735,000 IPv4 addresses were taken from a scammer and returned to the registry


    Regional Internet registries and their service areas. The described fraud occurred in the ARIN zone.

    In the early days of the Internet, IPv4 addresses were handed out to anyone in large subnets. Today, companies queue up at their regional registry to get even a small address space. On the black market, one IP address costs from $13 to $25, so registries are struggling with a mass of shadow brokers whose business is simple: obtain new blocks of IP addresses under a false pretext, then resell them to spammers. In May 2019, the regional registry ARIN managed to seize IP addresses from one such shadow broker, who now faces criminal charges.

    About 735,000 IP addresses were returned to the registry. This is the first time that IP addresses have been taken from scammers after a lawsuit.

    On May 14, South Carolina prosecutors charged Amir Golestan with wire fraud, which he carried out through his company Micfo LLC and a network of shell companies. These companies registered IPv4 subnets, which were then resold to spammers.

    The criminal complaint contains 20 counts of fraud. In some cases, the price at which Golestan sold the addresses is indicated. For example, he sold one subnet of 65,536 addresses at $13 apiece, receiving $851,896. He had another contract to sell 327,680 addresses at $19 apiece for a total of $6.22 million, but that last transaction was blocked.

    Interestingly, Micfo itself initiated a lawsuit at the end of last year, suing ARIN (the American Registry for Internet Numbers). Prior to this, the registry had informed Golestan that it had discovered the shell companies and threatened to withdraw about 735,000 IP addresses if Micfo did not agree to provide more information about its operations and customers.

    Since by that time Micfo had already sold part of the addresses to spammers, it refused to provide this information. As a result, the court rejected the company's request.

    But under an agreement Micfo had signed with ARIN, any further dispute had to be resolved through arbitration. On May 13, the arbitration panel ordered Micfo to pay $350,000 for ARIN's legal services and to return the 735,000 IP addresses that the company had not yet sold.

    Here is a list of some of the shell companies and fictitious persons that Golestan fabricated in order to obtain IPv4 subnets (from court documents):


    Websites were created for the companies and fictitious persons, email addresses were registered, and so on. Requests for IPv4 subnets were submitted to ARIN on their behalf. In such a request, the company has to describe the nature of its business and list the names of employees and other information about the company. Golestan fabricated all the documents.

    Under this scheme, he obtained approximately 757,760 addresses from ARIN, the market value of which the prosecutor's office estimated at $9,850,880 to $14,397,440. The scheme had been operating since 2014. The table below lists the successful requests to ARIN for IP ranges; Golestan began selling addresses in 2017.


    According to an ARIN press release, Micfo registered 11 shell companies throughout the US and intentionally created false identities for fictitious executives of these companies in order to fraudulently obtain IPv4 addresses from ARIN.

    “It was a complicated operation,” said Stephen Ryan, a former federal attorney who represented ARIN in this lawsuit. “All eleven shell companies for Micfo are still on the Internet, where you see all these wonderful people who supposedly work there. And we received notarized affidavits in these fictitious names.”

    Independent experts say that Micfo is not the only shadow broker to have tricked ARIN into handing over subnets. Over the years, the American Registry for Internet Numbers has not been very active in fighting fraud.

    Schemes with shell companies may also be operating in Russia, although such massive seizures of subnets from shadow brokers have not yet occurred there. To qualify for a /22 block of IPv4 addresses from the European registry RIPE NCC, you need to register as a local Internet registry (LIR) and pay a membership fee. LIR status is usually obtained by Internet service providers, telecommunications companies, large enterprises and academic institutions. LIRs receive address blocks from the RIPE NCC and assign IP addresses to their clients.

    Consulting companies operate in Russia that help clients register an LIR for a small fee of around 36,000 rubles (plus 15,000 rubles for annual support). Obviously, a /22 block of IPv4 addresses is worth much more, even at a minimum estimate of $12 apiece. /22 blocks are sold and leased.

    It is possible that someone is engaged in such a business. According to statistics for 2012-2018, the allocation rate of IPv4 addresses in Europe grew quadratically. RIPE NCC attributes this to the fact that more and more local registries have been registered. A record number of new LIRs are registered in the UK, Germany and Russia.



    In November 2015, RIPE banned the registration of additional local registries by members of the RIPE NCC, but this did not help, so in May 2016 the restriction was removed. At this point, organizations began to register new legal entities in order to receive /22 blocks. It is reported that one RIPE NCC member managed to get 66 /22 blocks, although only one was issued per local registry.

    A year ago, RIPE announced the distribution of the last /22 block from the last /8 block, but the RIPE NCC pool still held 9 million “recovered” addresses (that is, addresses seized from former owners). According to the Coordination Center's calculations, this will be enough for about two more years if issued to local registries at one /22 each.

    To date, many organizations have registered huge IPv4 ranges that they barely use and are not going to give away (for example, the 16.8 million addresses in block 44.0.0.0/8, allegedly registered for amateur radio, or the 218 million IP addresses of the US Department of Defense: 11.0.0.0/8, 22.0.0.0/8, 26.0.0.0/8, 28.0.0.0/8, 29.0.0.0/8, 30.0.0.0/8 and 33.0.0.0/8).

    Other blocks are used very intensively. A visualization with Hilbert curves shows well how the roughly 4.2 billion (2³²) addresses of the address space are distributed.

    IPv4 Address Space Allocation, April 2018

    For comparison, here's what IPv6 address space allocation looks like.







    IPv6 Address Space Allocation, April 2018
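
    How the Hilbert-curve maps mentioned above place address blocks, as an added example that is not part of the original article: it draws a 16x16 text map with one cell per /8 and marks the amateur radio and Department of Defense blocks the article lists. The function names and the one-cell-per-/8 granularity are assumptions made for this sketch.

```python
import ipaddress

def hilbert_d2xy(order, d):
    """Map position d along a Hilbert curve to (x, y) on a 2**order-wide grid."""
    x = y = 0
    s = 1
    while s < (1 << order):
        rx = 1 & (d >> 1)
        ry = 1 & (d ^ rx)
        if ry == 0:                      # rotate/flip the sub-square built so far
            if rx == 1:
                x, y = s - 1 - x, s - 1 - y
            x, y = y, x
        x += s * rx
        y += s * ry
        d >>= 2
        s <<= 1
    return x, y

def cell_of(block):
    """Cell of the /8 that contains `block` on a 16x16 map (assumed: one cell per /8)."""
    net = ipaddress.ip_network(block, strict=False)
    return hilbert_d2xy(4, int(net.network_address) >> 24)

# Blocks named in the article: R = amateur radio, D = US Department of Defense.
LEGEND = {
    "R": ["44.0.0.0/8"],
    "D": ["11.0.0.0/8", "22.0.0.0/8", "26.0.0.0/8", "28.0.0.0/8",
          "29.0.0.0/8", "30.0.0.0/8", "33.0.0.0/8"],
}

def render(legend):
    """Return the 16x16 map as text, '.' for every /8 not in the legend."""
    grid = [["."] * 16 for _ in range(16)]
    for mark, blocks in legend.items():
        for block in blocks:
            x, y = cell_of(block)
            grid[y][x] = mark
    return "\n".join("".join(row) for row in grid)

def is_continuous(order):
    """True if consecutive curve positions are always neighbouring, distinct cells."""
    cells = [hilbert_d2xy(order, d) for d in range(4 ** order)]
    steps = all(abs(ax - bx) + abs(ay - by) == 1
                for (ax, ay), (bx, by) in zip(cells, cells[1:]))
    return steps and len(set(cells)) == len(cells)

if __name__ == "__main__":
    print(render(LEGEND))
```

    Because numerically adjacent prefixes land in neighbouring cells, a contiguous range such as 28.0.0.0/8 through 30.0.0.0/8 shows up as one compact patch rather than scattered points.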



