Abuse of the IPv4 Transfer Markets
Vasileios Giotsas, Ioana Livadariu, Petros Gigis
AIMS 2020
IPv4 Transfers
IPv4 address transactions that occur between organisations.
[Figure: timeline per RIR (RIPE NCC, ARIN, APNIC, LACNIC) of the date the transfer policy was adopted and the date of the first reported transfer, for intra-RIR transfers (2008 to 2016) and inter-RIR transfers (2012 to 2016)]
Transfer markets: a viable source of IPv4 space
Transfer market size is increasing (both the number of transactions and the number of IP addresses).
[Figure: number of IP addresses transferred per year, 2009 to 2019, log scale, broken down by intra-RIR market (APNIC, ARIN, RIPE, LACNIC) and by inter-RIR direction (ARIN -> APNIC, APNIC -> ARIN, APNIC -> RIPE, RIPE -> APNIC, RIPE -> ARIN, ARIN -> RIPE)]
Overview
Do IPv4 transfer markets pose an opportunity for malicious actors?
1. Compile and process the transferred IPv4 addresses
• Usage of the IP address space
• Participants in the IPv4 transfer market
2. Analyze the IP addresses against a dataset of malicious activities
• Blacklisted IP addresses
• Blacklisting timing
Datasets
• IPv4 reported transfers [1]: transferred prefix, seller, buyer, transfer date
• WHOIS DB: org-to-ASN mapping
• BGP data [2]: deployed (routed) IP space
• Scans [3,4]: IP/port usage of the transferred space
• IP blacklists [5,6]
• Honeypots [7]
• Non-legitimate ASes [8]
Combined to correlate malicious activity with transferred addresses.
[1] RIRs, IPv4 reported transfers
[2] Routeviews and RIPE RIS
[3] USC/ISI LANDER project, https://www.isi.edu/~johnh/PAPERS/Heidemann09b.html
[4] Rapid7 Project Sonar, TCP and UDP scans, https://opendata.rapid7.com/
[5] Zhao et al., A Decade of Mal-Activity Reporting: A Retrospective Analysis of Internet Malicious Activity Blacklists, AsiaCCS 2019
[6] UCEPROTECT Network Project, http://www.uceprotect.net/en/
[7] Bad Packets (https://badpackets.net/botnet-c2-detections/), BinaryEdge (https://www.binaryedge.io/data.html)
[8] Testart et al., Profiling BGP Serial Hijackers: Capturing Persistent Misbehavior in the Global Routing Table, IMC 2019
A significant percentage of the transferred prefixes appears blacklisted
Blacklisted transferred IPs are distributed across 40% of the routed transferred prefixes.
A significant percentage of the transferred prefixes appears blacklisted
Transferred prefixes are disproportionately represented in the blacklists for every type of malicious activity except spamming.
[Figure: routed prefixes with blacklisted IPs (%), 0 to 30, transferred vs. non-transferred, per category: Unwanted Programs, Exploits, Malware, Phishing, Fraudulent Services, Spammers; blacklist categories from Zhao et al., A Decade of Mal-Activity Reporting: A Retrospective Analysis of Internet Malicious Activity Blacklists, AsiaCCS 2019]
When do the transferred IPs get blacklisted?
• Compare the transfer date with the blacklisting timing
• Buyers are more prone to abuse of the IP space than sellers
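The two analysis steps above (matching blacklisted IPs to transferred prefixes, then comparing the blacklisting date with the transfer date to attribute the abuse to the seller or the buyer) can be reproduced with a small join over the two datasets. The following is an added example, not code from the paper or its authors; the transfer records and blacklist events are constructed sample data using documentation prefixes, and the holder rule (before the transfer date the seller is the holder of record, on or after it the buyer is) is an assumption of this example.

```python
"""Join blacklist events against IPv4 transfer records and attribute each hit
to the seller or the buyer by comparing dates.  Added example, constructed data."""
from dataclasses import dataclass
from datetime import date
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Transfer:
    prefix: IPv4Network
    date: date        # date the transfer was reported by the RIR
    seller: str       # organisation handing over the block
    buyer: str        # organisation receiving the block


@dataclass(frozen=True)
class BlacklistEvent:
    ip: str
    first_seen: date  # first date the IP appeared on a blacklist
    category: str     # e.g. malware, phishing, spammers


# Constructed sample transfers (RFC 5737 documentation prefixes, invented dates/orgs).
TRANSFERS = [
    Transfer(ip_network("192.0.2.0/24"), date(2016, 3, 1), "ORG-SELLER-A", "ORG-BUYER-B"),
    Transfer(ip_network("198.51.100.0/24"), date(2015, 8, 15), "ORG-SELLER-C", "ORG-BUYER-D"),
    Transfer(ip_network("203.0.113.0/24"), date(2017, 1, 10), "ORG-SELLER-E", "ORG-BUYER-F"),
]

# Constructed sample blacklist events; the last one is outside every transferred block.
BLACKLIST = [
    BlacklistEvent("192.0.2.17", date(2016, 9, 3), "malware"),
    BlacklistEvent("192.0.2.200", date(2015, 12, 20), "phishing"),
    BlacklistEvent("198.51.100.5", date(2015, 8, 15), "spammers"),
    BlacklistEvent("10.0.0.1", date(2016, 1, 1), "exploits"),
]


def find_transfer(ip, transfers):
    """Longest-prefix match of a blacklisted IP against the transferred blocks.
    Returns the matching Transfer, or None if the IP was never transferred."""
    addr = ip_address(ip)
    best = None
    for t in transfers:
        if addr in t.prefix and (best is None or t.prefix.prefixlen > best.prefix.prefixlen):
            best = t
    return best


def days_after_transfer(event, transfer):
    """Signed offset in days between blacklisting and the transfer date
    (negative means the IP was blacklisted before the block changed hands)."""
    return (event.first_seen - transfer.date).days


def attribute(event, transfers):
    """Return (transfer, holder) where holder is 'seller' or 'buyer',
    or (None, None) when the IP lies outside every transferred block.
    Assumption: blacklisting strictly before the transfer date happened while the
    seller held the block; on or after that date the buyer is the holder of record."""
    t = find_transfer(event.ip, transfers)
    if t is None:
        return None, None
    holder = "seller" if days_after_transfer(event, t) < 0 else "buyer"
    return t, holder


def summarize(events, transfers):
    """Count blacklist events per holder and report which transferred prefixes were hit.
    Returns (counts, hit_prefixes, fraction_of_transferred_prefixes_hit)."""
    counts = {"seller": 0, "buyer": 0, "untransferred": 0}
    hit_prefixes = set()
    for ev in events:
        t, holder = attribute(ev, transfers)
        if t is None:
            counts["untransferred"] += 1
        else:
            counts[holder] += 1
            hit_prefixes.add(t.prefix)
    return counts, hit_prefixes, len(hit_prefixes) / len(transfers)


if __name__ == "__main__":
    counts, hit, frac = summarize(BLACKLIST, TRANSFERS)
    print(counts, sorted(str(p) for p in hit), f"{frac:.0%} of transferred prefixes hit")
```

On the sample data the summary attributes two events to buyers and one to a seller, and two of the three transferred prefixes carry at least one blacklisted address. On real data the same join needs the routed (BGP) view as well, since a transferred prefix that was never announced cannot be hit by scan-driven blacklists, and a blacklist whose entries are re-listed daily needs the first-seen date rather than the latest listing to avoid counting old abuse against the buyer.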
Future Work
• Develop predictive techniques for blacklisting based on monitoring the reported IPv4 transfers
• Augment our malicious-activity datasets (IBR, DDoS, spoofing, honeypots)
• Investigate non-canonical patterns in the reported transfers (e.g. networks that are both seller and buyer)