If you believe that a customer of a network service provider is in violation of 
that service provider's AUP, you should email ab...@serviceprovider.net.  Most 
large networks have a security team that monitors that email address regularly 
and will cooperate with you to address the problem.

Dave




-----Original Message-----
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Ronald F. Guilmette
Sent: Monday, August 14, 2017 1:50 PM
To: nanog@nanog.org
Subject: AS29073, 196.16.0.0/14, Level3: Why does anyone peer with these schmucks?


Sorry for the re-post, but it has been brought to my attention that my 
inclusion, in my prior posting, of various unsavory FQDNs resolving to various 
IPv4 addresses on AS29073 has triggered some people's spam filters.  (Can't 
imagine why. :-)  So I am re-posting this message now, with just a link to 
where those shady FQDNs and their current forward resolutions may be found.  (I 
also took the opportunity to clean up some minor typos.)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

I think that this is primarily Level3's problem to fix.  But you be the judge.  
Please, read on.

+_+_+_+_+_+_+_+_

Over the weekend, I stumbled upon an interesting blog called "Bad Packets", 
where a fellow named Troy has written about various unsavory goings on 
involving various networks.  One network that he called out in particular was 
AS29073, formerly called "Ecatel".  On his blog, this fellow Troy has noted at 
length some break-in attempts originating from AS29073 and his inability to get 
anyone, in particular RIPE NCC, to give a damn.

    https://badpackets.net/the-master-needler-80-82-65-66/
    https://badpackets.net/a-conversation-with-ripe-ncc-regarding-quasi-networks-ltd/
    https://badpackets.net/quasi-networks-responds-as-we-witness-the-death-of-the-master-needler-80-82-65-66-for-now/

The fact that RIPE NCC declined to accept the role of The Internet Police 
didn't surprise me at all... they never have and probably never will.
But I decided to have a quick look at what this network was routing, at 
present, which can be easily seen here:

    http://bgp.he.net/AS29073#_prefixes

So I was looking through the announced routes for AS29073, and it all looked 
pretty normal... a /24 block, check, a /24 block, check, a /21 block check... 
another /24 block, and then ... WAIT A SECOND!  HOLY MOTHER OF GOD!  WHAT'S 
THIS???  196.16.0.0/14 !!!

So how does a little two-bit network with a rather dubious reputation and a 
grand total of only about a /19 to its name suddenly come to be routing an 
entire /14 block??

And of course, it's a legacy (abandoned) Afrinic block.

And of course, there's no reverse DNS for any of it, because there is no valid 
delegation for the reverse DNS for any of it... usually a good sign that 
whoever is routing the block right now -does not- have legit rights to do so.  
(If they did, then they would have presented their LOAs or whatever to Afrinic 
and thus gotten the reverse DNS properly delegated to their own name servers.)

I've seen this movie before.  You all have.  This gives every indication of 
being just another sad chapter in the ongoing mass pillaging of unused Afrinic 
legacy IPv4 space, by various actors with evil intent.
I've already documented this highly unfortunate fad right here on multiple 
occasions:

    https://mailman.nanog.org/pipermail/nanog/2016-November/089232.html
    https://mailman.nanog.org/pipermail/nanog/2017-August/091821.html

This incident is a bit different from the others however, in that it -does not- 
appear that the 196.16.0.0/14 block has been filled to the brim with snowshoe 
spammers.  Well, not yet anyway.

But if in fact the stories are correct, and if AS29073 does indeed have a 
history of hosting outbound hacking activities, then the mind reels when 
thinking about how much mischief such bad actors could get into if given an 
entire /14 to play with.  (And by the way, this is a new world's record I 
think, for largest single-route deliberate hijack.
I've seen plenty of /16s go walkabout before, and even a whole /15.
But an entire /14?!?! That is uniquely brazen.)

In addition to the above, and the points raised within the Bad Packets blog 
(see links above) I found, via passive DNS, a number of other causes for 
concern about AS29073, to wit:

    Shady FQDNs (incl possible child porn ones) on AS29073 moved here:
    https://pastebin.com/raw/f4M09UKL

(In addition to the above, I've also found plenty more domain names associated 
with AS29073 which incorporate the names "Apple" "AirBnB", "Facebook", and 
"Groupon", as well as dozens of other legitimate companies and organizations.)

I confess that I have not had the time to look at any of the web sites that may 
or may not be associated with any of the above FQDNs, but the domain names 
themselves are certainly strongly suggestive of (a) the possible hosting of 
child porn and also and separately (b) the possible hosting of phishing sites.

So, given the history of this network (as is well documented on the Bad Packets 
blog) and given all of the above, and given what would appear to be the 
unauthorized "liberation" of the entire 196.16.0.0/14 block by AS29073, one 
cannot help but wonder: Why does anybody still even peer with these jerks?

The always helpful and informative web site bgp.he.net indicates that very 
nearly 50% of the connectivity currently enjoyed by AS29073 is being provided 
to them by Level3.  I would thus like to ask Level3 to reconsider that peering 
arrangement in light of the above facts, and especially in light of what would 
appear to be the unauthorized routing of the 196.16.0.0/14 block by AS29073.

Surprisingly, given its history, AS29073 apparently has a total of 99 different 
peers, at present, and I would likewise ask all of them to reconsider their 
current peering arrangements with this network.  I am listing all 99 peers 
below.

Before I get to that however, I'd like to also note that there currently 
exists, within the RIPE Routing Registry, the following route object:

route:          196.16.0.0/14
origin:         AS29073
mnt-by:         QUASINETWORKS-MNT
mnt-by:         EC42500-MNT
mnt-routes:     EC42500-MNT
mnt-routes:     M247-EU-MNT
created:        2017-03-28T21:47:03Z
last-modified:  2017-08-11T19:58:39Z
source:         RIPE

I confess that I am not 100% sure of the exact semantics of the "mnt-routes"
tag, but it would appear from the above that the UK's M247 network (AS9009)...
which itself is not even peering with AS29073... appears to have, in effect 
countersigned the above RIPE route object, vouching for its correctness and 
authenticity as they did so.  Why they would have done that, especially given 
that they themselves are not even peering with AS29073, is, I confess, beyond 
me.  But I would love to have them explain it, or even try to explain it.
It's enigmatic, to say the least.

Anyway, the "created" date in the above record seems to be consistent with the 
actual start of the announcement of 196.16.0.0/14 by AS29073, which the RIPE 
Routing History tool says occurred sometime in March of this year.

One additional (and rather bizarre) footnote to this whole story about the 
196.16.0.0/14 block has to do with the entity that allegedly -is- the current 
rightful owner of the block (as far as Afrinic is concerned).
That entity is designated by the Afrinic handle ORG-IA41-AFRINIC and that in 
turn has an admin-c and tech-c of NAIT1-AFRINIC.  The record for that handle is 
as follows:

-------------------------------------------------------
person:         Network and Information Technology Administrator
address:        Unit 117, Orion Mall, Palm Street
address:        Victoria, Mahe
address:        Seychelles (SC)
phone:          +972-54-2203545
e-mail:         i...@networkandinformationtechnology.com
nic-hdl:        NAIT1-AFRINIC
mnt-by:         MNT-NETWORKANDINFORMATIONTECHNOLOGY
changed:        i...@networkandinformationtechnology.com 20150725
source:         AFRINIC
-------------------------------------------------------

Upon fetching the current WHOIS record for networkandinformationtechnology.com
I found it more than passing strange that all of the contact details therein 
are associated *not* with anything in Africa, nor even anything in the home 
country of AS29073 (Netherlands) but rather, the address and phone numbers 
therein all appear to be ones associated with a relatively well known Internet 
attorney in Santa Monica, California by the name of Bennet Kelly.

As it happens, in the distant past (about 10 years ago) I personally crossed 
swords with this particular fellow.  He may be a lot of things, but it never 
seemed to me that stupid was one of them.  And indeed the domain name 
networkandinformationtechnology.com and all of its connections to the 
196.16.0.0/14 block appear to date from 2015...
long before AS29073 started routing this block (which only started in March of 
this year).

So, my best guess about this whole confusing mess is that the -original- 
legitimate owners of the 196.16.0.0/14 block most probably sold it on, in a 
legitimate transaction, to some other party in 2015, where that other party 
was/is represented by Mr. Bennet Kelly, Esq.  And my guess is that neither he 
nor the new owners, who he represents, even know that their expensive /14 has 
gone walkabout, as of March of this year.
I will be trying to make contact with Mr. Kelly today to discuss this with him 
and will post a follow-up if any new and interesting information arises from 
that conversation.


Regards,
rfg


Peers of AS29073:
================================================================================
1. AS3356 - Level 3 Communications, Inc. (United States)
2. AS56611 - REBA Communications BV (Netherlands)
3. AS6939 - Hurricane Electric, Inc. (United States)
4. AS33891 - Core-Backbone GmbH (Germany)
5. AS13030 - Init7 (Switzerland) Ltd. (Switzerland)
6. AS9002 - RETN Limited (Ukraine)
7. AS8220 - COLT Technology Services Group Limited (United Kingdom)
8. AS3267 - State Institute of Information Technologies and Telecommunications (SIIT&T "Informika") (Russian Federation)
9. AS52320 - GlobeNet Cabos Submarinos Colombia, S.A.S. (Colombia)
10. AS49605 - Digital Telecommunication Services S.r.l. (Italy)
11. AS12779 - IT.Gate S.p.A. (Italy)
12. AS1836 - green.ch AG (Switzerland)
13. AS5394 - UNIDATA S.p.A. (Italy)
14. AS20965 - GEANT Limited (European Union)
15. AS25091 - IP-Max SA (Switzerland)
16. AS29075 - Lost Oasis SARL (France)
17. AS31424 - nexellent ag (Switzerland)
18. AS37100 - SEACOM Limited (Mauritius)
19. AS37468 - Angola Cables (Angola)
20. AS8468 - ENTANET International Limited (United Kingdom)
21. AS50304 - Blix Solutions AS (Norway)
22. AS6661 - POST Luxembourg (Luxembourg)
23. AS8218 - Zayo France SAS (France)
24. AS1267 - Wind Telecomunicazioni SpA (Italy)
25. AS3303 - Swisscom (Switzerland) Ltd (Switzerland)
26. AS10026 - Pacnet Global Ltd (Hong Kong)
27. AS1103 - SURFnet bv (Netherlands)
28. AS12637 - SEEWEB s.r.l. (Italy)
29. AS12859 - BIT BV (Netherlands)
30. AS13237 - euNetworks Managed Services GmbH (Germany)
31. AS15435 - CAIW Diensten B.V. (Netherlands)
32. AS15547 - netplus.ch SA (Switzerland)
33. AS15763 - DOKOM Gesellschaft fuer Telekommunikation mbH (Germany)
34. AS16347 - ADISTA SAS (France)
35. AS18106 - Viewqwest Pte Ltd (Singapore)
36. AS200130 - Digital Ocean, Inc. (European Union)
37. AS202018 - Digital Ocean, Inc. (Netherlands)
38. AS20562 - Open Peering B.V. (Netherlands)
39. AS20932 - Services Industriels de Geneve (Switzerland)
40. AS23106 - Cemig Telecomunicações SA (Brazil)
41. AS24482 - SG.GS (Singapore)
42. AS25160 - Vorboss Limited (United Kingdom)
43. AS25220 - equada network GmbH (Germany)
44. AS25227 - Avantel, Close Joint Stock Company (Russian Federation)
45. AS29017 - Gyron Internet Ltd (United Kingdom)
46. AS49289 - IPROUTE SRL (Italy)
47. AS28917 - LLC "TRC FIORD" (Russian Federation)
48. AS29140 - Hostserver GmbH (Germany)
49. AS12329 - Telekommunikation Mittleres Ruhrgebiet GmbH (Germany)
50. AS30132 - Internet Systems Consortium, Inc. (United States)
51. AS30844 - Liquid Telecommunications Ltd (United Kingdom)
52. AS31019 - Paulus M. Hoogsteder trading as Meanie (Netherlands)
53. AS31122 - Digiweb ltd (Ireland)
54. AS3252 - Fiberax Networking&Cloud Ltd. (United Kingdom)
55. AS34019 - Hivane (France)
56. AS34177 - CELESTE SAS (France)
57. AS34288 - Kantonsschule Zug (Switzerland)
58. AS34781 - Citycable (Switzerland)
59. AS36351 - SoftLayer Technologies Inc. (United States)
60. AS37497 - Network Platforms (PTY) LTD (South Africa)
61. AS38880 - Micron21 Datacentre Pty Ltd (Australia)
62. AS39120 - Convergenze S.p.A. (Italy)
63. AS42541 - Fiberby ApS (Denmark)
64. AS45352 - IP ServerOne Solutions Sdn Bhd (Malaysia)
65. AS4589 - Easynet Global Services (European Union)
66. AS12552 - IP-Only Networks AB (Sweden)
67. AS48526 - Tango S.A. (Luxembourg)
68. AS49463 - Les Nouveaux Constructeurs SA (France)
69. AS50300 - CustodianDC Limited (United Kingdom)
70. AS50763 - MCKAYCOM LTD (United Kingdom)
71. AS5413 - Daisy Communications Ltd (United Kingdom)
72. AS55818 - MC-IX Matrix Internet Exchange RS-1 (Indonesia)
73. AS57463 - NetIX Communications Ltd. (Bulgaria)
74. AS58511 - Anycast Global Backbone (Australia)
75. AS29467 - LUXNETWORK S.A. (Luxembourg)
76. AS39912 - oja.at GmbH (Austria)
77. AS6667 - Elisa Oyj (Finland)
78. AS8447 - A1 Telekom Austria AG (Austria)
79. AS57866 - Fusix Networks B.V. (Netherlands)
80. AS8426 - ClaraNET LTD (United Kingdom)
81. AS8492 - "OBIT" Ltd. (Russian Federation)
82. AS43531 - Console Network Solutions Ltd (United Kingdom)
83. AS8422 - NetCologne GmbH (Germany)
84. AS201341 - Tesonet Ltd (Lithuania)
85. AS3327 - Linx Telecommunications B.V. (Estonia)
86. AS6724 - Strato AG (Germany)
87. AS20764 - CJSC RASCOM (Russian Federation)
88. AS6730 - Sunrise Communications AG (Switzerland)
89. AS1136 - KPN B.V. (Netherlands)
90. AS16637 - MTN SA (South Africa)
91. AS42708 - Portlane AB (Sweden)
92. AS4788 - TM Net, Internet Service Provider (Malaysia)
93. AS62355 - Network Dedicated SAS (Switzerland)
94. AS1764 - Next Layer Telekommunikationsdienstleistungs- und Beratungs GmbH (Austria)
95. AS5713 - Telkom SA Ltd. (South Africa)
96. AS60115 - ShockSRV Internet Services Private Limited (Netherlands)
97. AS64484 - JUPITER 25 LIMITED (Netherlands)
98. AS8767 - M-net Telekommunikations GmbH (Germany)
99. AS34224 - Neterra Ltd. (Bulgaria)
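The checks the post above walks through by hand (does each announced prefix have a matching IRR route object, how the object's "created" date lines up with when the prefix first appeared in the routing table, and whether one prefix dwarfs everything else the AS announces) are easy to script, and doing so is the routine way an operator reviews a peer or customer before accepting its routes. The block below is an added example, not code from the post, from NANOG, or from any of the tools it links. It runs offline on constructed sample data: the 196.16.0.0/14 route object copies the fields quoted in the post, while every other route object, every announcement with its first-seen date, and the 4x threshold in dominant_prefixes are assumptions made for the illustration. On the "mnt-routes" question the post raises: under the RPSL authorisation model (RFC 2725) that attribute names the maintainers allowed to create route objects for the space (on an inetnum or aut-num) or more-specific route objects (on a route object), which is why the parser keeps it as a list so it can be reported next to mnt-by.

```python
"""Offline review of an AS's announced prefixes against IRR route objects.
All data below is constructed for the example (the 196.16.0.0/14 object
reproduces the fields quoted in the post); nothing is fetched from the network."""
import ipaddress
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple

# Constructed RPSL text in the layout RIPE's database returns.
IRR_TEXT = """\
route:          196.16.0.0/14
origin:         AS29073
mnt-by:         QUASINETWORKS-MNT
mnt-by:         EC42500-MNT
mnt-routes:     EC42500-MNT
mnt-routes:     M247-EU-MNT
created:        2017-03-28T21:47:03Z
last-modified:  2017-08-11T19:58:39Z
source:         RIPE

route:          198.51.100.0/24
origin:         AS29073
mnt-by:         QUASINETWORKS-MNT
created:        2014-05-20T10:00:00Z
last-modified:  2014-05-20T10:00:00Z
source:         RIPE

route:          100.64.0.0/21
origin:         AS29073
mnt-by:         QUASINETWORKS-MNT
created:        2014-05-20T10:00:00Z
last-modified:  2014-05-20T10:00:00Z
source:         RIPE

route:          192.0.2.0/24
origin:         AS64496
mnt-by:         EXAMPLE-MNT
created:        2012-01-10T08:00:00Z
last-modified:  2012-01-10T08:00:00Z
source:         RIPE
"""

# Constructed (prefix, origin AS, first date seen in BGP) tuples, as one would
# export them from a looking glass or a routing-history tool.
ANNOUNCEMENTS = [
    ("196.16.0.0/14", "AS29073", "2017-03-29"),
    ("198.51.100.0/24", "AS29073", "2014-06-01"),
    ("203.0.113.0/24", "AS29073", "2014-06-01"),   # deliberately no route object
    ("100.64.0.0/21", "AS29073", "2014-06-01"),
    ("192.0.2.0/24", "AS64497", "2016-02-02"),     # deliberately wrong origin
]


def parse_rpsl(text: str) -> List[Dict[str, List[str]]]:
    """Split blank-line separated RPSL objects into dicts; repeated attributes
    such as mnt-by and mnt-routes accumulate in order."""
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def check_route_objects(announcements, irr_objects) -> Dict[str, Tuple[str, Optional[int]]]:
    """For each announcement return (status, days between the matching route
    object's creation and the prefix's first sighting).  Status is 'ok',
    'origin-mismatch' (object exists for the prefix but names another AS) or
    'no-route-object'.  Only an exact-prefix match counts."""
    by_prefix: Dict[ipaddress.IPv4Network, List[dict]] = {}
    for obj in irr_objects:
        if "route" in obj:
            by_prefix.setdefault(ipaddress.ip_network(obj["route"][0]), []).append(obj)
    findings = {}
    for prefix, origin, first_seen in announcements:
        candidates = by_prefix.get(ipaddress.ip_network(prefix), [])
        match = next((o for o in candidates if origin in o.get("origin", [])), None)
        if match is None:
            findings[prefix] = ("origin-mismatch" if candidates else "no-route-object", None)
            continue
        created = datetime.strptime(match["created"][0], "%Y-%m-%dT%H:%M:%SZ").date()
        findings[prefix] = ("ok", (date.fromisoformat(first_seen) - created).days)
    return findings


def dominant_prefixes(announcements, factor: int = 4) -> List[Tuple[str, str]]:
    """Flag any prefix holding more than `factor` times the address space of
    everything else the same origin announces (the factor is an assumption).
    An AS announcing a single prefix is never flagged."""
    by_as: Dict[str, List[ipaddress.IPv4Network]] = {}
    for prefix, origin, _ in announcements:
        by_as.setdefault(origin, []).append(ipaddress.ip_network(prefix))
    flagged = []
    for origin, nets in by_as.items():
        total = sum(n.num_addresses for n in nets)
        for net in nets:
            rest = total - net.num_addresses
            if rest and net.num_addresses > factor * rest:
                flagged.append((origin, str(net)))
    return flagged


if __name__ == "__main__":
    objs = parse_rpsl(IRR_TEXT)
    for prefix, (status, gap) in check_route_objects(ANNOUNCEMENTS, objs).items():
        print(f"{prefix:18} {status:18} object created {gap} day(s) before first seen" if gap is not None
              else f"{prefix:18} {status}")
    print("outsized prefixes:", dominant_prefixes(ANNOUNCEMENTS))
```

Run against real data, the input would be a prefix list per origin from a looking glass plus the route objects returned by a whois query for each prefix; a route object created days before the prefix first appears, as in the sample, is not proof of anything on its own, but together with a missing reverse-DNS delegation and a prefix that is orders of magnitude larger than the AS's other holdings it is exactly the pattern the post describes, and worth a question to the upstream's abuse contact.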
