Because spammers can’t easily obtain new IP addresses through legitimate means, they frequently resort to stealing IP address blocks that are dormant and aren’t being used by their rightful owners. There is a thriving black market in IP addresses; spammers don’t care whether the source of their IP addresses is legitimate or even legal. A cybercriminal who can steal a large IP address block (for example, a /16, or 65,536 IP addresses) can generate thousands of dollars per month.
Using the Turk Telekom looking glass, we can see that AS9121 (Turk Telekom) has specific /32 routes for these IP addresses. Since a /32 is the most specific route possible for an IPv4 address, longest-prefix matching means this route will always be selected, and the result is that traffic for these IP addresses is sent along the new bogus route.
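The route selection described above, together with a check a monitoring system could run for it, is shown here as an added example that is not part of the original page. The prefix 192.0.2.0/24 and the ASNs 64500 and 64496 are constructed documentation values standing in for the real addresses, which the text does not list; only AS9121 comes from the text.

```python
import ipaddress

# Constructed sample data (assumption): documentation prefix and ASNs,
# not the addresses involved in the incident. AS9121 is named in the text.
EXPECTED_ORIGIN = {ipaddress.ip_network("192.0.2.0/24"): 64500}

RIB = [
    (ipaddress.ip_network("192.0.2.0/24"), 64500),   # legitimate covering prefix
    (ipaddress.ip_network("192.0.2.53/32"), 9121),   # bogus host route
    (ipaddress.ip_network("0.0.0.0/0"), 64496),      # default route
]

def best_route(rib, dst):
    """Longest-prefix match: of all routes containing dst, pick the longest mask."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, asn) for net, asn in rib if addr in net]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def suspicious_more_specifics(rib, expected):
    """Flag routes strictly inside an expected prefix whose origin AS differs."""
    alerts = []
    for net, asn in rib:
        for cover, origin in expected.items():
            if net != cover and net.subnet_of(cover) and asn != origin:
                alerts.append((str(net), asn, str(cover), origin))
    return alerts

if __name__ == "__main__":
    for dst in ("192.0.2.53", "192.0.2.54"):
        net, asn = best_route(RIB, dst)
        print(f"{dst} -> {net} via AS{asn}")
    for net, asn, cover, origin in suspicious_more_specifics(RIB, EXPECTED_ORIGIN):
        print(f"ALERT {net} from AS{asn}; {cover} belongs to AS{origin}")
```

Only the address covered by the /32 is diverted; its neighbour in the same /24 still follows the legitimate route, which is why a per-prefix origin check catches what a reachability test on the covering block would miss.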
Starting at 10:26 UTC (12:26pm in Damascus), Syria’s international Internet connectivity shut down. In the global routing table, all 84 of Syria’s IP address blocks have become unreachable, effectively removing the country from the Internet.
These five offshore survivors include the webservers that were implicated in the delivery of malware targeting Syrian activists in May of this year.