Abuse of the IPv4 Transfer Markets, Vasileios Giotsas, Ioana Livadariu

SLIDE 1

Abuse of the IPv4 Transfer Markets

Vasileios Giotsas, Ioana Livadariu, Petros Gigis

AIMS 2020

SLIDE 2

IPv4 Transfers

IPv4 address transactions that occur between organisations

[Figure: timeline marking the date of the transfer policy and of the first transfer. Intra-RIR transfers: ARIN, RIPE NCC, LACNIC, APNIC. Inter-RIR transfers: between ARIN, APNIC and RIPE. Dates on the timeline: Dec '08, Jun '09, Oct '09, Feb '10, Jan '11, Jul '12, Oct '12, Sep '15, Dec '15, Feb '16, Mar '16, Sep '16.]

SLIDE 3

Transfer markets: viable source of IPv4 space

Transfer market size is increasing (number of transactions and IP addresses)

[Figure: number of IP addresses transferred per year (log scale, 10^0 to 10^8), 2009 to 2019, by market: APNIC, ARIN, RIPE, LACNIC, ARIN -> APNIC, APNIC -> ARIN, APNIC -> RIPE, RIPE -> APNIC, RIPE -> ARIN, ARIN -> RIPE.]

SLIDE 4

Overview

Do IPv4 transfer markets pose an opportunity for malicious actors?

  1. Compile and process the IPv4 transferred addresses
  2. Analyze the IP addresses against a dataset of malicious activities
  • Usage of the IP address space
  • Participants on the IPv4 transfer market
  • Blacklisted IP addresses
  • Blacklisting timing
SLIDE 5

Datasets

  • IPv4 Reported Transfers [1]
  • WHOIS DB
  • BGP data [2]
  • IP/Port Scans [3,4]
  • IP Blacklists [5,6]
  • Honeypots [7]
  • Non-legitimate ASes [8]

Deployed IP space, Transferred date, Org-to-ASNs

Correlation of malicious activity for transferred addresses

[1] RIRs, IPv4 reported transfers
[2] Routeviews and RIPE RIS
[3] USC/ISC LANDER project, https://www.isi.edu/~johnh/PAPERS/Heidemann09b.html
[4] RAPID7's project Sonar, TCP and UDP scans, https://opendata.rapid7.com/
[5] Zhao et al., A Decade of Mal-Activity Reporting: A Retrospective Analysis of Internet Malicious Activity Blacklists, AsiaCCS 2019
[6] UCEPROTECT: Network Project, http://www.uceprotect.net/en/
[7] Badpackets (https://badpackets.net/botnet-c2-detections/), BinaryEdge (https://www.binaryedge.io/data.html)
[8] Testart et al., Profiling BGP Serial Hijackers: Capturing Persistent Misbehavior in the Global Routing Table, IMC 2019

SLIDE 6

Significant percentage of the transferred prefixes appears blacklisted

Blacklisted transferred IPs are distributed across 40% of the routed prefixes.

SLIDE 7

Significant percentage of the transferred prefixes appears blacklisted

[Figure: bar chart of routed prefixes with blacklisted IPs (%)*, Transferred vs. Non-Transferred, per activity type: Unwanted Programs, Exploits, Malware, Phishing, Fraudulent Services, Spammers. Axis ticks: 7.5, 15, 22.5, 30.]

Transferred prefixes are disproportionately represented in the blacklist for every type of malicious activity except spamming

*Zhao et al., A Decade of Mal-Activity Reporting: A Retrospective Analysis of Internet Malicious Activity Blacklists, AsiaCCS 2019

SLIDE 8

When do the transferred IPs get blacklisted?

  • Compare the transfer date with the blacklisting timing
  • Buyers are more prone to abuse of the IP space
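
One way to carry out the transfer-date versus blacklisting-date comparison, as an added example that is not the authors' code. The record layout, labels and function names are assumptions, and the sample records are constructed from documentation address ranges; the example also covers address space that was transferred more than once.

```python
import ipaddress
from collections import Counter
from datetime import date

# Constructed sample records using documentation address ranges (not study data).
TRANSFERS = [  # (transferred prefix, transfer date)
    ("198.51.100.0/24", date(2017, 3, 1)),
    ("203.0.113.0/24", date(2016, 1, 10)),
    ("203.0.113.0/25", date(2018, 6, 15)),  # part of the /24, transferred again later
]
BLACKLIST = [  # (IP address, date first listed)
    ("198.51.100.7", date(2016, 11, 20)),
    ("198.51.100.9", date(2017, 5, 2)),
    ("203.0.113.5", date(2018, 7, 1)),
    ("203.0.113.200", date(2015, 12, 30)),
    ("192.0.2.1", date(2019, 1, 1)),
]

def load_transfers(rows):
    """Parse each prefix once so membership tests stay cheap."""
    return [(ipaddress.ip_network(p), d) for p, d in rows]

def classify(ip, listed, transfers):
    """Return (label, days) for one blacklist entry.

    after_transfer: listed on or after the most recent covering transfer
    (the holder at listing time is the buyer); days = listing - that transfer.
    before_transfer: listed before any covering transfer (the holder is the
    seller); days = first transfer - listing.
    """
    addr = ipaddress.ip_address(ip)
    dates = sorted(d for net, d in transfers if addr in net)
    if not dates:
        return ("not_transferred", None)
    earlier = [d for d in dates if d <= listed]
    if earlier:
        return ("after_transfer", (listed - earlier[-1]).days)
    return ("before_transfer", (dates[0] - listed).days)

def summarize(blacklist, transfers):
    """Count blacklist entries per timing label."""
    return Counter(classify(ip, d, transfers)[0] for ip, d in blacklist)

if __name__ == "__main__":
    transfers = load_transfers(TRANSFERS)
    for ip, listed in BLACKLIST:
        print(ip, listed, *classify(ip, listed, transfers))
    print(dict(summarize(BLACKLIST, transfers)))
```

The constructed counts say nothing about the study's result; with real transfer logs and blacklist feeds, the day offsets show how close to the transfer date a listing falls.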
SLIDE 9

Future Work

  • Develop predictive techniques for blacklisting based on monitoring the reported IPv4 transfers
  • Augment our malicious datasets (IBR, DDoS, Spoofing, Honeypots)
  • Investigate non-canonical patterns in the reported transfers (e.g., networks that are both seller and buyer)