A First Look at the Misuse and Abuse of the IPv4 Transfer Market

  • Vasileios GiotsasEmail author
  • Ioana Livadariu
  • Petros Gigis
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 12048)


The depletion of the unallocated IPv4 addresses and the slow pace of IPv6 deployment have given rise to the IPv4 transfer market, the trading of allocated IPv4 prefixes between organizations. Despite the policies established by RIRs to regulate the IPv4 transfer market, IPv4 transfers pose an opportunity for malicious networks, such as spammers and bulletproof ASes, to bypass reputational penalties by obtaining “clean” IPv4 address space or by offloading blacklisted addresses. Additionally, IP transfers create a window of uncertainty about the legitimate ownership of prefixes, which leads to inconsistencies in WHOIS records and routing advertisements. In this paper we provide the first detailed study of how transferred IPv4 prefixes are misused in the wild, by synthesizing an array of longitudinal IP blacklists, honeypot data, and AS reputation lists. Our findings yield evidence that transferred IPv4 address blocks are used by malicious networks to address botnets and fraudulent sites in much higher rates compared to non-transferred addresses, while the timing of the attacks indicate efforts to evade filtering mechanisms.


IPv4 transfers Routing BGP Blacklists 



We thank our shepherd Taejoong Chung, the anonymous reviewers and Carlos Friaça for their constructive feedback. We also thank Randy Bush, and Jim Reid for their replies in our RIPE policy enquiries. Research supported, in part by, Security Lancaster, H2020 EC CONCORDIA GA #830927, Norwegian Research Council grant # 288744 GAIA, and the RIPE NCC Community Projects Fund.


