Advertisement

A First Look at the Misuse and Abuse of the IPv4 Transfer Market

  • Vasileios GiotsasEmail author
  • Ioana Livadariu
  • Petros Gigis
Conference paper
  • 33 Downloads
Part of the Lecture Notes in Computer Science book series (LNCS, volume 12048)

Abstract

The depletion of the unallocated IPv4 addresses and the slow pace of IPv6 deployment have given rise to the IPv4 transfer market, the trading of allocated IPv4 prefixes between organizations. Despite the policies established by RIRs to regulate the IPv4 transfer market, IPv4 transfers pose an opportunity for malicious networks, such as spammers and bulletproof ASes, to bypass reputational penalties by obtaining “clean” IPv4 address space or by offloading blacklisted addresses. Additionally, IP transfers create a window of uncertainty about the legitimate ownership of prefixes, which leads to inconsistencies in WHOIS records and routing advertisements. In this paper we provide the first detailed study of how transferred IPv4 prefixes are misused in the wild, by synthesizing an array of longitudinal IP blacklists, honeypot data, and AS reputation lists. Our findings yield evidence that transferred IPv4 address blocks are used by malicious networks to address botnets and fraudulent sites in much higher rates compared to non-transferred addresses, while the timing of the attacks indicate efforts to evade filtering mechanisms.

Keywords

IPv4 transfers Routing BGP Blacklists 

Notes

Acknowledgments

We thank our shepherd Taejoong Chung, the anonymous reviewers and Carlos Friaça for their constructive feedback. We also thank Randy Bush, and Jim Reid for their replies in our RIPE policy enquiries. Research supported, in part by, Security Lancaster, H2020 EC CONCORDIA GA #830927, Norwegian Research Council grant # 288744 GAIA, and the RIPE NCC Community Projects Fund.

