
Suspicious network resurrections

2020-11-25 12:11:10 UTC   |   by Spamhaus Team   |   Category:  hijack, bgp, asn, routing

UPDATE Dec 1st 2020: A big thank you to Telia Carrier, Hurricane Electric and GTT for taking swift and positive action in shutting down the related announcements.

We believe there is a serious issue relating to the equivalent of 56 “/20” networks, corresponding to 230k IPv4 addresses. The total value of these is approximately $5M to $6M [1]. This is an urgent notification to all organizations involved: ARIN and the backbones, in addition to the legitimate owners, whose IPv4 ranges and ASNs may have been used without their authorization.

What activity has Spamhaus observed?

Over the past few days, we have observed 52 networks in the ARIN (North-America) area concurrently burst into life. Until this week, all these networks had been dormant (not routed) for a significant length of time. Even more unusual is that a different autonomous system number (ASN), also previously inactive, has announced each network.

In 48 cases, these are /20 networks of 4096 IPv4 addresses each, and in the remaining 4 cases, they are /19 networks of 8192 addresses each.

Why do we consider this to be a problem?

  1. The improbability of the timing
     Occasionally, organizations that have gone offline do reappear on the internet; however, it’s a rarity. Meanwhile, the probability of 52 organizations simultaneously choosing to go back online is almost nil.

  2. No relationships between each network and the announcing ASN
     As far as we can deduce, there is no relation between each network and the ASN announcing it, other than that they’ve been inactive for some time. For instance:

     198.14.0.0/20 assigned to Hybrid Networks in Cupertino, CA, is seen announced by AS14126 assigned to VoiceStar in Philadelphia, PA.

     Traceroutes and pings indicate that they are all physically hosted in the New York City area, in the US.

  3. Suspect Border Gateway Protocol (BGP) paths and connecting major backbones
     The BGP paths connecting these American networks to the New York City hosting facility involve several Ukrainian ASNs, namely:
    • AS204293 and AS204815 - LLC SOLAR STRATEGIA, Chernivtsi, UA
    • AS201292 - Agrofirma Aleks PP, Chumaky, UA
    • AS42602 - KING-TRANS LLC, Kyiv, UA
    • AS209946 - ALINDA LLC, Mykolayiv, UA
    • AS205145 - Start Telecom LLC, Kyiv, UA
    • AS205268 - Ipcom invest LLC, Kyiv, UA
    Additionally, the above Ukrainian companies appear to be connecting these "suddenly reborn" networks to major backbones, notably:

    • Telia (AS1299) and Hurricane Electric (AS6939) for AS42602,
    • Cogent (AS174) for AS209946,
    • GTT (AS3257) for AS201292,
    • Lumen (AS3356) for AS205268.
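
The three signals above, combined into one detection check (an added example, not Spamhaus code or part of the original article). The sample records are constructed from documentation prefixes and ASNs; the dormancy threshold, time window, cluster size and the registrant-name comparison are assumptions.

```python
from collections import defaultdict
from datetime import datetime as dt, timedelta

DORMANT = timedelta(days=365)  # assumption: unrouted this long counts as dormant
WINDOW = timedelta(days=7)     # assumption: "concurrent" means within one week
MIN_CLUSTER = 3                # assumption: smallest group worth escalating

# Constructed sample data (documentation prefixes and ASNs, RFC 5737 / RFC 5398).
# Fields: prefix, prefix registrant, AS path (origin last), origin ASN registrant,
#         prefix last routed, origin ASN last seen, time of the new announcement.
ANNOUNCEMENTS = [
    ("192.0.2.0/25", "Org A", [64496, 64497, 64500], "Org W", dt(2015, 3, 1), dt(2014, 6, 1), dt(2020, 11, 20)),
    ("192.0.2.128/25", "Org B", [64496, 64497, 64501], "Org X", dt(2016, 1, 10), dt(2013, 9, 1), dt(2020, 11, 21)),
    ("198.51.100.0/25", "Org C", [64498, 64497, 64502], "Org Y", dt(2012, 5, 5), dt(2017, 2, 1), dt(2020, 11, 22)),
    ("198.51.100.128/25", "Org D", [64496, 64503], "Org D", dt(2014, 1, 1), dt(2014, 1, 1), dt(2020, 11, 21)),
    ("203.0.113.0/24", "Org E", [64496, 64497, 64504], "Org Z", dt(2020, 10, 1), dt(2020, 10, 1), dt(2020, 11, 22)),
]

def is_resurrection(rec):
    """Signal 2: dormant prefix announced by an unrelated, equally dormant ASN."""
    prefix, p_org, path, o_org, p_last, o_last, seen = rec
    return (seen - p_last >= DORMANT      # the prefix was dormant
            and seen - o_last >= DORMANT  # the origin ASN was dormant too
            and p_org != o_org)           # no registry link between the two

def suspicious_clusters(records):
    """Signals 1 and 3: resurrections that coincide in time behind one transit ASN."""
    by_transit = defaultdict(list)
    for rec in filter(is_resurrection, records):
        for asn in rec[2][:-1]:           # every ASN in the path except the origin
            by_transit[asn].append((rec[6], rec[0]))
    clusters = {}
    for asn, events in by_transit.items():
        events.sort()
        # Largest group of announcements that fits inside one WINDOW.
        best = max(([p for t, p in events if start <= t <= start + WINDOW]
                    for start, _ in events), key=len)
        if len(best) >= MIN_CLUSTER:
            clusters[asn] = best
    return clusters

if __name__ == "__main__":
    for asn, prefixes in suspicious_clusters(ANNOUNCEMENTS).items():
        print(f"AS{asn} carries {len(prefixes)} resurrected prefixes: {prefixes}")
```

In the sample, the fourth record (same registrant for prefix and ASN) and the fifth (routed recently) are not flagged, so only the transit ASN common to the first three is reported.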

What action has Spamhaus taken?

Given the unlikelihood that these routes are legitimate, we have placed almost all of them on our DROP (Do not Route or Peer) list, until their owners clarify the situation.

Here are the full details of the networks and associated resources, as well as the Spamhaus Block List (SBL) ID referring to their case


Some of these routes have been withdrawn already, but the majority remain up and running today. We urge all parties to investigate immediately.


1. Based on current market values.



Article Information

Permanent link to this news article:
Suspicious network resurrections
http://www.spamhaus.org/news/article/802/suspicious-network-resurrections
