nanog mailing list archives
Re: Weird routing pattern - Atlanta device hitting Argentine ISP + unknown EU endpoint
From: Ryan Hamel via NANOG <nanog () lists nanog org>
Date: Sun, 18 Jan 2026 22:55:34 +0000
Could you provide more information to go along with this? What exactly are you trying to reach at Apple, and the originating ASN/carrier where you are seeing this behavior? Depending on the service, it could be a cache box for Apple TV+, or something CDN related.

Reformatting your email for readability.

---
Expected: Apple infrastructure (17.x.x.x)

Actual destinations:

- 109.1.2.1 (SFR France, INFRA-SBT, abuse () gaoland net)
- 200.3.10.2 (INTERWEB-DAIREAUX Argentina, 200.3.10.0/23)
- 67.1.2.1 (CenturyLink)
- 184.0.0.13 (CenturyLink)
- 136.3.5.1 (AWS)

Pattern: TLS 1.3, 02:00-03:30 local, multiple clients

Geographic spread makes no sense (EU + small Argentine ISP from US).

Possible C2/exfil. Worth checking your flows for 109.1.0.0/17 and 200.3.10.0/23 from non-EU/LACNIC sources.
---

Ryan Hamel

________________________________
From: Intergalactic Auditor via NANOG <nanog () lists nanog org>
Sent: Sunday, January 18, 2026 1:27 PM
To: North American Network Operators Group <nanog () lists nanog org>
Cc: Intergalactic Auditor <fr0mTheCloud () proton me>
Subject: Weird routing pattern - Atlanta device hitting Argentine ISP + unknown EU endpoint

Caution: This is an external email and may be malicious. Please take care when clicking links or opening attachments.

Hey NANOG,

Seeing some odd routing from an Atlanta device that seems to lack logic to say the least. Thought I'd shed some light on it....

Expected: Apple infrastructure (17.x.x.x)

Actual destinations:
- 109.1.2.1 (SFR France, INFRA-SBT, abuse () gaoland net)
- 200.3.10.2 (INTERWEB-DAIREAUX Argentina, 200.3.10.0/23)
- 67.1.2.1 (CenturyLink)
- 184.0.0.13 (CenturyLink)
- 136.3.5.1 (AWS)

Pattern: TLS 1.3, 02:00-03:30 local, multiple clients

Geographic spread makes no sense (EU + small Argentine ISP from US).

Possible C2/exfil. Worth checking your flows for 109.1.0.0/17 and 200.3.10.0/23 from non-EU/LACNIC sources.

- Joseph II
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/SKY43646JXNAZVYN5ZRUV55II3SGWSVO/
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/QCGNZVUWA6ARYNP7O4DWCDU3W6P3GLVA/
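The flow check suggested in the thread, sketched as an added example that is not part of the original messages: it matches flow destinations against the two quoted prefixes and splits the hits by whether they fall in the 02:00-03:30 window, so per-client counts inside and outside the window can be compared. The CSV layout, field names, local-time timestamps and every sample record are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Prefixes and time window quoted in the thread.
WATCH_PREFIXES = [ip_network("109.1.0.0/17"), ip_network("200.3.10.0/23")]
WINDOW_START, WINDOW_END = time(2, 0), time(3, 30)

# Constructed sample flow export (not real traffic). Timestamps are assumed
# to already be in the site's local time; sources use RFC 1918 space.
SAMPLE_FLOWS = """ts,src,dst,dport
2026-01-18T02:14:09,10.20.0.11,109.1.2.1,443
2026-01-18T02:47:30,10.20.0.12,109.1.2.1,443
2026-01-18T03:05:51,10.20.0.11,200.3.10.2,443
2026-01-18T03:45:00,10.20.0.13,200.3.10.2,443
2026-01-18T14:02:10,10.20.0.14,109.1.2.1,443
2026-01-18T02:20:00,10.20.0.15,17.253.0.1,443
"""

def watched_prefix(dst):
    """Return the watched prefix containing dst, or None."""
    addr = ip_address(dst)
    return next((n for n in WATCH_PREFIXES if addr in n), None)

def summarize(flow_csv):
    """Map each watched prefix to per-client hit counts, split by window."""
    report = defaultdict(lambda: {"in_window": defaultdict(int),
                                  "outside": defaultdict(int)})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        net = watched_prefix(row["dst"])
        if net is None:
            continue  # destination is not in a prefix of interest
        t = datetime.fromisoformat(row["ts"]).time()
        bucket = "in_window" if WINDOW_START <= t <= WINDOW_END else "outside"
        report[str(net)][bucket][row["src"]] += 1
    return report

if __name__ == "__main__":
    for net, buckets in summarize(SAMPLE_FLOWS).items():
        for bucket, clients in buckets.items():
            print(net, bucket, dict(clients))
```

Hits that also appear outside the window, or from a single client only, do not match the pattern described in the thread and point toward ordinary traffic rather than a scheduled job.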
Current thread:
- Weird routing pattern - Atlanta device hitting Argentine ISP + unknown EU endpoint Intergalactic Auditor via NANOG (Jan 18)
- Re: Weird routing pattern - Atlanta device hitting Argentine ISP + unknown EU endpoint Ryan Hamel via NANOG (Jan 18)
- Re: Weird routing pattern - Atlanta device hitting Argentine ISP + unknown EU endpoint Ryan Hamel via NANOG (Jan 18)
- Re: Weird routing pattern - Atlanta device hitting Argentine ISP + unknown EU endpoint Intergalactic Auditor via NANOG (Jan 18)
- Re: Weird routing pattern - Atlanta device hitting Argentine ISP + unknown EU endpoint Ryan Hamel via NANOG (Jan 18)
