Pentagon explains odd transfer of 175 million IP addresses to obscure company
The US Department of Defense puzzled Internet experts by apparently transferring control of tens of millions of dormant IP addresses to an obscure Florida company just before President Donald Trump left the White House, but the Pentagon has finally offered a partial explanation for why it happened. The Defense Department says it still owns the addresses but that it is using a third-party company in a "pilot" project to conduct security research.
"Minutes before Trump left office, millions of the Pentagon's dormant IP addresses sprang to life" was the title of a Washington Post article on Saturday. Literally three minutes before Joe Biden became president, a company called Global Resource Systems LLC "discreetly announced to the world's computer networks a startling development: It now was managing a huge unused swath of the Internet that, for several decades, had been owned by the US military," the Post said.
The number of Pentagon-owned IP addresses announced by the company rose to 56 million by late January and 175 million by April, making it the world's largest announcer of IP addresses in the IPv4 global routing table.
"The theories were many," the Post article said. "Did someone at the Defense Department sell off part of the military's vast collection of sought-after IP addresses as Trump left office? Had the Pentagon finally acted on demands to unload the billions of dollars worth of IP address space the military has been sitting on, largely unused, for decades?"
The Post said it got an answer from the Defense Department on Friday in the form of a statement from the director of "an elite Pentagon unit known as the Defense Digital Service."
The Post wrote:
Brett Goldstein, the DDS's director, said in a statement that his unit had authorized a "pilot effort" publicizing the IP space owned by the Pentagon.
"This pilot will assess, evaluate, and prevent unauthorized use of DoD IP address space," Goldstein said. "Additionally, this pilot may identify potential vulnerabilities."
Goldstein described the project as one of the Defense Department's "many efforts focused on continually improving our cyber posture and defense in response to advanced persistent threats. We are partnering throughout DoD to ensure potential vulnerabilities are mitigated."
“SWAT team of nerds”
The 6-year-old DDS consists of "82 engineers, data scientists, and computer scientists" who "worked on the much-publicized 'hack the Pentagon' program" and a variety of other projects tackling some of the hardest technology problems faced by the military, a Department of Defense article said in October 2020. Goldstein has called the unit a "SWAT team of nerds."
The Defense Department did not say what the unit's specific objectives are in its project with Global Resource Systems, "and Pentagon officials declined to say why Goldstein's unit had used a little-known Florida company to carry out the pilot effort rather than have the Defense Department itself 'announce' the addresses through BGP [Border Gateway Protocol] messages—a far more routine approach," the Post said.
Still, the government's explanation piqued the interest of Doug Madory, director of Internet analysis at network-security company Kentik.
"I interpret this to mean that the objectives of this effort are twofold," Madory wrote in a blog post Saturday. "First, to announce this address space to scare off any would-be squatters, and secondly, to collect a massive amount of background Internet traffic for threat intelligence."
New company remains mysterious
The Washington Post and Associated Press weren't able to dig up many details about Global Resource Systems. "The company did not return phone calls or emails from The Associated Press. It has no web presence, though it has the domain grscorp.com," an AP story yesterday said. "Its name doesn't appear on the directory of its Plantation, Florida, domicile, and a receptionist drew a blank when an AP reporter asked for a company representative at the office earlier this month. She found its name on a tenant list and suggested trying email. Records show the company has not obtained a business license in Plantation." The AP apparently wasn't able to track down people associated with the company.
The AP said that the Pentagon "has not answered many basic questions, beginning with why it chose to entrust management of the address space to a company that seems not to have existed until September." Global Resource Systems' name "is identical to that of a firm that independent Internet fraud researcher Ron Guilmette says was sending out email spam using the very same Internet routing identifier," the AP continued. "It shut down more than a decade ago. All that differs is the type of company. This one's a limited liability corporation. The other was a corporation. Both used the same street address in Plantation, a suburb of Fort Lauderdale."
The AP did find out that the Defense Department still owns the IP addresses, saying that "a Defense Department spokesman, Russell Goemaere, told the AP on Saturday that none of the newly announced space has been sold."
Bigger than China Telecom and Comcast
Network experts were stumped by the emergence of Global Resource Systems for a while. Madory called it "a great mystery."
At 11:57 am EST on January 20, three minutes before the Trump administration officially came to an end, "[a]n entity that hadn't been heard from in over a decade began announcing large swaths of formerly unused IPv4 address space belonging to the US Department of Defense," Madory wrote. Global Resource Systems is labeled AS8003 and GRS-DOD in BGP records.
By late January, AS8003 was announcing about 56 million IPv4 addresses, making it the sixth largest AS [autonomous system] in the IPv4 global routing table by originated address space. By mid-April, AS8003 dramatically increased the amount of formerly unused DoD address space that it announced to 175 million unique addresses.
Following the increase, AS8003 became, far and away, the largest AS in the history of the Internet as measured by originated IPv4 space. By comparison, AS8003 now announces 61 million more IP addresses than the now-second biggest AS in the world, China Telecom, and over 100 million more addresses than Comcast, the largest residential Internet provider in the US.
In fact, as of April 20, 2021, AS8003 is announcing so much IPv4 space that 5.7 percent of the entire IPv4 global routing table is presently originated by AS8003. In other words, more than one out of every 20 IPv4 addresses is presently originated by an entity that didn't even appear in the routing table at the beginning of the year.
In mid-March, "astute contributors to the NANOG listserv highlighted the oddity of massive amounts of DoD address space being announced by what appeared to be a shell company," Madory noted.
DoD has “massive ranges” of IPv4 space
The Defense Department "was allocated numerous massive ranges of IPv4 address space" decades ago, but "only a portion of that address space was ever utilized (i.e. announced by the DoD on the Internet)," Madory wrote. Expanding on his point that the Defense Department may want to "scare off any would-be squatters," he wrote that "there is a https://dyn.com/blog/vast-world-of-fraudulent-routing /">vast world of fraudulent BGP routing out there. As I've documented over the years, various types of bad actors use unrouted address space to bypass blocklists in order to send spam and other types of malicious traffic."
On the Defense Department's goal of collecting "background Internet traffic for threat intelligence," Madory noted that "there is a lot of background noise that can be scooped up when announcing large ranges of IPv4 address space."
Potential routing problems
The emergence of previously dormant IP addresses could lead to routing problems. In 2018, AT&T unintentionally blocked its home-Internet customers from Cloudflare's new DNS service because the Cloudflare service and the AT&T gateway were using the same IP address of 18.104.22.168.
For decades, Internet routing operated with a widespread assumption that ASes didn't route these prefixes on the Internet (perhaps because they were canonical examples from networking textbooks). According to their blog post soon after the launch [of DNS resolver 22.214.171.124], Cloudflare received "~10Gbps of unsolicited background traffic" on their interfaces.
And that was just for 512 IPv4 addresses! Of course, those addresses were very special, but it stands to reason that 175 million IPv4 addresses will attract orders of magnitude more traffic [from] misconfigured devices and networks that mistakenly assumed that all of this DoD address space would never see the light of day.
Madory's conclusion was that the new statement from the Defense Department "answers some questions," but "much remains a mystery." It isn't clear why the Defense Department didn't simply announce the address space itself instead of using an obscure outside entity, and it's unclear why the project came "to life in the final moments of the previous administration," he wrote.
But something good might come out of it, Madory added: "We likely won't get all of the answers anytime soon, but we can certainly hope that the DoD uses the threat intel gleaned from the large amounts of background traffic for the benefit of everyone. Maybe they could come to a NANOG conference and present about the troves of erroneous traffic being sent their way."