Spamhaus.org announced on Nov. 25 that they had observed a troubling issue occurring on 56 “/20” networks, which have a total of 230k IPv4 addresses associated with them. (/20 is an IPv4 address block).
The activity in question was that these networks had not been routed for a significant length of time, but then all of a sudden, they spontaneously erupted into life again. In addition, a different autonomous system number (ASN), which was inactive prior to this event, announced the online status of each network.
According to Spamhaus, they are /20 networks comprising 4096 IPv4 addresses; the last four are /19 networks with 8192 addresses. While this may not sound like a problem in and of itself, they explained that:
- The timing of this event is implausible – while some organizations that go offline occasionally reappear on the internet, it doesn’t happen often. The probability of 52 such organizations coming back online spontaneously is almost zero.
- There doesn’t appear to be any relationship between the networks and the announcing ASN – Thus far, Spamhaus says that they cannot find any obvious connection between the networks and the ASNs announcing them, besides the fact that they’ve been inactive for a lengthy period. As one example, they cite 220.127.116.11/20 assigned to Hybrid Networks in Cupertino, CA, announced by AS14126 assigned to VoiceStar in Philadelphia, PA. They conducted several traceroutes and pings to the ASNs, and discovered that they are all physically hosted in New York City.
- There are also suspicious Border Gateway Protocol (BGP) paths and major backbones connecting said American networks to Ukrainian ASNs, such as:
- AS204293 and AS204815 – LLC SOLAR STRATEGIA, Chernivitsi, UA
- AS201292 – Agrofirma Aleks PP, Chumaky, UA
- AS42602 – KING-TRANS LLC, Kyiv, UA
- AS209946 – ALINDA LLC, Mykolayiv, UA
- AS205145 – Start Telecom LLC, Kyiv, UA
- AS205268 – Ipcom invest LLC, Kyiv, UA
- It looks as though the Ukrainian companies in question seem to be connecting the resurrected networks to major backbone networks, such as:
- Telia (AS1299) and Hurricane Electric (AS6939) for AS42602
- Cogent (AS174) for AS209946
- GTT (AS3257) for AS201292
- Lumen (AS3356) for AS205268
As a result, Spamhaus has added almost all of these onto their DROP (Do Not Route or Peer) list, until further information is provided. The full list of networks and paths can be found on the original article.