Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Skip to main content
Springer Nature Link
Log in

A First Look at the Misuse and Abuse of the IPv4 Transfer Market

  • Conference paper
  • First Online:
Passive and Active Measurement (PAM 2020)

Part of the book series: Lecture Notes in Computer Science ((LNCCN,volume 12048))

Included in the following conference series:

Abstract

The depletion of the unallocated IPv4 addresses and the slow pace of IPv6 deployment have given rise to the IPv4 transfer market, the trading of allocated IPv4 prefixes between organizations. Despite the policies established by RIRs to regulate the IPv4 transfer market, IPv4 transfers pose an opportunity for malicious networks, such as spammers and bulletproof ASes, to bypass reputational penalties by obtaining “clean” IPv4 address space or by offloading blacklisted addresses. Additionally, IP transfers create a window of uncertainty about the legitimate ownership of prefixes, which leads to inconsistencies in WHOIS records and routing advertisements. In this paper we provide the first detailed study of how transferred IPv4 prefixes are misused in the wild, by synthesizing an array of longitudinal IP blacklists, honeypot data, and AS reputation lists. Our findings yield evidence that transferred IPv4 address blocks are used by malicious networks to address botnets and fraudulent sites in much higher rates compared to non-transferred addresses, while the timing of the attacks indicate efforts to evade filtering mechanisms.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    RIPE Stat also provides access to Spamhaus DROP snapshots which we do not use because it covers only directly allocated address space.

References

  1. IPv4 Market Group. https://ipv4marketgroup.com/broker-services/buy

  2. PeeringDB. https://www.peeringdb.com

  3. AFRINIC: IPv4 Resources transfer within the AFRINIC Region. http://bit.ly/2sFjUZu

  4. Alieyan, K., ALmomani, A., Manasrah, A., Kadhum, M.M.: A survey of botnet detection based on DNS. Neural Comput. Appl. 28(7), 1541–1558 (2017)

    Article  Google Scholar 

  5. Anderson, T., Hutty, M.: Post depletion adjustment of procedures to match policy objectives, and clean-up of obsolete policy text. RIPE policy proposal, November 2013

    Google Scholar 

  6. APNIC: APNIC transfer, merger, acquisition, and takeover policy (2010). https://www.apnic.net/policy/transfer-policy_obsolete

  7. APNIC blog, Huberman, D.: Seven steps to successful IPv4 transfers (2017)

    Google Scholar 

  8. APNIC blog, Huston, G.: IPv4 Address Exhaustion in APNIC (2015). https://blog.apnic.net/2015/08/07/ipv4-address-exhaustion-in-apnic

  9. ARIN: ARIN Number Resource Policy Manual (Version 2010.1) (2009). https://www.arin.net/policy/nrpm.html

  10. ARIN: ARIN Number Resource Policy Manual (Version 2012.3) (2012). https://www.arin.net/policy/nrpm.html

  11. BadPackets: Cyber-Threat Intelligence: Botnet C2 Detections (2019). https://badpackets.net/botnet-c2-detections

  12. BinaryEdge: HoneyPots/Sensors (2019). https://www.binaryedge.io/data.html

  13. Böttger, T., Cuadrado, F., Uhlig, S.: Looking for hypergiants in peeringDB. ACM SIGCOMM Comput. Commun. Rev. 48(3), 13–19 (2018)

    Article  Google Scholar 

  14. CAIDA: Inferred AS to Organization Mapping Dataset. http://www.caida.org/data/as_organizations.xml

  15. Cho, S., Fontugne, R., Cho, K., Dainotti, A., Gill, P.: BGP hijacking classification. In: 2019 TMA, pp. 25–32. IEEE (2019)

    Google Scholar 

  16. Dainotti, A., et al.: Estimating internet address space usage through passive measurements. SIGCOMM Comput. Commun. Rev. 44(1), 42–49 (2013)

    Article  Google Scholar 

  17. Edelman, B.: Running out of numbers: scarcity of IP addresses and what to do about it. In: Das, S., Ostrovsky, M., Pennock, D., Szymanksi, B. (eds.) AMMA 2009. LNICST, vol. 14, pp. 95–106. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03821-1_16

    Chapter  Google Scholar 

  18. Heidemann, J., Pradkin, Y., Govindan, R., Papadopoulos, C., Bartlett, G., Bannister, J.: Census and survey of the visible internet. In: Proceedings of the ACM Internet Measurement Conference, pp. 169–182. ACM, October 2008

