To answer your questions for the list:
1. Originating ASN: AS209 (CenturyLink/Lumen)
2. Device State: The traffic was observed after a DFU reset with only native
factory applications present. No third-party apps, profiles, or VPNs were
installed.
3. Objective at Apple: Reaching Product Security (PSIRT) and Global NetOps to
identify why the system is bypassing native TLS for BoringSSL to reach these
specific endpoints.
4. Regarding the CDN/Cache hypothesis, this behavior is inconsistent with
standard Apple service delivery:
- AS27747 (INTERWEB-DAIREAUX) is a small, rural Argentine ISP with ~6k
subscribers. It is not a logical PoP or Apple Edge Cache (AEC) for a North
American client.
- Routing from Atlanta to a French infrastructure block and a Tier-3 Argentine
ISP violates standard BGP/Anycast optimization.
- Native services like Apple TV+ or iCloud use the native OS TLS stack. The use
of BoringSSL here confirms a non-standard implementation.
- The 02:00-03:30 local timing and low-bandwidth footprint suggest telemetry or
C2 check-ins rather than high-bandwidth content delivery.
- Joseph II
On Sunday, January 18th, 2026 at 5:56 PM, Ryan Hamel via NANOG
<[email protected]> wrote:
>
>
> Could you provide more information to go along with this? What exactly are
> you trying to reach at Apple, and the originating ASN/carrier where you are
> seeing this behavior? Depending on the service, it could be a cache box for
> Apple TV+, or something CDN related.
>
> Reformatting your email for readability.
>
> ---
>
>
> * Expected: Apple infrastructure (17.x.x.x)
> * Actual destinations:
>   - 109.1.2.1 (SFR France, INFRA-SBT, [email protected])
>   - 200.3.10.2 (INTERWEB-DAIREAUX Argentina, 200.3.10.0/23)
>   - 67.1.2.1 (CenturyLink)
>   - 184.0.0.13 (CenturyLink)
>   - 136.3.5.1 (AWS)
> * Pattern: TLS 1.3, 02:00-03:30 local, multiple clients. Geographic spread
>   makes no sense (EU + small Argentine ISP from US).
> * Possible C2/exfil. Worth checking your flows for 109.1.0.0/17 and
>   200.3.10.0/23 from non-EU/LACNIC sources.
>
> ---
>
> Ryan Hamel
>
> ________________________________
> From: Intergalactic Auditor via NANOG [email protected]
>
> Sent: Sunday, January 18, 2026 1:27 PM
> To: North American Network Operators Group [email protected]
>
> Cc: Intergalactic Auditor [email protected]
>
> Subject: Weird routing pattern - Atlanta device hitting Argentine ISP +
> unknown EU endpoint
>
>
> Hey NANOG,
>
> Seeing some odd routing from an Atlanta device that seems to lack logic to
> say the least. Thought I'd shed some light on it....
>
> Expected: Apple infrastructure (17.x.x.x) Actual destinations: - 109.1.2.1
> (SFR France, INFRA-SBT, [email protected]) - 200.3.10.2 (INTERWEB-DAIREAUX
> Argentina, 200.3.10.0/23) - 67.1.2.1 (CenturyLink) - 184.0.0.13 (CenturyLink)
> - 136.3.5.1 (AWS) Pattern: TLS 1.3, 02:00-03:30 local, multiple clients
> Geographic spread makes no sense (EU + small Argentine ISP from US). Possible
> C2/exfil. Worth checking your flows for 109.1.0.0/17 and 200.3.10.0/23 from
> non-EU/LACNIC sources. - Joseph II
> _______________________________________________
> NANOG mailing list
> https://lists.nanog.org/archives/list/[email protected]/message/SKY43646JXNAZVYN5ZRUV55II3SGWSVO/
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/[email protected]/message/4KY224AN5NRJBPBNHCCNUPOBLIN6DZ6N/
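
The flow check suggested in the thread ("checking your flows for 109.1.0.0/17 and 200.3.10.0/23", 02:00-03:30 local, multiple clients), written out as an added example that is not code from any poster. The CSV layout, the 10.0.0.x sources and every sample record are constructed, and timestamps are assumed to already be in the client's local time.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, time

# Prefixes and time window quoted in the thread.
WATCH_PREFIXES = [ipaddress.ip_network(p) for p in ("109.1.0.0/17", "200.3.10.0/23")]
WINDOW_START, WINDOW_END = time(2, 0), time(3, 30)

# Constructed sample records (assumed layout: local_time,src,dst,dst_port,bytes).
SAMPLE_FLOWS = """\
2026-01-17T02:14:09,10.0.0.21,109.1.2.1,443,1840
2026-01-17T02:47:31,10.0.0.34,200.3.10.2,443,2210
2026-01-17T14:05:00,10.0.0.21,17.253.144.10,443,98231
2026-01-17T15:20:44,10.0.0.21,109.1.2.1,443,1795
2026-01-17T03:10:02,10.0.0.40,109.1.200.7,443,1500
2026-01-18T02:20:00,10.0.0.34,109.1.2.1,443,1900
"""

def parse_flows(text):
    """Yield one dict per non-empty CSV line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.strip().split(",")
        yield {"ts": datetime.fromisoformat(ts), "src": src,
               "dst": ipaddress.ip_address(dst), "port": int(port), "bytes": int(nbytes)}

def triage(text):
    """Return (src, dst, prefix, in_window) for every flow into a watched prefix."""
    hits = []
    for flow in parse_flows(text):
        net = next((n for n in WATCH_PREFIXES if flow["dst"] in n), None)
        if net is None:
            continue  # e.g. 109.1.200.7 falls in 109.1.128.0/17, outside the watched /17
        in_window = WINDOW_START <= flow["ts"].time() <= WINDOW_END
        hits.append((flow["src"], str(flow["dst"]), str(net), in_window))
    return hits

def clients_in_window(hits):
    """Distinct internal sources per watched prefix, counting in-window flows only."""
    by_prefix = defaultdict(set)
    for src, _dst, net, in_window in hits:
        if in_window:
            by_prefix[net].add(src)
    return {net: sorted(srcs) for net, srcs in by_prefix.items()}

if __name__ == "__main__":
    for hit in triage(SAMPLE_FLOWS):
        print(hit)
    print(clients_in_window(triage(SAMPLE_FLOWS)))
```

A prefix that shows several distinct sources only inside the window is the pattern the thread describes; a match outside the window (the 15:20 record) is still listed by `triage` so it can be reviewed separately.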