78

I am not talking about home networks (like hacking my wifi and using it). Can someone from another geographical location steal my IP address in some way?

For example:

I am angry with you. -> I want to make you suffer and managed to find your IP address. -> I decided to steal your IP address (meaning replace my IP address with yours) in such a way that what ever I do the feds going to be coming after you. -> So I bought some illegal drugs from the dark web (with my replaced IP address). -> The feds catches you.

Is this scenario possible?

Anders
dispos_Acc
  • A bit tangential: someone might not steal your IP, but due to how dynamic IP addresses work, you could end up with someone's past IP (although not at the same time). I have experienced this when browsing Wikipedia: I got a notice due to vandalism by an anonymous user (based on IP address). – Andrew T. Jan 11 '20 at 15:35
  • @dispos_Acc essentially: no. This is an empty threat. – Tim Jan 12 '20 at 00:12
  • I'm guessing this question is in relation to this: https://arstechnica.com/information-technology/2020/01/paul-krugmans-no-good-very-bad-internet-day/ – keithRozario Jan 12 '20 at 00:16
  • It’s a scam! The bad guys call you, claim to be “IT support”, and LIE that your IP or computer is hacked. Then they trick you into “allowing remote access” so they can “fix it”. Then they use the remote access to steal your financial and business data. – Darrell Root Jan 12 '20 at 07:25
  • @dispos_Acc I wouldn't believe the story. It's quite impossible to 'steal' in this specific scenario -- while the BGP scenario given below is plausible, I don't think it's happened in this case. – keithRozario Jan 12 '20 at 10:40

5 Answers

161

Network engineer with Border Gateway Protocol (BGP) experience here.

Yes. But usually the attack would have to be for a larger address block and (as Eevee commented) require an attacker with specific skills and access. If someone calls you and claims that your IP is hacked, they are probably a scammer. Hang up!

Back to the question:

Let’s assume the “good ISP” company is allocated 1.1.0.0/16. You are a customer of “good ISP” and your home router public IP address is 1.1.5.5.

“EvilCo” wants to make you look bad by downloading ...inappropriate... content from 1.1.5.5. They have an unfiltered BGP routing protocol connection to the Internet and advertise 1.1.5.5/32.

That attack fails. While their BGP connection is not filtered (and we are talking about route advertisement filters here, not packet filters), Internet ISPs generally don’t accept IPv4 routes more specific than a /24.

So EvilCo advertises 1.1.5.0/24 in BGP. That succeeds. Both 1.1.5.0/24 and 1.1.0.0/16 exist in the core Internet routing table and the more specific route wins!

A few mitigations:

  1. ISPs generally filter BGP connections to their customers and only accept specific routes, but there are plenty of unfiltered BGP connections out there (I personally had access to one in a prior job...it was so old it was created before the ISP tightened their standard configs).
  2. Good BGP operators use a “BGP monitoring service” which sends them an email when someone else advertises one of their assigned blocks. (BGPmon)
  3. There are “route registry databases” (RADB for example) and some ISPs try to police their routes with the databases, but those databases are generally incomplete.
  4. The requirement to attack a larger block (/24) makes the attack more obvious, since multiple people are affected and all BGP updates are logged by several organizations.

It is also possible for a rogue operator inside “Good ISP” to specifically take over your /32.

It is always possible for anyone to send traffic with a source IP of 1.1.5.5 without rerouting the block, but that will not result in completed TCP handshakes so no downloads will occur (DNS queries are usually single-packet UDP, so it is easy for someone to forge DNS queries from your IP address for an inappropriate domain and send it to an arbitrary DNS server where the query might be logged).

There's a pretty good discussion and history of “BGP hijacking” incidents on Wikipedia. Network operator organizations including NANOG (North American Network Operators Group) communicate and cooperate to deal with (or at least bring visibility to) these when they occur.

Many (most?) BGP hijacking incidents are “operator error” rather than intentional. In some cases companies find IPv4 address space that is assigned to a no-longer-operational entity and use that for business operations. IPv4 address space is scarce and expensive due to IP address depletion.

Michael
Darrell Root
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/103209/discussion-on-answer-by-darrell-root-can-someone-steal-my-ip-address-and-use-it). – Rory Alsop Jan 12 '20 at 12:56
  • I think I've seen one of our local telcos, which spans the whole (small) country, give out large-subnet real IPs to home users via DHCP. Since DHCP frequently tries to give the same address to the same MAC, wouldn't one possibility be for the attacker to clone the victim's MAC and (possibly disabling the victim's computer) get the same IP -- they could be physically in another town/district. – Gnudiff Jan 13 '20 at 07:52
  • @Gnudiff Perhaps. They would probably have to be in the same area, so they'd be served by the same DHCP server, on the same subnet. Also, unless it's a modified DHCP server, you can also just set a static IP and you don't need to involve DHCP. – user253751 Jan 13 '20 at 10:32
  • There was a case of erroneous BGP advertising several months ago, which broke access to a lot of pages for many users. Which just revealed how incomplete the protections still are in this outdated networking protocol: https://blog.cloudflare.com/how-verizon-and-a-bgp-optimizer-knocked-large-parts-of-the-internet-offline-today/ – Falco Jan 13 '20 at 12:09
  • While this technically answers the question, I imagine the technical details are way too complicated for the OP and even with the disclaimer they might get the wrong idea from this. Sure this is possible and has happened in the past, but only a few larger organisations and states have the capabilities of doing so and it's hard to imagine you'd ever do this to target a single user. There's absolutely no reason for a normal user to worry about this – Voo Jan 13 '20 at 14:20
  • IPv4 addresses are sparse .. hm ,.. in theory 4.295 billion different addresses (minus a few reserved for unicast / multicast) ... the problem was the initial class-based address reservation and the resulting strong address space fragmentation – eagle275 Jan 13 '20 at 15:24
  • To be clear, how much money would it cost someone to implement this attack? Is it something the average Joe needs to worry might possibly happen? – corsiKa Jan 13 '20 at 16:56
  • @corsiKa The average Joe does not need to worry about it, but companies and universities that have significant IP address space assigned should use a BGP monitoring service to make sure another autonomous system does not advertise one of their blocks. – Darrell Root Jan 13 '20 at 17:53
  • @eagle275: are you aware of how many human beings there are? – Nick Matteo Jan 14 '20 at 18:39
  • @NickMatteo we are well on the way to 8 billion .. but I would appreciate finally going completely IPv6 as it makes things so much easier .. no more punching holes in NAT routers to offer services like a personal cloud - and at the same time enough addresses for ANY thinkable device and still having a very large pool of free addresses for more devices in case the population grows further. But this doesn't change the fact that the mentioned sparsity of addresses still originates back to the class-based address distribution which claimed the majority of available addresses for a few organizations – eagle275 Jan 15 '20 at 08:36
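The three mechanics in this answer (the /24 acceptance limit on route advertisements, "the more specific route wins" in the routing table, and a monitoring service or route registry catching a foreign origin AS inside an assigned block) can be walked through in a few lines. The following is an added example written for this page, not code from the answer or from any router or BGP monitoring product. It reuses the answer's 1.1.0.0/16 and 1.1.5.5, assumes AS numbers 64496 (Good ISP) and 64497 (EvilCo) from the RFC 5398 documentation range, and models an IRR route object as nothing more than a (prefix, origin AS) pair, which is a simplification.

```python
import ipaddress
from dataclasses import dataclass

# Assumed values for this example: the /16 and 1.1.5.5 come from the answer
# above; the AS numbers are from the documentation range reserved by RFC 5398.
GOOD_ISP_AS = 64496
EVILCO_AS = 64497
MAX_IPV4_PREFIX_LEN = 24  # typical edge acceptance limit for IPv4 routes


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    origin_as: int


def route(prefix, origin_as):
    """Build a Route from a prefix string such as '1.1.5.0/24'."""
    return Route(ipaddress.ip_network(prefix), origin_as)


def accepted_by_peers(r):
    """Route-advertisement filter: drop IPv4 prefixes more specific than /24."""
    return r.prefix.prefixlen <= MAX_IPV4_PREFIX_LEN


def best_route(table, destination):
    """Longest-prefix match over installed routes; the most specific wins."""
    addr = ipaddress.ip_address(destination)
    covering = [r for r in table if addr in r.prefix]
    return max(covering, key=lambda r: r.prefix.prefixlen, default=None)


def registry_allows(r, registry):
    """Simplified IRR check (assumption): some registered (prefix, origin AS)
    object with the same origin AS must cover the announced prefix."""
    return any(r.origin_as == asn and r.prefix.subnet_of(ipaddress.ip_network(p))
               for p, asn in registry)


def hijack_alerts(table, owned):
    """Monitoring check: flag installed routes that fall inside a block we own
    but carry a different origin AS (what a BGPmon-style alert would report)."""
    alerts = []
    for r in table:
        for block, asn in owned:
            if r.origin_as != asn and r.prefix.subnet_of(ipaddress.ip_network(block)):
                alerts.append(r)
    return alerts


def run_scenario():
    """Replay the answer's scenario and return the observable outcomes."""
    owned = [("1.1.0.0/16", GOOD_ISP_AS)]
    registry = list(owned)  # the only registered route object is Good ISP's /16
    table = [route("1.1.0.0/16", GOOD_ISP_AS)]

    too_specific = route("1.1.5.5/32", EVILCO_AS)   # first attempt: a /32
    just_fits = route("1.1.5.0/24", EVILCO_AS)      # second attempt: a /24
    results = {
        "slash32_accepted": accepted_by_peers(too_specific),
        "slash24_accepted": accepted_by_peers(just_fits),
    }

    if results["slash24_accepted"]:
        table.append(just_fits)  # both the /16 and the /24 now coexist
    winner = best_route(table, "1.1.5.5")
    results["winner_prefix"] = str(winner.prefix)
    results["winner_origin_as"] = winner.origin_as
    results["alerts"] = [str(r.prefix) for r in hijack_alerts(table, owned)]
    results["registry_allows_hijack"] = registry_allows(just_fits, registry)
    results["registry_allows_owner"] = registry_allows(table[0], registry)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running the file shows the /32 rejected by the peer filter, the /24 accepted and then winning the lookup for 1.1.5.5 with EvilCo's origin AS, the monitoring check raising exactly one alert for 1.1.5.0/24, and the registry check refusing that route while allowing Good ISP's own /16. A real monitoring service sees announcements from many vantage points rather than one table, and the same origin-AS comparison is what RPKI route origin validation automates on the routers themselves.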
40

If someone manages to get a backdoor program installed on your computer, they can route all their traffic through it, using it as a proxy server, thus "stealing" your IP.

All their activity will show as coming from your IP address, so they can do shady stuff using your IP as cover and you might take the blame later.

IcaroAugusto
  • Certainly the likeliest threat vector for an average person. This answer could be improved by writing with more detail and the proper terms. It's also a bit ESL-like, but I'm not concerned with that. – Harper - Reinstate Monica Jan 13 '20 at 04:31
  • Can you please add specific incidents and workarounds for the same; this looks clearly interesting. – Talk is Cheap Show me Code Jan 13 '20 at 04:50
  • But if the police investigate, then the ISP sees that the traffic was transmitted to another computer and that you were used as a proxy, isn't it? – Black Jan 13 '20 at 13:30
  • @Black No, the ISP sees the traffic from your computer to the attacker as just one encrypted connection among many. – JiK Jan 13 '20 at 13:47
  • @TalkisCheapShowmeCode Search for the term "botnet" and you will get a load of examples. Every "bot" in a botnet is exactly that - a computer controlled by a malicious actor and doing bad things from the owner's IP address. A "workaround" is to keep your computer free of malicious software. – fraxinus Jan 13 '20 at 13:48
  • I think it's more likely for a hacker to hack any device like a smart device or router in your network and then route traffic through it. Computers are vulnerable but smart devices and older routers are far easier to hack. – SILENT Jan 24 '20 at 17:15
  • @Harper-ReinstateMonica what do you mean by "ESL-like"? – robertspierre Dec 07 '20 at 01:53
1

NOTE: I am only writing this because the other answer talks of BGP hijacking, which is sophisticated and will be quite noisy, and the other answer touches on the malware subject but doesn't give details.

Can a guy from another geographical location steal my IP address in some way?

Oh absolutely. If I, for example, were to "steal your IP address", or in other terms make HTTP requests come from your location, the easiest way to do it would be to get code execution on your system. From there I could drop a shell and route all traffic from your computer using a proxy. Hell, you could even write a very small version of that yourself in C.

  1. Once your malware establishes a socket connection, the client can send and receive data. All you need to do is send data from the C&C network. For example, you could just write www.google.com and send the data to the client.
  2. The client will receive that data, and then you call getaddrinfo, make up a valid HTTP request and send it to google.com. (For HTTPS you would use something like libcurl.)
  3. For google.com (their web server) the request will originate from your computer's IP address, hence effectively stealing your IP address.

The same applies for file downloading and the rest of the internet.

BTW the same technique is used by botnets to effectively perform DDoS attacks where the originating IP is the victim's.

yeah_well
0

To simplify some of the responses made here to something a little clearer.

Yes, it is technically possible to steal someone's IP address, but it would be extremely difficult. Michael is correct that someone could theoretically advertise your address block from a rogue BGP AS*, but unless your ISP provided you an IP address that was portable (meaning it could leave the ISP's AS) it would be rejected by virtually all core providers.

Many, although not all, providers require that router advertisements are installed via registries like RADB.

Furthermore, to insert the routes into BGP you would need to coopt a legitimate ISP. You can't just spin up a router instance, connect it to an ISP's BGP instance and be off and running. The ISPs are not going to be too keen on rogue route advertisements.

And even if that all happened, there would be a record of the poison route being inserted and when it was removed so it would be pretty easy to prove it wasn't you.

It would be far easier, although certainly not that easy, to coopt a user's desktop and install malware that would appear to be you doing whatever it is you wanted to do.

*: BGP AS is the identifier that BGP routers use to tell other BGP routers who they are organizationally.

Glorfindel
flyerhawk
0

No, they cannot.

Theoretically, everything is possible when it concerns the Internet (how do you know I'm not a smart dog with fingers?), but he'd have to spend a few, or many, millions of $ to set it up. And this diversion would be detected within seconds and repaired, so it's a huge waste of $ for revenge. I can come up with much cheaper and more efficient ways.

E.g. the example in the question - it'd be much cheaper to order some drugs off ze dark web to your home address with your name on the order, then tip off the local police. What happens then - who knows, probably nothing; they have limited budgets and cannot afford to chase ghosts.

"Buying from your IP address" - this is a teenager's feverish dream, nobody cares about that level of evidence unless the person they are investigating is, I don't know, a successful terrorist of the scale of 9-11.

Vitaly Osipov