This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] Hijack Factory: AS201640 / AS200002
- Previous message (by thread): [anti-abuse-wg] Hijack Factory: AS201640 / AS200002
- Next message (by thread): [anti-abuse-wg] Hijack Factory: AS201640 / AS200002
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Ronald F. Guilmette
rfg at tristatelogic.com
Fri Nov 7 03:55:33 CET 2014
[[ I'm adopting now the new terminology that I learned yesterday. What has happened in this case, and what is happening, is ``IP squatting'' rather than ``IP hijacking'' because the IP space involved was not otherwise routed. ]]

In message <CAArzuotwSMkjWWe==94aD0arquoY5pSRUMX83obgcdXJe2ODOA at mail.gmail.com> Suresh Ramasubramanian <ops.lists at gmail.com> wrote:

>This simply means that LE or the appropriate regulator in either country
>where the different parts of this contract exist (the Netherlands - opta or
>dutch high tech crime police, and whoever are their peers in Romania)
>should be able to act on this information.

Given the history of LE globally, specifically how ineffectual most of them end up being in these sorts of matters, particularly in the absence of readily identifiable monetary harm to some well-heeled local or multinational corporation, I for one will not be holding my breath waiting for that particular cavalry to arrive and save the day.

I would however like to see... and would most probably be satisfied with... some sort of a blacklist entry which would ensure that these same miscreants are not able to sneak in and obtain any form of arguably legitimate number resource registrations again in the future, ever.

However I am still mightily puzzled by the question of how they managed to even get an AS number _this time_. As I understand it, an AS number is just a sort of device or artifice, useful when one needs to do some routing, i.e. of some IP space which one, presumably, already has a legitimate claim to. But as far as I can tell, this thing, MEGA - SPRED LTD, does not have, and indeed may never have had, even a single IP address which was or is legitimately theirs. Are AS numbers given out, by _any_ RIR, to people or entities which have -zero- IPs that need routing?

>U.S. LE as well given that the actual perpetrators are there.

As noted in the Krebs article, the spammer Michael Persaud, a resident of San Diego, California, claims to have simply contracted for rights to use some portion of the squatted IP space from some other party. Persaud did not give Krebs, the reporter, any indication of who or where that other party might be. Based on the evidence, a reasonable first order supposition might be that the other party in this case... the one which sold Persaud the squatted IP space... was most probably MEGA - SPRED LTD, which claims to be located in Sofia, Bulgaria.

It would thus appear to be a vast over-simplification to say that ``the actual perpetrators are {located in the United States}'', and/or that thus, as a consequence, US LE would have even the slightest interest in this case. I would be willing to bet money right now that U.S. LE would have no such interest, even if they did take the time to speak with Persaud himself. He would just repeat the claim he's already made to Krebs, i.e. that he was simply duped by some fast-talking IP salesmen located elsewhere, and that he is as much of a victim as anybody.

I would love to see U.S. LE nail him for violations of the CAN-SPAM Act (which he is apparently not fully complying with, i.e. by failing to provide a snail mail opt-out address in each spam), but as regards his potentially non-existent role in the IP space squatting, I highly doubt that any evidence exists for that, either in the city of Sofia or elsewhere, which has not already been destroyed. No evidence means no case.

More to the point however, as far as I know IP space squatting is not illegal under U.S. law, nor even under any of the many flavors of EU law. So the squatting itself is most likely non-prosecutable anywhere.

(It might be an entirely different story if these ``squats'' had instead been actual ``hijacks'' and if some servers which had been located in the IP space involved had been effectively disconnected from the Internet due to one of these route announcements. But there is no evidence of that for any of these bogus route announcements.)

Ignoring the legal non-issue of squatting, there is still the possibility of prosecutable fraud. Fraud is a fairly old, fairly well-defined, and fairly universal legal concept which is prosecutable virtually everywhere. If and only if MEGA - SPRED LTD submitted some false documentation to RIPE NCC, _and_ if RIPE NCC felt like pressing charges... which might not actually be worth either their time or effort to do... then European LE might perhaps become involved. But that is a lot of ``ifs''.

As I've said, I for one will be happy if all that happens is that these bastards have their AS registration revoked, and if they are summarily kicked out of RIPE altogether, and permanently, and the sooner the better.

Regards,
rfg

P.S. Among the many many things that I remain puzzled by about this case, I should mention also, just in passing, that I am puzzled by the fact that at least one Cisco security guy blogged about AS201640 and its hijacking activities over a month ago, documenting it rather admirably. Yet it seems that he made no effort at all to follow up, e.g. to see if the one route hijack that he noticed and documented was going to be short-lived or long-lived, whether the AS in question was already known for this sort of thing, or whether the bogus route he blogged about had any brothers or sisters. (As we now know, it did, and does, and 100% of AS201640's routes appear to be of this bogus variety, and most probably always have been.)

Are network security researchers everywhere nowadays so completely jaded about these kinds of events that new and blatant instances of route squatting/hijacking elicit no more than a yawn and a return to other business? If so, then I think we have bigger problems than just those generated by AS201640. (Of course it is possible that the Cisco guy in question _did_ notice, over a month ago, all of the badness that AS201640 was up to, and just didn't feel like sharing that information with anybody outside of Cisco. If so, then that is a trend which would worry me too... sort of like hoarding your own private stash of 0-days.)
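The message above turns on a distinction the author takes from a prior post: an announcement is a "squat" when the prefix was not otherwise routed, and a "hijack" when someone else was already originating that space. The following is an added example, not code from the original post or from any party named in the thread, showing how a practitioner can apply that distinction mechanically: compare a suspect AS's announcements against a baseline snapshot of what was routed before it appeared, and flag any overlap with space another origin already announced. The baseline and the announcements below are constructed sample data using documentation prefixes and private-use AS numbers; a real check would load a RIB dump from a route collector instead.

```python
"""Classify new BGP origin announcements as 'squat', 'hijack' or 'ok'
against a baseline snapshot of previously routed prefixes.

Added illustration, not part of the original mailing-list post.
All prefixes and AS numbers below are constructed sample data
(RFC 5737 / RFC 3849 documentation space, RFC 6996 private ASNs).
"""
import ipaddress
from typing import Dict, List, Tuple

Announcement = Tuple[str, int]  # (prefix, origin AS)

# Constructed baseline: what the routing table held before the suspect
# AS showed up. In practice this comes from a route-collector RIB dump.
BASELINE_RIB: List[Announcement] = [
    ("198.51.100.0/24", 64500),
    ("203.0.113.0/24", 64501),
    ("2001:db8:100::/40", 64502),
]

# Constructed announcements later observed from a suspect origin (AS64999)
# plus one legitimate re-announcement, to show each verdict.
NEW_ANNOUNCEMENTS: List[Announcement] = [
    ("192.0.2.0/24", 64999),       # nobody routed this before: squat
    ("198.51.100.0/25", 64999),    # more-specific inside AS64500's /24: hijack
    ("203.0.113.0/24", 64999),     # same prefix, different origin: hijack
    ("198.51.100.0/24", 64500),    # holder re-announcing its own space: ok
    ("2001:db8:1ff::/48", 64999),  # inside AS64502's /40: hijack
]


def _index(rib: List[Announcement]):
    """Parse the baseline once into network objects."""
    return [(ipaddress.ip_network(prefix, strict=True), asn) for prefix, asn in rib]


def classify(announcement: Announcement, baseline: List[Announcement]) -> str:
    """Return 'hijack' if the prefix overlaps space some *other* AS already
    originated, 'ok' if it only overlaps the announcing AS's own space,
    and 'squat' if nothing in the baseline overlaps it at all.

    Overlap is checked in both directions (more-specific and less-specific),
    because a covering announcement of an existing /24 is as disruptive as a
    more-specific punched into it. IPv4/IPv6 never overlap each other.
    """
    prefix, origin = announcement
    net = ipaddress.ip_network(prefix, strict=True)
    overlapping = [
        asn for base, asn in _index(baseline)
        if base.version == net.version and base.overlaps(net)
    ]
    if any(asn != origin for asn in overlapping):
        return "hijack"
    if overlapping:
        return "ok"
    return "squat"


def classify_all(announcements: List[Announcement],
                 baseline: List[Announcement]) -> Dict[str, str]:
    """Map each announced prefix to its verdict."""
    return {prefix: classify((prefix, asn), baseline) for prefix, asn in announcements}


def summarize(verdicts: Dict[str, str]) -> Dict[str, int]:
    """Count verdicts; an origin whose routes are all squat/hijack is the
    'hijack factory' pattern the thread is about."""
    counts: Dict[str, int] = {"squat": 0, "hijack": 0, "ok": 0}
    for verdict in verdicts.values():
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    results = classify_all(NEW_ANNOUNCEMENTS, BASELINE_RIB)
    for prefix, verdict in results.items():
        print(f"{prefix:22} {verdict}")
    print(summarize(results))
```

Two caveats a practitioner should keep in mind. First, a baseline snapshot only tells you whether space was routed, not whether the announcing AS is entitled to it; a dormant block squatted by a stranger and a dormant block brought up by its rightful holder both come out as "squat", so the verdict has to be joined with registry data (or, today, RPKI ROAs) before anyone is accused. Second, a legitimate customer announcing a more-specific out of its provider's aggregate will also be flagged "hijack" here, so an allow-list of known provider/customer pairs is needed to keep the noise down.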