Hey NANOG, Seeing some odd routing from an Atlanta device that seems to lack logic to say the least. Thought I'd shed some light on it....
Expected: Apple infrastructure (17.x.x.x) Actual destinations: - 109.1.2.1 (SFR France, INFRA-SBT, [email protected]) - 200.3.10.2 (INTERWEB-DAIREAUX Argentina, 200.3.10.0/23) - 67.1.2.1 (CenturyLink) - 184.0.0.13 (CenturyLink) - 136.3.5.1 (AWS) Pattern: TLS 1.3, 02:00-03:30 local, multiple clients Geographic spread makes no sense (EU + small Argentine ISP from US). Possible C2/exfil. Worth checking your flows for 109.1.0.0/17 and 200.3.10.0/23 from non-EU/LACNIC sources. - Joseph II _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/[email protected]/message/SKY43646JXNAZVYN5ZRUV55II3SGWSVO/
