In a surprising move, European IP regulator RIPE NCC has made available two of the IP blocks seized by the FBI and the Internet Systems Consortium during the DNS Changer incident last month.
From November 2011 until July 2012, these IP ranges used by DNS Changer were controlled by the FBI under a US court order, to prevent a blackout for the infected PCs. After the court order expired, the ranges were quarantined, but they're now back in business with new owners.
According to the news item published on the RIPE web page, the two network blocks (18.104.22.168/21 and 85.255.112/20) have been reallocated despite concerns expressed by the industry.
“The address space was quarantined for six weeks before being returned to the RIPE NCC’s available pool of IPv4 address space. It was then randomly reallocated to a new resource holder according to normal allocation procedures,” reads the note on the RIPE NCC page.
The random allocation assigned the two network blocks to computer consultancy firm Inevo (85.255.112/20) in Romania and webhosting provider Aurimas Rapalis / II Hosting Media (22.214.171.124/21) in Lithuania. The re-introduction of these IP ranges six weeks after they were quarantined can hardly be regarded as “standard procedure” and might carry risks for the new owners.
For instance, all the computers that are still infected with DNS Changer will attempt to call back to these IPs, which will likely result in the new owners' servers getting hammered with millions of requests on port 53 that they were not designed to serve.
This isn’t the only problem the new owners will have to face: most networks have been instructed to disregard (“drop”) traffic originating from these IP blocks because it was known to be malicious. This will lead to routing issues, as some peer networks will still drop the traffic, even if it is now legit.
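The two operational consequences described above can be checked from a network operator's side. The following is an added example, not part of the original article: it finds internal hosts still sending port 53 traffic into the reallocated range and lists drop rules that still cover it. It uses only the 85.255.112/20 block, written in full as 85.255.112.0/20; the flow-record and ACL line formats and all sample data are constructed for illustration.

```python
import ipaddress

# The article's "85.255.112/20", written in full dotted form (assumption:
# the shorthand omits the trailing zero octet).
REALLOCATED = [ipaddress.ip_network("85.255.112.0/20")]

# Constructed sample data. Flow format: "src dst dport". ACL format: "action prefix".
SAMPLE_FLOWS = """\
10.0.4.17 85.255.113.9 53
10.0.4.17 85.255.113.9 53
10.0.9.200 85.255.120.44 53
10.0.2.5 192.0.2.53 53
10.0.7.31 85.255.114.80 443
"""
SAMPLE_ACL = """\
drop 85.255.112.0/20
drop 85.255.0.0/16
drop 203.0.113.0/24
permit 85.255.112.0/20
"""

def in_reallocated(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in REALLOCATED)

def hosts_still_calling_back(flow_text):
    """Count port-53 flows per internal source into the former rogue-DNS range."""
    counts = {}
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records
        src, dst, dport = parts
        if dport == "53" and in_reallocated(dst):
            counts[src] = counts.get(src, 0) + 1
    return counts

def stale_drop_rules(acl_text):
    """Return drop rules whose prefix overlaps the reallocated space,
    including wider covering prefixes that would be easy to miss."""
    stale = []
    for line in acl_text.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0] != "drop":
            continue
        net = ipaddress.ip_network(parts[1], strict=False)
        if any(net.overlaps(r) for r in REALLOCATED):
            stale.append(str(net))
    return stale
```

Hosts returned by `hosts_still_calling_back` are candidates for DNS Changer cleanup, and rules returned by `stale_drop_rules` are the ones to review now that the space has a new holder.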