inactive ip address
Stale registry records refer to CIDR ranges that are attributed to an organization even after the organization stops using them. Many users refer to these CIDR ranges as false positives, but that's a misnomer: these attributions are based on records found in a Regional Internet Registry (RIR) that attribute the CIDR ranges to the organization, so the attribution is based on objective evidence. This evidence is curated during our network mapping process, attributed to the organization, and then recorded in the Regional Internet Registry (RIR).
How do records become stale?
When CIDR ranges are allocated to Local Internet Registries (LIRs) or Internet Service Providers (ISPs), the allocation is noted in the main registry for their region. LIRs and ISPs are responsible for assigning and maintaining the sub-allocations to their customers. Though they are paid by their existing customers to maintain records, they are not motivated to clear the records for customers who terminated their contracts.
Having stale records benefits the ISP when requesting more addresses. Because the IPv4 address space is close to exhaustion, CIDR ranges are increasingly rare and valuable. New CIDR ranges are allocated only if the ISP has assigned most of its allocation. Stale records make it appear as though more CIDRs have been assigned than are actually in use.
What are the risks of stale registry records?
Cyber criminals actively look to exploit stale records, and their nefarious activities will reflect back on your organization.
Per ARIN, registration records that haven’t been updated are prime targets for hijackers and other cyber criminals. One common approach is to find registry records that haven't been updated in a few years. If it appears that the CIDR ranges aren’t being used or that the registrant is no longer in business, the perpetrators can then attempt to emulate the organization so they can take over the organization record.
Once cyber criminals succeed in taking control over the stale record, they may leverage that false equivalence with the organization to conduct illicit activities, such as attacking other organizations or hosting illegal content, while hiding behind the legitimacy of the organization of record. In addition, they may be able to take over the organization's Org ID and POC records, ultimately hijacking their internet presence and effectively conducting a denial-of-service.
Regardless of how cyber criminals use stale records, law enforcement agencies will knock on the door of the registrant of record. At best, this is an inconvenience; at worst, it can damage the registrant’s reputation.
Stale records can be a hindrance to investigation. Having access to up-to-date registration information ensures law enforcement can act quickly and confidently when investigating criminal activities. As a good netizen, it’s your responsibility to help keep the public safe by monitoring and correcting your assignments in the registries.
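One way to monitor your own assignments, as an added example that is not part of the original article: it reads RDAP-style network records (RFC 9083 field names), flags those not updated within an assumed three-year window, and flags those that overlap nothing in a hypothetical in-use inventory. The sample records, handles and `IN_USE` list are constructed.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Constructed RDAP "ip network" objects (RFC 9083 field names). Handles are
# made up and the addresses come from documentation ranges.
SAMPLE_RDAP = json.loads("""[
  {"handle": "NET-EXAMPLE-1", "startAddress": "192.0.2.0", "endAddress": "192.0.2.255",
   "events": [{"eventAction": "registration", "eventDate": "2009-04-02T10:00:00Z"},
              {"eventAction": "last changed", "eventDate": "2012-06-15T08:30:00Z"}]},
  {"handle": "NET-EXAMPLE-2", "startAddress": "198.51.100.0", "endAddress": "198.51.100.127",
   "events": [{"eventAction": "last changed", "eventDate": "2024-11-01T09:00:00-05:00"}]},
  {"handle": "NET-EXAMPLE-3", "startAddress": "203.0.113.0", "endAddress": "203.0.113.255",
   "events": [{"eventAction": "registration", "eventDate": "2016-01-20T00:00:00Z"}]}
]""")

# Hypothetical inventory of the ranges the organization actually routes today.
IN_USE = ["198.51.100.0/25", "203.0.113.64/26"]

def last_touched(net):
    """Date of the 'last changed' event, else 'registration', else None."""
    dates = {e["eventAction"]: e["eventDate"] for e in net.get("events", [])}
    raw = dates.get("last changed") or dates.get("registration")
    return datetime.fromisoformat(raw.replace("Z", "+00:00")) if raw else None

def audit(networks, in_use, now, max_age_years=3):
    """Return {handle: [findings]} for records that need a registry update."""
    inventory = [ipaddress.ip_network(c) for c in in_use]
    report = {}
    for net in networks:
        first = ipaddress.ip_address(net["startAddress"])
        last = ipaddress.ip_address(net["endAddress"])
        cidrs = list(ipaddress.summarize_address_range(first, last))
        findings = []
        touched = last_touched(net)
        # Assumed threshold: "a few years" is taken as max_age_years.
        if touched is None or (now - touched).days > max_age_years * 365:
            findings.append("stale")
        # Registered to us but overlapping nothing we run: ask the ISP to remove it.
        if not any(c.overlaps(i) for c in cidrs for i in inventory):
            findings.append("not-in-use")
        if findings:
            report[net["handle"]] = findings
    return report

if __name__ == "__main__":
    now = datetime(2025, 2, 14, tzinfo=timezone.utc)  # fixed date so output is stable
    for handle, findings in audit(SAMPLE_RDAP, IN_USE, now).items():
        print(handle, ", ".join(findings))
```

Records flagged `not-in-use` are candidates for a dissociation request; records flagged `stale` but still in use need their registration details refreshed.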
How do I get my organization dissociated from a CIDR block?
Reach out to your ISP. If the ISP is unresponsive, you can escalate to the associated registrar. This process is detailed in Updating IP Registration.
- February 14, 2025: Added clarifying language.
- August 9, 2022: Published.