{"id":4191,"date":"2016-06-23T22:06:33","date_gmt":"2016-06-23T14:06:33","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=4191"},"modified":"2016-06-23T22:07:11","modified_gmt":"2016-06-23T14:07:11","slug":"criminal-rings-hijacking-unused-ipv4-address-spaces","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2016\/06\/criminal-rings-hijacking-unused-ipv4-address-spaces\/","title":{"rendered":"Criminal Rings Hijacking Unused IPv4 Address Spaces"},"content":{"rendered":"<p>So apparently this Hijacking Unused IPv addresses has been going on for a while, but with quite a lot number of attempts recently it&#8217;s ramped up a LOT since the <a href=\"https:\/\/www.arin.net\/announcements\/2015\/20150924.html\">September announcement by ARIN about IPv4 depletion<\/a>. There was only only 50 hijacking attempts between 2005 and 2015.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.darknet.org.uk\/wp-content\/uploads\/2016\/06\/ipv4-hijacking-our-experience-5-638.jpg\" alt=\"Criminal Rings Hijacking Unused IPv4 Address Spaces\" width=\"638\" height=\"479\" class=\"aligncenter size-full wp-image-4192\" \/><\/p>\n<p>Since September, ARIN has already seen 25 such attacks though &#8211; which is basically 5 years worth. <\/p>\n<blockquote><p>IPv4 addresses are now so valuable that criminals are setting up shell companies so they can apply for addresses, then resell them to users desperate to grow their networks.<\/p>\n<p>Criminals are doing so because there are no more IPv4 addresses left: the American Registry for Internet Numbers (ARIN) ran out in September 2015.<\/p>\n<p>ARIN maintains a waiting list for address buyers and also oversees a market for used IPv4 addresses. While it is conceivable that some users will hand back addresses they no longer require, the IPv4 transfer market is short of stock.<\/p>\n<p>Hence criminals&#8217; interest in ways to land themselves IP addresses, some of which were detailed this week by ARIN&#8217;s senior director of global registry knowledge, Leslie Nobile, at the North American Network Operators Group&#8217;s NANOG 67 conference.<\/p>\n<p>Nobile explained that criminals look for dormant ARIN records and try to establish themselves as the rightful administrator. ARIN has 30,556 legacy network records, she said, but a validated point of contact for only 54 per cent of those networks. The remaining ~14,000 networks are ripe for targeting by hijackers who Nobile said are only interested in establishing legitimacy with ARIN so they can find a buyer for un-used IPv4 addresses possessed by dormant legacy networks.<\/p><\/blockquote>\n<script async src=\"https:\/\/pagead2.googlesyndication.com\/pagead\/js\/adsbygoogle.js?client=ca-pub-3033787195489589\"\r\n     crossorigin=\"anonymous\"><\/script>\r\n<!-- Darknet Responsive Post Ad Links [previously link ad unit] -->\r\n<ins class=\"adsbygoogle\"\r\n     style=\"display:block\"\r\n     data-ad-client=\"ca-pub-3033787195489589\"\r\n     data-ad-slot=\"5456620019\"\r\n     data-ad-format=\"auto\"><\/ins>\r\n<script>\r\n     (adsbygoogle = window.adsbygoogle || []).push({});\r\n<\/script>\n<p>So if you&#8217;re a company that owns a dormant IPv4 address space, give it back or sell it &#8211; because people need it! And secondly, it might get stolen anyway.<\/p>\n<p>From the figures it seems there&#8217;s about 15,000 dormant network records without a validated point of contact.<\/p>\n<blockquote><p>Criminals do so by finding dormant ARIN records and Whois data to see if there is a valid contact, then ascertaining if IPv4 allocations are currently routed. If the assigned addresses are dark and no active administrator exists, hijackers can revive dormant domain names or even re-register the names of defunct companies in order to establish a position as legitimate administrators of an address space. If all goes well, the hijackers end up with addresses to sell.<\/p>\n<p>This activity is not rampant, but is rising fast: Nobile said ARIN detected about 50 such hijacking attempts between 2005 and 2015. Since announcing IPv4 depletion in September 2015 the organisation has detected about 25.<\/p>\n<p>Nobile said ARIN has also found \u201cfraud rings \u2026 people who set up shell companies in order to hoard IPv4 address spaces.\u201d<\/p>\n<p>These fraudsters came into existence just before the depletion of the IPv4 address space. One entity created 30 shell companies with the sole intention of securing addresses for later re-sale.<\/p>\n<p>\u201cThey were good,\u201d Nobile admitted. \u201cThey got by us.\u201d<\/p>\n<p>ARIN&#8217;s tightened its checks of late to stop hijackers and fraudsters. Nobile suggested you do likewise by keeping Whois records up to date and responding to ARIN&#8217;s annual point of contact validation request.<\/p><\/blockquote>\n<p>Keep your WHOIS records up to date, especially contact details for your network blocks, even if they are in use &#8211; it will go a long way towards not getting jacked.<\/p>\n<p>Same goes for domains.<\/p>\n<p>Source: <a href=\"http:\/\/www.theregister.co.uk\/2016\/06\/16\/ipv4_hijacking\/\">The Register<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>So apparently this Hijacking Unused IPv addresses has been going on for a while, but with quite a lot number of attempts recently it&#8217;s ramped up a LOT since the September announcement by ARIN about IPv4 depletion. There was only only 50 hijacking attempts between 2005 and 2015. Since September, ARIN has already seen 25 [&hellip;]<\/p>\n","protected":false},"author":25,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"So apparently this Hijacking Unused IPv addresses has been going on for a while, but with quite a lot number of attempts recently, it's definitely ramped up","_seopress_robots_index":"","_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[23,5],"tags":[],"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"Darknet","author_link":"https:\/\/www.darknet.org.uk\/author\/darknet\/"},"_links":{"self":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/4191"}],"collection":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/users\/25"}],"replies":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/comments?post=4191"}],"version-history":[{"count":0,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/4191\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/media?parent=4191"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/categories?post=4191"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/tags?post=4191"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}