Millions of the Pentagon's Dormant IP Addresses Have Mysteriously Sprung to Life (msn.com)
"Just before the end of the Trump administration, an obscure Florida company began announcing routes to IP addresses owned by the Pentagon," writes long-time Slashdot reader whoever57. The Washington Post calls it "a huge unused swath of the Internet that, for several decades, had been owned by the U.S. military."
What happened next was stranger still. The company, Global Resource Systems LLC, kept adding to its zone of control. Soon it had claimed 56 million IP addresses owned by the Pentagon. Three months later, the total was nearly 175 million. That's almost 6 percent of a coveted traditional section of Internet real estate — called IPv4 — where such large chunks are worth billions of dollars on the open market... "They are now announcing more address space than anything ever in the history of the Internet," said Doug Madory, director of Internet analysis for Kentik, a network monitoring company, who was among those trying to figure out what was happening...
The change is the handiwork of an elite Pentagon unit known as the Defense Digital Service, which reports directly to the secretary of defense. The DDS bills itself as a "SWAT team of nerds" tasked with solving emergency problems for the department and conducting experimental work to make big technological leaps for the military... Brett Goldstein, the DDS's director, said in a statement that his unit had authorized a "pilot effort" publicizing the IP space owned by the Pentagon. "This pilot will assess, evaluate and prevent unauthorized use of DoD IP address space," Goldstein said. "Additionally, this pilot may identify potential vulnerabilities...."
The specifics of what the effort is trying to achieve remain unclear... What is clear, however, is the Global Resource Systems announcements directed a fire hose of Internet traffic toward the Defense Department addresses...
Russell Goemaere, a spokesman for the Defense Department, confirmed in a statement to The Washington Post that the Pentagon still owns all the IP address space and hadn't sold any of it to a private party.
Obviously... (Score:2, Interesting)
Re: (Score:3)
It's gearing up for a massive DDoS on the civilians!
"a huge unused swath of the Internet that, for several decades, had been owned by the U.S. military."
With what? A massive army of...Win95 machines?
(Knowing government spending, there's a shiny new GateWay 2000 on the ass end of half that IP space.)
Re: (Score:2)
With what? A massive army of...Win95 machines?
You joke, but ...
Re: (Score:2)
You do realize that the Internet, and with it IPv4 addresses pre-date Win95, right?
Unfortunately, in the early days, massive blocks were handed out. Among others, Sun Microsystems used to have (and Oracle may still have) some massive blocks and wasted them on their internal networks. In fact, I think that Sun used to do training in which they instructed people to use the Sun IP addresses as private IP addresses (like RFC 1918 addresses).
Re:Obviously... (Score:4, Funny)
can you imagine how bad the internet would be if the government ran it?! thank god it was Sun Microsystems.
Re:Obviously... (Score:4, Informative)
Unfortunately, in the early days, massive blocks were handed out. Among others, Sun Microsystems used to have (and Oracle may still have) some massive blocks and wasted them on their internal networks.
Back then TCP/IP was just a temporary thing that would soon be replaced by a "proper" OSI protocol stack. Nobody expected every man and his fridge to use TCP/IP.
Re:Obviously... (Score:4, Informative)
They were handed out because the Class A/B/C system wasn't granular enough. Class C was only useful for small businesses with 254 addresses, so a medium-sized business with, say, 300 employees would need a Class B. This results in a lot of companies getting a Class B because they couldn't fit in a Class C.
And larger organizations still, like Sun, Apple, etc., were handed Class A's because they couldn't fit in a Class B.
Waste was huge - 254 addresses work for a small company, but if you need 255 or more, suddenly you got a Class B even though you don't need all 65534 addresses. You can bet a lot of companies that had a class B only really needed between 1000-10,000 addresses.
And big companies got 15.7M addresses, even if all they had was 100,000 computers they wanted to connect.
Of course, these days, CIDR and enhanced routers means you can have finer grained allocations, but also multiple allocations in different subnets. If you have a /24 and need another handful of addresses, you might get a /28 or something to add on.
But back when you only had the choice of /8, /16 or /24, the system wasn't so flexible. And routers weren't as good so you got a contiguous allocation to simplify the global routing table. If you were an ISP, think of your customers. If you're an ultra tiny ISP, you might fit in a Class C. If you serve maybe a small town or city, a Class B would work. But if you serve several cities of maybe a million people, you'd have to get a Class A. There's just a huge jump between 254 to 65534, and 65534 to 16.7 million.
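An added example (my own code, not from the comment above) that works the comment's numbers through code and generalizes them: for a given host count it picks the legacy class that would have been allocated, the smallest CIDR block that would serve the same hosts today, and the addresses burned by the difference.

```python
# Prefix lengths of the three legacy classful sizes the comment describes.
CLASSFUL = {"C": 24, "B": 16, "A": 8}


def usable_hosts(prefixlen):
    """Usable addresses in an IPv4 block: total minus network and broadcast."""
    return 2 ** (32 - prefixlen) - 2


def classful_block(hosts):
    """Smallest legacy class (C, then B, then A) whose usable count fits `hosts`.
    Returns (class letter, prefix length)."""
    for name in ("C", "B", "A"):
        if usable_hosts(CLASSFUL[name]) >= hosts:
            return name, CLASSFUL[name]
    raise ValueError("more hosts than a single Class A can hold")


def cidr_prefix(hosts):
    """Smallest CIDR block (largest prefix length) whose usable count fits `hosts`."""
    for prefixlen in range(30, 7, -1):
        if usable_hosts(prefixlen) >= hosts:
            return prefixlen
    raise ValueError("more hosts than a /8 can hold")


def waste(hosts):
    """Usable addresses a classful allocation burns compared with a CIDR block."""
    _, class_len = classful_block(hosts)
    return usable_hosts(class_len) - usable_hosts(cidr_prefix(hosts))


if __name__ == "__main__":
    # The comment's own cases: a 300-employee business and a 100,000-computer company.
    for hosts in (254, 300, 100_000):
        name, class_len = classful_block(hosts)
        print(f"{hosts:>7} hosts: Class {name} (/{class_len}) vs CIDR /{cidr_prefix(hosts)}, "
              f"wasted {waste(hosts)} addresses")
```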
Re: Obviously... (Score:2)
Ford owns the entire 19 Class A.
Re: Obviously... a massive honey pot (Score:2)
Re: (Score:2)
I don't like the idea of a unique ID for each of my devices.
Re: (Score:1)
Like a MAC address?
Re: (Score:2)
But in most traffic, my machine's MAC address doesn't propagate beyond the local router.
Re: (Score:2)
You mean something my machine self-reports and never gets transmitted beyond my local router?
Re: (Score:3, Interesting)
DoD should have hung on to these, and helped push everybody to IPv6. We need to get off IPv4 as soon as possible.
IPv6 is a plague which should be banned. No one implements it properly so it either fails to work or is riddled with security holes. There are plenty of IPv4 addresses with NATing, which also encourages proper firewall configs and in turn a computational-herd-immunity from not having every retard under the sun on a flat network. IPv6 is primarily pushed for and by the IoT fuckers - the ones who want to have an IP for every device they manufacture such that it can latch onto any available wifi network withou
Re: (Score:2)
No one implements it properly so it either fails to work or is riddled with security holes.
It works for me and thousands of people who visit my website.
Re: (Score:2)
I'm unable to discern what you are specifically claiming in this example that you are doing in ipv4 that doesn't work in ipv6.
Class D is multicasting, so if you were correct about using class D then you are misusing the protocol in a way that probably wouldn't work with a lot of ipv4 peers. In such a case, you could use ff00::/8 in a similarly bad idea of misusing the protocol. If you meant 253 and 254 are the two octets you are using to lead, then you are using class E, which also isn't valid to broadly u
Huh? (Score:2)
I'm trying to figure out what you could possibly be trying to say here. The one part I can parse and answer is this:
> How do you manage subdomains?
Google.com is a subdomain of com.
Google.co.uk is a subdomain of co.uk is a subdomain of uk
There is nothing special about mail.google.co.uk that makes it somehow different from google.co.uk. DNS assigns an ip to a name. It doesn't matter how many dots are in a particular name.
Re: (Score:2)
Let me try phrasing it a different way.
Have you set up a record for www.you.com?
Congrats, that's a subdomain.
There is nothing special about www. You could set up uuu or hfjd exactly the same way.
Re: Horrible mistake since IPv4 (Score:2)
That sounds like bad implementations, not bad design. Ipv6 works fine in many places.
Re: Horrible mistake since IPv4 (Score:3)
IPv6 allows better tailoring of firewalls. It removes the NEED for NAT, and instead makes it an option. Finally, once companies like CenturyLink, Comcast, etc. actually implement IPv6 correctly, we can return to static class ownership.
Re: (Score:1)
Removing the need to take an extra step to connect a camera, microwave, toaster, refrigerator, or lightbulb to the internet makes everyone more secure
*less secure
Re: (Score:3)
The one point in that that I would concede is that a home router that has no choice but to NAT is inherently having to implement stateful firewalling and failures to do so tended to block traffic rather than allow traffic through. In IPv6 world, in theory a lack of firewalling properly may possibly lead to unintentional forwarding as a failure mode.
However, IoT doesn't need IPv6 to misbehave. One, they can always call home through having a public IP address to reach out to. Secondly, UPNP port forwarding mea
Re: (Score:2)
But that's just it, they *don't* have to take extra steps.
If the device says 'hey, I want a public port', then most consumer NAT routers will oblige and set up a port forward to make them reachable, with no human involved. UPnP has that to allow passive connection to a device behind a NAT gateway. NAT hole-punching is a widely implemented thing.
The usage scenario that would be mitigated would be:
-A non-NAT IPv6 consumer gateway (which is the norm for IPv6 as far as I've seen)
-That router for some reason do
Re: (Score:2)
Basic internet registry policy. If you do not announce it - you lose it. I used to have a class C. I was told to surrender it, because it was not being advertised and used. That was more than a decade ago.
Looks like ARIN has finally stopped applying "all animals are equal, but some are more equal than others" to the Pentagon so they decided to start advertising them to be compliant. They are not using them, they are still hoarding them - it is a prefix
Re: (Score:3)
>> Looks like ARIN has finally stopped applying "all animals are equal, but some are more equal than others" to the Pentagon so they decided to start advertising them to be compliant.
Except in this particular case, the United States Department of Defense *IS* more equal than other animals ... they created the internet. If they've retained a heap of IPv4, good luck to them, and thanks for giving us the net. Founder's privilege.
With all of the IPv4 addresses owned by USG ... (Score:4, Insightful)
... they can't give some of those /8 & /16 back?
Re: (Score:2)
Back in 2015, there were proposals to sell most of the unused spectrum. The proposal was stripped from the legislation. It could have raised several billion dollars, but Congress is famous for supporting government waste.
Re: (Score:2)
They could - but why would they? It's not like they need money and they can always be useful. More importantly: They're a scarce resource, so once you gave them back, you won't get them again.
Nothing to see here, move along... (Score:3, Funny)
Just the first few nodes of Skynet coming online for beta testing.
Re: (Score:2)
Nah, they were BGP hijacked by China Telecom. Who knows why....
Re: (Score:1)
Yeah, that's more along the lines of what I was thinking: what makes everyone so sure the people actually in charge of these IP addresses even know this is happening?
RTFS (Score:2)
What makes everyone so sure the people actually in charge of these IP addresses even know this is happening?
They read the summary...
Re: (Score:3)
The current owner, which does have some contracts with the government, only lists his other address as a box at a UPS store.
The company has no public-facing website. There is no mention that these contracts went up for bid. In fact there seems to be no documentation on any formalities or protection for the country concernin
Re: Someone typoed (Score:2)
And gets a +1. Is this Facebook?
So... (Score:5, Insightful)
Re: (Score:1)
the DoD just created the world's largest honeypot.
Exactly. And since certain countries of interest have providers well known to use some of those DoD IPv4 addresses for internal use, the data may provide some insights (at least for a while).
OK, who bought the red balloons? (Score:2)
The war machine springs to life
Opens up one eager eye
Focusing it on the sky
Where 99 red balloons go by
Re: 10.4 /8's (Score:3)
In the 90s, I worked on a DoD base. All PCs had public IP addresses with no NAT. I only had dial up at home so do not remember the state of NAT at that time. By ~2000, I had Internet access at home with NAT though.
iptables et al (Score:1, Interesting)
DoD discussion on this on IPv4 Global (Score:2)
Some background here - https://ipv4.global/u-s-depart... [ipv4.global]
(1) IN GENERAL.—Not later than 10 years after the date of the enactment of this Act, the Secretary of Defense shall sell all of the IPv4 addresses described in subsection (b) at fair market value. The net proceeds collected from a sale under this section shall be deposited in the General Fund of the Treasury.
(2) DEADLINES FOR CERTAIN BLOCKS.—Of the IPv4 addresses described in subsection (b), the Secretary of Defense shall sell in accordance
YouTube hijacked (Score:3)
The Pentagon may be studying how to avoid having its addresses hijacked, as occurred to YouTube in 2008 [ripe.net] when Pakistan Telecom started advertising their addresses.
IG Investigation? (Score:1)