|Authors||V. Giotsas, I. Livadariu and P. Gigis|
|Title||A first look at the misuse and abuse of the IPv4 Transfer Market|
|Publication Type||Proceedings, refereed|
|Year of Publication||2020|
|Conference Name||Passive and Active Measurement Conference (PAM) 2020|
|Keywords||BGP, Blacklists., IPv4 transfers, Routing|
The depletion of the unallocated IPv4 addresses and the slowpace of IPv6 deployment have given rise to the IPv4 transfer market, the trading of allocated IPv4 prefixes between organizations. Despite the policies established by RIRs to regulate the IPv4 transfer market, IPv4 transfers pose an opportunity for malicious networks, such as spammers and bulletproof ASes, to bypass reputational penalties by obtaining“clean” IPv4 address space or by offloading blacklisted addresses. Addi-tionally, IP transfers create a window of uncertainty about the legitimateownership of prefixes, which leads to inconsistencies in WHOIS recordsand routing advertisements. In this paper we provide the first detailed study of how transferred IPv4 prefixes are misused in the wild, by synthesizing an array of longitudinal IP blacklists, honeypot data, and AS reputation lists. Our findings yield evidence that transferred IPv4 addressblocks are used by malicious networks to address botnets and fraudulentsites in much higher rates compared to non-transferred addresses, while the timing of the attacks indicate efforts to evade filtering mechanisms.