AFRINIC IP Block Thefts -- The Saga Continues

2020-11-15 Thread Ronald F. Guilmette
South African tech journalist Jan Vermeulen has written a new chapter in this ongoing saga of greed, theft, and skulduggery. EXECUTIVE SUMMARY: Maikel Uerlings and Elad Cohen registered a bunch of new domain names as part of their overall scheme to steal AFRINIC legacy blocks by fiddling the

Friday Reminder: Web Site Security

2020-05-15 Thread Ronald F. Guilmette
This is your helpful Friday reminder to always pay close attention to the security settings of all of the web sites under your administration. Otherwise, anonymous skript kiddiez could show up at any moment and deface one or more of your web sites. (It happens a lot.) https://ipv4.plus/

Re: Don't forget RFG (was: Re: RIPE NCC Executive Board election)

2020-05-15 Thread Ronald F. Guilmette
I want to thank Joe Greco for his kind and generous comments. That having been said, I'm not sure that I either should, or even want to take credit for having kicked off *with a single message* "a 100+-message flamefest on NANOG". That was not my intent, and it is quite clear that those NANOG

RIPE NCC Executive Board election

2020-05-13 Thread Ronald F. Guilmette
Many of you here may be dues-paying members of both ARIN and RIPE. Those of you who are may wish to be aware of the fact that there will be an election held on (I believe) May 14th, just a day or two from now, for three open RIPE NCC Executive Board seats. I have it on good authority that one of

Re: Tell me about AS19111

2020-02-09 Thread Ronald F. Guilmette
Sorry to follow up on myself, but it seems that one figure I gave here regarding the value of the IPv4 space that was gifted to AFRINIC at its inception was off by roughly an order of magnitude. I said that at its inception, AFRINIC had been gifted with two /8 IPv4 blocks with a current open

Monetizing IPv4 addresses / DiViNetworks

2020-02-07 Thread Ronald F. Guilmette
My apologies to all. I previously posted here some inaccurate information, which I must now retract and correct. I incorrectly asserted that "DiViNetworks has received $15 million USD worth of venture capital from the International Finance Corporation, a commercial lender and member of the World

DiViNetworks

2020-02-06 Thread Ronald F. Guilmette
I mention in passing also that at the present time, DiViNetworks has a grand total of some 6,070 unique route objects registered in the RADB data base. Where I come from, that's a lot of routes. https://pastebin.com/raw/YeFBd1qZ I would be gnerally unconcerned if not for the fact that two of

Re: DiviNetworks

2020-02-06 Thread Ronald F. Guilmette
Regarding DiviNetworks... I am not personally persuaded that an Israeli company that inserted a route object into the RADB data base to act as a cover for the company's apparent theft of a nice juicy /16 AFRINIC region legacy block that actually belongs to, and belonged to a South African state

Re: Tell me about AS19111

2020-02-06 Thread Ronald F. Guilmette
In message <24124.30737.599536.809...@gargle.gargle.howl>, Sandra Murphy wrote: >It could measure the extent of the problem and would be within what I >suggested. > >For example if there were only one AS being abused that would make it >a different priority than 1,000 or 10,000 (some seem to be

Re: Tell me about AS19111

2020-02-06 Thread Ronald F. Guilmette
In message <24124.27418.388460.814...@gargle.gargle.howl>, Barry Shein wrote: >Given events including the IPv4 runout etc perhaps it's long overdue >that the RIRs should hire a professional big-name (we used to call >them Big 5) accounting firm to audit or at least review IP address, >ASN, etc.

Re: Tell me about AS19111

2020-02-06 Thread Ronald F. Guilmette
In message , Shane Ronan wrote: >It's not clear to me that HE having reserved AS numbers in THEIR routing >table is actually a problem. These AS numbers are actually reserved for >private use. Perhaps they have a customer who wants to do BGP but doesn't >want to register their own AS number

Re: Tell me about AS19111

2020-02-05 Thread Ronald F. Guilmette
For all of the people who have elected to pick on me for my less that diplomatic assertion(s), I can only suggest that your time and effort would be more well spent by looking at the hard data that I suggested that everyone look at, and then looking to see if any of the bogus ASNs being used, day

