The Zombie/Hijacked database is a list of networks that have been (or are suspected to be) hijacked from their original and rightful owners. This generally happens because the company that owns the space has gone bankrupt (or ceased trading for other reasons) and the net space has been forgotten and not returned to the regional Internet registry for reassignment.

What IP address blocks are in danger of being hijacked?
Because most organizations actively use their IP address blocks, they can easily notice if somebody else begins to use them (and network providers would usually not announce IP address space that is already being announced somewhere else) and this would lead to the immediate shutdown of improper IP address block announcements. There are a number of old IP address blocks where the organization owning them may not be aware that it has them and as such the IP address block is not used on the Internet. There are also some IP address blocks that are "private" (i.e. used only inside the organization on their local network) and are also not announced on the Internet, and then some organizations have too much IP address space (the organization may have become smaller or its network more efficient) and they are not using that IP address space any more. These categories (IP address blocks that are not in active use on the Internet) are the most common targets of IP address block hijackers.

How is hijacking done?
In most cases hijacking involves not only announcing IP address space but also changing WHOIS information in the regional Internet registry to show the hijacker's nameservers and email address. This is necessary because upstream ISPs would usually not announce IP address space unless they see that the address block has some relation to their client and this is checked through WHOIS records. In order to change WHOIS records at the regional Internet registry and to have administrative control over the IP address space, several methods have been used, but basically all of them involve somebody pretending to represent the organization that originally owned the address space.

Since it currently is the case that most RIRs do not have any security beyond email confirmation (especially for old records), hijacking is usually done by those who have in some way gained control over the old domain (and as such the email address) listed as contact for that particular IP address block. Gaining control over email for the domain may involve directly hijacking the domain, by re-registering the domain if it has expired, or by direct hacking of the email servers.

Other ways that are known to have been involve in some way trying to convince the RIR to change the email address for the handle to a different domain. This method is often used for IP records where there is no email listed or the email address is for a domain that is not currently active. Then somebody would try to hijack an IP address space by registering a very similar domain with WHOIS records matching details of the current IP address record and asking the RIR to change the record to point to that new domain.

Other methods involve providing fraudulent paper records to the RIR requesting the change (i.e. fraudulent address change forms, fraudulent records of one company buying another, incorrect information from the company about a new responsible individual or company that they authorized to take care of the IP address space, etc).

What happens to ip blocks after they have been hijacked?
After an IP address block is hijacked, i.e. after somebody has effectively gained administrative control over the address range in the RIR records, the block is either sold (entirely) or leased (entirely or in parts) to other companies. These companies are often victims of deception and have no idea that the block they got is not theirs to hold and any transaction to get it had been illegal to start with. In many cases the blocks are also directly used by companies that hijacked them for their own other illegal activities. In either case, very often hijacked blocks end up in the hands of spammers (both those directly sending out unsolicited bulk email and those hosting web sites advertised by unsolicited bulk emails), porn-advertisers (who need a lot of IP addresses to fool search engines and to drive more traffic to their sites), shell-hosting providers (who need IP addresses for long weird reverse names used) so generally they are used for activities which otherwise not have been able to qualify for such a large IP address space or where the company that got the IP address space is trying to hide who they are (by using an old address that may not even exist any more and was only present in WHOIS records for that IP address block).

Most often the IP address block is hijacked by spammers and used directly by them. When the block is block listed by organizations such as SORBS, they sell it to somebody else and begin to use another hijacked block.

Why is IP address hijacking and in fact any kind of "selling of IP address space" illegal?
The very first thing to remember is that it is illegal to use somebody else's property without the owner's permission - and this is the very basis of hijacking IP address space.

The process of hijacking IP address space is also serious criminal activity. As has been noted above, it involves trying to appear as somebody else or as representing a company that the hijacker has no relation with - this is identity fraud, and there are several additional criminal statutes when forgery of paper documents is involved.

More criminal activity appears when somebody is trying to sell (or lease) IP address space for profit. It is rumored that as much as $100,000 would be the asking price for a /16 block of IP addresses (most likely seriously overstated since companies that can justify a /16 can get it for $5000/year from ARIN). Obviously these activities are illegal as they are trying to sell something that does not belong to them.

