Last IPv4 addresses may be 'hot spots' of unwanted activity

Enterprises may pay for unwanted traffic from Internet-borne attacks and benign code for apps testing that pollute some of the remaining addresses

The few blocks of Internet addresses yet to be allocated under the old IPv4 protocol seem to be home to some "hot spots" of unwanted traffic that anyone who gets the addresses would have to pay for, a researcher said at the North American Network Operators Group conference on Monday.

No one can set up a Web server on an IP (Internet Protocol) address that hasn't been allocated, but anyone can write code that points to the unused addresses. The unexpected activity found in these "dark spaces" may come from a variety of sources, including both Internet-borne attacks and benign code for testing an application or PC. Though the traffic doesn't represent a security threat itself, an enterprise that acquired the affected addresses from an Internet service provider (ISP) typically would have to pay for the transmission of the irrelevant packets, said Manish Karir, a researcher at Merit Network. Merit is an educational network operator and Internet research center in Michigan.

[ Also on InfoWorld: "Beware the black market rising for IP addresses" and "D-Day coming for Internet service providers." | Keep up on the latest networking news with our Technology: Networking newsletter. ]

IPv4 only allows for about 4.3 billion addresses, and that supply is expected to run out within the next two years. If some of those remaining addresses are polluted with unwanted traffic, that could make the problem even more urgent for enterprises that want new, usable IPv4 addresses.

IP addresses are allocated by regional Internet administrators, usually to ISPs, which then assign smaller blocks of them to their enterprise customers. Only a small number of blocks of IPv4 addresses are still waiting to be handed out. Karir and a group of other researchers tried to find out whether the addresses at the bottom of the virtual barrel are as good as those that have already been handed out.

"There's growing concern that these blocks are less desirable," Karir said. The concern is over types of traffic that have been blocked or moved from already-allocated blocks to ones that so far haven't been assigned.

Karir's team joined with APNIC, the Internet registry for the Asia-Pacific region, to test one new block, called 1.0.0.0/8, because it was known to have been used in examples and test cases over the years. Capturing packets over a period of about 10 days, they found a large amount of traffic.

In the entire 1.0.0.0/8 block, there was an average of 170Mbps (bits per second) of sustained traffic, at an average of 150 packets per second, Karir said.

Some of the traffic occurred in a subnet called 1.1.1.0, which is commonly used to test computer and router configurations. But the researchers were puzzled by a very large amount of traffic in another subnet, which made up nearly 35 percent of all the traffic in the entire address block. So they used the Wireshark protocol analyzer to reconstruct it. The traffic consisted of fast busy signals and audio messages advising callers they had the wrong phone number. "If you'd like to make a call, please check the number and try again," said one of the messages, which Karir played for the NANOG audience.

The researchers believe these signals were a side effect of problems with SIP (Session Initiation Protocol), a commonly used technology for voice over IP and other types of packet-based communication. The signals could have appeared in the dark space because of misconfigured SIP servers or because of "SIP invite" attacks, in which a system is flooded with malformed invitations to join a SIP session, Karir said. Because of a "hard-coded default," the busy signals are configured to come to that particular subnet, he said.

Another source of packets to the address block, more than 17 percent of the total, was misdirected DNS (Domain Name System) queries embedded in Web pages that users clicked on.

Given the findings, APNIC decided to block the worst hotspot subnets within the 1.0.0.0/8 block. Cutting off the 10 worst hotspots significantly reduced the unwanted traffic, Karir said.

However, the researchers found evidence of similar types of pollution in several other unallocated address blocks, and it's hard to predict where such traffic will turn up, he said. "Each dark space is different ... because hot spots exist in strange and unusual places," Karir said.

He advised network administrators who are given polluted blocks to talk to the ISP about exchanging them. But this may become harder to do as the number of unused IPv4 addresses dwindles, he warned. There are only 16 remaining blocks of about 16.7 million addresses each, down from 22 such blocks just three months ago, Karir said.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies