Fraudsters are Buying IPv4 Addresses

IPv4 addresses are valuable, so criminals are figuring out how to buy or steal them.

Hence criminals' interest in ways to land themselves IP addresses, some of which were detailed this week by ARIN's senior director of global registry knowledge, Leslie Nobile, at the North American Network Operators Group's NANOG 67 conference.

Nobile explained that criminals look for dormant ARIN records and try to establish themselves as the rightful administrator. ARIN has 30,556 legacy network records, she said, but a validated point of contact for only 54 per cent of those networks. The remaining ~14,000 networks are ripe for targeting by hijackers who Nobile said are only interested in establishing legitimacy with ARIN so they can find a buyer for unused IPv4 addresses possessed by dormant legacy networks.

Criminals do so by finding dormant ARIN records and Whois data to see if there is a valid contact, then ascertaining if IPv4 allocations are currently routed. If the assigned addresses are dark and no active administrator exists, hijackers can revive dormant domain names or even re-register the names of defunct companies in order to establish a position as legitimate administrators of an address space. If all goes well, the hijackers end up with addresses to sell.

Video presentation here.

Posted on June 22, 2016 at 1:15 PM • 12 Comments


bcsJune 22, 2016 1:56 PM

Aside from it being done without consent of the prior owner, this sounds like a public service I wound have no problem with someone getting paid to provide.

JasonJune 22, 2016 2:41 PM

@bcs I'm inclined to agree with you. Seems that such a resource shouldn't not be allowed to squander away. What should happen is a process to expire such ownerships, that way people like you and I can have our own IPv4 blocks w/out getting them from IP scalpers.

Mark WelchJune 22, 2016 3:02 PM

The headline of your article is misleading, I think. Fraudsters are hijacking IPv4 address blocks, then reselling them. I'm sure that other fraudsters are among the buyers, but most of them, I assume, are good people.

Note that there are additional obstacles: many of these dubious address blocks are on blacklists and "drop" lists which preclude their announcement by legitimate providers, and sharply limits their usefulness.

TatütataJune 22, 2016 3:53 PM

Could someone enlighten me about the current market value of IP address blocks?

I believe I know at least on class-B block (65536 IP addresses) which is only marginally used. How much money could they get by subdividing it into C-blocks and selling it off like if it were just another suburban subdivision?

Mark WelchJune 22, 2016 4:19 PM

Tatutata, do a quick Google search for "valuing IPv4 address blocks" and you'll come up with some info. I see values (one-time purchase) ranging from $8 to $15 per IPv4 address.

Some providers who will delegate IPv4 blocks to customers will charge something like $1 per IPv4 address, per month (so a /24 would cost $256/month, and a /22 would cost $1,024/month).

de La BoetieJune 22, 2016 4:52 PM

Were the notion of IPv6 "obsoleting" v4 realistic, the v4 addresses might not be as valuable.

As it is, IPv6 is a crock in so many ways.

TatütataJune 22, 2016 5:42 PM

Thanks, for once it didn't even occur to me to try to look it up.

At 8-15 dollars each, the IPV4 addresses aren't quite as valuable as I would have thought. If one had asked me to guess, I would have ventured at least $100 per address, with the prices shooting up as the shortages set in.

In my eyes, the IPV4 doesn't seem to be quite the mess that the North-American telephone numbering plan degenerated into, with its splits and overlays and un-reclaimable number ranges. But the IP issue seems to be more discussed than the NANP.

OscarJune 24, 2016 7:00 AM

Sounds more like a recycling effort, even if it is digging through your neighbor's trash for unused materials.

NimJune 24, 2016 2:00 PM

I guess the NANP is not a global issue.

The lack of IPv4 addresses is getting a problem in EU where we don't have as many addresses as US.

NickJuly 4, 2016 1:00 PM

If IPv6 were widely deployed, none of this would matter.
Why isn't IPv6 taking off? Who/what is blocking it?

JamesDecember 7, 2016 9:55 AM

I hate to break it to people but the internet is broken because Arin does not know who owns some addresses and cannot even point you to Ripe, Apnic, Aficnic or Lancnic when a Whois request is made and in some cases they send you to one registry who then sends you back to Arin so you end up in a loop.

The data does not audit if you go deep and you check the data from arin ip-ranges based on the "OrgID" then it does not match with other Whois Data from Arin when it comes to ranges and we are not just talking of daily updates.

Lancnic has a rate limit on request and would like everyone to work at a snails pace and Africnic servers are always going down, next to useless and would not be around if open up to competing with the outside world.

All these main registrar's seem to be using notepad when it comes to content mananment and have yet to discover what a template is since any number of key fields can be missing from Whois requests on TCP:43 and they all need to work to a fixed standard and stick to it or do they need more than 20 years to get there act togeather ?

Bulk import of data is useless from these un-accountable peoviders since they hide behind the data protection act when it comes to bulk data so anyone trying to map the internet is force to then make millions of Whois requests to compile the data.

Talking of Fraud contracts on Tor are being sold by add-servers to fake click adverts and the criminals are being paid in BitCoins and I know this because i run a public proxy server and keep an eye on whats going on.

We are not running out of Ipv4 addresse and it's a case of large american corporations sitting on millions of unused addresses but the advent of 4G phones will soon use up whats left in the coming few years.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.