Free Republic
Browse · Search
Topics · Post Article

Skip to comments.

The Mystery of AS8003 ( come alive within the final three minutes of the Trump administration...)
Kentik ^ | APRIL 24, 2021 | by Doug Madory Director of Internet Analysis

Posted on 04/24/2021 7:32:22 PM PDT by narses

On January 20, 2021, a great mystery appeared in the internet’s global routing table. An entity that hadn’t been heard from in over a decade began announcing large swaths of formerly unused IPv4 address space belonging to the U.S. Department of Defense. Registered as GRS-DoD, AS8003 began announcing among other large DoD IPv4 ranges.

According to data available from University of Oregon’s Routeviews project, one of the very first BGP messages from AS8003 to the internet was:

TIME: 01/20/21 16:57:35 TYPE: BGP4MP/MESSAGE/Update FROM: AS1299 TO: AS6447 ORIGIN: IGP ASPATH: 1299 6939 6939 8003 NEXT_HOP: ANNOUNCE The message above has a timestamp of 16:57 UTC (11:57am ET) on January 20, 2021, moments after the swearing in of Joe Biden as the President of the United States and minutes before the statutory end of the administration of Donald Trump at noon Eastern time.

The questions that started to surface included: Who is AS8003? Why are they announcing huge amounts of IPv4 space belonging to the U.S. Department of Defense? And perhaps most interestingly, why did it come alive within the final three minutes of the Trump administration?

By late January, AS8003 was announcing about 56 million IPv4 addresses, making it the sixth largest AS in the IPv4 global routing table by originated address space. By mid-April, AS8003 dramatically increased the amount of formerly unused DoD address space that it announced to 175 million unique addresses.

Following the increase, AS8003 became, far and away, the largest AS in the history of the internet as measured by originated IPv4 space. By comparison, AS8003 now announces 61 million more IP addresses than the now-second biggest AS in the world, China Telecom, and over 100 million more addresses than Comcast, the largest residential internet provider in the U.S.

In fact, as of April 20, 2021, AS8003 is announcing so much IPv4 space that 5.7% of the entire IPv4 global routing table is presently originated by AS8003. In other words, more than one out of every 20 IPv4 addresses is presently originated by an entity that didn’t even appear in the routing table at the beginning of the year.

A valuable asset

Decades ago, the U.S. Department of Defense was allocated numerous massive ranges of IPv4 address space - after all, the internet was conceived as a Defense Dept project. Over the years, only a portion of that address space was ever utilized (i.e. announced by the DoD on the internet). As the internet grew, the pool of available IPv4 dwindled until a private market emerged to facilitate the sale of what was no longer just a simple router setting, but an increasingly precious commodity.

Even as other nations began purchasing IPv4 as a strategic investment, the DoD sat on much of their unused supply of address space. In 2019, Members of Congress attempted to force the sale of all of the DoD’s IPv4 address space by proposing the following provision be added to the National Defense Authorization Act for 2020:

Sale of Internet Protocol Addresses. Section 1088 would require the Secretary of Defense to sell at fair market value all of the department’s Internet Protocol version 4 (IPv4) addresses over the next 10 years. The proceeds from those sales, after paying for sales transaction costs, would be deposited in the General Fund of the Treasury.

The authors of the proposed legislation used a Congressional Budget Office estimate that a /8 (16.7 million addresses) would fetch $100 million after transaction fees. In the end, it didn’t matter because this provision was stripped from the final bill that was signed into law - the Department of Defense would be funded in 2020 without having to sell this precious internet resource.

What is AS8003 doing?

Last month, astute contributors to the NANOG listserv highlighted the oddity of massive amounts of DoD address space being announced by what appeared to be a shell company. While a BGP hijack was ruled out, the exact purpose was still unclear. Until yesterday when the Department of Defense provided an explanation to reporters from the Washington Post about this unusual internet development. Their statement said:

Defense Digital Service (DDS) authorized a pilot effort advertising DoD Internet Protocol (IP) space using Border Gateway Protocol (BGP). This pilot will assess, evaluate and prevent unauthorized use of DoD IP address space. Additionally, this pilot may identify potential vulnerabilities. This is one of DoD’s many efforts focused on continually improving our cyber posture and defense in response to advanced persistent threats. We are partnering throughout DoD to ensure potential vulnerabilities are mitigated.

I interpret this to mean that the objectives of this effort are twofold. First, to announce this address space to scare off any would-be squatters, and secondly, to collect a massive amount of background internet traffic for threat intelligence.

On the first point, there is a vast world of fraudulent BGP routing out there. As I’ve documented over the years, various types of bad actors use unrouted address space to bypass blocklists in order to send spam and other types of malicious traffic.

On the second, there is a lot of background noise that can be scooped up when announcing large ranges of IPv4 address space. A recent example is Cloudflare’s announcement of and in 2018.

