nanog mailing list archives
Re: Weird routing pattern - Atlanta device hitting Argentine ISP + unknown EU endpoint
From: Intergalactic Auditor via NANOG <nanog () lists nanog org>
Date: Sun, 18 Jan 2026 23:08:42 +0000
To answer your questions for the list:
1. Originating ASN: AS209 (CenturyLink/Lumen)
2. Device State: The traffic was observed after a DFU reset with only native factory applications present. No
third-party apps, profiles, or VPNs were installed.
3. Objective at Apple: Reaching Product Security (PSIRT) and Global NetOps to identify why the system is bypassing
native TLS for BoringSSL to reach these specific endpoints.
4. Regarding the CDN/Cache hypothesis, this behavior is inconsistent with standard Apple service delivery:
- AS27747 (INTERWEB-DAIREAUX) is a small, rural Argentine ISP with ~6k subscribers. It is not a logical PoP or Apple
Edge Cache (AEC) for a North American client.
- Routing from Atlanta to a French infrastructure block and a Tier-3 Argentine ISP violates standard BGP/Anycast
optimization.
- Native services like Apple TV+ or iCloud use the native OS TLS stack. The use of BoringSSL here confirms a
non-standard implementation.
- The 02:00-03:30 local timing and low-bandwidth footprint suggest telemetry or C2 check-ins rather than high-bandwidth
content delivery.
- Joseph II
On Sunday, January 18th, 2026 at 5:56 PM, Ryan Hamel via NANOG <nanog () lists nanog org> wrote:
Could you provide more information to go along with this? What exactly are you trying to reach at Apple, and the originating ASN/carrier where you are seeing this behavior? Depending on the service, it could be a cache box for Apple TV+, or something CDN related.

Reformatting your email for readability.

---
* Expected: Apple infrastructure (17.x.x.x)
* Actual destinations:
  - 109.1.2.1 (SFR France, INFRA-SBT, abuse () gaoland net)
  - 200.3.10.2 (INTERWEB-DAIREAUX Argentina, 200.3.10.0/23)
  - 67.1.2.1 (CenturyLink)
  - 184.0.0.13 (CenturyLink)
  - 136.3.5.1 (AWS)
* Pattern: TLS 1.3, 02:00-03:30 local, multiple clients
  Geographic spread makes no sense (EU + small Argentine ISP from US).
* Possible C2/exfil. Worth checking your flows for 109.1.0.0/17 and 200.3.10.0/23 from non-EU/LACNIC sources.
---

Ryan Hamel
________________________________
From: Intergalactic Auditor via NANOG nanog () lists nanog org
Sent: Sunday, January 18, 2026 1:27 PM
To: North American Network Operators Group nanog () lists nanog org
Cc: Intergalactic Auditor fr0mTheCloud () proton me
Subject: Weird routing pattern - Atlanta device hitting Argentine ISP + unknown EU endpoint

Hey NANOG,

Seeing some odd routing from an Atlanta device that seems to lack logic to say the least. Thought I'd shed some light on it....

Expected: Apple infrastructure (17.x.x.x)
Actual destinations:
- 109.1.2.1 (SFR France, INFRA-SBT, abuse () gaoland net)
- 200.3.10.2 (INTERWEB-DAIREAUX Argentina, 200.3.10.0/23)
- 67.1.2.1 (CenturyLink)
- 184.0.0.13 (CenturyLink)
- 136.3.5.1 (AWS)

Pattern: TLS 1.3, 02:00-03:30 local, multiple clients
Geographic spread makes no sense (EU + small Argentine ISP from US).
Possible C2/exfil. Worth checking your flows for 109.1.0.0/17 and 200.3.10.0/23 from non-EU/LACNIC sources.

- Joseph II
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/SKY43646JXNAZVYN5ZRUV55II3SGWSVO/
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/QCGNZVUWA6ARYNP7O4DWCDU3W6P3GLVA/
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/4KY224AN5NRJBPBNHCCNUPOBLIN6DZ6N/
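The flow check suggested in the thread ("checking your flows for 109.1.0.0/17 and 200.3.10.0/23"), sketched as an added example that is not part of any poster's message. The CSV layout, the function names and the sample rows are assumptions made here; timestamps are assumed to be client-local already, and every source is assumed to be one of the operator's own North American clients.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, time

# Prefixes and local-time window quoted in the thread.
WATCH = [ipaddress.ip_network(p) for p in ("109.1.0.0/17", "200.3.10.0/23")]
WINDOW = (time(2, 0), time(3, 30))

# Constructed sample flow export (not real data). Sources use the
# documentation range 192.0.2.0/24; the CSV columns are hypothetical.
SAMPLE_FLOWS = """ts,src,dst,dport,bytes
2026-01-18T02:14:07,192.0.2.10,109.1.2.1,443,1840
2026-01-18T02:47:31,192.0.2.10,200.3.10.2,443,2112
2026-01-18T03:05:12,192.0.2.44,200.3.10.2,443,1990
2026-01-18T14:20:00,192.0.2.44,109.1.2.1,443,950
2026-01-18T02:30:00,192.0.2.10,17.253.1.1,443,88000
2026-01-18T03:10:00,192.0.2.77,109.1.200.9,443,700
"""

def match_flows(text):
    """Return flows whose destination lies in a watched prefix, tagged in_window."""
    hits = []
    for row in csv.DictReader(io.StringIO(text)):
        dst = ipaddress.ip_address(row["dst"])
        prefix = next((n for n in WATCH if dst in n), None)
        if prefix is None:
            continue  # e.g. 109.1.200.9 is outside 109.1.0.0/17
        t = datetime.fromisoformat(row["ts"]).time()
        hits.append({**row, "prefix": str(prefix),
                     "in_window": WINDOW[0] <= t <= WINDOW[1]})
    return hits

def summarize(hits):
    """Per source: watched prefixes contacted inside the window, flow and byte totals."""
    out = defaultdict(lambda: {"prefixes": set(), "flows": 0, "bytes": 0})
    for h in hits:
        if h["in_window"]:
            s = out[h["src"]]
            s["prefixes"].add(h["prefix"])
            s["flows"] += 1
            s["bytes"] += int(h["bytes"])
    return dict(out)

if __name__ == "__main__":
    for src, s in summarize(match_flows(SAMPLE_FLOWS)).items():
        print(src, sorted(s["prefixes"]), s["flows"], "flows", s["bytes"], "bytes")
```

A source that reaches both prefixes inside the window with only a few kilobytes is the pattern the original post describes; a match on its own only marks a flow for closer inspection.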
