Abuse Issues and IP Addresses

Introduction

We receive many reports of spam, apparent hacker activity, and other forms of abuse. Most frequently, people make these reports because they have found an Internet address associated with the abusive activity, and through a bit of research, they find the IANA name associated in some way with that address.

In virtually all such cases, the association of the IANA name with a particular address is not actually useful in dealing with the abuse incident. IANA is a set of record-keeping functions we provide; it is not an ISP, and we have no control over the use of any Internet Protocol (IP) addresses except the very few that are directly tied to the iana.org domain name.

This document was written to explain our role and to provide some pointers that may be useful in actually resolving abuse cases.

The IANA Role in the Internet

The word "authority" in the IANA name is perhaps a bit misleading: it means that the IANA service keeps authoritative records concerning various numbers for other organizations; the choice of what goes into these records is determined by a variety of engineering and other considerations. We serve as a record-keeper (also known as a registry) in recording the assignments that are made.

In addition to IP addresses, we also serve as a registry for thousands of other types of Internet names and identifiers.

It is important to realize that we are not an ISP in any way, and we do not provide any network services to any end users or organizations. We do not control the use of any of the numbers recorded in our registries, nor, in general, do we have the authority to change the values we record.

Structure of IP Addresses

IP addresses are numbers, but are expressed in specialized formats. Currently there are two types of IP addresses in active use, version 4 (IPv4) and version 6 (IPv6):

  • IPv4 addresses are represented as 4 numbers separated by dots, with each number in the range 0-255. For example, 192.0.2.80 or 203.0.13.25.

  • IPv6 addresses are represented as a series of one or more groups of hexadecimal digits, separated by colons. Hexadecimal digits are comprised of the numbers 0-9 and letters a-f. There are many more possible numbers in IPv6 so the addresses tend to be longer. For example, 2001:db8::abc:587.

Allocation of IP Addresses

We maintain the overall global address space for IP addresses, but we do not allocate them directly to network operators or end users. Instead, we allocate large blocks of numbers to five Regional Internet Registries (RIRs) who service regions of the world, as follows:

  • AFRINIC (Africa and parts of the Indian Ocean)
  • APNIC (Asia/Pacific Region)
  • ARIN (North America and parts of the Caribbean)
  • LACNIC (Latin America and parts of the Caribbean)
  • RIPE NCC (Europe, the Middle East and Central Asia)

The RIRs are the organizations that actually allocate IP addresses to network operators and ISPs.

Not all address space is allocated to RIRs. IANA retains certain blocks either because they are not yet allocated for any purpose, or because they have been designated for special-use purposes for the entire Internet community.

Special-Use Addresses

Several address ranges are reserved for special purposes. These addresses all have restrictions of some sort placed on their use, and in general should not appear in normal use on the public Internet. The overview below briefly explains the purpose of these addresses – in general they are used in specialized technical contexts.

Particularly notable ranges include:

Address ranges: Purpose

  • 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255 and 192.168.0.0 - 192.168.255.255: Private usage with local networks, such as within homes or corporations. See Private-use addresses.

  • 169.254.0.0 - 169.254.255.255: Addresses in this range are used automatically by most network devices when they are configured to use IP, do not have a static IP address assigned and are unable to obtain an IP address using DHCP. This traffic is intended to be confined to the local network, so the administrator of the local network should look for misconfigured hosts. Some ISPs inadvertently also permit this traffic, so you may also want to contact your ISP.

  • 127.0.0.0 - 127.255.255.255: Each computer on the Internet uses this range to identify itself, to itself, known as a "loopback". This construct allows a computer to confirm that it can use IP and for different programs running on the same machine to communicate with each other using IP. Most software only uses 127.0.0.1 for loopback purposes (the other addresses in this range are seldom used). All of the addresses within the loopback range are treated with the same levels of restriction in Internet routing, so it is difficult to use any other addresses within this block for anything other than node-specific applications, generally bootstrapping.

  • 224.0.0.0 - 239.255.255.255: Used for providing multicast services in the Internet. Multicast services allow a computer to send a single message to many destinations. Examples include the software that keeps computers' clocks synchronised and television services delivered over IP, typically by cable ISPs. Various addresses in this range are used by routers and others are used by hosts that are listening to multicast sessions. These addresses are available for any host that wants to participate in multicast, and typically are assigned dynamically. The source address should not be multicast (without prior agreement). The destination address may be multicast. For technical background information please see RFC 1112 and RFC 2236.

A more exhaustive list of addresses is in the IPv4 Special Purpose Address Registry and IPv6 Special Purpose Address Registry, and discussed in Special-Purpose IP Address Registries (RFC 6890).

Finding the person responsible for an address

For assigned IP addresses, you can use online databases to trace the organization or entity to which an IP address has been assigned. Network operation tools can also trace where those networks connect to the Internet, although such tools may require special expertise, and you may need to ask your network operator or ISP to use them on your behalf.

As IANA does not allocate blocks to network operators directly, you first need to identify which Regional Internet Registry is responsible for a given address. You may then look up the address in their registry to find out which network operator the IP address has been assigned to. There are two technologies that may be used for such a lookup, either WHOIS or RDAP. Both provide similar data, but RDAP is more modern and provides additional features.

ICANN provides an RDAP Lookup Tool that allows you to enter an IP address and quickly find the records from the respective Regional Internet Registry.
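
The triage order described on this page, as an added example (not IANA code): check an address from an abuse report against the special-use ranges first, and only then route an assigned address to its RIR's RDAP service. The `triage` function, the `SAMPLE_SERVICES` prefix-to-RIR entries and the RDAP base URLs are assumptions constructed for illustration; in practice, load current registry data.

```python
import ipaddress

# Special-use ranges from the table on this page, written as CIDR prefixes.
SPECIAL_USE = {
    "10.0.0.0/8": "private-use",
    "172.16.0.0/12": "private-use",
    "192.168.0.0/16": "private-use",
    "169.254.0.0/16": "link-local",
    "127.0.0.0/8": "loopback",
    "224.0.0.0/4": "multicast",
}

# Constructed sample shaped like an RDAP bootstrap "services" list:
# [[prefixes], [base URLs]]. Assumption: real triage loads current registry data.
SAMPLE_SERVICES = [
    [["41.0.0.0/8"], ["https://rdap.afrinic.net/rdap/"]],
    [["203.0.0.0/8"], ["https://rdap.apnic.net/"]],
    [["8.0.0.0/8"], ["https://rdap.arin.net/registry/"]],
    [["200.0.0.0/8"], ["https://rdap.lacnic.net/rdap/"]],
    [["193.0.0.0/8"], ["https://rdap.db.ripe.net/"]],
]


def triage(reported):
    """Return (category, rdap_url_or_None) for an address from an abuse report."""
    try:
        addr = ipaddress.ip_address(reported.strip())
    except ValueError:
        return ("invalid", None)
    for cidr, label in SPECIAL_USE.items():
        if addr in ipaddress.ip_network(cidr):
            return (label, None)  # reserved; not assigned to a network operator
    if not addr.is_global:
        # Listed in the special-purpose registries but not in the table above.
        return ("other-special-use", None)
    best = None  # longest matching prefix wins
    for prefixes, urls in SAMPLE_SERVICES:
        for cidr in prefixes:
            net = ipaddress.ip_network(cidr)
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, urls[0])
    if best is None:
        return ("assigned", None)  # prefix not in the sample data
    return ("assigned", f"{best[1]}ip/{addr}")


if __name__ == "__main__":
    for ip in ["192.168.1.10", "192.0.2.80", "203.0.13.25", "2001:db8::abc:587"]:
        print(ip, triage(ip))
```

A special-use result means the address in the report identifies no operator to contact; only an "assigned" result is worth an RDAP or WHOIS lookup.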

Fabricated (or "spoofed") IP addresses

It is quite possible that an IP address in an e-mail header could be fabricated.

E-mail protocols are not secure and anyone with the minor technical skills necessary can forge any part of an e-mail. Forgeries are generally trivial to identify. We cannot locate the individuals who forge e-mail headers. In fact, return addresses can be spoofed right down to the packet level. (Just like in postal mail, one can put pretty much anything as a return address, but if there is a problem with the "to" address, the letter can't be delivered.) IP addresses can be spoofed in protocols other than e-mail, as well.

DNS Blackhole

In reports relating to private use IP addresses and other special-use IP addresses, you may encounter references to a DNS blackhole service, with references like "blackhole.iana.org" or "prisoner.iana.org". These relate to a service that helps alleviate unnecessary DNS traffic being generated by those IP addresses, and is described in our DNS Blackhole article.

Published 2010-06-15, last revised 2024-01-26.