[anti-abuse-wg] The Great AFRINIC Heist -- The Enablers
Ronald F. Guilmette
rfg at tristatelogic.com
Thu Jan 30 07:14:36 CET 2020
As the primary investigator pursuing this case, I have invested more than a little effort into continuing to track what has been going on as AFRINIC attempts to remediate the effects of these thefts. I would like now to provide you all with some insight into the current situation and status relating to the affected stolen AFRINIC blocks and the multiple parties in your own region who are continuing, at present, to provide routing to the various bits and pieces of the stolen AFRINIC IPv4 space. My hope, of course, is that you will all join with me in trying to persuade these networks to cease all routing to all of the stolen AFRINIC address space.

A full list of all of the stolen AFRINIC blocks that are still of ongoing concern at the present moment is available here:

https://pastebin.com/raw/71zNNriB

Note that many of the blocks listed at the link above have already been "reclaimed" as far as the AFRINIC WHOIS records are concerned. But because routing remains almost entirely decoupled from RIR WHOIS data bases, much of this "reclaimed" space is still being routed as I write this. The only difference is that now the space is being routed as bogons, rather than as "legitimately" allocated space.

A summary of all of the current routing for all of the stolen AFRINIC IPv4 address space that is still of concern (including routing for recently reclaimed address space that AFRINIC will eventually be returning to its free pool) is provided below. This list is sorted by the number of constituent stolen /24 blocks being routed by each listed network, thus showing the most major offenders at the top. A few footnotes concerning specific ASNs in this list follow below the listing.

I urge everyone on this mailing list to share this data as widely as possible in and among the global networking community.
In all cases noted below, the networks in question are unambiguously routing IP blocks that were obtained, in the first instance, via thefts perpetrated by one or more AFRINIC insiders and then resold on the black market in secretive deals. In many and perhaps most cases listed below, the relevant networks appear to have been more than happy to accept some cash in exchange for their services, while not looking all that carefully at the purported (but fraudulent) "LOA" documents that they were given in order to persuade them to announce routes to stolen IP space. (Repeated use of blatantly fraudulent documents has been one of the consistent features of this entire ongoing criminal enterprise.)

I would also like to request the assistance of every person on this mailing list in the task of informing all of the networks that are mentioned in the list below, and that are within your own geographic region, that they are each currently announcing routes to stolen IP space. Of course, it is my hope that you will also encourage them, in no uncertain terms, to stop doing this immediately, if not sooner.

As you can see below, this Internet crime spree is a globe-spanning and ongoing disaster. There is no way that I can get all of this mess cleaned up on my own. I am therefore relying on all people of honesty and good will, in all regions, to assist me in getting the word to the networks mentioned below, and telling them, very directly, that they are each facilitating a colossal fraud that affects the whole of the global Internet community. (I know for a fact that there is ongoing criminal activity which is being perpetrated from at least some of this provably stolen IP address space, so it is in the self interest of every honest netizen to get this all turned off and shut down.)

All routing data is derived from current data published by RIPEstat.

======================================================================
3719  0       ??  UNROUTED IP SPACE
629   132165  PK  Connect Communication
512   18013   HK  Asline Limited
504   19969   US  Joe's Datacenter, LLC
500   62355   CO  Network Dedicated SAS
423   202425  SC  IP Volume inc
286   58895   PK  Ebone Network (PVT.) Limited
250   136525  PK  Wancom (Pvt) Ltd.
192   18530   US  Isomedia, Inc.
186   9009    GB  M247 Ltd
134   262287  BR  Maxihost LTDA
132   204655  NL  Novogara LTD
79    132116  IN  Ani Network Pvt Ltd
75    136384  PK  Optix Pakistan (Pvt.) Limited
68    132422  HK  Hong Kong Business Telecom Limited
60    137443  HK  Anchnet Asia Limited
48    63956   AU  Colocation Australia Pty Ltd
26    132335  IN  LeapSwitch Networks Pvt Ltd
21    131284  AF  Etisalat Afghan
20    139043  PK  WellNetworks (Private) Limited
19    43092   JP  OSOA Corporation., LTD
17    36351   US  SoftLayer Technologies Inc.
16    56611   NL  REBA Communications BV
16    199267  IL  Netstyle A. Ltd
16    23679   ID  Media Antar Nusa PT.
14    137085  IN  Nixi
10    63018   US  Dedicated.com
9     136782  JP  Pingtan Hotline Co., Limited
8     45671   AU  Servers Australia Pty. Ltd
8     57717   NL  FiberXpress BV
7     49335   RU  LLC "Server v arendy"
7     134451  SG  NewMedia Express Pte Ltd
6     49367   IT  Seflow S.N.C. Di Marco Brame' & C.
6     26754   ??  {{unknown organization}}
5     198504  AE  Star Satellite Communications Company - PJSC
5     198381  AE  Star Satellite Communications Company - PJSC
4     38001   SG  NewMedia Express Pte Ltd
4     263812  AR  TL Group SRL ( IPXON Networks )
4     30827   GB  Extraordinary Managed Services Ltd
4     42831   GB  UK Dedicated Servers Limited
4     37200   NG  SimbaNET Nigeria Limited
4     133495  PK  Vision telecom Private limited
4     198394  AE  Star Satellite Communications Company - PJSC
2     44066   DE  First Colo GmbH
2     198247  AE  Star Satellite Communications Company - PJSC
2     133933  PK  NetSat Private Limited
2     328096  UG  truIT Uganda Limited
2     38713   PK  Satcomm (Pvt.) Ltd.
2     31122   IE  Digiweb ltd
2     46562   US  Total Server Solutions L.L.C.
2     13737   US  Riverfront Internet Systems LLC
2     11990   US  Unlimited Net, LLC
2     20860   GB  Iomart Cloud Services Limited
2     45382   KR  Ehostict
2     17216   US  Dc74 Llc
2     16637   ZA  Mtn Sa
2     53999   CA  Priority Colo Inc
1     23470   US  ReliableSite.Net LLC
1     35074   NG  Cobranet Limited
1     19832   ZA  Link Data Group
1     43945   IL  Netstyle A. Ltd
1     134917  IN  Ragsaa Communication pvt. ltd.
1     203833  DE  First Colo GmbH
======================================================================

The actual current route announcements corresponding to all of the above are listed in the table given here, which is sorted by ASN:

https://pastebin.com/raw/XQyJ8EK2

Footnotes:

[1] AS62355 gives all indications of being a false front fraudulent network, possibly one that was set up by one or more of the black market dealers involved in this case. There is no actual web site associated with its contact domain (networkdedicated.com) at present, the alleged contact phone number in the associated AS WHOIS record was non-working when I tried it, and the street address given for this entity in Bogotá, Colombia, is one that Google maps cannot locate. Traceroutes to the one and only IPv4 block that is being routed by this AS and that is actually registered to the company itself (185.39.8.0/22 -- issued by RIPE NCC) do not terminate in Colombia, South America, as one would expect based on the WHOIS, but rather such traceroutes dead-end somewhere on the network of core-backbone.com (Core-Backbone GmbH, Germany) in the general vicinity of Amsterdam, Netherlands. Please note also that AS62355 appears to be a "leaf" ASN which is connected to the Internet only via AS202425, IP Volume, Ltd. -- Seychelles. (See below.)

https://bgp.he.net/AS62355

[2] The networks of AS202425 (IP volume, Inc. - Seychelles), AS204655 (Novogara, Ltd. - Netherlands), AS56611 (REBA Communications BV - Netherlands), and AS57717 (FiberXpress BV - Netherlands), are all believed by me to be owned and controlled by a certain pair of Dutch gentlemen named Mr. Ferdinand Reinier Van Eeden and Mr. Bartholomeus Johannes ("Bap") Karreman, both of whom I have previously posted about to the NANOG mailing list. For more information on these characters, please google for "Ecatel" and/or "Quasi Networks". Both of those are, I believe, demonstrably the predecessors of what is nowadays being called "IP volume, Inc."

[3] AS199267 (Netstyle A. Ltd. - Israel) and AS43945 (Netstyle A. Ltd. - Israel) belong to the Israeli gentleman featured in Jan Vermeulen's detailed December 4th report on this whole AFRINIC caper. This is the specific fellow who has been going around passing out fraudulent LOAs of such shockingly low quality that one wonders why he even bothers. (But I guess they work well enough in the case of many cash-starved networks hungry for new customers.)

[4] AS26754 was formerly an AFRINIC-assigned ASN which was assigned to the entirely fictitious business entity called "ITC". That entity appears to have just been an imaginary concoction of Mr. Ernest Byaruhanga, formerly a senior employee of AFRINIC (and now the target of an ongoing criminal investigation) and/or other AFRINIC insiders who worked with or alongside Mr. Byaruhanga to criminally strip assets from AFRINIC and its legacy block holders. The registration for this AS number has now been withdrawn by AFRINIC, thus rendering the ASN itself a bogon.

[5] AS19832 ("Link Data Group") is yet another fiction that was manufactured out of (nearly) whole cloth, either by Mr. Byaruhanga and/or by other AFRINIC insiders who were working with him. It is not immediately clear why this ASN is still registered, let alone why its route announcements are still being accepted or propagated anywhere.
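
The per-network tally described in the message (constituent /24s of the listed blocks, grouped by the network routing them, with unrouted space under ASN 0) can be reproduced as follows. This is an added example, not part of the original message or the author's tooling. The prefixes and ASNs are constructed from reserved documentation and benchmarking ranges, and crediting each /24 to the origin of its most specific covering announcement is an assumption, since the message does not say how overlapping announcements were counted.

```python
import ipaddress
from collections import Counter

UNROUTED = 0  # the message's table lists unrouted space under ASN 0

# Constructed sample data (documentation/benchmarking ranges), not from the message.
BLOCKS_OF_CONCERN = ["198.18.0.0/20", "203.0.113.0/24", "192.0.2.0/24"]
ANNOUNCEMENTS = [                      # (announced prefix, origin ASN)
    ("198.18.0.0/21", 64500),
    ("198.18.4.0/24", 64501),          # more specific inside 64500's /21
    ("198.18.8.0/22", 64501),
    ("203.0.113.0/24", 64502),
    ("203.0.113.0/24", 64500),         # same prefix, second origin (MOAS)
    ("198.51.100.0/24", 64502),        # not a block of concern: ignored
]

def slash24s(block):
    """Return the constituent /24s of an IPv4 block (must be /24 or shorter)."""
    net = ipaddress.ip_network(block)
    if net.prefixlen > 24:
        raise ValueError(f"{block} is smaller than a /24")
    return net.subnets(new_prefix=24)

def tally(blocks, announcements):
    """Return [(count_of_/24s, origin_asn), ...], largest count first."""
    routes = [(ipaddress.ip_network(p), asn) for p, asn in announcements]
    counts, seen = Counter(), set()
    for block in blocks:
        for s24 in slash24s(block):
            if s24 in seen:            # overlapping blocks of concern: count once
                continue
            seen.add(s24)
            covering = [(r.prefixlen, asn) for r, asn in routes
                        if r.prefixlen <= 24 and s24.subnet_of(r)]
            if not covering:
                counts[UNROUTED] += 1
                continue
            best = max(plen for plen, _ in covering)
            # Assumption: credit the origin(s) of the most specific route.
            for asn in {a for plen, a in covering if plen == best}:
                counts[asn] += 1
    return sorted(((n, asn) for asn, n in counts.items()),
                  key=lambda t: (-t[0], t[1]))

if __name__ == "__main__":
    for n, asn in tally(BLOCKS_OF_CONCERN, ANNOUNCEMENTS):
        print(f"{n:<5} {asn}")
```

Announcements longer than /24 are skipped here, so space routed only by such prefixes is counted as unrouted.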