Re: Tell me about AS19111

2020-02-05 Thread Ronald F. Guilmette
In message <20200206013024.4b0b213c2...@ary.qy>, "John Levine" wrote: >1800vitamins.org has a web site at 12.180.219.234 which looks like >they would sell me vitamins should I or my dog need any. > >Routeviews tells me that IP is in AS19111, routed via AS7018. AS7018 >is AT which isn't

Re: AFRINIC: The Saga Continues

2020-01-30 Thread Ronald F. Guilmette
In message , Dan Hollis wrote: >What can or should be done when a registry goes rogue? Answering that question is a task which is above my pay grade. I would be remiss however if I did not take this opportunity to make a few brief and relevant points. *) There are other and additional shoes

AFRINIC: The Saga Continues

2020-01-29 Thread Ronald F. Guilmette
My apologies to all. Certain of the blocks mentioned in my prior posting here have already been reclaimed, and are currently being routed by appropriate parties. In particular, these ones: 152.108.0.0/16 155.237.0.0/16 165.4.0.0/16 165.5.0.0/16 Also, I somehow managed to miss mentioning a few

The curious case of 159.174.0.0/16

2020-01-29 Thread Ronald F. Guilmette
[[ Fair warning to newcomers: I write and post longish pieces here regarding my various investigations of funny business I find going on within the IPv4 address space and the allocations and uses thereof. If you're looking for a quick 2 minute read then you are advised to skip this

Re: AFRINIC: The Saga Continues

2020-01-28 Thread Ronald F. Guilmette
In message , thomas brenac wrote: >Thank you Ronald, I also heard of governance issue in AFRINIC by some >people during the last RIPE meeting so the word is spreading. Now is >there any other /16 impacted to your knowledge ? Would be worth pushing >to have them in as many Drop list as

AFRINIC: The Saga Continues

2020-01-27 Thread Ronald F. Guilmette
For the benefit of those of you who may have been living in caves for the past two months, I would like to share the following links regarding a massive fraud that appears to have been perpetrated by at least one AFRINIC insider. (It has still not been definitively determined if he had help or

Re: Colombia Network Operators Group

2019-09-23 Thread Ronald F. Guilmette
In message <6f2876a6abe02547ba85adb58bd21...@mail.dessus.com>, "Keith Medcalf" wrote: >Fascinating. What is the security threat I wonder, that there is no >JavaScript? Undoubtedly drug smuggling over HTTP.

Re: Elad Cohen (was: Re: Cogent sales reps who actually respond)

2019-09-19 Thread Ronald F. Guilmette
In message <20190919084649.gc30...@jima.tpb.net>, niels=na...@bakker.net wrote: >* r...@tristatelogic.com (Ronald F. Guilmette) [Thu 19 Sep 2019, 10:05 CEST]: >>I never like to generalize to entire populations, and I will >>therefore refrain from suggesting any endemic

Re: Elad Cohen

2019-09-19 Thread Ronald F. Guilmette
In message <8a49bf73-7a68-4b8f-9dc5-e94b7fe63...@globalone.io>, Florian Brandstetter wrote: >... this is certainly not a place where you can >slander his name or anyone associated with him in any manner for the >entertainment of everyone... If I have slandered anyone, then I shall bear the

Re: Elad Cohen

2019-09-19 Thread Ronald F. Guilmette
In message , Elad Cohen wrote: >Mr. Ronald Guilmette > >Everything you did and you wrote in this forum until today, including mud- >slinging and slandering, including thieves and crooks, they are libel for all >intents and purposes with everything it implies, and this without to >display any

Re: Elad Cohen

2019-09-19 Thread Ronald F. Guilmette
In message , Masataka Ohta wrote: >Ronald F. Guilmette wrote: > > > So, if you are looking for a Crime here, i.e. one defined under law, > > there isn't one. > >You don't know how broadly crime of fraud is defined by the current code. > >Just injecting false route

Re: Elad Cohen (was: Re: Cogent sales reps who actually respond)

2019-09-19 Thread Ronald F. Guilmette
In message Christopher Morrow wrote: >"who cares about the sale?" My apologies. I see that I have failed to be adequately clear. There was no "sale". There was only theft, and then stolen goods being passed from hand to hand to hand, ultimately ending up in the hands of Mr. Cohen, who has

Re: Elad Cohen

2019-09-18 Thread Ronald F. Guilmette
In message , Masataka Ohta wrote: >Ronald F. Guilmette wrote: > >> It is a well known fundamental tenet of logical reasoning and argument >> that it is not possible for -anyone- to prove a negative, which is what >> you've just asked me to do. > >So, Austra

Re: Elad Cohen

2019-09-18 Thread Ronald F. Guilmette
In message <15744848-5638-ad01-2c9c-a89825f9d...@necom830.hpcl.titech.ac.jp>, Masataka Ohta wrote: >Ronald F. Guilmette wrote: > >> Come now Mr. Cohen, please do tell us who you paid for rights to the >> 168.198.0.0/16 block, which belongs to the Australian gov

Elad Cohen (was: Re: Cogent sales reps who actually respond)

2019-09-18 Thread Ronald F. Guilmette
In message , Elad Cohen wrote: >Please see the following link: > >https://afrinic.net/resource-certification > >As you can see, a MyAFRINIC account is required. > >Yes, route objects for legacy AFRINIC resources in their RIR operated IRRDB > as a fallback for RPKI can be created and they were

Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft?

2019-09-18 Thread Ronald F. Guilmette
In message <152f0dbc-f7af-2a78-c5a7-f2062effe...@necom830.hpcl.titech.ac.jp>, Masataka Ohta wrote: > From whois information: > >remarks:reg-date:1993-03-22 > >notify: tmiy...@gaijin.co.jp I already talked to the guy who has

Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft?

2019-09-17 Thread Ronald F. Guilmette
In message <9567b241-12ce-4728-8e73-ff7143907...@apnic.net>, Vivek Nigam wrote: >APNIC has contacted the custodians of 139.44.0.0/16 and 168.198.0.0/16 and >brought this matter to their attention. Excellent. Thank you. If possible, it would be Good if APNIC could also make contact with the

Re: Cogent sales reps who actually respond

2019-09-17 Thread Ronald F. Guilmette
In message , Elad Cohen wrote: >The defamatory and invective words, the mudslinging and slander of my name, > by Ronald Guilmette, are not true at all and they are completely false, in > my hand there are all the purchases approval for purchasing ipv4 and that >were paid completely by me. >

Re: Cogent sales reps who actually respond

2019-09-16 Thread Ronald F. Guilmette
In message , "Stephen M." wrote: >Please don't praise or complain like we're supposed to take >it at a total face value. If you don=E2=80=99t like them so much - we are >you're audience. Explain. > >If you like Cogent - explain. >If you don=E2=80=99t like Cogent - explain. I see that many

Re: Cogent sales reps who actually respond

2019-09-16 Thread Ronald F. Guilmette
In message , Owen DeLong wrote: >Given their practice of harvesting whois updates in order to spam newly >acquired AS contacts, any time it is my decision, Cogent is ineligible >as a vendor. So I guess then that their aiding and abetting of fraud and IP block theft, as I documented here

Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft?

2019-09-06 Thread Ronald F. Guilmette
In message , Mel Beckman wrote: >I’m just saying that I randomly checked one fact and it doesn’t meet >the level of positive certainty that you asserted. It’s thus reasonable >to ask you to double check your research all around. I’m not willing >to be your unpaid copy editor, so let me know

Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft?

2019-09-06 Thread Ronald F. Guilmette
In message <67b3e0d5-7d09-42e2-a753-eb6c93859...@getmailspring.com>, Florian Brandstetter wrote: >if you'd open the traceroute you just sent you'd see that the target >is route looping and not actually used by their alleged customer? Yea. So? How is that relevant to my fundamental narrative?

Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft?

2019-09-06 Thread Ronald F. Guilmette
In message <23540.1567802...@segfault.tristatelogic.com>, I wrote: >Is anyone disputing that 168.198.0.0/16 belongs to the Australian >national government, or that AS174, Cogent was, until quite recently, >routing that down to their pals at FDCServers who then were routing >it down to their

Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft?

2019-09-06 Thread Ronald F. Guilmette
In message <5233b9b9-1bff-425d-bb8f-e3853703b...@beckman.org>, Mel Beckman wrote: >A quick check of one of your facts produces unexpected results, so you might >want to perform more research. According the APNIC, 139.44.0.0/16 does not >“belong unambiguously to the Port Authority of

Cogent & FDCServers: Knowingly aiding and abetting fraud and theft?

