In most cases, IP hijacking involves not only announcing IP space but also changing the whois information in the RIR whois registry to show the hijacker's nameservers and email address. This is necessary because upstream ISPs usually will not announce IP blocks unless they see that the blocks have some relation to their client, which they check with a whois lookup. To change whois records at the RIR, and so gain administrative control over the IP space, several methods have been used; all of them involve in some way pretending to represent the organization that originally received the IP space.
Since many RIRs still have no security beyond email confirmation (especially for old records) when changing whois records, the hijacking is usually done by those who have in some way gained control over the domain, and through it over the email address listed as the contact for the particular IP block. Gaining control may involve directly hijacking the domain, re-registering the domain if it has expired, or directly hacking the email servers.
Other methods known to have been used involve trying in some way to convince the RIR to change the email for the handle to a different domain. These are often used for IP records where no email addresses are listed, or where the email addresses are within a domain that is no longer actively used on the internet. Somebody may then try to hijack the IP space by registering a very similar domain, with a whois record matching the details of the current IP record, and thereafter asking the RIR to change the record to point to that new domain.
Other methods used include providing fraudulent paper records to the RIR when requesting the change (for example, fraudulent address change forms, fraudulent records of one company buying another, incorrect information from a company about a new responsible individual or a company that it authorized to take care of the IP space, etc.).
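The weak points described above (a contact email on an expired domain, or no contact email at all) can be checked for in an organization's own records. The following is an added example, not part of the original post: it audits whois-style records for your own IP blocks against your domain inventory. The record text, the expiry dates and the function names are constructed for illustration.

```python
import re
from datetime import date

# Constructed sample records in "key: value" whois style (documentation ranges only).
SAMPLE_RECORDS = """\
inetnum: 192.0.2.0 - 192.0.2.255
org: Example Corp
e-mail: noc@example.com

inetnum: 198.51.100.0 - 198.51.100.255
org: Example Legacy Labs
e-mail: hostmaster@legacy-labs.example

inetnum: 203.0.113.0 - 203.0.113.255
org: Example Holdings
"""

# Constructed expiry dates; in practice these come from your registrar inventory.
DOMAIN_EXPIRY = {"example.com": date(2030, 1, 1),
                 "legacy-labs.example": date(2024, 3, 1)}

def parse_records(text):
    """Split blank-line separated records into dicts of key -> list of values."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                rec.setdefault(key.strip().lower(), []).append(value.strip())
        records.append(rec)
    return records

def audit(records, expiry, today, warn_days=90):
    """Return (block, problem) pairs for contacts that weaken email confirmation."""
    findings = []
    for rec in records:
        block = rec.get("inetnum", ["?"])[0]
        emails = rec.get("e-mail", [])
        if not emails:
            findings.append((block, "no contact email listed"))
        for email in emails:
            domain = email.rpartition("@")[2].lower()
            exp = expiry.get(domain)
            if exp is None:
                findings.append((block, f"{domain}: not in domain inventory"))
            elif exp < today:
                findings.append((block, f"{domain}: expired"))
            elif (exp - today).days <= warn_days:
                findings.append((block, f"{domain}: expires within {warn_days} days"))
    return findings
```

Each finding marks a record whose contact should be updated with the RIR, or whose domain should be renewed, before someone else can receive its confirmation email.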
So try to be more careful online, whatever and whomever you are dealing with.