References

  1. 1.
  2. 2.
  3. 3.
    AFRINIC: IPv4 Resources transfer within the AFRINIC Region. http://bit.ly/2sFjUZu
  4. 4.
    Alieyan, K., ALmomani, A., Manasrah, A., Kadhum, M.M.: A survey of botnet detection based on DNS. Neural Comput. Appl. 28(7), 1541–1558 (2017)CrossRefGoogle Scholar
  5. 5.
    Anderson, T., Hutty, M.: Post depletion adjustment of procedures to match policy objectives, and clean-up of obsolete policy text. RIPE policy proposal, November 2013Google Scholar
  6. 6.
    APNIC: APNIC transfer, merger, acquisition, and takeover policy (2010). https://www.apnic.net/policy/transfer-policy_obsolete
  7. 7.
    APNIC blog, Huberman, D.: Seven steps to successful IPv4 transfers (2017)Google Scholar
  8. 8.
    APNIC blog, Huston, G.: IPv4 Address Exhaustion in APNIC (2015). https://blog.apnic.net/2015/08/07/ipv4-address-exhaustion-in-apnic
  9. 9.
    ARIN: ARIN Number Resource Policy Manual (Version 2010.1) (2009). https://www.arin.net/policy/nrpm.html
  10. 10.
    ARIN: ARIN Number Resource Policy Manual (Version 2012.3) (2012). https://www.arin.net/policy/nrpm.html
  11. 11.
    BadPackets: Cyber-Threat Intelligence: Botnet C2 Detections (2019). https://badpackets.net/botnet-c2-detections
  12. 12.
    BinaryEdge: HoneyPots/Sensors (2019). https://www.binaryedge.io/data.html
  13. 13.
    Böttger, T., Cuadrado, F., Uhlig, S.: Looking for hypergiants in peeringDB. ACM SIGCOMM Comput. Commun. Rev. 48(3), 13–19 (2018)CrossRefGoogle Scholar
  14. 14.
    CAIDA: Inferred AS to Organization Mapping Dataset. http://www.caida.org/data/as_organizations.xml
  15. 15.
    Cho, S., Fontugne, R., Cho, K., Dainotti, A., Gill, P.: BGP hijacking classification. In: 2019 TMA, pp. 25–32. IEEE (2019)Google Scholar
  16. 16.
    Dainotti, A., et al.: Estimating internet address space usage through passive measurements. SIGCOMM Comput. Commun. Rev. 44(1), 42–49 (2013)CrossRefGoogle Scholar
  17. 17.
    Edelman, B.: Running out of numbers: scarcity of IP addresses and what to do about it. In: Das, S., Ostrovsky, M., Pennock, D., Szymanksi, B. (eds.) AMMA 2009. LNICST, vol. 14, pp. 95–106. Springer, Heidelberg (2009).  https://doi.org/10.1007/978-3-642-03821-1_16CrossRefGoogle Scholar
  18. 18.
    Heidemann, J., Pradkin, Y., Govindan, R., Papadopoulos, C., Bartlett, G., Bannister, J.: Census and survey of the visible internet. In: Proceedings of the ACM Internet Measurement Conference, pp. 169–182. ACM, October 2008Google Scholar
  19. 19.
    Huberman, D.: Smarter purchasing of IPv4 addresses in the market. NANOG 68, October 2016. http://bit.ly/36H7LkJ
  20. 20.
    Huston, G.: How Big is that Network? October 2014. http://bit.ly/367t6DD
  21. 21.
    Huston, G.: IPv4 Address Report, October 2019. https://ipv4.potaroo.net
  22. 22.
    Huston, G.: IPv6/IPv4 Comparative Statistics, October 2019. http://bit.ly/36G7sGN
  23. 23.
    Livadariu, I., Elmokashfi, A., Dhamdhere, A.: On IPv4 transfer markets: analyzing reported transfers and inferring transfers in the wild. Comput. Commun. 111, 105–119 (2017)CrossRefGoogle Scholar
  24. 24.
    Internet Archive: Wayback Machine (2001). https://archive.org/web
  25. 25.
    IPv4 Brokers: IPv4 blacklist removal service. https://ipv4brokers.net/ipv4-sales
  26. 26.
    IPv4 Market Group: IPv4 blacklist removal service. http://bit.ly/37dfDM3
  27. 27.
    Konte, M., Perdisci, R., Feamster, N.: ASwatch: an as reputation system to expose bulletproof hosting ASes. ACM SIGCOMM CCR 45(4), 625–638 (2015)Google Scholar
  28. 28.
    Kührer, M., Rossow, C., Holz, T.: Paint it black: evaluating the effectiveness of malware blacklists. In: Stavrou, A., Bos, H., Portokalidis, G. (eds.) RAID 2014. LNCS, vol. 8688, pp. 1–21. Springer, Cham (2014).  https://doi.org/10.1007/978-3-319-11379-1_1CrossRefGoogle Scholar
  29. 29.
    LACNIC: One-way interregional transfers to LACNIC (2017). http://bit.ly/369F5kd
  30. 30.
    Lehr, W., Vest, T., Lear, E.: Running on empty: the challenge of managing internet addresses. In: TPRC (2008)Google Scholar
  31. 31.
    Luckie, M., Huffaker, B., Dhamdhere, A., Giotsas, V., et al.: AS relationships, customer cones, and validation. In: Proceedings of the 2013 ACM IMC (2013)Google Scholar
  32. 32.
    Torres, M.: Purchasing IPv4 space - due diligence homework. NANOG mailing list, March 2018. http://bit.ly/36L5Trg
  33. 33.
    McMillen, D.: The inside story on botnets. IBM X-Force Research, September 2016Google Scholar
  34. 34.
    Mueller, M., Kuerbis, B.: Buying numbers: an empirical analysis of the IPv4 number market. In: Proceedings of iConference (2013)Google Scholar
  35. 35.
