IPv4 addresses hit the black market

By Admire Moyo
Johannesburg, 24 Jun 2016

Cyber criminals are looking to cash in on the fast-depleting pool of IPv4 addresses.

IPv4 is still popular because it routes most Internet traffic today despite the ongoing deployment of successor protocol IPv6. IPv4 uses 32-bit addresses, which limits the address space to 4 294 967 296 addresses. This limitation stimulated the development of IPv6 in the 1990s, and it has been in commercial deployment since 2006.

The newer IPv6 addresses are 128 bits in length, vastly enlarging the size of the usable address space. Data released by Google shows the uptake of IPv6 has grown considerably. It notes 10.09% of all traffic to its Web sites was made up of IPv6 connections as of January 2016, nearly double the figure from the same time last year, when the number was 5.47%.

The American Registry for Internet Numbers (ARIN), a non-profit that oversees the allocation of IP addresses in North America, in September last year confirmed the available pool of the 32-bit network addresses is totally depleted.

APNIC, which allocates addresses in Asia-Pacific, more or less ran out of available IPv4 addresses in 2011; RIPE, which oversees Europe, the Middle East and parts of Central Asia, was running on fumes by 2012; and LACNIC, which manages Latin America and the Caribbean, hit rock bottom in 2014. All that's left is AFRINIC, which oversees Africa, and is expected to run out of IPv4 addresses in 2019.

Desperate need

Leslie Noble, senior director of global registry knowledge at ARIN, says criminals are swarming to hijack, clean and resell IPv4 addresses. "The need for IPv4 is still great. People are desperately seeking IPv4. ARIN gets requests and calls every day," she says.

ARIN says it has seen 25 IPv4 address hijackings reported since September last year when it ran out of the addresses. In contrast, over the previous 10 years, there were only 50 verifiable hijackings.

On top of that, ARIN has found fraud rings that started their activity just before the IPv4 depletion. The crooks set up shell companies to hoard IPv4 address space for spamming and/or to sell.

One such ring that got by ARIN without setting off a red flag managed to set up 30 shell companies and got space under each one.

ARIN defines hijacking as unauthorised changes made to database records to gain control of IP resources.

ARIN has observed that some buyers and sellers of IPv4 addresses simply operate around an ecosystem of "brokers" who help companies fill IPv4 gaps more legitimately.

"These people are basically looking for IPv4 space to use in their networks. They're still growing their business with IPv4," says Noble.

But she warned that another group is "actually looking for space to sell and looking to make money off it, so we have seen an increase in hijackings and attempted hijackings at the registry".

ARIN has discovered that most hijackings take place inside the legacy space, targeting defunct Web sites or Web sites for defunct brands.

Fraud rings began to set up shell companies to hoard IPv4 space just before depletion, so a lot of activity was very much planned before October 2015, according to Noble.

According to Jon Tullett, IDC's research manager for IT services, Africa, IPv4 is universal, simple, and very well understood.

Valuable asset

"IPv6 is more complex and not yet universally supported. Upgrading complex networks and Internet applications to a different address space is expensive and potentially risky, and so long as IPv4 is perceived to be sufficient, organisations tend to resist investing or upgrading."

He points out AFRINIC is sitting on very valuable address space right now, and knows it. "There will be an impact, both from international players wanting to buy addresses, which could lead to exhaustion of the AFRINIC blocks faster, and from the same black market address hijacking in time. But the direct impact should be relatively minor in the near-term. We aren't out of addresses yet and AFRINIC is aware of the situation.

"IP address hijacking is fraud, and service providers need to ensure they have processes in place to identify and thwart such attacks, same as account hijacking, identity theft and other impersonation attacks," Tullett concludes.