For decades, internet routing operated with a widespread assumption that ASes didn’t route these prefixes on the internet (perhaps because they were canonical examples from networking textbooks). According to their blog post soon after the launch, Cloudflare received “~10Gbps of unsolicited background traffic” on their interfaces.

And that was just for 512 IPv4 addresses! Of course, those addresses were very special, but it stands to reason that 175 million IPv4 addresses will attract orders of magnitude more traffic. More misconfigured devices and networks that mistakenly assumed that all of this DoD address space would never see the light of day.


While today’s statement from the DoD answers some questions, much remains a mystery. Why did the DoD not just announce this address space themselves instead of directing an outside entity to use the AS of a long dormant email marketing firm? Why did it come to life in the final moments of the previous administration?

We likely won’t get all of the answers anytime soon, but we can certainly hope that the DoD uses the threat intel gleaned from the large amounts of background traffic for the benefit of everyone. Maybe they could come to a NANOG conference and present about the troves of erroneous traffic being sent their way.

TOPICS: Crime/Corruption; Government; US: District of Columbia
KEYWORDS: dod; internet
Navigation: use the links below to view more comments.
first 1-2021-4041-50 next last

1 posted on 04/24/2021 7:32:22 PM PDT by narses
[ Post Reply | Private Reply | View Replies]

To: narses

Designed to ensure no declassification attempts by Trump could be disemminated. Anywhere.

2 posted on 04/24/2021 7:35:53 PM PDT by montag813 ("Fallen, fallen, is Babylon the Great")
[ Post Reply | Private Reply | To 1 | View Replies]

To: narses

This is beyond my ability to speculate.

3 posted on 04/24/2021 7:36:04 PM PDT by Rebelbase
[ Post Reply | Private Reply | To 1 | View Replies]

To: narses

Interesting. For Chinese Skynet? Complete surveillance?

4 posted on 04/24/2021 7:38:30 PM PDT by dynachrome ("I will not be reconstructed, and I do not give a damn.")
[ Post Reply | Private Reply | To 1 | View Replies]

To: montag813

There is a really intelligent freeper who I think goes by the username SWORDMAKER who would know all about this ... perhaps I haven’t remembered his username correctly .. but he would know all about this ...

5 posted on 04/24/2021 7:47:15 PM PDT by Ken522
[ Post Reply | Private Reply | To 2 | View Replies]

To: Swordmaker


6 posted on 04/24/2021 7:48:28 PM PDT by narses (Censeo praedatorium gregem esse delendum. (The gay lobby must be destroyed))
[ Post Reply | Private Reply | To 5 | View Replies]

To: narses


7 posted on 04/24/2021 7:49:14 PM PDT by Southside_Chicago_Republican (The more I learn about people, the more I like my dog. )
[ Post Reply | Private Reply | To 1 | View Replies]

To: narses

Probably wanted to ensure that it was being used and not able to be given away.

8 posted on 04/24/2021 7:50:05 PM PDT by glorgau
[ Post Reply | Private Reply | To 1 | View Replies]

To: narses

I have some IT experience but not even enough to barely understand MOST of this article.

I’d like to.

It seems important- especially the “scooping up traffic” line.

I wish I understood it but I have a gnawing sense that it would be too frightening.

9 posted on 04/24/2021 7:57:26 PM PDT by Ken Regis
[ Post Reply | Private Reply | To 1 | View Replies]

To: narses

While I have no idea what they are up to, I would guess the Swamp and their DOD is up to something and it is not good for the United States or Americans.

10 posted on 04/24/2021 8:04:10 PM PDT by Tupelo (Old, Tired, Cranky and Disgusted)
[ Post Reply | Private Reply | To 1 | View Replies]

To: narses

Seeing as how massive and widespread the election fraud was, and how the internet was a vital tool, as well as the involvement of virtually the entire government, one would certainly conclude that the incident in question was initiated with the best of intentions.

11 posted on 04/24/2021 8:04:28 PM PDT by robel
[ Post Reply | Private Reply | To 1 | View Replies]

To: narses

Occams razor says to me that this was a planned DoD test and the timing is just coincidence.

12 posted on 04/24/2021 8:18:13 PM PDT by bigbob
[ Post Reply | Private Reply | To 1 | View Replies]

“I’m not saying
It’s Aliens,
“We Control the Vertical,”
“Medication Time,
Medication Time.”
A simpler time when
The only information one
Needed was found in a
Worn and tattered Bible.

13 posted on 04/24/2021 8:22:43 PM PDT by Big Red Badger (Be Still and Know that I Am God. Rev 19)
[ Post Reply | Private Reply | To 11 | View Replies]

To: narses


14 posted on 04/24/2021 8:22:56 PM PDT by pke
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce; dayglored; Whenifhow; null and void; aragorn; EnigmaticAnomaly; kalee; Kale; ...


15 posted on 04/24/2021 8:35:32 PM PDT by bitt (People who wonder if the glass is half empty or half full miss the point. The glass is refillable.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: narses

IP Information for
Quick Stats
IP Location United States Of America United States Of America Chicago Telia Company Ab
ASN United States Of America AS1299 TELIANET Telia Carrier, SE (registered Sep 01, 1993)
Resolve Host
Whois Server
IP Address


IP Information for
Quick Stats
IP Location United States Of America United States Of America Eugene University Of Oregon
ASN United States Of America AS3582 UONET, US (registered May 11, 1994)
Resolve Host
Whois Server
IP Address
NetRange: -
NetName: UONET
NetHandle: NET-128-223-0-0-1
Parent: NET128 (NET-128-0-0-0-0)
NetType: Direct Assignment
Organization: University of Oregon (UNIVER-193)
RegDate: 1987-04-07
Updated: 2011-07-10

OrgName: University of Oregon
OrgId: UNIVER-193
Address: UO Information Services
Address: 1225 Kincaid Street
City: Eugene
StateProv: OR
PostalCode: 97403
Country: US
Updated: 2019-04-11

OrgTechHandle: EDMIS1-ARIN
OrgTechName: Edmiston, Jason
OrgTechPhone: +1-541-346-1759

OrgTechHandle: TEACH4-ARIN
OrgTechName: Teach, David
OrgTechPhone: +1-541-346-1719

OrgNOCName: UOnet NOC
OrgNOCPhone: +1-541-346-4397

OrgAbuseHandle: UAD4-ARIN
OrgAbuseName: UOnet Abuse Desk
OrgAbusePhone: +1-541-346-4397

OrgTechHandle: JAD46-ARIN
OrgTechName: Dominguez, Jose Alfredo
OrgTechPhone: +1-541-346-1685

RAbuseHandle: UAD4-ARIN
RAbuseName: UOnet Abuse Desk
RAbusePhone: +1-541-346-4397

RTechHandle: JAD46-ARIN
RTechName: Dominguez, Jose Alfredo
RTechPhone: +1-541-346-1685

RNOCPhone: +1-541-346-4397

16 posted on 04/24/2021 8:37:58 PM PDT by Chode (there is no fall back position, there is no rally point, there is no LZ... we're on our own. P144:1)
[ Post Reply | Private Reply | To 1 | View Replies]

To: narses

To those who want to know, the writer discussed the Domain Name System and a Defense security assessment of it. There’s really nothing more to it. I installed and configured a few DNS servers and other servers during the ‘90s. No big deal.

17 posted on 04/24/2021 8:41:40 PM PDT by familyop (Only here for the tales from the rubber room.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: narses
The only thing I can imagine of that the US government is setting up some sort of "man-in-the-middle" proxy for vast numbers of Internet users, which could act like the world's largest wiretap operation. To do this they would have to probably get co-operation from the ISPs, but that's easy enough to imagine.

I think any rational person always assumes that "big brother is watching", this is probably just a move to make that a reality.

It would be a big step towards becoming Communist China.

18 posted on 04/24/2021 8:44:40 PM PDT by The Duke (Search for 'Sydney Ducks' and understand what is needed.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Ken Regis

The author was being a little overly dramatic by using the word, scooped. Defense was probably only doing what any well educated sysadmin could do: analyzing traffic that came to routers. Look up Wireshark (analyzes packets). Nothing frightening. Boring, maybe. I saw some pretty silly little messages in packets at times in the past (admins joking).

19 posted on 04/24/2021 9:00:25 PM PDT by familyop (Only here for the tales from the rubber room.)
[ Post Reply | Private Reply | To 9 | View Replies]

To: Tupelo

While I have no idea what they are up to, I would guess the Swamp and their DOD is up to something and it is not good for the United States or Americans.
The DOD does not belong to the swamp. They have some DOD window dressing but the core of the DOD refused to share ‘critical intel’ with Biden’s crew in January; there was an MSM article bitterly complaining about it. One of the features they ‘needed’ information about, and could not get from the Pentagon, was ‘critical information about vaccine information.’ Think about that and then extrapolate what else the DOD would not provide.
The Biden chimps complained that they asked questions and the DOD paused to tensely consult what appeared to be a lawyer present, and then carefully declined to answer certain questions.

Another way to say it, is if the Pentago belonged to the Swamp, then we would have China in our major ports determining what other nations could be allowed to enter, as it has done in Israel. China now has their own port near Haifa and has said the US must make requests to enter that port to China.

The NG troops are not controlled by Biden (thank heavens). Things are not what they seem.

20 posted on 04/24/2021 9:11:31 PM PDT by ransomnote (IN GOD WE TRUST)
[ Post Reply | Private Reply | To 10 | View Replies]

Navigation: use the links below to view more comments.
first 1-2021-4041-50 next last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794 is powered by software copyright 2000-2008 John Robinson