    Google Scholar 

  19. Huberman, D.: Smarter purchasing of IPv4 addresses in the market. NANOG 68, October 2016. http://bit.ly/36H7LkJ

  20. Huston, G.: How Big is that Network? October 2014. http://bit.ly/367t6DD

  21. Huston, G.: IPv4 Address Report, October 2019. https://ipv4.potaroo.net

  22. Huston, G.: IPv6/IPv4 Comparative Statistics, October 2019. http://bit.ly/36G7sGN

  23. Livadariu, I., Elmokashfi, A., Dhamdhere, A.: On IPv4 transfer markets: analyzing reported transfers and inferring transfers in the wild. Comput. Commun. 111, 105–119 (2017)

    Article  Google Scholar 

  24. Internet Archive: Wayback Machine (2001). https://archive.org/web

  25. IPv4 Brokers: IPv4 blacklist removal service. https://ipv4brokers.net/ipv4-sales

  26. IPv4 Market Group: IPv4 blacklist removal service. http://bit.ly/37dfDM3

  27. Konte, M., Perdisci, R., Feamster, N.: ASwatch: an as reputation system to expose bulletproof hosting ASes. ACM SIGCOMM CCR 45(4), 625–638 (2015)

    Google Scholar 

  28. Kührer, M., Rossow, C., Holz, T.: Paint it black: evaluating the effectiveness of malware blacklists. In: Stavrou, A., Bos, H., Portokalidis, G. (eds.) RAID 2014. LNCS, vol. 8688, pp. 1–21. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11379-1_1

    Chapter  Google Scholar 

  29. LACNIC: One-way interregional transfers to LACNIC (2017). http://bit.ly/369F5kd

  30. Lehr, W., Vest, T., Lear, E.: Running on empty: the challenge of managing internet addresses. In: TPRC (2008)

    Google Scholar 

  31. Luckie, M., Huffaker, B., Dhamdhere, A., Giotsas, V., et al.: AS relationships, customer cones, and validation. In: Proceedings of the 2013 ACM IMC (2013)

    Google Scholar 

  32. Torres, M.: Purchasing IPv4 space - due diligence homework. NANOG mailing list, March 2018. http://bit.ly/36L5Trg

  33. McMillen, D.: The inside story on botnets. IBM X-Force Research, September 2016

    Google Scholar 

  34. Mueller, M., Kuerbis, B.: Buying numbers: an empirical analysis of the IPv4 number market. In: Proceedings of iConference (2013)

    Google Scholar 

  35. Mueller, M., Kuerbis, B., Asghari, H.: Dimensioning the elephant: an empirical analysis of the IPv4 number market. In: GigaNet: Global Internet Governance Academic Network, Annual Symposium (2012)

    Google Scholar 

  36. Myers, E.W.: An O(ND) difference algorithm and its variations. Algorithmica 1(1–4), 251–266 (1986)

    Article  MathSciNet  Google Scholar 

  37. NANOG 68, Potter, A.: How to Navigate Getting IPv4 Space in a Post-Run-Out World (2017)

    Google Scholar 

  38. Nobile, L.: Who is accuracy. ARIN 39, April 2017

    Google Scholar 

  39. Ramachandran, A., Feamster, N.: Understanding the network-level behavior of spammers. In: ACM SIGCOMM CCR, vol. 36, pp. 291–302. ACM (2006)

    Google Scholar 

  40. Ramachandran, A., Feamster, N., Vempala, S.: Filtering spam with behavioral blacklisting. In: Proceedings of the 14th ACM conference CCS. ACM (2007)

    Google Scholar 

  41. RAPID7: Project Sonar TCP Scans. RAPID7 Open Data (2019). https://opendata.rapid7.com/sonar.tcp

  42. RAPID7: Project Sonar UDP Scans. RAPID7 Open Data (2019). https://opendata.rapid7.com/sonar.udp

  43. Reddit Networking: What are your experiences with the IPv4 secondary market? March 2018. https://tinyurl.com/yyumhax5

  44. Richter, P., Allman, M., Bush, R., Paxson, V.: A primer on IPv4 scarcity. SIGCOMM Comput. Commun. Rev. 45(2), 21–31 (2015). http://bit.ly/3b2878Q

    Article  Google Scholar 

  45. Richter, P., Smaragdakis, G., Plonka, D., Berger, A.: Beyond counting: new perspectives on the active IPv4 address space. In: Proceedings of the 2016 ACM IMC (2016)

    Google Scholar 

  46. RIPE: Routing Information Service (RIS). http://www.ripe.net/ris

  47. RIPE Labs, Wilhem, R.: Developments in IPv4 Transfers (2016). https://labs.ripe.net/Members/wilhelm/developments-in-ipv4-transfers

