[anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552
Ronald F. Guilmette
rfg at tristatelogic.com
Thu Dec 3 11:48:02 CET 2020
In message <CALZ3u+aah7xMfoTV6P2H9PGaVkNk9uJ0LA96PRiJ7cyr4ERuHg at mail.gmail.com>,
Töma Gavrichenkov <ximaera at gmail.com> wrote:

>> Neither AS44050 nor AS58552 was ever announcing any of the squatted
>> prefixes themselves directly.
>> Rather AS44050 was... for reasons which have yet to be explained... peering
>> with the set of four apparently squatted ASNs
>
>Yes, this is understood. There's no peering anymore. See e.g.:

Very good. I have confirmed.

>> If you are in a position to have one more short conversation with the
>> owners and/or operators of AS44050, Petersburg Internet Network Ltd.,
>> then please be so kind as to ask them on my behalf why they were
>> peering with those four different apparently squatted & abandoned ASNs.
>
>I don't think I'm anywhere close to a position where I can ask them
>questions like that.

OK. Just give me the contact information that was used to have this previous "brief conversation" with them, and I will ask them myself.

See, I'm not like most folks who just shrug and move on after an incident like this. I sort of like to find out what really happened, why, and who is actually responsible.

Either Petersburg Internet Network did this themselves, or else *somebody* was paying them a *lot* of money to get them to provide peering & transit to all of these bogus squatted ASNs.

>> The name "Petersburg Internet" has come up, time and time again,
>> in relation to online skulduggery and malfeasance. [..]
>> https://krebsonsecurity.com/page/2/?s=Petersburg+Internet&x=0&y=0
>
>This search yields all the results containing "petersburg" OR
>"internet". There's no doubt there would be many in this case.

That's actually not correct, but it turns out that we were both half right and both half wrong about Brian Krebs' web site search function.

I looked into this, and it now appears that if you search for "Petersburg Internet" on Brian's site, you *do not* get the results for "Petersburg OR Internet" and you also *do not* get results for "Petersburg AND Internet". In fact, it looks like the search function just ignores the second word entirely, so the search is effectively for just "Petersburg".

In any case, you may wish to have a look at the following article in which the company *is* mentioned, and not in any good way:

https://krebsonsecurity.com/2016/07/carbanak-gang-tied-to-russian-security-firm/

I would also recommend perusing page 28 of the following expert witness statement, which relates to botnet command & control servers:

http://cdn.cnn.com/cnn/2019/images/03/15/xbt.doc.248.2.pdf

See also page 5 of this academic paper about automated Internet attacks:

https://grehack.fr/data/2017/slides/GreHack17_Automation_Attacks_at_Scale_paper.pdf

>AS44050 is basically the SOHO provider for the St. Petersburg Internet
>Exchange. St. Petersburg's population is slightly below 5 million
>people, not counting satellite cities and suburbs (which, if counted,
>would contribute another 2 million I think), and the city has quite
>got a reputation for hidden criminal activity. It's Chicago-style if
>you will. Surely there are also quite a few criminals in one of the
>largest ISP networks of the city.

Yes, but if any of -our- criminals attack people or businesses located in other countries, we will allow them to be extradited to those other countries to face trial.

Your country, I am sad to say, instead protects online miscreants, and ensures that they never have to face justice. You know that, I know that, everybody who knows even the first thing about online cybercrime knows that. It's not exactly a secret.

Regards,
rfg