50 incidents detected, 25 since September 2015

Jun 23, 2016 01:10 GMT

Speaking at the North American Network Operators Group’s NANOG 67 conference, Leslie Noble, Senior Director of Global Registry Knowledge at the American Registry for Internet Numbers (ARIN), revealed the lengths to which crooks go to get their hands on brand new IPv4 addresses.

Last September, ARIN announced it had depleted its IPv4 address pool, meaning there were no new IPv4 addresses to be assigned to companies that needed their own IP.

Since then, ARIN has kept a waiting list for businesses willing to wait until a company returns unused IPv4 addresses. Otherwise, firms need to wait for ARIN to strip addresses from offending ASNs.

Crooks register old domain names, create fake companies

According to Noble, some crooks aren't willing to wait and are impersonating so-called legacy networks. These legacy networks are enterprises or institutions that at one point requested and received an IPv4 address pool from ARIN but failed to provide contact details.

ARIN says it currently knows of over 14,000 legacy networks. Of these, some IPv4 pools are bound to belong to companies that have ceased to exist.

Crooks are leveraging these odd cases. Noble says they're scanning the IPv4 address pool and looking for the networks' contact information. If they don't find any, they try to impersonate the defunct company by re-registering old business names or expired domain names.

There's a black market for IPv4 addresses

They then get in touch with ARIN to register their own contact information, and once in possession of the IPv4 pool, they move on to sell it to other companies.

Noble said they uncovered 50 IPv4 address pool hijacking incidents like these between 2005 and 2015, but 25 have happened since ARIN announced last September it ran out of IPv4 address space.

In another scenario, Noble describes fraudsters who set up shell companies and then legally apply to ARIN for IPv4 addresses. They quietly wait in line, and when they're assigned the requested IPv4 address pool, they immediately sell it on the dark market.

For more details, we refer you to Noble's NANOG 67 presentation. The part you're interested in is right at the beginning.