Security Basics mailing list archives

Re: How to deal with unused registered public IP subnets


From: Johnny Wong <johnnywkm () gmail com>
Date: Wed, 29 Oct 2008 09:53:53 +0800

Hello there,

Thanks for replying. It was very insightful. I still think this is a business decision because IP address space can be considered as "intellectual property" or assets too. For that point, business may want to keep it if doing so does not cause too much heartburn. I also think the security risk is remote. Like someone mentioned in an earlier post, investigators will know that the owners of a spoofed IP in an attack will be the last place to look.

Cheers,

JW

At 02:30 AM 29-10-08, krymson () gmail com wrote:
I don't see any replies yet, so I'll throw down something. :)

1) I think you're on the right track with trying to give those unused IPs back, especially if you're being charged for them. Keep in mind this is not always as easy as it might sound, as they might be part of a package. Ask your networking guy and if he gives you a look and begins a lecture on how to subnet and why breaking these up is bad, walk away. :) But if you approach mgmt, I think your only real argument is that these may cost you money yearly. (Of course, it may cost more money for you to take your time to get them returned!)

2) I'm not sure how these IPs can be used for malware/spyware. Typically IP addresses can be "evil" because something is behind it. Unless your ISP has made a mistake and given those IPs to someone else, there's really nothing else that can be done with them barring routing mishaps. So, let's just assume these addresses are properly owned, routed, and nothing is behind them. They terminate at your border and that's it.

3) What do you do with them? Well, likely they already terminate on your edge devices whether you know it or not. It might not hurt to NAT them over to an internal, dedicated, hardened box and just have it sniff for incoming traffic. You could set yourself up a nice honeypot or just a listener. If those IPs have never hosted anything, all you should see is the normal white noise from the net...which itself can be an important health indicator. You could maybe even tell when someone else is scanning your owned net range, and if you feel curious, even blackhole them. You can do all sorts of curious stuff if you have the time and do it safely without jeopardizing your company's assets. If you're a member of a SOC, I'd totally pen this sort of a listener in as a rainy-day project.

4) Future use. There is nothing terribly wrong with keeping a range for future use. One could argue that at any time your company, email, or servers may find their way onto a blacklist (warranted or not). It might be easier to just redo DNS and move your services over than eat the downtime and effort required to remove yourself from them. It certainly is not a bad thing to have some options in your back pocket.

At any rate, there's some discussion for ya. If anyone else has thoughts or what they've done with such unused space, I'm up for further ideas!



<-snip->

>Hello list,
>
>Recently, in an external assessment effort, we found a list of
>public IP subnets registered under my company's name. However, about
>half of them are no longer in use. I can only guess that they
>were leftovers from mergers/acquisitions in the past. Being a good
>Internet citizen, I would release these unused subnets since there's
>a worldwide shortage of IPv4 addresses. However, bringing this point
>forward to the management is rather tricky -- because they think
>these are still the company's property, kept for future expansion and so on.
>
>There is a possibility that these unused IP subnets/addresses could be
>used for malicious intent (spyware, scam, trojan propagation,
>spoofing). What other risks are there with us retaining these IP
>subnets/addresses?
>
>What do other companies do with unused IP subnets/addresses? Do they
>just release them or keep them for future needs?
>
>Thank you,
>
>JW


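One way to turn the "listener on the unused range" idea from point 3 into a simple detector, as an added example that is not from anyone in this thread: it reads constructed firewall-style log lines, keeps only packets aimed at a placeholder unused prefix (198.51.100.0/24, a documentation range standing in for the real subnet), and flags sources that sweep several of those addresses. Real traffic to an address that has never hosted anything has no legitimate purpose, so a single hit is worth logging and a sweep is worth an alert.

```python
import ipaddress
import re
from collections import defaultdict

# Hypothetical "registered but unused" prefix; a documentation range stands in for it.
UNUSED_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample lines in the key=value style many firewalls and sniffers emit.
SAMPLE_LOG = """\
2008-10-29T02:30:01 src=203.0.113.5 dst=198.51.100.17 proto=tcp dport=445
2008-10-29T02:30:02 src=203.0.113.5 dst=198.51.100.18 proto=tcp dport=445
2008-10-29T02:30:02 src=203.0.113.5 dst=198.51.100.19 proto=tcp dport=445
2008-10-29T02:30:03 src=203.0.113.5 dst=198.51.100.20 proto=tcp dport=445
2008-10-29T02:30:09 src=203.0.113.77 dst=198.51.100.8 proto=udp dport=1434
2008-10-29T02:31:40 src=203.0.113.91 dst=198.51.100.200 proto=tcp dport=80
2008-10-29T02:31:41 src=203.0.113.91 dst=192.0.2.10 proto=tcp dport=80
"""
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)")

def parse_line(line):
    """Return (src, dst, 'proto/port') or None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, proto, dport = m.groups()
    try:
        return ipaddress.ip_address(src), ipaddress.ip_address(dst), f"{proto}/{dport}"
    except ValueError:  # malformed address: skip rather than crash the report
        return None

def summarize(log_text, scan_threshold=3):
    """Group hits on the unused range by source and flag sources that sweep it.
    Nothing legitimately lives there, so every packet aimed at it is background
    noise or reconnaissance; scan_threshold distinct addresses marks a scanner."""
    hits = defaultdict(lambda: {"dsts": set(), "ports": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, service = rec
        if not any(dst in net for net in UNUSED_PREFIXES):
            continue  # traffic to live hosts belongs to normal monitoring
        hits[str(src)]["dsts"].add(str(dst))
        hits[str(src)]["ports"].add(service)
    scanners = sorted(s for s, h in hits.items() if len(h["dsts"]) >= scan_threshold)
    return hits, scanners
```

Calling summarize(SAMPLE_LOG) reports three sources touching the unused range and names 203.0.113.5, which walked four consecutive addresses on tcp/445, as the probable scanner; the 192.0.2.10 line is ignored because that destination is a live host, not darknet space.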