Tens of Dormant North American Networks Suspiciously Resurrected at Once

More than fifty networks in the North American region suddenly burst to life after being dormant for a long period of time, Spamhaus reveals.

The Geneva-based international nonprofit organization is focused on tracking spam, phishing, malware, and botnets, and provides threat intelligence that can help filter spam and related threats.

Last week, the organization noticed that, within days, 52 dormant networks in the ARIN (North-America) area were resurrected concurrently, and that each of them has been announced by a different autonomous system number (ASN), also inactive for a significant period of time.

“In 48 cases, these are /20 networks amounting to 4096 IPv4 addresses, and in the remaining 4 cases, they are /19 networks with 8192 addresses,” Spamhaus explains.

The main issue, the organization explains, is that chances are almost zero for 52 organizations to suddenly come back online, all at once, although (a rare occurrence as well) some organizations might resurface after taking their network offline for a while.

Furthermore, Spamhaus could not establish a connection between these networks and the ASNs announcing them, except for the fact that they had been inactive for a long period of time.

“Traceroutes and pings indicate that they are all physically hosted in the New York City area, in the US,” the organization notes.

While investigating the incident, Spamhaus also discovered that the Border Gateway Protocol (BGP) paths that connect these networks to their hosting facility involve Ukrainian ASNs, and that these Ukrainian companies are connecting these networks to major backbones.

“Given the unlikelihood that these routes are legitimate, we have placed almost all of them on our DROP (Do not Route or Peer) list, until their owners clarify the situation,” the organization notes.

The company has published full details on these networks, as well as information on associated resources and their Spamhaus Block List (SBL) IDs.

While some of the routes had been withdrawn shortly after resurrection, many were still up and running toward the end of the week.

Related: Russian Telco Hijacked Internet Traffic of Major Networks – Accident or Malicious Action?

Related: Embrace RPKI to Secure BGP Routing, Cloudflare Says

Related: Free MANRS Tool Helps Improve Routing Security

view counter

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire:

Don't forget to share

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *