Hi Folks,
Just noticed that almost all DOD prefixes (7.0.0.0/8,11.0.0.0/8,22.0.0.0/8 and bunch of /22s) are now announced under AS8003 (GRSCORP) which was just formed a few months ago.
It looks so suspicious. Does anyone know if it’s authorized?
Regards,
Siyuan
Single-homed on AS6939, no website setup on gsrcorp.com.
The address listed is in Plantation, PL and shows is a typical commercial office building. You can even get virtual office address here: https://www.davincivirtual.com/loc/us/florida/plantation-virtual-offices/facility-2492
https://bgp.he.net/net/11.0.0.0/8#_dns shows a lot of .cn domains pointing to these IPs
https://bgp.he.net/net/11.0.0.0/8#_irr shows route-object created for AS95 (real DoD) and AS8003 by the same maintainer, probably to make it seem more legit.
I would be really curious to see the LOA presented to AS6939 to announce 54 million IPs out of government IP space and what type of verification was done because it doesn’t seem legit at all.
Eric
Did you try calling the number on the WHOIS for AS8003, or maybe HE’s NOC to follow up?
-jav
Contacted HE NOC earlier regarding these announcements, they are "legitimate".
Filip
I scratch it out to hiding in plain sight…
So this company (Global Resource Systems, LLC) was formed on 2020-10-13 and ARIN assigned AS8003 to them even earlier than it.
Here’s a simple timeline in case anyone want to have a check:
9/8/2020 GLOBAL RESOURCE SYSTEMS, LLC registered in Delaware
9/10/2020 Nameserver of grscorp.com was changed from AfterNIC (a website to sell premium / expired domains) to UltraDNS
9/11/2020 GLOBAL RESOURCE SYSTEMS, LLC (FL) registered their organization in ARIN
9/14/2020 GLOBAL RESOURCE SYSTEMS, LLC (FL) got AS8003 from ARIN
9/21/2020 MAINT-GRSL-AS8003 is registered in RADB
10/13/2020 GLOBAL RESOURCE SYSTEMS, LLC registered in Florida
Around 21/01/2021, AS8003 registered numerous route objects in RADB and started announcing DOD space.
In addition to AS8003, they also added AS95 to their AS-set and registered some objects under AS95.
Based on RIPEstats, Last seen of AS8003 before 2021 is around 2003.
And there’s another GLOBAL RESOURCE SYSTEMS, LLC in FL which has been inactive since 2013.
Siyuan -
If you have concerns, you can confirm whether these IP address blocks are being routed as intended by verification with their listed technical contacts - e.g. https://search.arin.net/rdap/?query=22.0.0.0
As I noted on this list several weeks back - “lack of routing history is not at all a reliable indicator of the potential for valid routing of a given IPv4 block in the future, so best practice suggest that allocated address space should not be blocked by others without specific cause. Doing otherwise opens one up to unexpected surprises when issued space suddenly becomes more active in routing and is yet is inexplicably unreachable for some destinations.”
Thanks!
/John
John Curran
President and CEO
American Registry for Internet Numbers
Hi John,
My biggest concern is why the AS8003 was assigned to the company (GLOBAL RESOURCE SYSTEMS, LLC) even before its existence.
When we were requesting resources or transfers, ARIN always asked us to provide a Certificate of Good Standing and we had to pay the state to order it.
However, it appears that a Certificate of Good Standing is not required or ARIN didn’t validate it in this case.
Regards,
Siyuan
Siyuan -
If you believe that number resources may have been fraudulently obtained from ARIN, you can report the potential issue here -
https://www.arin.net/reference/tools/fraud_report/
Thanks!
/John
John Curran
President and CEO
American Registry for Internet Numbers
My biggest concern is why the AS8003 was assigned to the company (GLOBAL RESOURCE SYSTEMS, LLC) even before its existence.
GRS LLC seems to have been around since 2006.
AS8003 was registered to them in Sep 2020:
ASNumber: 8003
ASName: GRS-DOD
ASHandle: AS8003
RegDate: 2020-09-14
Updated: 2020-09-14
Ref: https://rdap.arin.net/registry/autnum/8003
No doubt there is more information about the history of 8003 in WhoWas.
Nick
Hi Nick,
M06000001699 was closed in 2006 according to Sunbiz (FL’s official website):
The new GLOBAL RESOURCE SYSTEMS, LLC (M20000009226) was registered on 10/13/2020.
