Used IPv4 addresses need a ‘vehicle history check’

Like used cars, there are risks involved in acquiring used IPv4 addresses

It's a case of 'buyer beware' with used IPv4 addresses


Before buying a used car, prospective buyers can review vehicle histories in most states of Australia through a service such as the NSW Roads & Traffic Authority’s Vehicle History Check. The histories include information about how many owners the vehicle has had, whether it has been written off or stolen and other information that helps consumers understand the risks of purchasing the car.

Now that new IPv4 addresses are history, there is a developing market for acquiring ‘used’ IPv4 addresses. And like used cars, there are risks involved in acquiring these used addresses. So, where is the Vehicle History Check for IPv4 addresses?

Reputation follows used IPv4 addresses

When companies buy used IPv4 addresses, they are also buying the reputation of those addresses. If an address was either knowingly or unknowingly part of a malware network, it probably carries a negative rating that a typical acceptable use policy would block. Without maintenance cycles, that previous history may reside in web filtering and reputation ratings systems long after the malware attack is over, sometimes for years. These old ratings can result in blocked pages when the new owner deploys the addresses. Requests that are blocked will ultimately drive new ratings in static databases, but the frustration of being blocked for multiple days or longer has a high cost.

Often web filtering and reputation ratings solutions use human raters to continuously add new ratings but neglect to review existing ratings on a regular basis for quality control. The de facto practice is to wait for a complaint and then react with updated ratings.

Not long ago, Cisco expanded its website only to find that a leading web filtering solution blocked the new pages. The root cause was used IPv4 addresses that had been used in a web attack a few years ago.


As long as new IPv4 addresses were available, this practice had minimal impact. As we now enter an era in which only used IPv4 addresses are available, the impact becomes more visible. The option of having human raters work late nights or a few weekends a month to review millions of ratings is futile. The web is expanding too quickly with two-way publishing and new web services and applications for humans to keep pace with manual ratings. What’s more, the expansion of the web is creating large legacy ratings databases that are too large to review periodically for quality. IPv4 address reuse brings the issue to the forefront and puts new owners at risk of being blocked.

Real-time ratings improve ratings relevancy

Real-time rating technologies change the game. They not only rate new web content on the fly to protect users, but during off-peak hours they can also re-rate existing entries for quality control and greater relevancy. If an IPv4 address was used as part of a web threat and that threat no longer exists, the negative rating should be removed. Or, if an IPv4 address was related to objectionable content (for example, pornography) or unproductive content (such as games) but no longer is, these ratings should be removed, as they are frequently blocked by acceptable use policies.

This need for real-time ratings takes on a new dimension in the face of dynamically generated web threats that poison search engine results to drive users to phishing attacks, fake anti-malware offers or fake software updates. Real-time ratings become paramount to quickly detect these machine-generated attacks and immediately protect users.

In the absence of a Vehicle History Check for IPv4 addresses, buyers should beware. Knowing where an address came from and how it has been used will save a lot of headaches and costs down the road.

Qing Li is Chief Scientist at Blue Coat Systems and is responsible for the design and implementation of the IPv6 Secure Web Gateway Appliance at Blue Coat. He has published several reference titles, including ‘IPv6 Core Protocols Implementation’ and ‘IPv6 Advanced Protocols Implementation’. Qing is an active FreeBSD developer and committer.
