The few blocks of Internet addresses yet to be allocated under the old IPv4 protocol seem to be home to some "hot spots" of unwanted traffic that anyone who gets the addresses would have to pay for, a researcher said at the North American Network Operators Group conference on Monday.
No one can set up a Web server on an IP (Internet Protocol) address that hasn't been allocated, but anyone can write code that points to the unused addresses. The unexpected activity found in these "dark spaces" may come from a variety of sources, including both Internet-borne attacks and benign code for testing an application or PC. Though the traffic doesn't represent a security threat itself, an enterprise that acquired the affected addresses from an Internet service provider (ISP) typically would have to pay for the transmission of the irrelevant packets, said Manish Karir, a researcher at Merit Network. Merit is an educational network operator and Internet research center in Michigan.
[ Also on InfoWorld: "Beware the black market rising for IP addresses" and "D-Day coming for Internet service providers." | Keep up on the latest networking news with our Technology: Networking newsletter. ]
IPv4 only allows for about 4.3 billion addresses, and that supply is expected to run out within the next two years. If some of those remaining addresses are polluted with unwanted traffic, that could make the problem even more urgent for enterprises that want new, usable IPv4 addresses.
IP addresses are allocated by regional Internet administrators, usually to ISPs, which then assign smaller blocks of them to their enterprise customers. Only a small number of blocks of IPv4 addresses are still waiting to be handed out. Karir and a group of other researchers tried to find out whether the addresses at the bottom of the virtual barrel are as good as those that have already been handed out.
"There's growing concern that these blocks are less desirable," Karir said. The concern is over types of traffic that have been blocked or moved from already-allocated blocks to ones that so far haven't been assigned.
Karir's team joined with APNIC, the Internet registry for the Asia-Pacific region, to test one new block, called 220.127.116.11/8, because it was known to have been used in examples and test cases over the years. Capturing packets over a period of about 10 days, they found a large amount of traffic.
In the entire 18.104.22.168/8 block, there was an average of 170Mbps (bits per second) of sustained traffic, at an average of 150 packets per second, Karir said.
Some of the traffic occurred in a subnet called 22.214.171.124, which is commonly used to test computer and router configurations. But the researchers were puzzled by a very large amount of traffic in another subnet, which made up nearly 35 percent of all the traffic in the entire address block. So they used the Wireshark protocol analyzer to reconstruct it. The traffic consisted of fast busy signals and audio messages advising callers they had the wrong phone number. "If you'd like to make a call, please check the number and try again," said one of the messages, which Karir played for the NANOG audience.