STE WILLIAMS

CEO told to hand back 757,000 fraudulently obtained IP addresses

A company accused of fraudulently obtaining 757,000 IPv4 addresses has been ordered to hand them back after the American Registry for Internet Numbers (ARIN) won a landmark judgment against it.

The dispute began in late 2018 when ARIN, which allocates IPv4 addresses in the US, Canada and parts of the Caribbean on a non-profit basis, discovered that a company called Micfo and its owner Amir Golestan had fraudulently tricked it into handing over the IP blocks.

IPv4 addresses are in incredibly short supply (see below), which means that getting hold of them involves waiting lists. Scarcity also makes them valuable on resale – between $13 and $19 each. That would make the IP addresses Micfo obtained worth between $9.8 million and $14.3 million.

Not surprisingly, cases of pocket-lining IP address fraud have risen, as ARIN’s senior director of global registry knowledge warned in a conference presentation in 2016.

Second-hand addresses

How do the fraudsters get hold of the addresses? By using the simple technique ARIN accused Micfo of deploying.

The key is that a lot of IPv4 addresses were handed out in the past when nobody worried about shortages – a surprising proportion of which fell into disuse.

Criminals attempt to detect these dormant ranges using public data from ARIN and Whois, checking which ones are still being used (i.e. routed).

If they’re not, and no longer have an active admin, they attempt to take them over using re-registration, claiming rights to them from ARIN.

According to ARIN, from 2014 onwards Golestan and Micfo used 11 ‘shelf’ companies across the US as fronts to obtain the 757,760 IP addresses, backing this up with faked notarised affidavits from staff who turned out not to exist.

Even when ARIN detected the fraud, Micfo continued to resist, seeking a restraining court order against the organisation. It also filed for arbitration, the first time this has happened in such a case.

On 1 May, Micfo lost this arbitration and was ordered to hand back the addresses and pay ARIN $350,000 to cover legal fees. Golestan now faces charges of wire fraud carrying a possible 20-year sentence.

Some of the addresses are being used by bona fide buyers and probably won’t be returned. Nevertheless, the case has highlighted the growing problem of IP address fraud. Said ARIN president and CEO, John Curran:

We are stepping up our efforts to actively investigate suspected cases of fraud against ARIN and will revoke resources and report unlawful activity to law enforcement whenever appropriate.

Why the shortage?

As a 32-bit addressing scheme, IPv4 is limited to a maximum of 2^32, or 4,294,967,296, possibilities. When it was defined decades ago, that seemed plenty.

Even though not every device needs one of these addresses (router/ISP Network Address Translation hides lots of networks and devices behind a single IP), this won’t work for routable servers receiving incoming traffic.

Warnings about the imminent exhaustion of these IPv4 addresses go back years with IANA announcing that it was running out in 2011, followed by Europe’s RIPE in 2012, and North America’s ARIN in 2015.

What they meant by ‘running out’ is that as time passes they are managing scarcity by handing out smaller and smaller blocks of addresses to organisations requesting them.

Ironically, a lot of already allocated IPv4 addresses are still out there and have merely fallen into disuse, which is where address recycling comes in.

The long-term solution is supposed to be IPv6, finalised in 1998, which increases the address space to 128 bits and the number of possible IP addresses to a very large number (2^128).

The problem with moving to IPv6 is that because it requires operating systems, websites and routing hardware to support it, migration is happening very slowly.

If you already have a website registered at an IPv4 address, why bother firing up an IPv6 equivalent? Having an internet with two separate address spaces is like driving on the left but being told that it might be a good idea to drive on the right too – people understandably stick to what they know.

What might eventually drive people to IPv6 is economics. As soon as the cost of IPv4 addresses crosses a threshold, IPv6 will suddenly look more attractive.

Unfortunately, exactly the same thing will draw criminals to second-hand IPv4 addresses. ARIN’s latest case is unlikely to be its last.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/u_V5vmHdUrM/
