nanog mailing list archives
Weird routing pattern - Atlanta device hitting Argentine ISP + unknown EU endpoint
From: Intergalactic Auditor via NANOG <nanog () lists nanog org>
Date: Sun, 18 Jan 2026 21:27:12 +0000
Hey NANOG,

Seeing some odd routing from an Atlanta device that seems to lack logic to say the least. Thought I'd shed some light on it....

Expected: Apple infrastructure (17.x.x.x)

Actual destinations:
- 109.1.2.1 (SFR France, INFRA-SBT, abuse () gaoland net)
- 200.3.10.2 (INTERWEB-DAIREAUX Argentina, 200.3.10.0/23)
- 67.1.2.1 (CenturyLink)
- 184.0.0.13 (CenturyLink)
- 136.3.5.1 (AWS)

Pattern: TLS 1.3, 02:00-03:30 local, multiple clients

Geographic spread makes no sense (EU + small Argentine ISP from US). Possible C2/exfil.

Worth checking your flows for 109.1.0.0/17 and 200.3.10.0/23 from non-EU/LACNIC sources.

- Joseph II

_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/SKY43646JXNAZVYN5ZRUV55II3SGWSVO/
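One way to run the flow check suggested in the message above, as an added example that is not part of the original post. Only the two prefixes and the 02:00-03:30 window come from the post; the CSV column names, the internal source addresses, and the sample rows are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Prefixes named in the post.
WATCH_PREFIXES = [ip_network("109.1.0.0/17"), ip_network("200.3.10.0/23")]
# Time-of-day window from the post (site-local time, inclusive).
WINDOW_START, WINDOW_END = time(2, 0), time(3, 30)

# Constructed sample flow export; column layout is an assumption and
# timestamps are assumed to be already converted to site-local time.
SAMPLE_FLOWS = """\
ts_local,src,dst,dport,bytes
2026-01-18T02:14:09,10.20.1.15,109.1.2.1,443,48211
2026-01-18T02:41:55,10.20.1.15,200.3.10.2,443,9120
2026-01-18T03:05:30,10.20.1.77,200.3.11.40,443,15002
2026-01-18T03:45:00,10.20.1.77,109.1.2.1,443,700
2026-01-18T02:20:00,10.20.1.15,17.253.1.10,443,88000
2026-01-18T14:02:11,10.20.2.9,109.1.130.4,443,5000
"""

def matched_prefix(dst):
    """Return the watched prefix containing dst, or None."""
    addr = ip_address(dst)
    return next((net for net in WATCH_PREFIXES if addr in net), None)

def scan_flows(fileobj):
    """Map each source to its flows toward watched prefixes.

    Each flow is (timestamp, dst, prefix, in_window, bytes); in_window marks
    whether it falls inside the 02:00-03:30 pattern described in the post.
    """
    hits = defaultdict(list)
    for row in csv.DictReader(fileobj):
        net = matched_prefix(row["dst"])
        if net is None:
            continue
        ts = datetime.fromisoformat(row["ts_local"])
        in_window = WINDOW_START <= ts.time() <= WINDOW_END
        hits[row["src"]].append((ts, row["dst"], str(net), in_window, int(row["bytes"])))
    return dict(hits)

def scan_sample():
    return scan_flows(io.StringIO(SAMPLE_FLOWS))

if __name__ == "__main__":
    for src, flows in sorted(scan_sample().items()):
        for ts, dst, net, in_window, nbytes in flows:
            tag = "in-window" if in_window else "outside-window"
            print(f"{src} -> {dst} ({net}) {ts.isoformat()} {nbytes}B {tag}")
```

Note that 109.1.130.4 in the sample is deliberately outside 109.1.0.0/17 and is not reported, while 200.3.11.40 is inside 200.3.10.0/23 and is.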
Current thread:
- Weird routing pattern - Atlanta device hitting Argentine ISP + unknown EU endpoint Intergalactic Auditor via NANOG (Jan 18)
- Re: Weird routing pattern - Atlanta device hitting Argentine ISP + unknown EU endpoint Ryan Hamel via NANOG (Jan 18)
- Re: Weird routing pattern - Atlanta device hitting Argentine ISP + unknown EU endpoint Ryan Hamel via NANOG (Jan 18)
- Re: Weird routing pattern - Atlanta device hitting Argentine ISP + unknown EU endpoint Intergalactic Auditor via NANOG (Jan 18)
- Re: Weird routing pattern - Atlanta device hitting Argentine ISP + unknown EU endpoint Ryan Hamel via NANOG (Jan 18)
