Article illustration 1

The depletion of IPv4 addresses in 2011 marked not just the end of freely available internet real estate, but the dawn of a new era of addressing complexity. Today, the entire IPv4 space increasingly resembles the historical 'swamp'—once a derogatory term for the inefficient, disorganized /24 prefixes in the 192/8 block. As scarcity forces smaller allocations and volatile transfers, routing tables swell while security systems grapple with unpredictable address reputations, reshaping internet infrastructure fundamentals.

The Original Swamp: A Prelude to Modern Chaos

In the 1990s, network operators coined 'The Swamp' to describe the 192/8 block, where rampant /24 assignments created routing inefficiencies. These tiny prefixes couldn't be aggregated, bloating routing tables with disorganized entries. By the early 2000s, 80% of 192/8 was assigned, contributing 10% of global routing entries. Routers from that era couldn't handle today's ~1 million IPv4 routes—a sixfold increase since 2004. This foreshadowed today's reality: a decentralized internet where fragmented addressing is the norm.

Scarcity's Legacy: Smaller Blocks and Market Frenzy

Since IANA allocated its last IPv4 /8 blocks to Regional Internet Registries (RIRs) in 2011, address distribution has intensified. Cloud giants like AWS and Microsoft aggressively acquire large blocks, splitting them for global data centers, while a secondary market sees /16+ blocks trading for six figures. Leasing and waitlists are now commonplace. Analysis of the last five free-pool /8s (102/8, 103/8, 104/8, 179/8, and 185/8) reveals a trend toward fragmentation:

  • By 2014, average assignments were ~/22-sized blocks.
  • By 2024, registries like ARIN and LACNIC shifted to smaller prefixes, with RIPE NCC even assigning sub-/24 'micro' blocks.
Article illustration 2

Figure 2: IPv4 last free pool registration prefix sizes (2014), showing early fragmentation trends.

Article illustration 3

Figure 3: 2024 data confirms smaller assignments across RIRs, nearing the /24 norm.

Crucially, this mirrors 192/8's legacy, where /24s dominate. As Figure 4 shows, over half of today’s routing entries are /24s—up from 50% to nearly 60%.

Article illustration 4

Figure 4: 192/8 registration in 2024, highlighting the persistent /24 dominance.

Routing and Security Implications: The Unstable Foundation

Routing tables now reflect this fragmentation, but imperfectly. While 192/8 has only 62% route coverage (leaving 38% unreachable), last-pool blocks like APNIC’s 103/8 show 72% coverage via 42,000+ routes—significantly more than LACNIC’s 179/8, which achieves near-total coverage with fewer, larger prefixes. The disparity underscores how small prefixes inflate routing overhead.

Security faces greater risks. Address volatility—where blocks change hands rapidly—decouples IPs from historical reputations. A prefix once hosting benign residential traffic might shift to a bulletproof hosting provider, enabling DDoS attacks or scraping. This volatility complicates threat mitigation:

  • False positives/negatives: Blocklists become unreliable as reputations shift.
  • DDoS resilience: Attackers exploit transient addresses to evade detection.
  • Reputation systems: Traditional models falter, requiring real-time, context-aware analysis.

NETSCOUT’s ASERT team notes rising DDoS and scanning incidents linked to this instability, urging adaptive defenses like continuous address-space monitoring and behavior-based threat scoring.

The New Normal: Embracing the Swamp

IPv6 adoption grows yearly, but IPv4 remains entrenched. The 'swamp' metaphor faded not because inefficiency vanished, but because it became ubiquitous. As John Kristoff, a University of Illinois Chicago researcher and NETSCOUT analyst, emphasizes, this fragmentation demands rethinking security: 'Volatility in address-reputation pairing necessitates dynamic, holistic threat intelligence beyond static blocklists.' The internet’s addressing foundation is more fluid—and fragile—than ever.

Originally published on the APNIC Blog.