AFRINIC IP Block Thefts -- The Saga Continues

2020-11-15 Thread Ronald F. Guilmette
South African tech journalist Jan Vermeulen has written a new chapter
in this ongoing saga of greed, theft, and skulduggery.

EXECUTIVE SUMMARY: Maikel Uerlings and Elad Cohen registered a bunch of
new domain names as part of their overall scheme to steal AFRINIC legacy
blocks by fiddling the AFRINIC WHOIS records for the contact persons for
each legacy block that they wanted to steal.  The domain names themselves
were deliberately chosen and tailored to try to minimize suspicion
relating to their numerous legacy block thefts.

https://mybroadband.co.za/news/security/367188-the-great-african-ip-address-heist-south-african-internet-resources-worth-r558-million-usurped-with-shady-domains.html

How exactly these two gentlemen managed to gain the kind of read/write
access to the AFRINIC WHOIS data base which allowed them to fiddle so
many WHOIS records for so many AFRINIC legacy IPv4 blocks is something
that AFRINIC has yet to offer any explanation for, even a full year
after these thefts came to light.


NOTE:  As of the present moment AFRINIC is *still* delegating authority
for reverse DNS for many of the stolen legacy blocks detailed in Jan's
most recent article to name servers that are owned and controlled by
Maikel Uerlings and/or Elad Cohen.  In particular, Uerlings and/or Cohen
are still in control of the reverse DNS for all of the stolen legacy
blocks listed in the table below, as well as the reverse DNS for the
very valuable 196.16.0.0/14 block, worth well over $5 million USD.

There is no reasonable excuse for this ongoing inaction by AFRINIC.  As
things stand, it appears that AFRINIC is still refusing to do even the
minimum amount necessary to stop the profiteering of Uerlings and Cohen,
EVEN THOUGH every additional dollar, every additional shekel, and every
additional ruble that they earn from these ongoing thefts is being used
to fund Cohen's ongoing lawsuit against AFRINIC.

AFRINIC has known about these legacy block thefts for well over a year
now, and yet in all this time AFRINIC has done absolutely nothing to
remediate the fraudulent entries in their WHOIS data base, or to remove
the reverse DNS delegations for the 196.16.0.0/14 block and the several
stolen blocks listed below.  Reasonable people can and should ask why.

One theory, currently circulating among people I know, is that Mr. Uerlings
and/or Mr. Cohen are in possession of some confidential information that
AFRINIC really hopes will never see the light of day, and that AFRINIC
is being blackmailed into inaction.  Whatever the reason, AFRINIC's
continuing inaction is effectively providing funding for Mr. Cohen's
ongoing lawsuit against AFRINIC.  How this makes any sense at all is
something that remains for AFRINIC to explain.


#
# ORG: (SC) ORG-AISL1-AFRINIC "AECI Information Services (Pty) Ltd"
#
168.80.0.0/15
#
# ORG: (ZA) ORG-AA79-AFRINIC "Agrihold"
#
163.198.0.0/16
#
# ORG: (ZA) ORG-ACSL2-AFRINIC "Affiliated Computing Services (Pty) Ltd"
#
160.116.0.0/16
#
# ORG: (ZA) ORG-FSED1-AFRINIC "Free State Education Department"
#
168.76.0.0/19
168.76.36.0/24
168.76.128.0/20
168.76.144.0/22
168.76.148.0/24
168.76.228.0/22
168.76.232.0/21
168.76.240.0/20
#
# ORG: (ZA) ORG-SCS1-AFRINIC "Safren Computer Services"
#
155.159.0.0/16


Friday Reminder: Web Site Security

2020-05-15 Thread Ronald F. Guilmette
This is your helpful Friday reminder to always pay close attention to
the security settings of all of the web sites under your administration.
Otherwise, anonymous skript kiddiez could show up at any moment and
deface one or more of your web sites.  (It happens a lot.)


https://ipv4.plus/


Re: Don't forget RFG (was: Re: RIPE NCC Executive Board election)

2020-05-15 Thread Ronald F. Guilmette
I want to thank Joe Greco for his kind and generous
comments.  That having been said, I'm not sure that I either should,
or even want to take credit for having kicked off *with a single message*
"a 100+-message flamefest on NANOG".  That was not my intent, and it is
quite clear that those NANOG subscribers who are interested only in
operational matters rather wish I hadn't.

I also feel compelled to state that the satisfying conclusion of the
RIPE NCC Executive Board election, as already reported here by
Terrence Koeman, most probably has relatively little to do with the
recent traffic on this list, and relatively more to do with the recent
traffic on the RIPE members-discuss list, where the candidate in
question displayed all of the same qualities of tact, diplomacy, and
generosity as he has recently displayed here.

Then again, the results of the just-completed RIPE NCC Board election
may perhaps be even more properly ascribed, primarily, to the candidate's
novel approach to campaigning which, according to numerous credible
reports, apparently included the spamming of some large fraction of
the contact email addresses contained within the RIPE WHOIS data base
with his campaign pitch, including but not limited to various abuse@
and noc@ addresses, some of which received multiple copies.  (No word
yet on whether or not the candidate has threatened to sue his own campaign
manager over his subsequently sagging poll numbers.)

Moving right along...

As some of you may have noticed, I have sat silently while being viciously
and falsely maligned here, in multiple ways, by the (now former) candidate.
In response, I'd like to just state a couple of things briefly, once, and
for the record, in order to dispel any doubts that anyone may have entertained.

Firstly, I am not now, nor have I ever been an owner, shareholder, manager,
employee, agent, affiliate, client, or customer of Spamhaus.  I have no
business connection to that organization of any kind, nor have I ever
had any such.  Nor are either they or I contemplating any such for the
foreseeable future.  Any suggestion to the contrary has no basis in fact
and is quite simply delusional.  Indeed, as anyone who has known me or
as anyone who has read what I have written over 20+ years of fighting
spam can attest, I am, if anything, a frequent critic of Spamhaus.  I
have often gone on the record to assert my belief that that organization
is too cautious and conservative when meting out what I personally feel
would be just rewards to various provably irredeemable spammers and
cybercriminals.

That having been said, the differences between myself and Spamhaus are
only ones of emphasis, not goals, and just like I do routinely with
innumerable other anti-spam and anti-cybercrime organizations, I do
maintain informal channels of communications with Spamhaus, as I also
do with a vast number of other such commercial and non-commercial
projects with similarly aligned goals.

If my many industry contacts render me a sinister and malevolent agent
of some dark and secretive international cabal, then so be it.  In that
case it would appear that I am not alone, at least judging by the broad
attendance of several hundred individuals and organizations at the last
M3AAWG meeting this past February in San Francisco.  All of us are, in
our own ways, working together to keep the wires open and usable for
normal people.  That goal is more important now, in the age of Covid-19,
than it ever has been.  I do not and will not apologize in any way for
doing this important work, along with so many many others.  Someone
must keep the lunatics from taking over the asylum and flooding it
with spam.  That was true even before Covid-19, and it is even vastly
more true now.

Second and lastly, I am neither a racist nor an antisemite.  I will not
dignify these false, baseless, and defamatory allegations any further,
and I most assuredly feel no compulsion to request any of my many Jewish
friends, nor any of my POC friends to come to my defense, especially as
I need none.

These scurrilous allegations have been presented without evidence or
factual basis, and have been supported only by tortured distortions of
my actual words, disturbing attempts to unilaterally (and conveniently)
redefine the meaning of the already well-understood and well-defined
English word "race", and by unambiguously malicious innuendo.  I see
no point in getting down and rolling around in the gutter on these points,
especially not with a man whose low regard for the truth has already been
made so abundantly clear and apparent to the subscribers of this very list.
I will have nothing more to say about this, at least not in this forum.


Regards,
rfg


RIPE NCC Executive Board election

2020-05-13 Thread Ronald F. Guilmette
Many of you here may be dues-paying members of both ARIN and RIPE.

Those of you who are may wish to be aware of the fact that there will
be an election held on (I believe) May 14th, just a day or two from
now, for three open RIPE NCC Executive Board seats.

I have it on good authority that one of the candidates running for
the open RIPE NCC board seats in this election has hired legal
counsel in South Africa, and that said legal counsel has then
proceeded to threaten various officials of the City of Cape Town,
South Africa with possible legal action if they do not relinquish
to him their rights in and title to the 165.25.0.0/16 block, a
block that all historical records, including even ARIN "WhoWas"
historical records show, clearly and unambiguously, has been
legally registered to the City of Cape Town for over twenty years.
(I am assured that at no time did the City of Cape Town ever sell,
trade, or barter away their rights to this valuable IPv4 block,
and that they are defending themselves, as best as they can, against
this attempt to extort them out of their rightful property.)

Where I come from, this kind of thing is called barratry, but you
be the judge.

In any case, prior to the RIPE election, I wanted to let you all
know these facts about the candidate in question, as well as a
number of additional startling facts relating to the people who
nominated this candidate for a RIPE NCC Executive board seat, as
documented by my friend, South African journalist Jan Vermeulen:

https://mybroadband.co.za/news/internet/350973-man-connected-to-african-ip-address-heist-running-for-board-position-at-european-ip-address-organisation.html

I could go into more detail about many of the nominators mentioned
in the above article, but I don't want to make this email too long,
so I'll await some explicit request for that additional info.  For now
it should suffice to make at least some of the basic facts more widely
available, a task which is accomplished just by sharing the above link,
IMHO.


Regards,
rfg


P.S.  I have been specifically and explicitly enjoined and constrained
from posting here anything at all that might smack of being either
partisan or of an even vaguely "political" nature, and thus, I will
refrain from doing so.  I would be remiss however if I did not at least
note in passing that history records that in times such as these, when
people of good character and good intent are, as they rightly should be,
focused on the health and safety of themselves, their loved ones, and
their professional colleagues, and when the gaze of the world is elsewhere,
persons of less than honorable intent reach for power and, with unfortunate
regularity, obtain it.

I cannot and do not ask that those of you who have been saddled with
personal or local crises during this sad time turn away from those
responsibilities to give attention to matters of Internet governance,
however urgent those may appear at the moment.  For all of us, our first-
order duty lies nearby, with family, friends, and colleagues.  But for
those of you who still have a few cycles to spare, I do ask that you
consider carefully the newfound and critical importance of this tool,
this Internet, in the lives of so many millions, all around the world,
and the self-evident risks of its governance being handed over, by default
or otherwise, to persons with an interest only in what is best for them
personally, to the exclusion of all else.

P.P.S.  I would be posting this info and the above link also to the
very relevant RIPE members-discuss mailing list, but as I am not a
dues-paying member of RIPE, I have no ability to do so.  Separately,
due in no small part to the candidate's own recent and manifest on-list
transgressions on that very list, that list has recently been switched
to a heavy-handed moderation, under which, it seems, even discussion of
the pros and cons of candidates in the upcoming RIPE NCC Executive Board
election is now categorized as "too controversial" and thus, themselves,
are now entirely off-limits.

I cannot help but be reminded of a catch-phrase that I saw somewhere,
not too long ago:

 "Democracy dies in darkness."
  -- anon


Re: Tell me about AS19111

2020-02-09 Thread Ronald F. Guilmette
Sorry to follow up on myself, but it seems that one figure I gave
here regarding the value of the IPv4 space that was gifted to
AFRINIC at its inception was off by roughly an order of magnitude.

I said that at its inception, AFRINIC had been gifted with two /8
IPv4 blocks with a current open market value in excess of $250
million USD.

Checking now, I see that the following blocks are all assigned to
ORG-AFNC1-AFRINIC, which is AFRINIC itself:

41.0.0.0/8
45.192.0.0/12
45.208.0.0/13
45.216.0.0/14
45.220.0.0/15
45.222.0.0/16
102.0.0.0/8
105.0.0.0/8
154.0.0.0/8
196.0.0.0/7

Note: This isn't even counting certain other legacy blocks that AFRINIC
also inherited, back in February of 2005, from other regions, specifically
ARIN and RIPE.

Anyway, the above blocks represent a total of 102,694,912 unique IPv4
addresses.

Assuming a current average market value of $25 USD per address, that
works out to a total value of some $2,567,372,800 USD, or in round
numbers, $2.6 billion USD.

Just wanted to correct the record.  My apologies for my earlier error.


Regards,
rfg


Monetizing IPv4 addresses / DiViNetworks

2020-02-07 Thread Ronald F. Guilmette
My apologies to all.  I previously posted here some inaccurate information,
which I must now retract and correct.

I incorrectly asserted that "DiViNetworks has received $15 million
USD worth of venture capital from the International Finance Corporation,
a commercial lender and member of the World Bank Group."


https://ifcext.ifc.org/ifcext/pressroom/IFCPressRoom.nsf/0/52F1A9E272AAFAB785257BE80051CB53

In fact, a proper reading of the press release above indicated that IFC
only invested $5 million into DiViNetworks.

Other public reports however suggest that the company has received at least
$15 million USD in venture funding.  It is not immediately clear where the
additional $10 million USD might have come from.

https://pitchbook.com/profiles/company/59066-56
https://www.bizety.com/2015/09/10/cool-startup-divinetworks/

As seen at the pitchbook.com link just above, the company may have used
the following address as a U.S. business address in some instances:
   
1680 Michigan Avenue, Suite 700
Miami Beach, FL 33139

This location appears to be associated with "virtual office" rentals:


https://www.davincivirtual.com/loc/us/florida/miami-beach-virtual-offices/facility-1149

On the company's own web site, it provides what would appear to be its one
and only business address:

https://divinetworks.com/

10153 1/2 Riverside Drive #526
Los Angeles, CA

The above address would appear to be home to a business known as "Mailbox
Toluca Lake", which may or may not be a FedEx authorized shipping center:

   https://local.fedex.com/ca/los-angeles/61623/

The above addresses in Miami and Los Angeles would appear to be inconsistent
with other easily findable online documents, including the IFC press release
linked to above, which explicitly asserts that the company is located in
Israel.  It is not immediately clear why an Israeli company would have
need of either (a) a virtual office in Miami or (b) a mail drop in Los
Angeles.

I have been unable to find any evidence of any current or historical state-
level business registration for either "Divi Networks" or "DiviNetworks" or
"Divi Group" in either Florida or California.  The operation of business
addresses in either or both states without registration may possibly be a
violation of law in those states.  It is certainly impossible for any
business to file a state-level business tax return in any state in which
that business is not registered, due to the lack of the required state
business registration number which would have to appear on the tax return
in question.

As discussed in the IFC funding press release, the company appears to
have begun life with the eminently laudable goal to "increase Internet
transmission capacities and free up congested internet connections
in 21 developing countries..."  This is certainly a commendable goal by
anyone's standards, and one fully worthy of funding from the commercial
lending arm of the World Bank.

That having been said, it is certainly within the realm of possibility
that this initial business model may perhaps not have stood the test
of time, and that providing services to developing economies may not have
produced sufficient returns to keep the enterprise viable on a long term
basis.

I have found at least some evidence to suggest that the company may, at
present, be pursuing a different business model.

In the current era, there are two ways in which any party who can beg,
borrow, or steal any large swath of IPv4 addresses can quickly and effectively
monetize those addresses.  (And these methods are not entirely exclusive
of one another.)

The traditional way of monetizing any large block of IPv4 addresses which
the lessor does not have, or plan to have, a long term interest in is
simply to sub-lease the addresses to snowshoe spammers.  Unfortunately for
those involved, if this strategy is pursued to the exclusion of any other
it renders the IP addresses in question a "wasting asset".  Their value
declines over time as they become ever more widely blacklisted and thus
ever more ineffective for spamming purposes.

An alternative monetization strategy which has become increasingly
prevalent and widespread in recent years and which does not, generally
speaking, engender this "wasting asset" problem (and which also,
conveniently, tends to attract entirely less public attention and
scrutiny) is to "dress up" the IP block(s) in question, to the extent
possible, via relevant RIR WHOIS records, in order to make them appear
to be networks containing only Internet end-user "eyeballs".  Specifically,
the term "residential" is typically used as an integral part of these
subterfuges, and a simple google search for "residential proxies" will,
at present, turn up a veritable plethora of companies offering as a
service exactly such fraudulently "dressed up" IPv4 addresses, complete
with pre-configured proxy services.  (An alternative google search that
also gives a window into this little known 

DiViNetworks

2020-02-06 Thread Ronald F. Guilmette
I mention in passing also that at the present time, DiViNetworks has
a grand total of some 6,070 unique route objects registered in the RADB
data base.

Where I come from, that's a lot of routes.

   https://pastebin.com/raw/YeFBd1qZ

I would be generally unconcerned if not for the fact that two of these
route objects (for 155.235.0.0/16 and 169.129.0.0/16) exactly cover
two AFRINIC legacy blocks that I feel I have proven to have been stolen
from AFRINIC legacy blocks holders, with the apparent collusion and
connivance of one particular gentleman who, coincidentally, I'm sure,
like DiViNetworks, also just happens to have offices in the greater
Tel Aviv metropolitan area.


Regards,
rfg


P.S.  Online reports suggest that DiViNetworks has received $15 million
USD worth of venture capital from the International Finance Corporation,
a commercial lender and member of the World Bank Group.


https://ifcext.ifc.org/ifcext/pressroom/IFCPressRoom.nsf/0/52F1A9E272AAFAB785257BE80051CB53

https://en.wikipedia.org/wiki/International_Finance_Corporation


Re: DiviNetworks

2020-02-06 Thread Ronald F. Guilmette
Regarding DiviNetworks...

I am not personally persuaded that an Israeli company that inserted
a route object into the RADB data base to act as a cover for the
company's apparent theft of a nice juicy /16 AFRINIC region legacy
block that actually belongs to, and belonged to a South African
state owned oil company (Sasol) is actually worthy of the Internet
equivalent of the Good Housekeeping[tm] seal of approval.


route:  169.129.0.0/16
descr:  This is a DiViNetworks customer route-object which is being 
exported under this origin AS12491 (origin AS). This route object was created 
because no existing route object with the same origin was found. Please contact 
supp...@divinetworks.com if you have any questions regarding this object.
origin: AS12491
mnt-by: MAINT-AS57731
changed:e...@divinetworks.com 20161021  #19:55:26Z
source: RADB


Regards,
rfg


P.S.  My past research into the company formerly known as Netstyle Atarim
Ltd.  turned up the following interesting link, which may or may not be
relevant:

https://il.linkedin.com/in/erez-cohen-83402813

P.P.S.  Sasol has taken steps, in recent months to assert and reclaim
complete control over both of their two /16 AFRINIC region legacy blocks.
I have had multiple late night (my time) conversations with officials
there, right up to the Vice President level, regarding the unfortunate
circumstances that led to parties other than Sasol routing one or both
of their valuable AFRINIC legacy /16 blocks.

At last check, Sasol officials were still considering whether or not to file
formal police reports in South Africa regarding this matter.

P.P.P.S.  The above quoted fraudulent route object is still present in
the RADB data base as we speak.

It is by no means alone.


Re: Tell me about AS19111

2020-02-06 Thread Ronald F. Guilmette
In message <24124.30737.599536.809...@gargle.gargle.howl>,
Sandra Murphy wrote:

>It could measure the extent of the problem and would be within what I
>suggested.
>
>For example if there were only one AS being abused that would make it
>a different priority than 1,000 or 10,000 (some seem to be implying a
>number like that) being abused.
>
>Do we have that number?

I suggested that nobody has that number, to any degree of accuracy,
as of today.

Once again, this is something that I would be happy to be proven
wrong about.


Regards,
rfg


Re: Tell me about AS19111

2020-02-06 Thread Ronald F. Guilmette
In message <24124.27418.388460.814...@gargle.gargle.howl>,
Barry Shein wrote:

>Given events including the IPv4 runout etc perhaps it's long overdue
>that the RIRs should hire a professional big-name (we used to call
>them Big 5) accounting firm to audit or at least review IP address,
>ASN, etc. allocation.
>
>I am not talking about money, I am talking about resource allocation.
>
>That would be a step towards accountability.
>...

Not sure how to break this to you, but the concept you appear to
be talking about, i.e. employing an actual accounting firm to,
you know, account for valuable IPv4 assets as, you know, valuable
assets would, as far as I have been able to determine, represent
a truly novel innovation in the world of Regional Internet
Registries.

During my investigation of the goings on down in AFRINIC, I had
occasion to look at the company's audited financial statement for
fiscal year 2015.  This is a company that was effectively gifted
with two /8 blocks, with current market value, as I calculated it
on the back of a napkin, of over $250 million USD.  In the one
specific document that I looked at, which I believe was prepared
by PriceWaterhouseCoopers (PwC) I saw no hint whatsoever of any
part or portion of these assets being accounted for in any way.
It was as if they didn't exist.

I was all set to be freshly outraged at AFRINIC about this until
I realized that it isn't just them.

As far as I am aware at this moment, *no* RIR had ever had its
accountants or auditors account for valuable IPv4 assets as assets.

If I am wrong, which is quite possible, I would be happy to be
proven so.


Regards,
rfg


Re: Tell me about AS19111

2020-02-06 Thread Ronald F. Guilmette
In message , Shane Ronan wrote:

>It's not clear to me that HE having reserved AS numbers in THEIR routing
>table is actually a problem. These AS numbers are actually reserved for
>private use. Perhaps they have a customer who wants to do BGP but doesn't
>want to register their own AS number and is single-homed to HE. In this
>case, HE can assign them a reserved AS number to use for the session and as
>long as HE strips that AS number when it leaves THEIR network, things are
>working as intended.

It is not in the least bit clear that such stripping is in fact occurring,
and if anything the available evidence seems to suggest that it may not be.

The key point is accountability.  In the case of bogon ASNs, no one is
responsible, and an aggrieved or offended party cannot easily find out
even who to discuss the matter with if they are being hacked, attacked,
or spammed from a range of IPs being routed by a bogon ASN.


Regards,
rfg


P.S.  It does not seem to be the case that HE internal sensors
are the only ones seeing some of these routes.  Here is what RIPEstat
is telling me right now about routes being announced by AS65000, just
to name one bogon ASN out of many:




Re: Tell me about AS19111

2020-02-05 Thread Ronald F. Guilmette
For all of the people who have elected to pick on me for my less
than diplomatic assertion(s), I can only suggest that your time and
effort would be more well spent by looking at the hard data that
I suggested that everyone look at, and then looking to see if any of
the bogus ASNs being used, day in and day out, are being peered
with by your own upstreams, and if so, composing an appropriately
diplomatic email to said upstreams, asking them why they are peering
with bogon ASN(s).

I do not feel that it is a stretch to say that all of this use of
bogon ASNs is arguably even more shameful than the widespread lack
of adherence to BCP 38, owing to the ease with which it may be seen
and documented.  It represents yet another, and equally or perhaps
even more egregious violation of Internet norms which endangers us
all, and all of our customers, every bit as much as the widespread
and inexcusable failures to conform to BCP 38.

The Internet needs to grow up.  This isn't a little government funded
science experiment anymore.  We have a whole planet's full of end users
watching now, and history will not be kind to those who continue to
shirk their responsibilities to the common man in the interests of
lining their own pockets in the short term.


Regards,
rfg


Re: Tell me about AS19111

2020-02-05 Thread Ronald F. Guilmette
In message <20200206013024.4b0b213c2...@ary.qy>, 
"John Levine"  wrote:

>1800vitamins.org has a web site at 12.180.219.234 which looks like
>they would sell me vitamins should I or my dog need any.
>
>Routeviews tells me that IP is in AS19111, routed via AS7018.  AS7018
>is AT&T which isn't surprising for a 12/8 address, but ARIN says
>AS19111 doesn't exist.  Huh?

John you have no idea how many folks are using how many bogon ASNs
as we speak.  Nobody does.  Even the guy who is doing weekly routing
table reports isn't listing them all, I think, even after I talked
to him and convinced him to list more things as bogon announcements
than he formerly was listing.  (I think his bogon lists are still not
nearly complete, e.g. if one takes into account bogon ASN announcements.)

Go to bgp.he.net and type in any number from 65000 upwards and look at
all of the effing route announcements!  These are all invalid/reserved
AS numbers which *nobody* should be announcing routes for, at least not
into the global routing table.  And yet the Internet is absolutely awash
in this garbage.

Try to think of a word that is the absolute antonym of "hygiene" and
that's the global routing table.

This stuff would be funny if only it wasn't so sick and pathetic.

Even if we forget about all of the morons who are -using- these invalid
ASNs for actually routing bits to their IPs, you have to ask yourself:
Who are all of the morons who are -peering- with these invalid ASNs?

Regards,
rfg


P.S.  Remember, out of all of the networking engineers in the entire world,
by definition, half of them are of below average intelligence.
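A defender-side check in the spirit of the two posts above (look at what your upstreams carry and flag any reserved or private ASN in it), added here as an example and not code from the original posts or from bgp.he.net or RIPEstat. It assumes a plain "prefix AS_PATH" text export from a looking glass or route collector; the sample table and its ASNs are constructed, and an assignable-but-unallocated ASN such as AS19111 is deliberately out of scope, since catching that requires RIR delegation data rather than the IANA reserved ranges used here.

```python
import re
from collections import Counter

# Inclusive ASN ranges that must never appear in the global routing table,
# taken from the IANA "Autonomous System (AS) Numbers" registry.
BOGON_ASN_RANGES = (
    (0, 0, "reserved (RFC 7607)"),
    (23456, 23456, "AS_TRANS (RFC 6793)"),
    (64496, 64511, "documentation (RFC 5398)"),
    (64512, 65534, "private use (RFC 6996)"),
    (65535, 65535, "reserved (RFC 7300)"),
    (65536, 65551, "documentation (RFC 5398)"),
    (65552, 131071, "reserved by IANA"),
    (4200000000, 4294967294, "private use (RFC 6996)"),
    (4294967295, 4294967295, "reserved (RFC 7300)"),
)


def bogon_reason(asn):
    """Return why an ASN is a bogon, or None if it is a normal, assignable ASN.

    This does NOT catch ASNs that are assignable but simply unallocated
    (the AS19111 case in the thread); that needs RIR delegation data.
    """
    for low, high, reason in BOGON_ASN_RANGES:
        if low <= asn <= high:
            return reason
    return None


def parse_as_path(text):
    """Turn an AS_PATH string such as '3356 174 {65000 65001}' into ints.

    AS_SET braces are flattened; prepends are kept, so the origin is the
    last element.
    """
    return [int(tok) for tok in re.findall(r"\d+", text)]


def audit_routes(lines):
    """Scan 'prefix AS_PATH' lines; return (prefix, asn, role, reason) findings.

    role is 'origin' when the bogon ASN originates the prefix, and 'path'
    when a private/reserved ASN survived in the middle of the path, i.e. an
    upstream exported the route without stripping it.
    """
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        prefix, path_text = line.split(None, 1)
        path = parse_as_path(path_text)
        origin = path[-1]
        seen = set()  # report each bogon ASN once per prefix (prepends)
        for asn in path:
            reason = bogon_reason(asn)
            if reason is None or asn in seen:
                continue
            seen.add(asn)
            role = "origin" if asn == origin else "path"
            findings.append((prefix, asn, role, reason))
    return findings


def prefixes_per_bogon_asn(findings):
    """Count how many prefixes each bogon ASN touches in the scanned table."""
    return Counter(asn for _, asn, _, _ in findings)


# Constructed sample table (not real RIPEstat or bgp.he.net output):
# one prefix per line followed by the AS_PATH as seen from a vantage point.
SAMPLE_TABLE = """\
# prefix          AS_PATH
192.0.2.0/24      3356 7018 19111
198.51.100.0/24   3356 65000
203.0.113.0/24    174 6939 65001 65001 64512
2001:db8::/32     3356 174 4200000001
"""

if __name__ == "__main__":
    found = audit_routes(SAMPLE_TABLE.splitlines())
    for prefix, asn, role, reason in found:
        print(f"{prefix:<18} AS{asn:<11} {role:<7} {reason}")
    print(dict(prefixes_per_bogon_asn(found)))
```

The first sample route passes because AS19111 is unallocated rather than reserved; the third shows a leaked private ASN in transit as well as a private origin.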


Re: AFRINIC: The Saga Continues

2020-01-30 Thread Ronald F. Guilmette
In message , 
Dan Hollis  wrote:

>What can or should be done when a registry goes rogue?

Answering that question is a task which is above my pay grade.  I would
be remiss however if I did not take this opportunity to make a few brief
and relevant points.

*)  There are other and additional shoes yet to drop with respect to
AFRINIC.  I am not free to go into more details regarding that assertion
at this time.

*)  It is implausible on the face of it that only one AFRINIC insider was
stealing all of this stuff and spiriting it all out the backdoor at midnight
while all other AFRINIC employees, management, and board were entirely
clueless and totally in the dark about the fact that any of this was going
on, right under their own roof and right under their noses.  And I have
some not-entirely-speculative reasons to believe that others were involved.

*)  Throughout my investigation, AFRINIC officials and board members have,
almost without exception, avoided answering many simple and relevant
questions regarding this and other matters, even when the questions quite
obviously do not have any relevance whatsoever to AFRINIC's contractual
confidentiality commitments to its member organizations.  If you ask
AFRINIC what time of day it is, they will tell you that that is covered
under an NDA, and that thus, they can't tell you.

It really is almost that bad, and there appears to me to be a pervasive
culture of secrecy within the organization which effectively thwarts
reasonable inquiry and any and all outside accountability.  This appeared
to me to be the case even well before AFRINIC became fully aware of
the activities of their rogue employee, and now, the existence of what
is supposedly a serious police inquiry by the crack Mauritian police
investigators is being used as a basis for AFRINIC to answer even fewer
questions than before, since the whole matter is now said to be "under 
police investigation".

(It is left as an exercise for the reader to deduce whether or not the
high-tech crimes investigative unit of the Mauritian national police is
at all likely to obtain or expose more answers in this case than I and
journalist Jan Vermeulen already have done.  In estimating the odds of
that, it may be of value to keep in mind that the entire nation of
Mauritius, known primarily for sunny beaches and tax avoidance schemes,
has a total population of slightly less than the city of Dallas, Texas.)

*) Ever since the publication of Jan Vermeulen's first article on this
matter on September 1, 2019, it has been alleged that AFRINIC has been
conducting its own internal investigation.  More recently Jan has learned
that AFRINIC's internal investigation may have actually started much
earlier, in April of 2019.  In all this time, neither anyone from AFRINIC
nor anyone from the Mauritian national police have made any effort to ask
either Jan or myself what, if anything, we know about these matters that
has not yet appeared in print.  If they had asked, as part of their
"internal investigation", we could have told them some things. They never
asked.

*)  Entirely separate from the matter of the looting of IPv4 resources
from AFRINIC, it was announced some time ago that AFRINIC's auditor of
many years, PriceWaterhouseCoopers (PwC), has effectively fired its client,
AFRINIC, for reasons that have yet to be revealed, either to the AFRINIC
membership or to the public at large.  This is the same accounting firm
that has been named in numerous recent press reports as having possibly
played some role in the large scale looting of the state coffers of the
southern African country of Angola:

https://www.nytimes.com/2020/01/19/world/africa/isabel-dos-santos-angola.html

https://www.theguardian.com/world/2020/jan/23/pwc-growing-scrutiny-isabel-dos-santos-scandal-luanda-leaks-angola

https://www.icij.org/investigations/luanda-leaks/pwc-head-shocked-and-disappointed-by-luanda-leak-revelations/

This raises the almost unavoidable question:  How bad must AFRINIC's books
be in order to cause even the likes of PriceWaterhouseCoopers to walk away
from their client, AFRINIC, after so many years?  And what is it in those
books that AFRINIC and its board would prefer everyone not know about?

*)  At the present time, and reportedly even well before Jan Vermeulen's
September 1st article which suggested, unambiguously, that there was
something rotten going on within AFRINIC, AFRINIC has been allegedly
endeavoring to investigate itself.  The problems with that are, I believe,
self-evident to any unbiased observer.

I personally have no faith that the full truth or the full facts relating
either to the IPv4 pilfering or to the other and unrelated accounting
issues, whatever they may be, are at all likely to emerge from AFRINIC's
investigation of itself.  Furthermore, I believe that this is itself
considered by the AFRINIC board to be a feature rather than a bug.

If anyone were seriously motivated to get to the full truth of these matters
then the 

AFRINIC: The Saga Continues

2020-01-29 Thread Ronald F. Guilmette
My apologies to all.  Certain of the blocks mentioned in my prior
posting here have already been reclaimed, and are currently being
routed by appropriate parties.  In particular, these ones:

152.108.0.0/16
155.237.0.0/16
165.4.0.0/16
165.5.0.0/16

Also, I somehow managed to miss mentioning a few blocks that were also
quite clearly stolen as part of this extensive and elaborate scheme,
specifically these ones:

160.116.0.0/16
163.198.0.0/16
164.88.0.0/16
196.15.96.0/18

A full list of all of the stolen AFRINIC blocks that are still of
ongoing concern at the present moment, taking into account the above
adjustments, is available here:

https://pastebin.com/raw/71zNNriB

Note that many of the blocks listed at the link above have already
been "reclaimed" as far as the AFRINIC WHOIS records are concerned.
But because routing remains almost entirely decoupled from RIR WHOIS
data bases, much of this "reclaimed" space is still being routed as
I write this.  The only difference is that now the space is being
routed as bogons, rather than as "legitimately" allocated space.

A summary of all of the current routing for all of the stolen AFRINIC
IPv4 address space that is still of concern, including routing for
recently reclaimed address space that AFRINIC will eventually be
returning to its free pool is provided below.  This list is sorted
by the number of constituent stolen /24 blocks being routed by each
listed network, thus showing the most major offenders at the top.
A few footnotes concerning specific ASNs in this list follow below
the listing.

I urge everyone on this mailing list to share this data as widely as
possible in and among the global networking community.  In all cases
noted below, the networks in question are unambiguously routing IP
blocks that were obtained, in the first instance, via thefts perpetrated
by one or more AFRINIC insiders and then resold on the black market
in secretive deals.  In many and perhaps most cases listed below, the
relevant networks appear to have been more than happy to accept some
cash in exchange for their services, while not looking all that
carefully at the purported (but fraudulent) "LOA" documents they were
handed.  (Repeated use of blatantly fraudulent documents has been one
of the consistent features of this entire ongoing criminal enterprise.)

All routing data is derived from current data published by RIPEstat.

==
  /24s  ASN     CC  Network
  3719  0       ??  UNROUTED IP SPACE
   629  132165  PK  Connect Communication
   512  18013   HK  Asline Limited
   504  19969   US  Joe's Datacenter, LLC
   500  62355   CO  Network Dedicated SAS
   423  202425  SC  IP Volume inc
   286  58895   PK  Ebone Network (PVT.) Limited
   250  136525  PK  Wancom (Pvt) Ltd.
   192  18530   US  Isomedia, Inc.
   186  9009    GB  M247 Ltd
   134  262287  BR  Maxihost LTDA
   132  204655  NL  Novogara LTD
    79  132116  IN  Ani Network Pvt Ltd
    75  136384  PK  Optix Pakistan (Pvt.) Limited
    68  132422  HK  Hong Kong Business Telecom Limited
    60  137443  HK  Anchnet Asia Limited
    48  63956   AU  Colocation Australia Pty Ltd
    26  132335  IN  LeapSwitch Networks Pvt Ltd
    21  131284  AF  Etisalat Afghan
    20  139043  PK  WellNetworks (Private) Limited
    19  43092   JP  OSOA Corporation., LTD
    17  36351   US  SoftLayer Technologies Inc.
    16  56611   NL  REBA Communications BV
    16  199267  IL  Netstyle A. Ltd
    16  23679   ID  Media Antar Nusa PT.
    14  137085  IN  Nixi
    10  63018   US  Dedicated.com
     9  136782  JP  Pingtan Hotline Co., Limited
     8  45671   AU  Servers Australia Pty. Ltd
     8  57717   NL  FiberXpress BV
     7  49335   RU  LLC "Server v arendy"
     7  134451  SG  NewMedia Express Pte Ltd
     6  49367   IT  Seflow S.N.C. Di Marco Brame' & C.
     6  26754   ??  {{unknown organization}}
     5  198504  AE  Star Satellite Communications Company - PJSC
     5  198381  AE  Star Satellite Communications Company - PJSC
     4  38001   SG  NewMedia Express Pte Ltd
     4  263812  AR  TL Group SRL ( IPXON Networks )
     4  30827   GB  Extraordinary Managed Services Ltd
     4  42831   GB  UK Dedicated Servers Limited
     4  37200   NG  SimbaNET Nigeria Limited
     4  133495  PK  Vision telecom Private limited
     4  198394  AE  Star Satellite Communications Company - PJSC
     2  44066   DE  First Colo GmbH
     2  198247  AE  Star Satellite Communications Company - PJSC
     2  133933  PK  NetSat Private Limited
     2  328096  UG  truIT Uganda Limited
     2  38713   PK  Satcomm (Pvt.) Ltd.
     2  31122   IE  Digiweb ltd
     2  46562   US  Total Server Solutions L.L.C.
     2  13737   US  Riverfront Internet Systems LLC
     2  11990   US  Unlimited Net, LLC
     2  20860   GB  Iomart Cloud Services Limited
     2  45382   KR  Ehostict
     2  17216   US  Dc74 Llc
     2  16637   ZA  Mtn Sa
     2  53999   CA  Priority Colo Inc
     1  23470   US  ReliableSite.Net LLC
     1  35074

The curious case of 159.174.0.0/16

2020-01-29 Thread Ronald F. Guilmette
[[ Fair warning to newcomers:  I write and post longish pieces here
   regarding my various investigations of funny business I find going
   on within the IPv4 address space and the allocations and uses thereof.
   If you're looking for a quick 2 minute read then you are advised to
   skip this message now. ]]

I confess that I have been meaning to write about the 159.174.0.0/16
legacy IPv4 block for quite some time now.  What can I say?  I was busy.


The Present State of 159.174.0.0/16
---

I discovered quite some long time ago that this block was getting routing
from a rather unusual place, and that the ASN in question was also
announcing a few other nice juicy /16 legacy blocks, which by itself
was more than a little suspicious.  But that's not important now.  Please
allow me to just talk about who is routing this block at present, and
who the alleged legitimate registrants are, going by ARIN's relevant
current WHOIS record for this block:

https://pastebin.com/raw/FBWMN9p3

As you can see, this block is registered to an entity located in Wilton,
Connecticut.  The block appears to have been originally assigned on
1992-05-11, well before the formation of ARIN.  It is thus an unusually
valuable "legacy" block.

The first indication that something might be a bit off about this block
is the contact phone number, +1-407-476-9854.  In this modern era of
number portability the area code portion of that may or may not have
any real-world geographical implications at all, but it turns out to
be notable, in this case, that area code 407 corresponds, historically,
to the greater Orlando, Florida area and surrounding Florida counties.

A quick bit of research reveals that there is in fact an entity calling
itself Dunsnet, LLC and that it is located in Winter Park, Florida,
a northern suburb of Orlando:


http://search.sunbiz.org/Inquiry/CorporationSearch/SearchResultDetail?inquirytype=EntityName=Initial=DUNSNET%20L120001007590=flal-l12000100759-15618501-6ea8-4b18-898e-6470337507d1=dunsnet=DUNSNET%20L120001007590

Further research on the Florida Secretary of State's web site confirms that
this entity does exist, that it is "active", and that it has one and only
one manager, that being another corporate entity called Ahosting, Inc.:


http://search.sunbiz.org/Inquiry/CorporationSearch/SearchResultDetail?inquirytype=EntityName=Initial=AHOSTING%20P070001262120=domp-p07000126212-a6386b50-075c-4b07-b36e-ff5a3ba1b33c=ahosting=AHOSTING%20P070001262120

As you can see via the above link, Ahosting, Inc. has only two corporate
directors, i.e.  a Mr. Erkan Ozdogan and a Mr. Adnan Canturk, both
apparently residents of Istanbul, Turkey.

At the present time, 100% of the 159.174.0.0/16 legacy block is being routed
by AS54163, aka Ahosting, Inc.:

https://bgp.he.net/AS54163#_prefixes

The question is: Is this proper?


A Brief History of 159.174.0.0/16
-

When the 159.174.0.0/16 block was first allocated and registered, way back
on 1992-05-11 it was assigned at that time to a unit of the famous Dun &
Bradstreet financial information company for use in connection with one
of the company's early forays into the world of the Internet:

Fortune Magazine, August 19, 1985:

https://archive.fortune.com/magazines/fortune/fortune_archive/1985/08/19/66327/index.htm

"Dun & Bradstreet also operates DunsNet, a $20- million private
telecommunications network completed in March, which connects
customers in 155 cities directly to the company's mainframes."

On June 8th, 1994, Dun & Bradstreet's "Dunsnet" operation announced that
it had elected to partner with a European company named Eunetcom SA, which
was itself a partnership between Deutsche Bundespost Telekom and France
Telecom:

https://www.cbronline.com/news/eunetcom_wins_dunsnet_pact/

In August, 1994, Eunetcom apparently elected to buy out its customer,
Dunsnet:

"The Information Superhighway" (Randall L. Carlson - 1996)
https://bit.ly/2O7kV48

"Eunetcom is actively pursuing customers and entry into the North
American market.  Its first customer was worth $200 million over
five years and was {subsequently} acquired by purchasing the
networking services of Dun & Bradstreet's DunsNet.  DunsNet
provides data communications services for the Dun & Bradstreet
companies, a role that Eunetcom now assumes."


https://www.postjobfree.com/resume/pumacu/unix-administrator-technical-analyst-reg-shelton

"In August 1994, DunsNet was acquired by eunetcom, a joint venture
between Deutsche Telekom and France Telecom."

As we all know, unlike the situation today, IPv4 blocks in the 1990s had
essentially no monetary value.  And thus the 159.174.0.0/16 block became
forgotten and abandoned by its rightful owners, which is to say Deutsche
Telekom and France Telecom.

Fast forward some 16 years to June 29, 2011, on which 

Re: AFRINIC: The Saga Continues

2020-01-28 Thread Ronald F. Guilmette
In message , 
thomas brenac  wrote:

>Thank you Ronald, I also heard of governance issue in AFRINIC by some 
>people during the last RIPE meeting so the word is spreading. Now is 
>there any other /16 impacted to your knowledge ? Would be worth pushing 
>to have them in as many Drop list as possible maybe :)

As reported in Jan Vermeulen's article on the web site mybroadband.co.za
published December 4, there has been, and continues to be a large number
of blocks, both "legacy" blocks and other blocks, that were stolen from
the Afrinic free pool.  These blocks are of varying sizes, generally /16
blocks but also some larger ones as well as a few smaller ones.

The list of affected legacy blocks from Jan's article are as follows:

196.10.64.0/19
196.10.61.0/24
196.10.62.0/23
160.121.0.0/16
155.235.0.0/16
152.108.0.0/16
155.237.0.0/16
169.129.0.0/16
165.25.0.0/16
160.122.0.0/16
168.80.0.0/15
165.3.0.0/16
165.4.0.0/16
165.5.0.0/16
160.115.0.0/16

In addition to all of the above, I have some reason to believe that the
following additional legacy block WAS (past tense) stolen, but has now
been reclaimed by, and reassigned to its rightful modern owner:

152.108.0.0/16

It is highly probable that there are other and additional legacy blocks
that have also been stolen.  I have been prevented from fully completing
my research work on this part of the problem by ongoing stonewalling by
Afrinic.  Specifically, despite Afrinic having a defined protocol whereby
legitimate researchers may request confidential access to the unredacted
Afrinic WHOIS data base for legitimate research purposes... a protocol
and a process which is fully supported and operational at all of the other
four global RIRs... Afrinic has, for reasons unknown, elected to only
provide redacted versions of its WHOIS data base which are identical
to what may be obtained at any time, and without any special protocol,
directly from Afrinic's FTP server (via anonymous FTP).  Because the
accurate identification of stolen Afrinic legacy blocks involves the
careful analysis of the *unredacted* contact person: records, access to
only the redacted data base is of no value whatsoever in the task of
identifying stolen Afrinic legacy blocks.

Here is the page on the Afrinic web site where they needlessly torment
legitimate researchers into believing that they will be able to get the
same kind of unredacted WHOIS data base access as is provided, upon
vetting and approval, by all of the other RIRs:

https://www.afrinic.net/services/207-bulk-whois-access

The list of blocks that appear to have been stolen from the Afrinic free
pool, as published in Jan's Dec 4 article are as follows:

"Infoplan"/"Network and Information Technology Limited":
196.16.0.0/14
196.4.36.0/22
196.4.40.0/22
196.4.44.0/23

"Cape of Good Hope Bank"/"CGHB":
165.52.0.0/14
137.171.0.0/16
160.184.0.0/16
168.211.0.0/16
192.96.146.0/24  -- NOTE!!  -- 100% legitimate legacy allocation!

The following additional blocks had also been stolen from the Afrinic free
pool.  I had informed Jan about these blocks also, but for some reason
these were not mentioned in Jan's Dec 4th article.  (I assume that this
was simply a clerical oversight on Jan's part.  I had given him quite
a lot of material to sort through.)

"ITC":
196.194.0.0/15
196.246.0.0/16
196.45.112.0/20
196.42.128.0/17
196.193.0.0/16

"Link Data Group":
160.255.0.0/16
196.62.0.0/16
198.54.232.0/24
196.207.64.0/18
196.192.192.0/18
160.181.0.0/16
213.247.0.0/19

As of this moment, Afrinic has properly reclaimed all of the "ITC" and
"Link Data Group" and "Cape of Good Hope Bank"/"CGHB" blocks.  Those
blocks are now officially unregistered.  I am informed and believe that
it is Afrinic's intent to place all of these blocks into a "quarantine"
status for a minimum of 1 year, which I think is entirely proper and
prudent, under the circumstances.

I have no explanation for why Afrinic has not yet reclaimed any of the
"Infoplan"/"Network and Information Technology Limited" blocks, especially
the 196.16.0.0/14 block.  This is for me deeply troubling, as I have some
reason to believe that these blocks were stolen by a party or parties,
who were also Afrinic insiders, but people other than the one "insider"
perpetrator of these crimes who has already been identified by myself and
Jan, and who is now the subject of a police investigation in Mauritius.

I am not personally aware of any action that Afrinic has taken to try to
remediate the situation with regards to the stolen legacy blocks, as
listed above.  These blocks all quite provably had their associated
person: contact records fiddled in the WHOIS data base in a manner so
as to redirect both emails and phone calls to either the perpetrators
or those others to whom the perpetrators had re-sold these stolen goods.

In fact, I am not even sure that Afrinic even has the capability to undo
the damage in the case of these legacy blocks and their fiddled contact
person: records.  Quite obviously, proper 

AFRINIC: The Saga Continues

2020-01-27 Thread Ronald F. Guilmette
For the benefit of those of you who may have been living in caves
for the past two months, I would like to share the following links
regarding a massive fraud that appears to have been perpetrated by
at least one AFRINIC insider.  (It has still not been definitively
determined if he had help or not.)

https://mybroadband.co.za/news/internet/330379-how-internet-resources-worth-r800-million-were-stolen-and-sold-on-the-black-market.html

https://krebsonsecurity.com/2019/12/the-great-50m-african-ip-address-heist/

https://www.theregister.co.uk/2019/12/17/another_afrinic_scandal/

https://mybroadband.co.za/news/security/335226-here-are-the-police-charges-filed-in-the-great-african-ip-address-heist.html

I hate to say that I told you so, but I told you so.  I reported right
here on the NANOG list, in both 2016 and 2017, that there was quite a
lot of funny business going on down in Africa.  Nobody listened and
there was no meaningful investigation whatsoever by anybody until I
took it upon myself, starting in July of last year, to finally get to
the bottom of this colossal mess.

Here are links to my old public posts relating to this:

November, 2016:
https://mailman.nanog.org/pipermail/nanog/2016-November/089164.html
https://mailman.nanog.org/pipermail/nanog/2016-November/089232.html
https://lists.afrinic.net/pipermail/rpd/2016/006129.html

August, 2017:
https://mailman.nanog.org/pipermail/nanog/2017-August/091821.html
https://mailman.nanog.org/pipermail/nanog/2017-August/091954.html
https://mailman.nanog.org/pipermail/nanog/2017-August/092092.html

AFRINIC supposedly began an investigation of these matters as early
as last April (2019), but here's the funny thing:  Not a single person
from AFRINIC, or from any other part of what passes for "Internet
governance" ever contacted me or asked a single question of me about
any of this.  I can only infer from this that nobody involved in
this so-called investigation had any real or burning interest in
gathering all of the relevant facts.

In light of the facts that have now come out in the press, AFRINIC is
still, allegedly, "investigating" and now, even nearly two months
after the story broke in the press, AFRINIC has still not even reclaimed
100% of the valuable IPv4 space that was provably stolen from their
own free pool.  (Various online criminal enterprises are continuing
to use that IPv4 space as we speak.)  Worse yet, AFRINIC has done
nothing whatsoever to address the problem of the large number of
AFRINIC legacy /16 blocks that got stolen via some clever internal
manipulation of AFRINIC's own WHOIS record.  Those manipulations, and
the benefits from them have flowed to various parties who are now all
too well known, including one who previously made a brief guest appearance
right here on this mailing list.

In fact, that party has just recently found a brand new helpful and
compliant small-time hosting provider in India to route for him the
stolen 165.25.0.0/16 block, which is and has been "liberated" from
its rightful owners, i.e. the City of Cape Town, South Africa.

https://bgp.he.net/AS393960#_prefixes
https://bgp.he.net/net/165.25.8.0/22#_whois

Note that whereas AS393960 claims to be located in my own state of
California, it is not incorporated here.  It -is- incorporated in the
state of Wyoming, but the owner and CEO, by his own admission, is
actually located in Pune, India:

https://in.linkedin.com/in/kushalraha

(That small detail did not, of course, prevent ARIN, in its infinite
wisdom, from giving the proprietor of this place his own AS, two
IPv4 /22 blocks and one IPv4 /24 block, all apparently on the basis of
his tissue-thin Wyoming shell company.  But I digress.)

Anyway, I just wanted you all to be aware of all of these fun facts.

Like I always say, just another day in paradise.


Regards,
rfg


Re: Colombia Network Operators Group

2019-09-23 Thread Ronald F. Guilmette
In message <6f2876a6abe02547ba85adb58bd21...@mail.dessus.com>, 
"Keith Medcalf"  wrote:

>Fascinating.  What is the security threat I wonder, that there is no
>JavaScript?

Undoubtedly drug smuggling over HTTP.


Re: Elad Cohen (was: Re: Cogent sales reps who actually respond)

2019-09-19 Thread Ronald F. Guilmette
In message <20190919084649.gc30...@jima.tpb.net>, 
niels=na...@bakker.net wrote:

>* r...@tristatelogic.com (Ronald F. Guilmette) [Thu 19 Sep 2019, 10:05 CEST]:
>>I never like to generalize to entire populations, and I will 
>>therefore refrain from suggesting any endemic or widespread defect 
>>in the Dutch national psyche, but I cannot help but note that, as 
>>pointed out in the MyBroadband.co.za news report, a gentleman named 
>>Maikel Uerlings, who is also Dutch, and who presently appears to be 
>>notably absent from the Netherlands, perhaps due to certain 
>>less-than-friendly legal entanglements, is also, it appears, 
>>intimately connected to Mr. Cohen and to his business, such as it 
>>is.  It would be entirely improper for me to say or even to suggest 
>>that the Dutch are any more inclined toward cybercrime, or toward 
>>looking the other way while it takes place, than anyone else.  I 
>>will instead only paraphrase William Shakespeare and say that there 
>>is something rotten in the Netherlands, and that whatever it is, it 
>>ain't doing their national reputation any good at all.
>
>Couching your racism in some faux plausible deniability by using 
>phrases such as "It would be entirely improper of me to" or "I will 
>refrain from [making a certain racist suggestion]" and then immediately 
>making that racist suggestion, doesn't make your remarks not racist.  
>Nor can you hide behind the classics.
>
>Racism has no place in this community and you would do well to refrain 
>from posting any more such remarks.

Leaving aside the minor quibble that "Dutch" is not, as far as I am aware,
a "race" per se, I do apologize for having improperly and quite wrongly
generalized the apparent confluence of certain events and actions to
the Dutch people generally.  That was entirely incorrect and improper on
my part and I do sincerely apologize.

Looking back now at one of my own posts here from a couple of years ago,
I do see that at the time, there did seem to be some similar sorts of
undesirable and arguably untoward routing events which were emanating
from AS260, Xconnect24 Inc., which at the time appeared to me to be an
Amsterdam-based networking company:

https://mailman.nanog.org/pipermail/nanog/2017-August/091821.html

(The company still does appear to have some footprint in Amsterdam.)

Obviously, those historical events have no relation whatsoever to present
circumstances or to recent events, but given that I've not generally seen
much of this kind of stuff from other European locales... with the
exception of Ukraine... it's difficult for me not to infer a possible
pattern.

That having been said, the "pattern" such as it is, is quite obviously
not one that can or should be attributed to the Dutch people generally,
who make the world's best and most admirable chocolate, wooden shoes,
and windmills, by the way.  Rather, the pattern, if there even is one,
seems to be confined exclusively and only to the networking community
and its associated professionals within the city limits of Amsterdam.
And furthermore, I am quite entirely sure that even the majority of this
small group are admirable and honorable people, doing their level best,
day in and day out, to provide quality and honest service to their
neighbors, their countrymen, and to the people of Europe generally.

My hope is that it will not be inappropriate for me to simply express my
sincere desire that this overwhelming majority, i.e. the good men and
women of the Amsterdam networking community will, over time, work to
ensure that all members of their community adhere to the highest
ethical standards in all respects and at all times.


Regards,
rfg


Re: Elad Cohen

2019-09-19 Thread Ronald F. Guilmette
In message <8a49bf73-7a68-4b8f-9dc5-e94b7fe63...@globalone.io>, 
Florian Brandstetter  wrote:

>... this is certainly not a place where you can 
>slander his name or anyone associated with him in any manner for the 
>entertainment of everyone...

If I have slandered anyone, then I shall bear the price for that, in
accordance with law.  I have accepted that risk, in order to say what
I have said, and I have done so from within the most litigious nation
on earth.

Meanwhile, if I am right and if Mr. Cohen is wrong, then what price will he
pay for his misdeeds, and who will see to it that he receives the justice
due him?

Mr. Cohen sits with impunity in Israel, and by remote control appears to
request his California lawyer, the colorful and storied Mr. Bennett Kelley,
to file suit against me, even as Mr. Cohen takes IPv4 space away from
legitimate businesses and governmental entities in South Africa, Australia,
and Japan, also by remote control, and also with the relative impunity
afforded him by his sheer distance from these places.  I have risked
my neck, my reputation, and my entire bank account in order to call him
out, and if you think that I have done so lightly or without evidence you
are wrong.  Meanwhile, what has Mr. Cohen risked?  And who will see to it
that he pays an appropriate price, in Israel, if I am right and he is wrong?


Regards,
rfg


Re: Elad Cohen

2019-09-19 Thread Ronald F. Guilmette
In message , Elad Cohen  wrote:

>Mr. Ronald Guilmette
>
>Everything you did and you wrote in this forum until today, including mud-
>slinging and slandering, including thieves and crooks, they are libel for all
>intents and purposes with everything it implies, and this without to
>display any proof.
>
>We return and say, in our hands are all the agreements of the purchases that
>we've purchased properly with our best money.

Mr. Cohen,

I'm sure that I speak for many when I say that we all very much look
forward to seeing the unredacted copies of those alleged purchase
agreements, whenever you can take time out from your busy schedule to
produce them.

It would also be helpful if you would include whatever additional documents,
as may be necessary, to demonstrate convincingly that whoever you allegedly
bought the blocks from came by them honestly, and not due to some earlier
skulduggery, particularly the ones I have already mentioned, e.g. the
168.198.0.0/16 block, the 139.44.0.0/16 block, the 165.25.0.0/16 block,
and not least the Infoplan/SITA block, 196.16.0.0/14.

>It is hinted from your tongue-lashing, that you are connected clearly with
>Spamhaus and ARIN, that have an interest to receive the ranges, following
>the increase of value of the ranges in the free market and the lack of them.

Gosh darn it!  You caught me!  I'm really a stealth IP speculator.  I didn't
want it publicly known that I have been sitting all this time on an enormous
stash of no fewer than two whole IPv4 addresses.  I also didn't want it
known that I am actually in league with Spamhaus, ARIN, Vladimir Putin,
the Marx Brothers, Boris Johnson, Ricky Gervais, and oh yes, Beelzebub.
But now that the cat is out of the bag, I might as well fess up.  Yes,
we have all been plotting together to steal your valuable stash of IPv4
addresses, and in fact, Cogent is in on the plot too.  I would have told
you sooner, but I was busy eating children... with a nice chianti, of
course.

>All of this subject was transferred to our lawyers, due to the mudslinging
>and slandering and the nicknames you wrote thieves and crooks in this forum
>a libel suit against you will be filed with a high amount, of course that
>all of the written proofs an agreements regarding the legal purchases that
>we've made will be added to the libel suit.

Is the official NANOG historian in the house?

I just want a ruling on this.  Am I the first and only person who has ever
received a cartooney directly on the NANOG list?

I just want to know if I can go ahead and contact the Guinness people, and
get this unique feat recorded officially.


Regards,
rfg


Re: Elad Cohen

2019-09-19 Thread Ronald F. Guilmette
In message ,
Masataka Ohta  wrote:

>Ronald F. Guilmette wrote:
>
> > So, if you are looking for a Crime here, i.e. one defined under law,
> > there isn't one.
>
>You don't know how broadly crime of fraud is defined by the current code.
>
>Just injecting false route information may not be a crime.
>
>However, doing so for financial gain maybe a crime of fraud.

I guess that there is something that either you, or perhaps I, are not
understanding here.

Did you mean to suggest that either Mr. Cohen or any of the friendly networks
that he has persuaded to announce routes for him (by paying them to do so)
are doing any of this just for their health?

Financial gain appears to me to be the obvious motivation for all of this.

>False registration for financial gain by deceiving a registrar
>is definitely a crime, regardless of what is registered.
>
>See the actual code:
>
>   https://www.legislation.gov.au/Details/C2015C00507

Allow me to clarify.

In the case of the APNIC region blocks that I have called out, I have -no-
evidence to suggest that there has been any deception or untoward manipulation
of registry information whatsoever.

With respect to the AFRINIC region blocks I have called out, if you have a
relevant citation from the criminal code of the island nation of Mauritius,
I would be most appreciative if you would share that with me.  It may come
in handy at some point.


Regards,
rfg



Re: Elad Cohen (was: Re: Cogent sales reps who actually respond)

2019-09-19 Thread Ronald F. Guilmette
In message 
Christopher Morrow  wrote:

>"who cares about the sale?"

My apologies.  I see that I have failed to be adequately clear.

There was no "sale".  There was only theft, and then stolen goods
being passed from hand to hand to hand, ultimately ending up in the
hands of Mr. Cohen, who has acted and who is still acting, even as
we speak, as the penultimate monetizer of these purloined resources,
with the ongoing and helpful endorsement, I should note, of the Merit
RADB data base:

https://pastebin.com/raw/115RifX3
https://pastebin.com/raw/r9SRMJJk

Please note in particular, in that first file, Mr. Cohen's route object
for the entire 196.16.0.0/14 block... a block which AFRINIC historical
WHOIS records show clearly was and is the rightful property of a thing
called "Infoplan", which was the South African national government's
captive IT services arm until the passage of the "SITA Act" (1998) in
South Africa, by whose express and explicit terms what used to be
"Infoplan" was subsumed and taken over, lock, stock and barrel, by the
South African government's newly formed replacement captive IT services
provider, The State Information and Technology Agency (SITA):

https://pastebin.com/raw/cXLy6QYf

But apparently, by some miracle of persuasiveness, in addition to making
the Right Friends inside that Australian national government AND inside
the administration of the City of Cape Town... at least briefly...  Mr.
Cohen also deftly persuaded the national government of South Africa
that they really didn't need that $4 million dollar (USD) IPv4 asset after
all (i.e. the 196.16.0.0/14 block) and that they should sell it to him for
an as yet undisclosed price.

>If the outcome of 'someone' controlling IP space is that there is
>abusive activity coming from that space...

Nobody knows what the hell is really going on with that space or what
Mr. Cohen's customers need quite so much IPv4 space for... an amount
that lots of folks in the ARIN region would kill for.

I tried to make some polite inquiries with one of Mr. Cohen's apparent
better and more noteworthy customers, and I am still awaiting some
reply, adequate or otherwise, from that company.  In the meantime,
Mr. Cohen's English language web site became notably scrubbed of the
glowing customer testimonials with which it had been previously adorned,
shortly before I started asking questions.

Nothing at all suspicious about that, now is there?

It would appear that at least one of the companies that are Mr. Cohen's
best customers, and that had previously given Mr. Cohen's company glowing
testimonials no longer wish to have their company names associated with
him or his company, at least not in public.

Now why do you suppose that might be?  And what are THEY doing with the
large and illicitly snatched IPv4 blocks that he has leased to them?

In due course, I will have more to say about Mr. Cohen's customers and
what I believe them to be up to, based on the evidence.

>If the 'rightful owners' of the space need/want it back there's clear
>redress for them via their RIR and the various networks which are /
>were offering transit to these prefixes.

No, actually, there isn't, and that's the point.

Firstly, the RIRs are not the Internet Police, and by and large they
are adamantly unwilling (and allegedly even unable) to interject even
so much as their views or firmly held beliefs into the global BGP system
of routing.  In fact, the overwhelming majority of them are so thoroughly
cowed, both by their memberships and their respective legal teams, that
they dare not even speak the truth of whether it is night or day for fear
of such public pronouncements being the cause of subsequent litigation.

With regards to transit providers, Mr. Cohen and his ill-gotten resources
have now, at long last,  been 100% kicked off of Cogent, indicating that
even they, at least, find it no longer plausibly deniable that most or all
of Mr. Cohen's allegedly purchased IPv4 space just simply doesn't belong
to him.  It only took them about 15 days of fiddling to finally come
around to this inescapable conclusion, but better late than never.

With regards to the various relevant transit providers for the small
group of commonly-owned Dutch networks to which Mr. Cohen has, of late,
been migrating his booty, I have already spent more than a week, politely
browbeating all of these transit providers, as well as an official at
AMS-IX, and I have tried my best to acquaint them all with the plain
facts of this case.

The net effect of all this effort on my part has been that AMS-IX has
shrugged and told me that there is simply nothing they can do, and the
transit providers have politely informed me that they are all "still
investigating".

Meanwhile, Mr. Cohen continues to laugh all the way to the bank, and
continues to enjoy much connectivity, centered primarily in Amsterdam,
and all of it apparently immune to anything resembling "peer pressure".

The net effects of my

Re: Elad Cohen

2019-09-18 Thread Ronald F. Guilmette
In message ,
Masataka Ohta  wrote:

>Ronald F. Guilmette wrote:
>
>> It is a well known fundamental tenet of logical reasoning and argument
>> that it is not possible for -anyone- to prove a negative, which is what
>> you've just asked me to do.
>
>So, Australian government does not think it is a victim of a
>crime. Right?

That's a two part question.  I'll answer each part.

Regarding "crime", there are crimes and there are Crimes.

It wasn't a Crime, until well after 2008, to sell stupid and naive
investors so-called "mortgage backed securities" which turned out
to be worthless, based on bogus financial projections.  The law had
not yet caught up to innovation in the financial sector.  But some
of the people who were selling this garbage to unsuspecting rubes
back in 2008 and earlier knew full well, in their heart of hearts,
that they were screwing people.  Multiple email exchanges that came to
light after that showed these sellers -joking- about how they were
screwing people.  The same thing happened also in the case of Enron,
whose traders joked in email exchanges about how they were screwing
my own home state of California.

At present, the law has likewise not caught up to this "innovation"
called the Internet.  It has had 20+ years to do that, but it still
hasn't, in no small part because legislators the world over understand
the Internet even less than they now understand mortgage backed securities.

So, if you are looking for a Crime here, i.e. one defined under law,
there isn't one.  But the concepts of stealing and unfairness are even
older than the world's so-called oldest profession, and they are so
fundamental and apparent that one does not even need to be a "highly
evolved" human in order to grasp these moral and ethical principles:

https://www.youtube.com/watch?v=meiU6TxysCg

In short, stealing is stealing.  If I steal a watch out of the pocket of
a dead man, it is still stealing, even if there is no specific legislation
on the subject, and even if the dead man unhelpfully declines to file a
police report on the incident.

With respect to the Australian government's knowledge or lack thereof,
I really have no idea.  If you want to know what they know, or do not
know, I encourage you to ask them yourself.  It appears that this will
be rather easier for you to do, than for me to do, since you are in their
same general time zone, and I am not, and thus you have a better shot
at reaching them on the phone, during their working hours, than I do.

The relevant WHOIS contact info is reproduced below, for your convenience.


Regards,
rfg

=
inetnum:168.198.0.0 - 168.198.255.255
netname:DOFD
descr:  DOFD Department of Finance and Deregulation
descr:  Australian Government
country:AU
admin-c:FIAR1-AP
tech-c: FIAR1-AP
status: ALLOCATED PORTABLE
mnt-by: APNIC-HM
mnt-lower:  MAINT-AU-DOFD
mnt-routes: MAINT-AU-DOFD
mnt-irt:IRT-DOFD-AU
last-modified:  2013-07-24T04:25:39Z
source: APNIC

irt:IRT-DOFD-AU
address:John Gorton Building, King Edward Terrace, Parkes ACT 2600
e-mail: ipaddressing(at)finance.gov.au
abuse-mailbox:  ipaddressing(at)finance.gov.au
admin-c:FIAR1-AP
tech-c: FIAR1-AP
auth:   # Filtered
mnt-by: MAINT-AU-DOFD
last-modified:  2013-07-23T04:50:09Z
source: APNIC

role:   Finance Internet Address Registry - CIOD
address:John Gorton Building, King Edward Terrace, Parkes ACT 2600
country:AU
phone:  + 61 2 6215 
e-mail: ipaddressing(at)finance.gov.au
admin-c:FIAR1-AP
tech-c: FIAR1-AP
nic-hdl:FIAR1-AP
mnt-by: MAINT-AU-DOFD
last-modified:  2013-07-23T04:27:45Z
source: APNIC



Re: Elad Cohen

2019-09-18 Thread Ronald F. Guilmette
In message <15744848-5638-ad01-2c9c-a89825f9d...@necom830.hpcl.titech.ac.jp>,
Masataka Ohta  wrote:

>Ronald F. Guilmette wrote:
>
>> Come now Mr. Cohen, please do tell us who you paid for rights to the
>> 168.198.0.0/16 block, which belongs to the Australian government,
>
>If you think the Australian government haven't transfer its IP address
>to Mr. Cohen, all you should do is let the Australian government
>accuse Mr. Cohen.

It is a well known fundamental tenet of logical reasoning and argument
that it is not possible for -anyone- to prove a negative, which is what
you've just asked me to do.

I certainly cannot prove, to any degree of certainty, that the Australian
national government, in its infinite wisdom, didn't send one of its stealthy
representatives to meet Mr. Cohen in some dark back alley, on some dark
night, somewhere in Canberra, and that this mysterious representative did
not meet Mr. Cohen and then sell him the government's rights in, and titles
to the 168.198.0.0/16 block.  If that had happened, then I wouldn't know
about it.  None of us would.  (And stranger things quite certainly -have-
happened when it comes to government corruption.) All I can do is make it
quite plain that I believe that this theory of events is somewhere beyond
implausible.

In any event, it is not for me to prove the negative in this case.  Rather,
it is incumbent upon Mr. Cohen to prove his implicit -and- explicit
affirmative assertion that he has or had some rights (i.e. -any- rights)
to the 168.198.0.0/16 block or to any of the numerous other nice juicy and
valuable IPv4 blocks, all of size /16 or greater, that he, with the help
of his friends, appears to have been using of late.

With regards to any of these numerous valuable IPv4 blocks, both legacy
and otherwise, Mr. Cohen offers us not a single shred of proof that he
has now, or ever had, any rights at all to any of these blocks whatsoever,
insisting instead that we all just take his word on faith.

Is this the behaviour of an honest man, attempting, reasonably, to defend
his reputation and his good name?  I think not.

Not to put too fine a point on it, but Mr. Cohen is clearly hiding something.
And not just one thing, but many things.

With respect to the Australian government, none of us needs to wait for it
to wake from its slumber in order to know precisely what happened here.

If I am on the street, near a school or a University, and if I see a man
back a large truck up to a bicycle rack and then see the man get out and
use a large set of bolt cutters to cut the locks on bicycle after bicycle,
loading them one by one into the truck, then I, for one, do not need to
await the arrival of the true owners of said bicycles in order to know
that something is seriously amiss -or- to take action to stop what is going
on.  That may be your approach to such situations, but it is not mine.

The difference is what some people might call "civilization" and without
it we are all doomed.


Regards,
rfg


P.S.  For those who may still harbor any doubts about Mr. Cohen's claims,
I encourage you all to speak with a certain Mr. Alister van Tonder,
(Alister.vanTonder (at) capetown.gov.za - phone: +27-21-400-9080), a
network engineer employed by the City of Cape Town, who I'm sure will
be only too happy to describe to you, as he did to me, the efforts that
he and his colleagues were forced to expend in order to just simply take
back the City's rightful property, the 165.25.0.0/16 block, from the
clutches of Mr. Cohen and his allies at FDCServers and Cogent.


Elad Cohen (was: Re: Cogent sales reps who actually respond)

2019-09-18 Thread Ronald F. Guilmette
In message , Elad Cohen  wrote:

>Please see the following link:
>
>https://afrinic.net/resource-certification
>
>As you can see, a MyAFRINIC account is required.
>
>Yes, route objects for legacy AFRINIC resources in their RIR operated IRRDB
> as a fallback for RPKI can be created and they were created by us.


What Mr. Cohen continues to dance around is the inconvenient truth that
even if he had an AFRINIC account, this would neither help nor explain
his thefts of the several AFRINIC -and- APNIC region blocks that I have
already listed here.

RIPE Routing History reveals the truth, for anyone who wishes to consult
that historical data, and I also have plenty of saved traceroutes for
each of those APNIC blocks, as well as all of the others that Mr. Cohen
stole from the AFRINIC region.

Those were all helpfully routed, until quite recently, to Mr. Cohen, and
by Mr. Cohen's dear friends at FDCServers and Cogent.

Come now Mr. Cohen, please do tell us who you paid for rights to the
168.198.0.0/16 block, which belongs to the Australian government, and
which your pals at Cogent and FDCServers were routing to you until
quite recently.  Who did you pay and how much did you pay for your
"rights" to the City of Cape Town's 165.25.0.0/16 block?

It's OK.  No need to be shy.  Show us your sales receipts for those
blocks please!  We could all use a good laugh today.

Alternatively, if you can't or won't show us that, then at least have the
decency to admit that you're a liar, a fraud, and a con man, and that
until I caught you, you were stealing all of the IPv4 space that wasn't
nailed down in both the AFRINIC region and the APNIC region.

Did you seriously think that you could get away with all this and that
nobody would even notice?  If so, then you're even dumber than you look
in all of the online pictures of you I've seen.


Regards,
rfg


Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft?

2019-09-18 Thread Ronald F. Guilmette
In message <152f0dbc-f7af-2a78-c5a7-f2062effe...@necom830.hpcl.titech.ac.jp>,
Masataka Ohta  wrote:

> From whois information:
>
>remarks:reg-date:1993-03-22
>
>notify: tmiy...@gaijin.co.jp
 


I already talked to the guy who has owned the above domain name for more than
25+ years.  He's an American, living in Southern California, who these days
runs a solar panel installation company.

He told me that he has no way to find "tmiyoko" anymore and that that guy
was just one of thousands of customers the guy in SoCal had, back 20+ years
ago, for his Japanese ISP business.


Regards,
rfg


Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft?

2019-09-17 Thread Ronald F. Guilmette
In message <9567b241-12ce-4728-8e73-ff7143907...@apnic.net>, 
Vivek Nigam  wrote:

>APNIC has contacted the custodians of 139.44.0.0/16 and 168.198.0.0/16 and
>brought this matter to their attention.

Excellent.  Thank you.

If possible, it would be Good if APNIC could also make contact with the
rightful owners of the following additional 3 Japanese blocks, all of
which were, of late, routed by Cogent to FDCServers and thence, presumably,
to Mr. Cohen.

143.136.0.0/16
143.253.0.0/16
146.51.0.0/16

I tried to make contact myself with the legit owners of all of the above,
but found it to be quite difficult.  The registered owner of the first
one appears to have gone into hiding on a remote island someplace.  I only
say that because, despite some considerable effort on my part, I was not
able to find him.  Making contact with the legitimate owners of the other
two blocks, both of which belong to Japanese corporations that are still
very much alive, was rather difficult also, because I am only a stupid
gaijin, and don't speak a word of Japanese.


Regards,
rfg


Re: Cogent sales reps who actually respond

2019-09-17 Thread Ronald F. Guilmette
In message , Elad Cohen  wrote:

>The defamatory and invective words, the mudslinging and slander of my name,
> by Ronald Guilmette, are not true at all and they are completely false, in
> my hand there are all the purchases approval for purchasing ipv4 and that
>were paid completely by me.
>
>Anyone who wants confirmation the ips belong to us can sent me a direct
>e-mail and i would be happy to explain and provide evidence. thank you.

You can stop dancing around the issue Mr. Cohen, and come clean, any time
you want.  Like for example right here and right now.  Stop prevaricating.
Put up or shut up.  Either that or have the decency to admit that you are
a dyed-in-the-wool con man and fraud, as your onetime pals at Cogent and
FDCServers have apparently finally figured out.

By all means, show us all of these alleged "purchase approvals" you have
for the following blocks which you managed... temporarily at least... to
get your compliant pals at Cogent and FDCSewers to route for you:


APNIC region:
168.198.0.0/16 -- Department of Finance and Deregulation (AU)
139.44.0.0/16  -- Port of Melbourne Authority (AU)
143.136.0.0/16
143.253.0.0/16
146.51.0.0/16

AFRINIC region:
168.206.0.0/16
160.122.0.0/16
163.198.0.0/16
165.3.0.0/16
196.16.0.0/14
196.193.0.0/16
155.159.0.0/16
163.197.0.0/16
164.155.0.0/16
165.25.0.0/16 -- City of Cape Town
196.15.64.0/18
160.121.0.0/16
155.235.0.0/16
196.10.64.0/19
160.116.0.0/16
168.206.0.0/16 -- The Atomic Energy Board (South Africa)
165.52.0.0/14  -- Cape of Good Hope Bank (South Africa)


For one little guy, you sure managed to accumulate one hell of a huge
stash of IPv4 addresses!  Well over $30 million dollars worth, in fact.

So please Mr. Cohen, by all means, please do tell us what all of these
mountains of IPv4 addresses cost you, who you paid for them, and what
exactly you planned to do with them, and with whom.  Please do show us
any and all documentation you have of your alleged "purchases".  I'm sure
that we are all keen to see how you cleverly outwitted all other bidders
to come out on top in the bidding war for the City of Cape Town's block
or for the one you apparently lifted from the Australian Department of
Finance and Deregulation.

But please, don't insult our intelligence by showing us more of those
blatantly fraudulent "LOAs" that were presented in the MyBroadband.co.za
report.  As I've already pointed out here, no self respecting forger
would even have tried to pass those.  The perfectly identical signatures
and vaguely official-looking stamps on all of them render them not even
third-rate forgeries.

Oh!  And by the way Mr. Cohen, as it happens I myself am the proud owner
of a perfectly valid "purchase approval" for the Brooklyn Bridge.  So you
see, we have something in common!

Looking forward to your next missive.


Love and kisses,
rfg
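
The check that the posts above keep asking the transit providers to make (and that the 2019-09-18 post supplies the raw material for, with the APNIC WHOIS record for 168.198.0.0/16) can be expressed in a few lines: does the maintainer on an IRR route: object match the mnt-routes of the RIR inetnum that covers the prefix, and how much address space does one maintainer's set of route objects actually claim once overlapping and more-specific prefixes are collapsed? The following is an added example written for this thread, not code from the poster, from Merit/RADB or from APNIC. The inetnum is the APNIC record reproduced earlier in the thread (abbreviated); the route objects, the maintainer name MAINT-EXAMPLE and the origin ASNs AS64496/AS64497 (from the documentation range) are constructed placeholders and are not the real RADB entries linked in the thread.

```python
"""Reconcile IRR route objects with the RIR inetnum that covers them, and tally
the address space a maintainer's route objects claim.

Added example, not code from the thread.  The inetnum is the APNIC record for
168.198.0.0/16 reproduced in the thread (abbreviated).  The route objects, the
maintainer MAINT-EXAMPLE and the origin ASNs AS64496/AS64497 (documentation
range) are constructed placeholders, not the real RADB entries linked above.
"""
import ipaddress

INETNUM_TEXT = """\
inetnum:        168.198.0.0 - 168.198.255.255
netname:        DOFD
descr:          DOFD Department of Finance and Deregulation
descr:          Australian Government
country:        AU
status:         ALLOCATED PORTABLE
mnt-by:         APNIC-HM
mnt-lower:      MAINT-AU-DOFD
mnt-routes:     MAINT-AU-DOFD
source:         APNIC
"""

# Constructed route objects: a third-party claim over the whole /16, a
# more-specific of it by the same maintainer (must not be double-counted),
# and one by the maintainer the inetnum actually authorises.
ROUTES_TEXT = """\
route:          168.198.0.0/16
descr:          constructed example
origin:         AS64496
mnt-by:         MAINT-EXAMPLE
source:         RADB

route:          168.198.0.0/17
descr:          constructed example, more-specific of the one above
origin:         AS64496
mnt-by:         MAINT-EXAMPLE
source:         RADB

route:          168.198.0.0/16
descr:          constructed example, the authorised maintainer
origin:         AS64497
mnt-by:         MAINT-AU-DOFD
source:         APNIC
"""


def parse_rpsl(text):
    """Split RPSL text into objects (blank-line separated); each object maps
    attribute -> list of values, since attributes such as descr may repeat."""
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def inetnum_networks(obj):
    """Convert an 'a.b.c.d - e.f.g.h' inetnum range into CIDR networks."""
    start, end = (s.strip() for s in obj["inetnum"][0].split("-"))
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)))


def check_routes(inetnums, routes):
    """For each route object, find the covering inetnum and compare the route's
    mnt-by with the inetnum's mnt-routes (falling back to its mnt-by).
    Returns (prefix, origin, mnt-by, verdict) tuples."""
    results = []
    for route in routes:
        prefix = ipaddress.ip_network(route["route"][0])
        origin, mnt = route["origin"][0], route["mnt-by"][0]
        covering = next((i for i in inetnums
                         if any(prefix.subnet_of(n) for n in inetnum_networks(i))), None)
        if covering is None:
            verdict = "no-covering-inetnum"
        else:
            authorised = covering.get("mnt-routes") or covering.get("mnt-by", [])
            verdict = "maintainer-match" if mnt in authorised else "maintainer-mismatch"
        results.append((str(prefix), origin, mnt, verdict))
    return results


def claimed_addresses(routes, mntner):
    """Distinct IPv4 addresses claimed by one maintainer's route objects, with
    overlapping and more-specific prefixes collapsed so none is counted twice."""
    nets = [ipaddress.ip_network(r["route"][0]) for r in routes if r["mnt-by"][0] == mntner]
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))


def run():
    inetnums, routes = parse_rpsl(INETNUM_TEXT), parse_rpsl(ROUTES_TEXT)
    report = check_routes(inetnums, routes)
    for row in report:
        print("%-18s %-8s %-14s %s" % row)
    for mntner in ("MAINT-EXAMPLE", "MAINT-AU-DOFD"):
        print(mntner, "claims", claimed_addresses(routes, mntner), "addresses")
    return report


if __name__ == "__main__":
    run()
```

Running it flags the two MAINT-EXAMPLE objects as maintainer-mismatch and the MAINT-AU-DOFD object as a match, and counts 65536 addresses for each maintainer rather than 98304 for MAINT-EXAMPLE, because the /17 is inside the /16. The point of keying on mnt-routes rather than on the route object's own attributes is that an IRR with weak authentication will happily record whatever a submitter writes; the RIR's inetnum is the only record in this picture that the prefix holder controls.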


Re: Cogent sales reps who actually respond

2019-09-16 Thread Ronald F. Guilmette
In message , 
"Stephen M."  wrote:

>Please don't praise or complain like we're supposed to take
>it at a total face value. If you don't like them so much - we are
>your audience. Explain.
>
>If you like Cogent - explain.
>If you don't like Cogent - explain.

I see that many others have already chimed in to comment on Cogent's
technical prowess, or lack thereof, and on Cogent's customer service,
or lack thereof.

These things are neither my forte nor my concern.  My issue with the company
is what I believe is, and rightly should be a meta-issue that should be of
overriding concern of all who use or work on the Internet, i.e. the degree
to which the company, wittingly or otherwise, has enabled theft or squatting
on -numerous- large chunks of IPv4 space by what amount to Internet criminals.

I already detailed my concerns here, and quite recently:

   https://mailman.nanog.org/pipermail/nanog/2019-September/102944.html

The case is both clear and unambiguous.  Some little guy by the name of Elad
Cohen, living and working in Israel, who has some little two-bit "hosting"
company, has been, in very recent times, rather blatantly squatting on
numerous previously abandoned legacy blocks...  /16 after /16 after /16...
perhaps 20 or more such blocks... all of them being used, self evidently,
by Mr. Cohen, and many, most, or all of which Mr. Cohen demonstrably has
no legitimate rights to whatsoever... like the blocks he squatted on which
belong to the Australian national government's Department of Finance, and
another seemingly abandoned legacy /16 that belongs to the City of Cape
Town, South Africa.

And who were the primary enablers of all of this fraud and theft?  Well,
it was Mr. Cohen's helpful friends at a hosting company called FDCServers,
headquartered in the one American city most known for its high ideals
and consistently ethical behavior, Chicago.  FDCServers is not a big
company, so I have to assume that its CEO, Mr. Petr Kral, was not entirely
oblivious to Mr. Cohen's crooked shenanigans, especially after I personally
and explicitly informed him of it all.

https://www.linkedin.com/in/fdcservers

But the thing of it is that FDCServers, which appears to be a major customer
of Cogent, does none of its own routing, preferring instead to have their
bigger pals, Cogent (AS174) route all of this stolen IPv4 real estate to
their customer, Mr. Cohen, on their behalf which Cogent apparently
continued to do, right up through and including this past weekend, e.g.
for the stolen blocks 165.53.0.0/16 and 168.206.0.0/16.

My beef with both Cogent and FDCServers is simple.  They both took Cohen's
money and quite clearly didn't ask -any- reasonable questions, preferring
instead to just accept Cohen's blatant forgeries as "evidence" of his
ownership of the stolen blocks they routed for him.  And they continued
to do that, and only that, until well after I had explicitly and quite
pointedly informed them of the self-evident problems with Mr. Cohen and
his blatantly crooked business model. 

The crimes of Cogent and FDCServers, such as they are, do not rise to the
level of "receiving stolen property", but I do think that they qualify
under the heading of -transporting- stolen property.  And believe me,
if a cop pulls you over while you are driving your van, looks in the
back and finds a whole lot of stolen bicycles that were ripped off from
a nearby University campus, your protestations that you were "only
delivering them to a friend" won't wash to get you out of a short stint
in the Graybar Hotel.

Cohen, with the help of FDCServers and Cogent, stole millions of dollars
worth of valuable IPv4 real estate.  Unfortunately, due to the lack of
sophistication of criminal authorities, combined with the trans-border
and international nature of these crimes, Cohen will undoubtedly walk,
as will Cogent and FDCServers.  (So much for equal justice under law!)
But I'll tell you straight up that I personally wouldn't trust any of
these clowns to hold my wallet, not even for five minutes, and not even
if it were empty.


Regards,
rfg


Re: Cogent sales reps who actually respond

2019-09-16 Thread Ronald F. Guilmette
In message , 
Owen DeLong  wrote:

>Given their practice of harvesting whois updates in order to spam newly
>acquired AS contacts, any time it is my decision, Cogent is ineligible
>as a vendor.

So I guess then that their aiding and abetting of fraud and IP block
theft, as I documented here recently, is an entirely secondary concern...
as long as they don't spam you, yes?


Regards,
rfg


Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft?

2019-09-06 Thread Ronald F. Guilmette
In message , 
Mel Beckman  wrote:

>I’m just saying that I randomly checked one fact and it doesn’t meet
>the level of positive certainty that you asserted. It’s thus reasonable
>to ask you to double check your research all around. I’m not willing
>to be your unpaid copy editor, so let me know when you’ve done a double
>check and I’ll be willing to invest time in your story again. 

Well, let's dissect that a bit.  You're asserting an inadequate "level of
positive certainty" but you have not specified about what, in particular.

I posted a link to a list of 71 different RADB entries that were present
in the Merit/RADB data base as of August 17th, all of which gave every
appearance of having been created by Mr. Elad Cohen.  I will assume for
the moment that you are not calling into question the "positive certainty"
that I have about any of that data or about any of those RADB entries.

Out of those 71 routes, most of which appear to be rather clearly fraudulent,
you have picked out exactly and only -one- of those 71, and your only
criticism seems to be that I haven't been quite precise enough in my
identification of the exact victim, somewhere in Australia, in that one
particular case.

I just want to make sure that I understand.  You're -not- claiming that
either Mr. Cohen or FDCServers, or Cogent had any legitimate rights or
titles to that specific block (139.44.0.0/16), correct?  You are only
claiming that I have mis-identified the victim of this particular squat as
being `X' when I should more properly have said that the actual victim
was in fact `Y'.  Am I summarizing your criticism accurately?


Regards,
rfg


P.S.  Not that it matters to the point Mel raised, but I would like
to just note in passing that the 139.44.0.0/16 block, may perhaps *not*
in fact be routed by AS174 (Cogent) anymore, although it did appear to
still be routed by AS17, at least to bgp.he.net, as of 05 Sep 2019 20:34
PST:

https://bgp.he.net/net/139.44.0.0/16

More current data from RIPEStat indicates that this entire /16 is now
being routed by Mr. Cohen's new good friends at AS204655, Novogara Ltd.,
which appears to be owned and operated by the same two sterling Dutch
gentlemen, Mr. Ferdinand Reinier Van Eeden and Mr. Bartholomeus Johannes
("Bap") Karreman, who also appear to be the owners/operators of what
is nowadays called "IP Volume Inc." and which previously was known as
Quasi Networks, and which was, before that, known as Ecatel.

Novogara appears to have become home to quite a number of sizable IPv4
legacy blocks, from both the AFRINIC region and also the APNIC region,
in very recent days:

   https://bgp.he.net/AS204655#_prefixes

The fact that there seems to be a rather significant correlation between
the IPv4 legacy blocks currently being announced by Mr. Van Eeden's and
Mr. Karreman's several Dutch ASNs and the list of pilfered IPv4 legacy
blocks that Mr. Cohen was kind enough to supply in the RADB data base
should, in my opinion, come as a surprise to exactly no one.


Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft?

2019-09-06 Thread Ronald F. Guilmette
In message <67b3e0d5-7d09-42e2-a753-eb6c93859...@getmailspring.com>, 
Florian Brandstetter  wrote:

>if you'd open the traceroute you just sent you'd see that the target
>is route looping and not actually used by their alleged customer?

Yea.  So?  How is that relevant to my fundamental narrative?

Cogent was announcing the whole of 168.198.0.0/16.  Do we agree?

They were most probably *not* doing so just for laughs or just to
create routing loops.  Do we agree?

Traceroutes show that from Cogent, packets were further being passed
to FDCServers.  Do we agree?

Now, if you want to know who FDCSewer's customer was in this case,
why don't you try asking them?

I am satisfied that the intel that I've already collected indicates
the exceptionally high probability that this entire legacy /16 block...
along with many many others, also of entirely dubious provenance...
were all being routed to and for a certain Mr. Elad Cohen and his
company, Netstyle Atarim, Ltd.:

organisation:   ORG-NAL9-RIPE
org-name:   NETSTYLE A. LTD
org-type:   LIR
address:Derech Menachem Begin 156
address:6492108
address:Tel-Aviv
address:ISRAEL
phone:  +972-1-800-204-404
e-mail: info (at) netstyle.io

>Also, what would the target IP have been in this case, since it was omitted?

If you look carefully, I gave that in the post you are responding to:

>> My apologies. In my furious haste, I botched that one URL. Here is the
>> correct file containing my traceroute to 168.198.12.242 as performed by
>> me on August 23rd:
>>
>> https://pastebin.com/raw/TrLbGZuW


Regards,
rfg


Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft?

2019-09-06 Thread Ronald F. Guilmette
In message <23540.1567802...@segfault.tristatelogic.com>, I wrote:

>Is anyone disputing that 168.198.0.0/16 belongs to the Australian
>national government, or that AS174, Cogent was, until quite recently,
>routing that down to their pals at FDCServers who then were routing
>it down to their customer, Elad Cohen?  If so, I ask that people look
>up this network in the RIPE Routing history tool and ALSO that folks
>have a look at, and explain, the following traceroute from August 23:
>
>https://pastebin.com/raw/2nJtbwjs

My apologies.  In my furious haste, I botched that one URL.  Here is the
correct file containing my traceroute to 168.198.12.242 as performed by
me on August 23rd:

https://pastebin.com/raw/TrLbGZuW


Regards,
rfg


Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft?

2019-09-06 Thread Ronald F. Guilmette
In message <5233b9b9-1bff-425d-bb8f-e3853703b...@beckman.org>, 
Mel Beckman  wrote:

>A quick check of one of your facts produces unexpected results, so you might
>want to perform more research. According the APNIC, 139.44.0.0/16  does not
>“belong unambiguously to the Port Authority of Melbourne”.

Please, let's not start staring at -one- tree out of the several that
I've talked about, and then start arguing about the shape of the pine
cones on that one tree.  Doing that will give short shrift to the
rather larger forest that I've tried to expose here.

Is anyone disputing that 168.198.0.0/16 belongs to the Australian
national government, or that AS174, Cogent was, until quite recently,
routing that down to their pals at FDCServers who then were routing
it down to their customer, Elad Cohen?  If so, I ask that people look
up this network in the RIPE Routing history tool and ALSO that folks
have a look at, and explain, the following traceroute from August 23:

https://pastebin.com/raw/2nJtbwjs

Is anyone disputing that the 165.25.0.0/16 block rightfully belongs to
the City of Cape Town, or that Cogent -continues- even as we speak, to
announce a competing route to it?  If so, I ask any such parties to please
explain this traceroute from August 20th:

https://pastebin.com/raw/2nJtbwjs

Is anyone disputing that the LOAs that Mr. Cohen has produced in response
to queries about some of the blocks he has stolen, and then routed via
Cogent and FDCServers, are blatant and indeed really bad forgeries?

Is anyone disputing that Mr. Cohen has, in effect, and via the Merit/RADB
data base, claimed rights over more than a million IPv4 addresses, many
of which self-evidently do not belong to him, or that Mr. Cohen's gracious
and helpful providers, FDCSewers and Cogent appear to have effectively
turned a blind eye to all this, or that they continue to do so, even as
we speak?

The Subject line that I used to start this thread may have seemed to some
to be over-the-top and provocative, but to be frank, I think now that I
may have not gone far enough.  Cogent has been announcing a route to
the 165.25.0.0/16 block, which unambiguously belongs to the City of
Cape Town.  At what point does such interference with legitimate
governmental functions and authority, on Cogent's part, cross over from
being merely bad manners and into the realm of criminality?


Regards,
rfg
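
The post above asks readers to look the prefixes up in a routing-history tool and explain what they see: a /16 announced by an origin other than the rightful holder, and a second, competing route to the same block. That reading can be automated against a watch-list. What follows is an added example written for this thread, not code from the poster, from RIPE or from bgp.he.net. The observation records are constructed in the shape of a routing-history export (timestamp, prefix, origin AS, collector); the origin ASNs are placeholders from the documentation range (AS64496 to AS64511) and the expected-origin table stands in for what the prefix holders' own registry records would say. The check generalises beyond the two prefixes named in the post: any more-specific announced inside a watched block is also matched against the block's expected origin.

```python
"""Flag unexpected and competing BGP origins for a watch-list of prefixes.

Added example, not code from the thread.  OBSERVATIONS and EXPECTED_ORIGIN are
constructed; the ASNs are placeholders from the documentation range and the
collector names are arbitrary labels.
"""
import ipaddress
from collections import defaultdict

# Expected origin per watched prefix, as the rightful holder would publish it
# (constructed placeholders; the real records are not reproduced in the thread).
EXPECTED_ORIGIN = {
    "168.198.0.0/16": "AS64500",
    "165.25.0.0/16": "AS64501",
}

# Constructed observations: (timestamp, prefix, origin ASN, collector).
OBSERVATIONS = [
    ("2019-08-20T10:00Z", "165.25.0.0/16", "AS64501", "rrc00"),    # rightful holder
    ("2019-08-20T10:00Z", "165.25.0.0/16", "AS64496", "rrc03"),    # competing route, same prefix
    ("2019-08-23T10:00Z", "168.198.0.0/16", "AS64496", "rrc00"),   # holder not announcing at all
    ("2019-08-23T10:00Z", "168.198.12.0/24", "AS64497", "rrc03"),  # more-specific inside the /16
    ("2019-09-05T10:00Z", "168.198.0.0/16", "AS64500", "rrc00"),   # holder announcing again
]


def expected_origin_for(prefix):
    """Expected origin of the most-specific watch-list entry covering prefix,
    or None when the prefix is outside every watched block."""
    net = ipaddress.ip_network(prefix)
    best = None
    for watched, asn in EXPECTED_ORIGIN.items():
        wnet = ipaddress.ip_network(watched)
        if net.subnet_of(wnet) and (best is None or wnet.prefixlen > best[0].prefixlen):
            best = (wnet, asn)
    return best[1] if best else None


def unexpected_origins(observations):
    """Announcements of a watched prefix, or of a more-specific of it, whose
    origin differs from the expected one.  Returns (time, prefix, origin,
    expected) tuples; the holder's own announcements are not reported."""
    findings = []
    for ts, prefix, origin, _ in observations:
        expected = expected_origin_for(prefix)
        if expected is not None and origin != expected:
            findings.append((ts, prefix, origin, expected))
    return findings


def competing_origins(observations):
    """Within one timestamp, pairs of announcements whose prefixes overlap but
    carry different origins: either two routes to the same block or a
    more-specific punched into it.  Returns (time, p1, o1, p2, o2) tuples."""
    by_time = defaultdict(list)
    for ts, prefix, origin, _ in observations:
        by_time[ts].append((ipaddress.ip_network(prefix), origin))
    findings = []
    for ts, entries in sorted(by_time.items()):
        for i, (n1, o1) in enumerate(entries):
            for n2, o2 in entries[i + 1:]:
                if o1 != o2 and n1.overlaps(n2):
                    findings.append((ts, str(n1), o1, str(n2), o2))
    return findings


def run():
    """Print both reports; returns them so callers can act on the findings."""
    unexpected = unexpected_origins(OBSERVATIONS)
    competing = competing_origins(OBSERVATIONS)
    for ts, prefix, origin, expected in unexpected:
        print("%s  %-17s announced by %s, expected %s" % (ts, prefix, origin, expected))
    for ts, p1, o1, p2, o2 in competing:
        print("%s  competing routes: %s via %s  vs  %s via %s" % (ts, p1, o1, p2, o2))
    return unexpected, competing


if __name__ == "__main__":
    run()
```

On the constructed data this reports three unexpected-origin announcements (the competing /16 on 2019-08-20, the foreign /16 and the /24 more-specific on 2019-08-23) and two competing pairs, one per timestamp, while the holder's own 2019-09-05 announcement produces nothing. The two reports answer different questions: unexpected_origins needs the holder's registry data and works on a single announcement, while competing_origins needs no registry data at all and catches the same-prefix or more-specific conflict from the routing table alone, which is the situation the post describes for 165.25.0.0/16.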


Cogent & FDCServers: Knowingly aiding and abetting fraud and theft?

2019-09-06 Thread Ronald F. Guilmette
Few of you here probably know about this, but nearly a week ago now
an article appeared in South Africa's largest and most popular online
tech publication, MyBroadband.co.za.  It detailed many, but certainly not
all of the results of my multi-month investigation of a massive and
ongoing fraud involving the theft of large numbers of large (generally
/16 or larger) abandoned legacy blocks, taken from the AFRINIC region
and beyond:

https://mybroadband.co.za/news/internet/318205-the-big-south-african-ip-address-heist-how-millions-are-made-on-the-grey-market.html

For various editorial reasons, the article that was published actually
downplayed the magnitude of the thefts quite dramatically.  The
totality of the IPv4 space that has been stolen or squatted, primarily
but not exclusively, from South African companies and South African national
government agencies and departments is actually at least 5x bigger than what
was reported in the MyBroadband.co.za article.

The overwhelming majority of this stolen and squatted IPv4 space has
been helpfully routed by Cogent (AS174), to their customer, FDCServers
of Chicago, and then on to the preferred destinations of a certain Mr.
Elad Cohen of Israel, and his company Netstyle Atarim, Ltd.  (I have
saved traceroutes up the wazoo that prove the involvement of FDCServers,
in particular, in all of this.)

Mr. Cohen has been exceptionally prolific in his IPv4 theft and squatting
activities, basically grabbing everything that wasn't nailed down, both
within the AFRINIC region and also within the APNIC region.

In order to try to legitimize all of these thefts and squats, Mr. Cohen
created quite a sizable number of fraudulent route: objects within the
Merit/RADB data base which, as most here should already know, has
essentially zero authentication of any kind before it allows J. Random
Luser to add pretty much any route: object he wants to the RADB.

Here's a full listing of all of Mr. Cohen's RADB route: objects as they
existed as recently as August 17th:

https://pastebin.com/raw/ZNgNuvtt

And here is the short summary version showing just all of the prefixes/CIDRs
that Mr. Cohen was effectively claiming rights and/or title to as of that
same date:

https://pastebin.com/raw/4LTaCg5R

Please do note the numerous blocks of size /16 or greater.

The bottom line is that this one tiny little Israeli company was effectively
claiming rights to a total of no fewer than 1,015,808 IPv4 addresses as of
August 17th, 2019.  (Not too shabby for one lone guy who teaches programming
classes as a side job!) Virtually all of the space is "legacy" IPv4 space,
and generally consists of blocks having sizes of /16 or larger.

Some of Mr. Cohen's claims in his RADB entries are as humorous as they
are pathetically fraudulent.  For example, Mr. Cohen has effectively
claimed rights to 139.44.0.0/16 which unambiguously belongs to the Port
Authority of the City of Melbourne, Australia.  But hell!  That's merely
city property!  Mr. Cohen's limitless appetite for other people's IPv4
space is more vividly on display in his claims to ownership over the
168.198.0.0/16 block, which actually belongs to the Department of Finance
of the Australian national government.  And I haven't even mentioned yet
another of Mr. Cohen's voluminous IPv4 acquisitions, the 165.25.0.0/16 block,
which he did not see fit to create an RADB entry for, but which he's
been squatting on for quite some time now, quite clearly with the
aid and assistance of both Cogent and FDCServers.  That one belongs to
the City of Cape Town, South Africa.  That city's engineers have been
struggling to regain control of their block back from Cogent, from
FDCServers, and from Mr. Cohen for some time now.   I know because I've
personally spoken to them about it.  Cogent, in its infinite wisdom, is
continuing to fight the city for control over property that clearly and
rightfully belongs to the City of Cape Town, even as we speak:

https://drive.google.com/file/d/1ytRj1CtuVhDa0eGu4BT-oEz593y5EwJa/view

When asked for LOAs attesting to his legitimate authority to route at
least a few of these blocks, Mr. Cohen has produced blatantly forged
documents, many of which appeared in the MyBroadband.co.za story.  And
when I say "blatant" that's a gross understatement.  Any half-way decent
forger would consider these documents an embarrassment.  The documents all
bear identical signatures, and identical and vaguely official looking
stamps, and purport to actually be sales receipts attesting to the
alleged purchases, by Mr. Cohen's offshore Seychelles Islands shell
company, Afri Holdings, Ltd., of various /16 blocks from a mysterious
company called Afrivestment, Ltd., which may actually exist in some
faraway galaxy, or in Mr. Cohen's active imagination, but which both
Google and OpenCorporates.com seem to agree exists exactly noplace on
this planet.  Here are the manufactured LOAs supplied by Mr. Cohen:


The Curious Case of 143.95.0.0/16

2019-08-28 Thread Ronald F. Guilmette
Mel Beckman mel at beckman.org wrote:

>I have one question, “of late”, regarding your post: Is it “Antia” or “Anita”? 

Yes.  Sorry.  There were multiple small typos in what I posted.  Not
surprising, since I am an utterly awful typist.

The link I gave in my post provides enough redundant context to work out
the correct answer in this case:

 https://infragard-boston.org/

The gentleman's name is Robert ("Bob") Antia.

Unrelated to that small faux pas on my part, I also would just like to
mention that I have only just now been pointed at an additional relevant
online document that provides more clarity as regards to who, or what,
ended up owning the original Athenix's intangible assets following its
demise.

https://patents.google.com/patent/US5119494

In the case of this patent, ownership seems to have ultimately been assigned
to:

  JACKSON, DAVID
  HOOK PARTNERS II C/O DAVID J. HOOK
  KLEINER PERKINS CAUFIELD & BYERS V C/O JAMES LALLY
  COMDISCO, INC.
  INSTITUTIONAL VENTURE MANAGEMENT V C/O PETER THOMAS
  GARROW, ROBERT A.
  INSTITUTIONAL VENTURE PARTNERS FUND V C/O PETER THOMAS
  SINGAPORE ECONOMIC DEVELOPMENT BOARD
  PACVEN INVESTMENT, LTD. C/O LIP-BU TAN

Obviously, this is a more complete list of Athenix's heirs and assigns than
I had included in my earlier post.


Regards,
rfg


The Curious Case of 143.95.0.0/16

2019-08-28 Thread Ronald F. Guilmette
Fair Warning:  Those of you not enamored of my long-winded exposés of
various remarkable oddities of the IPv4 address space may wish to click
on the tiny little wastebasket icons on your mail clients at this
point.  For the rest of you, please read on.  I think you may find the
following story intriguing.  It contains at least a few surprising
twists.

+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_


Our story today consists of three acts.


Act 1 - It is Born
------------------

In mid-February of 1990 a new venture-capital backed company was formed in
Sunnyvale, California.  In some ways it was no different than the hundreds
or thousands of hopeful high-tech startups that had been formed in Silicon
Valley, both before and since.  It started with a hopeful dream that, in
the end, just didn't work out.

The founders of this company settled initially on a temporary placeholder
company name, XYZ Corporation:

https://drive.google.com/file/d/1CkDNKq4M1DQKuTxBBhlYxUNAjU2cvDnY/view

The mission of the company was to design and manufacture so-called X-Windows
terminals.  These would be diskless workstations, complete with CPUs, color
(CRT) displays, graphics, memory, and an ethernet interface.  The basic
idea was that such a diskless workstation could run the free X-Windows
client software, and that the system would be cheaper than ordinary PeeCees
due to it not having any hard drives or optical drives.

By some odd twist of fate, I myself was working in the same geographic area
as a software engineer at around the same time, but I worked for a different
Silicon Valley startup, just down the road from XYZ Corporation.  And by a
rather remarkable coincidence, the company I worked for had exactly the
same goal and mission as the XYZ Corporation.  The name of this other
X-Windows workstation startup was Network Computing Devices, or just "NCD"
for short.

Quite obviously, both companies were inherently "network-centric" and thus,
both requested and were granted blocks of IPv4 addresses.  That wasn't at
all within my area of responsibility at NCD, so I don't know who actually
issued those blocks.  My guess, based on published historical accounts,
was that it was most probably Dr. Jon Postel who assigned the blocks.  I'm
sure that someone will correct me if I'm wrong.

Months passed, and eventually the founders of XYZ Corporation settled on
something they would use as a permanent replacement for their temporary
placeholder corporate name.  They decided to call the thing Athenix, Inc.
Once they had settled on that name, they filed papers to update their
records with the California Secretary of State's office:

https://drive.google.com/file/d/1dUjsvSkzzdzUsIbIZCS7RF0afsI3uU0l/view

At some point, they also and likewise updated the ARIN WHOIS record for the
/16 block which had been assigned to them, on or about 1990-09-06, as was
appropriate to reflect their new permanent corporate identity:

https://pastebin.com/raw/YbH6zYrR

More time passed and eventually it became clear that the entire world was
not in fact breathlessly waiting for -two- companies to bring to market
diskless X-Windows workstations.  In fact, as history now shows, market
demand would not support even one such company over the long term.

Thus it came to pass in the year 1993 that an all-too-familiar end-of-life
ritual played out once again in Silicon Valley.  At Athenix, Inc. HQ in
Sunnyvale, the people were all let go, including the founders.  The desks,
the chairs, the phones, the computers, and the tools were all sold at
auction, with the proceeds going to the preferred shareholders, i.e. the
poor fools who had put up all of the money for this now-failed venture in
the first place, the venture capitalists.  Foremost among those in this
instance, was the venerable Menlo Park venture capital firm Kleiner Perkins.

I've confirmed this historical account of the rise and fall of the original
1990-vintage Athenix, Inc. in multiple phone and email exchanges with both
the original CEO of the original Athenix, Mr. Robert ("Bob") Garrow, lately
of Los Altos, California, and also the original CTO of the company, Mr. John
Garman, lately of Reno, Nevada.


Act 2 - Rebirth - The Athenix Phoenix
-------------------------------------

Fast forward fifteen years.  On April 22, 2008 a pair of gentlemen in
the Commonwealth of Massachusetts elected to establish a new corporate
entity within the commonwealth.  Its name would be Athenic, Inc.[1]

https://drive.google.com/file/d/1jYUqtgYprI4iyJkTT91-yRBYJt0c2ufF/view
https://drive.google.com/file/d/1mlVML8z7vzp7aeGmOK-3cWBBJeNBuThn/view

As you can see in the documents above, a certain Mr. Ofer Inbar and a certain
Mr. Robert Antia, both of the greater Boston area, formed this new corporate
entity in Massachusetts.  At its formation, the younger Mr. Inbar was the
President, while the more senior Mr. Antia served as the corporate secretary
and treasurer.

Various other 

ARIN Fantasy WHOIS: NET-216-179-183-0-1

2019-08-14 Thread Ronald F. Guilmette
As if to underscore the point I just tried to make about the fundamental
unreliability of ARIN WHOIS records, I just stumbled onto this rather
curious entity which was apparently given a sub-allocation of 216.179.183.0/24
beneath the 216.179.128.0/17 (Azuki, Inc.) block as of 2012-01-10:

OrgName:        Rogers Communications Inc
OrgId:          RC-82
Address:        E 2nd St,Campbell
City:           Gillette
StateProv:      WY
PostalCode:     82716
Country:        US
RegDate:        2012-01-10
Updated:        2012-01-10
Ref:            https://rdap.arin.net/registry/entity/RC-82

Other than the fact that it has an oddly similar name to one of Canada's
largest and most well-known Internet and cell phone companies, the only
other thing that's rather remarkable about it is that it was given the
216.179.183.0/24 block, by Azuki, Inc. in 2012.  What's odd about that?
Well, only the fact that this *Wyoming* incarnation of Rogers Communications
had apparently already died and gone to Valhalla some 14 years earlier,
in 1998:

https://wyobiz.wy.gov/Business/FilingDetails.aspx?eFNum=070023242004106130056183154143023082073130141117

Moral of the story:  Don't ever let anybody tell you that ghosts... even
ghosts of long dead companies... aren't real or that they do not walk
among us.  Their immortal auras pervade the very ether we breathe.

And they have their own IPs, apparently.

But, you know, if your customers are getting hack attacks emanating from
216.179.183.0/24... well... to quote the old Ghostbusters tag line "Who
you gonna call?"  (Hint:  Don't waste your time calling the number in the
WHOIS record.  It's just some bloody preschool.)

Regards,
rfg


Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-14 Thread Ronald F. Guilmette
In message <20190810003820.gd2...@jima.tpb.net>, 
Niels Bakker  wrote:

>* r...@tristatelogic.com (Ronald F. Guilmette) [Sat 10 Aug 2019, 02:26 CEST]:
>>As far as I am aware, no RIR makes any effort whatsoever to vet 
>>changes to WHOIS records, either for IP blocks or ASNs or ORG 
>>records.
>
>This is hilarious.  You should hear the whining from any EU-based 
>operator who has to implement the transfer of RIPE NCC resources in 
>a corporate acquisition.
>
>I recently was involved with one of those and the amount of due 
>diligence required by the RIPE NCC was pretty intense.  If I were at 
>an RIR I'd be insulted by your claim of "no... effort whatsoever".

I do not and would not dispute that at least a few RIRs... in particular
ARIN and RIPE... are -very- good and -very- diligent these days in their
vetting of the legitimacy of what the RIRs themselves, and on their
(secret) -internal- books list as "registrants" of number resources.

But what is listed on the internal books of any given RIR is -not- what
appears in the WHOIS records.  It's just that simple.  Your RIR may
have given you a full rectal exam prior to giving you your IP addresses.
But how does that help -me- if you're sending me bad packets and your
WHOIS record says the following?

Registrant:Salvador Dali
Address:   12345 Moon St., The Universe, 9
Phone: <>

Regards,
rfg


Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-14 Thread Ronald F. Guilmette
In message <4fcb73bf-224f-e011-f310-522193c86...@efes.iucc.ac.il>, 
Hank Nussbacher  wrote:

>Just as an observer to your long resource theft postings:
>- Do you attempt to contact directly the organization or person who have 
>had their resource taken over?

To the extent that I can spare the time, and to the extent that I am able
to do so, (which is often limited by time zone differences) yes, I do.

>- Do they care or are they apathetic?

Before answering let me clarify first the two different classes of problems
that I've most often been looking at.

Everybody including myself has in the past used the term "hijack" but
I'm going to try to stop doing that, in future, and instead use the more
precise terms "squatting" and "theft", where "theft" involves a case
where the relevant WHOIS records have been materially "fiddled" by the
usurper.

In both cases, the usurpers generally aim, first and foremost, for the
low hanging fruit, which is to say legacy blocks that were abandoned
years and years ago, sometimes even decades ago, back when IP addresses
had zero monetizable value.

When contacted, victims in these cases are typically at first utterly
perplexed, and when I explain to them that I am trying to give them
back stuff that they already own, and which in some cases is worth
considerable money on the open market, they *do* look a gift horse
in the mouth, and they assume, quite reasonably I think, given the
current way of the world, that *I* am trying to run some kind of
elaborate scam on them.  It takes a lot of talking on my part to
convince them that no, I'm actually just a good samaritan, and that no,
I am -not- going to be asking them to first send any sort of "release
fee" via Western Union or Bitcoin or WebMoney before they can have their
own blocks back.

Even after they have been convinced that this ain't a scam and that they
do own the stuff I say they own, most are often entirely lackadaisical
about getting off their butts and then working with the relevant RIRs
to get their own stuff back.  Even when I try to get them fired up
by telling them that "cybercriminals" have stolen their blocks, and
the fact that evil that is being done under their names may negatively
affect THEIR public reputations, it's still like watching paint dry,
for me anyway.  Clearly, nobody but me has any sense of urgency about
these things at all.

>- If the resource owner is no where to be found, why should we as a 
>community care?

I'm so glad you asked.

Before answering I should first note that it is actually quite rare when
a sufficient amount of research on my part fails to turn up a relevant
"successor or assign" which would, by rights, be the modern day entity
with a legitimate claim on the asset.  So the "nowhere to be found" case
is by far the exception, rather than the rule.

Regardless, in -either- the case where no heir can be found -or- in the
case where the rightful heir is either just too dumb or just too lazy
to take the minimal steps necessary to reclaim the property (and/or before
this has occurred) the community should care because the kind of people who
either steal or squat on IPv4 blocks are, almost without exception, not the
kind of people who anybody sane wants to be accepting packets from, let
alone peering with.  There is, in my opinion and experience, a high
degree of correlation between skulduggery with respect to -obtaining-
(illicitly) IPv4 address blocks and using those addresses in a manner
which is not at all conducive to the general welfare of the Internet or
its users.

>Report it on some webpage and call it "Internet 
>Resources stolen", document every incident as you do via email, send a 
>copy to the appropriate RIR and upstream ISP allowing the hijack in 
>question to show that you did the appropriate effort and we can then 
>move on.

I can and will stop posting here, and go off and blog about this stuff
instead, if the consensus is that I'm utterly off-topic or utterly
uninteresting and useless.  But a few folks have told me they find
this stuff interesting, and it has operational significance, I think.
So for now, at least, I'd like to continue to share here.

As regards to reporting to RIRs or upstreams, what makes you think that
either of those would care one whit?  The RIRs are not the Internet
Police, or so I am told.  They don't configure routers.  Upstreams are,
in my experience utterly intransigent and unresponsive, especially in
the absence of public exposure of the self-evident problem(s) like
the time I tried to get Telecom Italia to get off their asses and do
something... anything... about their criminal mass squatting customer.
It wasn't until much later on, after WhiteOps and Google had exposed
the massive click fraud operation that was behind all that that Telecom
Italia saw fit to lift even a single finger to actually DO anything at
all.  And the last time I looked, Telecom Italia was *still* peering
with the exact same crooked ASN, even though most or all of 

Re: RPKI adoption (was: Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17)

2019-08-14 Thread Ronald F. Guilmette
In message , 
John Curran  wrote:

>Alas, it’s not those who fail to properly configure RPKI that are likely to be
>litigating, but rather their impacted customers and those customers' business
>partners who all were unable to communicate due to no fault of their own. 
>
>Such a matter will not be thrown out of court, but will be the start of a long
>and very expensive process involving claims, discovery, experts, etc...

Perhaps.  There are certainly some big players (AWS) that if routing were
interrupted for even, say, 12 hours, a lot of folks would get really mad
about.

Correct me if I'm wrong, but one of your presentation slides seemed to
suggest that a separate arms-length legal entity could be established
to do the RPKI stuff, thus offloading most or all of the potential
liability onto and into this separate entity, which could conveniently
have minimal assets of the kind that might inspire members of the
plaintiff's bar who are looking for deep pockets.

Is that an actual possibility, or did you just throw that in there for the
sake of completeness?

Personally, I don't much care how the problem gets solved, as long as it
gets solved.  The fundamental BGP problem has been known and discussed
now for 20+ years and it is only getting more dire and ominous, day by day.


Regards,
rfg


Re: RPKI adoption (was: Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17)

2019-08-13 Thread Ronald F. Guilmette
In message <06570278-e1ad-4bb0-a9fc-11a77bed7...@arin.net>, 
John Curran  wrote:

>Even so, we at ARIN are in the midst of a Board-directed review of the RPKI
>legal framework to see if any improvements can be made vault/participate/meetings/reports/ARIN_43/PDF/PPM/curran_rpki.pdf>  – I will
>provide further updates once it is completed. 

This is an excellent presentation John, and I'm real glad to see that you
have done such a nice job on it and touched on all of the important points.

In particular, I'm glad that you clarified that if everyone is just doing
what they ought to be doing, i.e. following best practices, then even if
RPKI central and all of its sister satellites should all be simultaneously
hit by meteorites, then in theory at least, nobody should be any worse off
than they already are today.

And yes, I can't argue and won't argue that some folks aren't going to be
bozos and screw up their RPKI deployment, and then some of them -may-
possibly want to blame ARIN for -their- screw ups, but I continue to have
trouble envisioning how this would ever translate into a lawsuit that
wouldn't simply be laughed out of court in about five seconds if handled
properly.

Some arguably proximate historical analogs might be relevant here.

In the past, there have occasionally been problems when one or more of
the root name servers have been DDoSd or have otherwise had issues.
I don't recall anybody lining up to sue ICANN in those instances.

Spamhaus and other public anti-spam services publish their stuff to all
comers, without demanding indemnification.  Yes, they have been sued
from time to time, but none of that has ever resulted in any meaningful
damages, and if the company itself had just been more consistent in
obtaining sound legal advice, none of those events would even have been
all that bothersome.

So, what makes ARIN so special that it can't do what these others are doing
and just simply publish some information?  ARIN is in the State of Virginia
the last time I checked, and I do believe that the First Amendment still
applies in the State of Virginia, and indeed in all 50 states.  I mean it
isn't as if ARIN is going to go around yelling "Fire!" in a crowded theater
for God's sake!

So, you just slap a label on the whole bloody RPKI thing that says "Use at
your own risk" and that ought to do it, I think.  I understand that Steve
Ryan may not see it that way, but it's his job not to see it that way.
In practice, there is no need for -both- belt -and- suspenders.


Regards,
rfg


P.S.  Proactive failure testing (slide #15) is an excellent idea.  You could
and probably should fail the whole thing deliberately for 24 hours once a
year, just as a way of shaking the trees to see what idiots fall out.  It
would be like DNS Flag Day, on steroids.



Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-13 Thread Ronald F. Guilmette
In message ,
Eric Kuhnke  wrote:

rfg>>   4)  Filing a "fraud request" with ARIN is a serious step and one that
rfg>could quite conceivably end up with the party filing such a formal
rfg>report being on the business end of lawsuit, just for having filed
rfg>such a report.
rfg>
>What makes you think that the sort of persons who would hijack a /17 sized
>piece of space, for spam generation purposes, would sue you over some
>formal submission you might make to ARIN, but would not already have sued
>you over your already exhaustively detailed posts to the public NANOG list?

Let me see if I understand this.  You don't have any argument with the
other three reasons I gave for sending my alert to the NANOG list, but you
-would- like to quibble with reason #4.  Have I understood you clearly?

Assuming so, let me answer your question with a question (or two).

Is my fear of the potential for lawsuits actually LESS reasonable than
ARIN's use of the same vague and non-specific bogeyman to thwart and
impede, on a global scale, the more widespread adoption of RPKI...
adoption which would, if it ever became universal, put an end to most
or all of these nefarious and malevolent IP block hanky panky games?

The last time I looked, RPKI adoption was sitting at around a grand total
of 15% worldwide.  Ah yes, here it is...

   https://rpki-monitor.antd.nist.gov/

I've asked many people and many companies why adoption remains so low, and
why their own companies aren't doing RPKI.  I've gotten the usual assortment
of utterly lame excuses, but the one that I have had the hardest time
trying to counter is the one where a network engineer says to me "Well,
ya know, we were GOING to do that, but then ARIN... unlike the other four
regional authorities... demanded that we sign some silly thing indemnifying
them in case of something.  We're not even sure what ``something''
actually is in this case, other than some demented lawsuit from some
deranged ``lone wolf'' individual, but since ARIN demanded that we sign
it, the thing had to go to -our- lawyers, and they took one look at it and
said, in effect, ``F that!  We are NOT going to accept any new potential
liability if we don't have to'', so that was the end of that."

As I have often said, if we all only did things that had been pre-cleared
as being ``utterly safe'' by our respective lawyers, then none of us would
ever even get out of bed in the morning.

Regardless of whether ARIN was in any way indemnified against such an event,
the Micfo guy elected to name ARIN in a lawsuit.  This is a matter of
public record.  It's ludicrous and laughable, obviously, but he apparently
sued ARIN when they wouldn't just roll over and allow him to continue to
play his ridiculous little fraud games.  Like I say, in this country, at
least (USA), you run the risk of getting sued if you even so much as get
out of bed in the morning.  BUT SO BLOODY WHAT?  Neither we as individuals
nor ARIN as an organization should cower in fear in our caves because of a
bogeyman that may never come to pass, or that may be totally inconsequential
even if it does, as in the case of Mr. Micfo's joke of a lawsuit.

So I put it to everyone here... Are ARIN policies and its over-hyped fear
of the vague bogeyman of lawsuits materially impeding the adoption of
RPKI, and if so, what should be done about this?

In the meantime, I decline to accept criticism of -my- perhaps misplaced
fears of lawsuits.  Mine have essentially no real world consequences.
ARIN's, on the other hand, appear to be keeping some finite non-zero
fraction of 85% of the world's route announcements unchecked, at least
for any meaningful sense of the word "checked".


Regards,
rfg
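
The two technical claims that run through this thread are (a) that anyone
can drop a route: object into RADB with no authentication, and (b) that
RPKI route-origin validation, done the best-practice way, rejects only
announcements a ROA positively contradicts and degrades to today's
behaviour if the RPKI data ever vanishes.  The following is an added
example written for this page, not code from any of the posters, from
Merit/RADB or from ARIN.  It parses a constructed, RADB-style blob of
route: objects and evaluates each one against a constructed ROA set using
the RFC 6811 rules (NotFound / Valid / Invalid, including the maxLength
check).  All prefixes and AS numbers are documentation and private-use
values chosen for illustration; none of them are the blocks or networks
discussed in the thread.

```python
"""RFC 6811 route-origin validation over RPSL route: objects.

Added example for this thread, not code from any poster or from RADB/ARIN.
Every prefix and ASN below is a placeholder, not one discussed in the thread.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample, shaped like an RADB route: object dump (placeholder data).
SAMPLE_RPSL = """\
route:      192.0.2.0/24
descr:      Registrant's own prefix, covered by a matching ROA
origin:     AS64496
mnt-by:     MAINT-EXAMPLE
source:     RADB

route:      192.0.2.0/24
descr:      Same prefix, route: object added by an unrelated party
origin:     AS64511
mnt-by:     MAINT-UNRELATED
source:     RADB

route:      198.51.100.0/24
descr:      Legacy block whose holder never created a ROA
origin:     AS64511
source:     RADB

route:      203.0.113.0/25
descr:      More-specific of a ROA-covered block
origin:     AS64496
source:     RADB
"""


@dataclass(frozen=True)
class Roa:
    prefix: IPNet
    max_length: int
    asn: int


# Constructed ROA set standing in for validated RPKI data (placeholder data).
SAMPLE_ROAS = [
    Roa(ipaddress.ip_network("192.0.2.0/24"), 24, 64496),
    Roa(ipaddress.ip_network("203.0.113.0/24"), 24, 64496),
]


def parse_route_objects(text: str):
    """Yield (network, origin ASN) for every route: object in an RPSL blob.

    Objects are separated by blank lines; attribute names are case-insensitive.
    Nothing is authenticated here: the parser believes whatever the blob says,
    which is the property of RADB the thread complains about.
    """
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            m = re.match(r"^([A-Za-z0-9-]+):\s*(.*)$", line)
            if m:
                attrs[m.group(1).lower()] = m.group(2).strip()
        if "route" in attrs and "origin" in attrs:
            asn = int(re.sub(r"(?i)^AS", "", attrs["origin"]))
            yield ipaddress.ip_network(attrs["route"], strict=False), asn


def rov_state(prefix: IPNet, origin_asn: int, roas) -> str:
    """RFC 6811 section 2: NotFound when no ROA covers the prefix; Valid when
    some covering ROA matches the origin AS and the announced length does not
    exceed its maxLength; otherwise Invalid."""
    covering = [
        r for r in roas
        if r.prefix.version == prefix.version and prefix.subnet_of(r.prefix)
    ]
    if not covering:
        return "NotFound"
    for r in covering:
        if r.asn == origin_asn and prefix.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"


def accept_route(state: str) -> bool:
    """Reject only Invalid.  NotFound is accepted, which is what makes the
    failure mode discussed in the thread benign: with no ROA data at all,
    every route is NotFound and routing behaves as it does without RPKI."""
    return state != "Invalid"


def evaluate(rpsl_text: str, roas) -> dict[str, str]:
    """Map 'prefix ASn' -> validation state for every route: object."""
    return {
        f"{prefix} AS{asn}": rov_state(prefix, asn, roas)
        for prefix, asn in parse_route_objects(rpsl_text)
    }


if __name__ == "__main__":
    for key, state in evaluate(SAMPLE_RPSL, SAMPLE_ROAS).items():
        print(f"{key:28} {state:9} accept={accept_route(state)}")
```

Run as-is, the first object validates, the competing route: object for the
same prefix from the wrong origin is Invalid, the legacy block with no ROA is
NotFound (and therefore still accepted, which is exactly why a block whose
holder never signed a ROA stays hijackable), and the /25 is Invalid purely
because it exceeds the ROA's maxLength.  Passing an empty ROA list makes
every entry NotFound, which is the "meteorite" case above.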


Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-13 Thread Ronald F. Guilmette
In message 

Ross Tajvar  wrote:

>Seems like submitting a fraud request to ARIN is more effective than
>writing a novel and sending it to NANOG, and doesn't require the latter...

As noted in my immediately prior posting, ARIN's careful adjudication of
this or any other possible case of fraud could take weeks or even months.
And even if, after careful and thoughtful deliberation, ARIN concludes
that there is indeed something wrong here, ARIN has neither the power nor
the authority to tell anyone how to configure their routers, and thus,
any decision or conclusion made by ARIN, regarding this or any other case
of possible fraud, will have no immediate effect on the flow of bad packets.


Regards,
rfg


P.S.  I do apologize for my verbosity.  As the late Carl Sagan often said,
extraordinary claims require extraordinary evidence.  I made the extraordinary
claim, on this public mailing list, that -something- fraudulent had gone on
with respect to the 216.179.128.0/17 block which has resulted in the WHOIS
record for that bearing little or no relationship to actual reality.
Having made the claim, I felt a duty to explain and to provide the evidence,
not in 140 characters, but in detail.


Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-13 Thread Ronald F. Guilmette
In message , 
John Curran  wrote:

>On 9 Aug 2019, at 4:09 PM, Ronald F. Guilmette  wrote:
>> ...
>> Unfortunately, we cannot read too much into this change that was made
>> to the block's public-facing WHOIS record.  Neither the new WHOIS info
>> nor even the old WHOIS info can be used to reliably infer who or what
>> is the legitimate registrant of the block at any point in time.  This
>> is because ARIN, like all of the other Regional Internet Registries,
>> allows registrants to put essentially any bovine excrement they desire
>> into their public-facing WHOIS records.
>
>That is not the case – ARIN confirms the legal status of organizations
>receiving number resources. 

This is NOT the message that I got from our recent discussion of the giant
Micfo fraud on the ARIN Public Policy Mailing List.  When I raised
questions about why various of the Micfo phoney baloney shell companies
had blocks with WHOIS records saying they were located in states that
they were obviously not located in, I believe that you said that once
a block has been allocated, by ARIN, to some (properly vetted) entity,
that after that point in time, the entity could -change- the relevant
WHOIS record to say any bloody thing it wanted, and that such -changes-
to ARIN WHOIS records are not vetted in any way.

If I got the Wrong Impression from your prior statements, then by all
means, please do correct me.  And then please do explain why several of
the Micfo phony shell companies did in fact have WHOIS records for ARIN-
issued IPv4 space that gave street addresses in states where none of these
phony shell companies were actually registered to do business.

>> (And, it should be noted, the
>> man behind the recent large scale "Micfo" fraud apparently availed
>> himself of this exact opportunity for subterfuge, in spades.)
>
>As previously noted on this list, such was only possible because of the
>use of falsely notarized documents. 

I -do- understand that the fraudulent documents that were originally
presented to you/ARIN provided information indicating that the phoney
Micfo shell companies -did- actually exist in -some- state (Delaware?),
and that ARIN -did- verify, to the best of its ability, that those
companies -did- exist, legally speaking, in their originally declared
home state(s).  But that fact is just skirting the real issue here,
which is the question of whether or not ARIN even looks at -changes-
that a registrant may make to the WHOIS records (e.g. for IPv4 blocks)
-after- those blocks have been assigned.

It appears from where I am sitting that ARIN does not do so.  And thus,
I stand by my comment that a registrant -can- in fact put any bloody
nonsense they want into their WHOIS records, at least as long as they
do it via -changes- and not in the original/initial WHOIS records.

>> Regardless, the available records suggest that there are only two likely
>> possibilities in this case:
>>
>> {trimmed}
>> 1) 216.179.128.0/17 was transferred in violation of ARIN policy.
>>
>> 2) The current WHOIS for 216.179.128.0/17 is simply fradulent.
 
>That is easy to address:  submit a fraud request, and it will be reviewed
>and corrected if it was done fraudulently.

I would do that, but for the following four things:

1)  ARIN is not the Internet Police and has no power to affect routing
decisions of anybody.

2)  Getting the info out here, on the NANOG list, allows people to make
up their own minds and to ignore the relevant route announcements
and/or cease peering if they are persuaded that 216.179.128.0/17
is likely a source of "undesirable" packets.

3)  An investigation by ARIN of 216.179.128.0/17 could take weeks or
perhaps even months.  In contrast, packets, including bad ones,
travel from one end of the planet to another in milliseconds.
ARIN and its careful review processes are a sure and steady and
reliable check on fraudulent behavior over the longer term.  But
they will not do much to address the bad packets that may be
flowing out of 216.179.128.0/17 this week, or even next.

4)  Filing a "fraud request" with ARIN is a serious step and one that
could quite conceivably end up with the party filing such a formal
report being on the business end of lawsuit, just for having filed
such a report.

Does ARIN indemnify the parties who file such reports against such
claims, as ARIN is currently asking ARIN-region networks to do for
ARIN if they want to avail themselves of the added security of RPKI?


Regards,
rfg


Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-09 Thread Ronald F. Guilmette
In message 
Ross Tajvar  wrote:

>First he thought that a /17 got stolen (by creating a company with the same
>name as the original, now-defunct owner), but he then said he was wrong and
>actually it either 1) got transferred against ARIN policy or 2) was made to
>look like it was transferred by altering the whois data.

Yes.  What he said.

Although he left out the important detail that the whole thing appears to
be just a smokescreen cover for a large spamming operation, which apparently
targets primarily the Japanese market and which appears to have been ongoing
since at least 2004:

https://yomi.tokyo/agate/toki/bouhan/1103682730/1-/a

Regards,
rfg


Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-09 Thread Ronald F. Guilmette
In message , Brandon Price  wrote:

>
>
> 1) On or about 02-17-2010 HHSI, Inc. (California) transferred the
>registration of the 216.179.128.0/17 block from itself to the
>2009 vintage Delaware entity Azuki, LLC.  If this is what happened,
>then it is likely that the transfer was performed in violation
>of the applicable ARIN transfer policy that was in force at the time.
>(Azuki, LLC did not simply buy-out HHSI, Inc., lock, stock, and
>barrel in 2010.  California records show that HHSI, Inc. continued
>to be an active California corporation until at least 02/12/2014,
>and probably well beyond that date.)
>
>
>The ARIN policy in effect at the time of the transfer would absolutely allow
>this as an 8.2 mergers and acquisitions sale. There is no policy requirement
>for a "lock, stock, and barrel" buy-out as you say.
>
>From the 2010.1 version published 13 JAN 2010, ref: https://www.arin.net/vault/policy/archive/nrpm_20100113.pdf
>
>
>"ARIN will consider requests for the transfer of number resources
>in the case of mergers and acquisitions upon receipt of
>evidence that the new entity has acquired the assets which
>had, as of the date of the acquisition or proposed
>reorganization, justified the current entity's use of the number
>resource. Examples of assets that justify use of the number
>resource include, but are not limited to:
>* Existing customer base
>* Qualified hardware inventory"
>
>So they bought the customers and routers that were using that /17. What's
>the big deal?

Firstly, there is no clear evidence that I am aware of that there are any
"customers" per se in this case.  Spamhaus has, in effect, judged the
entire 216.179.128.0/17 block as being just one big spamming operation,
and I personally have no reason at this instant to take issue with that
judgement.  (Please note also that a generally reliable source informs
me that Spamhaus has had this SBL listing for the entire 216.179.128.0/17
block active and in place since circa 2010-03-02, i.e. a full 9 years now.)

So anyway, in this case we are really only talking about equipment and not
"customers" per se.  If I am wrong about that, please post the evidence.

Second and more to the point, I think that you and I have dramatically
different understandings of the plain meanings of the terms "merger" and
"acquisition".

The evidence indicates that HHSI, Inc. neither merged with nor was acquired
by Azuki, LLC.  Rather, HHSI continued to have, and to actively maintain
its own separate legal existence through at least 2014... several years
*after* the moment in time, on or about 02-17-2010, when the -apparent-
ownership of the 216.179.128.0/17 block (going by the WHOIS records)
somehow magically passed from HHSI, Inc. to Azuki, LLC.

It is not my understanding of mergers and/or acquisitions that the merged
(or acquired) entity continues to have and maintain a separate legal
existence from the other merged (or acquiring) entity following the
merger or acquisition.  You, it seems, may have a different conception.

Theoretically, HHSI, Inc may have been acquired by Azuki, LLC and may have
then become a wholly owned subsidiary of Azuki, LLC.  This would explain
its continued, simultaneous, and parallel legal existence in the years
2010 through 2014, along with Azuki, LLC.  But even if this rather remote
possibility applied, it would still not serve to explain the apparent
2010 transfer of the 216.179.128.0/17 block from the wholly owned subsidiary
to the parent entity.  Why would such a transfer be either necessary or
even desirable?  And how would such a transfer comport with the ARIN
transfer regulations in place at the time?  Those regulations, as you
have quoted them, DO NOT obviously sanction transfers from subsidiaries
to parent entities in cases where both survive as separate legal entities.
And it is not even in the least bit clear that there even was any such
parent/subsidiary relationship between these two corporate entities at
the time of the transfer.

But in answer to your larger question, "What's the big deal?", the answer
is that -all- WHOIS records for -all- IP address blocks administered by
-all- RIRs are fundamentally unvetted and thus untrustworthy.  This one
case is a clear and blatant example of that fundamental problem with the
way all RIRs are behaving.

As far as I am aware, no RIR makes any effort whatsoever to vet changes
to WHOIS records, either for IP blocks or ASNs or ORG records.  (And this
fact was abundantly evident in the Micfo fraud case, where the man behind
that fiddled the majority of the street address and other contact information
appearing in the public-facing WHOIS records for the blocks assigned to his
various phony baloney shell companies in a now-obvious attempt to mislead
both the public and also anti-abuse investigators.)

Someday soon, because of policies in place at all of the RIRs, you're
going to get some spam, or a hack attempt from a 

Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-09 Thread Ronald F. Guilmette
Further investigation of this case obliges me to post the following
correction and retraction.

Additional evidence now strongly suggests that the 216.179.128.0/17
IP address block has NOT been "stolen" as I had suggested yesterday.
I simply mis-read the ARIN historical registration ("WhoWas") data
with respect to this block.

In fact, the ARIN historical "WhoWas" registration data for this
block indicates that when the block was first assigned, by ARIN...
which the historical WhoWas records show as occurring on 06-24-2002...
the block was assigned to a Southern California company named HHSI, Inc.

Records available on the California Secretary of State's web site
indicate that this company was first registered with the State of
California 02/11/2002.  Oddly, some seven years would pass after the
registration of this California corporation before any documents
were filed with California which would designate any officers of
the company.  On 03/02/2009 however a filing was made indicating
the President of the company was a gentleman named Koji Ban.
Additional corporate filings in subsequent years indicate that
both Mr. Ban and the company, HHSI, Inc. were located at 20 Arches,
Irvine, CA 92603.

On or about 02-17-2010 the public WHOIS record for the 216.179.128.0/17
block was changed so that instead of designating HHSI, Inc. (California)
as the block's registrant, the WHOIS record for the block would henceforth
say instead that the registrant of the block was the 2009 vintage
Delaware LLC called Azuki, LLC.

Unfortunately, we cannot read too much into this change that was made
to the block's public-facing WHOIS record.  Neither the new WHOIS info
nor even the old WHOIS info can be used to reliably infer who or what
is the legitimate registrant of the block at any point in time.  This
is because ARIN, like all of the other Regional Internet Registries,
allows registrants to put essentially any bovine excrement they desire
into their public-facing WHOIS records.  (And, it should be noted, the
man behind the recent large scale "Micfo" fraud apparently availed
himself of this exact opportunity for subterfuge, in spades.)

Regardless, the available records suggest that there are only two likely
possibilities in this case:

 1) On or about 02-17-2010 HHSI, Inc. (California) transferred the
registration of the 216.179.128.0/17 block from itself to the
2009 vintage Delaware entity Azuki, LLC.  If this is what happened,
then it is likely that the transfer was performed in violation
of the applicable ARIN transfer policy that was in force at the time.
(Azuki, LLC did not simply buy-out HHSI, Inc., lock, stock, and
barrel in 2010.  California records show that HHSI, Inc. continued
to be an active California corporation until at least 02/12/2014,
and probably well beyond that date.)

 2) Alternatively, on or about 02-17-2010 HHSI, Inc. (California) simply
altered what would henceforth appear in the public-facing WHOIS
record for the 216.179.128.0/17 block to make it appear... to
everyone except ARIN staff, who knew better... that the block was
now registered to Azuki, LLC in Delaware.

Only ARIN staff can tell us which of these possibilities actually applies.
But due to ARIN's strict adherence to contractual confidentiality with
respect to all of their resource holders, I do not anticipate that ARIN
will actually provide any clarity on this case anytime soon.

To summarize, either the block was transferred in 2010 in violation of
ARIN's own transfer policy or else the information that we have all been
looking at in this block's WHOIS record since 02-17-2010 is and has been
nothing other than a very deliberate and bald-faced lie.  There is no
third option.

Regardless of which of the two possible scenarios applies, it is a dead
certainty that the registration of the 216.179.128.0/17 block was indeed
transferred away from HHSI, Inc. at some point in time, and in a manner that
most probably did not comport with applicable ARIN transfer restrictions
in place at the time.  I say this without fear of contradiction because
the State of California currently lists HHSI, Inc. as "suspended".  Legally
speaking, it no longer exists.  It cannot therefore still be a valid
contractual counterparty, with ARIN, or with respect to the registration
of *any* ARIN-administered resources.

All of this ambiguity, and all of these crooked deception games are enabled
and materially aided and abetted by the disastrous interplay of two
longstanding policies that are and have been in force, for many many years,
both at ARIN and also at all of the other RIRs, namely:

   *)  Excessive anal retentiveness with respect to corporate confidentiality
   which deprives the public at large from even knowing even so much as
   the accurate and correct legal names of resource holders.

   *)  Policies which permit resource holders to place any 

Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-08 Thread Ronald F. Guilmette
Corporate identity theft is a simple ploy which may be used to illicitly
obtain valuable IPv4 address space.  Actual use of this fraudulent ploy
was first described publicly in April, 2008 (https://wapo.st/2YLEhlZ).

Quite simply, a party bent on undertaking this ploy may just search
the publicly available IP block WHOIS records, looking for abandoned and
unrouted IPv4 address blocks belonging to companies or organizations
which no longer exist.  Upon finding any such, the thief may simply
undertake to formally register, with relevant government authorities,
a new corporate entity with the same or a very similar name as the now
defunct entity that is still listed in the WHOIS records as the registrant
of the coveted IPv4 address block(s).

Note that so-called "legacy" address blocks, i.e. those which were
assigned prior to the formation of ARIN in early 1997, are especially
prized by IPv4 address thieves because such blocks may be less subject
to effective control or regulation by Regional Internet Registries.

Publicly available evidence strongly suggests that a corporate identity
theft has occurred with respect to a former Delaware corporate entity
known as Azuki, LLC and also with respect to its valuable legacy IPv4
address block, 216.179.128.0/17.

The corporate search function of the Delaware Secretary of State's web
site may be used to obtain records relevant to corporate entities
registered in Delaware:

https://icis.corp.delaware.gov/Ecorp/EntitySearch/NameSearch.aspx

At present, the Delaware SoS's web site indicates that there are or have
been two different corporate entities, both named Azuki, LLC, that have
been registered in the State of Delaware.  The file numbers for these
entities are 2810116 and 4751384.

The former entity was first registered in Delaware on or about 10/20/1997.
Its current operating status cannot be known without paying a fee.  My
own personal speculation is that it most likely ceased operation well
more than a decade ago.

The latter entity was registered in Delaware on or about 11/9/2009.

According to the current live ARIN WHOIS record for the 216.179.128.0/17
address block (NET-216-179-128-0-1), this block was first allocated by ARIN
to Azuki, LLC on or about 1999-01-07.  Quite obviously, this assignment
must have been made by ARIN to the original 1997 Azuki, LLC because the
one that was registered in Delaware in 2009 did not yet exist at that time.

Nonetheless the mailing address currently present in the ARIN WHOIS
record for the 216.179.128.0/17 IPv4 address block, and the one which
is also present in the ARIN WHOIS record for the 2009 vintage ASN,
AS13389 (Azuki, LLC), i.e. 3500 South DuPont Hwy, Dover, DE, 19901,
matches exactly with the address given in Delaware corporate records
for the particular Azuki, LLC that was registered in Delaware in 2009.
(The corporate address that is still on file in Delaware for the original
1997 Azuki, LLC is located in a different Delaware city altogether.)

These evident inconsistencies, by themselves, are strongly indicative
of a probable case of corporate identity theft.  Additional indicators
are however also present in this case.

In particular, the contact email address for both the Azuki, LLC ASN
(AS13389) and the Azuki, LLC IPv4 address block (216.179.128.0/17), i.e.
tech_dep (at) azukinet.com, makes reference to the azukinet.com domain
which was, according to the relevant GoDaddy WHOIS record, registered
anew on or about 2011-05-12, some twelve years -after- the original
assignment, by ARIN, of the 216.179.128.0/17 block to Azuki, LLC.

The absence of evidence of the continuous registration of this one and
only contact domain name since the original 1999 assignment, by ARIN,
of the 216.179.128.0/17 address block also tends to support the theory
that this valuable address block has been illicitly and perhaps illegally
appropriated by some party or parties unknown, and specifically via the
fraudulent ruse of a corporate identity theft.  Quite simply, my theory
is that following the demise of the original Azuki, LLC, sometime in
the 2000s, some enterprising crook registered the domain name azukinet.com
in order to successfully impersonate the actual and original Azuki, LLC,
specifically when interacting with ARIN staff members.  This simple ruse
appears to have worked successfully for its intended purpose.

Additionally, attempts to call the contact phone number for Azuki, LLC,
(+1-213-304-6809) as currently listed in both the relevant ASN and the
relevant IP block WHOIS records, during normal business hours, Eastern
Daylight Time, yield only an anonymous answering machine recording.
(The recorded message does not even state the company name.)  This is
yet another indicator of possible deliberate deception.

Last but not least, the widely-respected Spamhaus anti-spam organization
has had the entirety of the 216.179.128.0/17 block listed on its anti-spam
SBL list since 2019-06-08, i.e. two full months, dating backwards 
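
The post above reads three independent records against each other: the ARIN allocation date, the corporate registry entries that share the registrant's name, and the creation date of the contact domain. The following Python is an added example, not part of the original post or of any ARIN tooling, that turns that cross-check into a function so it can be re-run on any block. The field names, the indicator codes and the function names are my own choices; the input data is assembled by hand from the figures quoted in the post, except that the 1997 entity's street address, which the post does not give, is a placeholder that merely has to differ from the WHOIS address.

```python
from datetime import datetime

# Date layouts seen on the three sources used above: ARIN WHOIS (ISO),
# state corporate registries (MM/DD/YYYY) and this thread's MM-DD-YYYY.
DATE_FORMATS = ("%Y-%m-%d", "%m/%d/%Y", "%m-%d-%Y")


def parse_date(text):
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            pass
    raise ValueError(f"unrecognised date: {text!r}")


def normalise(text):
    """Case- and punctuation-insensitive comparison key for names and addresses."""
    return " ".join(text.lower().replace(",", " ").replace(".", " ").split())


def identity_theft_indicators(block, entities):
    """Cross-check one WHOIS record against every registry entry that shares
    its registrant name.  Returns (code, detail) pairs; an empty list is clean."""
    allocated = parse_date(block["allocated"])
    whois_addr = normalise(block["whois_address"])
    same_name = [e for e in entities
                 if normalise(e["name"]) == normalise(block["registrant"])]
    original = [e for e in same_name if parse_date(e["registered"]) <= allocated]
    later = [e for e in same_name if parse_date(e["registered"]) > allocated]
    findings = []
    if not original:
        findings.append(("NO_ORIGINAL_ENTITY",
                         "no same-name entity existed when the block was allocated"))
    for e in later:
        findings.append(("LATER_SAME_NAME_ENTITY",
                         f"{e['name']} file {e['file_number']} registered "
                         f"{e['registered']}, after the {block['allocated']} allocation"))
        if normalise(e["address"]) == whois_addr:
            findings.append(("WHOIS_ADDRESS_MATCHES_LATER_ENTITY",
                             f"WHOIS address is that of file {e['file_number']}"))
    if original and not any(normalise(e["address"]) == whois_addr for e in original):
        findings.append(("WHOIS_ADDRESS_DIFFERS_FROM_ORIGINAL",
                         "WHOIS address matches none of the entities that predate allocation"))
    if parse_date(block["contact_domain_created"]) > allocated:
        findings.append(("CONTACT_DOMAIN_POSTDATES_ALLOCATION",
                         f"{block['contact_domain']} created {block['contact_domain_created']}"))
    return findings


# Hand-assembled from the figures quoted in the post above (test input, not a
# live WHOIS pull).  The 1997 entity's address is a PLACEHOLDER: the post only
# says it is in a different Delaware city.
AZUKI_BLOCK = {
    "prefix": "216.179.128.0/17",
    "registrant": "Azuki, LLC",
    "allocated": "1999-01-07",
    "whois_address": "3500 South DuPont Hwy, Dover, DE, 19901",
    "contact_domain": "azukinet.com",
    "contact_domain_created": "2011-05-12",
}
DELAWARE_ENTITIES = [
    {"name": "Azuki, LLC", "file_number": "2810116", "registered": "10/20/1997",
     "address": "PLACEHOLDER other Delaware city"},
    {"name": "Azuki, LLC", "file_number": "4751384", "registered": "11/9/2009",
     "address": "3500 South DuPont Hwy, Dover, DE 19901"},
]

# Constructed control case on documentation ranges: nothing should fire.
CLEAN_BLOCK = {
    "prefix": "198.51.100.0/24", "registrant": "Example Net, Inc.",
    "allocated": "2001-05-01", "whois_address": "1 Main St, Reno, NV 89501",
    "contact_domain": "example.net", "contact_domain_created": "1995-08-14",
}
CLEAN_ENTITIES = [
    {"name": "Example Net, Inc.", "file_number": "C1", "registered": "03/12/1999",
     "address": "1 Main St., Reno, NV 89501"},
]

if __name__ == "__main__":
    for code, detail in identity_theft_indicators(AZUKI_BLOCK, DELAWARE_ENTITIES):
        print(f"{code}: {detail}")
    print("control case:", identity_theft_indicators(CLEAN_BLOCK, CLEAN_ENTITIES))
```

Each code is an indicator, not a verdict. The author's own correction later in this thread, after reading the ARIN WhoWas history for the block, is the caveat in practice: current-state WHOIS and registry records can all be consistent with a theft and still be explained by a transfer, so a non-empty result is the cue to pull the registration history, not to conclude.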

Re: Russian Anal Probing + Malware

2019-06-22 Thread Ronald F. Guilmette
In message , 
"Keith Medcalf"  wrote:

>On Friday, 21 June, 2019 18:14, Ronald F. Guilmette wrote:
>
>>https://twitter.com/GreyNoiseIO/status/1129017971135995904
>>https://twitter.com/JayTHL/status/1128718224965685248
>
>Sorry, don't twitter ...  Too much malicious JavaScript there.

Can you be more, um, specific?

>>80.82.64.21 scanner29.openportstats.com
>>...
>
>Why do you think it is a problem and not just run-of-the-mill background
>radiation on the Internet?  

It's not a problem for me personally... other than the fact that these
goofballs are filling up my log files to no good end.  I just wanted
others to be aware of this (apparently ongoing) garbage.

And I wouldn't want anyone to be fooled by the mere fact that this
openportstats.com domain has a sort of a web site.  It's still 100%
illegitimate.

>Do you (or your endpoints) not have a firewall to block such things?

I do, and I hope everyone else does also.

>What malware slinging?  I see none of that.

You didn't look at the Twitter reports.

>>https://bit.ly/2ZBayc4
>
>Malicious link detected.

If you say so. (It's actually just a cute picture.)


Regards,
rfg


Russian Anal Probing + Malware

2019-06-21 Thread Ronald F. Guilmette
https://twitter.com/GreyNoiseIO/status/1129017971135995904
https://twitter.com/JayTHL/status/1128718224965685248

Friday Questionnaire:

Is there anybody on this list who keeps firewall logs and who
DOESN'T have numerous hits recorded therein from one or more
of the following IP addresses?

80.82.64.21 scanner29.openportstats.com
80.82.70.2 scanner8.openportstats.com
80.82.70.198 scanner21.openportstats.com
80.82.70.216 scanner13.openportstats.com
80.82.78.104 scanner151.openportstats.com
89.248.160.132 scanner15.openportstats.com
89.248.162.168 scanner5.openportstats.com
89.248.168.62 scanner1.openportstats.com
89.248.168.63 scanner2.openportstats.com
89.248.168.73 scanner3.openportstats.com
89.248.168.74 scanner4.openportstats.com
89.248.168.170 scanner17.openportstats.com
89.248.168.196 scanner16.openportstats.com
89.248.171.38 scanner7.openportstats.com
89.248.171.57 scanner20.openportstats.com
89.248.172.18 scanner25.openportstats.com
89.248.172.23 scanner27.openportstats.com
93.174.91.31 scanner10.openportstats.com
93.174.91.34 scanner11.openportstats.com
93.174.91.35 scanner12.openportstats.com
93.174.93.98 scanner18.openportstats.com
93.174.93.149 scanner6.openportstats.com
93.174.93.241 scanner14.openportstats.com
93.174.95.37 scanner19.openportstats.com
93.174.95.42 scanner8.openportstats.com
94.102.51.31 scanner31.openportstats.com
94.102.51.98 scanner55.openportstats.com
94.102.52.245 scanner9.openportstats.com


NOTE:  Dshield has already assigned an 8 rating on their Badness Richter
Scale to the specific one of the above addresses that's been poking me
personally in recent days:

https://www.dshield.org/ipinfo.html?ip=89.248.162.168
https://www.dshield.org/ipdetails.html?ip=89.248.162.168

And the Dshield rating is *just* based on the probing.  The addition of
malware slinging also puts this whole mess over the top entirely.

Oh!  And I'll save you all the time looking it up 100% of the IPs
listed above are on AS202425 "IP Volume, Inc." allegedly of the Seychelles
Islands, where the employees and management are no doubt enjoying their
luxurious and expansive new corporate headquarters...

https://bit.ly/2ZBayc4


Regards,
rfg


P.S.  This is the kind of thing that everybody really should expect
when the U.S. Department of Defense takes it upon itself to start up
its own little private and unauthorized (cyber)war on Russia, without
first obtaining the consent of Congress... you know, kinda like that
ancient yellowed document that nobody in this country reads anymore
says they should.  And apparently, the DoD was understandably not
anxious to brief even the President about all this...

https://www.businessinsider.com/us-officials-hide-russia-cyber-operation-trump-2019-6

(Not that anybody can really blame them for THAT.)
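
The question above is answerable from a firewall log. The following Python is an added example, not part of the original post, that checks netfilter-style LOG lines against the scanner list as posted, counts hits per listed source and the ports it probed, and collapses the sources into /24 prefixes, since the list clusters into a handful of netblocks that are easier to drop than 28 host routes. The scanner list is copied verbatim from the post; the log lines are constructed for the example, not real captures, and the function names are mine.

```python
import ipaddress
import re
from collections import defaultdict

# Scanner list exactly as posted above (IP, forward hostname).
SCANNER_LIST = """\
80.82.64.21 scanner29.openportstats.com
80.82.70.2 scanner8.openportstats.com
80.82.70.198 scanner21.openportstats.com
80.82.70.216 scanner13.openportstats.com
80.82.78.104 scanner151.openportstats.com
89.248.160.132 scanner15.openportstats.com
89.248.162.168 scanner5.openportstats.com
89.248.168.62 scanner1.openportstats.com
89.248.168.63 scanner2.openportstats.com
89.248.168.73 scanner3.openportstats.com
89.248.168.74 scanner4.openportstats.com
89.248.168.170 scanner17.openportstats.com
89.248.168.196 scanner16.openportstats.com
89.248.171.38 scanner7.openportstats.com
89.248.171.57 scanner20.openportstats.com
89.248.172.18 scanner25.openportstats.com
89.248.172.23 scanner27.openportstats.com
93.174.91.31 scanner10.openportstats.com
93.174.91.34 scanner11.openportstats.com
93.174.91.35 scanner12.openportstats.com
93.174.93.98 scanner18.openportstats.com
93.174.93.149 scanner6.openportstats.com
93.174.93.241 scanner14.openportstats.com
93.174.95.37 scanner19.openportstats.com
93.174.95.42 scanner8.openportstats.com
94.102.51.31 scanner31.openportstats.com
94.102.51.98 scanner55.openportstats.com
94.102.52.245 scanner9.openportstats.com
"""

# Constructed iptables LOG-target lines (not real captures); 198.51.100.5 is a
# documentation address standing in for ordinary background noise.
SAMPLE_LOG = """\
Jun 21 10:02:11 gw kernel: DROP IN=eth0 OUT= SRC=89.248.162.168 DST=203.0.113.7 LEN=40 TTL=247 ID=54321 PROTO=TCP SPT=43915 DPT=3389 WINDOW=1024 SYN
Jun 21 10:02:12 gw kernel: DROP IN=eth0 OUT= SRC=89.248.162.168 DST=203.0.113.7 LEN=40 TTL=247 ID=54322 PROTO=TCP SPT=43915 DPT=445 WINDOW=1024 SYN
Jun 21 10:05:40 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.5 DST=203.0.113.7 LEN=40 TTL=52 ID=1010 PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 SYN
Jun 21 10:07:03 gw kernel: DROP IN=eth0 OUT= SRC=80.82.70.2 DST=203.0.113.7 LEN=44 TTL=245 ID=2 PROTO=TCP SPT=8080 DPT=8080 WINDOW=1024 SYN
Jun 21 10:09:55 gw kernel: DROP IN=eth0 OUT= SRC=89.248.162.168 DST=203.0.113.7 LEN=40 TTL=247 ID=54330 PROTO=TCP SPT=43915 DPT=3389 WINDOW=1024 SYN
Jun 21 10:11:20 gw kernel: DROP IN=eth0 OUT= SRC=93.174.95.42 DST=203.0.113.7 LEN=28 TTL=246 ID=7 PROTO=UDP SPT=55555 DPT=161 LEN=8
Jun 21 10:12:00 gw kernel: accepted ssh login from 192.0.2.9
"""

LOG_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+).*?PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_scanner_list(text):
    """Map each listed scanner IP to its forward hostname."""
    scanners = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            scanners[ipaddress.ip_address(parts[0])] = parts[1]
    return scanners


def parse_log_line(line):
    """(src, proto, dport) for a netfilter LOG line, or None if it is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return ipaddress.ip_address(m["src"]), m["proto"].lower(), int(m["dpt"])


def scan_firewall_log(lines, scanners):
    """Count hits from the listed scanners, keyed by source IP string."""
    hits = defaultdict(lambda: {"hostname": "", "count": 0, "ports": set()})
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        src, proto, dport = parsed
        if src in scanners:
            rec = hits[str(src)]
            rec["hostname"] = scanners[src]
            rec["count"] += 1
            rec["ports"].add(f"{proto}/{dport}")
    return dict(hits)


def scanner_prefixes(scanners, prefixlen=24):
    """Covering prefixes of the given length: what you would drop at the border."""
    nets = {ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False) for ip in scanners}
    return sorted(nets)


SCANNERS = parse_scanner_list(SCANNER_LIST)

if __name__ == "__main__":
    for src, rec in sorted(scan_firewall_log(SAMPLE_LOG.splitlines(), SCANNERS).items()):
        print(f"{src:16} {rec['hostname']:30} hits={rec['count']} ports={sorted(rec['ports'])}")
    print("prefixes to drop:", ", ".join(str(n) for n in scanner_prefixes(SCANNERS)))
```

Feed it `journalctl -k` or `/var/log/kern.log` instead of SAMPLE_LOG to answer the questionnaire for your own network; the 13 /24s it prints are the whole of the list as posted, and a DShield or route-origin lookup on those prefixes is the next step if you want to confirm they share an origin AS.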


AS24940 Hetzner -- non-role contact wanted

2019-04-22 Thread Ronald F. Guilmette


Subtitle: Another Big Mess On Aisle Thirteen.  Somebody Grab The Mop!

Just over a month ago, I was here, doing what I always do, bitching
and moaning about the low-life trash that is typically allowed to roam
free and unfettered on the Internet:

https://mailman.nanog.org/pipermail/nanog/2019-March/100135.html

Shortly thereafter, it appeared that perhaps that effort on my part had
not been a total waste of electrons.  The extortion spams stopped, for
awhile anyway, and it started to look like Digital Ocean had in fact
kicked the perp's ass to the curb.  So, you know, case closed, right?  Well,
not really.  Once this kind of clown gets a taste for the easy money,
it's hard to go back to actually washing dishes for a living again.  So,
you know, HE'S BACK.

https://twitter.com/SpamAuditor/status/1120473072354635779

(And for those of you who may want to claim that I'm being sexist, and
that I can't know for sure if it is a man or a woman behind this shit,
I just have one word:  No.  Women don't do this shit.  Perhaps they
have more respect for their fellow humans, or whatever.  But the reality
is, of all the low-life scumbag spammers that I've ID'd over the past 20+
years... and there have been plenty of them... 99.99% have been men.
That's just a fact.)

So anyway, based on the current evidence, it's looking like Digital
Ocean -may- possibly have actually -tried- to kick this guy off their
network, or maybe not.  (See below.)  It's possible that they just told
him that they would be happy to keep on taking his money, but that he
just shouldn't spam from their network anymore.  I don't really have
any way of knowing.  They didn't tell me the crook's name, so who the
hell knows?

In any case, now it appears that this same specific spammer and con-man
is now doing his extortion spamming 100% from AS24940 Hetzner.  Here is
a freshly updated list of all of his spam spewer FQDNs, and the IPv4
addresses that all of them are pointed at right now:

https://pastebin.com/raw/3fbACedn

If and only if Digital Ocean (AS14061) really did kick this scumbag's
ass to the curb... or if they at least tried to do so... then that
eliminates all of the IP addresses shown in the above list that are
prefixed with Digital Ocean's ASN (14061) from the list, at least as
far as outbound spamming is concerned.  That would leave us with only
the AS24940 Hetzner IP addresses as current live spam spewers:

https://pastebin.com/raw/t9Rs4HMT

(In case it isn't obvious, I do advise all parties not to accept any
incoming email from any of the above listed IPs or domain names until
this all gets cleaned up.)

Meanwhile, I'd like to get hold of a (non-role) contact email address
for any warm body at Hetzner who may actually give a shit about any of
this.  I understand that this may be a REAL big ask.  I have been
informed, just today, by a reliable source that fundamentally, Hetzner
just doesn't do shit about spam reports sent their way.

And anyway, why would they?  Apparently, none of the other big hosting
providers do anything but ignore the spam reports that are sent to them
either.  And just as Digital Ocean had done to me one month ago, when I had
occasion to send Hetzner a report about some totally unrelated spam that
I received, just today, from their network, about 30 seconds later I got
back what can only be called an "ignore bot" automated email reply, telling
me ... just as Digital Ocean has done to me previously... that while it
was perfectly OK with them if their customers spammed me via the medium
of email, that there was nonetheless no frekin' way that THEY would entertain
any reports about that VIA EMAIL.  So I was told to fill out some web form
on the Hetzner web site, so that Hetzner staff could remain anonymous, and
could anonymously receive that report, and then immediately and with all
due haste dispatch it forthwith directly to /dev/null.  Swell.

So, you know, it may not do a bit of good, but I really would like to be
able to find out for myself if Hetzner is just totally staffed by mindless
robots, utterly lacking in compassion and empathy and also any sense of
ethics, or if there is at least one live engineer there... someone with
a name and a face and maybe even a friend or relative who has been conned
by one in this endless parade of unaccountable Internet fraudsters.  I'd
like to find out, in other words, if there is any warm body there who even
gives a shit.

So, if any of you who are reading this happen to know any live humans at
Hetzner, please do send me their contact info.   I am most certainly
*not* going to fill out Hetzner's dumb-ass waste-of-my-time web form just
for the honor of informing THEM of THEIR freakin' problem child customer,
especially given the high probability that my attempt to report this to
them will go straight to the bit bucket.

I actually don't mind lending a hand to help mega providers like this to
clean their own toilets.  I do mind however when they go out of their way

Re: Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

2019-03-19 Thread Ronald F. Guilmette


In message 
, 
Tom Beecher  wrote:

>Calling everyone an idiot in the midst of Endless Pontification isn't
>really a recipe for success.

I did not call "everyone" an idiot.  I'm quite completely sure that there
are innumerable people in all of the referenced companies who are consummate
and hardworking professionals who excel at their jobs.  I do believe however,
based on considerable experience and much hard evidence, that the abuse
handling departments at OVH and DigitalOcean, and indeed at essentially
-every- sizable hosting company are less than entirely well staffed, less
than entirely well trained, less than entirely well funded, and often
inadequately effective, either due to their limited willingness or their
limited authority, as circumscribed by management, when it comes to the
execution of their assigned duties.  The abuse handling function at *every*
Internet company is the ugly stepchild, ignored whenever possible, and
typically starved of resources by management whose overriding consideration
is this quarter's P&L statement, and by extension, the nearest upcoming
executive bonus period.


Regards,
rfg



Re: Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

2019-03-19 Thread Ronald F. Guilmette


[[ I've just collected some new information about the length of time
   that this specific bitcoin extortion spamming bad actor has been
   on Digital Ocean's network.  For those who may only have an interest
   in that one detail, you can just skip down to the line of plus signs
   and start reading there. ]]


In message <50414.162.155.102.254.1553001814.ig...@webmail.iglou.com>, 
"Jeff McAdams"  wrote:

>(Disclosure: I, too, work for DigitalOcean as the Manager of Network
>Engineering.  Nikolas does not work for me, nor I for him.)
>
>On Tue, March 19, 2019 02:17, Ronald F. Guilmette wrote:
>>
>
>> Nikolas Geyer  wrote:
>>> I have passed your email on to the relevant team within DO to have a
>>> look at.
>
>> Thank you, but that wasn't what I requested,  I asked for a contact
>> there.
>
>Oh, is that how this works?  I ask that you FedEx me a million dollars
>cash, in small bills.  I await the arrival of said parcel.

In my experience, if you don't ask for something, you aren't likely to
get it.  There's no harm in asking.

In any case, I offer you the pertinent observation also that "small bills"
are so last century.  These days, as should now be abundantly
clear, payment in bitcoin is the preferable currency for such requests.  :-)

>> In any case, I would be more than happy to have you tell me the "right
>> way" to engage with any actual live human beings at either of these
>> companies, especially if you also are able to identify one or more such
>> receptive individuals by name and email address, which is what I was
>> requesting in the first place.
>
>Would you really be happy with that?  You derided another good-faith
>respondent to your screed with a rant about not being willing to fill out
>web forms to report abuse because it offends your sensibilities.

I stand by what I wrote.  I don't like dealing with anonymous web forms
that, for all I know, and based on the available evidence, are or may be
aliased to /dev/null.  I prefer the human touch, especially in cases
where I am seeking to find someone who may be held accountable when and
if no actual action ensues.

>We would prefer, but don't require, that you use the web form because that
>is integrated into the workflow of the groups that respond to those
>reports.  If they choose to give you their individualized contact
>information, then they can do that.  It is not my place, nor Nikolas', to
>give out individual contact information for our co-workers to anyone
>who asks.  That would be irresponsible and obnoxious for us to do that.

I am not just "anyone who asks".  I am a guy who's been spammed from your
network.  If you read my earlier report, then you should know that I am
also the guy who took the time to carefully research this, and to provide
your company with information about this specific crook/spammer...
information that, it seems, you folks yourselves have apparently been
largely or entirely unaware of, and for some considerable time now.
Given that context, am I really entirely undeserving of even being
informed of the mere email address of the head of DigitalOcean's abuse
handling department, assuming, at least for the sake of argument, that
such an individual does in fact exist?  Wouldn't it be a Good Thing
if that person and I could communicate directly?

And more to the point, what would be the downside, exactly, if that
person's name and email address were not only given to me, but also
scattered to the four winds and given out to everyone on the planet?
Are you implicitly asserting that that person might then have to (gasp!)
deal with some additional influx of spam into his or her inbox?  If so,
then I can't help but wonder aloud why that person should NOT join the
rest of us mere mortals in that shared and miserable club.  Perhaps it
would even be of some benefit for that person to come down out of the
clouds at least long enough to experience what the rest of us poor
sods have to deal with on a routine and daily basis.  The experience
might even enhance that person's understanding of, and appreciation of
the very kinds of (spamming) problem that he or she is being paid to
attend to.  Stranger things have happened.

I'll be generous here and will refrain from leaping to any conclusions
that the person in question does not want his or her identity to be
generally known for fear that he/she might then be personally criticised
for his/her work and/or the lack thereof.  But other than that, and a
possible desire to avoid receiving any of this same spam-slime that the
rest of us poor slobs get coated in on a daily basis, I really can't
imagine what other reasons there might be that would cause Digital
Ocean's abuse handling staff and/or the management thereof to be so
overwhelmingly discreet.

What I can say, rather definitively now, is that

Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

2019-03-19 Thread Ronald F. Guilmette


Nikolas Geyer  wrote:

>I have passed your email on to the relevant team within DO to have a look at.

Thank you, but that wasn't what I requested,  I asked for a contact there.
(I know that this may be hard to understand, but it's like the difference
between giving a man a fish, and teaching him how to fish.  I'm sure that
you would make a fine long term conduit between me and whatever mystery people
you think you have made contact with at DigitalOcean, but really, it would
be best if you would simply introduce me to those people directly.  That way,
if you die or go on vacation, incidents like these won't need to be put on
hold until you get back and resume your role as our designated go-between.)

>I'd like to thank you for your deriding commentary to bring attention
>to this problem.

No problem.  My pleasure.

>I am not sure it is the most effective way to try and engage the wider
>industry on a public list, but each to their own.

I am not sure that there is any other way that a lone outsider can or
could engage either OVH or DigitalOcean in a way that would actually
cause either company to take action on the issues I've reported on.
Complaints from ordinary Internet end-lusers about this, which both
companies must surely be drowning in by now, don't seem to be doing the
job.

In any case, I would be more than happy to have you tell me the "right
way" to engage with any actual live human beings at either of these
companies, especially if you also are able to identify one or more
such receptive individuals by name and email address, which is what I
was requesting in the first place.

>Oh, and additionally, as an Australian citizen with many Aussie and
>Kiwi colleagues working at DO of various religious persuasions; your
>postscript relating this back to the recent terror attacks is abhorrent
>and disgusting. You should be completely ashamed. 

It's pretty clear to me that you have rather dramatically misread
the aforementioned postscript to my earlier post, and that a fair and
clear-eyed reading of that should be quite entirely inoffensive to all,
with the possible exception of some few people who work in mass media
and/or the "news" business, such as it currently is.

In that postscript, I merely used a recent mass media controversy relating
specifically and only to the social media -handling- of recent events to
illustrate two blatant absurdities at opposite ends of a spectrum, neither
of which itself has anything at all to do with those recent news events
specifically, much less with the race, creed, color or gender of any of
the people who have, most sadly and regrettably, been caught up in those
events.

Please consider again the two polar opposite absurdities that I was
actually attempting to call attention to.

On the one hand, we have TV talking heads, with essentially no technical
knowledge whatsoever, wondering aloud why social media tech companies cannot
do what is clearly technically impossible, and even more absurdly, why they
can't do it in real time no less.

On the other hand, and in contrast to that absurdity, we have the present
example of this spamming operation that appears to be well and truly
ensconced on the networks of both OVH and DigitalOcean, where even large
multi-billion dollar Internet hosting companies seem utterly unable to
spot even trivial and easily identifiable patterns of bad behavior, in
and among their own respective customer bases, even though, as I have now
illustrated, a single lone unpaid volunteer guy, sitting in his basement
and in his sweaty underwear and a bathrobe -can- easily and quickly spot
the problem, within just a couple of hours in fact, provided that he has
access to a decent quality passive DNS service and an ample supply of
electricity, margaritas and cigarettes.

I'm only kidding, of course.  I don't actually have a basement.


Regards,
rfg


P.S.  Your apparent misreading of my earlier postscript is entirely
understandable and forgivable in light of the rather unfortunate quip
that I made just prior to that, about sending this specific miscreant
to Guantanamo if his skin color was sufficiently dark.

I seriously regret and apologize for that inartful phrasing, and ask
every charitable person to believe me when I say that that was said
entirely in jest (albeit a bad one), and that if anything, it was
intended to be an expression of my own personal outrage about my own
country's abundant inequity and unfairness when dealing with people of
color, either within our so-called justice system or elsewhere.  Our
justice system should be color blind.  Alas, there is much evidence
that it falls far short of this goal at the present time.


Re: Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

2019-03-18 Thread Ronald F. Guilmette


In message ,
Christian Kuhtz  wrote:

>we are asking Microsoft CDOC to investigate.

Thank you.  I am not at all sure who the mysterious "we" is intended to
represent in that sentence.  Perhaps it is just intended as the royal
"we" as in "We are not amused."  But I don't really care.  I am grateful
for any assistance from whatever quarter.

>You can find a variety of ways to report issues at their website as well:
>https://www.microsoft.com/en-us/msrc/cdoc

I do not use web forms to report spam incidents, even those as widespread
and blatantly criminal as in this instance.  It's a matter of principle.

Why should companies such as these hide behind impersonal web forms, even
as their paying customers are allowed to incessantly badger and harass me,
and millions of others, via the medium of email?  Are they too good to get
down in the muck of email with the rest of us mere peasants?  It appears
that they think so.  And in any event, where is the evidence that filling
in such a form would result in any actual action whatsoever?  I don't
see any.  Quite the opposite.  What I see, and what is exemplified by this
specific case, is that EVEN IF people do actually jump through all of the
ridiculous hoops, spammers like this are allowed to just go on and on and
on.  Where is the accountability, either personal or corporate?  Who,
specifically, should be blamed, or can be blamed, if the output of such a
web form is improperly being diverted, on a routine basis, to /dev/null?

If I'm going to invest (or waste?) my time in meticulously explaining to
some large corporation, exactly how they are screwing up, and/or exactly
who and where their bad customers are, then is it really asking too much
to hope and expect that these same companies should, at the very least,
make available some actual human being with whom I can interact, as
necessary, in order to make sure that they understand what I have taken
my time to research and explain to them?

It's a serious question, and I am constantly befuddled by the apparent
desire of large corporations... even and perhaps especially those in the
"communications" business...  to isolate themselves from any and all
outside communications, even those which might be helpful and beneficial
to the corporations themselves.   In short, would it really kill your
people in your Digital Crimes Unit to just simply publish their names
and email addresses, you know, sort of like the rest of us mere mortals
do?

Furthermore, I am compelled to ask this additional question:  Why should
it even be incumbent upon unpaid volunteer Internet firefighters, such
as myself, to inform various multi-billion dollar corporations that they
have a problem?  Are they really incapable of keeping a close eye on their
own networks and figuring this out for themselves?  I confess that on some
days it would seem so.

I now have your email address, which I see is in the microsoft.com domain.
And I thank you for that.  I hope that you won't begrudge me too awfully
much if, the next time such a situation arises, I make use of it.  As I
have bemoaned at length now, it is both rare and difficult to find an
actual and/or accountable human at most of the large corporations that
run so much of the modern Internet, and thus, I am grateful to have one
more such contact in my back pocket, especially given that you have already
demonstrated that you both care and will take at least some action in
response to serious ongoing situations such as this one.   I thank you,
and only ask that you please stay healthy and do not seek employment
elsewhere, at least until my own demise or until the sun goes nova,
whichever comes first.


Regards,
rfg



Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

2019-03-18 Thread Ronald F. Guilmette


OVH, DigitalOcean, and Microsoft...

Is there anybody awake and conscious at any of these places?  I mean
anybody who someone such as myself... just part of the Great Unwashed
Masses... could actually speak to about a real and ongoing problem?

Maybe most of you here will think that this is just a trivial problem, and
one that's not even worth mentioning on NANOG.  So be it. Make up your own
minds.  Here is the problem...

For some time now, there has been an ongoing campaign of bitcoin
extortion spamming going on which originates primarily or perhaps
exclusively from IPv4 addresses owned by OVH and DigitalOcean.
These scam spams have now been publicised in multiple places:

   https://myonlinesecurity.co.uk/fake-cia-sextortion-scam/

Yea, that's just one place, I know, but there's also no shortage of people
tweeting about this crap also, in multiple languages even!

https://twitter.com/SpamAuditor/status/1107365604636278784
https://twitter.com/dvk01uk/status/1107510553621266433
https://twitter.com/bortzmeyer/status/1107737034049900544
https://twitter.com/ariestess69/status/1107468838596038656
https://twitter.com/bernhard_mahr/status/1107513313020297216
https://twitter.com/jzmurdock/status/1107679858945974272
https://twitter.com/gamamb/status/1107384186548207617
https://twitter.com/davidgsIoT/status/1107725201331097606
https://twitter.com/cybers_guards/status/1107675396076560384
https://twitter.com/ThatHostingCo/status/1107588660831105024
https://twitter.com/fladna9/status/1107554090765242368
https://twitter.com/JUSTADACHI/status/1107549777607184384
https://twitter.com/okhin/status/1107627379650908160
https://twitter.com/Purple_Wyrm/status/1107454618705887232
https://twitter.com/LadyOFyre/status/110734900550144
https://twitter.com/laurelvail/status/1107345980062523392
https://twitter.com/Alex__Rubio/status/1107595560440217600

The thing of it is that ALL of this crap... all of these scam spams... are
quite obviously originating out of the networks of OVH and DigitalOcean.
And it's not even all that hard to figure out where from, exactly and
specifically.  I generated the following survey, on the fly, last night,
based on a simple reverse DNS scan of the evidently relevant address
ranges:

https://pastebin.com/raw/WtM0Y5yC

As anyone who isn't as blind as a bat can easily see, there's a bit of a
pattern here.  All of the spam source IPs are on just two ASNs:

   AS16276 - OVH SAS
   AS4061 - DigitalOcean, LLC

It's equally clear that there have already been numerous reports about this
ongoing and blatantly criminal activity that have been sent to the low-level
high school dropout interns that these companies, like most others on the
Internet these days, choose to employ as their first-level minions in their
"not a profit center" abuse handling departments.  So, guess what?  Surprise,
surprise!  None of those clue-deprived flunkies have apparently yet managed
to figure out that there's a pattern here.  Duh!.  As a result, the scamming
and the spamming just go on and on and on, and the spammer-scammer just
keeps on getting fresh new IP addresses on both of these networks... and
fresh (and utterly free) new domain names from the equally careless company
called Freenom.

So, you know, I really would appreciate it if someone could either put me
in touch with some actual sentient being at either OVH or DigitalOcean...
assuming that any such actually exist... or at the very least, try to find
one to whom clue may be passed about all this, because although these scam
spams were kind of humorous and novel at first, the novelty has now worn off
and they're really not all that funny anymore.

Oh!   And while we are on the subject, I'd also like to obtain a contact,
preferably one which is also and likewise in possession of something roughly
approximating clue, at this place:

   AS200517 - Microsoft Deutschland MCIO GmbH

The reason is that although MS Deutschland is most probably not the source
of any of the spams, they, or at least their 51.18.39.107 address, do appear
to be mixed up in all of this somehow:

https://pastebin.com/raw/ziVNCmZ8

I dunno.  Maybe Microsoft has managed to engineer a merger with the CIA (?)
If not, then maybe they would be so kind as to rat out this specific criminal
customer of theirs to appropriate authorities.

Don't get me wrong. I heartily applaud Microsoft's Digital Crimes Unit for
all of the admirable work they do, but you know the old saying... charity
begins at home.  So my hope is that they will seek to get this low-life off
their network immediately, if not sooner, and then also seek to arrange
suitable long term accommodations for him in, say, Florence, Colorado, or,
if he/she/it has a higher than average level of tan, I hope that they will
make all necessary inquiries to find out if there are still any open bunks
available in Gitmo.


Regards,
rfg


P.S.  In recent days, the popular media has 

Re: Webzilla

2019-03-18 Thread Ronald F. Guilmette


In message ,
Eric Kuhnke  wrote:

>Looking at the AS adjacencies for Webzilla, what would prevent them from
>disconnecting all of their US/Western Euro based peers and transits, and
>remaining online behind a mixed selection of the largest Russian ASes? I do
>not think that any amount of well-researched papers and appeals to ethical
>ISPs on the NANOG mailing list will bring down those relationships.

Everything you say may be correct, but I personally would feel remiss if
I failed to point out the facts of this case to an audience that has it
within its power to do something about the issue.

And the facts in this case could not be more plain.  At best, it can only
be said that Webzilla, and all of its various faces, simply doesn't care
about the majority of us who just want to use the Internet in peace and
security.  (And that abundant lack of care seems to be the overriding
message of the reports I have cited.)

At worst, the company and its various nefarious customers present a clear
and present danger, if not to Western democracies then perhaps just to
anyone and anything that's connected to the Internet.  And all of the
companies peering with the various Webzilla companies have a choice --
to support Webzilla and the harmful activities of all of its customers,
many of whom have proven themselves, time and again, to be outright
dangerous to the rest of us, or alternatively, to take reasonable measures,
and do what they can to save themselves, their customers, and people around
the world from so easily, conveniently, and inexpensively being hacked,
fiddled, hoodwinked and penetrated.

So this is the question.  Can Western companies really justify, to themselves,
to their stockholders, and to their customers, their acts which make it
easier than it has to be for the likes of Webzilla to have connectivity? 
Should these companies, whose profitability and mere existence rests on
both the freedom and justice, such as they are, that is commonly available
in Western liberal democracies... should these companies continue to support,
even if only indirectly, those who would undermine that same freedom and
justice on which the companies themselves depend?  And even setting aside
THAT consequential question, are the long term best interests of these
same Western companies best served by an Internet that is known to the
public at large as a place primarily characterized by scamming, scheming,
and skulduggery?  And finally, is it a persuasive argument to say that
because there is crime in the world, and always has been, and likely always
will be, that we, and each of us, should harbor and abet criminals simply
because it is convenient for us to do so, and perhaps even profitable in the
short run?

You may think me naive, but I say that the answer each and all of these
questions is a resounding "no".  It shall not profit any of these companies
who provide peering to Webzilla, even if they gain the whole world, if they
lose their souls.  Will there still be a thriving and growing market for
moving bits when nobody in his or her right mind trusts the Internet anymore?

Although I am cloaking my arguments, at least to some extent, in moral and
ethical terms, I do understand that such considerations are not at all
likely to be persuasive when it comes to the world of commerce.  That's
perfectly OK, because in this instance I believe that I am also arguing in
favor of enlightened self-interest.  Are any of the customers of any of the
companies that provide peering to Webzilla and/or its various parts and
pieces better off or worse off because of that peering?  I believe that
sober and informed reflection on this simple question will yield the Right
Answer.

In the early years of the 20th century, Vladimir Lenin, leader of the
Bolshevik revolution, famously quipped to his communist colleagues that
"The capitalists will sell us the rope to hang them with."  His prescient
words have endured even the fall of the empire he founded because they
clarify a simple and fundamental truth -- in capitalist systems, short
term greed often overrides both rationality and simple common sense.
My hope is that it will not be so on this occasion, and that enlightened
long-term self interest will prevail, at least among those companies that
are peering with any of Webzilla's ASNs.

I would be happy to see Webzilla be given no choice other than to beat a
retreat, back to Russia, and to have the company seek connectivity there
and only there.  If the company wishes to continue either its support for,
or its abject tolerance of the kind of nefarious activities documented
in detail in the report I cited, then I say let them do that, let them
connect only via Russia, and let the company's true allegiances be revealed
for all to see.  If, as now seems evident, the company wants to continue
to flout the norms and traditions of the civilized portions of the Internet,
then I don't see it as being in anyone else's best interests for Webzilla
to 

Webzilla

2019-03-16 Thread Ronald F. Guilmette


[[ My apologies to those of you who may see this twice.  I have posted the
   message below also to the RIPE Anti-Abuse Working Group mailing list,
   so any of you who are on that list also will see this twice.  But I
   believe that it is relevant here also. ]]



Perhaps some folks here might be interested to read these two reports,
the first of which is a fresh news report published just a couple of
days ago, and the other one is a far more detailed investigative report
that was completed some time ago now.

https://www.buzzfeednews.com/article/kenbensinger/dossier-gubarev-russian-hackers-dnc

https://www.documentcloud.org/documents/5770258-Fti.html

Please share these links widely.

The detailed technical report makes it quite abundantly clear that
Webzilla, and all of its various tentacles... many of which even I didn't
know about until seeing this report... most probably qualifies as, and
has qualified as a "bullet proof hosting" operation for some considerable
time now.  As the report notes, the company has received over 400,000
complaints or reports of bad behavior, and it is not clear to me, from
reading the report, if anyone at the company even bothered to read any
more than a small handful of those.

I have two comments about this.

First, I am inclined to wonder aloud why anyone is even still peering
with any of the several ASNs mentioned in the report.  To me, the mere
fact that any of these ASNs still have connectivity represents a clear
and self-evident failure of "self policing" in and among the networks
that comprise the Internet.

Second, it has already been a well-known fact, both to me and to many
others, for some years now, that Webzilla is by no means alone in the
category commonly referred to as "bullet proof hosters".  This fact
itself raises some obvious questions.

It is clear and apparent, not only from the report linked to above, but
from the continuous and years-long existence of -many- "bullet proof
hosters" on the Internet that there is no shortage of a market for the
services of such hosting companies.  The demand for "bullet proof"
services is clearly there, and it is not likely to go away any time
soon.  In addition to the criminal element, there are also various
mischievous governments, or their agents, that will always be more
than happy to pay premium prices for no-questions-asked connectivity.

So the question naturally arises:  Other than de-peering by other networks,
are there any other steps that can be taken to disincentivize networks
from participating in this "bullet proof" market and/or to incentivize
them to give a damn about their received network abuse complaints?

I have no answers for this question myself, but I felt that it was about
time that someone at least posed the question.

The industry generally, and especially in the RIPE region, has a clear
and evident problem that traditional "self policing" is not solving.
Worse yet, it is not even discussed much, and that is allowing it to
fester and worsen, over time.

It would be Good if there was some actual leadership on this issue, at
least from -some- quarter.  So far I have not noticed any such worth
mentioning.  And even looking out towards the future horizon, I don't
see any arriving any time soon.


Regards,
rfg


Crooks on the Internet: Episode 6,427

2018-11-21 Thread Ronald F. Guilmette


I just thought that y'all might want to be aware of this.

My attention was called recently to a RIPE-issued block of IPv4 addresses
assigned to a particular Polish firm (Marton Media: https://martonmedia.pl/)
that appears to sell digital TV services.

The block in question is 91.149.192.0/18 aka "PL-MARTON-20061120".

It appears that perhaps this company didn't quite need all of that /18 that
it got from RIPE, so it looks like they parceled out some sub-parts of that
/18 to at least a couple of other parties, to wit:

"Hostermatrix LLC" aka "ORG-HL183-RIPE":
91.149.232.0/22
91.149.252.0/22

"Real Tone Hosting LLC" aka "ORG-RTHL1-RIPE"
91.149.224.0/21
91.149.236.0/22
91.149.240.0/21
91.149.248.0/22

Ignoring, for the moment, the fact that neither of these companies actually
seem to exist anywhere... at least not on -this- planet... my attention was
further called to the pair of /22 blocks that have been sub-allocated by
Marton Media (Poland) to this thing they are calling "Hostermatrix LLC".

The reverse DNS for those blocks looked like this, just a few short
days ago, on November 16th:

https://pastebin.com/raw/hjWG5KxA

But apparently, that all has been changed rather substantially, just in the
past few days, so now it all looks like this instead:

https://pastebin.com/raw/58qCdPrc

(You might call this the "Schrodinger Effect".  When researching bad guys on
the Internet, their stuff may change, even as you are looking at it, and
perhaps even -because- you are looking at it.)

Anyway, the rDNS listing, as it was on the 16th, looked more than a little
fishy.  Why would anyone need quite this many different outbound SMTP servers?

The one and only second-level domain name that appeared in the rDNS listing
as of the 16th was "sm-smtp.net".  I did a bit of research on that domain
name and found that historical passive DNS associates that domain, quite
unambiguously, with another domain name, sendermatrix.net.

It didn't take much more research for me to find out that a company called
Sender Matrix, LLC is in fact registered in the State of Florida to a Mr.
Jay Passerino.  Mr. Passerino appears to have registered a number of different
Florida companies:

Haggle USA Corp.
Mahem Partners, Inc.
Sourcehire, LLC
Boat App, LLC,
All In Nutraceuticals, LLC
Miami Suppliments, LLC
Balladex Enterprises, LLC
Sender Matrix, LLC (http://sendermatrix.com/)
Gasher, Inc.
Digital Platinum, Inc. (http://digital-platinum.com/)
BB Ventures, Inc.

Of course, there's nothing at all wrong with Mr. Passerino having prolific
and multiple business interests, however a fellow who also, coincidentally,
has the name Jay Passerino, and who also, coincidentally, hails from the
State of Florida seems to have gotten into what the Brits might call "a spot
of bother" with respect to not one but -two- U.S. federal regulatory agencies
of late, specifically the SEC and the CFTC, both of which appear to have
taken serious issue with this Mr. Jay Passerino's business practices, along
with those of several of his cohorts:

CFTC Press Release:
https://www.cftc.gov/PressRoom/PressReleases/7807-18

SEC Press Release:
https://www.sec.gov/news/press-release/2018-216

As you can see, both the SEC and the CFTC elected to take issue... on the
exact same day, by the way... with this Mr. Jay Passerino's activities on
the Internet, and specifically relating to "pump and dump" email scams.

Returning now to the subject of the two /22 sub-allocations that were made
by this Polish outfit, Marton Media, to this apparently non-existent corporate
entity called "Hostermatrix LLC", I hope that it will not escape anyone's
notice that whereas the IPv4 blocks in question have been provided... seemingly
to an Internet crook named Jay Passerino... by a Polish company, the actual
-routing- of each of these blocks shows the participation of some other
actors within two more (different) European countries:

91.149.232.0/22 -
  routed by AS51765 (Oy Creanova Hosting Solutions Ltd. - Finland)

91.149.252.0/22 -
  routed by AS24768 (ALMOUROLTEC SERVICOS DE INFORMATICA E INTERNET LDA -
 Portugal)

The only observation I can offer with respect to all of the foregoing, is the
rather obvious one:  All of this is, to say the least, rather suspicious.

But wait!  There's more!

It appears that Mr. Passerino's IPv4 assets are not strictly limited to
RIPEland.  There's also a Direct Allocation block of ARIN IPv4 space
(138.128.224.0/22) that is explicitly registered to Sender Matrix LLC
of Miami, Florida:

https://pastebin.com/raw/cZcsPYrL

This block is routed by AS62519, Netrouting Inc., also, according to ARIN
records, of Miami, Florida:

https://pastebin.com/raw/mJKnJX6w

Curiously, the one and only route being announced by AS62519 is for the /22
registered to Mr. Passerino's Sender Matrix LLC:


Summer of Hijacks: My message to RIPE and the RIPE Executive Board

2018-08-09 Thread Ronald F. Guilmette


Found yet another big hijacking operation.  Coming out of RIPEland, again.
See below for full details.

I didn't really want to post again to NANOG on this topic (hijacks) quite
this soon, but the bloody European crooks, spammers, and hijackers aren't
really giving me a break, and I can't abide just sitting in silence and
stewing about it for another month or three.  I mean this stuff is just
getting ridiculous.  And I do worry that the Internet community is just
starting to accept this stuff as "normal behavior", which it isn't.

Maybe the following will finally get somebody's attention in RIPEland,
but I'm not holding my breath for what I personally consider a Good
Outcome (which would include full disclosure about what the hell they
are actually going to do about any of this, which is probably far too
much to even hope for).

I'll probably be permanently banned from all of the relevant RIPE mailing
lists for having posted this.  I just skimmed over RIPE's Code of Conduct
for their mailing lists and it basically says that Thou Shalt Not Say
Anything Bad About Anybody Specifically, Ever, and I'm pretty sure that
I just broke that rule, in spades.

Oh well.  May God bless the First Amendment, and may God bless NANOG!

P.S.  It was just now brought to my attention that AS197328, Istanbuldc,
is -only- routing 176.116.0.0/19, which looks to be one of the few
routes that are maintained by MNT-SERVERSGET that are actually for
legitimately allocated IPv4 blocks.

For the record, I do not dispute that some of the routes maintained by
MNT-SERVERSGET are for legitimately allocated space.  I will and do
however dispute any assertion that ALL such routes are for IP space that
has been legitimately allocated to either Mr. Alexander Samuilov or to
his various corporate identities or corporate partners.  That does not
appear to be the case, based on the evidence.

(note - minor edits applied)
==
From: "Ronald F. Guilmette" 
To: exec-bo...@ripe.net, db...@ripe.net, routing...@ripe.net,
anti-abuse...@ripe.net, n...@ripe.net,
Subject: The Ongoing Summer of Hijacks: MNT-SERVERSGET / dnsget.top


The entire set of objects in the RIPE WHOIS data base that are currently
registered with mnt-by: MNT-SERVERSGET is listed here:

https://pastebin.com/raw/GiYWxHMh

Among this set of objects there are 235 separate route objects.

Evidence indicates persuasively that some sizable fraction of these RIPE-
registered route objects are fraudulent and are simply there to provide
cover for multiple IPv4 address block hijacks.

The presence of these objects in the data base permits the following
set of ASNs to claim that they are acting "legitimately" even as they
route these hijacked blocks:

AS9009     M247 Ltd (UK)
AS43350    NFOrce Internet Services (Netherlands)
AS57129    Optibit, LLC (Russia)
AS197328   Istanbuldc Veri Merkezi Ltd. Sti (Turkey) -- SEE NOTE ABOVE
AS202287   Men Danil Valentinovich (Russia)
AS204895   Santa Plus, LLC (Russia)

The total amount of IPv4 space encompassed within the set of route objects
registered with mnt-by: MNT-SERVERSGET at the present time amounts to
eight hundred and fifty nine (859) /24 blocks.  Of these, only three
hundred and five (305) actually have correctly functioning and properly
delegated reverse DNS at the present time, and even among those, only
two hundred and two (202) have functioning reverse DNS delegations to
the preferred name servers of MNT-SERVERSGET, which is to say the name
servers ns5.dnsget.top and ns6.dnsget.top.

The bottom line is that it appears that, at the present time, something
less than 1/4 of all of the IPv4 address space currently registered in the
RIPE data base (via route objects) by and to MNT-SERVERSGET is space for
which a plausible case could be made that the blocks in question are actually
legitimately assigned to and/or under the legitimate control of MNT-SERVERSGET
aka Mr. Alexander Samuilov.  The other 3/4ths of the IPv4 space in question
has provenance which is, at best, dubious.

Due to its use of little country-of-registration flags for each IP address
block, the web site bgp.he.net provides the most visually obvious indications
of at least two of the specific block hijacks in this case, specifically
the hijacks of 27.103.192.0/19 and 36.0.192.0/19 by AS57129:

https://bgp.he.net/AS57129#_prefixes

Based upon the foregoing, I hereby respectfully request RIPE NCC to undertake
an immediate and comprehensive review of all objects in the data base that
are currently registered with mnt-by: MNT-SERVERSGET.

Additionally, I also respectfully request RIPE NCC to publish the results
of this review to the mailing lists of the Database Working Group and the
Anti-Abuse Working Group.  The charters of both of these Working Groups 
are directly relevant to this issue, and there exists neither need nor
reason to simply sweep this 
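
The accounting in the message above (the total number of /24s behind a maintainer's route objects, how many of those have reverse DNS delegated at all, and how many are delegated to the maintainer's own name servers) can be reproduced from a database dump of the maintainer's objects. The following is an added example, not part of the message and not RIPE tooling: the RPSL text, the origin ASNs, the maintainer name `MNT-EXAMPLE`, the name servers `ns5.mnt.example`/`ns6.mnt.example` and the NS table are all constructed, and the zone lookup is a function argument so that it runs offline (a resolver-backed lookup can be passed in its place).

```python
"""Account for the IPv4 space covered by a maintainer's route objects and check
where each /24's reverse DNS is delegated.

Added example, not code from the message above. Route objects, origins,
maintainer name servers and the NS table are constructed (hypothetical);
`ns_lookup` is injectable so the check runs offline. IPv4 only.
"""
import ipaddress
import re
from collections import Counter
from typing import Callable, Dict, List, Optional, Set, Tuple

CONSTRUCTED_ROUTE_OBJECTS = """\
route:          192.0.2.0/24
origin:         AS64500
mnt-by:         MNT-EXAMPLE

route:          198.51.100.0/24
origin:         AS64500
mnt-by:         MNT-EXAMPLE

route:          203.0.113.0/24
origin:         AS64501
mnt-by:         MNT-EXAMPLE

route:          10.64.0.0/22
origin:         AS64501
mnt-by:         MNT-EXAMPLE
"""

# Hypothetical "preferred name servers" of the maintainer under review.
MAINTAINER_NS: Set[str] = {"ns5.mnt.example", "ns6.mnt.example"}

# Constructed NS delegations per /24 reverse zone (hypothetical).
# Zones absent from this table have no working delegation.
CONSTRUCTED_NS: Dict[str, Set[str]] = {
    "2.0.192.in-addr.arpa": {"ns5.mnt.example", "ns6.mnt.example"},
    "100.51.198.in-addr.arpa": {"ns1.legit-isp.example", "ns2.legit-isp.example"},
    "0.64.10.in-addr.arpa": {"ns5.mnt.example"},
    "1.64.10.in-addr.arpa": {"ns5.mnt.example", "ns6.mnt.example"},
}

RouteObj = Tuple[ipaddress.IPv4Network, str]


def parse_route_objects(text: str) -> List[RouteObj]:
    """Split RPSL output on blank lines; keep (prefix, origin) of each route object."""
    objs: List[RouteObj] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs: Dict[str, str] = {}
        for line in block.splitlines():
            key, _, val = line.partition(":")
            attrs.setdefault(key.strip().lower(), val.strip())  # first value wins
        if "route" in attrs and "origin" in attrs:
            objs.append((ipaddress.ip_network(attrs["route"], strict=False),
                         attrs["origin"].upper()))
    return objs


def slash24_zones(net: ipaddress.IPv4Network) -> List[str]:
    """Reverse zones (one per /24) spanned by a prefix; longer prefixes round up to their /24."""
    if net.prefixlen > 24:
        net = net.supernet(new_prefix=24)
    zones = []
    for sub in net.subnets(new_prefix=24):
        octets = str(sub.network_address).split(".")[:3]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones


def count_slash24s(objs: List[RouteObj]) -> int:
    """Distinct /24s covered; overlapping route objects are not double counted."""
    return len({z for net, _ in objs for z in slash24_zones(net)})


def per_origin(objs: List[RouteObj]) -> Dict[str, int]:
    """/24s announced per origin ASN, as written in the route objects."""
    c: Counter = Counter()
    for net, origin in objs:
        c[origin] += len(slash24_zones(net))
    return dict(c)


def classify_delegations(objs: List[RouteObj],
                         ns_lookup: Callable[[str], Optional[Set[str]]],
                         maintainer_ns: Set[str]) -> Dict[str, int]:
    """For every distinct /24: delegated to the maintainer's servers, elsewhere, or not at all."""
    counts = Counter(maintainer=0, elsewhere=0, none=0)
    for zone in sorted({z for net, _ in objs for z in slash24_zones(net)}):
        ns = ns_lookup(zone) or set()
        if not ns:
            counts["none"] += 1
        elif ns & maintainer_ns:
            counts["maintainer"] += 1
        else:
            counts["elsewhere"] += 1
    return dict(counts)


if __name__ == "__main__":
    objs = parse_route_objects(CONSTRUCTED_ROUTE_OBJECTS)
    print("/24s:", count_slash24s(objs), per_origin(objs))
    print(classify_delegations(objs, CONSTRUCTED_NS.get, MAINTAINER_NS))
```

A "maintainer" delegation is only a hint, not proof of a hijack: the check is meant to be read the way the message reads it, as an upper bound on the space for which the maintainer can plausibly claim operational control, with everything else needing a separate provenance check against the allocation records.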

Re: AS205869, AS57166: Featured Hijacker of the Month, July, 2018

2018-07-24 Thread Ronald F. Guilmette


In message <20180724.090316.47077931.sth...@nethelp.no>, 
sth...@nethelp.no wrote:

>All prefixes still visible here (Oslo, Norway), through HE. Here's your
>original table augmented with the AS paths I see on our border routers:
>
>ASN   Route            AS path
>---------------------------------------------------
>10510 216.238.64.0/18  6939 205869 32226 10510
>10737 207.183.96.0/20  6939 205869 7827 10737
>10800 192.110.32.0/19  6939 205869 11717 10800
>19529 104.143.112.0/20 6939 205869 11324 19529
>19529 198.14.0.0/20    6939 205869 7827 19529
>19529 198.32.208.0/20  6939 205869 7827 19529
>19529 206.41.128.0/20  6939 205869 11324 19529
>30237 192.73.128.0/20  6939 205869 11717 30237
>30237 192.73.144.0/20  6939 205869 11717 30237
>30237 192.73.160.0/20  6939 205869 11717 30237
>30237 192.73.176.0/20  6939 205869 11717 30237

Thanks for checking this.  I gather from the other posts in this thread
that this has already been rectified, and that the above CIDRs are no
longer reachable via HE.NET, correct?

Even if that's the case, I'm still left scratching my head.  There's a
bit of a mystery here, or at least something that I don't quite understand.
(NOTE: I've never laid claim to being anything like an "expert" when it
comes to all this routing stuff.  I just muddle along and try to do the
best I can with the limited knowledge and understanding that I have.)

So, here's what's perplexing me.  You reported that all eleven of the
routes in the table above had AS paths that directly connected
Universal IP Solution Corp. (AS205869) to Hurricane Electric (AS6939).
And yet, when I looked at the following page, both yesterday and today,
I see no reported connection between those two ASNs:

 https://bgp.he.net/AS205869#_peers

I already knew before now that each of the alleged peerings reported on
similar pages on the bgp.he.net web site had to be taken with a grain of
salt, mostly or entirely because of the kinds of hanky panky and path
forgery being undertaken by various bad guys.  In at least some cases,
these screwy games appear to have caused bgp.he.net to list peerings that
didn't actually exist.

But this is a rather entirely different case.  In this case, it seems
that one very notable peering that -did- in fact exist, between AS205869
and AS6939, was not reported at all on the bgp.he.net page linked to above.

To be clear, I most definitely am *not* suggesting any sort of deliberate
obfuscation here, on anybody's part.  Rather, I just suspect that some
of the algorithms that are used to produce the peers lists on bgp.he.net
could use some... ah... fine tuning.  It certainly seems to be true that
in this case, one very important peering was utterly missed by the algorithms
that power bgp.he.net.


Regards,
rfg
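
An added example, not code from the thread above, that shows one way to
check the point made in this post with a little Python: derive the
adjacencies directly from the eleven AS paths quoted here and compare them
with what a looking-glass or a third-party "peers" page reports.  The route
table is copied from the quoted reply; the function names and the collapsing
of prepends are this example's own.

```python
"""Derive AS adjacencies from observed BGP AS paths.

Added example, not code from the original thread.  OBSERVED_ROUTES is the
eleven-row table quoted in the post above (origin ASN, prefix, AS path seen
from an Oslo border router via HE, AS6939); the functions are this example's own.
"""
from collections import defaultdict

# Copied from the quoted table: (origin_asn, prefix, as_path as a string)
OBSERVED_ROUTES = [
    (10510, "216.238.64.0/18",  "6939 205869 32226 10510"),
    (10737, "207.183.96.0/20",  "6939 205869 7827 10737"),
    (10800, "192.110.32.0/19",  "6939 205869 11717 10800"),
    (19529, "104.143.112.0/20", "6939 205869 11324 19529"),
    (19529, "198.14.0.0/20",    "6939 205869 7827 19529"),
    (19529, "198.32.208.0/20",  "6939 205869 7827 19529"),
    (19529, "206.41.128.0/20",  "6939 205869 11324 19529"),
    (30237, "192.73.128.0/20",  "6939 205869 11717 30237"),
    (30237, "192.73.144.0/20",  "6939 205869 11717 30237"),
    (30237, "192.73.160.0/20",  "6939 205869 11717 30237"),
    (30237, "192.73.176.0/20",  "6939 205869 11717 30237"),
]


def parse_as_path(path):
    """'6939 205869 32226 10510' -> [6939, 205869, 32226, 10510].

    Consecutive repeats (path prepending) are collapsed so that a prepend does
    not look like a self-adjacency.  AS_SET notation '{a,b}' is not handled;
    none appears in the quoted table."""
    hops = []
    for tok in path.split():
        asn = int(tok)
        if not hops or hops[-1] != asn:
            hops.append(asn)
    return hops


def adjacencies(routes):
    """Map each ASN to the sorted list of ASNs seen directly beside it in any path."""
    neigh = defaultdict(set)
    for _origin, _prefix, path in routes:
        hops = parse_as_path(path)
        for left, right in zip(hops, hops[1:]):
            neigh[left].add(right)
            neigh[right].add(left)
    return {asn: sorted(ns) for asn, ns in neigh.items()}


def upstreams_of(routes, asn):
    """ASNs that sit immediately to the left of `asn` (toward the observer) in any path."""
    ups = set()
    for _origin, _prefix, path in routes:
        hops = parse_as_path(path)
        ups.update(hops[i - 1] for i in range(1, len(hops)) if hops[i] == asn)
    return sorted(ups)


def prefixes_transited_by(routes, asn):
    """Prefixes whose path passes through `asn` without `asn` being the origin."""
    return [prefix for _origin, prefix, path in routes
            if asn in parse_as_path(path) and parse_as_path(path)[-1] != asn]


def origin_column_consistent(routes):
    """Sanity check on the table: the origin column must equal the last hop."""
    return all(parse_as_path(path)[-1] == origin for origin, _prefix, path in routes)


if __name__ == "__main__":
    adj = adjacencies(OBSERVED_ROUTES)
    print("neighbours of AS205869 seen in paths:", adj[205869])
    print("upstreams of AS205869:", upstreams_of(OBSERVED_ROUTES, 205869))
    print("prefixes transited by AS205869:", len(prefixes_transited_by(OBSERVED_ROUTES, 205869)))
```

Run against the quoted table this reports AS6939 as the only upstream of
AS205869 on all eleven routes.  A neighbour that shows up here but not on a
tool's peers page is a gap in that tool's view of the routing table, which is
the right thing to raise with the tool's operator; it is not by itself
evidence of path forgery, and the reverse (a peering the tool lists that no
observed path contains) is the case to treat with suspicion.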


AS205869, AS57166: Featured Hijacker of the Month, July, 2018

2018-07-23 Thread Ronald F. Guilmette


Before I get into talking about this month's honorary Hijacker of
the Month, I really must start by thanking everyone who pitched in and
helped to ensure an appropriate response and outcome for the BitCanal
case, which I reported here last month.  You all know who you are, and
I won't explicitly name you here, only because most of you have expressed
to me privately that you would prefer it if I didn't.  But you folks
deserve the lion's share of the credit, and I, in contrast, played
only the most minor supporting role.

I must also say that I was astonished and very pleasantly surprised by
the very effective and, to-date, very nearly 100% effective response to
my call to action with respect to Bitcanal.  This thief, Joao Silveira,
aka Mr. Bitcanal, and his business are still limping along, and, I'm sure,
trying desperately to get back online after everybody with half a brain
became convinced of what he has been up to for lo these past several
years.  He's apparently managed to at least get his main web site
(www.bitcanal.com) back online, but now he's totally dependent on
GoDaddy hosting for that. :-)  I guess that he doesn't have a whole
lot of IP space to call his own anymore, or at least not very much
of it that he can actually get anyone to route for him.

I should also offer my apologies for the rather deliberately rude way
that I got right up into the faces of Cogent, GTT, and Level3, right
here on the NANOG list, with regards to BitCanal.  I see now that that
was really rather completely unfair and uncalled for.  All three took
swift and appropriate action once they became fully aware of the
issue/problem, and I am grateful to all of them for their prompt action,
and also, of course, I am equally grateful also to the many other
providers and IXes who also took appropriate action in this case.

Following my posting last month about BitCanal, at least one person
rightly took me to task for the rude way I approached the problem, and
even more so for the fact that I escalated the problem to this list
as my first response to the whole issue.  With 20/20 hindsight, I can
now only agree with those criticisms.  I shouldn't have done that.
I am pleased with the final result, i.e. Bitcanal being kicked from
essentially the whole Internet, but the ends do not justify the rather
hamfisted means I elected to employ.  I will try to do better in future.

With that in mind, when I recently found another such operation...
another entity performing an entire set of obviously very deliberate
hijacks, evidently for the purpose of leasing the hijacked space to
snowshoe spammers... I took what I had learned from the BitCanal case
and applied it.  In particular, rather than me having a very public
tantrum and getting on the cases of each and every company that bgp.he.net
said might be connected to the hijacker somehow, I instead began by running
traceroutes to all of the relevant hijacked blocks.  (If I had had
the good sense to have done this in the BitCanal case, I most probably
would have begun by just hassling Cogent alone, and privately, off list,
since from where I sit, all of the traceroutes to all the blocks that
Bitcanal stole had Cogent as the next-to-last hop.  YMMV)

Anyway, in this new case I found that the next-to-last hop for all of
the relevant traceroutes was a set of routers belonging to Telecom Italia.
Rather than calling them out here, this time I had the good sense to
just message TelecomItalia directly about the issue.  It took me a couple
of tries, but I was eventually able to find a proper contact address for
a proper sort of person to discuss this matter with @ Telecom Italia.
The two links below are (1) my message to them and (2) their very nice
and proactive response back to me:

  Me -> Telecom Italia
  https://pastebin.com/raw/Ek3mxKCR

  Telecom Italia -> Me
  https://pastebin.com/raw/mtcA4Ehy

Given that I sent my message to them well after business hours on Friday, 
I consider their response, sent on Monday, to be super-fast and very
responsive.  Of course, I am absolutely ecstatic also that they have
elected to stop all routing to the particular bunch of badness that
I explicitly called out to them, at least for the time being.

As you can all see, my message to TelecomItalia describes the issue/problem
with AS205869 - Universal IP Solution Corp. in some considerable detail.
In a nutshell, these guys are criminals and they've been reselling the
IPv4 space they've hijacked, specifically but perhaps not only to snowshoe
spammers.  (Specific evidence available upon request.)  Of course, one can
easily imagine even vastly worse uses that may be made of stolen IP space.

By the time that I personally became aware of what these specific jerks
were up to, they had already used, abused, and tossed aside several other
IPv4 blocks -and- also a number of other previously abandoned ASNs.  (They
have been absconding with -both- abandoned IPv4 address blocks -and- also
a 

Re: AS3266: BitCanal hijack factory, courtesy of Cogent, GTT, and Level3

2018-06-25 Thread Ronald F. Guilmette


In message 
, 
Job Snijders  wrote:

>On Mon, 25 Jun 2018 at 22:49, Ronald F. Guilmette 
>wrote:
>> As I always ask, rhetorically, in cases like this:  Where are the grownups?
>
>You could ask the same about the IXPs that facilitate the reach and impact
>of Bitcanal's BGP hijacks by allowing that network on their platform:
>https://bgp.he.net/AS197426#_ix

I can and I do ask that question.  Indeed it would appear that at least one
such IX was persuaded, via a Spamhaus escalation last year, to appropriately
kick Mr. Silveira's ass to the curb:

April, 2017:
https://www.isptoday.nl/nieuws/de-cix-door-spamhaus-op-de-bon-geslingerd/

DE-CIX:
   "We are in direct contact with Spamhouse regarding this, in order to
   avoid such incidents in the future, and are counting on an open and
   direct dialog with our Spamhouse colleagues."

But first things first.  As I have stated, bgp.he.net shows that more than
three fourths of Mr. Silveira's connectivity is coming to him via just the
three companies I named, Cogent, GTT, and Level3.  Without them, both the
financial and political burden of supporting this crook would fall onto a
motley collection of smaller and more easily influenced players... ones who
might be more easily persuaded to cease and desist from their ongoing support
of IP address space theft.

But the first step is to make it clear to the various law abiding customers
of Cogent, GTT, and Level3 that these three companies are acting irresponsibly
in their continued peering with Mr. Silveira's various ASNs, and that this
-does- negatively affect everyone, or at least everyone who has an email
inbox, and/or anyone and everyone who still believes that the formal system
of IP address allocation, as administered by the five RIRs, prevents chaos
from breaking out across the entire Internet.


Regards,
rfg


AS3266: BitCanal hijack factory, courtesy of Cogent, GTT, and Level3

2018-06-25 Thread Ronald F. Guilmette


Sometimes I see stuff that just makes me shake my head in disbelief.
Here is a good example:

https://bgp.he.net/AS3266#_prefixes

I mean seriously, WTF?

As should be blatantly self-evident to pretty much everyone who has ever
looked at any of the Internet's innumerable prior incidents of very
deliberately engineered IP space hijackings, all of the routes currently
being announced by AS3266 (Bitcanal, Portugal) except for the ones in
213/8 are bloody obvious hijacks.  (And to their credit, even Spamhaus
has a couple of the U.S. legacy /16 blocks explicitly listed as such.)

That's 39 deliberately hijacked routes, at least going by the data
visible on bgp.he.net.  But even that data from bgp.he.net dramatically
understates the case, I'm sorry to say.  According to the more complete
and up-to-the-minute data that I just now fetched from RIPEstat, the real
number of hijacked routes is more on the order of 130 separate hijacked
routes for a total of 224,512 IPv4 addresses:

https://pastebin.com/raw/Jw1my9Bb

In simpler terms, Bitcanal has made off with the rough equivalent of an
entire /14 block of IPv4 addresses that never belonged to them.  (And of
course, they haven't paid a dime to anyone for any of that space.)

Of course we could all be shocked (Shocked!) at this turn of events if
it were not for the fact that Bitcanal already has a rich, longstanding,
and sordid history of involvement with IP space hijacks.  All one has to
do is google for "Bitcanal" and "hijack" to find that out.  This isn't
exactly a state secret.  In fact if you look up "IP space hijacking" in
any modern Internet dictionary you'll find Mr. Joao Silveira's picture
next to the definition: https://twitter.com/bitcanal :-)

This guy Silveira has obviously decided that he is a law unto himself,
and can grab whatever IP space happens to be lying around for his own
purposes... and no need to fill out any tedious forms -or- pay any fees
for using any of this space to any of those annoying Regional Internet
Registries.

As usual, and as I have said here previously, I generally don't mind too
much when these kinds of greedy idiots decide to color outside the lines.
As long as they just confine themselves to hijacking abandoned IP blocks
belonging to banks and/or government agencies, well then it's no skin off
my nose.  But when they start reselling their stolen IP space to spammers,
as Mr. Silveira is apparently in the habit of doing, then I get ticked off.
And actually, Mr. Silveira must be *exceptionally* greedy in that he is
apparently not satisfied to just sub-lease his own legitimate IP space to
snowshoe spammers, as he is clearly doing:

https://pastebin.com/raw/5P5rnQ2y

Obviously, merely hosting snowshoe spammers in his own IP space isn't enough
to keep Mr. Silveira in the style to which he has become accustomed, so he
has to go out and rip off other people's IP space and then resell that to
spammers also.

The fact that there exists a jerk like this on the Internet isn't really
all that surprising.  What I personally -do- find rather surprising is that
three companies that each ought to know better, namely Cogent, GTT, and
Level3 are collectively supplying more than 3/4ths of this guy's IPv4
connectivity, at least according to the graph displayed here:

https://bgp.he.net/AS197426

Without the generous support of Cogent, GTT, and Level3 this dumbass
lowlife IP address space thief would be largely if not entirely toast.
So what are they waiting for?  Why don't they turf this jackass?  Are
they waiting for an engraved invitation or what?

As I always ask, rhetorically, in cases like this:  Where are the grownups?

I would like everyone reading this who is a customer of Cogent, GTT, or
Level3 to try to contact these companies and ask them why they are providing
connectivity/peering to a hijacking jerk like this Silveira character.
Ask them why -you- have to endure more spam in your inbox just so that
-they- can make another one tenth of one percent profit by peering with
this hijacking, spammer-loving miscreant.  I would ask them myself, but
I personally am not a direct customer of any of them, so they would all,
most probably, just tell me to go pound sand.

If you do manage to make contact, please be sure to mention all three of
Mr. Silveira's ASNs, i.e. AS42229, AS197426, and AS3266.  And don't let
whoever you talk to try to weasel out of responsibility for this travesty,
e.g. by claiming that they don't know anything about what's been going on
with all those hijacks announced by AS3266, and/or that they only provide
peering for AS197426.  The hijacks may all be originating from Mr. Silveira's
AS3266, but bgp.he.net makes clear that AS3266 has one, and only one peer,
i.e. Mr. Silveira's AS197426:

https://bgp.he.net/AS3266

So basically, Cogent, GTT, and Level3 are the prime enablers of this
massive theft of IP space.  (They might try to claim that BitCanal's
historical propensity to engage in hijacks is 

Hijacks: AS12506, AS327814, AS44582, AS62135

2017-08-31 Thread Ronald F. Guilmette

The following set of interrelated networks appear to be engaged in
hijacking various IPv4 address blocks at the present time:

AS12506   Inspiring Networks, B.V. (Netherlands)
AS44582   Inspiring Networks, B.V. (Netherlands)
AS62135   Inspiring Networks, B.V. (Netherlands)
AS327814  Echoband, Ltd. (Ghana)

The specific routes that are unambiguously being hijacked by each of
these networks are as follows:

AS12506:
152.108.0.0/16
155.159.0.0/16
196.15.64.0/18

AS327814:
163.198.0.0/18
164.88.0.0/16
168.80.0.0/17
168.80.128.0/17

AS44582:
175.53.0.0/17
175.53.128.0/17
175.54.0.0/17
175.54.128.0/17

AS62135:
160.116.32.0/20
160.116.128.0/20
160.116.240.0/20
160.122.144.0/20

Screenshots of the bgp.he.net prefixes reports for the above networks are
archived here:

http://i.imgur.com/5HuDRYX.png   (AS12506)
http://i.imgur.com/YishDCK.png   (AS44582)
http://i.imgur.com/lgiAKWz.png   (AS62135)
http://i.imgur.com/IM9Wf5h.png   (AS327814)

(Note that the set of routes announced by the four networks in question
has changed slightly since the last bgp.he.net update -- 30 Aug 2017 14:48
PST.  The route for 163.198.0.0/18 has been dropped and the routes for
160.116.128.0/20 and 160.122.144.0/20 have been added.)

As seen in previous hijackings, and as is consistent with the general nature
of such hijackings, no individual IP addresses within any of the above listed
routes have any functioning reverse DNS delegation.

Note that AS44582 (Inspiring Networks) and AS62135 (Inspiring Networks)
really only have a single upstream connection to the Internet, at least
as far as public BGP is concerned, and that is AS12506 (Inspiring Networks).

Meanwhile, AS12506 (Inspiring Networks) has only a single BGP upstream,
which is AS49544 i3D.net B.V (Netherlands).  Therefore, the majority of
this hijacking activity is only made possible via the generous help and
assistance of AS49544, i3D.net B.V.

Inspiring Networks is apparently run by one Maikel Jozef Gerardus Uerlings:

https://labs.ripe.net/Members/maikel_uerlings
https://nl.linkedin.com/in/maikel-uerlings-072aaa65
https://twitter.com/maikeluerlings
(recently disappeared) https://www.facebook.com/maikel.uerlings
http://uerlings.nl/

On February 24, 2013, over four years ago, Mr. Uerlings apparently promised
his Facebook friends and fans that his new corporate web site would be
"launched soon".  As of today however, Mr. Uerlings' corporate web site
for Inspiring Networks still contains only generic/boilerplate "Lorem ipsum"
type filler text:

https://inspiringnetworks.com/

It would thus appear that Mr. Uerlings has other ways of attracting customers,
other than his minimalist placeholder corporate web site.

In any case, Mr. Uerlings has apparently gotten some bad press on a couple
of occasions, for example the following blog post by some anonymous spammer
who felt that Mr. Uerlings didn't actually deliver on his promises of
"fresh IPs for mailing":

http://maikel-uerlings-inspiring-networks.blogspot.com/

Mr. Uerlings' name also came up in the context of a 2013 attempt by Microsoft
to take down a certain botnet:

Microsoft v. Botnet
United States Court for the Western District of Texas
Case: A-13-CV-1014SS
http://botnetlegalnotice.com/zeroaccess/files/Summons_Does_1-8.pdf
(... Care of: Maikel Uerlings, cust...@serverius.com ...)

Other folks also have, or had, a rather unfavorable opinion of Mr. Uerlings
also, it would seem:

https://www.mywot.com/en/scorecard/uerlings.nl
https://www.scamwarners.com/forum/viewtopic.php?p=123180
https://unapprovedpharmacy.com/category/counterfeit-drugs-alert/page/12/

As usual, I wouldn't even mind about any of this hijacking activity if it
were not for the fact that at least some portion of the hijacked IPv4
space appears to have been populated with snowshoe spammer domains:

 https://pastebin.com/raw/As9nVCMV

I cannot help but wonder if there is something in the water supply in the
Netherlands that may be causing so much hijacking activity to originate
from that country.  I do understand that Netherlands has what I gather is
the best connectivity in all of Europe, but even that does not fully explain,
I think, the Netherlands' disproportionate share of these sorts of events
and incidents, in this case involving Inspiring Networks, B.V. and clearly
supported by AS49544, i3D.net B.V, also of the Netherlands.


Regards,
rfg


P.s.  Don't be fooled by hijackings of IP blocks that were historically
allocated by AFRINIC to various corporate entities in the Seychelles Islands.
Many of those corporate entities have long since died, and their associated
IPv4 blocks have thus been abandoned.  Unfortunately, due to the unique
and very strict corporate secrecy laws in the Seychelles, it is not
possible for any outsider to find out even if these entities still exist
or not, let alone who their corporate officers are or might have been.
Thus, literally 

Re: Hijack Factories: AS203418, AS205944, and AS203040

2017-08-28 Thread Ronald F. Guilmette

Sorry to follow-up on myself, but I just now realized that I made
a small omission in my earlier post.  I indicated that AS205944
(MediaClick, LLC) had previously hijacked the 116.79.0.0/16 block.
That is true, but it may perhaps have led some people to incorrectly
conclude that AS205944 was not -currently- hijacking anything.

Unfortunately, nothing could be further from the truth.

As shown here

https://bgp.he.net/AS205944#_prefixes

and as archived here:

http://i.imgur.com/gkW6LUh.png

AS205944 is currently announcing 13 IPv4 routes, all of which, except
for the five that are for blocks legitimately allocated to either
Marketigames, LLC or to Mint Company, LLP appear to be hijacked sub-parts
of various legacy ARIN blocks.

So, to set the record straight, AS205944 is *currently* engaged in a
whole lotta hijacking, as we speak.

I should also mention that MediaClick, LLC is actually a defunct
Wyoming LLC.  It has been struck off the rolls of active Wyoming
companies for having failed to pay even its (minimal) Wyoming
corporate taxes.  RIPE NCC, in its infinite wisdom, will no doubt
allow it to continue to exist, and to hold various number resources,
indefinitely, but as far as the law is concerned it no longer exists.
(The contact phone number for this ASN, as shown in the RIPE WHOIS
record for AS205944 is also D.O.A. and probably has been for some
time now.  Perhaps forever.  It may perhaps -never-  have worked.
RIPE NCC can't be bothered to ever actually check such things.)

The good news is that corporate documents archived on the Wyoming
Secretary of State's web site indicate clearly and persuasively the
identity of the guy behind MediaClick, LLC.

That is apparently a Frenchman by the name of Mathieu Jean Guillaume,
who is also, apparently, the proprietor of
a couple of other French companies, i.e. ClicMe, SARL and also something
called "YAQ Production" (yaqproduction.com) which appears to have one
of these perpetual "under construction" web sites.

(Apparently, Mathieu Jean Guillaume fancies himself as a budding film
producer.  Maybe he could be that, someday, if he ever decides to
stop being a lame-ass low-life spammer and hijacker.)

Sadly, this schmuck is probably a distant relative of mine.  I may
perhaps email him and ask why he was unable or unwilling to find some
honest way of making a living, and why he turned to Internet crime
instead.

In the meantime, I repeat my suggestion that everyone who can do so
should immediately de-peer from AS203040, which appears to be the
root of all this evil.


Regards,
rfg


Hijack Factories: AS203418, AS205944, and AS203040

2017-08-28 Thread Ronald F. Guilmette

Executive Summary:

AS203418 (Marketigames, LLC), together with its one and only
immediate IPv4 upstream, AS203040 (Mint Company, LLC), and its
sister network, AS205944 (MediaClick, LLC) either are currently
hijacking or have recently hijacked multiple abandoned /16 IPv4
address blocks, apparently with the intent of leasing out this
hijacked IPv4 space to snowshoe spammers, in particular, to
Clickjet Media (clickjetmedia.com).  Readers who may be peering
with AS203040, in particular, are encouraged to cease doing so.

+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_

I believe that this listing of 13 separate /16 routes makes it self-evident
what is going on here:

https://bgp.he.net/AS203418#_prefixes

(Please note that a screenshot of the above page has been archived here for
posterity: http://i.imgur.com/Ws2aKkz.png)

The hijacks currently being perpetrated by this ASN (AS203418 - Marketigames,
LLC) are, in my opinion, both brazen and audacious.  I wouldn't mind, but
other evidence indicates persuasively that at least one of these hijacked
/16 blocks (140.167.0.0/16) has already been put into use as a snowshoe
spamming source.

The following file contains a listing of numerous domain names that currently
have associated SPF TXT records permitting these domains to send outbound
emails from various parts of the (hijacked) 140.167.0.0/16 block:

https://pastebin.com/raw/0EjThpR8

It is also interesting that a great many of the domain names listed in the
above file in fact resolve to the IPv4 address 216.128.69.220, which is
within a /24 block (216.128.69.0/24) which is ostensibly registered to an
entity calling itself "Big Hosting Plus" (aka bighostingplus.com) allegedly
of Albuquerque, New Mexico.  A brief perusal of the WHOIS record associated
with the contact domain name for that IPv4 block (bighostingplus.com) shows
however the identity of the party that is actually pulling the strings here,
i.e. a company called Clickjet Media of Glendale, California, aka
clickjetmedia.com:

https://pastebin.com/raw/h9cuGSdK

I should note that the ARIN sub-SWIP for the 216.128.69.0/24 block is not the
only instance in which Clickjet Media has followed this exact same playbook.
I have previously identified the following four additional fraudulent ARIN
sub-SWIPs where ClickJet Media is, evidently, the real entity behind the
deliberately fictitious ARIN sub-SWIPs:

High Point Host ARB-69-1-227-0 (NET-69-1-227-0-1) 69.1.227.0 - 69.1.227.255
Pleasant Hosting ARB-69-1-228-0 (NET-69-1-228-0-1) 69.1.228.0 - 69.1.228.255
Quasi Hosting ARB-69-1-254-0 (NET-69-1-254-0-1) 69.1.254.0 - 69.1.254.255
Green River Hosting ARB-69-1-255-0 (NET-69-1-255-0-1) 69.1.255.0 - 69.1.255.255

Here is the archived evidence supporting my contentions as they relate to the
above four ARIN sub-SWIPs:

  ARIN sub-SWIP records:

https://pastebin.com/raw/UDBQKDiC
https://pastebin.com/raw/hpDUqLFF
https://pastebin.com/raw/7zdZLw01
https://pastebin.com/raw/gvXNwbJW

  Associated domain WHOIS records:

https://pastebin.com/raw/pHLGRJux  (highpointhost.com)
https://pastebin.com/raw/V91DTsX1  (pleasanthosting.com)
https://pastebin.com/raw/SxqzQy2v  (quasihosting.com)
https://pastebin.com/raw/2qv5xDsE  (greenriverhosting.com)

I should note for the sake of completeness that the listing of the 13 hijacked
/16 blocks linked to above, as currently presented on the bgp.he.net web site,
is in fact a somewhat stale listing.  All of those thirteen /16 blocks were
in fact hijacked by AS203418 as of yesterday, however as of this writing, it
would appear that only the following nine /16 blocks are still hijacked at
this moment (although this is hardly a cause for celebration):

116.79.0.0/16
116.144.0.0/16
116.152.0.0/16
116.166.0.0/16
116.181.0.0/16
128.13.0.0/16
134.22.0.0/16
140.167.0.0/16
148.154.0.0/16

Naturally, readers will ask "Who or what is AS203418?"  It is registered using
the name Marketigames, LLC, which is apparently a properly registered Delaware
LLC.  Beyond that it is difficult to find any other definitive info.  The main
web site for this entity (http://marketigames.biz/) is mostly devoid of any
information that would allow us to know who is really behind this entity.
Contact information is provided on the web site however, as follows:

MarketiGames LLC,
4283 Express Lane, Suite 315-592, Sarasota, FL 34238
Phone :  217-717-9384

Googling the street address indicates that it is most often associated
with fraudulent activity on the Internet (e.g. fraudulent attempts to order
products).  The area code 217 is associated with the Chicago area, not
Florida and not Delaware.

Although this entity (MarketiGames) does have its own ASN, it also appears to
have a number of valid ARIN IP block allocations which are not currently
routed by its own ASN:

104.218.224.0/22   (NET-104-218-224-0-1)

AS29073, 196.16.0.0/14, Level3: Why does anyone peer with these schmucks?

2017-08-14 Thread Ronald F. Guilmette

Sorry for the re-post, but it has been brought to my attention that
my inclusion, in my prior posting, of various unsavory FQDNs resolving
to various IPv4 addresses on AS29073 has triggered some people's
spam filters.  (Can't imagine why. :-)  So I am re-posting this message
now, with just a link to where those shady FQDNs and their current
forward resolutions may be found.  (I also took the opportunity to
clean up some minor typos.)

%%%

I think that this is primarily Level3's problem to fix.  But you be
the judge.  Please, read on.

+_+_+_+_+_+_+_+_

Over the weekend, I stumbled upon an interesting blog called "Bad Packets",
where a fellow named Troy has written about various unsavory goings on
involving various networks.  One network that he called out in particular
was AS29073, formerly called "Ecatel".  On his blog, this fellow Troy has
noted at length some break-in attempts originating from AS29073 and his
inability to get anyone, in particular RIPE NCC, to give a damn.

https://badpackets.net/the-master-needler-80-82-65-66/

https://badpackets.net/a-conversation-with-ripe-ncc-regarding-quasi-networks-ltd/

https://badpackets.net/quasi-networks-responds-as-we-witness-the-death-of-the-master-needler-80-82-65-66-for-now/

The fact that RIPE NCC declined to accept the role of The Internet Police
didn't surprise me at all... they never have and probably never will.
But I decided to have a quick look at what this network was routing, at
present, which can be easily seen here:

http://bgp.he.net/AS29073#_prefixes

So I was looking through the announced routes for AS29073, and it all
looked pretty normal... a /24 block, check, a /24 block, check, a /21
block check... another /24 block, and then ... WAIT A SECOND!  HOLY
MOTHER OF GOD!  WHAT'S THIS???  196.16.0.0/14 !!!

So how does a little two-bit network with a rather dubious reputation
and a grand total of only about a /19 to its name suddenly come to
be routing an entire /14 block??

And of course, it's a legacy (abandoned) Afrinic block.

And of course, there's no reverse DNS for any of it, because there is
no valid delegation for the reverse DNS for any of it... usually a good
sign that whoever is routing the block right now -does not- have legit
rights to do so.  (If they did, then they would have presented their
LOAs or whatever to Afrinic and thus gotten the reverse DNS properly
delegated to their own name servers.)

I've seen this movie before.  You all have.  This gives every indication
of being just another sad chapter in the ongoing mass pillaging of
unused Afrinic legacy IPv4 space, by various actors with evil intent.
I've already documented this highly unfortunate fad right here on
multiple occasions:

https://mailman.nanog.org/pipermail/nanog/2016-November/089232.html
https://mailman.nanog.org/pipermail/nanog/2017-August/091821.html

This incident is a bit different from the others however, in that it
-does not- appear that the 196.16.0.0/14 block has been filled to the
brim with snowshoe spammers.  Well, not yet anyway.

But if in fact the stories are correct, and if AS29073 does indeed have
a history of hosting outbound hacking activities, then the mind reels
when thinking about how much mischief such bad actors could get into
if given an entire /14 to play with.  (And by the way, this is a new
world's record I think, for largest single-route deliberate hijack.
I've seen plenty of /16s go walkabout before, and even a whole /15.
But an entire /14?!?! That is uniquely brazen.)

In addition to the above, and the points raised within the Bad Packets
blog (see links above) I found, via passive DNS, a number of other
causes for concern about AS29073, to wit:

Shady FQDNs (incl possible child porn ones) on AS29073 moved here:
https://pastebin.com/raw/f4M09UKL

(In addition to the above, I've also found plenty more domain names
associated with AS29073 which incorporate the names "Apple" "AirBnB",
"Facebook", and "Groupon", as well as dozens of other legitimate companies
and organizations.)

I confess that I have not had the time to look at any of the web sites that
may or may not be associated with any of the above FQDNs, but the domain names
themselves are certainly strongly suggestive of (a) the possible hosting of
child porn and also and separately (b) the possible hosting of phishing sites.

So, given the history of this network (as is well documented on the Bad
Packets blog) and given all of the above, and given what would appear to
be the unauthorized "liberation" of the entire 196.16.0.0/14 block by
AS29073, one cannot help but wonder: Why does anybody still even peer
with these jerks?

The always helpful and informative web site bgp.he.net indicates that very
nearly 50% of the connectivity currently enjoyed by AS29073 is being provided
to them by Level3.  I would thus like to ask Level3 to reconsider that peering
arrangement in light of the 
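
An added example, not code from any of the posts: both the AS12506 post
above (no functioning reverse DNS in any of the hijacked routes) and this one
(no valid reverse delegation for 196.16.0.0/14) use missing in-addr.arpa
delegation as a triage signal for a block being routed by someone other than
its holder.  The Python below turns that into a repeatable check: it computes
the in-addr.arpa zones an RIR would have to delegate to cover a prefix and
reports which of them have NS records.  The NS lookup is injected as a
callable so the block runs offline against a constructed answer table;
dnspython_lookup_ns() is a hypothetical live hook that assumes dnspython is
installed, and the zone names in CONSTRUCTED_NS are placeholders, not real DNS
data.

```python
"""Check whether the reverse-DNS (in-addr.arpa) zones covering an IPv4 prefix
are actually delegated to anyone.

Added example, not code from the original posts.  The NS lookup is injected
as a callable so the block runs offline against a constructed answer table;
dnspython_lookup_ns() is a hypothetical live hook that assumes dnspython is
installed and is not exercised here.
"""
import ipaddress


def reverse_zones(prefix):
    """in-addr.arpa zone names an RIR would delegate to cover `prefix`.

    RIR reverse delegation happens on octet boundaries: a /14 is covered by
    four /16 zones, a /19 by thirty-two /24 zones, and anything longer than a
    /24 falls inside one /24 zone (RFC 2317 sub-delegation is not modelled)."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 prefixes only")
    zone_len = max(8, min(24, ((net.prefixlen + 7) // 8) * 8))   # 8, 16 or 24
    if net.prefixlen == zone_len:
        covering = [net]
    elif net.prefixlen < zone_len:
        covering = list(net.subnets(new_prefix=zone_len))
    else:
        covering = [net.supernet(new_prefix=zone_len)]
    zones = []
    for sub in covering:
        octets = str(sub.network_address).split(".")[: zone_len // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones


def delegation_report(prefix, lookup_ns):
    """Map each covering zone to the sorted NS set that `lookup_ns(zone)` returns.

    An empty list means nobody has been delegated that zone, i.e. no address
    in it can have working PTR records."""
    return {zone: sorted(lookup_ns(zone)) for zone in reverse_zones(prefix)}


def undelegated_fraction(report):
    """Share of covering zones with no NS delegation (1.0 = nothing delegated)."""
    if not report:
        return 0.0
    return sum(1 for ns in report.values() if not ns) / len(report)


# Constructed answer table standing in for real NS queries; the names are
# placeholders, not real DNS data for these prefixes.
CONSTRUCTED_NS = {
    "2.0.192.in-addr.arpa": ["ns2.example.net", "ns1.example.net"],   # delegated
    "198.163.in-addr.arpa": [],                                        # not delegated
}


def stub_lookup_ns(zone):
    """Offline lookup: anything absent from the table is treated as undelegated."""
    return CONSTRUCTED_NS.get(zone, [])


def dnspython_lookup_ns(zone):
    """Hypothetical live hook using dnspython (assumed installed); not run here."""
    import dns.resolver
    try:
        return [str(r.target).rstrip(".") for r in dns.resolver.resolve(zone, "NS")]
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer, dns.resolver.NoNameservers):
        return []


if __name__ == "__main__":
    for pfx in ("196.16.0.0/14", "163.198.0.0/16", "192.0.2.0/24"):
        rep = delegation_report(pfx, stub_lookup_ns)
        print(f"{pfx}: {len(rep)} zone(s), {undelegated_fraction(rep):.0%} undelegated")
```

An undelegated fraction of 1.0 for a block that is nonetheless being
announced is the signal the posts describe.  It is a signal, not proof: a
legitimate holder may simply never have set up reverse DNS, so the result
belongs beside the RIR WHOIS record and the route's history, not on its own.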

Multicom Hijacks: Do you peer with these turkeys (AS35916)?

2017-08-03 Thread Ronald F. Guilmette

Well, it took less than a day for my last missive here to get the
hijacks associated with AS202746 (Nexus Webhosting) taken down.
I guess that somebody must have smacked Telia upside the head with
a clue-by-four at long last.

So, with that out of the way, let's see what else I can accomplish
this week.

As I understand it, the theory is that the thing that keeps the
entire Internet from descending into the final stages of a totally
broken "tragedy of the commons" is peer pressure.  As everyone knows,
there is no "Internet Police", so the whole system relies on the
ability and willingness of networks to de-peer from other networks
when those other networks are demonstrably behaving badly.

Let's find out if that actually works, in practice, shall we?

According to bgp.he.net, the top three peers of AS35916 (Multacom)
are as follows:

AS2914  NTT America, Inc.
AS3223  Voxility S.R.L.
AS209   Qwest Communications Company, LLC

I'd like help from any and all subscribers to this mailing list who
might have contacts in these companies.  I'd like you to call their
attention to Multacom's routing of the following block specifically:

163.198.0.0/16

This is a long-abandoned Afrinic block belonging to a semi-defunct
company called "Agrihold".  In fact, this block was a part of the
massive number of hijacked legacy Afrinic /16 blocks that I pointed
out, right here on this mailing list, way back last November:

   https://mailman.nanog.org/pipermail/nanog/2016-November/089164.html

After that posting, whoever was responsible for all those blatant
hijackings got cold feet, apparently, and stopped passing all of those
bogus route announcements out through their pals at AS260, Xconnect24 Inc.

And so, for a brief time at least, the wanton pillaging of legacy Afrinic
/16 blocks, and the reselling of those stolen blocks to various snowshoe
spammers stopped... for a while.

But it appears that on or about January 6th of this year, Multacom
leapt into the breach and re-hijacked both the 163.198.0.0/16 block
and also the additional Afrinic legacy block, 160.115.0.0/16.  (They
apparently stopped routing this latter block some time ago, for reasons
unknown.  But the fact that Multacom was indeed routing this second
purloined legacy Afrinic /16 block also is in the historical records
now, and cannot be denied.  Multacom's routing of both blocks began
around January 6th or so of this year, 2017.)

Just as a courtesy, I sent the block absconders at Multacom a short email,
earlier today, asking them if they had an LOA which demonstrates that
they have rights/permission to be routing the 163.198.0.0/16 block.  Of
course, the mystery person (noc@) who emailed me back claimed that they
did, but unfortunately, he was not under oath at the time.  I asked
if he could show me a copy of this purported LOA, and I haven't heard
back from anybody at Multacom ever since.

I don't really think there is any big mystery here, nor do I think
that Multacom has or had, at any time, any rights to be routing these
two legacy Afrinic /16 blocks.  But they have done so, and continue
to do so, in the case of the 163.198.0.0/16 block at least, quite
obviously because -somebody- is paying them to do it, even in the total
absence of a legitimate LOA.

And as it turns out, it is quite easy to figure out who Multacom has
been routing these two hijacked legacy Afrinic /16 blocks both for and
to.

It's trivially easy to run a traceroute to any arbitrary IP address
within the 163.198.0.0/16 block.  No matter which one you pick, the
traceroute always passes through a particular IP address, 178.250.191.162,
before the remainder of the traceroute gets deliberately blocked.

That IP address is registered *not* to some long lost African concern, but
rather to a Romanian networking company called Architecture Iq Data S.R.L.

That company itself is apparently owned by a fellow by the name of
Alexandru ("Andrei") Stanciu who hails from the city of Suceava, Romania.
(Note that this is apparently *not* the same Alexandru Stanciu who the FBI
arrested on bank and wire fraud charges in 2014.  That one apparently hailed
from Bucharest.)

Anyway, "networking" seems to be only one of our Mr. Stanciu's many and
varied business interests.  His networking company, Architecture Iq Data
S.R.L. has a web site (http://architekiq.ro/) but it is "shallow" to
say the least.  Many, and perhaps even most, of the links on the home page
of that company's web site seem to lead nowhere.

In contrast, Mr. Stanciu has the following other well-developed web sites
and companies:

ads.com.ro
promoart.ro
largeformatprinting.ro

Promoart S.R.L.
Advertising Distribution Supplies S.R.L.

Mostly, he seems to be in the advertising business, as evidenced by the
above web sites, and also by his membership in the "Email Marketing Gurus"
special interest group over on LinkedIn:

 https://ro.linkedin.com/in/alexandru-stanciu-8846aa12a

Given Mr. 
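The traceroute observation in the Multacom post above (every target inside 163.198.0.0/16 passes through one address, 178.250.191.162, and then the path goes dark) is the kind of thing worth confirming across many targets rather than eyeballing one run. The following is an added example, not code from the post: it parses traceroute-style output for several targets, finds each path's last responding hop, and reports the address they all share. The transcripts are constructed for the example (intermediate hops use documentation ranges); only the shared hop address comes from the post.

```python
"""Find the hop shared by traceroutes into a block before the path goes dark."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed traceroute transcripts (not real captures) for three targets in
# 163.198.0.0/16. Intermediate hops use documentation ranges (192.0.2.0/24,
# 198.51.100.0/24); the shared hop is the address named in the post.
TRACES: Dict[str, str] = {
    "163.198.10.1": """\
 1  192.0.2.1  0.412 ms
 2  192.0.2.254  1.203 ms
 3  198.51.100.9  8.771 ms
 4  178.250.191.162  31.052 ms
 5  * * *
 6  * * *""",
    "163.198.77.200": """\
 1  192.0.2.1  0.398 ms
 2  192.0.2.254  1.190 ms
 3  198.51.100.17  9.004 ms
 4  178.250.191.162  30.886 ms
 5  * * *""",
    "163.198.254.9": """\
 1  192.0.2.1  0.405 ms
 2  198.51.100.33  7.650 ms
 3  178.250.191.162  29.917 ms
 4  * * *
 5  * * *""",
}

HOP_RE = re.compile(r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\b")
TIMEOUT_RE = re.compile(r"^\s*(\d+)\s+\*")


def parse_hops(text: str) -> List[Optional[str]]:
    """Hop addresses in order; None for a hop that only timed out."""
    hops: List[Optional[str]] = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append(m.group(2))
        elif TIMEOUT_RE.match(line):
            hops.append(None)
    return hops


def last_responding_hop(hops: List[Optional[str]]) -> Optional[str]:
    """Last hop that answered before the path went dark."""
    responders = [h for h in hops if h is not None]
    return responders[-1] if responders else None


def common_choke_point(traces: Dict[str, str]) -> Optional[str]:
    """The single address that is the last responding hop for every target,
    or None if the targets diverge."""
    lasts = {last_responding_hop(parse_hops(t)) for t in traces.values()}
    return lasts.pop() if len(lasts) == 1 else None


def hop_frequency(traces: Dict[str, str]) -> Counter:
    """How many targets each responding hop appears in, for ranking shared
    infrastructure when there is no single choke point."""
    freq: Counter = Counter()
    for text in traces.values():
        for hop in {h for h in parse_hops(text) if h is not None}:
            freq[hop] += 1
    return freq


if __name__ == "__main__":
    print("common choke point:", common_choke_point(TRACES))
    for hop, n in hop_frequency(TRACES).most_common():
        print(f"{hop:18} seen on {n} of {len(TRACES)} paths")
```

The choke-point address is only a lead: the next step, as in the post, is a WHOIS lookup on that address to see who actually operates the hop, which is a manual check this script deliberately leaves to the analyst.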

AS202746 Hijacks: Is Telia (a) stupid, or (b) lazy, or (c) complicit?

2017-08-02 Thread Ronald F. Guilmette

The annotations in the RIPE WHOIS record for AS202746 seem pretty clear to me.
This thing is B-O-G-U-S!

Even RIPE, which is always reticent to say any bad things about any of its
crooked customers... even after they have kicked them out of RIPE altogether,
e.g. for being just too obviously and blatantly crooked...  was able to
determine that this particular AS is rubbish, and said so, right in the
WHOIS record:

   remarks: this object has been locked by the RIPE NCC pending deregistration

So, you know, what's up with Telia (AS1299) which is the one and only peer of
this stupid thing (AS202746)?

I only ask because AS202746 is currently blatantly and obviously hijacking the
following four separate Brazilian /22 blocks:

200.220.160.0/22
200.220.164.0/22
200.220.168.0/22
200.220.172.0/22

Unlike a lot of other cases I've seen of late, Telia can't even fall back on
the lame excuse that "Oh!  Gosh!  We are only passing those routes through
for our customer because they have corresponding route objects properly
registered in the RIPE IRR telling us that it's A-OK for them to route this
stuff."

Whoever the actual hijacker is in this case, he/she/it didn't even bother to
create bogus route objects in the RIPE data base, even though it is trivially
easy for any criminal who can fog a mirror to do that.

So, as the Subject line above says, I'd like to hear opinions on the following
pertinent question:

   Is Telia (a) stupid, or (b) lazy, or (c) complicit?

Vote early!  Vote often!

(I wouldn't even mind about these blatant hijackings if it were not for the
fact that all of those hijacked /22 blocks have, quite predictably, been
filled to the brim with outbound mail servers belonging to some snowshoe
spammer... which is par for the course these days when it comes to IPv4
space hijackings.)


Regards,
rfg


P.S.   Over on some of the RIPE mailing lists, they've recently been discussing
whether or not to continue allowing Joe Random Criminal to create totally
unauthorized and totally unchecked/unverified (and typically bogus) route
objects in the RIPE data base for so-called "out of region" IP address block
resources.  Of course, if anybody had any brains or any backbone over on that
side of the pond, they would have done this already ten years ago.  But such
is the pace of change in the Old World, where even the most obvious things
can't be implemented until everybody and his brother agrees, including even
the stupid kid.

My point, of course, is that even when and if those crazy Europeans get around
to doing the obviously rational thing... like locking the door to the bank
before you leave at night... even that won't and wouldn't have made one whit
of difference to this case of Telia's passing of the bogus/hijacked routes
being announced by AS202746, which is ongoing, as we speak.  There's no
authority anywhere that I am aware of that is telling the Telia folks that
it is OK for either them or their customer to pass out those routes.  They
are just doing it, because, quite obviously, they are being -paid- to do it,
and screw everybody else.  We can all just shut up and eat our spam, I guess.


Re: IP Hijacking For Dummies

2017-06-05 Thread Ronald F. Guilmette

In message 

Re: IPv4 Hijacking For Idiots

2017-06-05 Thread Ronald F. Guilmette

In message 
William Herrin  wrote:

>You actually got lost a couple steps back.
>
>First, you want to control the POC emails for the IP addresses. Controlling
>just the POC emails for the AS number won't do you any good.

Ummm... in this case there doesn't seem to be any reason to believe
that the hijacker(s) have gotten anywhere near to controlling the POC
emails for any, let alone -all- of the relevant (Colombian) IP blocks...
only the POC emails for the ASN.

But you are suggesting that they -did- get control of those, all essentially
simultaneously (or anyway sometime during the past 2 months), for all
of about five or six or seven separate and different Colombian entities.

That theory would seem to fail the Occam's razor test.  It just doesn't
seem at all likely.

>Let's say you have gained control of the POC emails for the IP address
>block. Stay completely away from the historical BGP peers. They might know
>the real registrant and get suspicious when you show up.

Good point!  I'll have to remember to put that in the book. :-)

>Go to somebody
>else, dummy up some letterhead for the purported registrant and write
>yourself a letter authorizing the ISP to whom the letter is presented to
>route those IP addresses. Explain that you're a networking contractor
>working for the organization holding the registration and give them
>adequate contact information for yourself: postal address, email, phone.
>Not "1234 Main, box 30" but "1234 Main, Suite 30". Paid for with the
>cash-bought debit card. You get the idea.

Yes.  The whole general identity theft ruse isn't that complicated to
understand.  I still don't get how these crooks managed to get past
that ocular biometric scan, but I guess the check cleared, so maybe
that goes a long way towards explaining -that- mystery. :-)

>Then you pay the ISP to connect you to the Internet and present your
>letter. Until the inevitable complaints roll it, that's it: you have
>control of those IP addresses.

I guess that I must be hopelessly naive to believe that the likes of
either Hurricane or Level3 might employ some warm body, at least part
time, to actually look for this kind of blatant gibberish, and flag
it for further inquiry when it arises.  I would volunteer to do the
job for them if they would just keep me in Cheetos.  (Cheetos are my
new favorite snack ever since last November's election. :-)

>I've read article after article after article bemoanging the fact that
>> "BGP isn't secure",
>
>They're talking about a different problem: ISPs are supposed to configure
>end-user BGP sessions per BCP38 which limits which BGP announcements the
>customer can make. Some ISPs are sloppy and incompetent and don't do this.

Yea.  I kinda thought that most or all of the very public hand-wringing
over the "insecurity" of BGP was indeed about this other aspect of the
problem.  But I just wanted to be sure that I was clear in my own mind
about this.  The insecurity -isn't- that any Joe Blow can just willy-nilly
connect up to any router on the Internet and push bogus routes into it.
The insecurity is only that people/entities you know, trust, and have
actual business relationships with can (and apparently do), in many cases, 
pass goofy stuff to you, and if you are not fastidious enough about washing
up after such contacts, then you pass those bits of nonsense along to
everybody else who you have relationships with...  sort-of like chlamydia.


Regards,
rfg


Re: IPv4 Hijacking For Idiots

2017-06-05 Thread Ronald F. Guilmette

In message 
Christopher Morrow  wrote:

>most times i've seen isp DIA links bgp was 'free' or had been..
>
>> talking about the cost of adding an upstream BGP session.
>
>ok. so either free or some up-charge by the isp.

Wait a minute.  I just wanna make sure that I am getting this.

So you're saying that whichever criminal is behind this stuff, that he
maybe could have pulled it all off for the astounding and impressive
sum of zero dollars and zero cents ($0.00) ?

(Well, I guess that's not quite accurate.  I guess that he at least had
to pay for the cost of re-registering the wirelessnetbg.info domain name.
I don't know what .info domains cost anymore, but the last time I looked
you could get one of those for less than ten bucks.  I suppose that Internet
criminals everywhere will be greatly heartened by the low cost of entry
into this game.  I'm guessing that it probably costs much much more to
become an Amway distributor, for example.  Even second-story men have to
invest more than this for a set of appropriate tools.)


Regards,
rfg


IP Hijacking For Dummies

2017-06-05 Thread Ronald F. Guilmette

Late last night, I put together the following simple annotated listing of
the routes being announced by AS34991.

Beyond the quite apparent fact that this "Bulgarian" network is announcing
a bunch of routes for blocks of IPv4 space allocated to various parties
within the nation of Colombia (including the National University thereof),
the other thing that struck me about this was the apparent relevance of
a company called "host-offshore.com".

Looking at the web site for that, it provides only a single contact
phone number which is unambiguously a -Pakistani- phone number.  But
of course, that makes perfect sense, because Pakistan is just down the
street from Bulgaria (NOT!)

It did also strike me as passing strange that this company has apparently
elected to not actually put its own web server, name servers, or mail
server anywhere within its own duly allocated IPv4 blocks.

Things got even a bit more interesting when I tried to actually order a
server from this company.  Apparently, all of their virtual servers
are "sold out".  However... and please, somebody check me on this...
I guess that all of the browsers on all of the platforms I have ready
access to are broken or something, because try as I might, I could never
quite succeed at reaching any page on this company's web site where I
could order up -any- kind of server, virtual, dedicated, or otherwise.

So, you know, this hosting company appears somewhat unique and unusual,
at least from where I am sitting, in the sense that it is perhaps the
only such "hosting" company that I've ever run across in my travels that
doesn't actually have -anything- for sale.

Personally, I don't really give a rat's ass if this site is just a cover
for some inept criminals, or for Pakistani ISI, or for the FSB, or for
some of Putin's patriots, or even if it belongs to the NSA.  But I cannot
help but bemoan the fact that here we are, and it is 2017 already, and
yet, whichever bunch of lame-ass jerks are in fact behind this thing,
apparently aren't even capable of slapping together a cover web site
that is more than just some entirely shallow and not very effective false
front.

As a researcher and student of such things, I just think that by now,
in 2017, we should have a somewhat more skilled class of frauds, rogues,
criminals and spies on the Internet.  I mean this is just baby stuff,
and it only takes a couple of minutes and few clicks to see past such
transparent gibberish.

So c'mon all ye criminals, rogues and spies!  You need to up your game
fer cryin' out loud!  At least present us with something a bit more
challenging than -this- kind of very superfluous crap.  I mean, have you
no self-respect?

Gssshhh!


Regards,
rfg



===
79.124.77.0/24  -- Bulgaria -- host-offshore.com
82.118.233.0/24 -- Bulgaria -- wirelessnetbg.info
91.92.144.0/24  -- Bulgaria -- host-offshore.com
130.185.254.0/24 -- Belize? -- host-offshore.com (formerly routed by Verdina)
152.204.132.0/24 -- Colombia
152.204.133.0/24 -- Colombia
152.231.25.0/24 -- Colombia
152.231.28.0/24 -- Colombia
168.176.187.0/24 -- Colombia, National University of
168.176.192.0/24 -- Colombia, National University of
168.176.194.0/24 -- Colombia, National University of
168.176.218.0/24 -- Colombia, National University of
168.176.219.0/24 -- Colombia, National University of
179.1.71.0/24 -- Colombia
181.57.40.0/24 -- Colombia
186.113.13.0/24 -- Colombia
186.113.15.0/24 -- Colombia
186.147.230.0/24 -- Colombia
190.90.31.0/24 -- Colombia
190.90.88.0/24 -- Colombia
200.1.65.0/24 -- Colombia
200.14.44.0/24 -- Colombia
200.24.3.0/24 -- Colombia
200.24.5.0/24 -- Colombia



Re: IPv4 Hijacking For Idiots

2017-06-05 Thread Ronald F. Guilmette

In message 
Christopher Morrow  wrote:

>that doesn't seem to be what's happening in ron's example though...
>
>it looks, to me, like the example ron has is more a case of:
>  1) register contacts for lost asn (AS34991)
>  2) setup equipment/etc at an IX (bulgaria-ix it seems, at least) with
>another shill/lost-child asn (AS206776)

I'm perplexed at why you would call AS206776 a "lost child", so perhaps
you could explain that.  From where I'm sitting, it does look rather
entirely dodgy... being (allegedly) located as it is in the British
Virgin Islands, and having only been created (manufactured?) circa
2016-11-04.  But bgp.he.net is showing that it has 35 peers, and that
it is peering even with the likes of big boys like HE.net and Level3,
just to name a few.

>  3) start doing the bgps with the IX fabric's route-server

Yea, but again, I personally would like to be enlightened about the basic
mechanics of how one causes this to happen.  If I am Joe Blow criminal
and I somehow manage to finagle my way into having a machine which is
physically present within some IX at some locale, somewhere on planet
earth, then does that mean that, by definition, I know -where- to inject
bogus routes and -how- to inject bogus routes and that I have the
-capability- to inject bogus routes into the kind of "fabric route
server" you speak of?

And by the way, I see now that I botched the Subject: for this thread
that I started.  I meant to say "IP Hijacking for Dummies".  Obviously,
this activity has become so popular that it is high time that somebody
wrote one of those "XYZ for Dummies" books, you know, with the yellow
and black covers, so that aspiring but ignorant criminals don't have to
always start from scratch and learn how to do this stuff from the ground up,
based just on piecing together little scraps and fragments of information
scattered all over the Internet.

>  4) profit (or something)

Yea.  I don't think that hijackers are doing this stuff just for fun.
But they've already figured out how to MAKE MONEY FAST from the purloined
IP space, so that part probably doesn't even need to go in the book.

>err, you'll have to better explain this I think.
>
>Are you saying: "get an ASN from RIR that costs 100USD" (might, probably
>does)
>
>this doesn't get you a peering/transit contract though...

Yea, this is a part of what I'm still mystified about.

Have AS206776 and AS57344 been paid to pass the routes given to them
by AS34991 ?  And have they been paid an extra premium, above and beyond
the normal fee for this service, you know, to look the other way and
do the old Muhammad Ali rope-a-dope and act stupid/innocent when and
if anybody ever calls them out for this rather entirely blatant and
brazen bogosity?

I've seen this movie before, and not that long ago.  And it's just not
nearly as entertaining the second time around.  The upstreams shrug and
offer the lame excuse of "Oh... well... the routes are all properly
registered in the RIPE route registry, so, you know, how could we have
possibly known that anything was amiss?"  But as I learned last time
this lame excuse was used, any baboon with a keyboard and a pulse can
get himself a RIPE account and then create all of the bogus route objects
he or she desires.  And since it took me less than a day to find out this
ludicrous but true fact last time, I have to wonder if network operators,
and particularly those in the RIPE region, are in some cases being
-willfully ignorant- of the fact that a route object's presence within
the RIPE data base has a reliability value roughly equal to that of a
three dollar bill.


Regards,
rfg


P.S.  I'll be more than happy to take it upon myself... even being the
basically unknown nobody and non-network-operator that I am... to send
polite emails to both AS206776 and AS57344, asking them, as politely as
I can manage, to please explain just WTF they think they are doing.  But
if past experience from the last such event is any guide, these emails
will have no effect whatsoever.  So that leads me to ask the obvious
next question:  Is it at all likely that anybody at, say, HE.net and/or
Level3 might give enough of a damn about any of this ludicrous and clearly
malevolent bogosity so that they might actually be inclined to have a
friendly word with the folks at AS206776 and AS57344?  And if so, how
might I get in touch with any such people (at HE and/or Level3)?


IPv4 Hijacking For Idiots

2017-06-05 Thread Ronald F. Guilmette

The more I know, the less I understand.

Maybe some of you kind folks can help.

Please explain for me the following scenario, and how this all actually
works in practice.

Let's say that you're a malevolent Bad Actor and all you want to do is
to get hold of some ASN that nobody is watching too closely, and then
use that to announce some routes to some IPv4 space that nobody is
watching too closely, so that you can then parcel out that IP space
to your snowshoe spammer pals... at least until somebody gets wise.

OK, so you pull down a copy of, say, the RIPE WHOIS database, and you
programmatically walk your way through it, looking for contact email
addresses on ASN records where the domain of the contact email address
has become unregistered.  Say for example the one for AS34991.  So
then you re-register that contact domain, fresh, and then you start
telling all of your friends and enemies that you -are- AS34991.

That part seems simple enough, and indeed, I've seen -this- part of the
movie several times before.  However once you have stepped into the
identity of the former owners of the ASN, if you then want to actually
proceed to -announce- some routes, and actually have those routes make
it out onto the Internet generally, then you still have to -peer- with
somebody, right?

So, I guess then, if you're clever, you look and see who the ASN you've
just successfully hijacked has historically peered with, and then you
somehow arrange to send route announcements to those guys, right?
(I'm talking about AS206776 and AS57344 here, BTW.)

But see, this is where I get lost.  I mean how do you push your route
announcements to these guys?  (I don't actually know that much about
how BGP actually works in practice, so please bear with me.)  How do
you know what IP address to send your announcements to?  And if you are
going to push your route announcements out to, say, the specific routers
that are run by AS206776 and AS57344, i.e. the ones that will send your
desired route announcements out to the rest of the Internet... well..
how do you find out the IP addresses of those routers on those other
networks?  Do you call up the NOCs at those other networks and do a bit
of social engineering on them to find out the IP addresses you need to
send to?  And can you just send BGP messages to the routers on those
other networks without -any- authentication or anything and have those
routers just blindly accept them -and- relay them on to the whole rest
of the Internet??

I've read article after article after article bemoaning the fact that
"BGP isn't secure", but now I'm starting to wonder just how massively
and unbelievably insecure it actually is.  I mean would these routers
being run by AS206776 and AS57344 just blindly accept -any- route
announcements sent to them from literally -any- IP address?  (That seems
positively looney tunes to me!  I mean things can't really be THAT
colossally and unbelievably stupid, can they?)

Thanks in advance for any enlightenment.


Regards,
rfg


P.S.  It would appear to be the case that since some time in April of this
year the "Bulgarian" network, AS34991, had evinced a rather sudden and
pronounced affinity for various portions of the IPv4 address space nominally
associated with the nation of Colombia, including at least five /24 blocks
within 168.176.0.0/16 which, from where I am sitting, would appear to belong
to the National University of Colombia.

Oh well.  They apparently haven't been missing those five gaping holes in
their /16 since the time the more specifics started showing up in April.

And anyway, so far it looks like the new owners of AS34991 haven't actually
sub-leased any of those /24s to any spammers yet.  Only the 190.90.88.0/24
block seems to be filled, wall-to-wall, with snowshoe spammers so far.
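The scenario laid out in this post (an ASN reclaimed through its lapsed contact domain, then used to announce more-specifics inside a /16 that belongs to somebody else), the annotated AS34991 listing in the "IP Hijacking For Dummies" post, and the AS202746 /22s with no route objects behind them in the Telia post are all things an operator can check mechanically before accepting or propagating a route. The following is an added example, not code from any of these posts: it audits a set of observed (prefix, origin AS) announcements against a registry baseline and a set of IRR route objects, classifying each as OK, a more-specific hijack, an origin mismatch, or space outside the baseline. The baseline, the holder ASNs (RFC 5398 documentation ASNs 64496-64498, since the posts do not name the real holders' ASNs), the prefix boundaries and the IRR objects are constructed for the example; the hijacked prefixes and the ASNs 34991 and 202746 are the ones the posts name.

```python
"""Audit observed BGP announcements against a registry baseline and IRR objects."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed registry baseline: covering prefix -> (holder label, origin ASNs
# the holder is known to announce from). The holder ASNs 64496-64498 are
# RFC 5398 documentation ASNs standing in for the real ones, which the posts
# do not give; the prefix boundaries are likewise assumed for the example.
ALLOCATIONS: Dict[str, Tuple[str, Set[int]]] = {
    "168.176.0.0/16": ("National University of Colombia (label)", {64496}),
    "190.90.0.0/16": ("Colombian holder (label)", {64497}),
    "200.220.160.0/20": ("Brazilian holder (label)", {64498}),
    "79.124.77.0/24": ("host-offshore.com (label)", {34991}),
}

# Constructed IRR route objects (prefix, origin). Anyone with an IRR account
# can file one, so presence is weak evidence of legitimacy; absence, as in
# the Telia case, means even that paper trail was skipped.
IRR_ROUTE_OBJECTS: Set[Tuple[str, int]] = {
    ("79.124.77.0/24", 34991),
    ("168.176.187.0/24", 34991),  # bogus object filed for a more-specific
}


@dataclass(frozen=True)
class Finding:
    prefix: str
    origin: int
    verdict: str  # OK | MORE_SPECIFIC_HIJACK | ORIGIN_MISMATCH | UNKNOWN_SPACE
    covering: Optional[str]
    holder: Optional[str]
    irr_covered: bool


def covering_allocation(prefix: str) -> Optional[str]:
    """Longest-prefix match of an announced prefix against the baseline."""
    net = ipaddress.ip_network(prefix)
    best: Optional[str] = None
    for alloc in ALLOCATIONS:
        anet = ipaddress.ip_network(alloc)
        if net.version == anet.version and net.subnet_of(anet):
            if best is None or anet.prefixlen > ipaddress.ip_network(best).prefixlen:
                best = alloc
    return best


def classify(prefix: str, origin: int) -> Finding:
    """Classify one announcement against the baseline and the IRR objects."""
    alloc = covering_allocation(prefix)
    irr = (prefix, origin) in IRR_ROUTE_OBJECTS
    if alloc is None:
        return Finding(prefix, origin, "UNKNOWN_SPACE", None, None, irr)
    holder, authorized = ALLOCATIONS[alloc]
    if origin in authorized:
        verdict = "OK"
    elif ipaddress.ip_network(prefix).prefixlen > ipaddress.ip_network(alloc).prefixlen:
        # A more-specific from a foreign origin wins longest-match routing
        # and silently carves a hole in the holder's block.
        verdict = "MORE_SPECIFIC_HIJACK"
    else:
        verdict = "ORIGIN_MISMATCH"
    return Finding(prefix, origin, verdict, alloc, holder, irr)


def audit(announcements: List[Tuple[str, int]]) -> List[Finding]:
    return [classify(p, o) for p, o in announcements]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per verdict."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts


# Constructed observations modelled on the annotated AS34991 listing and the
# AS202746 /22s above, plus one legitimate announcement from a placeholder
# holder ASN and one prefix (TEST-NET-3) outside the baseline entirely.
OBSERVED: List[Tuple[str, int]] = [
    ("168.176.0.0/16", 64496),
    ("168.176.187.0/24", 34991),
    ("168.176.192.0/24", 34991),
    ("190.90.88.0/24", 34991),
    ("190.90.0.0/16", 34991),
    ("79.124.77.0/24", 34991),
    ("200.220.160.0/22", 202746),
    ("203.0.113.0/24", 34991),
]

if __name__ == "__main__":
    for f in audit(OBSERVED):
        flag = "irr-object" if f.irr_covered else "no-irr-object"
        print(f"{f.prefix:18} AS{f.origin:<7} {f.verdict:21} {flag:14} {f.holder or '-'}")
    print(summarize(audit(OBSERVED)))
```

Note that the IRR flag is reported alongside the verdict rather than folded into it: a route object for 168.176.187.0/24 from AS34991 does not make that more-specific legitimate, which is exactly the point the posts make about the RIPE route registry.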




Re: Avalanche botnet takedown

2016-12-09 Thread Ronald F. Guilmette

In message <20161201201124.982f2...@m0086238.ppops.net>, 
sur...@mauigateway.com wrote:

>In message <20161201124527.9be45...@m0087798.ppops.net>, 
>sur...@mauigateway.com wrote:
>
>>What is your suggestion to keep the sky from falling?
>
>My full answer, if fully elaborated, would bore you and 
>everybody else to tears, so I'll try to give you an 
>abbreviated version.
>
>It seems to be that it comes down to three things... 
>acceptance, leadership, and new thinking.
>--
>
>In acceptance you seem to want various laws made to 
>control it.  

Yes.

>In leadership you seem to want the masses to uprise against 
>the "tier 1" folks and force it there.

Actually, I'm not 100% sure even that would do it.  Look at the banks,
who are now widely loathed, and yet they still continue to get away
with massive crimes and nobody is seriously punished.  But wider public
awareness of just what the problems are, and just who can and should be
working to correct them would be helpful.

>In new thinking you seem to want various governments to
>band together to form a "law of cyber" coalition

Yes.

>and for a "you must be this tall to ride the internet" measurement.

No, I never said that.  I don't care how tall you are, or how young or
how old or how whatever you are.  You should be able to use the Internet.
But with privileges should come some accountability, and that is entirely
lacking at present.

>You also mention "When is the industry going to start 
>admitting to itself that individual end-lusers can be
>dangerous, sometimes even to the tune of $tens of millions 
>of dollars?  In short, when is this industry going to start 
>vetting people..."
>
>I believe 'this industry' does recognize it and no one can 
>get a list of everyone on this planet that is allowed to 
>'play' on the internet.

Correct.  And that is a major part of the problem.

>Did I get the gist of your response correct?

Partially.  See above.


Regards,
rfg


Re: Avalanche botnet takedown

2016-12-01 Thread Ronald F. Guilmette

In message <20161201205647.ga8...@gsp.org>, 
Rich Kulawiec  wrote:

>2. As an aside, I've been doing a little research project for a
>few years, focused on domains.  I've become convinced that *at least*
>99% of domains belong to abusers: spammers, phishers, typosquatters,
>malware distributors, domaineers, combinations of these, etc. 

As you probably know Rich, that's not exactly a novel observation.  Vixie
was already saying it a full six years ago, and things have only gotten
worse since then.

http://www.circleid.com/posts/20100728_taking_back_the_dns/

Regards,
rfg


Re: Avalanche botnet takedown

2016-12-01 Thread Ronald F. Guilmette

In message <20161201124527.9be45...@m0087798.ppops.net>, 
sur...@mauigateway.com wrote:

>What is your suggestion to keep the sky from falling?

My full answer, if fully elaborated, would bore you and everybody else
to tears, so I'll try to give you an abbreviated version.

It seems to be that it comes down to three things... acceptance, leadership,
and new thinking.

Acceptance
We, the people of this planet, including end users, small ISPs,
big ISPs, Tier-1 providers, ICANN, and all of the dangling tentacles
that derive their authority and power therefrom, law enforcement
globally, and judicial systems globally, have to begin by accepting
the undeniable reality that traditional law enforcement and judicial
processes have already been utterly overwhelmed by the new phenomenon
of international cybercrime, *and*, more importantly, that they always
will be.  If a teenager can hack your bank account in ten minutes,
but it takes three years to bring him to trial, after which he
gets a slap on the wrist and probation... well... any idiot can
see that this is an ongoing recipe for disaster on a grand scale.
(And in a way, announcements like the one today about a small
handful of Internet criminals being busted are actually a bad
thing, because they only serve to perpetuate this comforting but
incredibly incorrect mass delusion that traditional law enforcement
has the new world of cyberspace well in hand.  They don't, and never
will.  And in fact they are just falling further and further behind
with each passing year.)

Leadership
This has to come from the folks at the top of the food chain, the
Tier-1 providers, and sadly, they have become like the banks...
everybody hates them, but we all know that we can't live without
them, and they are free to make money hand over fist while showing
no signs of accountability whatsoever.  (And don't kid yourself
that there is anything even remotely like independence in any of
the bits and pieces, starting from ICANN on down, that currently
pass for what is laughingly called "Internet Governance".  All of
these structures take their cue, and their marching orders, from
the Internet industry, and the industry, such as it is, can't change
a damn thing without buy-in from the Tier-1 providers.)

Unfortunately, in this just-past election, one party's Presidential
candidate was criticized for being "too close to the banks", in
particular, Goldman Sachs, and the other one has just selected a
former Goldman Sachs banker pal of his to run the treasury
department in the new administration.  This shows that without a
massive sea change in the level of anger among the general populace,
nothing will change, ever.  And so it is also with the Internet
industry.  End users and consumers need to wake up and start actively
demanding that the industry grow up, grow a pair, and stop just
sitting idly by while the current ongoing hacking free-for-all
claims new victims every goddamn day.  When and if that ever happens,
perhaps one or more CEOs of Tier-1 providers will finally wake up,
smell the coffee, and understand that over a time horizon longer than
this coming quarter, they need to start showing some leadership,
and help guide the whole industry towards a better and safer future.

New Thinking
Even military men have, for some time now, been calling cyberspace
"a new domain of battle, like air, land, sea, and space".  Why then
do our law enforcement and judicial systems, worldwide, fail to
also and likewise accept and begin to deal with this new reality?

Everywhere on earth, law enforcement, judicial systems, and
governments are, by and large, still trying to pretend that
cybercrime is strictly a local matter.  It isn't, and hasn't
been, for about 30 years now.

Internationalized legal structures are hard to assemble, but they
are hardly without precedent.  Why should there not be an
international Internet equivalent of the "Law of the Sea"?

It is quite common for cybercrimes to cross national borders, and yet
I personally have so far never heard of a single instance in which
any cybercriminal has been brought before the International Criminal
Court in the Hague to stand trial.  Why not?  Russia and China may
(and indeed do) seem to have more than a little reluctance to allow
extradition of their cybercriminals to the U.S. to stand trial.  OK
then.  What will be their excuse if we instead say that such defendants
should be rendered unto, and be brought before the bar in The Hague?


Re: Avalanche botnet takedown

2016-12-01 Thread Ronald F. Guilmette

In message <20161201173426.2861.qm...@ary.lan>, 
"John Levine"  wrote:

>More info here:
>
>https://www.europol.europa.eu/newsroom/news/%E2%80%98avalanche%E2%80%99-network-dismantled-in-international-cyber-operation

I'm always happy when even a small handful of miscreants are captured
and taken off the Internet, but...

The press release itself says that this botnet had been running since
2009.  So, you know, are we supposed to break out the champagne and
start celebrating because it "only" took LE *seven years* to take down
this one botnet and capture a grand total of five cybercriminals?

Like I say, I'm happy that this one botnet was killed, but to my way
of thinking, the fact that it took seven years to do so is a testament
*not* to the spectacular 21st century capabilities of modern law
enforcement, but rather to the ever widening gap between the time
scales of law enforcement processes, typically measured in months or
years, and the time scales of malicious packets flying around the
Internet, usually measured in milliseconds.

The Internet, viewed as an organism, quite clearly has, at present,
numerous autoimmune diseases.  It is attacking itself.  And its immune
system, such as it is, clearly ain't working.  There's going to come
a day of reckoning when it will no longer be possible to paper over
this sad and self-evident fact.  (And no, I'm *not* talking about
the fabled "Digital Pearl Harbor".  I'm talking instead about the
Internet equivalent of the meteor that wiped out the dinosaurs.)


Regards,
rfg


P.S.  WTF is "double fast flux[tm]"?  Is that anything like "double secret
probation" from Animal House?

P.P.S.  I love this part of the press release, because it is so telling:

 "The successful takedown of this server infrastructure was supported
 by ... Registrar of Last Resort, ICANN..."

Hahahahaha!  Yea.  Translation, for those of you who do not speak
diplomacy-speak:  "It isn't just you unofficial anti-spammers and
anti-cybercrime volunteers and private security companies that can't
manage to get many domain registrars and sometimes even domain registries
to lift a finger to help.  Even some of us international law enforcement
guys, who have badges and everything, were also told to go pound sand by
several of the world's worst and most unhelpful registrars and registries.
In fact, they were so colossally unhelpful that in the end, we
finally had to go and plead our case all the way up to ICANN, just in
order to get anything done."


Paging Olav van Doorn, Jan Willem Meijer, and Rutger Bevaart

2016-11-17 Thread Ronald F. Guilmette

If anybody can give me an email for any of these principals of
Xconnect42, Inc. (Netherlands) aka AS260, I'd appreciate it.

I tried to reach somebody (anybody) at their company via the address
I found online for the company  but never
got any response.  That was a week ago.

I'm real interested to have these guys explain to me why they are
peering with the following ASNs, which all appear to have one and
only one BGP peer, i.e. Xconnect24, Inc.

AS7971
AS10505
AS6560
AS14029
AS37135
AS37137

Note that each and every one of the above six Afrinic-issued ASNs
appears to be announcing routes to gobs and gobs of IPv4 space...
mostly previously abandoned AFRINIC space, but also, in the case of
AS10505, numerous /17 hunks of Chinese IPv4 space... to which the
ASNs in question do not appear to have any relationship, and where
a great deal of the relevant IPv4 address space has been filled up
to the brim by U.S.A. based snowshoe spammers, including, apparently,
at least one convicted felon and former drug trafficker.

Note also that two of the /17 routes currently being announced by
AS10505 are for IPv4 space allocated by APNIC to Aliyun Computing, Ltd.
which Bloomberg lists as a subsidiary of retail giant Alibaba,
currently having a market cap of $232.4 billion dollars (USD).

I dunno.  maybe it's just me, but I somehow think that a Chinese
company worth almost a quarter of a trillion dollars probably doesn't
really need to enlist the help of a long-dead South African ISP to
route parts of their space for them.

http://imgur.com/a/uR0qQ

So anyway, I'd really like to have a brief chat with any or all of
the following three gentlemen about all this:

CEO - Olav van Doorn
https://nl.linkedin.com/in/olavvandoorn
Co-founder Jan Willem Meijer:
https://www.loth.nl/company-profile-custom-connect/
CTO - Rutger Bevaart
https://nl.linkedin.com/in/rutgerbevaart

If anybody can put me in touch, I'd appreciate it.  Thanks.


Regards,
rfg


Re: NEVERMIND! (was: Seeking Google reverse DNS delegation

2016-11-14 Thread Ronald F. Guilmette

In message <7077df16-64ae-822d-8ce0-ba44129e2...@gmx.com>, 
Large Hadron Collider  wrote:

>> And that includes the bogus info you put into your WHOIS records too!
>> Seriously, I give you credit for at least picking out a valid random
>> street address, somewhere in fly-over country, but if you're going to
>> go to all the trouble to pick yourself out a domain name, set it all
>> up and then somehow snooker ARIN into delegating an entire /21's worth
>> of reverse DNS to it, then my god, at least pick out something that has
>> an air of believability to it, you know, like austin4u.net or texnets.net
>> or something... not saversagreeable.com which is so totally and transparently
>> bogus.
>What if it was originally going to be a forum site for couponers who 
>aren't arrogant about it, and then they got sidetracked?

Yea.  Right.  And I'm sure they thought that they were gonna need an
entire /21 to host one web site.

The smell from this is so bad it almost defies description.


Regards,
rfg


Re: NEVERMIND! (was: Seeking Google reverse DNS delegation

2016-11-13 Thread Ronald F. Guilmette

In message <20161114004152.ga27...@panix.com>, 
Brett Frankenberger  wrote:

>On Sun, Nov 13, 2016 at 03:57:19PM -0800, Christopher Morrow wrote:
>> So... actually someone did tell arin to aim these at
>> ns1/2google.com...
>> I'll go ask arin to 'fix the glitch'.
>
>For 138.8.204.in-addr.arpa ...
>
>ARIN is delegating to ns[12].saversagreeable.com
>
>The NS records on the saversagreeable.com servers are pointing to
>ns[12].google.com.
>
>> > http://pastebin.com/raw/VNwmgMHh


Right, which is what I said.

To borrow a word from our former Dear Leader, I misunderestimated the
level of either (a) devilish deception or else (b) ordinary garden-
variety sheer technical incompetence on the part of the current illicit
inhabitants of 204.8.136.0/21.  And really, I don't even give them
much credit for brains, so it is probably the latter, which is
somewhat depressing.

I mean seriously geeezz!  What's the world coming to?  It seems that
the clubs for the low-life deadbeat spammers and IP hijackers are letting
*anybody* in these days.  I am always annoyed by spam and spammers, but
I get REALLY annoyed when I get spammed by nitwits who can't even find
their own asses with both hands when it comes to something as simple as
setting up their DNS properly.  Next thing you know, they'll be making
bonehead novice mistakes like leaving out the trailing periods in the
Right Places in their zone files.

Honestly, there ought to be a law.  If you're gonna spam me and use all
these different levels and kinds of deception... massively violating
even the minimalist CAN-SPAM Act in the process...  then at least have
the courtesy, decency, and self-respect to at least do it in a workmanlike
and competent fashion!  I mean come on!

And that includes the bogus info you put into your WHOIS records too!
Seriously, I give you credit for at least picking out a valid random
street address, somewhere in fly-over country, but if you're going to
go to all the trouble to pick yourself out a domain name, set it all
up and then somehow snooker ARIN into delegating an entire /21's worth
of reverse DNS to it, then my god, at least pick out something that has 
an air of believability to it, you know, like austin4u.net or texnets.net
or something... not saversagreeable.com which is so totally and transparently
bogus.

And while you're at it, you should also at least make the WHOIS street
address and the phone number area code line up, if not with the place
you are pretending to be (Austin, TX) then at least with each other.
Honestly, Christ!  I've looked at enough phone numbers in enough spammer
WHOIS records that I haven't needed to Google area code 702 in years to
know that it ain't nowhere near Indianapolis.  (Duh!)

Look, spammers are gonna spam and hijackers are gonna hijack.  We all
know this, and for the most part, we've all come to accept it, because
there are just too many crooks and/or too many incompetents at every
level in the system to ever make it all go away.  But if you're gonna
spam and/or squat on IP space that clearly isn't yours, then at least
have the dignity to actually *earn* your ill-gotten gains, you know,
by setting up your deceptions properly.  This crap in 204.8.136.0/21
may fool the folks at ARIN, but nobody else is buying it, because you
set it up so badly.  You are a discredit to spammers and hijackers,
and that's saying a lot.  This is your "job" fer chrissake?  Don't you
have any pride?

'nuff said.


P.S.  Sorry for the rant everybody, but sometimes it just really gets
to me when I see quite this level of stoopid in the spammer community.
In general I loathe and despise spammers, but for some of them at least,
I have a grudging respect, because at least they are good at their jobs.
But these guys ain't among them.  Everything they've done here is so
transparently bogus that my dog could spot it, and he's blind in one
eye.


AS37135, AS6560, AS32714, AS14029 - Squatted or not? You be the judge.

2016-11-11 Thread Ronald F. Guilmette

At least one person has now asserted to me in private email that
my suggestion that AS30186 was being squatted on was in fact accurate.
Thus, I now feel confident enough to provide here the rest of the story
which goes along with that.

In a nutshell, AS30186 and also two other ASNs, together appear to all
be parts of a single large multi-ASN squat.

In addition to what appears to be a squat on AS30186 (the former
Ross Technology Inc. of Austin, Texas, which even Wikipedia says
has been dead for lo these past 18 years) it appears to me, based
on the evidence, that the exact same large scale spamming company
is, at present, also usurping and squatting on two additional
AFRINIC ASNs, namely AS37135 and AS6560.  I provide here listings
of the current forward resolutions of a sizable number of snowshoe
spammer nonsense domain names (more than 1,400 in total) which are
currently associated with various portions of several apparently
illicitly appropriated AFRINIC /16 blocks:

AS37135:
  http://pastebin.com/raw/PkBagrpJ
AS6560
  http://pastebin.com/raw/zg9W2agN

The affected, and apparently long-orphaned AFRINIC IPv4 blocks involved
are as follows.  Note that these each have their own AFRINIC block
registration records which indicate that they belong to, among others, a
chemicals & power company (155.237.0.0/16), a manufacturer of stainless
steel products (160.115.0.0/16), an international mining company
(163.197.0.0/16), a manufacturer of fertilizers and nitrogen compounds
(163.198.0.0/16), an agricultural chemicals company (164.155.0.0/16),
the Directorate of Information Services for the South African government
(165.25.0.0), a Seychelles Islands ISP (168.80.16.0/15), and a South
African outsourcing and business services company (196.9.0.0/16).
Despite these "official" IPv4 block registrations, based on the evidence
as shown in the above Pastebin reports, I am forced to conclude that
somehow, magically, all of these long-dormant African entities recently
began hosting parts of a large scale snowshoe spamming operation,
including even the Directorate of Information Services for the South
African government, as well as the South African Post Office (196.10.0.0/16),
both of which appear to be kindly lending a hand to these spammers also.

Here is the list of affected AFRINIC-allocated IPv4 blocks:

152.108.0.0/16
155.159.0.0/16
155.235.0.0/16
155.237.0.0/16
160.115.0.0/16
160.116.0.0/16
160.122.0.0/16
163.197.0.0/16
163.198.0.0/16
164.155.0.0/16
165.25.0.0/16
168.76.0.0/16
168.80.16.0/15
196.9.0.0/16
196.10.0.0/16
196.16.0.0/14
196.15.64.0/18

Note that AS37135 and AS6560, which I contend are themselves being squatted
on, are currently announcing numerous discrete and discreet /20, /21, and
/19 blocks out of the above large blocks, perhaps with a view to the future
and to switching their announcements to other and different sub-blocks within
these same containing blocks, e.g. when they have so thoroughly sullied the
reputations of the blocks they are currently using so as to have caused
those blocks to be universally blacklisted everywhere.

In any case, here are the current announcements being made by AS37135
and AS6560, respectively.  Note that the set of announcements from these
ASNs has changed, and significantly, even just within the past 24 hours.
What you are seeing here is just the routes being announced by these
two suspicious ASNs as I write this.

AS37135:
152.108.0.0/19
155.235.80.0/20
155.235.128.0/19
155.235.224.0/19
155.237.128.0/21
155.237.128.0/19
160.115.32.0/20
160.115.48.0/20
160.115.64.0/20
160.115.80.0/20
160.115.96.0/20
160.115.112.0/20
160.116.112.0/20
160.116.160.0/20
160.116.192.0/20
160.122.0.0/19
160.122.128.0/21
160.122.240.0/21
163.198.0.0/20
163.198.64.0/20
168.76.128.0/20  -- Free State Education Department (not routed earlier today)
196.9.32.0/20
196.9.128.0/20

AS6560:
155.159.128.0/20
155.237.64.0/20
155.237.208.0/20
155.237.224.0/20
155.237.240.0/20
163.197.112.0/20
163.197.144.0/20
163.197.176.0/20
163.197.208.0/20
163.197.240.0/20
163.198.16.0/20
163.198.80.0/20
163.198.96.0/20
163.198.144.0/20
163.198.192.0/20
163.198.224.0/20
164.155.0.0/20
164.155.64.0/20
164.155.128.0/20
164.155.192.0/20
165.25.0.0/20
165.25.32.0/20
165.25.64.0/20
165.25.96.0/20
165.25.128.0/20
165.25.160.0/20
165.25.192.0/20
165.25.224.0/20
168.80.16.0/20
168.80.48.0/20
168.80.80.0/20
168.81.16.0/20
168.81.64.0/20
168.81.176.0/20
168.81.224.0/20
196.9.0.0/20
196.9.16.0/20
196.15.64.0/20
196.15.96.0/20

As I was preparing this post, two further and additional dodgy looking
ASNs also came to my attention, and preliminary analysis suggests that
these two additional AFRINIC ASNs, AS32714, and AS14029, together with
all of the IP space they are announcing, may perhaps also be squatted on
at the present time.  Given below are the current announcements from
these two additional ASNs.  Note that AS32714 is currently 
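The post above lists a set of registered AFRINIC blocks and then the more-specific routes that AS37135 and AS6560 were announcing out of them. An added example, not code from the post or its author, that shows how one would check those announcements mechanically: which registered block each announced prefix falls inside, whether any announced prefix lies outside every listed block, which announcements are nested inside another announcement from the same ASN (the /21 inside the /19 in the AS37135 list), and what fraction of each registered block is currently being announced. The prefix lists are transcribed from the post; the only liberty taken is that the post's "168.80.16.0/15" has host bits set and is normalised to 168.80.0.0/15 (the only /15 that can contain it), and the post's "196.10.0.0./16" is written as 196.10.0.0/16.

```python
import ipaddress
from collections import defaultdict

# Registered blocks as listed in the post.  strict=False normalises the
# post's "168.80.16.0/15" (host bits set) to 168.80.0.0/15.
REGISTERED = [ipaddress.ip_network(b, strict=False) for b in [
    "152.108.0.0/16", "155.159.0.0/16", "155.235.0.0/16", "155.237.0.0/16",
    "160.115.0.0/16", "160.116.0.0/16", "160.122.0.0/16", "163.197.0.0/16",
    "163.198.0.0/16", "164.155.0.0/16", "165.25.0.0/16", "168.76.0.0/16",
    "168.80.16.0/15", "196.9.0.0/16", "196.10.0.0/16", "196.16.0.0/14",
    "196.15.64.0/18",
]]

# Announcements as listed in the post, per ASN.
ANNOUNCED = {
    "AS37135": [
        "152.108.0.0/19", "155.235.80.0/20", "155.235.128.0/19", "155.235.224.0/19",
        "155.237.128.0/21", "155.237.128.0/19", "160.115.32.0/20", "160.115.48.0/20",
        "160.115.64.0/20", "160.115.80.0/20", "160.115.96.0/20", "160.115.112.0/20",
        "160.116.112.0/20", "160.116.160.0/20", "160.116.192.0/20", "160.122.0.0/19",
        "160.122.128.0/21", "160.122.240.0/21", "163.198.0.0/20", "163.198.64.0/20",
        "168.76.128.0/20", "196.9.32.0/20", "196.9.128.0/20",
    ],
    "AS6560": [
        "155.159.128.0/20", "155.237.64.0/20", "155.237.208.0/20", "155.237.224.0/20",
        "155.237.240.0/20", "163.197.112.0/20", "163.197.144.0/20", "163.197.176.0/20",
        "163.197.208.0/20", "163.197.240.0/20", "163.198.16.0/20", "163.198.80.0/20",
        "163.198.96.0/20", "163.198.144.0/20", "163.198.192.0/20", "163.198.224.0/20",
        "164.155.0.0/20", "164.155.64.0/20", "164.155.128.0/20", "164.155.192.0/20",
        "165.25.0.0/20", "165.25.32.0/20", "165.25.64.0/20", "165.25.96.0/20",
        "165.25.128.0/20", "165.25.160.0/20", "165.25.192.0/20", "165.25.224.0/20",
        "168.80.16.0/20", "168.80.48.0/20", "168.80.80.0/20", "168.81.16.0/20",
        "168.81.64.0/20", "168.81.176.0/20", "168.81.224.0/20", "196.9.0.0/20",
        "196.9.16.0/20", "196.15.64.0/20", "196.15.96.0/20",
    ],
}


def covering_block(net, registered):
    """Registered block that contains net, or None if it lies outside all of them."""
    for blk in registered:
        if net.subnet_of(blk):
            return blk
    return None


def analyse(registered, announced):
    """Relate per-ASN announcements to the registered blocks they are carved from."""
    by_block = defaultdict(list)
    report = {"uncovered": [], "nested": [], "coverage": {}}
    for asn, prefixes in announced.items():
        nets = [ipaddress.ip_network(p) for p in prefixes]
        for n in nets:
            blk = covering_block(n, registered)
            if blk is None:
                report["uncovered"].append((asn, str(n)))
            else:
                by_block[blk].append(n)
            # A more-specific announced alongside its own covering aggregate from
            # the same ASN adds nothing for reachability; worth asking about.
            for other in nets:
                if n != other and n.subnet_of(other):
                    report["nested"].append((asn, str(n), str(other)))
    for blk in registered:
        # collapse_addresses merges nested prefixes so they are not counted twice.
        used = sum(n.num_addresses
                   for n in ipaddress.collapse_addresses(by_block.get(blk, [])))
        report["coverage"][str(blk)] = used / blk.num_addresses
    return report


if __name__ == "__main__":
    r = analyse(REGISTERED, ANNOUNCED)
    print("outside every listed block:", r["uncovered"])
    print("nested announcements:", r["nested"])
    for blk, frac in r["coverage"].items():
        print(f"{blk:20s} {frac:6.1%} announced")
```

Re-running this against a fresh routing table dump (for instance a bgp.he.net or RIPE RIS export of the same ASNs) is what shows the rotation the post speculates about: the coverage fraction stays low while the set of announced sub-blocks moves around inside the same containing blocks.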

NEVERMIND! (was: Seeking Google reverse DNS delegation contact)

2016-11-10 Thread Ronald F. Guilmette


My profuse apologies to everyone.  It seems that Google is not in fact
involved in any way with providing reverse DNS for the 204.8.136.0/21
IP address block.  I was deceived into believing it was by some
unusual trickery on the part of the spammer-controlled name servers
ns1.saversagreeable.com and ns2.saversagreeable.com.  You can see
the clever deception toward the very end of the dig +trace listing
I posted:

http://pastebin.com/raw/VNwmgMHh

It seems those clever rascal spammers tried to implicate Google's
name servers, but it is only theirs which are giving out the
reverse DNS which supports their snowshoe spamming efforts in the
204.8.136.0/21 block.

Sorry for my mistake everyone.  I wasn't expecting quite this level
or kind of reverse DNS delegation trickery.


Regards,
rfg
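The trick described in this message, and spelled out in Brett Frankenberger's reply quoted further up (the registry delegates the reverse zone to ns[12].saversagreeable.com, whose own zone then lists ns[12].google.com as the NS set), is visible in a dig +trace only if you compare the NS set in the referral with the NS set the delegated server serves. An added example, not code from the post or its author: a parser for dig +trace output that splits it into hops at the ";; Received ... from" lines and reports any zone whose NS set changes between the referring hop and the next one, together with which server actually answered. The trace text below is constructed to match what the thread describes; 136.8.204.in-addr.arpa is the reverse zone of the first /24 of 204.8.136.0/21, all IP addresses are placeholders, and the server names other than the saversagreeable and google ones are illustrative.

```python
import re
from dataclasses import dataclass, field

# Constructed dig +trace output modelled on the thread; not a real capture.
SAMPLE_TRACE = """\
; <<>> DiG 9.10.3 <<>> +trace -x 204.8.136.10
;; global options: +cmd
.                       518400  IN  NS  a.root-servers.net.
.                       518400  IN  NS  b.root-servers.net.
;; Received 239 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms

in-addr.arpa.           172800  IN  NS  a.in-addr-servers.arpa.
in-addr.arpa.           172800  IN  NS  b.in-addr-servers.arpa.
;; Received 421 bytes from 192.0.2.1#53(a.root-servers.net) in 40 ms

204.in-addr.arpa.       86400   IN  NS  rir-ns1.example.
204.in-addr.arpa.       86400   IN  NS  rir-ns2.example.
;; Received 310 bytes from 192.0.2.2#53(a.in-addr-servers.arpa) in 55 ms

136.8.204.in-addr.arpa. 86400   IN  NS  ns1.saversagreeable.com.
136.8.204.in-addr.arpa. 86400   IN  NS  ns2.saversagreeable.com.
;; Received 120 bytes from 198.51.100.7#53(rir-ns1.example) in 60 ms

10.136.8.204.in-addr.arpa. 3600 IN  PTR host-10.example.
136.8.204.in-addr.arpa. 3600    IN  NS  ns1.google.com.
136.8.204.in-addr.arpa. 3600    IN  NS  ns2.google.com.
;; Received 150 bytes from 203.0.113.5#53(ns1.saversagreeable.com) in 70 ms
"""

RECEIVED_RE = re.compile(r"^;; Received \d+ bytes from (\S+)#\d+\(([^)]*)\)")


def fqdn(name):
    """Lower-case, with exactly one trailing dot, so names compare cleanly."""
    return name.lower().rstrip(".") + "."


@dataclass
class Hop:
    records: list = field(default_factory=list)   # (owner, rtype, rdata)
    server: str = ""                               # server that answered this step
    server_ip: str = ""


def parse_trace(text):
    """Split dig +trace output into hops; each ';; Received' line closes one."""
    hops, cur = [], Hop()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RECEIVED_RE.match(line)
        if m:
            cur.server_ip, cur.server = m.group(1), m.group(2)
            hops.append(cur)
            cur = Hop()
            continue
        if line.startswith(";"):          # other dig commentary
            continue
        parts = line.split()              # owner TTL IN TYPE rdata...
        if len(parts) >= 5 and parts[2] == "IN":
            owner, rtype, rdata = fqdn(parts[0]), parts[3].upper(), " ".join(parts[4:])
            if rtype in ("NS", "CNAME", "PTR"):
                rdata = fqdn(rdata)
            cur.records.append((owner, rtype, rdata))
    if cur.records:
        hops.append(cur)
    return hops


def ns_sets(hop):
    """Map zone name -> set of NS targets seen in this hop."""
    out = {}
    for owner, rtype, rdata in hop.records:
        if rtype == "NS":
            out.setdefault(owner, set()).add(rdata)
    return out


def find_delegation_mismatches(hops):
    """Zones whose NS set differs between the referring hop and the next hop.

    The parent's set is the delegation the registry published; the child's is
    whatever the delegated server chose to serve.  When they differ, the server
    that answered is the one really in control, not the names the zone claims."""
    findings = []
    for parent, child in zip(hops, hops[1:]):
        pns, cns = ns_sets(parent), ns_sets(child)
        for zone in sorted(pns.keys() & cns.keys()):
            if pns[zone] != cns[zone]:
                findings.append({
                    "zone": zone,
                    "delegated_to": sorted(pns[zone]),
                    "claims": sorted(cns[zone]),
                    "answered_by": child.server,
                    "answered_by_is_delegated": fqdn(child.server) in pns[zone],
                })
    return findings


if __name__ == "__main__":
    for f in find_delegation_mismatches(parse_trace(SAMPLE_TRACE)):
        print(f"{f['zone']}: registry delegates to {f['delegated_to']}, "
              f"zone claims {f['claims']}, answer came from {f['answered_by']}")
```

Feeding it a real `dig +trace -x <address>` capture works the same way; the check that matters is "answered_by_is_delegated", which is true here because the PTR answer came from the saversagreeable server the registry delegated to, whatever NS names that server chose to put in its zone.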


Seeking Google reverse DNS delegation contact

2016-11-10 Thread Ronald F. Guilmette

Does anyone here happen to know who at Google I should be talking
to if I want to ask a question about their reverse DNS services?

I'd just like to ask someone there why anyone at Google thought
that it would be a Good Idea for Google to provide reverse DNS
services for the 204.8.136.0/21 IP address block, a block that
appears to be chock-full to the brim of snowshoe spamming domains.

http://pastebin.com/raw/VNwmgMHh
http://pastebin.com/raw/Hk3SKGvp


P.S. I gave up on the "evil" part some time ago.  Now, I'm willing to
settle for them just not being spammish.


AS30186 - Squatted or not? You be the judge.

2016-11-10 Thread Ronald F. Guilmette

I kinda messed up the last time I posted something here about possible
IP address block squatting, so I'm not going to make any definitive
assertions regarding conclusions this time.  I'm just going to lay out
the facts and let all of you good folks decide for yourselves.

AS30186 is registered to Ross Technology Inc. of Austin, Texas.  Also
registered to this same entity are the following IPv4 address blocks:

143.187.0.0/16
204.8.136.0/21

Wikipedia kindly provides us with information about this (former) company:

   https://en.wikipedia.org/wiki/Ross_Technology

  "Ross Technology, Inc. was a semiconductor design and manufacturing
  company, specializing in SPARC microprocessors. It was founded in
  Austin, Texas in August 1988 by Dr. Roger D. Ross,...

  ... Ross Technology closed down in 1998 and all its assets and patents
  became the property of Fujitsu Ltd."

So, it would appear that we have a zombie company, with its very own ASN
and valuable /16 and /21 IPv4 address blocks to boot.  According to the
above history, these are all the rightful property of Fujitsu Ltd.

Fujitsu Ltd. is not a small or insignificant company, and to the best of
my knowledge it is not currently in any sort of financial straits or
difficulties.  It would thus seem somewhat implausible that Fujitsu,
a big "household name" Japanese company would elect to either sell off
or sub-lease out their ASN or either of their valuable Ross-related IPv4
address blocks to scumbag snowshoe spammers.  Despite this fact however,
abundant evidence I've collected recently indicates rather convincingly
that both AS30186 and also, at least, the 204.8.136.0/21 address block
are, at the present time, inhabited completely and only by a large scale
snowshoe spamming operation.  Current forward resolutions of numerous
interrelated snowshoe spamming domains provide clear evidence of this:

http://pastebin.com/raw/hEY1nxct

AS30186 is announcing the following routes at the present moment:

143.187.0.0/24
143.187.1.0/24
143.187.2.0/24
143.187.3.0/24
143.187.4.0/22
143.187.8.0/21
143.187.16.0/20
143.187.32.0/19
143.187.64.0/18
143.187.128.0/24
143.187.129.0/24
143.187.130.0/24
143.187.131.0/24
143.187.132.0/22
143.187.136.0/21
143.187.144.0/20
143.187.160.0/19
143.187.192.0/20
143.187.208.0/20
143.187.224.0/20
143.187.240.0/21
143.187.248.0/21
204.8.136.0/21

I have today personally made a number of diligent efforts to contact any
warm body at Fujitsu who both (a) speaks English and who also (b) knows
what an ASN is so that I could discuss this matter with some appropriate
network administrator, but I was thwarted at every turn by Fujitsu's
bureaucracy, despite having spoken by phone to individuals who I was told
could help with this sort of thing, first in San Jose, then in Sunnyvale,
and finally in the Philippines.

In the event that, as the evidence suggests, some party not associated
with Fujitsu is currently making use of Fujitsu's /16 and /21 blocks,
one would think that -someone- at the company might be eager to take back
possession of these valuable assets, but apparently no one is.

Data obtained by me from bgp.he.net suggests that AS30186 is currently
connected to the Internet only by the following other ASNs:

AS19257 - SUBRIGO CORPORATION
AS3491  - PCCW Global

I have already attempted to make contact via email with both of these
companies regarding AS30186, but am still awaiting any reply from either.
So far it is not looking good.

In the meantime, I do encourage everyone to look over the content of the
pastebin report whose URL is given above, and I encourage everyone to make
up his or her own mind regarding the advisability of accepting traffic
at the present time from any IPv4 space routed by AS30186.


Regards,
rfg


P.S.  The domains associated with the former Ross Technology, Inc. ASN
and IPv4 address blocks appear to be part of a larger pattern upon which
I will elaborate further in the near future.


Re: Here we go again.

2016-11-09 Thread Ronald F. Guilmette

In message <1624203180.33527.1478724998723.javamail.zim...@baylink.com>, 
"Jay R. Ashworth"  wrote:

>The list is not the proper forum for a debate on this topic, and I'm not
>trying to start one.
>
>But ask yourself *now* what happens if you get these kinds of orders, so
>that you can give a reasoned answer.
>
>  https://plus.google.com/+LaurenWeinstein/posts/TYxXkeQ2jPW

There are plenty of reasons for thinking people to be terrified today.
I don't know why you've chosen to focus on such a small one.  Here's a
bigger one:

http://bit.ly/2fTdmiG


P.S.  I agree completely that this is not the proper forum for either
discussion or debate on these matters.  But given that adherence to
the ordinary rules of politeness and proper decorum quite clearly did
nothing, in the end, to prevent last night's outcome, I for one am
willing to forgo them, within limits, e.g. when some of the elephants
in the room become just too big to ignore.


Re: Spitballing IoT Security

2016-11-07 Thread Ronald F. Guilmette

In message <20161108035148.2904b5970...@rock.dv.isc.org>, 
Mark Andrews  wrote:

>* Deploying regulation in one country means that it is less likely
>  to be a source of bad traffic.  Manufactures are lazy.  With
>  sensible regulation in single country everyone else benefits as
>  manufactures will use a single code base when they can.

I said that too, although not as concisely.

>* Automated updates do reduce the numbers of vulnerable machines
>  to known issues.  There are risks but they are nowhere as bad as
>  not doing automated updating.

I still maintain, based upon the abundant evidence, that generalized
hopes that timely and effective updates for all manner of devices will
be available throughout the practical lifetime of any such IoT thingies
is a mirage.  We will just never be there, in practice.  And thus,
manufacturers should be encouraged, by force of law if necessary, to
design software with a belt-and-suspenders margin of safety built in
from the first day of shipping.

You don't send out a spacecraft, or a medical radiation machine, without
such additional constraints built in from day one.  You don't send out
such things and say "Oh, we can always send out a firmware update later
on if there is an issue."

From a software perspective, building extra layers of constraints is not
that hard to do, and people have been doing this kind of thing already
for decades.  It's called engineering.  The problem isn't in anybody's
ability or inability to do safety engineering in the firmware of IoT
things.  The only problem is providing the proper motivation to cause
it to happen.


Regards,
rfg


Re: Spitballing IoT Security

2016-10-29 Thread Ronald F. Guilmette

In message <20161030044342.ga18...@thyrsus.com>, 
"Eric S. Raymond" <e...@thyrsus.com> wrote:

>Ronald F. Guilmette <r...@tristatelogic.com>:
>> Two kids with a modest amount of knowledge
>> and a lot of time on their hands can do it from their mom's basement.
>
>I in turn have to call BS on this.  If it were really that easy, we'd
>be inundated by Mirais -- we'd have several attacks a *day*.


You need to get out more.

http://www.nab.org/cybersecurity/Verisign-report-ddos-trends-Q22016.pdf

It *is* happening every day.  You just don't hear about it on CNN because
a "little" 80Mbps DDoS isn't even worthy of a headline anymore, even
though such an attack could CRUSH a local bank, and even many regional
banks into utter oblivion.

Now, where did I put those bitcoins...  It's ransom time!


Regards,
rfg


P.S.  Of course, things were oh so much better, ya know, back in those
idyllic halcyon days a decade and a half ago...

Denial of e-commerce
Feb 10th 2000 
http://www.economist.com/node/281531

  "... The Computer Emergency Response Team of Carnegie Mellon University
  hears of roughly four DOS attacks a day..."

Whew!  I guess we need to count our blessings that insightful visionary
industry leaders came forward, back in the early 00s, and spearheaded
the global changes necessary to insure that DDoS attacks would become a
thing of the past, and a distant memory.

Oh!  Wait!  Nevermind.  Sorry.  I guess that I was dozing off and dreaming
again.

At the current rate of progress I think that I can confidently predict
that the Internet industry ought to have this whole problem completely
licked by the early 23rd century, you know, at the very latest.


Death of WHOIS, Film at 11

2016-10-29 Thread Ronald F. Guilmette

In message <58150673.5090...@foobar.org>, 
Nick Hilliard  wrote:

>David Conrad already pointed out that this problem has been solved using
>RDAP which supports referrals.  Try installing the nicinfo command from:
>
>https://github.com/arineng/nicinfo
>
>At a guess, I'd say referrals haven't been implemented in whois because
>the whois "protocol" is unfixably broken and unsuitable for distributed
>information sharing.

So basically, you're saying that the fact that port 43 is still open and
still providing answers... known inaccurate answers... at all of the
following places is just one big tease?

whois.iana.org
whois.arin.net
whois.ripe.net
whois.apnic.net
whois.lacnic.net
whois.afrinic.net

So the overall game plan is to continue to have these things all give
out inaccurate and/or misleading answers until such time as all of
the trusting old school hacks like me either die out or get the memo
telling us to just stop using this stuff?

If so, thanks for telling me.  Nobody else has so far had the courtesy
to do so.


Regards,
rfg


P.S.  Traditional WHOIS supports referrals.  For an example, try this:

 whois -h whois.iana.org 1197

(Providing referrals in traditional WHOIS isn't exactly rocket surgery.
The fact that certain RIRs may be too... umm... preoccupied to take
the time to properly populate their data bases with such referrals
notwithstanding.)
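The P.S. above points at the referral mechanism traditional WHOIS has always had: the IANA server answers an ASN query with a "refer:" line naming the RIR server to ask next. An added example, not code from the post or its author, showing the mechanism in working form: a minimal RFC 3912 client (TCP port 43, query plus CRLF, read to EOF) and a referral-follower that chases IANA-style "refer:" lines and ARIN-style "ReferralServer: whois://host[:port]" lines, with loop protection and a hop limit. The two server responses embedded below are constructed, loosely modelled on the IANA and ARIN formats, and are served by a stand-in fetch function so the chain can be exercised offline; the ASN and organisation details in them are placeholders, not a claim about what the real servers return for 1197.

```python
import re
import socket

# IANA emits "refer: <host>"; ARIN emits "ReferralServer: whois://<host>[:port]".
# rwhois:// referrals are deliberately not matched: rwhois is a different
# protocol and a plain port-43 query to such a server is not meaningful.
REFER_RE = re.compile(
    r"^(?:refer|ReferralServer):\s*(?:whois://)?([A-Za-z0-9.-]+)(?::(\d+))?\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def whois_query(server, query, port=43, timeout=10):
    """One RFC 3912 exchange: connect, send the query plus CRLF, read to EOF."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_referral(response):
    """Return (host, port) from the first referral line, or None if there is none."""
    m = REFER_RE.search(response)
    if not m:
        return None
    return m.group(1).lower(), int(m.group(2) or 43)


def whois_follow(query, start="whois.iana.org", fetch=whois_query, max_hops=4):
    """Query `start`, then follow referrals.  Returns [(server, response), ...].

    `seen` stops a server that refers back to itself (or to an earlier hop)
    from looping; max_hops bounds the walk even if referrals keep changing."""
    chain, seen = [], set()
    server, port = start, 43
    while len(chain) < max_hops and (server, port) not in seen:
        seen.add((server, port))
        response = fetch(server, query, port)
        chain.append((server, response))
        referral = parse_referral(response)
        if referral is None:
            break
        server, port = referral
    return chain


# Constructed responses (placeholders, not real registry data) for offline use.
IANA_SAMPLE = """\
% IANA WHOIS server
% This query returned 1 object

refer:        whois.arin.net

as-block:     1197
organisation: Assigned by ARIN
status:       ALLOCATED

whois:        whois.arin.net
source:       IANA
"""

ARIN_SAMPLE = """\
#
# ARIN WHOIS data and services are subject to the Terms of Use
#

ASNumber:       1197
ASName:         EXAMPLE-AS
ASHandle:       AS1197
OrgName:        Example Organization
RegDate:        1990-01-01
"""

FAKE_SERVERS = {"whois.iana.org": IANA_SAMPLE, "whois.arin.net": ARIN_SAMPLE}


def fake_fetch(server, query, port=43):
    """Stand-in for whois_query so the referral chain can be walked offline."""
    return FAKE_SERVERS[server]


if __name__ == "__main__":
    for server, response in whois_follow("1197", fetch=fake_fetch):
        print(f"--- {server}\n{response}")
```

Dropping the `fetch=fake_fetch` argument makes the same call go out to the real servers, which is the programmatic equivalent of the `whois -h whois.iana.org 1197` command in the P.S. followed by a second query to the server it names.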


Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-29 Thread Ronald F. Guilmette

In message <5815013f.2080...@foobar.org>, 
Nick Hilliard  wrote:

>> But my overall point remains.  If there were ever to be an election where
>> we were all asked who we wanted to see become the once and future Routing
>> Police, the RIRs would not be my own personal first choice.
>
>Great, we're agreed then.  So why do you keep on bringing them up in
>this context and criticising them whenever someone squats some block of
>address space?

References please?

*I* didn't introduce the topic of RIRs into this thread.  It would appear
that Ken Chase did that:

   http://mailman.nanog.org/pipermail/nanog/2016-October/088943.html

Later on, I bemoaned what I still feel is a rather lousy WHOIS referrals
system, among and between the various RIR WHOIS data bases... with
respect to *allocations* (not route registrations)... and it was
entirely appropriate for me to mention that, in this thread, as the
problem most definitely did impact not only _my_ ability to figure
out who the bleep, if anyone, 103.11.67.0/24 is actually registered
to, but actually, anyone's ability to do so, including, apparently,
bgp.he.net.

But this criticism has/had nothing whatever to do, specifically, with
either routing or the (hypothetical) Routing Police.  If the totality
of the RIR WHOIS data bases are needlessly difficult to extract accurate
information out of, then this negatively affects *all* uses (and all
users) of these data bases, whether one is investigating possible
routing squats, or whether one is just trying to figure out who
currently owns the block that all of your corporate intellectual
property has just been surreptitiously exfiltrated to.


Regards,
rfg


Re: Spitballing IoT Security

2016-10-29 Thread Ronald F. Guilmette

In message <20161029180730.ga10...@thyrsus.com>, 
"Eric S. Raymond"  wrote:

>You don't build or hire a botnet on Mirai's scale with pocket change.

Proof please?

Sorry, but I am compelled to call B.S. on the above statement.  This
is a really important point that I, Krebs, and others have been trying
to drive home:  In an era when you've got a half million CCTV cams
just lying around without even passwords on them, and in an era when
nobody makes any fuss anymore about the dozens or hundreds or people
and/or organizations (e.g. Shodan) that are out there scanning your
box and my box and everybody's boxes, every damn day, you don't need
to be either an ominous "state actor" or even SPECTER to assemble a
truly massive packet weapon.  Two kids with a modest amount of knowledge
and a lot of time on their hands can do it from their mom's basement.

It is comforting, for some, to think that this is not the case, just
as it is, to this day, comforting, for some, to believe, based on scant
evidence, that it -wasn't- just some lone nut case who killed President
Kennedy.  Psychologically, people have trouble coming to terms with
great impactful tragedies unless they can be blamed on large, unseen,
but enormously capable dark forces.  And the actual available hard
evidence relating to such events does not diminish the human yearning
for a convenient comic book supervillain to pin it all on.

>And the M.O. doesn't fit a criminal organization - no ransom demand,
>no attempt to steal data.

Allow me to refer you to an alternative possible motivation:

   https://en.wiktionary.org/wiki/lulz

>That means the motive was prep for terrorism or cyberwar by a
>state-level actor.

Frankly, I am dismayed to see a well-known Internet persona with a respected
name spreading this kind of absurd, alarmist, over-the-top, rhetorical fear-
mongering inference, which is without clear basis in either fact or evidence.

Even the hardest of the hard-core dyed-in-the-wool Clinton surrogates are
too circumspect in their pronouncements (i.e. with respect to Russia's
"obvious" connection to the DNC hack) to ever reach anything like this
level of unfounded hyperbole.  (And for the record, I am no Trump supporter
either.  I find myself equally disgusted when either side employs the
currently fashionable verbal sleight-of-hand that politicians of all stripes
have, of late, adopted whenever they want to say something without
themselves having to take responsibility for its truth or accuracy.  I get
angry when I hear Clinton surrogates using the "Some people are saying..."
dodge, e.g. when it comes to alleged nefarious Russian involvement with
anything and everything evil, just as I do when Trump uses the exact same
dodge in reference to... well... everything.)

>Bruce Schneier is right and is only saying what
>everybody else on the InfoSec side I've spoken with is thinking - the
>People's Liberation Army is the top suspect, with the Russian FSB
>operating through proxies in Bulgaria or Romania as a fairly distant
>second.

Yes, but I believe that Schneier was a bit more careful to separate the
known facts from his personal speculations.

In any case, all of this searching for who is to blame isn't contributing
a damn thing towards actually fixing the problem.  And if we really need
to find someone to blame, I think we should all just look in the mirror.

We, society, but especially those of us with more-than-average techno savvy,
have for years been only too eager to lap up whatever whiz-bang new techno
gadgets industry could crank out, with barely an afterthought given to
the longer term implications, like security and also how the hell we are
ever going to be able to recycle any of this s***.  We've all been doing
the exact same thing, since at least Windows 3.1 or earlier, and yet we
continue to expect a different outcome.  We eagerly grab for new capabilities
and new gadgets, thinking about security last or, more often, not at all.
In short, to quote Pogo, "We have met the enemy and he is us."


Regards,
rfg


P.S.  Even if the evidence were to support the view that only a superpower-
level nation-state could have pulled off the Dyn attack... and I'm not at
all persuaded that it does... it kills me that everyone seems to jump,
within a millisecond, immediately from -that- unwarranted conclusion to
the separate unwarranted conclusion that it must have been either Russia
or China.  Apparently, nobody even stops to consider the *other* elephant
in the room, the one that stretches from sea to shining sea, and which
itself has been heard to publicly brag about its own cyber-offensive
capabilities of late.

In short, maybe our own guys did this.

OK, so maybe this theory -is- worthy of le Carre, but that don't mean it
ain't possible.  I mean we aren't stupid.  We don't build warehouses full
of nuclear weapons without at least testing the design once or twice first,
you know, to make sure they aren't all gonna end up being duds 

Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-29 Thread Ronald F. Guilmette

In message <58146e84.3030...@foobar.org>, 
Nick Hilliard  wrote:

>> P.S.  I may be wrong about this, but it has come to my attention that
>> many, most, or all of the WHOIS records reflecting allocations made by
>> the AFRINIC RIR are utterly devoid of either (a) information specifying
>> the dates on which the relevant allocations were made or (b) email
>> contact addresses for the relevant number resource registrants.
>
>Works fine for me.  Did you use the "-B" flag when querying the Afrinic
>irrdb?

I wasn't talking about irrdb.  I was just talking about the WHOIS records
for IPv4 allocations within the AFRINIC region.

Anyway, yes, I do believe that I used the -B flag.  But nonetheless, I
really did see some AFRINIC WHOIS records that had -no- email contacts,
nor any date information.

I will have to try to see if I can dredge those out again.

But my overall point remains.  If there were ever to be an election where
we were all asked who we wanted to see become the once and future Routing
Police, the RIRs would not be my own personal first choice.


Regards,
rfg


Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-29 Thread Ronald F. Guilmette

In message <5814696f.3060...@foobar.org>, 
Nick Hilliard <n...@foobar.org> wrote:

>Ronald F. Guilmette wrote:
>>  I always start with whatever whois.iana.org has to
>> say.  And it says that that 103.0.0.0/8 belongs to APNIC, so of course,
>> I only looked at what whois.apnic.net had to say about 103.11.67.105.
>
>yeah, this prefix was transferred from APNIC to ARIN.  You can search
>for the details here:
>
>https://www.apnic.net/manage-ip/manage-resources/transfer-resources/transfer-logs

Oh, gz!  ...

Showing 1 to 10 of 1,823 entries

>> This isn't the first time I've wished that the right hand knew (or cared)
>> what the left hand was doing.  I've asked the folks at IANA about this
>> sort of thing in the past, i.e. them giving pointers to the apparently
>> wrong RiR whois server, and they just won't fix it.
>
>It's not an IANA problem to fix.  IANA handles the initial allocation...

You are correct.  In this case, it would have been helpful if APNIC's WHOIS
server returned something, when queried about 103.11.67.105, that would
include an explicit referral to the ARIN WHOIS server.  I mean they
obviously know all the transfers they've made.

But I guess that somebody somewhere decided that that's just too much
trouble.


Regards,
rfg

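The two points raised in this message and the previous one, an APNIC reply for a transferred prefix that should carry an explicit referral to ARIN, and AFRINIC replies that show no e-mail contact or date unless the client asks for unfiltered output, can be checked mechanically. The following is an added example, not code from the thread or from any registry; it follows WHOIS referrals (IANA's "refer:" line, ARIN/APNIC's "ReferralServer:" line) and then audits the final reply for contact and date attributes. The registry records are constructed samples keyed in an in-memory table that stands in for real TCP/43 queries, so the script runs offline; the server names are real, the records are not.

```python
"""Follow WHOIS referrals and audit the authoritative reply for contact data.

Added example, not code from the original thread. A constructed in-memory
table replaces real RFC 3912 queries so that it runs offline.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed responses keyed by server, then by query. None are real records.
FAKE_WHOIS: Dict[str, Dict[str, str]] = {
    "whois.iana.org": {
        # IANA still points at the RIR that received the /8; that RIR must then
        # refer onward if the prefix was transferred (constructed sample).
        "103.11.67.105": "refer:        whois.apnic.net\n",
        "198.51.100.7": "refer:        whois.afrinic.net\n",
    },
    "whois.apnic.net": {
        "103.11.67.105": (
            "% [whois.apnic.net]\n\n"
            "inetnum:        103.11.64.0 - 103.11.67.255\n"
            "netname:        CONSTRUCTED-TRANSFERRED\n"
            "descr:          constructed sample of a block moved to ARIN\n"
            "ReferralServer: whois://whois.arin.net\n"
            "source:         APNIC\n"
        ),
    },
    "whois.arin.net": {
        "103.11.67.105": (
            "# constructed ARIN-style record\n"
            "NetRange:       103.11.64.0 - 103.11.67.255\n"
            "NetName:        CONSTRUCTED-NET\n"
            "RegDate:        2016-01-01\n"
            "OrgAbuseEmail:  abuse@example.net\n"
        ),
    },
    "whois.afrinic.net": {
        # Filtered RIPE-style output: e-mail and change history are withheld
        # unless the client sends -B, so the audit sees neither (constructed).
        "198.51.100.7": (
            "% Note: this output has been filtered.\n"
            "%       To receive output for a database update, use the \"-B\" flag.\n\n"
            "inetnum:        198.51.100.0 - 198.51.100.255\n"
            "netname:        CONSTRUCTED-AF\n"
            "admin-c:        XX1-CONSTRUCTED\n"
            "source:         AFRINIC\n\n"
            "person:         Constructed Contact\n"
            "nic-hdl:        XX1-CONSTRUCTED\n"
            "source:         AFRINIC\n"
        ),
    },
}

# IANA answers with "refer:", ARIN and APNIC with "ReferralServer: whois://host".
REFERRAL_PATTERNS = (
    re.compile(r"^refer:\s*(\S+)", re.IGNORECASE | re.MULTILINE),
    re.compile(r"^ReferralServer:\s*(?:\w+://)?([^\s:/]+)", re.IGNORECASE | re.MULTILINE),
)
EMAIL_KEYS = {"e-mail", "abuse-mailbox", "orgabuseemail", "orgtechemail", "orgnocemail"}
DATE_KEYS = {"created", "last-modified", "changed", "regdate", "updated"}


def next_server(response: str) -> Optional[str]:
    """Return the referral target named in a reply, or None if there is none."""
    for pattern in REFERRAL_PATTERNS:
        match = pattern.search(response)
        if match:
            return match.group(1).lower()
    return None


def lookup(server: str, query: str, transport=FAKE_WHOIS) -> str:
    """Stand-in for an RFC 3912 query (connect to port 43, send query + CRLF)."""
    return transport.get(server, {}).get(query, "")


def resolve(query: str, start: str = "whois.iana.org",
            transport=FAKE_WHOIS, max_hops: int = 5) -> Tuple[List[str], str]:
    """Follow referrals from `start`; return the servers visited and the final reply.

    The hop limit and the visited check stop referral loops between servers.
    """
    chain, server, response = [start], start, ""
    for _ in range(max_hops):
        response = lookup(server, query, transport)
        target = next_server(response)
        if target is None or target in chain:
            break
        chain.append(target)
        server = target
    return chain, response


def audit(response: str) -> Dict[str, bool]:
    """Report whether a reply carries any e-mail contact and any date attribute."""
    keys = set()
    for line in response.splitlines():
        if not line.strip() or line.startswith(("%", "#")):
            continue  # comment lines in RPSL (%) and ARIN (#) output
        if ":" in line:
            keys.add(line.split(":", 1)[0].strip().lower())
    return {"has_email": bool(keys & EMAIL_KEYS), "has_date": bool(keys & DATE_KEYS)}


if __name__ == "__main__":
    for ip in ("103.11.67.105", "198.51.100.7"):
        chain, reply = resolve(ip)
        print(ip, "->", " -> ".join(chain), audit(reply))
```

A reply that audits as having neither an e-mail nor a date is not by itself evidence of an empty registry record: RIPE-style servers (AFRINIC included) strip those attributes from the default output, so the query should be repeated with -B before drawing any conclusion about the database itself.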

Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-28 Thread Ronald F. Guilmette

In message <5813e03e.6060...@foobar.org>, 
Mark Andrews  wrote:

>Mark Andrews wrote:
>> It's not the RIR's job.  They already provide the framework for
>> ISP's to do the job of policing route announcements themselves.
>> ISP's just need to use that framework.
>
>Ron thinks otherwise.

No, I don't.  You have made an incorrect inference from the text of my
actual comment.

In my actual comment I merely noted that RIRs are in fact -not- the
Internet Police, and that none of them have ever displayed even the
slightest desire to become that (and indeed, when asked, they have,
without exception, exhibited a clear desire -not- to be assigned any
such role).

These observations on my part are all merely recitations of well-
established historical facts, all of which are easily verifiable by
anyone with a browser.  I made no comment at all about who, if anyone,
should be tasked to take on the role of The Routing Police.

And indeed, if asked, I would express some degree of skepticism about
the ability of RIRs to even reliably execute their existing data base
maintenance responsibilities to a level which I personally would find
entirely satisfactory.  (The apparent goofiness relating to 103.11.64.0/22
is just one very small example of this, there being also many other and
more serious issues that I could also cite, if pressed, relating strictly
to allocation functions and/or to WHOIS data base issues.)

Given that I do not have an entirely unequivocal admiration for the
quality and consistency of the work that RIRs are already clearly
responsible for, do you really believe that it would be my first
choice to assign an entirely separate but equally critical set of
-new- authorities and responsibilities to the RiRs?  If so, please
allow me to disabuse you of that notion.  (I am also and likewise not
likely to support any effort by any part of the United States federal
government to assign new authorities and responsibilities to the Office
of Personnel Management.)


Regards,
rfg


P.S.  I may be wrong about this, but it has come to my attention that
many, most, or all of the WHOIS records reflecting allocations made by
the AFRINIC RIR are utterly devoid of either (a) information specifying
the dates on which the relevant allocations were made or (b) email
contact addresses for the relevant number resource registrants.

I am, of course, utterly appalled by the apparent inability of this RIR
to maintain a WHOIS data base which even approximates the modest and
minimal level of relevant information commonly available from the WHOIS
data bases of other and older RIRs.


Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-28 Thread Ronald F. Guilmette

In message <5813dacd.3000...@foobar.org>, 
Nick Hilliard <n...@foobar.org> wrote:

>Ronald F. Guilmette wrote:
>> Will never happen.  The RiRs have been crystal clear, and also utterly
>> consistent... "Not our job man!  We am not the Internetz Police."
>
>Ron,
>
>Maybe you could suggest some ideas about how the RIRs can stop someone
>from illegally squatting space?

Oh, don't get me wrong.  I never said that I either could or would
suggest how to convert RiRs into The Internet Police.  Nor did I suggest
that such a conversion would even be either prudent or advisable.
(I am not persuaded that it would be.)

We have a longstanding 20 or 30 year tradition/precedent and a division
of labor that -does not- allocate to RiRs any responsibility for, or
authority over anything to do with what routes people announce, and I
am certainly not even nearly so presumptive as to believe that I either
can or should try to roll back 30 years of history and ask everyone to
start all over again and build governance structures anew, from scratch.
(Doing so would be both silly and the very height of arrogance on my part.)

I nonetheless feel free to note, and to bemoan, the current utter lack
of -any- authority which routinely notices apparent routing funny business
and/or which works, on a routine basis, to try to put a stop to it all.

I do not suggest that RiRs should be "minding the store" with respect to
route announcements.  I do think it would be helpful if -somebody- were
doing so.  My own occasional and strictly ad hoc efforts have only succeeded
in convincing me of how extensive the problem is, and how dire a need there
is for a more rigorous solution.


Regards,
rfg

