news
Suspicious network resurrections
***UPDATE** Dec 1st 2020: A big thank you to Telia Carrier, Hurricane Electric and GTT for taking swift and positive action in shutting down the related announcements.* We believe there is a serious issue relating to the equivalent of 56 “/20” networks, with a corresponding 230k IPv4 addresses. The total...
In this guide
Jump to
UPDATE Dec 1st 2020: A big thank you to Telia Carrier, Hurricane Electric and GTT for taking swift and positive action in shutting down the related announcements.
We believe there is a serious issue relating to the equivalent of 56 “/20” networks, with a corresponding 230k IPv4 addresses. The total value of these is approximately $5M to $6M1 . This is an urgent notification to all organizations involved; ARIN and the backbones, in addition to the legitimate owners, whose IPv4 ranges and ASNs may have been used without their authorization.
What activity has Spamhaus observed?
Over the past few days, we have observed 52 networks in the ARIN (North-America) area concurrently burst into life. Until this week, all these networks had been dormant (not routed) for a significant length of time. Even more unusual is that a different autonomous system number (ASN), also previously inactive, has announced each network.
In 48 cases, these are /20 networks amounting to 4096 IPv4 addresses, and in the remaining 4 cases, they are /19 networks with 8192 addresses.
Why do we consider this to be a problem?
- The improbability of the timing Occasionally, organizations that have gone offline do reappear on the internet; however it’s a rarity. Meanwhile, the probability of 52 organizations simultaneously choosing to go back online is almost nil.
- No relationships between each network and the announcing ASN As far as we can deduce there is no relation between each network and the ASN announcing it, other than they’ve been inactive for some time. For instance: 198.14.0.0/20 assigned to Hybrid Networks in Cupertino, CA, is seen announced by AS14126 assigned to VoiceStar in Philadelphia, PA.
Traceroutes and pings indicate that they are all physically hosted in the New York City area, in the US. 3. Suspect Border Gateway Protocol (BGP) paths and connecting major backbones The BGP paths connecting these American networks to the New York City hosting facility involve several Ukrainian ASNs, namely: * AS204293 and AS204815 - LLC SOLAR STRATEGIA, Chernivtsi, UA * AS201292 - Agrofirma Aleks PP, Chumaky, UA * AS42602 - KING-TRANS LLC, Kyiv, UA * AS209946 - ALINDA LLC, Mykolayiv, UA * AS205145 - Start Telecom LLC, Kyiv, UA * AS205268 - Ipcom invest LLC, Kyiv, UA Additionally, the above Ukrainian companies appear to be connecting these "suddenly reborn" networks to major backbones, notably: * Telia (AS1299) and Hurricane Electric (AS6939) for AS42602, * Cogent (AS174) for AS209946, * GTT (AS3257) for AS201292, * Lumen (AS3356) for AS205268.
What action has Spamhaus taken?
Given the unlikelihood that these routes are legitimate, we have placed almost all of them on our DROP (Do not Route or Peer) list, until their owners clarify the situation.
Here are the full details of the networks and associated resources, as well as the Spamhaus Block List (SBL) ID referring to their case
| Network | SBL ID | Announcer | Path(s) |
|---|---|---|---|
| 207.183.144.0/20 | SBL502938 | 10758 | 13321 |
| 159.127.48.0/20 | Resolved | 11292 | 204293204293 |
| 206.41.128.0/20 | SBL502936 | 11393 | 204815204815 |
| 64.250.144.0/20 | SBL502906 | 11587 | 204293 |
| 209.17.192.0/20 | SBL502942 | 12139 | 15315 |
| 207.183.64.0/20 | SBL502907 | 13321 | 42602 |
| 209.66.128.0/20 | SBL180438 | 13732 | 204293 |
| 140.82.96.0/20 | SBL502920 | 14124 | 204293204293 |
| 198.14.0.0/20 | SBL502904 | 14126 | 204293 |
| 209.161.64.0/19 | SBL502939 | 14206 | 42602 |
| 167.224.32.0/20 | SBL502894 | 14741 | 201292 |
| 209.17.208.0/20 | SBL502942 | 14835 | 15315 |
| 209.95.64.0/19 | SBL502940 | 1531515315 | 202244202244 |
| 209.148.16.0/20 | SBL502902 | 16646 | 204293 |
| 206.183.128.0/20 | SBL502901 | 16726 | 204293 |
| 207.201.112.0/20 | SBL502896 | 16817 | 204293 |
| 72.1.224.0/20 | SBL502930 | 16916 | 204815204185 |
| 206.183.144.0/20 | SBL502901 | 18463 | 204293 |
| 76.191.0.0/20 | SBL502905 | 18695 | 204293 |
| 207.201.96.0/20 | SBL502896 | 19145 | 204293 |
| 104.251.192.0/20 | SBL502923 | 19451 | 201292 |
| 207.183.128.0/20 | SBL502938 | 19666 | 13321 |
| 207.244.0.0/20 | SBL502898 | 21560 | 204293 |
| 24.170.208.0/20 | SBL502917 | 22117 | 204293 |
| 192.252.16.0/20 | SBL502925 | 22619 | 201292 |
| 131.153.192.0/20 | SBL502929 | 22715 | 204815204185 |
| 198.151.16.0/20 | SBL244694 | 22979 | 201292 |
| 207.244.16.0/20 | SBL502898 | 23072 | 204293 |
| 107.191.240.0/20 | SBL502915 | 25811 | 204293 |
| 207.201.64.0/20 | SBL502896 | 25897 | 204293 |
| 207.244.32.0/20 | SBL502898 | 26125 | 204293 |
| 207.201.80.0/20 | SBL502896 | 26460 | 204293 |
| 209.66.144.0/20 | SBL180438 | 26466 | 204293204293 |
| 24.236.16.0/20 | SBL502928 | 27428 | 204815 |
| 207.244.48.0/20 | SBL502898 | 29752 | 204293 |
| 64.255.192.0/20 | SBL387690 | 30159 | 204293 |
| 98.143.192.0/20 | SBL502926 | 30557 | 4045440454 |
| 209.95.192.0/20 | SBL107139 | 31817 | 204815 |
| 65.97.48.0/20 | SBL502933 | 33057 | 204815204185 |
| 64.255.208.0/20 | SBL387690 | 35983 | 204293 |
| 209.95.208.0/20 | SBL107139 | 36818 | 204815 |
| 24.236.0.0/20 | SBL502928 | 39980 | 204815 |
| 204.147.240.0/20 | SBL502924 | 40431 | 201292 |
| 98.143.192.0/20 | SBL502926 | 40454 | 209946201292 |
| 209.66.0.0/19 | SBL502941 | 40507 | 15315 |
| 207.183.80.0/20 | SBL502907 | 40576 | 204293 |
| 139.60.240.0/20 | SBL502913 | 46415 | 204293 |
| 131.153.208.0/20 | SBL502929 | 53402 | 204815204815 |
| 209.66.32.0/19 | SBL502941 | 55078 | 15315 |
| 207.183.96.0/20 | SBL387691 | 62789 | 204293204293 |
| 141.206.128.0/20 | SBL502911 | 63437 | 204293 |
| 167.82.144.0/20 | SBL502908 | 395827 | 204293 |
Some of these routes have been withdrawn already, but the majority remain up and running today. We urge all parties to investigate immediately.
- Based on current market values ↩︎