U.S. DoD has World’s Largest Honeypot: 6% of Internet Space

175 million IP addresses owned by the U.S. Defense Department have “appeared” on the public internet. Formerly unroutable, these address ranges are now being advertised by a previously-unknown contractor. But it’s all aboveboard, we’re told.

So says the Defense Digital Service’s director, Brett Goldstein (pictured). This DoD unit is tasked with checking out how its IPv4 address space is being (mis-)used on the internet. And I dare say the data it gathers will be useful to combat malicious adversaries.

But he doesn’t look very military. Perhaps he’s in the Navy? In today’s SB Blogwatch, we can sail the 0x07000000/8 seas. [You’re fired—Ed.]

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Locust vs. ants.

DoD BGP Mystery Solved

What’s the craic? Craig Timberg, Paul Sonne, Lori Rozsa and Alice Crites pen this ridiculous headline—“Minutes before Trump left office, millions of the Pentagon’s dormant IP addresses sprang to life”:

Assess, evaluate and prevent”

On Jan. 20, an obscure Florida company discreetly announced to the world’s computer networks … it now was managing a huge unused swath of the Internet that, for several decades, had been owned by the U.S. military. … That’s almost 6 percent of a coveted traditional section of Internet real estate — called IPv4 — where such large chunks are worth billions of dollars on the open market.

The only announcement of Global Resources Systems’ management of Pentagon addresses happened in the obscure world of Border Gateway Protocol (BGP) — the messaging system that tells Internet companies how to route traffic. … Network administrators began speculating about perhaps the most dramatic shift in IP address space allotment since BGP was introduced in the 1980s.

Did someone at the Defense Department sell off part of the military’s vast collection of sought-after IP addresses as Trump left office? Had the Pentagon finally acted on demands to unload the billions of dollars worth of IP address space the military has been sitting on, largely unused, for decades?

[No and no:] An elite Pentagon unit known as the Defense Digital Service … had authorized a pilot effort. … “This pilot will assess, evaluate and prevent unauthorized use of DoD IP address space,” … Brett Goldstein, the DDS’s director, said. … “We are partnering throughout DoD to ensure potential vulnerabilities are mitigated.” … A spokesman for the Defense Department [said] the Pentagon still owns all the IP address space and hadn’t sold any of it.

So it’s merely clickbait from the Daily Bezos? Frank Bajak and Terry Spencer subtend a more sober angle—“The big Pentagon internet mystery”:

Suspect activity”

After weeks of wonder by the networking community, the Pentagon has now provided a very terse explanation for what it’s doing. But it has not answered many basic questions, beginning with why it chose to entrust management of the address space to a company that seems not to have existed until September.

The Pentagon periodically contends with unauthorized squatting on its [IPv4 address] space, in part because there has been a shortage. [Also] the Pentagon may be using the newly advertised space to create “honeypots,” machines set up with vulnerabilities to draw hackers. Or it could be looking to set up dedicated infrastructure … to scour traffic for suspect activity.

What [it] could not explain … is why the Defense Department chose Global Resource Systems LLC, a company with no record of government contracts, to manage the address space. [It] now manages more internet space than China Telecom, AT&T or Comcast.

[But] Raymond Saulino … a managing member of a cybersecurity/internet surveillance equipment company called Packet Forensics [is] associated with it on the Florida business registry. [That] company had nearly $40 million in publicly disclosed federal contracts over the past decade, with the FBI and the Pentagon’s Defense Advanced Research Projects Agency among its customers.

Okay so that’s the who, but what about the why? Doug Madory made this—“The Mystery of AS8003”:

Threat intel”

On January 20, 2021, a great mystery appeared in the internet’s global routing table. An entity that hadn’t been heard from in over a decade began announcing large swaths of formerly unused IPv4 address space belonging to the [DoD]. AS8003 began announcing among other large DoD IPv4 ranges.

According to data available from University of Oregon’s Routeviews project, one of the very first BGP messages … has a timestamp of 16:57 UTC … moments after the swearing in of Joe Biden. … AS8003 now announces … 175 million unique addresses … 61 million more [than] China Telecom. … 5.7% of the entire IPv4 global routing table is presently originated by AS8003.

I interpret [the DoD statement] to mean that the objectives of this effort are twofold. First, to announce this address space to scare off any would-be squatters. … Second, to collect a massive amount of background internet traffic for threat intelligence: … There is a lot of background noise that can be scooped up when announcing large ranges of IPv4 address space.

We can certainly hope that the DoD uses the threat intel gleaned from the large amounts of background traffic for the benefit of everyone. Maybe they could … present about the troves of erroneous traffic being sent their way.

But why outsource it? Here’s jessriedel:

Technical talent”

In practice the US government is constrained from paying market rates for tech talent. It can either hire companies to complete the entire project, or it can hire a consulting service (which skims off a massive overhead) to provide technical talent inside a government agency.

At which retchdog kvetches:


Can you imagine how bad the internet would be if the government ran it?

But why this contractor? cronix was to guess:

Legal scrutiny”

If I were to guess, because private companies aren’t subject to FOIA requests. It’s a little trick the gov’t has been doing for some time now to avoid legitimate, legal scrutiny by the public.

Your humble blogwatcher very much needed to steal msauve’s quip for his headline:

So the DoD just created the world’s largest honeypot.

Perhaps there’s a longer game? j3th9n thinks the DoD’s also prepping for a sale:

Collect some interesting traffic”

A lot of companies use the IP [spaces] internally. And apparently the intention was to sell the IP-addresses.

But buyers would be faced with a lot of traffic coming from all those companies using the ranges internally—instant DDoS. Maybe this is an attempt to “clean” the IP-addresses before selling them.

It will probably only take time before most companies using the ranges internally and having problems now … to reconfigure their networks to fix it. In the meantime the Pentagon can probably collect some interesting traffic, speeding up the whole process of reconfiguration by companies who use the ranges, to prevent their secrets from falling into exactly the right hands.

tl;dr? Here’s a neat precis from Nicholas Weaver—@ncweaver:

Rogue actors”

This sounds like a spin up of a “network telescope” project (collect the incoming **** and see what is there), combined with just advertising the space so rogue actors can’t advertise the address ranges themselves.

Meanwhile, slashmaddy needs your clothes, your boots and your motorcycle:

Beta testing”

Nothing to see here, move along. Just the first few nodes of Skynet coming online for beta testing.

And Finally:

Please recycle

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Marine Corps Sgt. David Staten (public domain)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 547 posts and counting.See all posts by richi

Cloud Workload Resilience PulseMeter

Step 1 of 8

How do you define cloud resiliency for cloud workloads? (Select 3)(Required)