  1. 1.
  2. 2.
  3. 3.
    AFRINIC: IPv4 Resources transfer within the AFRINIC Region.
  4. 4.
    Alieyan, K., ALmomani, A., Manasrah, A., Kadhum, M.M.: A survey of botnet detection based on DNS. Neural Comput. Appl. 28(7), 1541–1558 (2017)CrossRefGoogle Scholar
  5. 5.
    Anderson, T., Hutty, M.: Post depletion adjustment of procedures to match policy objectives, and clean-up of obsolete policy text. RIPE policy proposal, November 2013Google Scholar
  6. 6.
    APNIC: APNIC transfer, merger, acquisition, and takeover policy (2010).
  7. 7.
    APNIC blog, Huberman, D.: Seven steps to successful IPv4 transfers (2017)Google Scholar
  8. 8.
    APNIC blog, Huston, G.: IPv4 Address Exhaustion in APNIC (2015).
  9. 9.
    ARIN: ARIN Number Resource Policy Manual (Version 2010.1) (2009).
  10. 10.
    ARIN: ARIN Number Resource Policy Manual (Version 2012.3) (2012).
  11. 11.
    BadPackets: Cyber-Threat Intelligence: Botnet C2 Detections (2019).
  12. 12.
    BinaryEdge: HoneyPots/Sensors (2019).
  13. 13.
    Böttger, T., Cuadrado, F., Uhlig, S.: Looking for hypergiants in peeringDB. ACM SIGCOMM Comput. Commun. Rev. 48(3), 13–19 (2018)CrossRefGoogle Scholar
  14. 14.
    CAIDA: Inferred AS to Organization Mapping Dataset.
  15. 15.
    Cho, S., Fontugne, R., Cho, K., Dainotti, A., Gill, P.: BGP hijacking classification. In: 2019 TMA, pp. 25–32. IEEE (2019)Google Scholar
  16. 16.
    Dainotti, A., et al.: Estimating internet address space usage through passive measurements. SIGCOMM Comput. Commun. Rev. 44(1), 42–49 (2013)CrossRefGoogle Scholar
  17. 17.
    Edelman, B.: Running out of numbers: scarcity of IP addresses and what to do about it. In: Das, S., Ostrovsky, M., Pennock, D., Szymanksi, B. (eds.) AMMA 2009. LNICST, vol. 14, pp. 95–106. Springer, Heidelberg (2009). Scholar
  18. 18.
    Heidemann, J., Pradkin, Y., Govindan, R., Papadopoulos, C., Bartlett, G., Bannister, J.: Census and survey of the visible internet. In: Proceedings of the ACM Internet Measurement Conference, pp. 169–182. ACM, October 2008Google Scholar
  19. 19.
    Huberman, D.: Smarter purchasing of IPv4 addresses in the market. NANOG 68, October 2016.
  20. 20.
    Huston, G.: How Big is that Network? October 2014.
  21. 21.
    Huston, G.: IPv4 Address Report, October 2019.
  22. 22.
    Huston, G.: IPv6/IPv4 Comparative Statistics, October 2019.
  23. 23.
    Livadariu, I., Elmokashfi, A., Dhamdhere, A.: On IPv4 transfer markets: analyzing reported transfers and inferring transfers in the wild. Comput. Commun. 111, 105–119 (2017)CrossRefGoogle Scholar
  24. 24.
    Internet Archive: Wayback Machine (2001).
  25. 25.
    IPv4 Brokers: IPv4 blacklist removal service.
  26. 26.
    IPv4 Market Group: IPv4 blacklist removal service.
  27. 27.
    Konte, M., Perdisci, R., Feamster, N.: ASwatch: an as reputation system to expose bulletproof hosting ASes. ACM SIGCOMM CCR 45(4), 625–638 (2015)Google Scholar
  28. 28.
    Kührer, M., Rossow, C., Holz, T.: Paint it black: evaluating the effectiveness of malware blacklists. In: Stavrou, A., Bos, H., Portokalidis, G. (eds.) RAID 2014. LNCS, vol. 8688, pp. 1–21. Springer, Cham (2014). Scholar
  29. 29.
    LACNIC: One-way interregional transfers to LACNIC (2017).
  30. 30.
    Lehr, W., Vest, T., Lear, E.: Running on empty: the challenge of managing internet addresses. In: TPRC (2008)Google Scholar
  31. 31.
    Luckie, M., Huffaker, B., Dhamdhere, A., Giotsas, V., et al.: AS relationships, customer cones, and validation. In: Proceedings of the 2013 ACM IMC (2013)Google Scholar
  32. 32.
    Torres, M.: Purchasing IPv4 space - due diligence homework. NANOG mailing list, March 2018.
  33. 33.
    McMillen, D.: The inside story on botnets. IBM X-Force Research, September 2016Google Scholar
  34. 34.
    Mueller, M., Kuerbis, B.: Buying numbers: an empirical analysis of the IPv4 number market. In: Proceedings of iConference (2013)Google Scholar
  35. 35.