However, it appears that a Certificate of Good Standing is not required or ARIN didn’t validate it in this case.
You don’t know what ARIN did or did not do, or really anything about the circumstances surrounding this other than what is gleanable from public records. It’s not a good look to chuck rocks at them like this.
Mr. Curran has helpfully provided the link to report suspected fraud. That’s the best place to take this discussion.
According to the timeline posted to this list (by you, Siyuan), Globl Resource Systems, LLC was registered in Delaware on September 8, 2020.
Your timeline also shows the resources being issued to GRS by ARIN on September 11, september 14, 2020
It looks to me like they subsequently registered the corporation in Florida and moved the company address there.
I don’t see anything suspicious here based on your own statements, so I’m a bit confused what you are on about.
Owen
Owen,
I think one cause for concern is why “almost all DOD prefixes (7.0.0.0/8,11.0.0.0/8,22.0.0.0/8 and bunch of /22s) are now announced under AS8003 (GRSCORP) which was just formed a few months ago,” which, according to ARIN WHOIS, had a source registry of “DoD Network Information Center”.
I think it’s a general matter of public interest how this reassignment of a massive government-owned block of well over sixteen million IP addresses happened. Even if not fraudulent, the public has a right to know who is behind this huge transfer of wealth.
Don’t you?
-mel beckman
I also note that this reassignment isn’t reflected in ARIN’s Whois database.
-mel
I also note that this reassignment isn’t reflected in ARIN’s Whois database.
where is it reflected?
-mel
Owen,
I think one cause for concern is why “almost all DOD prefixes (7.0.0.0/8,11.0.0.0/8,22.0.0.0/8 and bunch of /22s) are now announced under AS8003 (GRSCORP) which was just formed a few months ago,” which, according to ARIN WHOIS, had a source registry of “DoD Network Information Center”.
I think it’s a general matter of public interest how this reassignment of a massive government-owned block of well over sixteen million IP addresses happened. Even if not fraudulent, the public has a right to know who is behind this huge transfer of wealth.
is it possible that the DoD:
1) signed a lRSA (or really just an RSA)
2) asked AS8003 to announce these prefixes (in certain sized blocks, maybe)
under normal actions that arin does all the time for people?
If these were /24's and not parts/whole of /8's would anyone have noticed?
it's entirely possible that 8003 is just a holding tank for the
prefixes while DoD/etc find a method to xfer the space to those that
may be willing to pay pesos per ip, right?
As I said, “DOD Network Information Center”:
-mel
As I said, “DOD Network Information Center”:
Source Registry ARIN Kind Org Full Name DoD Network Information Center Handle DNIC Address 3990 E. Broad Street Columbus OH 43218 United States Roles Registrant Last Changed Wed, 17 Aug 2011 14:45:37 GMT (Wed Aug 17 2011 local time) Self https://rdap.arin.net/registry/entity/DNIC Alternate https://whois.arin.net/rest/org/DNIC Port 43 Whois whois.arin.net
-mel
NetRange: 7.0.0.0 - 7.255.255.255
CIDR: 7.0.0.0/8
NetName: DISANET7
NetHandle: NET-7-0-0-0-1
Parent: ()
NetType: Direct Allocation
OriginAS:
Organization: DoD Network Information Center (DNIC)
RegDate: 1997-11-24
Updated: 2006-04-28
Ref: https://rdap.arin.net/registry/ip/7.0.0.0
OrgName: DoD Network Information Center
OrgId: DNIC
Address: 3990 E. Broad Street
City: Columbus
StateProv: OH
it seems to still say that...
This looks like any other sort of: "have my ISP announce my prefixes
because I can't bgp" (or whatever other reason)
Like any other announcement, except DOD and what looks suspiciously like a shell corporation. Either the DOD doesn’t know about it (and I’ve called DISA and opened a ticket), which is scary, or the DOD is creating a private shell corporation to move all it’s IP space out of government purview, which sounds even more scary.
-mel via cell
Mr. Beckman -
The number resources remain assigned to the DoD – please note that the routing of an IP address block does not make for the transfer of the resources, but rather is the normal activity that ISPs often provide to their customers. Questions about routing of an address block should be referred to the registrant organization in the ARIN database (which you indicate that you have already done), and they can elucidate to you as they determine most appropriate.
Thanks,
/John
John Curran
President and CEO
American Registry for Internet Numbers