2019-09-06 Thread Ronald F. Guilmette
Few of you here probably know about this, but nearly a week ago now an article appeared in South Africa's largest and most popular online tech publication, MyBroadband.co.za. It detailed many, but certainly not all of the results of my multi-month investigation of a massive and ongoing fraud

The Curious Case of 143.95.0.0/16

2019-08-28 Thread Ronald F. Guilmette
Mel Beckman mel at beckman.org wrote: >I have one question, “of late”, regarding your post: Is it “Antia” or “Anita”? Yes. Sorry. There were multiple small typos in what I posted. Not surprising, since I am an utterly awful typist. The link I gave in my post provides enough redundant

The Curious Case of 143.95.0.0/16

2019-08-28 Thread Ronald F. Guilmette
Fair Warning: Those of you not enamored of my long-winded exposés of various remarkable oddities of the IPv4 address space may wish to click on the tiny little wastebasket icons on your mail clients at this point. For the rest of you, please read on. I think you may find the following story

ARIN Fantasy WHOIS: NET-216-179-183-0-1

2019-08-14 Thread Ronald F. Guilmette
As if to underscore the point I just tried to make about the fundamental unreliability of ARIN WHOIS records, I just stumbled onto this rather curious entity which was apparently given a sub-allocation of 216.179.183.0/24 beneath the 216.179.128.0/17 (Azuki, Inc.) block as of 2012-01-10: OrgName:

Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-14 Thread Ronald F. Guilmette
In message <20190810003820.gd2...@jima.tpb.net>, Niels Bakker wrote: >* r...@tristatelogic.com (Ronald F. Guilmette) [Sat 10 Aug 2019, 02:26 CEST]: >>As far as I am aware, no RIR makes any effort whatsoever to vet >>changes to WHOIS records, either for IP blocks or A

Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-14 Thread Ronald F. Guilmette
In message <4fcb73bf-224f-e011-f310-522193c86...@efes.iucc.ac.il>, Hank Nussbacher wrote: >Just as an observer to your long resource theft postings: >- Do you attempt to contact directly the organization or person who have >had their resource taken over? To the extent that I can spare the

Re: RPKI adoption (was: Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17)

2019-08-14 Thread Ronald F. Guilmette
In message , John Curran wrote: >Alas, it’s not those who fail to properly configure RPKI that are likely to be >litigating, but rather their impacted customers and those customers' business >partners who all were unable to communicate due to no fault of their own. > >Such a matter will not be

Re: RPKI adoption (was: Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17)

2019-08-13 Thread Ronald F. Guilmette
In message <06570278-e1ad-4bb0-a9fc-11a77bed7...@arin.net>, John Curran wrote: >Even so, we at ARIN are in the midst of a Board-directed review of the RPKI >legal framework to see if any improvements can be made

Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-13 Thread Ronald F. Guilmette
In message , Eric Kuhnke wrote: rfg>> 4) Filing a "fraud request" with ARIN is a serious step and one that rfg>could quite conceivably end up with the party filing such a formal rfg>report being on the business end of lawsuit, just for having filed rfg>such a report.

Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-13 Thread Ronald F. Guilmette
In message Ross Tajvar wrote: >Seems like submitting a fraud request to ARIN is more effective than >writing a novel and sending it to NANOG, and doesn't require the latter... As noted in my immediately prior posting, ARIN's careful adjudication of this or any other possible case of fraud

Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-13 Thread Ronald F. Guilmette
In message , John Curran wrote: >On 9 Aug 2019, at 4:09 PM, Ronald F. Guilmette wrote: >> ... >> Unfortunately, we cannot read too much into this change that was made >> to the block's public-facing WHOIS record. Neither the new WHOIS info >> nor even the

Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-09 Thread Ronald F. Guilmette
In message Ross Tajvar wrote: >First he thought that a /17 got stolen (by creating a company with the same >name as the original, now-defunct owner), but he then said he was wrong and >actually it either 1) got transferred against ARIN policy or 2) was made to >look like it was transferred by

Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-09 Thread Ronald F. Guilmette
In message , Brandon Price wrote: > > > 1) On or about 02-17-2010 HHSI, Inc. (California) transfered the >registration of the 216.179.128.0/17 block from itself to the >2009 vintage Delaware entity Azuki, LLC. If this is what happened, >then it is likely that the

Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-09 Thread Ronald F. Guilmette
Further investigation of this case obliges me to post the following correction and retraction. Additional evidence now strongly suggests that the 216.179.128.0/17 IP address block has NOT been "stolen" as I had suggested yesterday. I simply mis-read the ARIN historical registration ("WhoWas")

Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-08 Thread Ronald F. Guilmette
Corporate identity theft is a simple ploy which may be used to illicitly obtain valuable IPv4 address space. Actual use of this fradulent ploy was first described publicly in April, 2008 (https://wapo.st/2YLEhlZ). Quite simply, a party bent on undertaking this ploy may just search the publicly

Re: Russian Anal Probing + Malware

2019-06-22 Thread Ronald F. Guilmette
In message , "Keith Medcalf" wrote: >On Friday, 21 June, 2019 18:14, Ronald F. Guilmette com> wrote: > >>https://twitter.com/GreyNoiseIO/status/1129017971135995904 >>https://twitter.com/JayTHL/status/1128718224965685248 > >Sorry, don't twitt

Russian Anal Probing + Malware

2019-06-21 Thread Ronald F. Guilmette
https://twitter.com/GreyNoiseIO/status/1129017971135995904 https://twitter.com/JayTHL/status/1128718224965685248 Friday Questionaire: Is there anybody on this list who keeps firewall logs and who DOESN'T have numerous hits recorded therein from one or more of the following IP addresses?

AS24940 Hetzner -- non-role contact wanted

2019-04-22 Thread Ronald F. Guilmette
Subtitle: Another Big Mess On Aisle Thirteen. Somebody Grab The Mop! Just over a month ago, I was here, doing what I always do, bitching and moaning about the low-life trash that is typically allowed to roam free and unfettered on the Internet:

Re: Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

2019-03-19 Thread Ronald F. Guilmette
In message , Tom Beecher wrote: >Calling everyone an idiot in the midst of Endless Pontification isn't >really a recipe for success. I did not call "everyone" an idiot. I'm quite completely sure that there are innumerable people in all of the referenced companies who are consumate and

Re: Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

2019-03-19 Thread Ronald F. Guilmette
reading there. ]] In message <50414.162.155.102.254.1553001814.ig...@webmail.iglou.com>, "Jeff McAdams" wrote: >(Disclosure: I, too, work for DigitalOcean as the Manager of Network >Engineering. Nikolas does not work for me, nor I for him.) > >On Tue, March 19, 201

Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

2019-03-19 Thread Ronald F. Guilmette
Nikolas Geyer wrote: >I have passed your email on to the relevant team within DO to have a look at. Thank you, but that wasn't what I requested, I asked for a contact there. (I know that this may be hard to understand, but it's like the difference between giving a man a fish, and teaching

Re: Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

2019-03-18 Thread Ronald F. Guilmette
In message , Christian Kuhtz wrote: >we are asking Microsoft CDOC to investigate. Thank you. I am not at all sure who the mysterious "we" is intended to represent in that sentence. Perpahs it is just intended as the royal "we" as in "We are not amused." But I don't really care. I am

Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

2019-03-18 Thread Ronald F. Guilmette
OVH, DigitalOcean, and Microsoft... Is there anybody awake and conscious at any of these places? I mean anybody who someone such as myself... just part of the Great Unwashed Masses... could actually speak to about a real and ongoing problem? Maybe most of you here will think that this is just

Re: Webzilla

2019-03-18 Thread Ronald F. Guilmette
In message , Eric Kuhnke wrote: >Looking at the AS adjacencies for Webzilla, what would prevent them from >disconnecting all of their US/Western Euro based peers and transits, and >remaining online behind a mixed selection of the largest Russian ASes? I do >not think that any amount of

Webzilla

2019-03-16 Thread Ronald F. Guilmette
[[ My apologies to thos eof you who may see this twice. I have posted the message below also to the RIPE Anti-Abuse Working Group mailing list, so any of you who are on that list also will see this twice. But I believe that it is relevant here also. ]]

Crooks on the Intrernet: Episode 6,427

2018-11-21 Thread Ronald F. Guilmette
I just thought that y'all might want to be aware of this. My attention was called recently to a RIPE-issued block of IPv4 addresses assigned to a particular Polish firm (Marton Media: https://martonmedia.pl/) that appears to sell digital TV services. The block in question is 91.149.192.0/18

Summer of Hijacks: My message to RIPE and the RIPE Executive Board

2018-08-09 Thread Ronald F. Guilmette
identities or corporate partners. That does not appear to be the case, based on the evidence. (note - minor edits applied) == From: "Ronald F. Guilmette" To: exec-bo...@ripe.net, db...@ripe.net, routing...@ripe