    Mueller, M., Kuerbis, B., Asghari, H.: Dimensioning the elephant: an empirical analysis of the IPv4 number market. In: GigaNet: Global Internet Governance Academic Network, Annual Symposium (2012)Google Scholar
  36. 36.
    Myers, E.W.: An O(ND) difference algorithm and its variations. Algorithmica 1(1–4), 251–266 (1986)MathSciNetCrossRefGoogle Scholar
  37. 37.
    NANOG 68, Potter, A.: How to Navigate Getting IPv4 Space in a Post-Run-Out World (2017)Google Scholar
  38. 38.
    Nobile, L.: Who is accuracy. ARIN 39, April 2017Google Scholar
  39. 39.
    Ramachandran, A., Feamster, N.: Understanding the network-level behavior of spammers. In: ACM SIGCOMM CCR, vol. 36, pp. 291–302. ACM (2006)Google Scholar
  40. 40.
    Ramachandran, A., Feamster, N., Vempala, S.: Filtering spam with behavioral blacklisting. In: Proceedings of the 14th ACM conference CCS. ACM (2007)Google Scholar
  41. 41.
    RAPID7: Project Sonar TCP Scans. RAPID7 Open Data (2019).
  42. 42.
    RAPID7: Project Sonar UDP Scans. RAPID7 Open Data (2019).
  43. 43.
    Reddit Networking: What are your experiences with the IPv4 secondary market? March 2018.
  44. 44.
    Richter, P., Allman, M., Bush, R., Paxson, V.: A primer on IPv4 scarcity. SIGCOMM Comput. Commun. Rev. 45(2), 21–31 (2015). Scholar
  45. 45.
    Richter, P., Smaragdakis, G., Plonka, D., Berger, A.: Beyond counting: new perspectives on the active IPv4 address space. In: Proceedings of the 2016 ACM IMC (2016)Google Scholar
  46. 46.
    RIPE: Routing Information Service (RIS).
  47. 47.
    RIPE Labs, Wilhem, R.: Developments in IPv4 Transfers (2016).
  48. 48.
    RIPE Labs, Wilhem, R.: Impact of IPv4 Transfers on Routing Table Fragmentation (2016).
  49. 49.
    RIPE Labs, Wilhem, R.: Trends in RIPE NCC Service Region IPv4 Transfers (2017).
  50. 50.
    RIPE Labs, Wilhem, R.: A Shrinking Pie? The IPv4 Transfer Market in 2017 (2018).
  51. 51.
    RIPE NCC: Intra-RIR Transfer Policy Proposal (2012).
  52. 52.
    RIPE NCC: Inter-RIR Transfers (2015).
  53. 53.
    RIPE NCC: RIPE Stat Data API: Blacklists (2019).
  54. 54.
    RIPE NCC Address Policy Working Group: ASNs of organizations in reported IPv4 transfers.
  55. 55.
    Shue, C.A., Kalafut, A.J., Gupta, M.: Abnormally malicious autonomous systems and their internet connectivity. IEEE/ACM TON 20(1), 220–230 (2012)CrossRefGoogle Scholar
  56. 56.
    Sinha, S., Bailey, M., Jahanian, F.: Shades of grey: on the effectiveness of reputation-based “blacklists”. In: 3rd International Conference on Malicious and Unwanted Software (MALWARE), pp. 57–64. IEEE (2008)Google Scholar
  57. 57.
    Spamhaus: Don’t Route Or Peer List (DROP).
  58. 58.
    Streambank, H.: IPv4 Auctions.
  59. 59.
    WatchGuard Technologies: Internet Security Report: Q2 2019, September 2019Google Scholar
  60. 60.
    Testart, C., Richter, P., King, A., Dainotti, A., Clark, D.: Profiling BGP serial hijackers: capturing persistent misbehavior in the global routing table. In: Proceedings of the Internet Measurement Conference, pp. 420–434. ACM (2019)Google Scholar
  61. 61.
    UCEPROTECT: Network Project.
  62. 62.
    University of Oregon: The Route Views Project.
  63. 63.
    VirusTotal: Online Virus Malware and URL scanner.
  64. 64.
    Zhao, B.Z.H., Ikram, M., Asghar, H.J., Kaafar, M.A., Chaabane, A., Thilakarathna, K.: A decade of mal-activity reporting: a retrospective analysis of internet malicious activity blacklists. In: ASIACCS, pp. 193–205. ACM (2019)Google Scholar
  65. 65.
    Zhauniarovich, Y., Khalil, I., Yu, T., Dacier, M.: A survey on malicious domains detection through DNS data analysis. ACM Comput. Surv. 51(4), 67 (2018)CrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  • Vasileios Giotsas
    • 1
    Email author
  • Ioana Livadariu
    • 2
  • Petros Gigis
    • 3
    • 4
  1. 1.Lancaster UniversityLancasterUK
  2. 2.Simula MetropolitanOsloNorway
  3. 3.University College LondonLondonUK
  4. 4.Foundation for Research and Technology-Hellas (FORTH-ICS)PatrasGreece

Personalised recommendations