Fraudsters are Buying IPv4 Addresses

IPv4 addresses are valuable, so criminals are figuring out how to buy or steal them.

Hence criminals’ interest in ways to land themselves IP addresses, some of which were detailed this week by ARIN’s senior director of global registry knowledge, Leslie Nobile, at the North American Network Operators Group’s NANOG 67 conference.

Nobile explained that criminals look for dormant ARIN records and try to establish themselves as the rightful administrator. ARIN has 30,556 legacy network records, she said, but a validated point of contact for only 54 per cent of those networks. The remaining ~14,000 networks are ripe for targeting by hijackers who Nobile said are only interested in establishing legitimacy with ARIN so they can find a buyer for unused IPv4 addresses possessed by dormant legacy networks.

Criminals do so by finding dormant ARIN records and Whois data to see if there is a valid contact, then ascertaining if IPv4 allocations are currently routed. If the assigned addresses are dark and no active administrator exists, hijackers can revive dormant domain names or even re-register the names of defunct companies in order to establish a position as legitimate administrators of an address space. If all goes well, the hijackers end up with addresses to sell.

Video presentation here.

Posted on June 22, 2016 at 1:15 PM13 Comments


bcs June 22, 2016 1:56 PM

Aside from it being done without consent of the prior owner, this sounds like a public service I wound have no problem with someone getting paid to provide.

Jason June 22, 2016 2:41 PM

@bcs I’m inclined to agree with you. Seems that such a resource shouldn’t not be allowed to squander away. What should happen is a process to expire such ownerships, that way people like you and I can have our own IPv4 blocks w/out getting them from IP scalpers.

Mark Welch June 22, 2016 3:02 PM

The headline of your article is misleading, I think. Fraudsters are hijacking IPv4 address blocks, then reselling them. I’m sure that other fraudsters are among the buyers, but most of them, I assume, are good people.

Note that there are additional obstacles: many of these dubious address blocks are on blacklists and “drop” lists which preclude their announcement by legitimate providers, and sharply limits their usefulness.

Tatütata June 22, 2016 3:53 PM

Could someone enlighten me about the current market value of IP address blocks?

I believe I know at least on class-B block (65536 IP addresses) which is only marginally used. How much money could they get by subdividing it into C-blocks and selling it off like if it were just another suburban subdivision?

Mark Welch June 22, 2016 4:19 PM

Tatutata, do a quick Google search for “valuing IPv4 address blocks” and you’ll come up with some info. I see values (one-time purchase) ranging from $8 to $15 per IPv4 address.

Some providers who will delegate IPv4 blocks to customers will charge something like $1 per IPv4 address, per month (so a /24 would cost $256/month, and a /22 would cost $1,024/month).

de La Boetie June 22, 2016 4:52 PM

Were the notion of IPv6 “obsoleting” v4 realistic, the v4 addresses might not be as valuable.

As it is, IPv6 is a crock in so many ways.

Tatütata June 22, 2016 5:42 PM

Thanks, for once it didn’t even occur to me to try to look it up.

At 8-15 dollars each, the IPV4 addresses aren’t quite as valuable as I would have thought. If one had asked me to guess, I would have ventured at least $100 per address, with the prices shooting up as the shortages set in.

In my eyes, the IPV4 doesn’t seem to be quite the mess that the North-American telephone numbering plan degenerated into, with its splits and overlays and un-reclaimable number ranges. But the IP issue seems to be more discussed than the NANP.

Oscar June 24, 2016 7:00 AM

Sounds more like a recycling effort, even if it is digging through your neighbor’s trash for unused materials.

Nim June 24, 2016 2:00 PM

I guess the NANP is not a global issue.

The lack of IPv4 addresses is getting a problem in EU where we don’t have as many addresses as US.

Nick July 4, 2016 1:00 PM

If IPv6 were widely deployed, none of this would matter.
Why isn’t IPv6 taking off? Who/what is blocking it?

James December 7, 2016 9:55 AM

I hate to break it to people but the internet is broken because Arin does not know who owns some addresses and cannot even point you to Ripe, Apnic, Aficnic or Lancnic when a Whois request is made and in some cases they send you to one registry who then sends you back to Arin so you end up in a loop.

The data does not audit if you go deep and you check the data from arin ip-ranges based on the “OrgID” then it does not match with other Whois Data from Arin when it comes to ranges and we are not just talking of daily updates.

Lancnic has a rate limit on request and would like everyone to work at a snails pace and Africnic servers are always going down, next to useless and would not be around if open up to competing with the outside world.

All these main registrar’s seem to be using notepad when it comes to content mananment and have yet to discover what a template is since any number of key fields can be missing from Whois requests on TCP:43 and they all need to work to a fixed standard and stick to it or do they need more than 20 years to get there act togeather ?

Bulk import of data is useless from these un-accountable peoviders since they hide behind the data protection act when it comes to bulk data so anyone trying to map the internet is force to then make millions of Whois requests to compile the data.

Talking of Fraud contracts on Tor are being sold by add-servers to fake click adverts and the criminals are being paid in BitCoins and I know this because i run a public proxy server and keep an eye on whats going on.

We are not running out of Ipv4 addresse and it’s a case of large american corporations sitting on millions of unused addresses but the advent of 4G phones will soon use up whats left in the coming few years.

Abraham Y. Chen July 15, 2018 3:43 PM

The whole IP address subject is a mess starting from day one of the Internet. For any communication system, the identification tag on each participating device is an essential part of the operation. It is a common resources that should not be “owned” by individual parties in any sense. Like it or not, the traditional PSTN (Public Switched Telephone Network) industry did this correctly, avoided so much of the headaches that we are getting from the Internet today.

Not only IPv4 addresses were given away initially (to some degree, the IPv6 is being treated similarly, except requiring some justification.), but also became private properties that could stay idle without being questioned, while others are suffering from the shortage of it. Now, those unidentifiable addresses are even somehow being kept from been reassign, yet sitting there waiting to be grabbed by hackers. This looks to me is a fundamental issue with the the Internet operation philosophy.

Relating to the topic of relieving the pressure of IPv4 address exhaustion, below is the result of a study that we accidentally ventured into. It utilizes nothing more than the original IPv4 protocol RFC791 and the long-reserved yet hardly-utilized 240/4 address block to expand the IPv4 pool by 256M fold. We have submitted a draft proposal called EzIP (phonetic for Easy IPv4) to IETF:

Basically, the EzIP approach will not only resolve IPv4 address shortage issues, but also largely mitigate the root cause to cyber security vulnerabilities, plus open up new possibilities for the Internet, all within the confines of the IPv4 domain. In fact, this scheme may be deployed “stealthily” for isolated regions where needed. These should relieve the urgency to deploy the IPv6 for an appreciable length of time, and invalidate the market of trading the IPv4 addresses.

Any thought or comment will be much appreciated.

Abe(2018-07-15 16:26)

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.