Re: AS29073, 196.16.0.0/14, Level3: Why does anyone peer with these schmucks?

2017-08-28 Thread Johann
Hello,

AS29073 seems to be visible (to anyone?) on the AMS-IX route server.
I think that can explain why many ASNs peer with this network.
So, thanks for this thread. I have filtered this ASN on the AMS-IX RS (99 => 98).

Johann

2017-08-17 5:51 GMT+02:00 Troy Mursch <t...@wolvtech.com>:

> This discussion is not pertaining to a customer of a network service
> provider.  Ecatel / Quasi Networks (AS29073) has an established track
> record of ignoring abuse requests for years.  So much so they are now in
> legal trouble, per court documents published on August 14:
> https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBDHA:2017:9026
>
>
> (Use Google Translate if you can’t read Dutch)
>
>
> Setting aside the child porn, phishing sites, route hijacking, copyright
> infringement, and large-scale outbound hacking activities - why would
> anyone peer with another AS who deliberately ignores abuse requests?
>
>
> Yesterday I spoke with BREIN, the organization leading the case against
> AS29073, they advised, "Our effort is aimed at outing the actual people
> behind it so they can be held responsible."
>
> If anyone has information regarding AS29073 and would like to share it with
> BREIN you can submit it via this web form:
> https://stichtingbrein.nl/contact.php
>
> __
>
> *Troy Mursch*
>
> Bad Packets Report <https://badpackets.net/>
>
> (702) 509-1248
>
> On Mon, Aug 14, 2017 at 1:17 PM, Siegel, David <dave.sie...@level3.com>
> wrote:
>
> > If you believe that a customer of a network service provider is in
> > violation of that service provider's AUP, you should email
> > ab...@serviceprovider.net.  Most large networks have a security team that
> > monitors that email address regularly and will cooperate with you to
> > address the problem.
> >
> > Dave
> >
> >
> >
> >
> > -----Original Message-
> > From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Ronald F.
> > Guilmette
> > Sent: Monday, August 14, 2017 1:50 PM
> > To: nanog@nanog.org
> > Subject: AS29073, 196.16.0.0/14, Level3: Why does anyone peer with these
> > schmucks?
> >
> >
> > Sorry for the re-post, but it has been brought to my attention that my
> > inclusion, in my prior posting, of various unsavory FQDNs resolving to
> > various IPv4 addresses on AS29073 has triggered some people's spam
> > filters.  (Can't imagine why. :-)  So I am re-posting this message now,
> > with just a link to where those shady FQDNs and their current forward
> > resolutions may be found.  (I also took the opportunity to clean up some
> > minor typos.)
> >
> > %%%
> >
> > I think that this is primarily Level3's problem to fix.  But you be the
> > judge.  Please, read on.
> >
> > +_+_+_+_+_+_+_+_
> >
> > Over the weekend, I stumbled upon an interesting blog called "Bad Packets",
> > where a fellow named Troy has written about various unsavory goings on
> > involving various networks.  One network that he called out in particular
> > was AS29073, formerly called "Ecatel".  On his blog, this fellow Troy has
> > noted at length some break-in attempts originating from AS29073 and his
> > inability to get anyone, in particular RIPE NCC, to give a damn.
> >
> > https://badpackets.net/the-master-needler-80-82-65-66/
> > https://badpackets.net/a-conversation-with-ripe-ncc-regarding-quasi-networks-ltd/
> > https://badpackets.net/quasi-networks-responds-as-we-witness-the-death-of-the-master-needler-80-82-65-66-for-now/
> >
> > The fact that RIPE NCC declined to accept the role of The Internet Police
> > didn't surprise me at all... they never have and probably never will.
> > But I decided to have a quick look at what this network was routing, at
> > present, which can be easily seen here:
> >
> > http://bgp.he.net/AS29073#_prefixes
> >
> > So I was looking through the announced routes for AS29073, and it all
> > looked pretty normal... a /24 block, check, a /24 block, check, a /21 block
> > check... another /24 block, and then ... WAIT A SECOND!  HOLY MOTHER OF
> > GOD!  WHAT'S THIS???  196.16.0.0/14 !!!
> >
> > So how does a little two-bit network with a rather dubious reputation and
> > a grand total of only about a /19 to its name suddenly come to be routing
> > an entire /14 block??
> >
> > And of course, it's a legacy (abandoned) Afrinic block.
> >
> > And of course, there's no reverse DNS for any of it, because ther

Re: AS29073, 196.16.0.0/14, Level3: Why does anyone peer with these schmucks?

2017-08-24 Thread Troy Mursch
This discussion is not pertaining to a customer of a network service
provider.  Ecatel / Quasi Networks (AS29073) has an established track
record of ignoring abuse requests for years.  So much so they are now in
legal trouble, per court documents published on August 14:
https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBDHA:2017:9026


(Use Google Translate if you can’t read Dutch)


Setting aside the child porn, phishing sites, route hijacking, copyright
infringement, and large-scale outbound hacking activities - why would
anyone peer with another AS who deliberately ignores abuse requests?


Yesterday I spoke with BREIN, the organization leading the case against
AS29073, they advised, "Our effort is aimed at outing the actual people
behind it so they can be held responsible."

If anyone has information regarding AS29073 and would like to share it with
BREIN you can submit it via this web form:
https://stichtingbrein.nl/contact.php

__

*Troy Mursch*

Bad Packets Report <https://badpackets.net/>

(702) 509-1248

On Mon, Aug 14, 2017 at 1:17 PM, Siegel, David <dave.sie...@level3.com>
wrote:

> If you believe that a customer of a network service provider is in
> violation of that service provider's AUP, you should email
> ab...@serviceprovider.net.  Most large networks have a security team that
> monitors that email address regularly and will cooperate with you to
> address the problem.
>
> Dave
>
>
>
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Ronald F.
> Guilmette
> Sent: Monday, August 14, 2017 1:50 PM
> To: nanog@nanog.org
> Subject: AS29073, 196.16.0.0/14, Level3: Why does anyone peer with these
> schmucks?
>
>
> Sorry for the re-post, but it has been brought to my attention that my
> inclusion, in my prior posting, of various unsavory FQDNs resolving to
> various IPv4 addresses on AS29073 has triggered some people's spam
> filters.  (Can't imagine why. :-)  So I am re-posting this message now,
> with just a link to where those shady FQDNs and their current forward
> resolutions may be found.  (I also took the opportunity to clean up some
> minor typos.)
>
> %%%
>
> I think that this is primarily Level3's problem to fix.  But you be the
> judge.  Please, read on.
>
> +_+_+_+_+_+_+_+_
>
> Over the weekend, I stumbled upon an interesting blog called "Bad Packets",
> where a fellow named Troy has written about various unsavory goings on
> involving various networks.  One network that he called out in particular
> was AS29073, formerly called "Ecatel".  On his blog, this fellow Troy has
> noted at length some break-in attempts originating from AS29073 and his
> inability to get anyone, in particular RIPE NCC, to give a damn.
>
> https://badpackets.net/the-master-needler-80-82-65-66/
> https://badpackets.net/a-conversation-with-ripe-ncc-regarding-quasi-networks-ltd/
> https://badpackets.net/quasi-networks-responds-as-we-witness-the-death-of-the-master-needler-80-82-65-66-for-now/
>
> The fact that RIPE NCC declined to accept the role of The Internet Police
> didn't surprise me at all... they never have and probably never will.
> But I decided to have a quick look at what this network was routing, at
> present, which can be easily seen here:
>
> http://bgp.he.net/AS29073#_prefixes
>
> So I was looking through the announced routes for AS29073, and it all
> looked pretty normal... a /24 block, check, a /24 block, check, a /21 block
> check... another /24 block, and then ... WAIT A SECOND!  HOLY MOTHER OF
> GOD!  WHAT'S THIS???  196.16.0.0/14 !!!
>
> So how does a little two-bit network with a rather dubious reputation and
> a grand total of only about a /19 to its name suddenly come to be routing
> an entire /14 block??
>
> And of course, it's a legacy (abandoned) Afrinic block.
>
> And of course, there's no reverse DNS for any of it, because there is no
> valid delegation for the reverse DNS for any of it... usually a good sign
> that whoever is routing the block right now -does not- have legit rights to
> do so.  (If they did, then they would have presented their LOAs or whatever
> to Afrinic and thus gotten the reverse DNS properly delegated to their own
> name servers.)
>
> I've seen this movie before.  You all have.  This gives every indication
> of being just another sad chapter in the ongoing mass pillaging of unused
> Afrinic legacy IPv4 space, by various actors with evil intent.
> I've already documented this highly unfortunate fad right here on
> multiple occasions:
>
> https://mailman.nanog.org/pipermail/nanog/2016-November/089232.html
> https://mailman.nanog

Re: AS29073, 196.16.0.0/14, Level3: Why does anyone peer with these schmucks?

2017-08-14 Thread Suresh Ramasubramanian
1. They aren’t the internet police either or so quite a few of them think 

2. Hanlon’s razor

--srs

> On 15-Aug-2017, at 2:17 AM, Baldur Norddahl  wrote:
> 
> Why are domain registrars allowing some of those domains, which are clearly
> advertising highly illegal content that will get you in jail in most of the
> world?


Re: AS29073, 196.16.0.0/14, Level3: Why does anyone peer with these schmucks?

2017-08-14 Thread Baldur Norddahl
On 14 Aug 2017 at 21:51, "Ronald F. Guilmette" wrote:


Sorry for the re-post, but it has been brought to my attention that
my inclusion, in my prior posting, of various unsavory FQDNs resolving
to various IPv4 addresses on AS29073 has triggered some people's
spam filters.  (Can't imagine why. :-)  So I am re-posting this message
now, with just a link to where those shady FQDNs and their current
forward resolutions may be found.  (I also took the opportunity to
clean up some minor typos.)


Why are domain registrars allowing some of those domains, which are clearly
advertising highly illegal content that will get you in jail in most of the
world?


RE: AS29073, 196.16.0.0/14, Level3: Why does anyone peer with these schmucks?

2017-08-14 Thread Siegel, David
If you believe that a customer of a network service provider is in violation of 
that service provider's AUP, you should email ab...@serviceprovider.net.  Most 
large networks have a security team that monitors that email address regularly 
and will cooperate with you to address the problem.

Dave




-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Ronald F. Guilmette
Sent: Monday, August 14, 2017 1:50 PM
To: nanog@nanog.org
Subject: AS29073, 196.16.0.0/14, Level3: Why does anyone peer with these 
schmucks?


Sorry for the re-post, but it has been brought to my attention that my 
inclusion, in my prior posting, of various unsavory FQDNs resolving to various 
IPv4 addresses on AS29073 has triggered some people's spam filters.  (Can't 
imagine why. :-)  So I am re-posting this message now, with just a link to 
where those shady FQDNs and their current forward resolutions may be found.  (I 
also took the opportunity to clean up some minor typos.)

%%%

I think that this is primarily Level3's problem to fix.  But you be the judge.  
Please, read on.

+_+_+_+_+_+_+_+_

Over the weekend, I stumbled upon an interesting blog called "Bad Packets", 
where a fellow named Troy has written about various unsavory goings on 
involving various networks.  One network that he called out in particular was 
AS29073, formerly called "Ecatel".  On his blog, this fellow Troy has noted at 
length some break-in attempts originating from AS29073 and his inability to get 
anyone, in particular RIPE NCC, to give a damn.

https://badpackets.net/the-master-needler-80-82-65-66/

https://badpackets.net/a-conversation-with-ripe-ncc-regarding-quasi-networks-ltd/

https://badpackets.net/quasi-networks-responds-as-we-witness-the-death-of-the-master-needler-80-82-65-66-for-now/

The fact that RIPE NCC declined to accept the role of The Internet Police 
didn't surprise me at all... they never have and probably never will.
But I decided to have a quick look at what this network was routing, at 
present, which can be easily seen here:

http://bgp.he.net/AS29073#_prefixes

So I was looking through the announced routes for AS29073, and it all looked 
pretty normal... a /24 block, check, a /24 block, check, a /21 block check... 
another /24 block, and then ... WAIT A SECOND!  HOLY MOTHER OF GOD!  WHAT'S 
THIS???  196.16.0.0/14 !!!

So how does a little two-bit network with a rather dubious reputation and a 
grand total of only about a /19 to its name suddenly come to be routing an 
entire /14 block??

And of course, it's a legacy (abandoned) Afrinic block.

And of course, there's no reverse DNS for any of it, because there is no valid 
delegation for the reverse DNS for any of it... usually a good sign that 
whoever is routing the block right now -does not- have legit rights to do so.  
(If they did, then they would have presented their LOAs or whatever to Afrinic 
and thus gotten the reverse DNS properly delegated to their own name servers.)

I've seen this movie before.  You all have.  This gives every indication of 
being just another sad chapter in the ongoing mass pillaging of unused Afrinic 
legacy IPv4 space, by various actors with evil intent.
I've already documented this highly unfortunate fad right here on multiple 
occasions:

https://mailman.nanog.org/pipermail/nanog/2016-November/089232.html
https://mailman.nanog.org/pipermail/nanog/2017-August/091821.html

This incident is a bit different from the others however, in that it -does not- 
appear that the 196.16.0.0/14 block has been filled to the brim with snowshoe 
spammers.  Well, not yet anyway.

But if in fact the stories are correct, and if AS29073 does indeed have a 
history of hosting outbound hacking activities, then the mind reels when 
thinking about how much mischief such bad actors could get into if given an 
entire /14 to play with.  (And by the way, this is a new world's record I 
think, for largest single-route deliberate hijack.
I've seen plenty of /16s go walkabout before, and even a whole /15.
But an entire /14?!?! That is uniquely brazen.)

In addition to the above, and the points raised within the Bad Packets blog 
(see links above) I found, via passive DNS, a number of other causes for 
concern about AS29073, to wit:

Shady FQDNs (incl possible child porn ones) on AS29073 moved here:
https://pastebin.com/raw/f4M09UKL

(In addition to the above, I've also found plenty more domain names associated 
with AS29073 which incorporate the names "Apple" "AirBnB", "Facebook", and 
"Groupon", as well as dozens of other legitimate companies and organizations.)

I confess that I have not had the time to look at any of the web sites that may 
or may not be associated with any of the above FQDNs, but the domain names 
themselves are certainly strongly suggestive of (a) the possible hos

AS29073, 196.16.0.0/14, Level3: Why does anyone peer with these schmucks?

2017-08-14 Thread Ronald F. Guilmette

Sorry for the re-post, but it has been brought to my attention that
my inclusion, in my prior posting, of various unsavory FQDNs resolving
to various IPv4 addresses on AS29073 has triggered some people's
spam filters.  (Can't imagine why. :-)  So I am re-posting this message
now, with just a link to where those shady FQDNs and their current
forward resolutions may be found.  (I also took the opportunity to
clean up some minor typos.)

%%%

I think that this is primarily Level3's problem to fix.  But you be
the judge.  Please, read on.

+_+_+_+_+_+_+_+_

Over the weekend, I stumbled upon an interesting blog called "Bad Packets",
where a fellow named Troy has written about various unsavory goings on
involving various networks.  One network that he called out in particular
was AS29073, formerly called "Ecatel".  On his blog, this fellow Troy has
noted at length some break-in attempts originating from AS29073 and his
inability to get anyone, in particular RIPE NCC, to give a damn.

https://badpackets.net/the-master-needler-80-82-65-66/

https://badpackets.net/a-conversation-with-ripe-ncc-regarding-quasi-networks-ltd/

https://badpackets.net/quasi-networks-responds-as-we-witness-the-death-of-the-master-needler-80-82-65-66-for-now/

The fact that RIPE NCC declined to accept the role of The Internet Police
didn't surprise me at all... they never have and probably never will.
But I decided to have a quick look at what this network was routing, at
present, which can be easily seen here:

http://bgp.he.net/AS29073#_prefixes

So I was looking through the announced routes for AS29073, and it all
looked pretty normal... a /24 block, check, a /24 block, check, a /21
block check... another /24 block, and then ... WAIT A SECOND!  HOLY
MOTHER OF GOD!  WHAT'S THIS???  196.16.0.0/14 !!!

So how does a little two-bit network with a rather dubious reputation
and a grand total of only about a /19 to its name suddenly come to
be routing an entire /14 block??

And of course, it's a legacy (abandoned) Afrinic block.

And of course, there's no reverse DNS for any of it, because there is
no valid delegation for the reverse DNS for any of it... usually a good
sign that whoever is routing the block right now -does not- have legit
rights to do so.  (If they did, then they would have presented their
LOAs or whatever to Afrinic and thus gotten the reverse DNS properly
delegated to their own name servers.)

I've seen this movie before.  You all have.  This gives every indication
of being just another sad chapter in the ongoing mass pillaging of
unused Afrinic legacy IPv4 space, by various actors with evil intent.
I've already documented this highly unfortunate fad right here on
multiple occasions:

https://mailman.nanog.org/pipermail/nanog/2016-November/089232.html
https://mailman.nanog.org/pipermail/nanog/2017-August/091821.html

This incident is a bit different from the others however, in that it
-does not- appear that the 196.16.0.0/14 block has been filled to the
brim with snowshoe spammers.  Well, not yet anyway.

But if in fact the stories are correct, and if AS29073 does indeed have
a history of hosting outbound hacking activities, then the mind reels
when thinking about how much mischief such bad actors could get into
if given an entire /14 to play with.  (And by the way, this is a new
world's record I think, for largest single-route deliberate hijack.
I've seen plenty of /16s go walkabout before, and even a whole /15.
But an entire /14?!?! That is uniquely brazen.)

In addition to the above, and the points raised within the Bad Packets
blog (see links above) I found, via passive DNS, a number of other
causes for concern about AS29073, to wit:

Shady FQDNs (incl possible child porn ones) on AS29073 moved here:
https://pastebin.com/raw/f4M09UKL

(In addition to the above, I've also found plenty more domain names
associated with AS29073 which incorporate the names "Apple" "AirBnB",
"Facebook", and "Groupon", as well as dozens of other legitimate companies
and organizations.)

I confess that I have not had the time to look at any of the web sites that
may or may not be associated with any of the above FQDNs, but the domain names
themselves are certainly strongly suggestive of (a) the possible hosting of
child porn and also and separately (b) the possible hosting of phishing sites.

So, given the history of this network (as is well documented on the Bad
Packets blog) and given all of the above, and given what would appear to
be the unauthorized "liberation" of the entire 196.16.0.0/14 block by
AS29073, one cannot help but wonder: Why does anybody still even peer
with these jerks?

The always helpful and informative web site bgp.he.net indicates that very
nearly 50% of the connectivity currently enjoyed by AS29073 is being provided
to them by Level3.  I would thus like to ask Level3 to reconsider that peering
arrangement in light of the
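The two signals Ronald uses in the post above to judge the /14 announcement (a single prefix that dwarfs everything else the AS has ever routed, and the absence of any reverse-DNS delegation for it) can be turned into a small screening script that a network or abuse team can run over an AS's announced prefix list. The following is an added example and not code from the thread, from bgp.he.net, or from any of the people posting; the announcement list and the delegation table are constructed stand-ins (196.16.0.0/14 is the prefix named in the thread, the small prefixes are documentation and shared-address ranges), and `lookup_ns` is an injectable function so the logic runs offline.

```python
"""Screen an AS's announced prefixes for a hijack-style outlier.

Two heuristics, both taken from the thread's reasoning:
  1. one prefix holds far more address space than all the AS's other
     announcements combined (a /14 next to a /19's worth of blocks);
  2. the in-addr.arpa zones covering that prefix have no NS delegation,
     which a legitimate holder would normally have arranged with the RIR.
"""
import ipaddress
from typing import Callable, Iterable, List, Optional, Sequence, Tuple


def reverse_zones(prefix) -> List[str]:
    """Return the in-addr.arpa zones that together cover an IPv4 prefix.

    in-addr.arpa is delegated on octet boundaries, so a /24 is one zone,
    a /21 is eight /24 zones, a /14 is four /16 zones, and anything longer
    than a /24 is checked through its enclosing /24 zone.
    """
    net = ipaddress.ip_network(str(prefix), strict=False)
    if net.version != 4:
        raise ValueError("only IPv4 prefixes are handled here")
    zone_len = min(24, -(-net.prefixlen // 8) * 8)  # next octet boundary
    if zone_len < net.prefixlen:
        nets = [net.supernet(new_prefix=zone_len)]
    else:
        nets = list(net.subnets(new_prefix=zone_len))
    zones = []
    for n in nets:
        octets = str(n.network_address).split(".")[: zone_len // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa.")
    return zones


# Constructed sample announcement list (not a real routing-table snapshot):
# three /24s and a /21, plus the /14 the thread is about.
SAMPLE_ANNOUNCEMENTS = [
    "203.0.113.0/24",
    "198.51.100.0/24",
    "192.0.2.0/24",
    "100.64.0.0/21",
    "196.16.0.0/14",
]

# Constructed stand-in for DNS: only the small blocks have NS delegations;
# nothing under 196.16.0.0/14 does. Keys are in-addr.arpa zone names.
SAMPLE_DELEGATIONS = {
    zone: ["ns1.example.net.", "ns2.example.net."]
    for p in SAMPLE_ANNOUNCEMENTS[:-1]
    for zone in reverse_zones(p)
}


def screen_announcements(
    prefixes: Iterable[str],
    lookup_ns: Callable[[str], Optional[Sequence[str]]],
    ratio: int = 8,
) -> List[Tuple[str, List[str]]]:
    """Return (prefix, reasons) for every announced prefix that looks off.

    `lookup_ns(zone)` must return the NS names for a zone, or a falsy value
    when the zone is not delegated. `ratio` is how many times larger than
    the rest of the AS's footprint the biggest prefix may be before it is
    flagged; the thread's /14 versus ~/19 case is a ratio of about 32.
    """
    nets = sorted(
        (ipaddress.ip_network(p, strict=False) for p in prefixes),
        key=lambda n: n.num_addresses,
        reverse=True,
    )
    findings = []
    for i, net in enumerate(nets):
        reasons = []
        if i == 0 and len(nets) > 1:
            footprint = sum(n.num_addresses for n in nets[1:])
            if net.num_addresses > ratio * footprint:
                reasons.append(
                    f"dwarfs the rest of the AS's footprint "
                    f"({net.num_addresses} vs {footprint} addresses)"
                )
        missing = [z for z in reverse_zones(net) if not lookup_ns(z)]
        if missing:
            reasons.append("no reverse-DNS delegation for " + ", ".join(missing))
        if reasons:
            findings.append((str(net), reasons))
    return findings


if __name__ == "__main__":
    for prefix, reasons in screen_announcements(SAMPLE_ANNOUNCEMENTS, SAMPLE_DELEGATIONS.get):
        print(prefix)
        for reason in reasons:
            print("  -", reason)
```

With the constructed data only 196.16.0.0/14 is reported, for both reasons. To run the same check against live DNS, pass a `lookup_ns` that queries NS records for the zone name (for example with dnspython's `dns.resolver.resolve(zone, "NS")`, catching its no-answer and NXDOMAIN exceptions and returning `None`); that wiring is left out here so the example stays offline. The size heuristic is deliberately crude: it only catches the pattern the thread describes, a single announcement out of all proportion to the AS's history, and an AS that legitimately receives a large new allocation will trip it too, which is why the delegation check is reported separately rather than folded into one score.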