[anti-abuse-wg] Hijack Factory: AS201640 / AS200002

[[ I'm adopting now the new terminology that I learned yesterday.  What
   has happened in this case, and what is happening, is ``IP squatting''
   rather than ``IP hijacking'' because the IP space involved was not
   otherwise routed.  ]]

In message <CAArzuotwSMkjWWe==94aD0arquoY5pSRUMX83obgcdXJe2ODOA at mail.gmail.com>
Suresh Ramasubramanian <ops.lists at gmail.com> wrote:

>This simply means that LE or the appropriate regulator in either country
>where the different parts of this contract exist (the Netherlands - opta or
>dutch high tech crime police, and whoever are their peers in Romania)
>should be able to act on this information.

Given the history of LE globally, specifically how ineffectual most of
them end up being in these sorts of matters, particularly in the absence
of readily identifiable monetary harm to some well-healed local or
multinational corporation, I for one will not be holding my breath
waiting for that particular cavalry to arrive and save the day.  I would
however like to see... and would most probably be satisfied with...
some sort of a blacklist entry which would insure that these same
miscreants are not able to sneak in and obtain any form of arguably
legitimate number resource registrations again in the future, ever.

However I am still mightily puzzled by by the question of how they
managed to even get an AS number _this time_.  As I understand it,
an AS number is just a sort of device or artifice, useful when one
needs to do some routing, i.e. of some IP space which one, presumably,
already has a legitimate claim to.  But as far as I can tell, this
thing, MEGA - SPRED LTD, does not have, and indeed may never have
had even a single IP address which was or is legitmately there's.
Are AS numbers given out, by _any_ RiR, to people or entities which
have -zero- IPs that need routing?

>U.S. LE as well given that the actual perpetrators are there.

As noted in the Krebs article, the spammer Michael Persaud, a resident
of San Diego, California, claims to have simply contracted for rights
to use some portion of the squatted IP space from some other party.
Persaud  did not give Krebs, the reporter, any indication of who or
where that other party might be.  Based on the evidence, a reasonable
first order supposition might be that the other party in this case...
the one which sold Persaud the squatted IP space... was most probably
MEGA - SPRED LTD, which claims to be located in Sofia, Bulgaria.  It
would thus appear to be a vast over-simplification to say that ``the
actual perpetrators are {located in the United States}'', and/or that
thus, as a consequence, US LE would have even the slightest interest
in this case.

I would be willing to bet money right now that U.S. LE would have no such
interest, even if they did take the time to speak with Persaud himself.
He would just repeat the claim he's already made to Krebs, i.e. that
he was simply duped by some fast-talking IP salesmen located elsewhere,
and that he is as much of a victim as anybody.

I would love to see U.S. LE nail him for violations of the CAN-SPAM Act
(which he is apparently not fully complying with, i.e. by failing to
provide a snail mail opt-out address in each spam), but as regards to
his potentially non-existant role in the IP space squatting, I highly
doubt that any evidence exists for that, either in the city of Sofia
or elsewhere, which has not already been destroyed.  No evidence means
no case.

More to the point however, as far as I know IP space squatting is not
illegal under U.S. law, nor even under any of the many flavors of EU
law.  So the squatting itself is most likely non-prosecutable anywhere.
(It might be an entirely different story if these ``squats'' had instead
been actual ``hijacks'' and if some servers which had been located
in the IP space involved had been effectively disconnected from the
Internet due to one of these route announcements.  But there is no
evidence of that for any of these bogus route announcements.)

Ignoring the legal non-issue of squatting, there is still the possibility
of prosecutable fraud.

Fraud is a fairly old, fairly well-defined, and fairly universal
legal concept which is prosecutable virtually everywhere.  If and only
if MEGA - SPRED LTD submitted some false documentation to RIPE NCC,
_and_ if RIPE NCC felt like pressing charges... which might not actually
be worth either their time or effort to do... then European LE might
perhaps become involved.  But that is a lot of ``ifs''.

As I've said, I for one will be happy if all that happens is that these
bastards have their AS registration revoked, and if they are summarily
kicked out of RIPE altogether, and permanently, and the sooner the better.


Regards,
rfg


P.S.  Among the many many things that I remain puzzled by about this case,
I should mention also, just in passing, that I am puzzled by the fact that
at least one Cisco security guy blogged about AS201640 and its hijacking
activities over a month ago, documenting it rather admirably.  Yet it
seems that he made no effort at all to follow-up, e.g. to see if the one
route hijack that he noticed and documented was going to be short-lived
or long-lived, whether the AS in question was already known for this sort
of thing, or whether the bogus route he blogged about had any brothers or
sisters.  (As we now know, it did, and does, and 100% of AS201640's routes
appear to be of this bogus variety, and most probably always have been.)

Are network security researchers everywhere nowadays so completely jaded
about these kinds of events that new and blatant instances of route
squatting/hijacking elicit no more than a yawn and a return to other
business?  If so, then I think we have bigger problems than just those
generated by AS201640.

(Of course it is possible that the Cisco guy in question _did_ notice,
over a month ago, all of the badness that AS201640 was up to, and just
didn't feel like sharing that information with anybody outside of Cicso.
If so, then that is a trend which would worry me too... sort of like
hording your own private stash of 0-days.)