
Suspicious network resurrections

By Spamhaus Team

November 30, 2020

We believe there is a serious issue relating to the equivalent of 56 “/20” networks, with a corresponding 230k IPv4 addresses. The total value of these is approximately $5M to $6M [1]. This is an urgent notification to all organizations involved: ARIN and the backbones, as well as the legitimate owners whose IPv4 ranges and ASNs may have been used without their authorization.

What activity has Spamhaus observed?

Over the past few days, we have observed 52 networks in the ARIN (North-America) area concurrently burst into life. Until this week, all these networks had been dormant (not routed) for a significant length of time. Even more unusual is that a different autonomous system number (ASN), also previously inactive, has announced each network.

In 48 cases, these are /20 networks amounting to 4096 IPv4 addresses, and in the remaining 4 cases, they are /19 networks with 8192 addresses.

Why do we consider this to be a problem?

  1. The improbability of the timing
     Occasionally, organizations that have gone offline do reappear on the internet; however, it is a rarity. Meanwhile, the probability of 52 organizations simultaneously choosing to go back online is almost nil.

  2. No relationships between each network and the announcing ASN
     As far as we can deduce, there is no relation between each network and the ASN announcing it, other than that both have been inactive for some time. For instance:

     198.14.0.0/20, assigned to Hybrid Networks in Cupertino, CA, is seen announced by AS14126, assigned to VoiceStar in Philadelphia, PA.

     Traceroutes and pings indicate that they are all physically hosted in the New York City area, in the US.

  3. Suspect Border Gateway Protocol (BGP) paths and connecting major backbones
     The BGP paths connecting these American networks to the New York City hosting facility involve several Ukrainian ASNs, namely:
    • AS204293 and AS204815 - LLC SOLAR STRATEGIA, Chernivtsi, UA
    • AS201292 - Agrofirma Aleks PP, Chumaky, UA
    • AS42602 - KING-TRANS LLC, Kyiv, UA
    • AS209946 - ALINDA LLC, Mykolayiv, UA
    • AS205145 - Start Telecom LLC, Kyiv, UA
    • AS205268 - Ipcom invest LLC, Kyiv, UA
    Additionally, the above Ukrainian companies appear to be connecting these "suddenly reborn" networks to major backbones, notably:

    • Telia (AS1299) and Hurricane Electric (AS6939) for AS42602,
    • Cogent (AS174) for AS209946,
    • GTT (AS3257) for AS201292,
    • Lumen (AS3356) for AS205268.
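The pattern described above, that every observed path crosses one of the named Ukrainian ASNs before reaching a backbone, can be checked mechanically. The script below is an added example, not Spamhaus code; it reads a handful of rows constructed from the table further down (announcer followed by the AS path beyond it, alternative paths separated by ";") and reports which suspect ASN hands each route to which backbone.

```python
"""Added example (not Spamhaus tooling): flag AS paths that transit the
suspect ASNs named in the post and tally the backbone each one reaches."""
from collections import Counter, defaultdict

# Transit ASNs named in the post's bullet list.
SUSPECT_ASNS = {204293, 204815, 201292, 42602, 209946, 205145, 205268}
# Backbones named in the post, keyed by ASN.
BACKBONES = {1299: "Telia", 6939: "Hurricane Electric", 174: "Cogent",
             3257: "GTT", 3356: "Lumen"}

# Constructed sample, copied from rows of the table in the post:
# "<prefix> <announcer> <path>[; <path>...]" with the path listed
# from the announcer's upstream out to the backbone.
SAMPLE_ROWS = """\
198.14.0.0/20 14126 204293 209946 174
206.41.128.0/20 11393 204815 42602 6939; 204815 42602 1299
131.153.192.0/20 22715 204815 205268 3356; 204185 201292 3257
209.66.0.0/19 40507 15315 202244 205145 42602 1299
"""


def parse_rows(text):
    """Yield (prefix, announcer, [path, ...]); each path is a list of ints."""
    for line in text.splitlines():
        if not line.strip():
            continue
        prefix, announcer, rest = line.split(maxsplit=2)
        paths = [[int(asn) for asn in p.split()] for p in rest.split(";")]
        yield prefix, int(announcer), paths


def analyse(text):
    """Return (findings, summary).

    findings: one (prefix, announcer, suspect ASNs on path, backbone) per path.
    summary:  suspect ASN adjacent to the backbone -> Counter of backbone names,
              i.e. which named backbone is accepting routes from which ASN.
    """
    findings, summary = [], defaultdict(Counter)
    for prefix, announcer, paths in parse_rows(text):
        for path in paths:
            hits = tuple(asn for asn in path if asn in SUSPECT_ASNS)
            backbone = BACKBONES.get(path[-1])  # last hop is the transit reached
            findings.append((prefix, announcer, hits, backbone))
            upstream = path[-2] if len(path) > 1 else None
            if backbone and upstream in SUSPECT_ASNS:
                summary[upstream][backbone] += 1
    return findings, summary


if __name__ == "__main__":
    for asn, counts in analyse(SAMPLE_ROWS)[1].items():
        print(f"AS{asn} -> {dict(counts)}")
```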

What action has Spamhaus taken?

Given the unlikelihood that these routes are legitimate, we have placed almost all of them on our DROP (Do not Route or Peer) list until their owners clarify the situation.

Here are the full details of the networks and associated resources, as well as the Spamhaus Block List (SBL) ID referring to their case. Where a network is seen via more than one path, the paths are separated by semicolons.

Network            SBL ID     Announcer  Path(s)
207.183.144.0/20   SBL502938  10758      13321 42602 1299
159.127.48.0/20    Resolved   11292      204293 201292 3257; 204293 209946 174
206.41.128.0/20    SBL502936  11393      204815 42602 6939; 204815 42602 1299
64.250.144.0/20    SBL502906  11587      204293 209946 174
209.17.192.0/20    SBL502942  12139      15315 202244 205145 42602 1299
207.183.64.0/20    SBL502907  13321      42602 1299
209.66.128.0/20    SBL180438  13732      204293 42602 1299
140.82.96.0/20     SBL502920  14124      204293 201292 3257; 204293 42602 1299
198.14.0.0/20      SBL502904  14126      204293 209946 174
209.161.64.0/19    SBL502939  14206      42602 6939
167.224.32.0/20    SBL502894  14741      201292 3257
209.17.208.0/20    SBL502942  14835      15315 202244 205145 42602 1299
209.95.64.0/19     SBL502940  15315      15315 202244 205145 42602 6939; 15315 202244 205145 42602 1299
209.148.16.0/20    SBL502902  16646      204293 209946 174
206.183.128.0/20   SBL502901  16726      204293 42602 1299
207.201.112.0/20   SBL502896  16817      204293 42602 1299
72.1.224.0/20      SBL502930  16916      204815 201292 3257; 204185 42602 1299
206.183.144.0/20   SBL502901  18463      204293 42602 1299
76.191.0.0/20      SBL502905  18695      204293 209946 174
207.201.96.0/20    SBL502896  19145      204293 42602 1299
104.251.192.0/20   SBL502923  19451      201292 3257
207.183.128.0/20   SBL502938  19666      13321 42602 1299
207.244.0.0/20     SBL502898  21560      204293 42602 1299
24.170.208.0/20    SBL502917  22117      204293 209946 174
192.252.16.0/20    SBL502925  22619      201292 3257
131.153.192.0/20   SBL502929  22715      204815 205268 3356; 204185 201292 3257
198.151.16.0/20    SBL244694  22979      201292 3257
207.244.16.0/20    SBL502898  23072      204293 209946 174
107.191.240.0/20   SBL502915  25811      204293 209946 174
207.201.64.0/20    SBL502896  25897      204293 42602 1299
207.244.32.0/20    SBL502898  26125      204293 42602 1299
207.201.80.0/20    SBL502896  26460      204293 42602 1299
209.66.144.0/20    SBL180438  26466      204293 42602 1299; 204293 210292 3257
24.236.16.0/20     SBL502928  27428      204815 42602 1299
207.244.48.0/20    SBL502898  29752      204293 42602 1299
64.255.192.0/20    SBL387690  30159      204293 42602 1299
98.143.192.0/20    SBL502926  30557      40454 209946 174; 40454 201292 3257
209.95.192.0/20    SBL107139  31817      204815 42602 1299
65.97.48.0/20      SBL502933  33057      204815 201292 3257; 204185 42602 1299
64.255.208.0/20    SBL387690  35983      204293 42602 1299
209.95.208.0/20    SBL107139  36818      204815 42602 1299
24.236.0.0/20      SBL502928  39980      204815 42602 1299
204.147.240.0/20   SBL502924  40431      201292 3257
98.143.192.0/20    SBL502926  40454      209946 174; 201292 3257
209.66.0.0/19      SBL502941  40507      15315 202244 205145 42602 1299
207.183.80.0/20    SBL502907  40576      204293 209946 174
139.60.240.0/20    SBL502913  46415      204293 209946 174
131.153.208.0/20   SBL502929  53402      204815 201292 3257; 204815 42602 1299
209.66.32.0/19     SBL502941  55078      15315 202244 205145 42602 1299
207.183.96.0/20    SBL387691  62789      204293 42602 1299; 204293 201292 3257
141.206.128.0/20   SBL502911  63437      204293 209946 174
167.82.144.0/20    SBL502908  395827     204293 209946 174

Some of these routes have been withdrawn already, but the majority remain up and running today. We urge all parties to investigate immediately.


[1] Based on current market values.
