Malicious actors are abusing the secondary market for IPv4 addresses, according to Lancaster University lecturer Vasileios Giotsas, University College London research and teaching assistant and postdoctoral fellow Ioana Livadariu from Norway's Simula Metropolitan Center for Digital Engineering.
In a recent paper titled A first look at the misuse and abuse of the IPv4 Transfer Market [PDF], the three explain how IP address depletion saw regional internet registries establish transfer markets for the increasingly-hard-to-find IPv4 addresses.
“However, the IPv4 market has been poorly regulated due to the lack of widely adopted IP prefix ownership authentication mechanisms, inconsistent contractual requirements between legacy and allocated address space, and policy incongruences among Regional Internet Registries (RIRs),” the trio wrote. “As a result, IPv4 transfers have become target of fraud and abuse by malefactors who try to bypass legal IP ownership processes.”
Those who abuse the process do things like using “clean” IP addresses from which to host botnets or fraudulent sites.
The authors explain that he was able to access data about address transfers from internet registries, map the address ranges against known autonomous system numbers (AS numbers), correlate all of that with border gateway protocol activity and eventually create a picture of what happens to IPv4 addresses after they are bought and sold.
Asia’s internet registry APNIC finds about 50 million unused IPv4 addresses behind the sofaREAD MORE
The paper's conclusions are not pretty: “We find that for more than 65 percent of the IP transfers, the origin ASes and the transaction dates appear to be inconsistent with the transfer reports, while six percent of Route Origin Authorizations (ROAs) become stale after the transfer for many months.”
“Our results reveal at best poor practices of resource management that can facilitate malicious activities, such as hijacking attacks, and even lead to connectivity issues due to the increasing deployment of RPKI-based or IRR-based filtering mechanisms.”
It gets worse: “ASes involved in the transfer market exhibit consistently higher malicious behavior compared to the rest of the ASes, even when we account for factors such as business models and network span,” the three authors said, adding “Our findings are likely to be a lower bound of malicious activity from within transferred IP addresses since a number of transactions may occur without being reported to the regional internet registries.”
The authors hope their work helps registries and others to do better.
“We believe that these insights can inform the debates and development of … policies regarding the regulation of IPv4 markets, and help operators and brokers conduct better-informed due diligence to avoid misuse of the transferred address space or unintentionally support malicious actors,” they wrote.
“Moreover, our results can provide valuable input to blacklist providers, security professionals and researchers who can improve their cyber-threat monitoring and detection approaches, and tackle evasion techniques that exploit IPv4 transfers.”
Giotsas talks through the paper in the video below. ®