Re: AS205869, AS57166: Featured Hijacker of the Month, July, 2018

2018-07-24 Thread Ronald F. Guilmette
In message <20180724.090316.47077931.sth...@nethelp.no>, sth...@nethelp.no wrote: >All prefixes still visible here (Oslo, Norway), through HE. Here's your >original table augmented with the AS paths I see on our border routers: > >ASN RouteAS path

AS205869, AS57166: Featured Hijacker of the Month, July, 2018

2018-07-23 Thread Ronald F. Guilmette
Before I get into talking about this month's honorary Hijacker of the Month, I really must start by thanking everyone who pitched in and helped to insure an appropriate response and outcome for the BitCanal case, which I reported here last month. You all know who you are, and I won't explicitly

Re: AS3266: BitCanal hijack factory, courtesy of Cogent, GTT, and Level3

2018-06-25 Thread Ronald F. Guilmette
In message , Job Snijders wrote: >On Mon, 25 Jun 2018 at 22:49, Ronald F. Guilmette >wrote: >> As I always ask, retorically, in cases like this: Where are the grownups? > >You could ask the same about the IXPs that facilitate the reach and impact >of Bitcanal's BG

AS3266: BitCanal hijack factory, courtesy of Cogent, GTT, and Level3

2018-06-25 Thread Ronald F. Guilmette
Sometimes I see stuff that just makes me shake my head in disbelief. Here is a good example: https://bgp.he.net/AS3266#_prefixes I mean seriously, WTF? As should be blatantly self-evident to pretty much everyone who has ever looked at any of the Internet's innumeriable prior incidents of

Hijacks: AS12506, AS327814, AS44582, AS62135

2017-08-31 Thread Ronald F. Guilmette
The following set of interrelated networks appear to be engaged in hijacking various IPv4 address blocks at the present time: AS12506 Inspiring Networks, B.V. (Netherlands) AS44582 Inspiring Networks, B.V. (Netherlands) AS62135 Inspiring Networks, B.V. (Netherlands) AS327814 Echoband,

Re: Hijack Factories: AS203418, AS205944, and AS203040

2017-08-28 Thread Ronald F. Guilmette
Sorry to follow-up on myself, but I just now realized that I made a small omission in my earlier post. I indicated that AS205944 (MediaClick, LLC) had previously hijacked the 116.79.0.0/16 block. That is true, but it may perhaps have led some people to incorrectly conclude that AS205944 was not

Hijack Factories: AS203418, AS205944, and AS203040

2017-08-28 Thread Ronald F. Guilmette
Executive Summary: AS203418 (Marketigames, LLC), together with its one and only immediate IPv4 upstream, AS203040 (Mint Company, LLC), and its sister network, AS205944 (MediaClick, LLC) either are currently hijacking or have recently hijacked multiple abandoned /16 IPv4

AS29073, 196.16.0.0/14, Level3: Why does anyone peer with these schmucks?

2017-08-14 Thread Ronald F. Guilmette
Sorry for the re-post, but it has been brought to my attention that my inclusion, in my prior posting, of various unsavory FQDNs resolving to various IPv4 addresses on AS29073 has triggered some people's spam filters. (Can't imagine why. :-) So I am re-posting this message now, with just a link

Multicom Hijacks: Do you peer with these turkeys (AS35916)?

2017-08-03 Thread Ronald F. Guilmette
Well, it took less than a day for my last missive here to get the hijacks associated with AS202746 (Nexus Webhosting) taken down. I guess that somebody must have smacked Telia upside the head with a clue-by-four at long last. So, with that out of the way, let's see what else I can accomplish

AS202746 Hijacks: Is Telia (a) stupid, or (b) lazy, or (c) complicit?

2017-08-02 Thread Ronald F. Guilmette
The annotations in the RIPE WHOIS record for AS202746 seem pretty clear to me. This thing is B-O-G-U-S! Even RIPE, which is always reticent to say any bad things about any of its crooked customers... even after they have kicked them out of RIPE altogether, e.g. for being just too obviously

Re: IP Hijacking For Dummies

2017-06-05 Thread Ronald F. Guilmette
In message

Re: IPv4 Hijacking For Idiots

2017-06-05 Thread Ronald F. Guilmette
In message William Herrin wrote: >You actually got lost a couple steps back. > >First, you want to control the POC emails for the IP addresses. Controlling >just the POC emails for the AS number won't do you

