Misuse and abuse of IPv4 addresses

According to Vasileios Giotsas, lecturer at Lancaster University, University College London research and teaching assistant Petros Gigis, and Ioana Livadariu, a postdoctoral fellow at the Simula Metropolitan Center for Digital Engineering in Norway, malicious behaviours are exploiting the secondary market for IPv4 addresses. In a recent paper entitled ‘A first look at the usage and misuse of the IPv4 Transfer Market’, the researchers clarify how IP address depletion has resulted in regional Internet registries developing transfer markets for increasingly difficult-to-find IPv4 addresses.

"Due to the lack of widely adopted IP prefix proprietary authentication mechanisms, inconsistent contractual requirements between legacy and allocated address space, and policy inconsistencies between the Regional Internet Registers (RIRs), the IPv4 market has been poorly regulated,” the researchers wrote. "As a consequence, IPv4 transfers are now the target of waste and abuse by fraudsters who are trying to override legal IP ownership processes." Those who misuse the process are using "clean" IP addresses from which to host botnets or fake pages.

The writers clarify that they have been able to access data on the transfer of addresses from the Internet registries, map the range of addresses against known Autonomous System Numbers (AS numbers), compare all this with border gateway protocol operation, and finally create an image of what happens to IPv4 addresses after they are purchased and sold.

From the paper’s findings, researchers found out there are more than 65% of the IP transfers, the origin of the ASes and the dates of the transaction are not correspondent with the transfer reports, while 6% of the Route Origin Authorizations (ROAs) have been stalled for period of time after the transfer. Besides, the authors claim the best poor resources management practices stimulate the fraud activities such as hijacking attacks or lead to connectivity issue due to increasing deployment of RPKI-based or IRR-based filtering mechanisms based on their findings.

It is getting worse: "Asses participating in the transfer market have consistently higher malicious conduct relative to the rest of the ASes, even if we take into account factors such as business models and network duration," the three authors said, adding "Our studies are likely to be a lower bound of malicious activity from within the transferred IP addresses, as a number of transactions may occur without having occurred.

‘We believe that these insights can inform the debates and development of RIR policies regarding the regulation of IPv4 markets, and help operators and brokers conduct better-informed due diligence to avoid misuse of the transferred address space or unintentionally support malicious actors. Moreover, our results can provide valuable input to blacklist providers, security professionals and researchers who can improve their cyber-threat monitoring and detection approaches, and tackle evasion techniques that exploit IPv4 transfers,’ the researches wrote.

Source：The Register