  48. RIPE Labs, Wilhem, R.: Impact of IPv4 Transfers on Routing Table Fragmentation (2016). http://bit.ly/30NCBHj

  49. RIPE Labs, Wilhem, R.: Trends in RIPE NCC Service Region IPv4 Transfers (2017). https://labs.ripe.net/Members/wilhelm/trends-in-ipv4-transfers

  50. RIPE Labs, Wilhem, R.: A Shrinking Pie? The IPv4 Transfer Market in 2017 (2018). http://bit.ly/2topCQ1

  51. RIPE NCC: Intra-RIR Transfer Policy Proposal (2012). https://www.ripe.net/participate/policies/proposals/2012-03

  52. RIPE NCC: Inter-RIR Transfers (2015). http://bit.ly/2v8kShV

  53. RIPE NCC: RIPE Stat Data API: Blacklists (2019). http://bit.ly/2SafbId

  54. RIPE NCC Address Policy Working Group: ASNs of organizations in reported IPv4 transfers. https://bit.ly/2v8Krzp

  55. Shue, C.A., Kalafut, A.J., Gupta, M.: Abnormally malicious autonomous systems and their internet connectivity. IEEE/ACM TON 20(1), 220–230 (2012)

    Article  Google Scholar 

  56. Sinha, S., Bailey, M., Jahanian, F.: Shades of grey: on the effectiveness of reputation-based “blacklists”. In: 3rd International Conference on Malicious and Unwanted Software (MALWARE), pp. 57–64. IEEE (2008)

    Google Scholar 

  57. Spamhaus: Don’t Route Or Peer List (DROP). https://www.spamhaus.org/drop

  58. Streambank, H.: IPv4 Auctions. https://auctions.ipv4.global

  59. WatchGuard Technologies: Internet Security Report: Q2 2019, September 2019

    Google Scholar 

  60. Testart, C., Richter, P., King, A., Dainotti, A., Clark, D.: Profiling BGP serial hijackers: capturing persistent misbehavior in the global routing table. In: Proceedings of the Internet Measurement Conference, pp. 420–434. ACM (2019)

    Google Scholar 

  61. UCEPROTECT: Network Project. http://www.uceprotect.net/en

  62. University of Oregon: The Route Views Project. http://www.routeviews.org

  63. VirusTotal: Online Virus Malware and URL scanner. https://www.virustotal.com

  64. Zhao, B.Z.H., Ikram, M., Asghar, H.J., Kaafar, M.A., Chaabane, A., Thilakarathna, K.: A decade of mal-activity reporting: a retrospective analysis of internet malicious activity blacklists. In: ASIACCS, pp. 193–205. ACM (2019)

    Google Scholar 

  65. Zhauniarovich, Y., Khalil, I., Yu, T., Dacier, M.: A survey on malicious domains detection through DNS data analysis. ACM Comput. Surv. 51(4), 67 (2018)

    Article  Google Scholar 

Download references

Acknowledgments

We thank our shepherd Taejoong Chung, the anonymous reviewers and Carlos Friaça for their constructive feedback. We also thank Randy Bush, and Jim Reid for their replies in our RIPE policy enquiries. Research supported, in part by, Security Lancaster, H2020 EC CONCORDIA GA #830927, Norwegian Research Council grant # 288744 GAIA, and the RIPE NCC Community Projects Fund.

Author information

Authors and Affiliations

  1. Lancaster University, Lancaster, UK

    Vasileios Giotsas

  2. Simula Metropolitan, Oslo, Norway

    Ioana Livadariu

  3. University College London, London, UK

    Petros Gigis

  4. Foundation for Research and Technology-Hellas (FORTH-ICS), Patras, Greece

    Petros Gigis

Authors
  1. Vasileios Giotsas
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Ioana Livadariu
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Petros Gigis
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Vasileios Giotsas .

Editor information

Editors and Affiliations

  1. University of Twente, Enschede, The Netherlands

    Anna Sperotto

  2. University of California, San Diego, CA, USA

    Alberto Dainotti

  3. University of Zürich, Zürich, Switzerland

    Burkhard Stiller

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Giotsas, V., Livadariu, I., Gigis, P. (2020). A First Look at the Misuse and Abuse of the IPv4 Transfer Market. In: Sperotto, A., Dainotti, A., Stiller, B. (eds) Passive and Active Measurement. PAM 2020. Lecture Notes in Computer Science(), vol 12048. Springer, Cham. https://doi.org/10.1007/978-3-030-44081-7_6

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-44081-7_6

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-44080-0

  • Online ISBN: 978-3-030-44081-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation