Enlarge
Getty Images | Andriy Onufriyenko
reader comments
137
with 88 posters participating
Share this story
Share on Facebook
Share on Twitter
Share on Reddit
The US Department of Defense puzzled Internet experts by apparently transferring control of tens of millions of dormant IP addresses to an obscure Florida company just before President Donald Trump left the White House, but the Pentagon has finally offered a partial explanation for why it happened. The Defense Department says it still owns the addresses but that it is using a third-party company in a "pilot" project to conduct security research.
"Minutes before Trump left office, millions of the Pentagon's dormant IP addresses sprang to life" was the title of a
Washington Post article
on Saturday. Literally three minutes before Joe Biden became president, a company called Global Resource Systems LLC "discreetly announced to the world's computer networks a startling development: It now was managing a huge unused swath of the Internet that, for several decades, had been owned by the US military," the Post said.
The number of Pentagon-owned IP addresses announced by the company rose to 56 million by late January and 175 million by April, making it the world's largest announcer of IP addresses in the IPv4 global routing table.
"The theories were many," the Post article said. "Did someone at the Defense Department sell off part of the military's vast collection of sought-after IP addresses as Trump left office? Had the Pentagon finally acted on demands to unload the billions of dollars worth of IP address space the military has been sitting on, largely unused, for decades?"
The Post said it got an answer from the Defense Department on Friday in the form of a statement from the director of "an elite Pentagon unit known as the Defense Digital Service."
The Post wrote:
“SWAT team of nerds”
The 6-year-old DDS consists of "82 engineers, data scientists, and computer scientists" who "worked on the much-publicized '
hack the Pentagon
' program" and a variety of other projects tackling some of the hardest technology problems faced by the military, a Department of Defense
article
said in October 2020. Goldstein has called the unit a "SWAT team of nerds."
The Defense Department did not say what the unit's specific objectives are in its project with Global Resource Systems, "and Pentagon officials declined to say why Goldstein's unit had used a little-known Florida company to carry out the pilot effort rather than have the Defense Department itself 'announce' the addresses through BGP [Border Gateway Protocol] messages—a far more routine approach," the Post said.
Advertisement
Still, the government's explanation piqued the interest of Doug Madory, director of Internet analysis at network-security company Kentik.
"I interpret this to mean that the objectives of this effort are twofold," Madory wrote in a
blog post
Saturday. "First, to announce this address space to scare off any would-be squatters, and secondly, to collect a massive amount of background Internet traffic for threat intelligence."
New company remains mysterious
The Washington Post and Associated Press weren't able to dig up many details about Global Resource Systems. "The company did not return phone calls or emails from The Associated Press. It has no web presence, though it has the domain grscorp.com," an
AP story
yesterday said. "Its name doesn't appear on the directory of its Plantation, Florida, domicile, and a receptionist drew a blank when an AP reporter asked for a company representative at the office earlier this month. She found its name on a tenant list and suggeste
d trying email. Records show the company has not obtained a business license in Plantation." The AP apparently wasn't able to track down people associated with the company.The AP said that the Pentagon "has not answered many basic questions, beginning with why it chose to entrust management of the address space to a company that seems not to have existed until September." Global Resource Systems' name "is identical to that of a firm that independent Internet fraud researcher Ron Guilmette says was sending out email spam using the very same Internet routing identifier," the AP continued. "It shut down more than a decade ago. All that differs is the type of company. This one's a limited liability corporation. The other was a corporation. Both used the same street address in Plantation, a suburb of Fort Lauderdale."
The AP did find out that the Defense Department still owns the IP addresses, saying that "a Defense Department spokesman, Russell Goemaere, told the AP on Saturday that none of the newly announced space has been sold."
Bigger than China Telecom and Comcast
Network experts were stumped by the emergence of Global Resource Systems for a while. Madory called it "a great mystery."
At 11:57 am EST on January 20, three minutes before the Trump administration officially came to an end, "[a]n entity that hadn't been heard from in over a decade began announcing large swaths of formerly unused IPv4 address space belonging to the US Department of Defense," Madory wrote. Global Resource Systems is labeled
AS8003
and GRS-DOD in BGP records.
Madory wrote:
In mid-March, "astute contributors to the NANOG listserv
highlighted
the oddity of massive amounts of DoD address space being announced by what appeared to be a shell company," Madory noted.
Advertisement
DoD has “massive ranges” of IPv4 space
The Defense Department "was allocated numerous massive ranges of IPv4 address space" decades ago, but "only a portion of that address space was ever utilized (i.e. announced by the DoD on the Internet)," Madory wrote. Expanding on his point that the Defense Department may want to "scare off any would-be squatters," he wrote that "there is a
vast world of fraudulent BGP routing
out there. As I've documented over the years, various types of bad actors use unrouted address space to bypass blocklists in order to send spam and other types of malicious traffic."
On the Defense Department's goal of collecting "background Internet traffic for threat intelligence," Madory noted that "there is a lot of background noise that can be scooped up when announcing large ranges of IPv4 address space."
Potential routing problems
The emergence of previously dormant IP addresses could lead to routing problems. In 2018,
AT&T unintentionally blocked
its home-Internet customers from Cloudflare's new DNS service because the Cloudflare service and the AT&T gateway were using the same IP address of 1.1.1.1.
Madory wrote:
Madory's conclusion was that the new statement from the Defense Department "answers some questions," but "much remains a mystery." It isn't clear why the Defense Department didn't simply announce the address space itself instead of using an obscure outside entity, and it's unclear why the project came "to life in the final moments of the previous administration," he wrote.
But something good might come out of it, Madory added: "We likely won't get all of the answers anytime soon, but we can certainly hope that the DoD uses the threat intel gleaned from the large amounts of background traffic for the benefit of everyone. Maybe they could come to a NANOG conference and present about the troves of erroneous traffic being sent their way."