On this point, it can be noted that any kind of selling of IP address space is illegal, or at the very least, a violation of contracts that the owner of the IP space involved has signed with the RIR. All RIRs have very specific policies that say that IP address space is allocated/assigned specifically for use by a company that requested it or its clients (with the exception that if one company buys another one, IP address space can be transferred to company that bought the original one).

What can be done to combat and prevent IP hijacking?
First we have to educate everyone that IP address blocks CAN NOT be bought and sold. If you know that somebody offered to sell IP address space - find out who exactly is involved and what IP address space and report it here. We'll investigate the matter. More than likely it is hijacked IP address space as companies that received IP address space directly from the RIR already know all this (having signed a service agreement with the RIR that says the IP address block cannot be transferred to other companies except in case of a merger) and would not try to sell IP address space.

Second, ISPs must cooperate with each other and refuse to route through their network any IP address blocks that are known to have been hijacked (see the list on this web site). ISPs must pay close attention to any new customers (especially those with only co-location servers that come in and say they want to have a large IP address block routed that would seem to consist of a substantially larger number of IP addresses than this organization would really need based on its size and the amount of hardware it has). If the IP address block that the ISP is being asked to route is not properly listed for the client (e.g. name of the block in WHOIS, etc.), it would be a good idea to investigate such an IP address block before allowing it to be routed (if you're interested, please go here to initiate investigation, if it's an urgent matter, see the commercial services section of the web site about official investigations into old domains and IP addresses that we can do).

Those who have become victims of IP address space hijacking (either those whose IP address space has been taken or those who have been sold hijacked IP address space, which is consequently taken away) have to consider this serious criminal activity and report it to the police and file charges.

We have to educate law enforcement about IP address hijacking so that more serious and faster measures may be taken and these criminals are prosecuted. Right now, because of slow and inadequate response, hijackers may continue their activities even after it has been found who they are and their hijacked IP address blocks have been taken away.

Better security needs to be implemented at the RIR to protect their records and IP address blocks from being hijacked in the first place as current authentication based on email is inadequate. Those RIRs that have necessary security systems (such as PGP) need to educate their ISP and end-user customers to actually take advantage of it. Requiring new IP address allocations and assignments to use the improved security methods would be a big step.

Better security also needs to be made available at BGP routing level to make sure that the companies advertising the IP address blocks are allowed to do that. Currently there is a proposal for S-BGP that involves having a certificate for each allocated IP address block and using certificates as part of routing and BGP for authentication of IP address space by AS numbers. S-BGP can solve the problem but will require upgrades to the core Internet infrastructure as it requires a lot more memory for routers in order to not only accommodate the IP route but also the certificate that comes with it (bearing in mind that a certificate takes about 10 times more memory than the route itself) as well as the ability to do cryptographic verification quickly, which requires more CPU power or specific hardware for cryptography. Because of these necessary hardware upgrade and serious investment in new hardware that would be necessary, S-BGP has not gone beyond theoretical work so far.

Because many of the current IP address hijackings involve old IP address blocks allocated prior to 1995 ("legacy IP address space"), we have to take a closer look at how this space is being currently used and by what companies. Steps must be taken to investigate each block and to make sure the records about technical and administrator contacts are correct (often the people listed in WHOIS records for particular IP address blocks have been gone for 10 years or more!)

What SORBS is doing to combat these activities...
Absolutely nothing! However, Complete Whois are doing plenty, which is where a lot of the text above came from.

SORBS is just listing space that appears to be a zombie or hijacked in a DNS based block list format. This is intended to make the IP space useless for normal operations, both for spammers and for the people buying/leasing the IP space.

Whilst this may seem vindictive or pointless it does serve a purpose. The IP space is stolen and should not be used. Therefore, mail from it should be considered invalid regardless of the company sending it. Any respectable company will approach their regional Internet registry, fill out the necessary forms and pay their price and be assigned IP address space in accordance with published policies.

How does zombie/hijacked IP address space get de-listed by SORBS?
In most cases it doesn't. All you can do is to notify the SORBS investigators that they should reinvestigate the details of the entry.

In the few cases where it is possible, you would do so by providing proof that the Netblock is legally registered to you via the regional Internet registry and that SORBS has made a mistake. This is unlikely, but possible nonetheless. SORBS does not want to make mistakes and will correct any errors as soon as notified (with evidence).

Copyright © 2002-2023 by SORBS | Terms & Conditions | Privacy Policy