A company accused of fraudulently obtaining 757,000 IPv4 addresses has been ordered to hand them back after the American Registry for Internet Numbers (ARIN) won a landmark judgment against it.
The dispute began in late 2018 when ARIN, which allocates IPv4 addresses in the US, Canada and parts of the Caribbean on a non-profit basis, discovered that a company called Micfo and its owner Amir Golestan had fraudulently tricked it into handing over the IP blocks.
IPv4 addresses are in incredibly short supply (see below), which means that getting hold of them involves waiting lists. Scarcity also makes them valuable on resale – between $13 and $19 each. That would make the IP addresses Micfo obtained worth between $9.8 million and $14.3 million.
Not surprisingly, cases of pocket-lining IP address fraud have risen, as ARIN’s senior director of global registry knowledge, warned about in a conference presentation in 2016.
Second-hand addresses
How do the fraudsters get hold of the addresses? By using the simple technique ARIN accused Micfo of deploying.
The key is that a lot of IPv4 addresses were handed out in the past when nobody worried about shortages, and a surprising proportion of those addresses fell into disuse.
Criminals attempt to detect these dormant ranges using public data from ARIN and Whois, checking which ones are still being used (i.e. routed).
If they’re not, and no longer have an active admin, they attempt to take them over using re-registration, claiming rights to them from ARIN.
According to ARIN, from 2014 onwards Golestan and Micfo used 11 ‘shelf’ companies across the US as fronts to obtain the 757,760 IP addresses, backing this up with faked notarised affidavits from staff who turned out not to exist.
Even when ARIN detected the fraud, Micfo continued to resist, seeking a restraining court order against the organisation. It also filed for arbitration, the first time this has happened in such a case.
On 1 May 2019, Micfo lost this arbitration and was ordered to hand back the addresses and pay ARIN $350,000 to cover legal fees. Golestan now faces charges of wire fraud carrying a possible 20-year sentence.
Some of the addresses are being used by bona fide buyers and probably won’t be returned. Nevertheless, the case has highlighted the growing problem of IP address fraud. Said ARIN president and CEO, John Curran:
We are stepping up our efforts to actively investigate suspected cases of fraud against ARIN and will revoke resources and report unlawful activity to law enforcement whenever appropriate.
Why the shortage?
As a 32-bit addressing scheme, IPv4 is limited to a maximum of 232, or 4,294,967,296, possibilities. (Several hundred million of those are reserved, so the true number available is actually somewhat lower.)
When IPv4 was defined decades ago, billions of routable addresses seemed plenty.
Not every device needs a public-facing, routable IP number – computers on a LAN can freely use one of several million different private numbers reserved for local networks.
But every network, even if it’s just one laptop at home, needs at least one public IP if it’s to make it onto the internet.
Warnings about the imminent exhaustion of these IPv4 addresses go back years, with IANA announcing that it was running out in 2011, followed by Europe’s RIPE in 2012, and North America’s ARIN in 2015.
What they meant by ‘running out’ is that as time passes they are managing scarcity by handing out smaller and smaller blocks of addresses to organisations requesting them.
As mentioned above, a lot of already allocated IPv4 addresses are still out there and have merely fallen into disuse, which is where address recycling comes in.
The long-term solution is supposed to be IPv6, finalised in 1998, which increases the address space to 128 bits.
That bumps the theoretical number of possible IP addresses to the enormous number 2128 – a stash that’s trillions of trillions times bigger than the number of grains of sand on earth and should therefore never run out.
But if you already have a website registered at an IPv4 address, why bother firing up an IPv6 equivalent? Many networks just haven’t bothered, so even those who have adopted IPv6 generally need to do IPv4 networking as well for backward compatibility.
What might eventually drive people to IPv6 is economics. As soon as the cost of IPv4 addresses crosses a threshold, IPv6 will suddenly look more attractive.
Unfortunately, exactly the same thing will draw criminals to second-hand IPv4 addresses. ARIN’s latest case is unlikely to be its last.