Recently published blog posts:
Go to the blog archive and browse all previous blog posts
we have published so far.
Subscribe to the GovCERT.ch blog RSS feed to stay up to
date and get notified about new blog posts.
Recently published whitepapers:
Subscribe to the whitepapers RSS feed to stay up to date
and get notified about new whitepapers.
Report an incident:
The following email address can be considered as point of
contact for FIRST members and other
Alternative GovCERT.ch PGP Key (for older versions of PGP without Curve25519 support)
Published on August 13, 2015 07:05 UTC by GovCERT.ch (permalink)
Last updated on August 13, 2015 07:05 UTC
In June 2015, GovCERT.ch was informed about Border Gateway Protocol (BGP) IP hijacking of IP space that is owned by a cantonal administration in Switzerland. We received the initial hint from The Spamhaus Project, an international non-profit organization that fights spam. MELANI / GovCERT.ch informed the affected canton immediately after being informed by Spamhaus.
During our investigation, we noticed that the IP space has been hijacked at least since January 2015. The hijack was originating from a hosting provider in the United States. GovCERT.ch contacted the responsible hosting provider, asking for additional information regarding the incident. Within a few hours we received a feedback from the hosting provider, stating that the announcement originates from one of their downstream customers and that our request has been forwarded to the customer. Since then, we didn't receive any further response or statement from the hosting provider, nor from the customer that was obviously responsible for the IP hijacking. Fortunately, the hosting provider's upstream provider stopped the announcement after receiving a written statement from the network owner that the announcement has been made without their permission.
So, why should someone hijack an IP allocation owned by a Swiss canton? Of course, there could be several reasons. Since the hijacked IP space is state owned, it might be reasonable to presume that the IP space was hijacked due to a cyber espionage campaign. However, the reason for this hijack is actually much simpler: spammers noticed that the prefix in question has not been announced for quite a while (the prefix has not been in use for several years) and hence decided to announce it by themselves for the one and only purpose: sending out spam emails. If the receiver of spam, originating from this IP range, does a whois lookup on the sending IP address, he will actually conclude that the spam email originates from the Swiss canton.
While hijacking unused IP space for the purpose of sending spam is very straightforward, it is also cheaper for the spammer since he does not need to rent the IP space by himself (and pay for it). Since hijacked IP space is owned by someone else, the spammer may also claim that he is not responsible for the spam originating from dormant IP allocations such as these. Because of this, spammers are able to weaponize thousands of IP addresses (in the described case a /16 - more than 64,000 IP addresses) for sending out spam.
Another issue are the upstream providers. It might sometimes be very hard to reach an appropriate person in a timely manner and convincing them that the IP range he (or better said his downstream customer) announces is hijacked.
If you are a network owner, MELANI / GovCERT.ch recommends you to take the following steps:
Back to top