[anti-abuse-wg] Hijack Factory: AS201640 / AS200002

Dear Ronald and all,

The RIPE NCC investigates reports about Internet number resource
registrations. These fall into different categories:

- Violation of RIPE Policies and RIPE NCC Procedures
- Provision of untruthful information to the RIPE NCC
- Bankruptcy, liquidation or insolvency
- Incorrect contact information in the RIPE Database

You can read more about the procedure together with a link for
submitting a report at: https://www.ripe.net/contact/reporting-procedure

Kind regards,

Laura Cobley
Customer Services Manager
RIPE NCC


On 05/11/14 21:38, Ronald F. Guilmette wrote:
> How does one go about making a formal request to RIPE NCC to investigate
> a given AS registrant/registration?
> 
> Given that AS201640 appears to exist exclusively for the purpose of
> hijacking multiple/numerous blocks of IPv4 space that it rather clearly
> has no rights to, I would like to formally lodge exactly such a request.
> 
> http://blogs.cisco.com/security/talos/help-my-ip-address-has-been-hijacked/
> 
> http://mailman.nanog.org/pipermail/nanog/2014-October/071056.html
> 
> This is ongoing, as we speak.  Among the many IP blocks being hijacked,
> one of them even belongs to the Taiwan Network Information Center.
> 
> Note that the hijacked IP space is being used, perhaps by multiple
> parties, by also by at least one convicted felon, and for one very
> specific purpose...
> 
> http://krebsonsecurity.com/2014/11/still-spamming-after-all-these-years/
> 
> 
> Regards,
> rfg
> 
> 
> P.S.  To be clear, I would like to see there be an investigation of
> _both_ AS201640 and also the one and only other AS that appears to
> connect AS201640 to the rest of the world, i.e. AS200002.
> 
> Somebody please help me here.  I did try to read at least one of the
> official RIPE NCC registration requirement documents yesterday, and
> I was left with the impression... perhaps incorrect on my part... that
> in order to obtain an AS, the network in question must be multi-homed.
> Doesn't that mean that the network in question must have connectivity
> to the outside world via *more than one* other AS?
> 
> 
> P.P.S.  Unlike RIPE number resource allocations, it _is_ easily possible
> to find the registration date for most domain names in most TLDs.  The
> AS primarily at issue here is AS201640 and it seems to be associated
> with a (contact) domain name of "grimhosting.com".  (The associated web
> site, by the way, is _not_ hosted within any IP space which is being
> announced by AS201640.  Rather it is hosted on Cloudflare.)  Anyway,
> the registration date for the domain name grimhosting.com is 2014-06-18.
> 
> The person name on the registration for both the AS and that domain name
> is "Bogomil Simeonov".   In the domain name registration, this name is
> associated with the e-mail address <simeonov_zepter at abv.bg>.  That address
> in turn seems to be associated with some company named Zepter Bulgaria Ltd.,
> which is apparently a "direct sales" organization, and also, perhaps, with
> the young man who is pictured in/on this web page:
> 
> http://cv-simeonov.hit.bg/
> 
> 
>