This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[anti-abuse-wg] Second Notice: Squatting / Fraud / Identity theft by AS13259 - Delta Telesystems Ltd. (RU)

Next message (by thread): [anti-abuse-wg] Huge List of Domains Cloaking to Malware (5,000+)

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Ronald F. Guilmette rfg at tristatelogic.com
Sun Jan 3 02:44:36 CET 2021

Greetings all and Happy New Year.

It is my sad duty to report to you all that since my posting of 2020-12-21
noting the several squats onto various IPv4 address blocks and multiple
ASNs, little if anything has changed.  Here is a link to that prior posting:

https://www.ripe.net/ripe/mail/archives/routing-wg/2020-December/004212.html

(Note that there was one minor typo in that posting -- I wrote "AS1065" in
one place where I should have written "AS10650".)

As noted in that prior posting, all of this illicit activity quite clearly
traces back to AS13259 - Delta Telesystems Ltd. (RU).  Several abandoned
AS numbers were and are being used in an attempt to disguise that fact,
but the evidence is clear that 100% of these squats are tracable back to
AS13259.

The only thing that appears to have changed since my original report of
2020-12-21 is that now, instead of using fradulent RADB route objects to
try to frame up an apparently innocent party (Leaseweb Deutschland GmbH)
the perpetrator of these squats has removed those prior fradulent RADB
route objects and has simpley replaced them with a new set of fradulent
RADB route objects which now attempt to shift blame instead onto a different
German company, specifically the owners of AS8208, Teamware GmbH.  It is
easy to see past this new deception however, since all of the same old
squatted blocks are still being squatted.

A full listing of the affected squatted blocks is given below, along with
annotations that show, for each block, the identity of the legitimate
registrant organization and also the identity of the organization that
is routing each squatted block.

As noted in my prior report, many of these ASNs are themselves being squatted
on, specifically:

AS39325 - Viptelecom LLC
AS41762 - PE Logvinov Vladimir Vladimirovich
AS56968 - TemirLan Net Ltd
AS34498 - Jilcomservice
AS10650 - Extreme Internet

The non-squatted ASNs that are still active & willing participants in these
ongoing frauds are as follows:

AS13259  - Delta Telesystems Ltd. (RU)
AS9009   - M247 Ltd (UK)
AS397373 - H4Y Technologies LLC (US)

Given that this entire mess quite evidently originates from within the RIPE
region, it would be Nice if more could be done, by RIPE and/or the RIPE
community to put a stop to these ongoing squats.


Regards,
rfg


P.S. Most of you will no doubt have heard by now about the large and ongoing
SolarWinds[tm] hack/scandal, and probably also the belief, expressed by some,
that this gigantic hack originated in Russia.

Nobody has had the courtesy to show me the hard evidence which supports
that attribution, so I personally remain entirely ambivalent about it.
That hack, wherever it originated, does however provide me with the
opportunity to remind all of you here of the age-old differention between
abuse "on the Internet" versus abuse "of the Internet".

Regardless of origin, the SolarWinds[tm] hack did not and does not in any
way threaten the stability of the Internet.  It thus must be properly
categorized as being a kind of abuse "on the Internet"... and shame on
all those whose security missteps, on the receiving end, allowed it to
happen.

In contrast, what I have described with respect to these squats is, I think,
quite clearly abuse "of the Internet", and as such I hope that this sort
of skulduggery will earn truly international and non-partisan condemnation,
and suitably immediate attention from all quarters.  It is not in the
interests of any faction or any nation to see the Internet descend into
lawless routing chaos.


#------------------------------------------------------------------------
# ORG: (KZ) ORG-TNL11-RIPE "TemirLan Net Ltd"
#------------------------------------------------------------------------
91.229.148.0/22 - routed by AS56968  - TemirLan Net Ltd (KZ)
#------------------------------------------------------------------------
# ORG: (RU) ORG-CC3-RIPE "Gorodskaya elektronnaya svyaz Ltd"
#------------------------------------------------------------------------
85.28.48.0/20 - routed by AS13259 - Delta Telesystems Ltd. (RU)
#------------------------------------------------------------------------
# ORG: (RU) ORG-OA780-RIPE "OOO \"IT-Region\""
#------------------------------------------------------------------------
79.173.104.0/21 - routed by AS13259 - Delta Telesystems Ltd. (RU)
#------------------------------------------------------------------------
# ORG: (RU) ORG-PL249-RIPE "Prime-Service LLC"
#------------------------------------------------------------------------
128.0.80.0/20 - routed by AS34498 - Jilcomservice (RU)
#------------------------------------------------------------------------
# ORG: (RU) ORG-TCUL3-RIPE "Telecommunications center UMOS, LLC"
#------------------------------------------------------------------------
85.89.104.0/21 - routed by AS13259 - Delta Telesystems Ltd. (RU)
#------------------------------------------------------------------------
# ORG: (UA) ORG-FA278-RIPE "Filite Ltd"
#------------------------------------------------------------------------
62.182.160.0/21 - routed by AS39325  - Viptelecom LLC (RU)
#------------------------------------------------------------------------
# ORG: (UA) ORG-TNOO1-RIPE "The national operator of wireless communication \"WiMAX-Ukraine\""
#------------------------------------------------------------------------
89.187.8.0/21 - routed by AS41762 - PE Logvinov Vladimir Vladimirovich (UA)
#------------------------------------------------------------------------
# ORG: (US) CIS-341 "CoreComm Internet Services Inc"
#------------------------------------------------------------------------
216.93.0.0/19 - unrouted
#------------------------------------------------------------------------
# ORG: (US) CSXINT "CSX Intermodal"
#------------------------------------------------------------------------
205.134.96.0/19 - routed by AS10650 - Extreme Internet (US)
#------------------------------------------------------------------------
# ORG: (US) HONEY-13 "Honeywell International Inc."
#------------------------------------------------------------------------
199.61.32.0/19 - 50% routed by AS9009 - M247 Ltd (UK) / 50% unrouted
#------------------------------------------------------------------------
# ORG: (US) MSGM "Mortgage Sytems Group (MSG)"
#------------------------------------------------------------------------
205.148.96.0/19 - routed by AS397373 - H4Y Technologies LLC (US)

Next message (by thread): [anti-abuse-wg] Huge List of Domains Cloaking to Malware (5,000+)

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ anti-abuse-wg Archives ]