Thank you for your interesting analysis. Is then RIPE not a "partner in crime" for such criminal companies? B/c it seems RIPE does not take any action against such evidently criminal members abusing the network and the other members and users. RIPE just says this ( https://www.ripe.net/support/abuse ): " ... At the RIPE NCC, we allocate blocks of IP addresses to ISPs and other organisations, but we have no involvement in how these addresses are used by their users. ... However, we can help you find out who is abusing your network by providing you with the relevant network operator contact details. Our role is to ensure that all abuse contacts are valid and up-to-date in the RIPE Database. From there, it is the responsibility of the network operator to handle your abuse report. There is nothing we can do if a network operator chooses not to reply. ... " IMO, RIPE very well can do some more, and needs to do some more... Natale Maria Bianchi wrote on 11/01/23 19:06:
On Wed, Nov 01, 2023 at 01:55:42PM +0100, John Levine wrote:
It appears that ? ngel Gonzalez Berdasco via anti-abuse-wg <angel.gonzalez@incibe.es> said:
Just block their network 80.94.95.0/24 and forget about it.
organisation: ORG-BA1515-RIPE org-name: BtHoster LTD country: GB org-type: OTHER address: 26, New Kent Road, London, SE1 6TJ, UNITED KINGDOM
If you look at that address on Google stret view, you will see a late 2022 picture of a construction site.
Unless you care enough to contact their transit providers and try and get them disconnected, I wouldn't waste more time on it.
BtHoster is indeed a well known bulletproof hoster, and nothing good can be expected also from the other two blocks announced by AS204428, 87.246.7.0/24 and 212.70.149.0/24 (4media.bg/4vendeta.com, who also have much cleaner ranges directly behind their own AS50360). BtHoster also has AS198465, today announcing 45.129.14.0/24 and 77.90.185.0/24.
Sending abuse reports to these places is - how to say? - a bit naive. Abuse is their core business. You can see for instance BtHoster's ad in https://bitcointalk.org/index.php?topic=5407833.0 :
RDP FOR SCAN/BRUTE - PRICE 10 $ /MONTH WHM FOR PISHING WITH UNLIMITED DOMAIN LICENSE -PRICE 130 $ /MONTH RESELLER FOR RDP WITH PANEL -PRICE 150 $ + IP /MONTH SERVER FOR SCAN/BRUTE 32 GB RAM -PRICE 130 $ /MONTH
So the "ignoring" is fully expected, it is a feature of their hosting offer. The best action is to completely prevent their packets from entering your networks through protection at the network edge. This is precisely what our DROP/EDROP/ASN-DROP free datasets are for: block all packets on the edge router.
Of course, like it or not, the people behind this are members of this community, read these lists, make posts, etc, and of course they would not be connected to the Internet if there weren't facilitating ISPs between them and backbones - in this case the operators of AS47890, AS202425 and the abovementioned AS50360. These are also part of the abuse ecosystem.
The two-layered approach is essential for the stability of their connectivity - otherwise the backbones would just cut them off. When pressure from backbones becomes excessive and the intermediary is forced to disconnect them, they change intermediary or they create a new company, get a new ASN and move the operation so that reputation restarts from zero. These patterns are very established, and cause a considerable ASN turnaround. RIPE NCC apparently noted a high number of ASNs being abandoned [https://www.ripe.net/ripe/mail/archives/address-policy-wg/2023-June/013757.h...] but does not seem to note the relation with abuse that should explain a fraction of them.
Natale M Bianchi Spamhaus Project