[grnog] Fwd: [anti-abuse-wg] The Great AFRINIC Heist -- The Enablers
Antonios Chariton (daknob)
daknob at daknob.net
Thu Jan 30 09:02:45 CET 2020
Interesting e-mail today on a RIPE mailing list about the situation with the theft of IPv4 from AFRINIC.
Begin forwarded message:
> From: "Ronald F. Guilmette" <rfg at tristatelogic.com>
> Date: 30 January 2020 - 08:14:59 EET
> To: routing-wg at ripe.net, anti-abuse-wg at ripe.net
> Subject: [anti-abuse-wg] The Great AFRINIC Heist -- The Enablers
>
> As the primary investigator pursuing this case, I have invested more
> than a little effort into continuing to track what has been going
> on as AFRINIC attempts to remediate the effects of these thefts.
> I would like now to provide you all with some insight into the current
> situation and status relating to the affected stolen AFRINIC blocks
> and the multiple parties in your own region who are continuing, at
> present, to provide routing to the various bits and pieces of the
> stolen AFRINIC IPv4 space.
>
> My hope, of course, is that you will all join with me in trying to
> persuade these networks to cease all routing to all of the stolen
> AFRINIC address space.
>
> A full list of all of the stolen AFRINIC blocks that are still of
> ongoing concern at the present moment is available here:
>
> https://pastebin.com/raw/71zNNriB
>
> Note that many of the blocks listed at the link above have already
> been "reclaimed" as far as the AFRINIC WHOIS records are concerned.
> But because routing remains almost entirely decoupled from RIR WHOIS
> data bases, much of this "reclaimed" space is still being routed as
> I write this. The only difference is that now the space is being
> routed as bogons, rather than as "legitimately" allocated space.
>
> A summary of all of the current routing for all of the stolen AFRINIC
> IPv4 address space that is still of concern (including routing for
> recently reclaimed address space that AFRINIC will eventually be
> returning to its free pool) is provided below. This list is sorted
> by the number of constituent stolen /24 blocks being routed by each
> listed network, thus showing the most major offenders at the top.
> A few footnotes concerning specific ASNs in this list follow below
> the listing.
>
> I urge everyone on this mailing list to share this data as widely as
> possible in and among the global networking community. In all cases
> noted below, the networks in question are unambiguously routing IP
> blocks that were obtained, in the first instance, via thefts perpetrated
> by one or more AFRINIC insiders and then resold on the black market
> in secretive deals. In many and perhaps most cases listed below, the
> relevant networks appear to have been more than happy to accept some
> cash in exchange for their services, while not looking all that
> carefully at the purported (but fraudulent) "LOA" documents that they
> were given in order to persuade them to announce routes to stolen IP
> space. (Repeated use of blatantly fraudulent documents has been one
> of the consistent features of this entire ongoing criminal enterprise.)
>
> I would also like to request the assistance of every person on this
> mailing list in the task of informing all of the networks that are
> mentioned in the list below, and that are within your own geographic
> region, that they are each currently announcing routes to stolen IP
> space. Of course, it is my hope that you will also encourage them,
> in no uncertain terms, to stop doing this immediately, if not sooner.
>
> As you can see below, this Internet crime spree is a globe-spanning
> and ongoing disaster. There is no way that I can get all of this
> mess cleaned up on my own. I am therefore relying on all people of
> honesty and good will, in all regions, to assist me in getting the
> word to the networks mentioned below, and telling them, very directly,
> that they are each facilitating a colossal fraud that affects the
> whole of the global Internet community. (I know for a fact that
> there is ongoing criminal activity which is being perpetrated from
> at least some of this provably stolen IP address space, so it is in
> the self interest of every honest netizen to get this all turned
> off and shut down.)
>
> All routing data is derived from current data published by RIPEstat.
>
> ======================================================================
> 3719 0 ?? UNROUTED IP SPACE
> 629 132165 PK Connect Communication
> 512 18013 HK Asline Limited
> 504 19969 US Joe's Datacenter, LLC
> 500 62355 CO Network Dedicated SAS
> 423 202425 SC IP Volume inc
> 286 58895 PK Ebone Network (PVT.) Limited
> 250 136525 PK Wancom (Pvt) Ltd.
> 192 18530 US Isomedia, Inc.
> 186 9009 GB M247 Ltd
> 134 262287 BR Maxihost LTDA
> 132 204655 NL Novogara LTD
> 79 132116 IN Ani Network Pvt Ltd
> 75 136384 PK Optix Pakistan (Pvt.) Limited
> 68 132422 HK Hong Kong Business Telecom Limited
> 60 137443 HK Anchnet Asia Limited
> 48 63956 AU Colocation Australia Pty Ltd
> 26 132335 IN LeapSwitch Networks Pvt Ltd
> 21 131284 AF Etisalat Afghan
> 20 139043 PK WellNetworks (Private) Limited
> 19 43092 JP OSOA Corporation., LTD
> 17 36351 US SoftLayer Technologies Inc.
> 16 56611 NL REBA Communications BV
> 16 199267 IL Netstyle A. Ltd
> 16 23679 ID Media Antar Nusa PT.
> 14 137085 IN Nixi
> 10 63018 US Dedicated.com
> 9 136782 JP Pingtan Hotline Co., Limited
> 8 45671 AU Servers Australia Pty. Ltd
> 8 57717 NL FiberXpress BV
> 7 49335 RU LLC "Server v arendy"
> 7 134451 SG NewMedia Express Pte Ltd
> 6 49367 IT Seflow S.N.C. Di Marco Brame' & C.
> 6 26754 ?? {{unknown organization}}
> 5 198504 AE Star Satellite Communications Company - PJSC
> 5 198381 AE Star Satellite Communications Company - PJSC
> 4 38001 SG NewMedia Express Pte Ltd
> 4 263812 AR TL Group SRL ( IPXON Networks )
> 4 30827 GB Extraordinary Managed Services Ltd
> 4 42831 GB UK Dedicated Servers Limited
> 4 37200 NG SimbaNET Nigeria Limited
> 4 133495 PK Vision telecom Private limited
> 4 198394 AE Star Satellite Communications Company - PJSC
> 2 44066 DE First Colo GmbH
> 2 198247 AE Star Satellite Communications Company - PJSC
> 2 133933 PK NetSat Private Limited
> 2 328096 UG truIT Uganda Limited
> 2 38713 PK Satcomm (Pvt.) Ltd.
> 2 31122 IE Digiweb ltd
> 2 46562 US Total Server Solutions L.L.C.
> 2 13737 US Riverfront Internet Systems LLC
> 2 11990 US Unlimited Net, LLC
> 2 20860 GB Iomart Cloud Services Limited
> 2 45382 KR Ehostict
> 2 17216 US Dc74 Llc
> 2 16637 ZA Mtn Sa
> 2 53999 CA Priority Colo Inc
> 1 23470 US ReliableSite.Net LLC
> 1 35074 NG Cobranet Limited
> 1 19832 ZA Link Data Group
> 1 43945 IL Netstyle A. Ltd
> 1 134917 IN Ragsaa Communication pvt. ltd.
> 1 203833 DE First Colo GmbH
> ======================================================================
>
> The actual current route announcements corresponding to all of the above
> are listed in the table given here, which is sorted by ASN:
>
> https://pastebin.com/raw/XQyJ8EK2
>
> Footnotes:
>
> [1] AS62355 gives all indications of being a false front fraudulent
> network, possibly one that was set up by one or more of the black
> market dealers involved in this case. There is no actual web site
> associated with its contact domain (networkdedicated.com) at present,
> the alleged contact phone number in the associated AS WHOIS record
> was non-working when I tried it, and the street address given for
> this entity in Bogotá, Colombia, is one that Google maps cannot
> locate. Traceroutes to the one and only IPv4 block that is being
> routed by this AS and that is actually registered to the company itself
> (185.39.8.0/22 -- issued by RIPE NCC) do not terminate in Colombia,
> South America, as one would expect based on the WHOIS, but rather
> such traceroutes dead-end somewhere on the network of core-backbone.com
> (Core-Backbone GmbH, Germany) in the general vicinity of Amsterdam,
> Netherlands.
>
> Please note also that AS62355 appears to be a "leaf" ASN which is
> connected to the Internet only via AS202425, IP Volume, Ltd. --
> Seychelles. (See below.)
>
> https://bgp.he.net/AS62355
>
>
> [2] The networks of AS202425 (IP volume, Inc. - Seychelles), AS204655
> (Novogara, Ltd. - Netherlands), AS56611 (REBA Communications BV -
> Netherlands), and AS57717 (FiberXpress BV - Netherlands), are all
> believed by me to be owned and controlled by a certain pair of Dutch
> gentlemen named Mr. Ferdinand Reinier Van Eeden and Mr. Bartholomeus
> Johannes ("Bap") Karreman, both of whom I have previously posted about
> to the NANOG mailing list. For more information on these characters,
> please google for "Ecatel" and/or "Quasi Networks". Both of those are,
> I believe, demonstrably the predecessors of what is nowadays being
> called "IP volume, Inc."
>
> [3] AS199267 (Netstyle A. Ltd. - Israel) and AS43945 (Netstyle A. Ltd. -
> Israel) belong to the Israeli gentleman featured in Jan Vermeulen's
> detailed December 4th report on this whole AFRINIC caper. This is the
> specific fellow who has been going around passing out fraudulent LOAs
> of such shockingly low quality that one wonders why he even bothers.
> (But I guess they work well enough in the case of many cash-starved
> networks hungry for new customers.)
>
> [4] AS26754 was formerly an AFRINIC-assigned ASN which was assigned
> to the entirely fictitious business entity called "ITC". That entity
> appears to have just been an imaginary concoction of Mr. Ernest
> Byaruhanga, formerly a senior employee of AFRINIC (and now the target
> of an ongoing criminal investigation) and/or other AFRINIC insiders
> who worked with or alongside Mr. Byaruhanga to criminally strip
> assets from AFRINIC and its legacy block holders. The registration
> for this AS number has now been withdrawn by AFRINIC, thus rendering
> the ASN itself a bogon.
>
> [5] AS19832 ("Link Data Group") is yet another fiction that was
> manufactured out of (nearly) whole cloth, either by Mr. Byaruhanga
> and/or by other AFRINIC insiders who were working with him. It is
> not immediately clear why this ASN is still registered, let alone why
> its route announcements are still being accepted or propagated
> anywhere.
>
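
The forwarded post ranks networks by how many constituent /24 blocks of the listed space each one originates, with unrouted space shown as ASN 0. The following is an added example, not part of the original post and not the author's tooling, of one way to build such a tally from a list of blocks and a routing table using longest-prefix match. All prefixes and ASNs are constructed (benchmark and documentation ranges), and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed sample data (not taken from the post).
BLOCKS_OF_CONCERN = ["198.18.0.0/22", "198.19.4.0/23", "10.99.0.0/24"]
# Simplified routing table: (announced prefix, origin ASN).
ROUTES = [
    ("198.18.0.0/23", 64496),
    ("198.18.1.0/24", 64497),   # more-specific wins for this /24
    ("198.19.0.0/16", 64498),   # covering less-specific announcement
    ("203.0.113.0/24", 64499),  # unrelated route, must not be counted
]

def origin_for(slash24, routes):
    """Origin ASN of the most specific route covering this /24, or 0 if none.

    Routes longer than /24 cannot cover a whole /24 and are ignored.
    """
    best = None  # (prefix length, origin ASN)
    for prefix, asn in routes:
        net = ipaddress.ip_network(prefix)
        if slash24.subnet_of(net) and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, asn)
    return best[1] if best else 0

def tally_slash24s(blocks, routes):
    """Count constituent /24s per origin ASN, largest first (ASN 0 = unrouted)."""
    counts = Counter()
    seen = set()  # avoid double counting when listed blocks overlap
    for block in blocks:
        net = ipaddress.ip_network(block)
        if net.prefixlen <= 24:
            parts = net.subnets(new_prefix=24)
        else:
            # A block smaller than a /24 is counted as its enclosing /24.
            parts = [net.supernet(new_prefix=24)]
        for s24 in parts:
            if s24 in seen:
                continue
            seen.add(s24)
            counts[origin_for(s24, routes)] += 1
    return counts.most_common()

if __name__ == "__main__":
    for asn, n in tally_slash24s(BLOCKS_OF_CONCERN, ROUTES):
        print(f"{n:5d} {asn if asn else '0 (unrouted)'}")
```
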