LowEndBox - Cheap VPS, Hosting and Dedicated Server Deals

Is Your Provider Squatting on Someone Else's IPs?

Block HijackingWhen a provider needs IPs, they typically request them from their Regional Internet Registry (e.g., ARIN) or purchase them from an IP broker. The blocks are then assigned to the provider’s AS (Autonomous System).

These blocks can be viewed by various tool, such as on Hurricane Electric’s site.  For example, LowEnd provider SecureDragon.net is AS54561.  If you look them up on HE’s site, you’ll see they have four blocks assigned to them:

AS54561

This a legitimate entry (for a very reputable provider) who has approximately 16,000 IPv4 addresses to assign to its various customer servers.  As you can see, the name assigned to each block matches the AS name.

Now let’s look at an entry that is not legitimate.

Here is AS62900:

AS62900

Rather confusing, isn’t it?  Multiple blocks assigned to companies in many different countries (US, Canada, South Africa, and China), and many with the same name.  Some of these companies don’t even exist any more.  “MCI” went defunct in 2006; Arthur Andersen back in 2002.

So what’s going on here?  Block hijacking.  These blocks are blocks of IP space which the RIR has forgotten or were not properly returned to the RIR.  For example, the requester went bankrupt and never relinquished the blocks, or the requester has many blocks and forgot about one assigned to them.  Or perhaps the requester has many blocks and has experienced a decreased need but is reluctant to return them (as IPv4 is getting scarce) and so continues to hold on to them without using them.  Also, some organizations may request a block and use part or all of it as “private” IP space (which should not be done, as there are designated IP networks which are not publicly routable).

A sketchy provider may search IP space to find a block not currently announced and then simply begin announcing it (using BGP) as their own.  This can work for a time, possibly for a long time.  But it’s a dangerous game because the actual owner might wake up and start using the block.

The provider is potentially saving a ton of money by not paying for his IPs.  But if you’re a client of that provider, you might suddenly find your network no longer works, usually following swiftly by an email from the provider stating that due to (insert purposefully obtuse technobabble) they’ve had to change some customer IPs.

How to protect yourself?  Find out your provider’s AS number and look it up.  You should see all blocks owned in the company’s name (or a related name if the company has changed names or is part of a larger firm).  The block may also be in the name of the provider’s upstream provider.

However, if you see something that seems strange, ask why.  If the provider can’t provide a logical explanation, look for a new provider because you may be sitting on squatted space.

raindog308

2 Comments

  1. David:

    Everyone can easily submit route objects on IRR like RADB and AltDB and start BGP annoucement, they don’t verify the owner of IP address.

    That’s why we need RPKI, only IP owners have permission to set RPKI/ROA records.

    August 20, 2021 @ 1:35 am | Reply
  2. Simon Williams:

    If an entity hijacks a block, what recourse does the owner have to regain control of their block?

    August 20, 2021 @ 3:54 am | Reply

Leave a Reply to David Cancel reply

Some notes on commenting on LowEndBox:

  • Do not use LowEndBox for support issues. Go to your hosting provider and issue a ticket there. Coming here saying "my VPS is down, what do I do?!" will only have your comments removed.
  • Akismet is used for spam detection. Some comments may be held temporarily for manual approval.
  • Use <pre>...</pre> to quote the output from your terminal/console, or consider using a pastebin service.

Your email address will not be published. Required fields are marked *