> <i>Defense Digital Service (DDS) authorized a pilot effort advertising DoD Internet Protocol (IP) space using Border Gateway Protocol (BGP). This pilot will assess, evaluate and prevent unauthorized use of DoD IP address space. Additionally, this pilot may identify potential vulnerabilities. This is one of DoD’s many efforts focused on continually improving our cyber posture and defense in response to advanced persistent threats. We are partnering throughout DoD to ensure potential vulnerabilities are mitigated.</i><p>Interesting; it seems to be an effort to find out who was abusing ranges that were exclusively allowed or disallowed based on the ranges. Malware that tries to look like something else, using a state-level IP range to evade blocking or to check for blocks.[1]<p>><i>I interpret this to mean that the objectives of this effort are twofold. First, to announce this address space to scare off any would-be squatters, and secondly, to collect a massive amount of background internet traffic for threat intelligence.</i><p>><i>On the first point, there is a vast world of fraudulent BGP routing out there. As I’ve documented over the years, various types of bad actors use unrouted address space to bypass blocklists in order to send spam and other types of malicious traffic.</i><p>The Cloudflare example shows how much traffic some of these included/excluded ranges receive when they are turned on.<p>><i>On the second, there is a lot of background noise that can be scooped up when announcing large ranges of IPv4 address space. A recent example is Cloudflare’s announcement of 1.1.1.0/24 and 1.0.0.0/24 in 2018.</i><p>><i>For decades, internet routing operated with a widespread assumption that ASes didn’t route these prefixes on the internet (perhaps because they were canonical examples from networking textbooks). 
According to their blog post soon after the launch, Cloudflare received “~10Gbps of unsolicited background traffic” on their interfaces.</i><p>><i>And that was just for 512 IPv4 addresses! Of course, those addresses were very special, but it stands to reason that 175 million IPv4 addresses will attract orders of magnitude more traffic. More misconfigured devices and networks that mistakenly assumed that all of this DoD address space would never see the light of day.</i><p>Looks like a new cybersecurity policy/process started on inauguration day. Probably a defensive or offensive measure to combat the supply chain attacks that may well have used those ranges to evade blocking.<p>Why use a front company? As a honeypot.<p>If other scammers are spoofing the ranges and then another company does it too, that doesn't raise an alarm among the other entities abusing the same trick.
If you announce it as DoD, then it may scare off the others.<p>In any good investigation, you want to shroud the data/intel collection. Using a front company, or a series of levels of fronts, is the way you have to go about it.<p>[1] <a href="https://www.kentik.com/blog/the-mystery-of-as8003/" rel="nofollow">https://www.kentik.com/blog/the-mystery-of-as8003/</a>