More than 50 networks in the North America region suddenly resumed activity after being dormant for a long time, according to a warning from Spamhaus, an international nonprofit organization that tracks spam, phishing, malware, and botnets and compiles widely used anti-spam lists.
The organization said it observed last week that 52 dormant networks in the ARIN (North America) area were resurrected concurrently. Even more suspicious, each network has been announced by a different autonomous system number (ASN) that was also previously inactive.
“In 48 cases, these are /20 networks amounting to 4096 IPv4 addresses, and in the remaining 4 cases, they are /19 networks with 8192 addresses,” Spamhaus said.
The issue is deemed serious for two reasons. First, there is zero chance of 52 organizations choosing to go back online all at once. Second, Spamhaus has not found any relation between each network and the ASN announcing it, other than that they have been inactive for some time.
“Traceroutes and pings indicate that they are all physically hosted in the New York City area, in the US,” the organization said.
While examining the issue, Spamhaus noticed that the BGP paths connecting these American networks to the New York City hosting facility involve several Ukrainian ASNs, which appear to be connecting these "suddenly reborn" networks to major backbones.
Given the unlikelihood that these routes are legitimate, Spamhaus added almost all of them to the DROP (Do not Route or Peer) list, until their owners clarify the situation. The organization said that some of the suspicious routes have been withdrawn already, but the majority of them have remained up and running as of last week.
Spamhaus has provided full details on these networks, as well as information on associated resources and the Spamhaus Block List (SBL) IDs.
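The pattern described above (a long-dormant prefix announced by a long-dormant ASN, several of them in the same week, each with a different origin) can be checked against routing history. The following Python is an added example, not Spamhaus code; the records, the one-year dormancy threshold, the seven-day window and the function names are all constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample records, not real routing data:
# (prefix, origin ASN, prefix last seen, ASN last seen, announced on).
# Prefixes are private address space; ASNs are from the documentation range.
ANNOUNCEMENTS = [
    ("10.16.0.0/20", 64496, "2015-03-01", "2014-11-20", "2020-01-13"),
    ("10.32.0.0/19", 64497, "2016-07-09", "2016-07-09", "2020-01-13"),
    ("10.48.0.0/20", 64498, "2019-12-30", "2019-12-30", "2020-01-14"),  # prefix recently active
    ("10.64.0.0/20", 64499, "2013-05-05", "2020-01-02", "2020-01-14"),  # ASN recently active
    ("10.80.0.0/20", 64500, "2012-02-02", "2012-02-02", "2020-01-15"),
]

def _day(text):
    return datetime.strptime(text, "%Y-%m-%d")

def dormant_revivals(rows, min_dormancy_days=365):
    """Keep announcements where BOTH the prefix and its origin ASN were
    silent for at least min_dormancy_days before the announcement."""
    limit = timedelta(days=min_dormancy_days)
    hits = []
    for prefix, asn, prefix_seen, asn_seen, announced in rows:
        when = _day(announced)
        if when - _day(prefix_seen) >= limit and when - _day(asn_seen) >= limit:
            hits.append((ipaddress.ip_network(prefix), asn, when))
    return hits

def is_cluster(hits, window_days=7, min_count=3):
    """True when at least min_count revivals, each from a different origin
    ASN, start within one window_days window (the concurrency signal)."""
    hits = sorted(hits, key=lambda h: h[2])
    window = timedelta(days=window_days)
    for i, (_, _, start) in enumerate(hits):
        inside = [h for h in hits[i:] if h[2] - start <= window]
        if len(inside) >= min_count and len({h[1] for h in inside}) == len(inside):
            return True
    return False

def address_total(hits):
    """Total IPv4 addresses covered (a /20 is 4096, a /19 is 8192)."""
    return sum(net.num_addresses for net, _, _ in hits)

if __name__ == "__main__":
    revived = dormant_revivals(ANNOUNCEMENTS)
    for net, asn, when in revived:
        print(f"{net} via AS{asn} on {when:%Y-%m-%d}: {net.num_addresses} addresses")
    print("clustered:", is_cluster(revived), "total:", address_total(revived))
```
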