Demystifying the IP blackspace

Jacquemart, Quentin; Vervier, Pierre-Antoine; Urvoy-Keller, Guillaume; Biersack, Ernst
RAID 2015, 18th International Symposium on Research in Attacks, Intrusions and Defenses, November 2-4, 2015, Kyoto, Japan / Also published in LNCS 9404, Book Chapter of "Research in Attacks, Intrusions, and Defenses"

A small part of the IPv4 address space has still not been assigned for use to any organization. However, some of this IP space is announced through BGP, and is, therefore, globally reachable. These prefixes which are a subset of the bogon prefixes, constitute what we call the blackspace.It is generally admitted that the blackspace stands to be abused by anybody who wishes to carry out borderline and/or illegal activities without being traced.

The contribution of this paper is twofold. First, we propose a novel methodology to accurately identify the IP blackspace. Based on data collected over a period of seven months, we study the routing-level characteristics of these networks and identify some benign reasons why these networks are announced on the Internet. Second, we focus on the security threat associated with these networks by looking at their applicationlevel footprint. We identify live IP addresses and leverage them to fingerprint services running in these networks. Using this data we uncover a large amount of spam and scam activities. Finally, we present a case study of confirmed fraudulent routing of IP blackspace.


DOI
HAL
Type:
Conference
City:
Kyoto
Date:
2015-11-02
Department:
Digital Security
Eurecom Ref:
4705
Copyright:
© Springer. Personal use of this material is permitted. The definitive version of this paper was published in RAID 2015, 18th International Symposium on Research in Attacks, Intrusions and Defenses, November 2-4, 2015, Kyoto, Japan / Also published in LNCS 9404, Book Chapter of "Research in Attacks, Intrusions, and Defenses" and is available at : http://dx.doi.org/10.1007/978-3-319-26362-5_6

PERMALINK : https://www.eurecom.fr/publication/4705