The Abandoned Side of the Internet: Hijacking Internet Resources When Domain Names Expire

  • Johann SchlampEmail author
  • Josef Gustafsson
  • Matthias Wählisch
  • Thomas C. Schmidt
  • Georg Carle
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9053)


The vulnerability of the Internet has been demonstrated by prominent IP prefix hijacking events. Major outages such as the China Telecom incident in 2010 stimulate speculations about malicious intentions behind such anomalies. Surprisingly, almost all discussions in the current literature assume that hijacking incidents are enabled by the lack of security mechanisms in the inter-domain routing protocol BGP.

In this paper, we discuss an attacker model that accounts for the hijacking of network ownership information stored in Regional Internet Registry (RIR) databases. We show that such threats emerge from abandoned Internet resources (e.g., IP address blocks, AS numbers). When DNS names expire, attackers gain the opportunity to take resource ownership by re-registering domain names that are referenced by corresponding RIR database objects. We argue that this kind of attack is more attractive than conventional hijacking, since the attacker can act in full anonymity on behalf of a victim. Despite corresponding incidents have been observed in the past, current detection techniques are not qualified to deal with these attacks. We show that they are feasible with very little effort, and analyze the risk potential of abandoned Internet resources for the European service region: our findings reveal that currently 73 /24 IP prefixes and 7 ASes are vulnerable to be stealthily abused. We discuss countermeasures and outline research directions towards preventive solutions.


Internet Resource Attack Model Database Object Resource Ownership Origin Validation 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Ballani, H., Francis, P., Zhang, X.: A study of prefix hijacking and interception in the internet. In: Proc. ACM SIGCOMM 2007, pp. 265–276 (2007)Google Scholar
  2. 2.
    Cooper, D., Heilman, E., Brogle, K., Reyzin, L., Goldberg, S.: On the risk of misbehaving RPKI authorities. In: Proc. of HotNets-XII. ACM, New York (2013)Google Scholar
  3. 3.
    Felegyhazi, M., Kreibich, C., Paxson, V.: On the potential of proactive domain blacklisting. In: Proc. of the 3rd USENIX LEET Conference. USENIX Association, Berkeley (2010)Google Scholar
  4. 4.
    Hong, S.-C., Ju, H.-T., Hong, J.W.: IP prefix hijacking detection using idle scan. In: Hong, C.S., Tonouchi, T., Ma, Y., Chao, C.-S. (eds.) APNOMS 2009. LNCS, vol. 5787, pp. 395–404. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  5. 5.
    Hu, X., Mao, Z.M.: Accurate real-time identification of IP prefix hijacking. In: Proc. IEEE Symposium on Security and Privacy, pp. 3–17 (2007)Google Scholar
  6. 6.
    Jacquemart, Q., Urvoy-Keller, G., Biersack, E.: A longitudinal study of BGP MOAS prefixes. In: Dainotti, A., Mahanti, A., Uhlig, S. (eds.) TMA 2014. LNCS, vol. 8406, pp. 127–138. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  7. 7.
    Kalafut, A.J., Gupta, M., Cole, C.A., Chen, L., Myers, N.E.: An empirical study of orphan DNS servers in the internet. In: Proc. of the 10th ACM SIGCOMM IMC, pp. 308–314. ACM, New York (2010)Google Scholar
  8. 8.
    Kent, S., Lynn, C., Seo, K.: Secure Border Gateway Protocol (SBGP). IEEE Journal on Selected Areas in Communications 18(4), April 2000Google Scholar
  9. 9.
    Lad, M., Massey, D., Pei, D., Wu, Y., Zhang, B., Zhang, L.: PHAS: A prefix hijack alert system. In: Proc. 15th USENIX Security Symposium, vol. 15 (2006)Google Scholar
  10. 10.
    Lepinski, M.: BGPSEC Protocol Specification. Internet-Draft - work in progress 00, IETF, March 2011Google Scholar
  11. 11.
    Lepinski, M., Kent, S.: An Infrastructure to Support Secure Internet Routing. RFC 6480, IETF, February 2012Google Scholar
  12. 12.
    Lychev, R., Goldberg, S., Schapira, M.: Bgp security in partial deployment: Is the juice worth the squeeze?. In: Proc. of ACM SIGCOMM, pp. 171–182. ACM, New York (2013)Google Scholar
  13. 13.
    Mohapatra, P., Scudder, J., Ward, D., Bush, R., Austein, R.: BGP Prefix Origin Validation. RFC 6811, IETF, January 2013Google Scholar
  14. 14.
    Qiu, J., Gao, L.: Detecting bogus BGP route information: going beyond prefix hijacking. In: Proc. 3rd Int. Conf. on Security and Privacy in Communication Networks (SecureComm) (2007)Google Scholar
  15. 15.
    Ramachandran, A., Feamster, N.: Understanding the network-level behavior of spammers. In: Proc. ACM SIGCOMM 2006 (2006)Google Scholar
  16. 16.
  17. 17.
    Schlamp, J., Carle, G., Biersack, E.W.: A forensic case study on as hijacking: the attacker’s perspective. ACM SIGCOMM CCR 43(2), 5–12 (2013)CrossRefGoogle Scholar
  18. 18.
    Shi, X., Xiang, Y., Wang, Z., Yin, X., Wu, J.: Detecting prefix hijackings in the Internet with argus. In: Proc. ACM SIGCOMM Internet Measurement Conference (IMC) (2012)Google Scholar
  19. 19.
    Vervier, P.-A., Thonnard, O.: SpamTracer: How stealthy are spammers? In: 5th Int. Workshop on Traffic Monitoring and Analysis (TMA 2013) (2013)Google Scholar
  20. 20.
    Vervier, P.-A., Jacquemart, Q., Schlamp, J., Thonnard, O., Carle, G., Urvoy-Keller, G., Biersack, E.W., Dacier, M.: Malicious BGP hijacks: appearances can be deceiving. In: IEEE ICC Communications and Information Systems Security Symposium (ICC CISS 2014) (2014)Google Scholar
  21. 21.
    Wählisch, M., Maennel, O., Schmidt, T.C.: Towards Detecting BGP Route Hijacking Using the RPKI. ACM SIGCOMM CCR 42(4), 103–104 (2012)CrossRefGoogle Scholar
  22. 22.
    Zhang, Z., Zhang, Y., Hu, Y.C., Mao, Z.M., Bush, R.: iSPY: Detecting IP prefix hijacking on my own. IEEE/ACM Trans. on Networking 18(6), 1815–1828 (2010)CrossRefGoogle Scholar
  23. 23.
    Zheng, C., Ji, L., Pei, D., Wang, J., Francis, P.: A light-weight distributed scheme for detecting IP prefix hijacks in real-time. In: Proc. ACM SIGCOMM 2007, pp. 277–288 (2007)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2015

Authors and Affiliations

  • Johann Schlamp
    • 1
    Email author
  • Josef Gustafsson
    • 1
  • Matthias Wählisch
    • 2
  • Thomas C. Schmidt
    • 3
  • Georg Carle
    • 1
  1. 1.Technische Universität MünchenMünchenGermany
  2. 2.Freie Universität BerlinBerlinGermany
  3. 3.HAW HamburgHamburgGermany

Personalised recommendations