Suspicious network resurrections

Suspicious network resurrections

By Spamhaus Team

November 30, 2020

We believe there is a serious issue relating to the equivalent of 56 “/20” networks, with a corresponding 230k IPv4 addresses. The total value of these is approximately $5M to $6M. This is an urgent notification to all organizations involved; ARIN and the backbones, in addition to the legitimate owners, whose IPv4 ranges and ASNs may have been used without their authorization.

What activity has Spamhaus observed?

Over the past few days, we have observed 52 networks in the ARIN (North-America) area concurrently burst into life. Until this week, all these networks had been dormant (not routed) for a significant length of time. Even more unusual is that a different autonomous system number (ASN), also previously inactive, has announced each network.

In 48 cases, these are /20 networks amounting to 4096 IPv4 addresses, and in the remaining 4 cases, they are /19 networks with 8192 addresses.

Why do we consider this to be a problem?

The improbability of the timing  Occasionally, organizations that have gone offline do reappear on the internet; however it’s a rarity. Meanwhile, the probability of 52 organizations simultaneously choosing to go back online is almost nil.
No relationships between each network and the announcing ASN As far as we can deduce there is no relation between each network and the ASN announcing it, other than they’ve been inactive for some time. For instance:   198.14.0.0/20 assigned to Hybrid Networks in Cupertino, CA, is seen announced by AS14126 assigned to VoiceStar in Philadelphia, PA.

Traceroutes and pings indicate that they are all physically hosted in the New York City area, in the US.
Suspect Border Gateway Protocol (BGP) paths and connecting major backbones The BGP paths connecting these American networks to the New York City hosting facility involve several Ukrainian ASNs, namely:
- AS204293 and AS204815 - LLC SOLAR STRATEGIA, Chernivtsi, UA
- AS201292 - Agrofirma Aleks PP, Chumaky, UA
- AS42602 - KING-TRANS LLC, Kyiv, UA
- AS209946 - ALINDA LLC, Mykolayiv, UA
- AS205145 - Start Telecom LLC, Kyiv, UA
- AS205268 - Ipcom invest LLC, Kyiv, UA
Additionally, the above Ukrainian companies appear to be connecting these "suddenly reborn" networks to major backbones, notably: 
- Telia (AS1299) and Hurricane Electric (AS6939) for AS42602,
- Cogent (AS174) for AS209946,
- GTT (AS3257) for AS201292,
- Lumen (AS3356) for AS205268.

What action has Spamhaus taken?

Given the unlikelihood that these routes are legitimate, we have placed almost all of them on our DROP (Do not Route or Peer) list, until their owners clarify the situation.

Here are the full details of the networks and associated resources, as well as the Spamhaus Block List (SBL) ID referring to their case

Network	SBL ID	Announcer	Path(s)
207.183.144.0/20	SBL502938	10758	13321	42602	1299
159.127.48.0/20	Resolved	11292	204293 204293	201292 209946	3257 174
206.41.128.0/20	SBL502936	11393	204815 204815	42602 42602	6939 1299
64.250.144.0/20	SBL502906	11587	204293	209946	174
209.17.192.0/20	SBL502942	12139	15315	202244	205145	42602	1299
207.183.64.0/20	SBL502907	13321	42602	1299
209.66.128.0/20	SBL180438	13732	204293	42602	1299
140.82.96.0/20	SBL502920	14124	204293 204293	201292 42602	3257 1299
198.14.0.0/20	SBL502904	14126	204293	209946	174
209.161.64.0/19	SBL502939	14206	42602	6939
167.224.32.0/20	SBL502894	14741	201292	3257
209.17.208.0/20	SBL502942	14835	15315	202244	205145	42602	1299
209.95.64.0/19	SBL502940	15315 15315	202244 202244	205145 205145	42602 42602	6939 1299
209.148.16.0/20	SBL502902	16646	204293	209946	174
206.183.128.0/20	SBL502901	16726	204293	42602	1299
207.201.112.0/20	SBL502896	16817	204293	42602	1299
72.1.224.0/20	SBL502930	16916	204815 204185	201292 42602	3257 1299
206.183.144.0/20	SBL502901	18463	204293	42602	1299
76.191.0.0/20	SBL502905	18695	204293	209946	174
207.201.96.0/20	SBL502896	19145	204293	42602	1299
104.251.192.0/20	SBL502923	19451	201292	3257
207.183.128.0/20	SBL502938	19666	13321	42602	1299
207.244.0.0/20	SBL502898	21560	204293	42602	1299
24.170.208.0/20	SBL502917	22117	204293	209946	174
192.252.16.0/20	SBL502925	22619	201292	3257
131.153.192.0/20	SBL502929	22715	204815 204185	205268 201292	3356 3257
198.151.16.0/20	SBL244694	22979	201292	3257
207.244.16.0/20	SBL502898	23072	204293	209946	174
107.191.240.0/20	SBL502915	25811	204293	209946	174
207.201.64.0/20	SBL502896	25897	204293	42602	1299
207.244.32.0/20	SBL502898	26125	204293	42602	1299
207.201.80.0/20	SBL502896	26460	204293	42602	1299
209.66.144.0/20	SBL180438	26466	204293 204293	42602 210292	1299 3257
24.236.16.0/20	SBL502928	27428	204815	42602	1299
207.244.48.0/20	SBL502898	29752	204293	42602	1299
64.255.192.0/20	SBL387690	30159	204293	42602	1299
98.143.192.0/20	SBL502926	30557	40454 40454	209946 201292	174 3257
209.95.192.0/20	SBL107139	31817	204815	42602	1299
65.97.48.0/20	SBL502933	33057	204815 204185	201292 42602	3257 1299
64.255.208.0/20	SBL387690	35983	204293	42602	1299
209.95.208.0/20	SBL107139	36818	204815	42602	1299
24.236.0.0/20	SBL502928	39980	204815	42602	1299
204.147.240.0/20	SBL502924	40431	201292	3257
98.143.192.0/20	SBL502926	40454	209946 201292	174 3257
209.66.0.0/19	SBL502941	40507	15315	202244	205145	42602	1299
207.183.80.0/20	SBL502907	40576	204293	209946	174
139.60.240.0/20	SBL502913	46415	204293	209946	174
131.153.208.0/20	SBL502929	53402	204815 204815	201292 42602	3257 1299
209.66.32.0/19	SBL502941	55078	15315	202244	205145	42602	1299
207.183.96.0/20	SBL387691	62789	204293 204293	42602 201292	1299 3257
141.206.128.0/20	SBL502911	63437	204293	209946	174
167.82.144.0/20	SBL502908	395827	204293	209946	174

Some of these routes have been withdrawn already, but the majority remain up and running today. We urge all parties to investigate immediately.

1. Based on current market values