    Mueller, M., Kuerbis, B., Asghari, H.: Dimensioning the elephant: an empirical analysis of the IPv4 number market. In: GigaNet: Global Internet Governance Academic Network, Annual Symposium (2012)Google Scholar
  36. 36.
    Myers, E.W.: An O(ND) difference algorithm and its variations. Algorithmica 1(1–4), 251–266 (1986)MathSciNetCrossRefGoogle Scholar
  37. 37.
    NANOG 68, Potter, A.: How to Navigate Getting IPv4 Space in a Post-Run-Out World (2017)Google Scholar
  38. 38.
    Nobile, L.: Who is accuracy. ARIN 39, April 2017Google Scholar
  39. 39.
    Ramachandran, A., Feamster, N.: Understanding the network-level behavior of spammers. In: ACM SIGCOMM CCR, vol. 36, pp. 291–302. ACM (2006)Google Scholar
  40. 40.
    Ramachandran, A., Feamster, N., Vempala, S.: Filtering spam with behavioral blacklisting. In: Proceedings of the 14th ACM conference CCS. ACM (2007)Google Scholar
  41. 41.
    RAPID7: Project Sonar TCP Scans. RAPID7 Open Data (2019). https://opendata.rapid7.com/sonar.tcp
  42. 42.
    RAPID7: Project Sonar UDP Scans. RAPID7 Open Data (2019). https://opendata.rapid7.com/sonar.udp
  43. 43.
    Reddit Networking: What are your experiences with the IPv4 secondary market? March 2018. https://tinyurl.com/yyumhax5
  44. 44.
    Richter, P., Allman, M., Bush, R., Paxson, V.: A primer on IPv4 scarcity. SIGCOMM Comput. Commun. Rev. 45(2), 21–31 (2015). http://bit.ly/3b2878QCrossRefGoogle Scholar
  45. 45.
    Richter, P., Smaragdakis, G., Plonka, D., Berger, A.: Beyond counting: new perspectives on the active IPv4 address space. In: Proceedings of the 2016 ACM IMC (2016)Google Scholar
  46. 46.
    RIPE: Routing Information Service (RIS). http://www.ripe.net/ris
  47. 47.
    RIPE Labs, Wilhem, R.: Developments in IPv4 Transfers (2016). https://labs.ripe.net/Members/wilhelm/developments-in-ipv4-transfers
  48. 48.
    RIPE Labs, Wilhem, R.: Impact of IPv4 Transfers on Routing Table Fragmentation (2016). http://bit.ly/30NCBHj
  49. 49.
    RIPE Labs, Wilhem, R.: Trends in RIPE NCC Service Region IPv4 Transfers (2017). https://labs.ripe.net/Members/wilhelm/trends-in-ipv4-transfers
  50. 50.
    RIPE Labs, Wilhem, R.: A Shrinking Pie? The IPv4 Transfer Market in 2017 (2018). http://bit.ly/2topCQ1
  51. 51.
    RIPE NCC: Intra-RIR Transfer Policy Proposal (2012). https://www.ripe.net/participate/policies/proposals/2012-03
  52. 52.
    RIPE NCC: Inter-RIR Transfers (2015). http://bit.ly/2v8kShV
  53. 53.
    RIPE NCC: RIPE Stat Data API: Blacklists (2019). http://bit.ly/2SafbId
  54. 54.
    RIPE NCC Address Policy Working Group: ASNs of organizations in reported IPv4 transfers. https://bit.ly/2v8Krzp
  55. 55.
    Shue, C.A., Kalafut, A.J., Gupta, M.: Abnormally malicious autonomous systems and their internet connectivity. IEEE/ACM TON 20(1), 220–230 (2012)CrossRefGoogle Scholar
  56. 56.
    Sinha, S., Bailey, M., Jahanian, F.: Shades of grey: on the effectiveness of reputation-based “blacklists”. In: 3rd International Conference on Malicious and Unwanted Software (MALWARE), pp. 57–64. IEEE (2008)Google Scholar
  57. 57.
    Spamhaus: Don’t Route Or Peer List (DROP). https://www.spamhaus.org/drop
  58. 58.
    Streambank, H.: IPv4 Auctions. https://auctions.ipv4.global
  59. 59.
    WatchGuard Technologies: Internet Security Report: Q2 2019, September 2019Google Scholar
  60. 60.
    Testart, C., Richter, P., King, A., Dainotti, A., Clark, D.: Profiling BGP serial hijackers: capturing persistent misbehavior in the global routing table. In: Proceedings of the Internet Measurement Conference, pp. 420–434. ACM (2019)Google Scholar
  61. 61.
    UCEPROTECT: Network Project. http://www.uceprotect.net/en
  62. 62.
    University of Oregon: The Route Views Project. http://www.routeviews.org
  63. 63.
    VirusTotal: Online Virus Malware and URL scanner. https://www.virustotal.com
  64. 64.
    Zhao, B.Z.H., Ikram, M., Asghar, H.J., Kaafar, M.A., Chaabane, A., Thilakarathna, K.: A decade of mal-activity reporting: a retrospective analysis of internet malicious activity blacklists. In: ASIACCS, pp. 193–205. ACM (2019)Google Scholar
  65. 65.
    Zhauniarovich, Y., Khalil, I., Yu, T., Dacier, M.: A survey on malicious domains detection through DNS data analysis. ACM Comput. Surv. 51(4), 67 (2018)CrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  • Vasileios Giotsas
    • 1
    Email author
  • Ioana Livadariu
    • 2
  • Petros Gigis
    • 3
    • 4
  1. 1.Lancaster UniversityLancasterUK
  2. 2.Simula MetropolitanOsloNorway
  3. 3.University College LondonLondonUK
  4. 4.Foundation for Research and Technology-Hellas (FORTH-ICS)PatrasGreece

Personalised recommendations