Weird routing pattern - Atlanta device hitting Argentine ISP + unknown EU endpoint
Hey NANOG,

Seeing some odd routing from an Atlanta device that seems to lack logic to say the least. Thought I'd shed some light on it....

Expected: Apple infrastructure (17.x.x.x)

Actual destinations:
- 109.1.2.1 (SFR France, INFRA-SBT, abuse@gaoland.net)
- 200.3.10.2 (INTERWEB-DAIREAUX Argentina, 200.3.10.0/23)
- 67.1.2.1 (CenturyLink)
- 184.0.0.13 (CenturyLink)
- 136.3.5.1 (AWS)

Pattern: TLS 1.3, 02:00-03:30 local, multiple clients
Geographic spread makes no sense (EU + small Argentine ISP from US).

Possible C2/exfil. Worth checking your flows for 109.1.0.0/17 and 200.3.10.0/23 from non-EU/LACNIC sources.

- Joseph II
Could you provide more information to go along with this? What exactly are you trying to reach at Apple, and the originating ASN/carrier where you are seeing this behavior? Depending on the service, it could be a cache box for Apple TV+, or something CDN related.

Reformatting your email for readability.

---
* Expected: Apple infrastructure (17.x.x.x)

* Actual destinations:
  - 109.1.2.1 (SFR France, INFRA-SBT, abuse@gaoland.net)
  - 200.3.10.2 (INTERWEB-DAIREAUX Argentina, 200.3.10.0/23)
  - 67.1.2.1 (CenturyLink)
  - 184.0.0.13 (CenturyLink)
  - 136.3.5.1 (AWS)

* Pattern: TLS 1.3, 02:00-03:30 local, multiple clients
  Geographic spread makes no sense (EU + small Argentine ISP from US).

* Possible C2/exfil. Worth checking your flows for 109.1.0.0/17 and 200.3.10.0/23 from non-EU/LACNIC sources.
---

Ryan Hamel

________________________________
From: Intergalactic Auditor via NANOG <nanog@lists.nanog.org>
Sent: Sunday, January 18, 2026 1:27 PM
To: North American Network Operators Group <nanog@lists.nanog.org>
Cc: Intergalactic Auditor <fr0mTheCloud@proton.me>
Subject: Weird routing pattern - Atlanta device hitting Argentine ISP + unknown EU endpoint

[...]

_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/SKY43646JXNAZVYN5ZRUV55II3SGWSVO/
Looks like ">" quoting in Outlook has other plans when converted to plain text. Sorry about that folks.

Ryan Hamel

________________________________
From: Ryan Hamel via NANOG <nanog@lists.nanog.org>
Sent: Sunday, January 18, 2026 2:55 PM
To: North American Network Operators Group <nanog@lists.nanog.org>
Cc: Intergalactic Auditor <fr0mTheCloud@proton.me>; Ryan Hamel <ryan@rkhtech.org>
Subject: Re: Weird routing pattern - Atlanta device hitting Argentine ISP + unknown EU endpoint

[...]

_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/QCGNZVUWA6ARYNP7O4DWCDU3W6P3GLVA/
To answer your questions for the list:

1. Originating ASN: AS209 (CenturyLink/Lumen)

2. Device State: The traffic was observed after a DFU reset with only native factory applications present. No third-party apps, profiles, or VPNs were installed.

3. Objective at Apple: Reaching Product Security (PSIRT) and Global NetOps to identify why the system is bypassing native TLS for BoringSSL to reach these specific endpoints.

4. Regarding the CDN/Cache hypothesis, this behavior is inconsistent with standard Apple service delivery:
   - AS27747 (INTERWEB-DAIREAUX) is a small, rural Argentine ISP with ~6k subscribers. It is not a logical PoP or Apple Edge Cache (AEC) for a North American client.
   - Routing from Atlanta to a French infrastructure block and a Tier-3 Argentine ISP violates standard BGP/Anycast optimization.
   - Native services like Apple TV+ or iCloud use the native OS TLS stack. The use of BoringSSL here confirms a non-standard implementation.
   - The 02:00-03:30 local timing and low-bandwidth footprint suggest telemetry or C2 check-ins rather than high-bandwidth content delivery.

- Joseph II

On Sunday, January 18th, 2026 at 5:56 PM, Ryan Hamel via NANOG <nanog@lists.nanog.org> wrote:
> Could you provide more information to go along with this? What exactly are you trying to reach at Apple, and the originating ASN/carrier where you are seeing this behavior? Depending on the service, it could be a cache box for Apple TV+, or something CDN related.
>
> [...]
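Added example, not part of the thread and not code from either poster: a small Python script for the check Joseph asks for in both of his messages, flows into 109.1.0.0/17 and 200.3.10.0/23 from sources outside the EU/LACNIC registries, with the reported 02:00-03:30 local window used as a triage flag and the "multiple clients" point checked by counting distinct sources. Everything beyond the two prefixes and the time window is an assumption: the flow records are constructed nfdump-style CSV lines with columns ts,src,dst,dport,bytes (timestamps taken to be local time), and the source-to-registry table is a stand-in built on RFC 5737 documentation ranges, which in practice you would replace with the RIR delegated-extended files or your own peer/customer table.

```python
import csv
import ipaddress
from datetime import datetime
from io import StringIO

# Destination prefixes named in the thread.
WATCH_PREFIXES = [ipaddress.ip_network(p) for p in ("109.1.0.0/17", "200.3.10.0/23")]

# The local-time window reported in the thread, as minutes after midnight.
WINDOW_START_MIN = 2 * 60          # 02:00
WINDOW_END_MIN = 3 * 60 + 30       # 03:30

# Sources in these registries are the ones you would expect to talk to an
# SFR block or a small Argentine ISP; anything else is worth a closer look.
EXPECTED_REGISTRIES = {"ripencc", "lacnic"}

# Constructed stand-in for an RIR lookup table (assumption, not data from the
# thread). RFC 5737 documentation ranges are used so nothing here is a claim
# about real allocations; load the RIR delegated-extended files in production.
SOURCE_REGISTRY = [
    (ipaddress.ip_network("198.51.100.0/24"), "arin"),
    (ipaddress.ip_network("192.0.2.0/24"), "ripencc"),
    (ipaddress.ip_network("203.0.113.0/24"), "lacnic"),
]


def registry_of(ip_text):
    """Return the registry label for a source address, or 'unknown'."""
    ip = ipaddress.ip_address(ip_text)
    for net, label in SOURCE_REGISTRY:
        if ip in net:
            return label
    return "unknown"


def watched_prefix(ip_text):
    """Return the watch prefix containing the destination, or None."""
    ip = ipaddress.ip_address(ip_text)
    for net in WATCH_PREFIXES:
        if ip in net:
            return net
    return None


def in_window(ts_text):
    """True if the (local-time) ISO timestamp falls inside 02:00-03:30."""
    ts = datetime.fromisoformat(ts_text)
    minute = ts.hour * 60 + ts.minute
    return WINDOW_START_MIN <= minute <= WINDOW_END_MIN


def suspicious_flows(flow_csv):
    """Flag flows into a watched prefix from a source outside the expected registries.

    Input is CSV text with columns ts,src,dst,dport,bytes (ts in local time).
    Every hit is returned; `within_window` marks the ones that also match the
    reported overnight timing, for triage rather than as a filter.
    """
    hits = []
    for row in csv.DictReader(StringIO(flow_csv)):
        prefix = watched_prefix(row["dst"])
        if prefix is None:
            continue
        registry = registry_of(row["src"])
        if registry in EXPECTED_REGISTRIES:
            continue
        hits.append({
            "ts": row["ts"],
            "src": row["src"],
            "src_registry": registry,
            "dst": row["dst"],
            "prefix": str(prefix),
            "dport": int(row["dport"]),
            "bytes": int(row["bytes"]),
            "within_window": in_window(row["ts"]),
        })
    return hits


def summarize(hits):
    """Count hits, distinct sources and in-window hits, the things the thread keys on."""
    return {
        "hits": len(hits),
        "distinct_sources": len({h["src"] for h in hits}),
        "in_window": sum(1 for h in hits if h["within_window"]),
    }


# Constructed sample records (not real flow data); sources use RFC 5737 ranges.
SAMPLE_FLOWS = """ts,src,dst,dport,bytes
2026-01-18T02:14:05,198.51.100.7,109.1.2.1,443,1840
2026-01-18T02:51:30,198.51.100.9,200.3.10.2,443,920
2026-01-18T14:03:11,198.51.100.7,109.1.2.1,443,1300
2026-01-18T02:20:00,192.0.2.44,109.1.2.1,443,5000
2026-01-18T02:30:00,198.51.100.7,17.0.0.1,443,4096
"""

if __name__ == "__main__":
    found = suspicious_flows(SAMPLE_FLOWS)
    for hit in found:
        print(hit)
    print(summarize(found))
```

On the constructed sample this flags the three flows from the non-expected source into the two prefixes (two of them inside the overnight window, from two distinct clients), skips the flow whose source is in RIPE space, and ignores the flow to the 17/8 destination. The time window is deliberately not used as a filter: a beacon that drifts out of its usual hour should still show up in the hit list.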
participants (2)
- Intergalactic Auditor
- Ryan Hamel