Re: IPv4 Hijacking For Idiots

2017-06-05 Thread Ronald F. Guilmette
In message Christopher Morrow wrote: >most times i've seen isp DIA links bgp was 'free' or had been.. > >> talking about the cost of adding an upstream BGP session. > >ok. so either free or some

IP Hijacking For Dummies

2017-06-05 Thread Ronald F. Guilmette
Late last night, I put together the following simple annotated listing of the routes being announced by AS34991. Beyond the quite apparent fact that this "Bulgarian" network is announcing a bunch of routes for blocks of IPv4 space allocated to various parties within the nation of Columbia

Re: IPv4 Hijacking For Idiots

2017-06-05 Thread Ronald F. Guilmette
In message Christopher Morrow wrote: >that doesn't seem to be what's happening in ron's example though... > >it looks, to me, like the example ron has is more a case of: > 1) register contacts for

IPv4 Hijacking For Idiots

2017-06-05 Thread Ronald F. Guilmette
The more I know, the less I understand. Maybe some of you kind folks can help. Please explain for me the following scenario, and how this all actually works in practice. Let's say that you're a malevolent Bad Actor and all you want to do is to get hold of some ASN that nobody is watching too

Re: Avalanche botnet takedown

2016-12-09 Thread Ronald F. Guilmette
In message <20161201201124.982f2...@m0086238.ppops.net>, sur...@mauigateway.com wrote: >In message <20161201124527.9be45...@m0087798.ppops.net>, >sur...@mauigateway.com wrote: > >>What is your suggestion to keep the sky from falling? > >My full answer, if fully elaborated, would bore you and

Re: Avalanche botnet takedown

2016-12-01 Thread Ronald F. Guilmette
In message <20161201205647.ga8...@gsp.org>, Rich Kulawiec wrote: >2. As an aside, I've been doing a little research project for a >few years, focused on domains. I've become convinced that *at least* >99% of domains belong to abusers: spammers, phishers, typosquatters, >malware

Re: Avalanche botnet takedown

2016-12-01 Thread Ronald F. Guilmette
In message <20161201124527.9be45...@m0087798.ppops.net>, sur...@mauigateway.com wrote: >What is your suggestion to keep the sky from falling? My full answer, if fully elaborated, would bore you and everybody else to tears, so I'll try to give you an abbreviated version. It seems to be that it

Re: Avalanche botnet takedown

2016-12-01 Thread Ronald F. Guilmette
In message <20161201173426.2861.qm...@ary.lan>, "John Levine" wrote: >More info here: > >https://www.europol.europa.eu/newsroom/news/%E2%80%98avalanche%E2%80%99-network-dismantled-in-international-cyber-operation I'm always happy when even a small handful of miscreants are

Paging Olav van Doorn, Jan Willem Meijer, and Rutger Bevaart

2016-11-17 Thread Ronald F. Guilmette
If anybody can give me an email for any of these principals of Xconnect42, Inc. (Neatherlands) aka AS260, I'd appreciate it. I tried to reach somebody (anybody) at their company via the address I found online for the company but never got any response. That was a week

Re: NEVERMIND! (was: Seeking Google reverse DNS delegation

2016-11-14 Thread Ronald F. Guilmette
In message <7077df16-64ae-822d-8ce0-ba44129e2...@gmx.com>, Large Hadron Collider wrote: >> And that includes the bogus info you put into your WHOIS records too! >> Seriously, I give you credit for at least picking out a valid random >> street address, somewhere

Re: NEVERMIND! (was: Seeking Google reverse DNS delegation

2016-11-13 Thread Ronald F. Guilmette
In message <20161114004152.ga27...@panix.com>, Brett Frankenberger wrote: >On Sun, Nov 13, 2016 at 03:57:19PM -0800, Christopher Morrow wrote: >> So... actually someone did tell arin to aim these at >> ns1/2google.com... >> I'll go ask arin to 'fix the glitch'. > >For

AS37135, AS6560, AS32714, AS14029 - Squatted or not? You be the judge.

