Skip to content
Naked Security Naked Security

IPv4 hijackers setting up shell companies to hoard and sell addresses

Got a Whois record you haven't updated in a while? The crooks are eyeballing defunct records like that, so use it or lose it!

We’ve long known it was coming, and it finally happened in September 2015: the pool of available IPv4 addresses for North America completely dried up.

That doesn’t mean you can’t still get an IPv4 address space, which is the internet protocol that routes most internet traffic today.

Hijackers are making sure they’re one of your options to get that space: all you have to do is go buy it off some crook who set up a shell company to apply for the addresses so they could resell them to desperate buyers.

Leslie Nobile, senior director of global registry knowledge at the American Registry for Internet Numbers (ARIN), last week described the situation at the North American Network Operators Group’s NANOG 67 conference.

Here’s her presentation.

She said that the need for IPv4 is still great: people are “desperately” seeking IPv4. ARIN gets requests and calls everyday.

Some still come in requesting addresses, not realizing ARIN’s fresh out. They can get on the waiting list, where hopefuls gather to wait for an address to open up – say, if a registrant returns their address or ARIN yanks it (typically for non-payment).

They also come in, looking for a pre-approved block size, so they’re ready to conduct a transfer quickly once they find their space. Also, the transfer listing service has seen increased activity: people who need space and have space can get matched up.

All that activity’s going on because businesses are still looking to grow their networks on IPv4.

But there’s a whole other category of activity going on, Nobile said, and it’s a whole lot slimier. In that category are hijackers: people looking for space to sneak out from absentee owners and sell on the hot market.

ARIN has seen a spike in hijackings, be they attempted or successful, in the legacy space, where addresses have been dormant for years – even dating back to the 1990s.

ARIN staff have seen 25 hijackings reported since September when it ran out of addresses. In contrast, over the previous 10 years, there were only 50 verifiable hijackings.

On top of that, ARIN has found fraud rings that started their activity just before the IPv4 depletion. The crooks set up shell companies in order to hoard IPv4 address space for spamming and/or to sell.

One such ring that managed to get by ARIN without setting off a red flag managed to set up 30 shell companies and got space under each one.

ARIN defines hijacking as unauthorized changes made to database records to gain control of IP resources.

Here’s how the crims do it:

  1. They find dormant registration records in Whois (typically ones that haven’t been updated for years)
  2. They check the routing
  3. They re-register the expired domain names
  4. They then re-register the defunct business names, and go through a series of registration record modifications pretending to be the original registrant, before finally…
  5. They sell and transfer the IP addresses.

Another method that has nothing to do with ARIN but which it’s hearing about, is when crooks bring forged letters of authority to ISPs to get them to route the space.

ARIN has 30,556 legacy network records, Nobile said, but it has a validated point of contact for only 54% of them.

The remaining 46% – about 14,000 networks – have no validated point of contact, and they’re published as such. Such records are ripe for the plucking in the eyes of hijackers, Nobile said.

ARIN warned back in September that it was time to pack up and move to the successor protocol, IPv6.

Come on over to Ipv6, ARIN President and CEO John Curran urged: there’s plenty of room!

[IPv6] contains enough address space to sustain the internet for generations.

Curran told The Register that we need not worry: our ISPs will gradually – if they haven’t already – give us IPv6 connectivity so we can get at websites and other stuff on the internet using that cavernous space, all without us broadband subscribers needing to lift a finger.

In the meantime, ARIN’s been tightening up its checks to stop the hijackers. Nobile suggested we can all help by keeping Whois records up to date and responding to ARIN’s annual point of contact validation request.


“Another method that has nothing to do with ARIN but which it’s hearing about, is when crooks bring forged letters of authority to ISPs to get them to route the space.”

There’s a book about the first and most famous such hijacked domain,


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!