Spamhaus Observes Suspicious Network Resurrections

NOTE: Spamhaus gave an update today and said that Telia Carrier, Hurricane Electric, and GTT have taken action and shut down the related networks.

Spamhaus.org announced on Nov. 25 that they had observed a troubling issue occurring on 56 “/20” networks, which have a total of 230k IPv4 addresses associated with them. (A /20 is an IPv4 address block.)

These networks had not been routed for a significant length of time, and then all of them suddenly came back to life. In addition, each network was announced by a different autonomous system number (ASN), which had itself been inactive prior to this event.

According to Spamhaus, most of them are /20 networks comprising 4096 IPv4 addresses each; the last four are /19 networks with 8192 addresses each. While this may not sound like a problem in and of itself, they explained that:

  • The timing of this event is implausible – while some organizations that go offline occasionally reappear on the internet, it doesn’t happen often. The probability of 52 such organizations coming back online spontaneously is almost zero.
  • There doesn’t appear to be any relationship between the networks and the announcing ASN – Thus far, Spamhaus says that they cannot find any obvious connection between the networks and the ASNs announcing them, besides the fact that they’ve been inactive for a lengthy period. As one example, they cite 198.14.0.0/20 assigned to Hybrid Networks in Cupertino, CA, announced by AS14126 assigned to VoiceStar in Philadelphia, PA. They conducted several traceroutes and pings to the ASNs, and discovered that they are all physically hosted in New York City.
  • There are also suspicious Border Gateway Protocol (BGP) paths and major backbones connecting said American networks to Ukrainian ASNs, such as:
    • AS204293 and AS204815 – LLC SOLAR STRATEGIA, Chernivtsi, UA
    • AS201292 – Agrofirma Aleks PP, Chumaky, UA
    • AS42602 – KING-TRANS LLC, Kyiv, UA
    • AS209946 – ALINDA LLC, Mykolayiv, UA
    • AS205145 – Start Telecom LLC, Kyiv, UA
    • AS205268 – Ipcom invest LLC, Kyiv, UA
  • The Ukrainian companies in question appear to be connecting the resurrected networks to major backbone networks, such as:
    • Telia (AS1299) and Hurricane Electric (AS6939) for AS42602
    • Cogent (AS174) for AS209946
    • GTT (AS3257) for AS201292
    • Lumen (AS3356) for AS205268

As a result, Spamhaus has added almost all of these to their DROP (Do Not Route or Peer) list until further information is provided. The full list of networks and paths can be found in the original article.
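The pattern described above (a long-unrouted prefix reappearing under an origin ASN that was itself dormant) can be checked against route-collector history. The following is an added example, not Spamhaus's method or code: the function name, the one-year threshold, and every date, prefix and ASN in the sample are constructed assumptions, except the 198.14.0.0/20 and AS14126 pair, which comes from the article.

```python
from datetime import date, timedelta
from ipaddress import ip_network
from itertools import groupby

def find_resurrections(observations, dormant=timedelta(days=365)):
    """observations: (day, prefix, origin_asn) tuples from route history.
    Flags announcements where BOTH the prefix (or any overlapping prefix)
    and the origin ASN had been unseen for at least `dormant`."""
    obs = sorted(((d, ip_network(p), a) for d, p, a in observations),
                 key=lambda o: o[0])
    if not obs:
        return []
    start = obs[0][0]            # nothing is known before the first record
    last_net, last_asn, flagged = {}, {}, []
    for day, group in groupby(obs, key=lambda o: o[0]):
        group = list(group)
        # Judge every announcement of the day against state from earlier
        # days, so one ASN lighting up several prefixes at once is caught.
        for _, net, asn in group:
            net_seen = max((d for n, d in last_net.items() if n.overlaps(net)),
                           default=start)
            asn_seen = last_asn.get(asn, start)
            if day - net_seen >= dormant and day - asn_seen >= dormant:
                flagged.append((day, str(net), asn))
        for _, net, asn in group:
            last_net[net] = day
            last_asn[asn] = day
    return flagged

# Constructed sample history; only 198.14.0.0/20 + AS14126 is from the article.
SAMPLE = [
    (date(2019, 6, 1), "192.0.2.0/24", 64496),      # continuously routed
    (date(2019, 6, 1), "198.14.0.0/20", 64500),     # last seen, then dark
    (date(2020, 5, 1), "192.0.2.0/24", 64496),
    (date(2020, 11, 20), "192.0.2.0/24", 64496),
    (date(2020, 11, 20), "198.14.0.0/20", 14126),   # dormant prefix + dormant ASN
    (date(2020, 11, 20), "198.51.100.0/24", 64496), # new prefix, active ASN
    (date(2020, 11, 21), "198.14.8.0/21", 14126),   # more-specific, next day
]

if __name__ == "__main__":
    for day, prefix, asn in find_resurrections(SAMPLE):
        print(f"{day} {prefix} originated by AS{asn}: dormant prefix and ASN")
```

A new prefix from an ASN that has been active recently is not flagged, and neither is a more-specific announcement of a block that has already reappeared, which keeps the output to the initial resurrection event.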

