Beware! DNS Changer IP Blocks are re-allocated and advertised!

(Last Updated On: February 7, 2018)

DNS Changer Update

As of Friday morning (August 10, 2012), the IP address blocks used by the DNS Changer –  Rove Digital criminal operations have been re-allocated by RIPE-NCC and advertised to the Internet:

As a reminder, the Rove Digital/DNS Changer Crew used the following IP address blocks for their nefarious activities:

From November 9th, 2011  until July 9th, 2012, the DNS Changer Working Group with the FBI hosted clean DNS servers to help victims clean up their systems. On July 9th, 2012, these servers were shut down and the IP blocks were removed from the global routing table.

It was assumed that these blocks would remain in limbo until all the court proceedings were completed. The “assumption” was not correct. Alarms that many service providers and security professionals put in place to watch for miscreant “hijacking” of these IP address block were triggered early on Friday. What was a surprise was that these blocks were not “hijacked,” but re-allocated. was previously Promnet Ltd but has now been reallocated to INEVO-NET (see was was previously Promnet Ltd but has now been reallocated to LT-HOSTING

Of course this could be a false alarm. When you take the existing INEVO-Net block and look for miscreant activities, we find the following:

While not a detailed analysis of AS 56831’s cleanliness, the quick check calms some fears. Still until all the details are in, operators should treat the network with suspicion.

Why is this a problem?

DNS Changer was not the only malicious activities inside these Netfblocks. Who ever controls these netblocks can hijack computers that are still infected with DNS Changer and other malware. The way these netblocks are reallocated and surprise at the speed of the reallocation exacerbates the concern. This move by RIPE surprised many in the security industry, law enforcement, and participants of the DCWG. Given the surprise, network operators should be very cautious with any traffic to/from these netblocks.

What should you do to protect your network and your customers?

First, monitor traffic to and from these netblocks. If you do not have the resources, then consider filtering all traffic to and from these netblocks until you receive the all clear.

How would you filter


Complements and Kudos to my peers in several security groups who had the alarms set up and watching for any chances to the DNS Changer netblocks. It is hard to hide on the Internet. 🙂


Need Security Advice?

If you find your organization needs help and worry about the FUD from the industry, reach out and ask for help. You can reach me at Start with the Operator’s Security Toolkit. It is the no-nonsense security for all Operators. It provides details to help them build more security resilient networks. In the meantime, stay connected to the Senki Community to get updates on new empowerment and security insights.