Regional Internet Registries and their service areas. The described fraud occurred in the ARIN zone.
In the early days of the Internet, IPv4 addresses were handed out to anyone in large subnets. Today, companies queue up at a regional registry to get even a small address space. On the black market, one IP address costs from $13 to $25, so registries have to contend with many shadow brokers whose business is simple: obtain new blocks of IP addresses under a false pretext and then resell them to spammers. In May 2019, the regional registry ARIN was able to take IP addresses back from a shadow broker who has been criminally charged.
About 735,000 IP addresses were returned to the registry. This is the first time that IP addresses have been taken from fraudsters after a trial.
On May 14, the prosecutor's office of South Carolina charged Amir Golestan with wire fraud (fraud using electronic means of communication), which he carried out through his firm Micfo LLC and a network of dummy companies. They obtained IPv4 subnets and then resold them to spammers.
The filing that opened the criminal case lists 20 cases of fraud. In some cases, the price at which Golestan sold the addresses is indicated. For example, he sold one subnet of 65,536 addresses for $13 per address, receiving $851,896. He had another contract to sell 327,680 addresses for $19 per address, for a total of $6.22 million, but that last transaction was blocked.
Interestingly, Micfo itself initiated a lawsuit at the end of last year, suing ARIN (American Registry for Internet Numbers). Before that, the registry had informed Golestan that it had discovered the dummy companies and threatened to revoke about 735,000 IP addresses unless Micfo agreed to provide more information about its operations and customers.
Since by that time Micfo had already sold some of the addresses to spammers, it refused to provide this information. As a result, the court rejected the company's request.
But under the agreement Micfo had signed with ARIN, any further dispute had to be resolved through arbitration. On May 13, the arbitration panel ordered Micfo to pay $350 thousand for ARIN legal services and to return the 735,000 IP addresses that the company had not yet sold.
Here is a list of some of the dummy companies and fictitious persons that Golestan fabricated in order to obtain IPv4 subnets (from court documents):
For the companies and fictitious persons, websites were created, email addresses were registered, and so on. On their behalf, requests for IPv4 subnets were submitted to ARIN. In such an application, the company must describe its line of business, list the names of its employees and give other information about itself. Golestan fabricated all of the documents.
Through this scheme, he acquired approximately 757,760 addresses from ARIN; the prosecutor's office put their market value at $9,850,880 to $14,397,440. The scheme had been in operation since 2014. The table below lists the successful requests to ARIN for the allocation of IP ranges; Golestan started selling addresses in 2017.
According to an ARIN press release, Micfo registered 11 dummy companies throughout the United States and deliberately created false identities for the fictitious leaders of these companies in order to fraudulently obtain IPv4 resources from ARIN.
“It was a difficult operation,” said Stephen Ryan, a former federal prosecutor who represented ARIN in this lawsuit. “All eleven front companies for Micfo are still on the Internet, where you see all these wonderful people who supposedly work there. And we received notarized affidavits for these fictitious names.”
Independent experts say that Micfo is not the only shadow broker to have tricked ARIN out of subnets. For many years, the American Internet numbers registry did not fight fraud very actively.
It is possible that schemes with fake companies also operate in Russia, although no such large-scale seizures of subnets from shadow brokers have occurred yet. To qualify for a /22 block of IPv4 addresses from the European registry RIPE NCC, you need to register as a local Internet registry (LIR) and pay a membership fee. LIR status is usually obtained by Internet providers, telecommunications companies, large enterprises and academic institutions. LIRs receive blocks of addresses from the RIPE NCC and assign IP addresses to their clients.
There are consulting companies in Russia that help clients register an LIR for a small fee of around 36,000 rubles (plus 15 thousand rubles for annual support). Obviously, a /22 block of IPv4 addresses is worth much more, even at the minimum estimate of $12 per address. /22 blocks are sold and leased.
It is possible that someone has gone into such a business. According to statistics for 2012-2018, the rate of IPv4 address allocation in Europe grew quadratically. The RIPE NCC attributes this to the growing number of registered local registries. A record number of new LIRs are registered in the UK, Germany and Russia.

In November 2015, RIPE prohibited members of the RIPE NCC from registering additional local registries, but this did not help, so in May 2016 the restriction was lifted. At this point, organizations started registering new legal entities in order to receive /22 blocks. Reportedly, one RIPE NCC member was able to get 66 /22 blocks, although only one was issued per local registry.
A year ago, RIPE announced the distribution of the last /22 block of the last /8 block, but 9 million "recovered" addresses (that is, addresses taken back from former owners) remained in the RIPE NCC pool. According to the Coordination Centre's calculations, this is enough for about two more years if local registries are issued one /22 each.
Many organizations hold IPv4 ranges that are huge by today's standards, are practically unused and are not going to be given up (for example, 16.8 million addresses in the block 44.0.0.0/8, registered allegedly for amateur radio, or the 218 million IP addresses of the United States Department of Defense: 11.0.0.0/8, 22.0.0.0/8, 26.0.0.0/8, 28.0.0.0/8, 29.0.0.0/8, 30.0.0.0/8 and 33.0.0.0/8).
Other blocks are used very intensively. For example, a visualization with Hilbert curves shows well how the address space of approximately 4.2 billion (2³²) addresses is allocated.
IPv4 address space allocation, April 2018
For comparison, here’s what the IPv6 address space allocation looks like.
IPv6 Address Space Distribution, April 2018
