After becoming dormant for a long period of time, more than fifty networks in the North American area unexpectedly burst to life, Spamhaus reveals.
The multinational non-profit organisation headquartered in Geneva works on monitoring spam, phishing, ransomware, and botnets, and provides information on threats that can help philtre spam and associated threats.
Last week the organisation noted that 52 dormant networks in the ARIN (North America) region were simultaneously revived within days and that each of them had been declared by a separate Autonomous System Number (ASN), which was also inactive for a considerable amount of time.
They are /20 networks with 4096 IPv4 addresses in 48 cases and /19 networks with 8192 addresses in the remaining 4 cases,” Spamhaus explains.”
The big challenge, the organisation states, is that chances are almost zero for 52 organisations to unexpectedly return online, all at once, while some organisations may resurface after taking their network offline for a while (a unusual phenomenon as well).
In addition, Spamhaus was unable to create a connection between these networks and the ASNs announcing them, except that they had been inactive for a long period of time.
The organisation says, ‘Traceroutes and pings suggest that they are all physically hosted in the area of New York City, in the US.’
When researching the incident, Spamhaus also found that Ukrainian ASNs are active in the Border Gateway Protocol (BGP) routes connecting these networks to their hosting facilities, and that these Ukrainian companies are connecting these networks to big backbones.
“We have placed almost all of them on our DROP (Do not Route or Peer) list, given the unlikelihood that these routes are legitimate, until their owners clarify the situation,” the organisation states.
Full specifics of these networks have been released by the organisation, as well as information about similar services and their Spamhaus Block List (SBL) IDs.
While some of the routes were eliminated soon after the resurrection, plenty were still up and working by the end of the week.