Search the Community

Something weird happened minutes before Trump left—US says it was security research. The US Department of Defense puzzled Internet experts by apparently transferring control of tens of millions of dormant IP addresses to an obscure Florida company just before President Donald Trump left the White House, but the Pentagon has finally offered a partial explanation for why it happened. The Defense Department says it still owns the addresses but that it is using a third-party company in a "pilot" project to conduct security research. The number of Pentagon-owned IP addresses announced by the company rose to 56 million by late January and 175 million by April, making it the world's largest announcer of IP addresses in the IPv4 global routing table. The Post wrote: “SWAT team of nerds” The 6-year-old DDS consists of "82 engineers, data scientists, and computer scientists" who "worked on the much-publicized 'hack the Pentagon' program" and a variety of other projects tackling some of the hardest technology problems faced by the military, a Department of Defense article said in October 2020. Goldstein has called the unit a "SWAT team of nerds." The Defense Department did not say what the unit's specific objectives are in its project with Global Resource Systems, "and Pentagon officials declined to say why Goldstein's unit had used a little-known Florida company to carry out the pilot effort rather than have the Defense Department itself 'announce' the addresses through BGP [Border Gateway Protocol] messages—a far more routine approach," the Post said. Still, the government's explanation piqued the interest of Doug Madory, director of Internet analysis at network-security company Kentik. "I interpret this to mean that the objectives of this effort are twofold," Madory wrote in a blog post Saturday. "First, to announce this address space to scare off any would-be squatters, and secondly, to collect a massive amount of background Internet traffic for threat intelligence." New company remains mysterious The Washington Post and Associated Press weren't able to dig up many details about Global Resource Systems. "The company did not return phone calls or emails from The Associated Press. It has no web presence, though it has the domain grscorp.com," an AP story yesterday said. "Its name doesn't appear on the directory of its Plantation, Florida, domicile, and a receptionist drew a blank when an AP reporter asked for a company representative at the office earlier this month. She found its name on a tenant list and suggested trying email. Records show the company has not obtained a business license in Plantation." The AP apparently wasn't able to track down people associated with the company. The AP said that the Pentagon "has not answered many basic questions, beginning with why it chose to entrust management of the address space to a company that seems not to have existed until September." Global Resource Systems' name "is identical to that of a firm that independent Internet fraud researcher Ron Guilmette says was sending out email spam using the very same Internet routing identifier," the AP continued. "It shut down more than a decade ago. All that differs is the type of company. This one's a limited liability corporation. The other was a corporation. Both used the same street address in Plantation, a suburb of Fort Lauderdale." The AP did find out that the Defense Department still owns the IP addresses, saying that "a Defense Department spokesman, Russell Goemaere, told the AP on Saturday that none of the newly announced space has been sold." Bigger than China Telecom and Comcast Network experts were stumped by the emergence of Global Resource Systems for a while. Madory called it "a great mystery." At 11:57 am EST on January 20, three minutes before the Trump administration officially came to an end, "[a]n entity that hadn't been heard from in over a decade began announcing large swaths of formerly unused IPv4 address space belonging to the US Department of Defense," Madory wrote. Global Resource Systems is labeled AS8003 and GRS-DOD in BGP records. Madory wrote: In mid-March, "astute contributors to the NANOG listserv highlighted the oddity of massive amounts of DoD address space being announced by what appeared to be a shell company," Madory noted. DoD has “massive ranges” of IPv4 space The Defense Department "was allocated numerous massive ranges of IPv4 address space" decades ago, but "only a portion of that address space was ever utilized (i.e. announced by the DoD on the Internet)," Madory wrote. Expanding on his point that the Defense Department may want to "scare off any would-be squatters," he wrote that "there is a vast world of fraudulent BGP routing out there. As I've documented over the years, various types of bad actors use unrouted address space to bypass blocklists in order to send spam and other types of malicious traffic." On the Defense Department's goal of collecting "background Internet traffic for threat intelligence," Madory noted that "there is a lot of background noise that can be scooped up when announcing large ranges of IPv4 address space." Potential routing problems The emergence of previously dormant IP addresses could lead to routing problems. In 2018, AT&T unintentionally blocked its home-Internet customers from Cloudflare's new DNS service because the Cloudflare service and the AT&T gateway were using the same IP address of 1.1.1.1. Madory wrote: Madory's conclusion was that the new statement from the Defense Department "answers some questions," but "much remains a mystery." It isn't clear why the Defense Department didn't simply announce the address space itself instead of using an obscure outside entity, and it's unclear why the project came "to life in the final moments of the previous administration," he wrote. But something good might come out of it, Madory added: "We likely won't get all of the answers anytime soon, but we can certainly hope that the DoD uses the threat intel gleaned from the large amounts of background traffic for the benefit of everyone. Maybe they could come to a NANOG conference and present about the troves of erroneous traffic being sent their way." Via arstechnica.com