800 servers gone, the scans kept coming
Dutch FIOD seized 800 servers from AS209847. One week later the scan rate is unchanged. What that signal actually means.
1. Opening position
The Dutch FIOD seized 800 servers. One week later, AS209847 is scanning at its normal daily rate. The enforcement action removed hardware. The network behaviour did not change.
That is the only conclusion the data supports. A seizure of that size produced no observable degradation in scan output at the ASN level. Whatever relationship existed between the seized 800 servers and the scanning activity, it was not load-bearing.
The attribution of the scanning, the contents of the seized servers, and the operational structure behind AS209847 are not confirmed. What is confirmed is the gap between the action taken and the behaviour it was expected to suppress.
2. What actually failed
The assumption failed. Seizing 800 servers inside a hosting network was treated as a control action against that network’s output. The output did not respond. Daily scan volume at AS209847 remained at baseline across the week following the seizure.
What is externally observable: 800 servers removed, scan rate unchanged. The two facts do not reconcile under the assumption that the seized hardware was generating the scans. Either the scanning was not sourced from the seized 800 servers, or the source has capacity beyond what was seized. The correct interpretation is not confirmed.
What this means in operational terms: the seizure did not function as a kill action against the scanning behaviour. It functioned as the removal of 800 specific machines. Those are not the same thing. Treating them as the same thing is the failure.
3. Why it failed
The observable system behaviour is this: AS209847 emits scan traffic at a consistent daily rate. One week after 800 servers were removed from that network, the rate is unchanged. No other system behaviour is confirmed.
The internal structure that produces this output is not visible from the facts provided. Whether the scanning originates from remaining hosts inside AS209847, from infrastructure outside the seized 800, or from automation that survived the seizure, is not confirmed. The mechanism is opaque. The output is not.
What the unchanged rate establishes is the boundary of the enforcement action. The seizure operated on 800 specific assets. It did not operate on the capability that produces the scan traffic. If that capability had been concentrated in the seized hardware, the rate would have moved. It did not. The control acted on inventory. The behaviour sits somewhere the control did not reach.
4. Mechanism of Failure or Drift
The drift is between the object of enforcement and the object of behaviour. The enforcement acted on 800 servers. The behaviour is produced by whatever produces scan traffic at AS209847. The two were treated as the same surface. The week of post-seizure data shows they were not.
The mechanism that allows this drift is simple. Inventory is concrete. Capability is not. A server can be seized. A capability can only be removed if the control reaches the specific component that holds it. If the capability is distributed, replicated, or sourced from infrastructure outside the seizure scope, removing inventory does not remove capability. The scan rate is the measurement that confirms which of those conditions is true here. The rate did not move. The capability was not in the seized 800. Where it was instead is not confirmed.
This is the failure pattern. The control was scoped to assets that could be physically taken. The behaviour was scoped to whatever can emit traffic under the ASN. Those scopes did not match. When the scope of a control and the scope of the behaviour it targets do not match, the control does not act on the behaviour. It acts on the inventory it can reach. The output of AS209847 across the week following the seizure is the evidence that this gap existed and was not closed.
5. Expansion into Parallel Pattern
The same mechanism appears anywhere a control is scoped to assets and the behaviour is scoped to capability. Revoking a set of credentials does not remove access if the access path does not depend on those specific credentials. Blocking a set of IP addresses does not remove reachability if the traffic can re-emerge from addresses outside the block. Removing a set of binaries does not remove execution if the execution can be reconstituted from sources the removal did not touch. In each case the control acts on an enumerable set. The behaviour is produced by a capability that is not bound to that set.
The pattern is observable through the same signal used here: the rate of the targeted behaviour after the control is applied. If the rate moves, the control reached the capability. If the rate does not move, the control reached inventory the capability did not depend on. There is no third reading. The signal is binary at the level of effect, regardless of how complex the underlying system is. AS209847 produced the unchanged-rate reading. That reading defines the relationship between the seizure and the scanning.
What this pattern exposes, generalised strictly from the mechanism: any enforcement action whose scope is defined by what can be taken, rather than by what produces the behaviour, will produce this same result whenever the two scopes do not align. The alignment is not assumed by the existence of the action. It must be demonstrated by the post-action measurement. Without that measurement, the action is recorded as a success on its own terms and the behaviour continues on its own terms. The Dutch FIOD seizure is one instance of this. The mechanism is not specific to it.
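One way to run the post-action measurement described above, as an added example that is not the author's code or data. The event format, the 7-day windows, the 50% drop threshold, the action date and the second ASN (AS64500, from the documentation range) are all assumptions, and the sample events are constructed.

```python
from collections import Counter
from datetime import date, timedelta
from statistics import mean, stdev

def control_effect(events, asn, action_day, window=7, min_drop=0.5):
    """events: iterable of (iso_day, source_asn), one pair per observed scan.
    Compares the ASN's daily rate before and after action_day.
    Returns (baseline_mean, post_mean, verdict)."""
    per_day, sensor_up = Counter(), set()
    for day, src in events:
        d = date.fromisoformat(day)
        sensor_up.add(d)              # the sensor saw *something* that day
        if src == asn:
            per_day[d] += 1

    def rates(sign):
        days = [action_day + timedelta(days=sign * i) for i in range(1, window + 1)]
        # Skip days with no sensor data at all: an outage is not a drop.
        return [per_day[d] for d in days if d in sensor_up]

    pre, post = rates(-1), rates(+1)
    if len(pre) < 2 or not post:
        return None, None, "insufficient-data"   # measurement gap, not an effect
    base, after = mean(pre), mean(post)
    # The drop must clear both the relative threshold and baseline noise (2 sigma).
    floor = max(min_drop * base, 2 * stdev(pre))
    verdict = "moved" if base > 0 and base - after >= floor else "unchanged"
    return base, after, verdict

ACTION = date(2000, 1, 15)            # constructed date, not from the page

def sample(post_rate):
    """Constructed sensor events: about 100 scans/day before the action,
    post_rate scans/day from the action day onward, plus background
    traffic from AS64500 so the sensor is visibly up every day."""
    events = []
    for off in range(-7, 8):
        day = (ACTION + timedelta(days=off)).isoformat()
        n = [100, 104, 97, 101, 99, 103, 96][off % 7] if off < 0 else post_rate
        events += [(day, 209847)] * n + [(day, 64500)] * 5
    return events

if __name__ == "__main__":
    for label, rate in (("rate held", 100), ("rate fell", 20)):
        print(label, control_effect(sample(rate), 209847, ACTION))
```

The "insufficient-data" result is about whether the measurement exists, not about the effect: once both windows have sensor coverage, the verdict is one of the two readings the article describes.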
6. Hard Closing Truth
The scan rate at AS209847 is the only fact that matters for assessing the seizure as a control action against scanning. It did not change. The seizure did not act on the capability that produces the scans. Whether it acted on something else of value is a separate question and is not confirmed by the data described.
What must now be true: the scoping of enforcement actions against network behaviour cannot be assumed to align with the source of that behaviour. Alignment is established by the post-action signal, not by the size of the action. Eight hundred servers is a number. It is not a measurement of effect. The measurement of effect is the rate of the behaviour the action was meant to suppress. In this case the measurement is unchanged. The action did not suppress the behaviour. Any internal report that records this seizure as a disruption of the scanning activity at AS209847 is recording an assumption, not a result.
Controls that do not move the targeted signal are not controls against that signal. They are activity. AS209847 is scanning at its normal daily rate one week after 800 servers were removed from the network it operates. That is the position. Everything else about this event is not confirmed.