Navigating the Digital Storm

AS22769 (DDOSING NETWORK) is no longer a fraudulent ASN


AS22769, formerly known as “DDOSING NETWORK” and “DDOSING-BGP-NETWORK,” is now back in the global routing table as a legitimate organization: Valley Strong Credit Union. This is due to ARIN reclaiming the autonomous system number (ASN) and re-issuing it, per their Return and Revocation Process for internet number resources.

 

Previously, AS22769 was a fraudulent autonomous system that originated thousands of IPv4 addresses between 2018 and 2022. Despite a fraud report being filed with ARIN in 2018, AS22769 was allowed to pollute the internet with various forms of cybercrime (malware hosting, DDoS botnet command-and-control servers, phishing sites, exploit activity, etc.) for years.

 

Over time, the Whois record for AS22769 reported two different fake street addresses and a non-functioning phone number:

282 W. 1st St.
LA CA 90012

999 alkn unit #1999
rolande CA 99888

+1-909-878-9999

Point of Contact: Tom Jack

 

The legitimacy of the IPv4 space originated by AS22769 was highly suspect. Additionally, AS22769 originated bogon prefixes (unassigned IP space). Regardless, ARIN's opinion at the time was that “routing a bogon by itself is not a cardinal sin” and that they “leave routing to network operators.”

 

In August 2019, a request for comment from ARIN CEO John Curran was forwarded to another employee, who advised that AS22769 (known as DDoSing Network) was “[not] eligible to receive additional number resources from ARIN until their [fake] information has been updated.”

 

Despite this, AS22769 shortly thereafter started announcing new, previously unseen, IPv4 space:

  • 154.83.29.0/24
  • 154.90.1.0/24
  • 154.95.1.0/24

 

At the time, these netblocks were registered to an organization called Cloud Innovation. Owner Lu Heng was asked if AS22769 was authorized to route the prefixes, and his associate, Tingting Xu, confirmed that AS22769 was indeed authorized. After this reassurance, AS22769 and all announced prefixes remained in the global routing table until its mysterious demise in February 2022.

 

[Figure: AS22769 routing history. Generated by: RIPEstat]

 

So what happened to all the IPv4 space announced by AS22769?

 

Luckily, a copy of the netblocks (BGP prefixes) announced by AS22769 in 2018 was archived here. Historical global routing data is also available via RIPEstat.

 

Let’s use BGP.Tools and find out who routes those netblocks today:

 

| Prefix | Current ASN |
|---|---|
| 14.192.4.0/24 | None* |
| 14.192.5.0/24 | None* |
| 14.192.6.0/24 | None* |
| 14.192.7.0/24 | None* |
| 43.224.224.0/24 | None** |
| 43.224.225.0/24 | None** |
| 43.224.226.0/24 | None** |
| 43.224.227.0/24 | None** |
| 103.116.46.0/24 | AS135542 |
| 103.200.33.0/24 | AS133334 |
| 154.95.1.0/24 | None*** |
| 223.130.8.0/24 | None |
| 223.130.9.0/24 | None |
| 223.130.10.0/24 | None |
| 223.130.11.0/24 | None |

+ 288 more prefixes (coming soon)

 

* APNIC RIR allocation found for less specific prefix 14.192.4.0/22

** APNIC RIR allocation found for less specific prefix 43.224.224.0/22

*** Less specific 154.95.0.0/23 announced by AS9009. Less specific 154.95.0.0/17 and 154.92.0.0/14 announced by AS35916.
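
The footnotes distinguish a prefix with no exact-match route from one that is still reachable through a less-specific announcement. The following added example (not the author's code) makes that check mechanical; the snapshot is constructed from the table and footnotes above, and the names `SNAPSHOT`, `HISTORIC` and `classify` are hypothetical.

```python
import ipaddress

# Constructed snapshot (prefix -> origin ASN), taken only from the table and
# footnotes on this page. A real audit would load a current BGP table dump.
SNAPSHOT = {
    "103.116.46.0/24": 135542,
    "103.200.33.0/24": 133334,
    "154.95.0.0/23": 9009,
    "154.95.0.0/17": 35916,
    "154.92.0.0/14": 35916,
}

# A few of the prefixes AS22769 announced, as listed in the table above.
HISTORIC = ["14.192.4.0/24", "103.116.46.0/24", "154.95.1.0/24", "223.130.8.0/24"]


def classify(prefix, snapshot=SNAPSHOT):
    """Report the exact-match origin and any covering less-specific routes."""
    net = ipaddress.ip_network(prefix)
    table = {ipaddress.ip_network(p): asn for p, asn in snapshot.items()}
    exact = table.get(net)
    # Less-specifics that contain the prefix, most specific first. This is
    # the order longest-prefix-match forwarding would prefer them in.
    covering = sorted(
        ((p, asn) for p, asn in table.items()
         if p.version == net.version and p != net and net.subnet_of(p)),
        key=lambda item: item[0].prefixlen,
        reverse=True,
    )
    return {
        "prefix": prefix,
        "exact_origin": exact,
        "covering": [(str(p), asn) for p, asn in covering],
        # No exact route does not mean unreachable if a less-specific exists.
        "reachable": exact is not None or bool(covering),
    }


if __name__ == "__main__":
    for p in HISTORIC:
        r = classify(p)
        print(r["prefix"], r["exact_origin"], r["covering"], r["reachable"])
```

An RIR allocation for a less-specific block (the * and ** footnotes) is a registry fact, not a route, so those prefixes correctly show as unreachable in this snapshot.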

 

In summary – AS22769 is now assigned to, and operated by, a legitimate organization. You should not include AS22769 in your routing blocklist.
