This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] Mysteries of the Internet: AS65000
Ronald F. Guilmette
rfg at tristatelogic.com
Mon Apr 15 08:05:59 CEST 2019
In message <CF75F9DC-0DB0-426B-9E91-AAD0BCD850C8 at gmail.com>,
Suresh Ramasubramanian <ops.lists at gmail.com> wrote:

>Given that it is RFG raising this, I think it is a pretty safe bet that this
>ASN is associated with some abusive activity that he has seen.

Well, let's just say that some things that are relevant to AS65000 do appear to be a bit, um, questionable.

Anyway, since the point has been raised, I will go ahead and say that my questions about AS65000 are really secondary to the -real- question that I'd very much like to have an answer to... from one of the *real* routing experts. (And I do plan to be sending this question to Doug Madory later on, just in case he is not actually reading everything that appears here.)

Here is what I am -actually- most directly curious about...

I have reason to believe that -somebody- may perhaps/possibly have been announcing a route to the (now unrouted) RIPE IPv4 block 91.244.204.0/22 in the not very distant past, beginning around 2018-10-21 21:01:47 -0000 and for some considerable time thereafter, perhaps extending into multiple months. I further have reason to believe that this /22 block was in use by some professional snowshoe spammers at some point or points during this same time period.

I would very much like to know which ASN, exactly, was routing this block in and around that time period. That information would be an enormous help to my investigation of this matter.

I have looked on the RIPE web site for an answer, specifically here:

https://stat.ripe.net/widget/routing-history#w.resource=91.244.204.0

Switching to "Table View" and then sorting by date first seen, there would appear to be two plausible candidates, i.e.:

    91.244.204.0/22    AS56630    2018-08-17 00:00:00 UTC
    91.244.204.0/22    AS65000    2018-08-17 00:00:00 UTC

I am not aware of any way to tell which of the above listed ASNs is more likely to have been the ASN that was actually providing service to the aforementioned professional snowshoe spammers.

I have noticed however that quite a number of the routes currently being announced by (reserved) AS65000 are simultaneously also being announced by various other ASNs. This makes the whole situation rather more confusing than I would like, and I am left with no clear answers as to who was/is responsible.

If the responsible party is AS56630 then my attribution on this case is complete, I can share my resulting opinions about AS56630 and its predilections with some other people I know, after which there will be nothing left for me to do but to go and make myself a margarita.

If on the other hand however, it was actually AS65000 that was providing service to the professional snowshoe spammers in this case, then it would appear that I have hit a dead end where no one is responsible, and yet -everyone- is. Needless to say this is not at all a satisfying outcome.

I just now looked at the routing history for these additional blocks:

    5.133.165.0/24
    5.133.166.0/24
    91.244.204.0/22

It would appear that the mysterious AS65000 has been sort of shadowing the movements of AS56630 for some time now... over six months, I guess, at least since 2018-08-17, according to the RIPE data on that last route shown above.

Everywhere AS56630 goes, AS65000 goes also. When one moves, the other does also, and on the same day.

Quite a romance going on between those two!

Regards,
rfg

P.S. I'm not entirely sure that I understand why a Lithuanian ASN (AS56630) would be called upon to provide routing for an alleged telecom company located in Tbilisi, Georgia (i.e. GE-RAILWAYTELECOM-20120605).

That having been said, I personally harbor no doubts whatsoever about what the intentions are for the practical applications of the following blocks which are being routed by AS56630:

https://bgp.he.net/net/5.133.165.0/24#_dns
https://bgp.he.net/net/130.0.88.0/22#_dns

(I must remember to thank HE.NET for their assistance in making abundantly clear that which might otherwise have been less than entirely persuasive.)
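
An added example, not part of the original message: one way to run the two checks the message describes over exported routing-history rows, namely which origin ASNs were announcing a prefix during a time window (flagging private-use origins per RFC 6996) and how often one ASN's announcements start on the same day as another's. The row layout, the function names, every last-seen date, the 5.133.x start dates and the AS64500 row are constructed for illustration; only the two 2018-08-17 first-seen values and the 2018-10-21 window start come from the message.

```python
from collections import defaultdict
from datetime import datetime, timezone

# RFC 6996 private-use 16-bit ASNs: 64512..65534 (AS65000 is inside this range).
PRIVATE_ASNS = range(64512, 65535)

def ts(s):
    """Parse 'YYYY-MM-DD HH:MM:SS' as a UTC timestamp."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

# Constructed sample rows: (prefix, origin ASN, first seen, last seen).
# Only the 2018-08-17 first-seen values are taken from the message.
ROWS = [
    ("91.244.204.0/22", 64500, "2017-01-01 00:00:00", "2017-06-01 00:00:00"),
    ("91.244.204.0/22", 56630, "2018-08-17 00:00:00", "2019-03-01 00:00:00"),
    ("91.244.204.0/22", 65000, "2018-08-17 00:00:00", "2019-03-01 00:00:00"),
    ("5.133.165.0/24", 56630, "2018-09-03 00:00:00", "2019-04-15 00:00:00"),
    ("5.133.165.0/24", 65000, "2018-09-03 00:00:00", "2019-04-15 00:00:00"),
    ("5.133.166.0/24", 56630, "2018-09-03 00:00:00", "2019-04-15 00:00:00"),
    ("5.133.166.0/24", 65000, "2018-09-03 00:00:00", "2019-04-15 00:00:00"),
]

def origins_in_window(rows, prefix, start, end):
    """Map each origin ASN whose announcement of `prefix` overlaps
    [start, end] to 'private-use' or 'public'."""
    hits = {}
    for pfx, asn, first, last in rows:
        if pfx == prefix and ts(first) <= end and ts(last) >= start:
            hits[asn] = "private-use" if asn in PRIVATE_ASNS else "public"
    return hits

def shadow_score(rows, asn_a, asn_b):
    """Fraction of asn_a's (prefix, start day) announcements for which
    asn_b began announcing the same prefix on the same day."""
    starts = defaultdict(set)
    for pfx, asn, first, _last in rows:
        starts[asn].add((pfx, ts(first).date()))
    a = starts[asn_a]
    return len(a & starts[asn_b]) / len(a) if a else 0.0

if __name__ == "__main__":
    window = (ts("2018-10-21 21:01:47"), ts("2019-01-21 00:00:00"))
    print(origins_in_window(ROWS, "91.244.204.0/22", *window))
    print(shadow_score(ROWS, 65000, 56630))
```

A private-use origin cannot be tied to a registrant through the RIR databases, so a high score against a public ASN tells you which registered network to examine next; it does not by itself establish who operated the private-use origin.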