2016-11-11 Thread Ronald F. Guilmette
At least one person has now asserted to me in private email that my suggestion that AS30186 was being squatted on was in fact accurate. Thus, I now feel confident enough to provide here the rest of the story which goes along with that. In a nutshell, AS30186 and also two other ASNs, together

NEVERMIND! (was: Seeking Google reverse DNS delegation contact)

2016-11-10 Thread Ronald F. Guilmette
My profuse apologies to everyone. It seems that Google is not in fact involved in any way with providing reverse DNS for the 204.8.136.0/21 IP address block. I was deceived into believing it was by some unusual trickey on the part of the spammer-controlled name servers ns1.saversagreeable.com

Seeking Google reverse DNS delegation contact

2016-11-10 Thread Ronald F. Guilmette
Does anyone here happen to know who at Google I should be talking to if I want to ask a question about their reverse DNS services? I'd just like to ask someone there why anyone at Google thought that it would be a Good Idea for Google to provide reverse DNS services for the 204.8.136.0/21 IP

AS30186 - Squatted or not? You be the judge.

2016-11-10 Thread Ronald F. Guilmette
I kinda messed up the last time I posted something here about possible IP address block squatting, so I'm not going to make any definitive assertions regarding conclusion this time. I'm just going to lay out the facts and let all of you good folks decide for yourselves. AS30186 is registered to

Re: Here we go again.

2016-11-09 Thread Ronald F. Guilmette
In message <1624203180.33527.1478724998723.javamail.zim...@baylink.com>, "Jay R. Ashworth" wrote: >The list is not the proper forum for a debate on this topic, and I'm not >trying to start one. > >But ask yourself *now* what happens if you get these kinds of orders, so >that

Re: Spitballing IoT Security

2016-11-07 Thread Ronald F. Guilmette
In message <20161108035148.2904b5970...@rock.dv.isc.org>, Mark Andrews wrote: >* Deploying regulation in one country means that it is less likely > to be a source of bad traffic. Manufactures are lazy. With > sensible regulation in single country everyone else benefits as >

Re: Spitballing IoT Security

2016-10-29 Thread Ronald F. Guilmette
In message <20161030044342.ga18...@thyrsus.com>, "Eric S. Raymond" <e...@thyrsus.com> wrote: >Ronald F. Guilmette <r...@tristatelogic.com>: >> Two kids with a modest amount of knowledge >> and a lot of time on their hands can do

Death of WHOIS, Film at 11

2016-10-29 Thread Ronald F. Guilmette
In message <58150673.5090...@foobar.org>, Nick Hilliard wrote: >David Conrad already pointed out that this problem has been solved using >RDAP which supports referrals. Try installing the nicinfo command from: > >https://github.com/arineng/nicinfo > >At a guess, I'd say

Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-29 Thread Ronald F. Guilmette
In message <5815013f.2080...@foobar.org>, Nick Hilliard wrote: >> But my overall point remains. If there were ever to be an election where >> we were all asked who we wanted to see become the once and future Routing >> Police, the RIRs would not be my own personal first

Re: Spitballing IoT Security

2016-10-29 Thread Ronald F. Guilmette
In message <20161029180730.ga10...@thyrsus.com>, "Eric S. Raymond" wrote: >You don't build or hire a botnet on Mirai's scale with pocket change. Proof please? Sorry, but I am compelled to call B.S. on the above statement. This is a really important point that I, Krebs, and

Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-29 Thread Ronald F. Guilmette
In message <58146e84.3030...@foobar.org>, Nick Hilliard wrote: >> P.S. I may be wrong about this, but it has come to my attention that >> many, most, or all of the WHOIS records reflecting allocations made by >> the AFRINIC RIR are utterly devoid of either (a) information

Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-29 Thread Ronald F. Guilmette
In message <5814696f.3060...@foobar.org>, Nick Hilliard <n...@foobar.org> wrote: >Ronald F. Guilmette wrote: >> I always start with whatver whois.iana.org has to >> say. And it says that that 103.0.0.0/8 belongs to APNIC, so of course, >> I only looked at what

Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-28 Thread Ronald F. Guilmette
In message <5813e03e.6060...@foobar.org>, Mark Andrews wrote: >Mark Andrews wrote: >> It's not the RIR's job. They already provide the framework for >> ISP's to do the job of policing route announcements themselves. >> ISP's just need to use that framework. > >Ron thinks

Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-28 Thread Ronald F. Guilmette
In message <5813dacd.3000...@foobar.org>, Nick Hilliard <n...@foobar.org> wrote: >Ronald F. Guilmette wrote: >> Will never happen. The RiRs have been crystal clear, and also utterly >> consistant... "Not our job man! We am not the Internetz Police." &g

  1   2   >