Red Hot Cyber

Mystery of the 175 million IPv4 address space (held by DoD)

8 October 2021 08:58

Author: Antonio Piovesan. Publication date: 4/10/2021

Washington Post – September 10, 2021

“Pentagon ends mysterious program, Defense Department retakes control of 175 million IP addresses”

A Pentagon program that delegated management of a huge chunk of the Internet to a Florida “so-and-so” company in January 2021, and that appeared minutes before President Trump left office (January 20, 2021), ended as mysteriously as it began, with the US Department of Defense (DoD) regaining control of 175 million IPv4 addresses.

At its peak, the “mysterious company” Global Resource Systems LLC, of Plantation (Fort Lauderdale), Florida, controlled nearly 6% of the IPv4 section of the Internet.

These IP addresses have been under Pentagon control for decades but were left unused, despite potentially being worth billions of dollars on the open market, and they were never sold or leased to Global Resource Systems LLC.

They were simply placed under GRS LLC control for a “pilot program” created by an elite Pentagon unit known as the Defense Digital Service (DDS), which reports directly to the Secretary of Defense. DDS solves emergency problems and conducts experiments for the military.

The Pentagon shed little new light on what exactly it was doing with the so-called pilot program or why it has now ended, but perhaps it ended only because the “mission” has now been extended, albeit more formally, under the Pentagon’s strict control.

So the Washington Post headlined and wrote in an article on September 10, 2021. But what happened?

January 20, 2021

Something strange happened minutes before Trump left office on January 20, 2021: the US government claimed it was a security research operation.

The US Department of Defense left a lot of Internet experts very surprised by apparently handing control of millions of “dormant” IP addresses to an obscure Florida company hours before President Donald Trump left the White House, but the Pentagon offered a partial explanation as to why this happened.

The Department of Defense (DoD) said it still owns the addresses, but that it used a third-party company in a “pilot” project to conduct security research.

“Minutes before Trump left office, millions of dormant Pentagon IP addresses came to life”: literally, three minutes before Joe Biden became president, a company called Global Resource Systems LLC “discreetly announced one surprising development: it was now managing a huge unused area of the Internet that, for several decades, had been owned by the United States Army,” Washington Post states.

The number of Pentagon-owned IP addresses announced by the company rose to 56 million in late January 2021 and 175 million in April 2021, making “Global Resource Systems LLC” the largest IP address manager in the world in the IPv4 global routing table.

“Theories were many,” the Washington Post article says. “Did anyone at the Department of Defense sell part of the vast collection of IP addresses sought by the military when Trump left office?

Has the Pentagon finally acted on demands to dump the billions of dollars of IP address space the military has sat on, largely unused, for decades?”

None of that …

Brett Goldstein, DDS director, said in a statement that his unit had authorized a “pilot effort” to advertise Pentagon-owned IP space.

“This pilot project will evaluate and prevent unauthorized use of the DoD IP addresses space,” Goldstein said. “Additionally, this pilot can identify potential security vulnerabilities.”

Goldstein described the project as one of “the Department of Defense’s many efforts focused on continually improving our cyber and defense position in response to Advanced Persistent Threats. We are working with the entire Department of Defense to ensure that potential vulnerabilities are mitigated.”

Kinda “SWAT team of nerds” in short …

Some cybersecurity experts speculated that the Pentagon may have used the advertised space of 175 million IPv4 addresses to create “honeypots” (machines configured with vulnerabilities to attract threat actors), or that it could have tried to set up dedicated infrastructure, software and servers to scour Internet traffic for suspicious activity.

The new company remains a mystery…

The Washington Post and the Associated Press (AP) couldn’t find many details about Global Resource Systems LLC.

“The company has not responded to phone calls or emails from The Associated Press. It has no web presence, although it owns the domain” an AP article says.

“Its name is not listed in companies’ registry for Plantation, Florida location, and a front desk clerk was silent when an AP reporter asked to meet a company representative in early April (2021) … Records show that the company did not obtain a trading license in Plantation, Fort Lauderdale.”

The AP was also unable to track down people associated with the company.

The AP said the Pentagon “did not answer many basic questions, starting with why it chose to entrust management of the addresses space to a company that appears not to have existed till September 2020”.

The name of Global Resource Systems “is identical to that of a company that, according to Ron Guilmette, an independent Internet fraud researcher, sent spam emails using the same Internet routing identifier,” the AP continued. “It closed more than ten years ago. All that differs is the type of company. The new one is a Limited Liability Corporation (LLC). The other was a (joint-stock) company.

Both companies used the same physical address in Plantation, a suburb of Fort Lauderdale.”

Doug Madory of Kentik, an expert in DDoS detection and network security, called it “a great mystery”.

On the Defense Department’s goal of gathering “background Internet traffic for threat intelligence,” Madory noted that “there is a lot of background noise that can be picked up when announcing such large ranges of IPv4 address space.”

Potential routing problems

The emergence of previously inactive IP addresses could lead to routing problems.

In 2018, AT&T unintentionally blocked its home internet customers from Cloudflare’s new DNS service because the Cloudflare service and AT&T gateway used the same IP address.

Madory says:

“For decades, Internet routing worked with the widespread assumption that these prefixes weren’t routed over the Internet (perhaps because they were canonical examples from networking books). According to their blog post shortly after launching [DNS resolver], Cloudflare received “~ 10 Gbps of unsolicited background traffic” on their interfaces.”

And that was only for 512 IPv4 addresses!

Of course, those addresses were very special, but it goes without saying that 175 million IPv4 addresses will attract orders of magnitude more traffic [from] badly configured devices and networks that mistakenly assumed that this whole DoD address space would never see the light of the day.
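An added example (not from the article or from anyone it quotes): a Python audit of an internal address inventory for the mistake described above, where internal devices are numbered out of public space on the assumption that it will never be routed. The watch-list prefixes and the inventory are constructed sample values, not taken from the article.

```python
import ipaddress

# Ranges meant for internal use that never collide with Internet routes:
# RFC 1918 private space, RFC 6598 shared space, loopback and link-local.
INTERNAL_OK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]

# Assumption: sample watch list of public prefixes that were long treated as
# unrouted. The article names no prefixes; fill this from your own routing data.
WATCHED = [ipaddress.ip_network(n) for n in (
    "11.0.0.0/8", "1.1.1.0/24", "1.0.0.0/24")]

# Constructed inventory: (device, address configured on an internal interface).
INVENTORY = [
    ("core-sw1", "10.20.0.1"),
    ("lab-router", "11.0.5.1"),
    ("cpe-gateway", "1.1.1.1"),
    ("printer", "192.168.1.50"),
    ("legacy-vpn", "5.5.5.5"),
    ("bad-entry", "300.1.1.1"),
]

def classify(addr, watched=WATCHED):
    """Return 'ok', 'collision:<prefix>', 'squatting' or 'invalid'."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ValueError:
        return "invalid"
    if any(ip in net for net in INTERNAL_OK):
        return "ok"
    # Most specific watched prefix first, so the report names the tightest match.
    for net in sorted(watched, key=lambda n: n.prefixlen, reverse=True):
        if ip in net:
            return "collision:%s" % net
    return "squatting"  # public space used internally, not on the watch list

def audit(inventory, watched=WATCHED):
    """List (device, address, verdict) for every entry that is not 'ok'."""
    findings = []
    for device, addr in inventory:
        verdict = classify(addr, watched)
        if verdict != "ok":
            findings.append((device, addr, verdict))
    return findings

if __name__ == "__main__":
    for device, addr, verdict in audit(INVENTORY):
        print("%-12s %-12s %s" % (device, addr, verdict))
```

A `collision` entry is the case that breaks reachability once the prefix is announced, as with the gateway and DNS service in the 2018 incident; a `squatting` entry is the same mistake waiting for its prefix to appear.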


Madory’s conclusion was that the new Defense Department statement “answers some questions”, but “much remains a mystery.”

It is unclear why the Department of Defense did not simply announce the address space itself instead of using an obscure external entity, and it is unclear why the project came to life “in the final moments of the previous administration,” as has been written.

But something good could come of it, Madory added: “We probably won’t have all the answers anytime soon, but we can certainly hope that Defense Department uses threat intelligence gleaned from the large amounts of background traffic for the benefit of all.

Maybe they could come to a Cybersecurity conference to present the ‘treasures of the bad traffic’ that has been sent to them.”