocks of IP addresses via a cooperative or indifferent local registry. When the application is received by the regional organization, it often lacks the ability to carefully vet them, or even understand the local business laws where the request originated.
It's still possible for ISPs to block access to a given allocation, but there are several ways to make that step more difficult, including mixing in some legitimate hosting within an address block and rotating among different allocations, among others. It also relies on the legitimate ISPs expending the time and effort to identify and block traffic. In any case, the practice chews through the increasingly scarce pool of unallocated IPv4 addresses.
The article is a bit confused in spots; it suggests that the malware authors are acting as their own ISPs (they're not) and suggests it's useful for botnet herders (they count on other peoples' computers to do the heavy lifting). But it does provide yet another example of how, since various forms of malware have become big sources of income, the line between that and legitimate business has become increasingly blurry.
Malware distributors, apparently tired of facing the constant threats of disconnection, are taking advantage of lax background checks in the system for distributing IP address blocks and buying them directly. Address blocks, which cover a contiguous range of IP addresses, are typically reserved for legitimate institutions and businesses that can demonstrate a need for that sort of allocation. But, at the top level, there are only five regional registries, most of which cover large and culturally diverse geographic regions. That makes it difficult to confirm whether a given request comes from a legitimate organization, a problem that malware makers are using to their advantage.
These allegations against spammers and other online criminals were made in a recent article on Kaspersky Lab's Threat Post. According to its author, online crime is big enough business that it now makes financial sense for its perpetrators to colocalize hardware at server farms, set up a legitimate looking business address, and apply for blocks of IP addresses via a cooperative or indifferent local registry. When the application is received by the regional organization, it often lacks the ability to carefully vet them, or even understand the local business laws where the request originated.
It's still possible for ISPs to block access to a given allocation, but there are several ways to make that step more difficult, including mixing in some legitimate hosting within an address block and rotating among different allocations, among others. It also relies on the legitimate ISPs expending the time and effort to identify and block traffic. In any case, the practice chews through the increasingly scarce pool of unallocated IPv4 addresses.
The article is a bit confused in spots; it suggests that the malware authors are acting as their own ISPs (they're not) and suggests it's useful for botnet herders (they count on other peoples' computers to do the heavy lifting). But it does provide yet another example of how, since various forms of malware have become big sources of income, the line between that and legitimate business has become increasingly blurry.