The Spamhaus Project


Suspicious network resurrections

by The Spamhaus Team, November 25, 2020


Introduction

UPDATE Dec 1st 2020: A big thank you to Telia Carrier, Hurricane Electric and GTT for taking swift and positive action in shutting down the related announcements.

We believe there is a serious issue relating to the equivalent of 56 “/20” networks, with a corresponding 230k IPv4 addresses. The total value of these is approximately $5M to $6M [1]. This is an urgent notification to all organizations involved: ARIN and the backbones, in addition to the legitimate owners whose IPv4 ranges and ASNs may have been used without their authorization.

What activity has Spamhaus observed?

Over the past few days, we have observed 52 networks in the ARIN (North America) region burst into life at the same time. Until this week, all of these networks had been dormant (not routed) for a significant length of time. Even more unusual, each network is being announced by a different autonomous system number (ASN) that had itself been inactive until now.

In 48 cases, these are /20 networks amounting to 4096 IPv4 addresses, and in the remaining 4 cases, they are /19 networks with 8192 addresses.

Why do we consider this to be a problem?

  1. The improbability of the timing
Occasionally, organizations that have gone offline do reappear on the internet; however, it is a rarity. The probability of 52 organizations simultaneously choosing to go back online is almost nil.
  2. No relationship between each network and the announcing ASN
As far as we can deduce, there is no relation between each network and the ASN announcing it, other than that both have been inactive for some time. For instance:

198.14.0.0/20, assigned to Hybrid Networks in Cupertino, CA, is seen announced by AS14126, assigned to VoiceStar in Philadelphia, PA.

Traceroutes and pings indicate that they are all physically hosted in the New York City area, in the US.
  3. Suspect Border Gateway Protocol (BGP) paths and connecting major backbones
The BGP paths connecting these American networks to the New York City hosting facility involve several Ukrainian ASNs, namely:
  * AS204293 and AS204815 - LLC SOLAR STRATEGIA, Chernivtsi, UA
  * AS201292 - Agrofirma Aleks PP, Chumaky, UA
  * AS42602 - KING-TRANS LLC, Kyiv, UA
  * AS209946 - ALINDA LLC, Mykolayiv, UA
  * AS205145 - Start Telecom LLC, Kyiv, UA
  * AS205268 - Ipcom invest LLC, Kyiv, UA
Additionally, the above Ukrainian companies appear to be connecting these "suddenly reborn" networks to major backbones, notably:
  * Telia (AS1299) and Hurricane Electric (AS6939) for AS42602,
  * Cogent (AS174) for AS209946,
  * GTT (AS3257) for AS201292,
  * Lumen (AS3356) for AS205268.
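The three indicators above (a prefix that has been unrouted for a long time, an origin ASN with no relationship to the prefix holder, and a path through the same small set of transit ASNs) can be checked mechanically against a route feed. The Python below is an added example for this post, not Spamhaus tooling. It reduces the registry lookup to two dictionaries (only the 198.14.0.0/20 / Hybrid Networks and AS14126 / VoiceStar pairing is from the post; the other holder names, the origin-holder pairs and the upstream hops beyond the immediate Ukrainian transit are constructed), and it also counts how many freshly reactivated prefixes share a transit ASN, which is the "52 at once" signal the post relies on.

```python
"""Heuristics for spotting dormant prefixes revived by unrelated ASNs.

Added example, not Spamhaus code. Registry data is constructed except for
the 198.14.0.0/20 / AS14126 pairing quoted in the post.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Transit ASNs named in the post as appearing in the suspect BGP paths.
SUSPECT_TRANSIT = {204293, 204815, 201292, 42602, 209946, 205145, 205268}

# Registry view: who holds the prefix, who holds the origin ASN.
# Only the Hybrid Networks / VoiceStar pair is from the post; the rest is constructed.
PREFIX_HOLDER: Dict[str, str] = {
    "198.14.0.0/20": "Hybrid Networks",
    "104.251.192.0/20": "Example Holder A",
    "192.0.2.0/24": "Example Holder B",
}
ASN_HOLDER: Dict[int, str] = {
    14126: "VoiceStar",
    19451: "Example ISP C",
    64496: "Example Holder B",
}


@dataclass
class Route:
    prefix: str
    as_path: List[int]            # collector side first, origin ASN last
    seen_on: date                 # day this announcement was first seen
    last_routed: Optional[date]   # last day the prefix was routed before that; None = never


def origin(route: Route) -> int:
    return route.as_path[-1]


def dormant_days(route: Route) -> Optional[int]:
    """Days the prefix sat unrouted before reappearing; None if never seen routed."""
    if route.last_routed is None:
        return None
    return (route.seen_on - route.last_routed).days


def flags(route: Route, min_dormancy: int = 365) -> List[str]:
    """Return the reasons (if any) this announcement deserves a second look."""
    out: List[str] = []
    d = dormant_days(route)
    if d is None or d >= min_dormancy:
        out.append("dormant-reactivation")
    holder = PREFIX_HOLDER.get(route.prefix)
    origin_org = ASN_HOLDER.get(origin(route))
    # An unknown holder on either side is treated as a mismatch: it still needs a human.
    if holder is None or origin_org is None or holder != origin_org:
        out.append("origin-holder-mismatch")
    hit = SUSPECT_TRANSIT.intersection(route.as_path[:-1])
    if hit:
        out.append("suspect-transit:" + ",".join(str(a) for a in sorted(hit)))
    return out


def mass_reactivation(routes: List[Route], since: date, threshold: int = 3) -> Dict[int, int]:
    """Transit ASNs (origin excluded) carrying >= threshold reactivated prefixes seen since `since`."""
    counts: Dict[int, int] = {}
    for r in routes:
        if r.seen_on < since or "dormant-reactivation" not in flags(r):
            continue
        for asn in set(r.as_path[:-1]):
            counts[asn] = counts.get(asn, 0) + 1
    return {asn: n for asn, n in sorted(counts.items()) if n >= threshold}


# Constructed observations. Prefixes, origin ASNs and the immediate Ukrainian
# transit follow the post's table; the hops beyond that and the dates are assumed.
OBSERVED = [
    Route("198.14.0.0/20",    [1299, 42602, 204293, 14126], date(2020, 11, 22), date(2017, 3, 1)),
    Route("104.251.192.0/20", [3257, 201292, 19451],        date(2020, 11, 22), None),
    Route("98.143.192.0/20",  [174, 209946, 201292, 40454], date(2020, 11, 23), date(2016, 6, 15)),
    Route("207.183.64.0/20",  [6939, 42602, 13321],         date(2020, 11, 23), date(2018, 1, 10)),
    Route("64.250.144.0/20",  [1299, 42602, 204293, 11587], date(2020, 11, 22), date(2015, 9, 30)),
    Route("192.0.2.0/24",     [64500, 64496],               date(2020, 11, 22), date(2020, 11, 21)),  # stable control
]

if __name__ == "__main__":
    for r in OBSERVED:
        print(f"{r.prefix:18} AS{origin(r):<7} {flags(r)}")
    print("mass reactivation via:", mass_reactivation(OBSERVED, since=date(2020, 11, 20)))
```

Each flag on its own is weak (companies do return from dormancy, and registry data lags), which is why the per-transit count matters: one ASN carrying several long-dormant prefixes in the same week is the pattern the post describes, and a real deployment would feed the counts from daily route-collector snapshots rather than a hand-built list.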

What action has Spamhaus taken?

Given the unlikelihood that these routes are legitimate, we have placed almost all of them on our DROP (Do not Route or Peer) list, until their owners clarify the situation.
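Operators who act on the DROP list usually consume its plain-text form, one "<CIDR> ; <SBL id>" entry per line with ';' starting a comment. The Python below is an added example, not Spamhaus's own code, of parsing that format defensively, matching either a single address or a whole BGP announcement against it (a filter must also reject more-specifics and covering less-specifics, not just the exact listed block), and emitting null routes. The excerpt it parses is constructed from rows of the table in this post, with one deliberately malformed line to show the skip path; it is not a download of the live file.

```python
"""Consume a DROP-format list: match addresses and announcements, emit null routes.

Added example, not Spamhaus tooling. DROP_TEXT is a constructed excerpt in the
DROP text format, built from rows of the table in this post.
"""
import ipaddress
from typing import List, Optional, Tuple

DROP_TEXT = """\
; Spamhaus DROP List - constructed excerpt for this example
; Last-Modified: Wed, 25 Nov 2020 00:00:00 GMT
207.183.144.0/20 ; SBL502938
207.183.128.0/20 ; SBL502938
198.14.0.0/20 ; SBL502904
209.161.64.0/19 ; SBL502939
98.143.192.0/20 ; SBL502926
not-a-prefix ; SBL000000
"""

Entry = Tuple[ipaddress.IPv4Network, str]


def parse_drop(text: str) -> List[Entry]:
    """Parse DROP text; skip comments, blanks and malformed lines instead of failing."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        cidr, _, rest = raw.partition(";")   # ';' separates the prefix from the SBL id / comment
        cidr = cidr.strip()
        if not cidr:                          # blank line or full-line comment
            continue
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            continue                          # malformed entry: ignore it, never block on a typo
        entries.append((net, rest.strip()))
    return entries


DROP = parse_drop(DROP_TEXT)


def lookup(address: str, entries: List[Entry] = DROP) -> Optional[str]:
    """SBL id whose block covers a single address, or None."""
    ip = ipaddress.ip_address(address)
    for net, sbl in entries:
        if ip in net:
            return sbl
    return None


def announcement_blocked(prefix: str, entries: List[Entry] = DROP) -> Optional[str]:
    """For a BGP import filter: reject any announced prefix that overlaps a DROP entry,
    whether it is the listed block itself, a more-specific, or a covering less-specific."""
    net = ipaddress.ip_network(prefix, strict=False)
    for listed, sbl in entries:
        if net.overlaps(listed):
            return sbl
    return None


def null_routes(entries: List[Entry] = DROP) -> List[str]:
    """Cisco IOS static null routes, one per listed block."""
    return [f"ip route {n.network_address} {n.netmask} Null0" for n, _ in entries]


if __name__ == "__main__":
    print(lookup("207.183.150.7"), announcement_blocked("198.14.4.0/22"))
    print("\n".join(null_routes()))
```

The overlap check rather than an exact match is the important design choice: an announcer that wants to slip past a DROP-derived filter will try a /21 inside a listed /20, or a covering /16, and both must fail the filter.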

Here are the full details of the networks and associated resources, as well as the Spamhaus Block List (SBL) ID referring to their case:

Network            SBL ID     Announcer  Path(s)
207.183.144.0/20   SBL502938  AS10758    AS13321
159.127.48.0/20    Resolved   AS11292    AS204293 AS204293
206.41.128.0/20    SBL502936  AS11393    AS204815 AS204815
64.250.144.0/20    SBL502906  AS11587    AS204293
209.17.192.0/20    SBL502942  AS12139    AS15315
207.183.64.0/20    SBL502907  AS13321    AS42602
209.66.128.0/20    SBL180438  AS13732    AS204293
140.82.96.0/20     SBL502920  AS14124    AS204293 AS204293
198.14.0.0/20      SBL502904  AS14126    AS204293
209.161.64.0/19    SBL502939  AS14206    AS42602
167.224.32.0/20    SBL502894  AS14741    AS201292
209.17.208.0/20    SBL502942  AS14835    AS15315
209.95.64.0/19     SBL502940  AS15315    AS15315 AS202244 AS202244
209.148.16.0/20    SBL502902  AS16646    AS204293
206.183.128.0/20   SBL502901  AS16726    AS204293
207.201.112.0/20   SBL502896  AS16817    AS204293
72.1.224.0/20      SBL502930  AS16916    AS204815 AS204185
206.183.144.0/20   SBL502901  AS18463    AS204293
76.191.0.0/20      SBL502905  AS18695    AS204293
207.201.96.0/20    SBL502896  AS19145    AS204293
104.251.192.0/20   SBL502923  AS19451    AS201292
207.183.128.0/20   SBL502938  AS19666    AS13321
207.244.0.0/20     SBL502898  AS21560    AS204293
24.170.208.0/20    SBL502917  AS22117    AS204293
192.252.16.0/20    SBL502925  AS22619    AS201292
131.153.192.0/20   SBL502929  AS22715    AS204815 AS204185
198.151.16.0/20    SBL244694  AS22979    AS201292
207.244.16.0/20    SBL502898  AS23072    AS204293
107.191.240.0/20   SBL502915  AS25811    AS204293
207.201.64.0/20    SBL502896  AS25897    AS204293
207.244.32.0/20    SBL502898  AS26125    AS204293
207.201.80.0/20    SBL502896  AS26460    AS204293
209.66.144.0/20    SBL180438  AS26466    AS204293 AS204293
24.236.16.0/20     SBL502928  AS27428    AS204815
207.244.48.0/20    SBL502898  AS29752    AS204293
64.255.192.0/20    SBL387690  AS30159    AS204293
98.143.192.0/20    SBL502926  AS30557    AS40454 AS40454
209.95.192.0/20    SBL107139  AS31817    AS204815
65.97.48.0/20      SBL502933  AS33057    AS204815 AS204185
64.255.208.0/20    SBL387690  AS35983    AS204293
209.95.208.0/20    SBL107139  AS36818    AS204815
24.236.0.0/20      SBL502928  AS39980    AS204815
204.147.240.0/20   SBL502924  AS40431    AS201292
98.143.192.0/20    SBL502926  AS40454    AS209946 AS201292
209.66.0.0/19      SBL502941  AS40507    AS15315
207.183.80.0/20    SBL502907  AS40576    AS204293
139.60.240.0/20    SBL502913  AS46415    AS204293
131.153.208.0/20   SBL502929  AS53402    AS204815 AS204815
209.66.32.0/19     SBL502941  AS55078    AS15315
207.183.96.0/20    SBL387691  AS62789    AS204293 AS204293
141.206.128.0/20   SBL502911  AS63437    AS204293
167.82.144.0/20    SBL502908  AS395827   AS204293

Some of these routes have been withdrawn already, but the majority remain up and running today. We urge all parties to investigate immediately.

[1] Based on current market values.