IP squatting is the hijacking of unallocated IP address space by malicious networks, which use it to number botnet command-and-control hosts and spam relays with temporary addresses in order to hinder their detection and tracking. Squatting has been an effective cloaking technique because it did not affect legitimate traffic and so did not raise alerts. However, IPv4 address space depletion makes squatting much harder, leading attackers to resort to more sophisticated techniques. In particular, our preliminary analysis shows increasing abuse of two types of IP ranges, IXP prefixes and transferred IP prefixes, that allow hijacking attacks with characteristics similar to squatting. IXP prefixes are usually not advertised in the global routing system since they are not allocated to end hosts. Therefore, IXP prefix hijacking does not affect existing Internet paths. IP transfers create a window of uncertainty about legitimate ownership, which adversaries try to exploit. These bogus advertisements are often realized as spear attacks, namely highly targeted bogus advertisements intended to evade detection. We aim to develop the techniques necessary to enable predictive capabilities in the detection and mitigation of these emerging threats, which currently cannot be addressed by existing tools.
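As an added illustration (not the project's own tooling), the sketch below flags BGP announcements that overlap an IXP peering LAN or that originate from an unexpected AS shortly after a prefix transfer. All prefixes, AS numbers, dates and the 90-day window are constructed assumptions using documentation ranges.

```python
import ipaddress
from datetime import date, timedelta

# Constructed sample data (documentation prefixes and ASNs, not real allocations).
IXP_PREFIXES = ["192.0.2.0/24"]                      # IXP peering LAN
TRANSFERS = [  # (prefix, previous-holder AS, new-holder AS, transfer date)
    ("198.51.100.0/24", 64496, 64497, date(2024, 3, 1)),
]
TRANSFER_WINDOW = timedelta(days=90)                 # assumed review window

ANNOUNCEMENTS = [  # (prefix, origin AS, date first seen)
    ("192.0.2.128/25", 64500, date(2024, 3, 10)),    # more-specific of an IXP LAN
    ("198.51.100.0/24", 64497, date(2024, 3, 5)),    # new holder, expected
    ("198.51.100.0/25", 64501, date(2024, 3, 20)),   # third party during the window
    ("198.51.100.0/24", 64501, date(2024, 9, 1)),    # outside the window, not covered here
    ("203.0.113.0/24", 64502, date(2024, 3, 10)),    # unrelated prefix
]

def classify(prefix, origin_as, seen):
    """Return the reasons an announcement deserves review (empty list if none)."""
    net = ipaddress.ip_network(prefix)
    reasons = []
    for ixp in IXP_PREFIXES:
        # overlaps() catches both more-specific and covering announcements.
        if net.overlaps(ipaddress.ip_network(ixp)):
            reasons.append(f"overlaps IXP prefix {ixp}")
    for t_prefix, old_as, new_as, t_date in TRANSFERS:
        in_window = t_date <= seen <= t_date + TRANSFER_WINDOW
        if (net.overlaps(ipaddress.ip_network(t_prefix)) and in_window
                and origin_as not in (old_as, new_as)):
            reasons.append(f"unexpected origin AS{origin_as} for transferred {t_prefix}")
    return reasons

def review(announcements):
    """Map each flagged (prefix, origin AS) pair to its reasons."""
    flagged = {}
    for prefix, origin_as, seen in announcements:
        reasons = classify(prefix, origin_as, seen)
        if reasons:
            flagged[(prefix, origin_as)] = reasons
    return flagged

if __name__ == "__main__":
    for (prefix, origin_as), reasons in review(ANNOUNCEMENTS).items():
        print(prefix, f"AS{origin_as}", "; ".join(reasons))
```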




Lancaster University