196.52.0.0/14 revoked, cleanup efforts needed
Hi, 196.52.0.0/14 was recently revoked. Before it was revoked, the whois for this /14 was:
inetnum: 196.52.0.0 - 196.55.255.255 netname: LogicWeb-Inc descr: LogicWeb Inc. descr: 3003 Woodbridge Ave descr: Edison, NJ 08837 country: ZA remarks: ============REMARK==================== remarks: The custodianship of this IP prefix is presently remarks: in dispute. A police investigation is on-going remarks: and AFRINIC reserves the right to remarks: reclaim this IP prefix at anytime. remarks: ============REMARK===================
From about 71 unique ASN's This is a BOGON, unallocated space. I would appreciate if any network that is on that list and on this mailing
However, now, this /14 has been revoked by AFRINIC. Do a whois on it and you will see, it's unallocated. I believe this /14 was under control from our big friend from Israel, but I don't remember. This does not matter however. But, sadly there are about 367 ip ranges being announced from this /14 https://pastebin.com/raw/MHaW3nPe list, would stop announcing parts of this hijacked /14. I reached out to RADB to remove all the radb entries concerning this /14, however after 72 hours they still haven't.
This is not an ignored ticket, we have escalated internally with our RADb admins and they are looking into it. I will let them know that you are looking for a update and we will provide it as soon as possible.
How is it possible that they can't just delete all entries? It is UNALLOCATED SPACE, it shouldn't be routed, it shouldn't have radb. https://www.radb.net/query?advanced_query=1&keywords=-M+196.52.0.0%2F14&-T+option=&ip_option=&-i+option=&db=RADB I have also tried to post about this massive source of BOGONS on the nanog mailing list, however, they rejected my posts. Most likely because it possibly concerns "that one guy from Israel", however the nanog moderators refused to comment while continuing to reject my posts. Their self-censorship is very destructive and harmful. I hope that if this list is moderated, I will not have any trouble posting about this issue. Greetings, Ostap.
Ostap, Just to clarify, this list is moderated where necessary, in line with https://www.ripe.net/participate/mail/ripe-mailing-list-ripe-forum-code-of-c... and certainly we would generally ask users to be very careful in what they post about named individuals. Thanks, Brian Co-Chair, RIPE AA-WG Brian Nisbet Service Operations Manager HEAnet CLG, Ireland's National Education and Research Network 1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland +35316609040 brian.nisbet@heanet.ie www.heanet.ie Registered in Ireland, No. 275301. CRA No. 20036270 ________________________________ From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Ostap Efremov <kkind690@gmail.com> Sent: Wednesday 20 January 2021 01:00 To: anti-abuse-wg@ripe.net <anti-abuse-wg@ripe.net> Subject: [anti-abuse-wg] 196.52.0.0/14 revoked, cleanup efforts needed CAUTION[External]: This email originated from outside of the organisation. Do not click on links or open the attachments unless you recognise the sender and know the content is safe. Hi, 196.52.0.0/14<https://eur02.safelinks.protection.outlook.com/?url=http%3A%2F%2F196.52.0.0%2F14&data=04%7C01%7C%7Ca713fe080f3a458f024e08d8bcdef0fb%7Ccd9e8269dfb648e082538b7baf8d3391%7C0%7C0%7C637467013018583234%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=qBwRVD0Gt7l%2BJfy4xQeRi6tYstxHUUB4r7TpjOKCHbU%3D&reserved=0> was recently revoked. Before it was revoked, the whois for this /14 was: inetnum: 196.52.0.0 - 196.55.255.255 netname: LogicWeb-Inc descr: LogicWeb Inc. descr: 3003 Woodbridge Ave descr: Edison, NJ 08837 country: ZA remarks: ============REMARK==================== remarks: The custodianship of this IP prefix is presently remarks: in dispute. A police investigation is on-going remarks: and AFRINIC reserves the right to remarks: reclaim this IP prefix at anytime. remarks: ============REMARK=================== However, now, this /14 has been revoked by AFRINIC. Do a whois on it and you will see, it's unallocated. I believe this /14 was under control from our big friend from Israel, but I don't remember. This does not matter however. But, sadly there are about 367 ip ranges being announced from this /14 https://pastebin.com/raw/MHaW3nPe<https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpastebin.com%2Fraw%2FMHaW3nPe&data=04%7C01%7C%7Ca713fe080f3a458f024e08d8bcdef0fb%7Ccd9e8269dfb648e082538b7baf8d3391%7C0%7C0%7C637467013018593189%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=mNhl8YTKsHyPA1ftdlEDqB%2BN%2FDZ0kgQsW7N11O9M1So%3D&reserved=0>
From about 71 unique ASN's This is a BOGON, unallocated space. I would appreciate if any network that is on that list and on this mailing list, would stop announcing parts of this hijacked /14. I reached out to RADB to remove all the radb entries concerning this /14, however after 72 hours they still haven't. This is not an ignored ticket, we have escalated internally with our RADb admins and they are looking into it. I will let them know that you are looking for a update and we will provide it as soon as possible. How is it possible that they can't just delete all entries? It is UNALLOCATED SPACE, it shouldn't be routed, it shouldn't have radb. https://www.radb.net/query?advanced_query=1&keywords=-M+196.52.0.0%2F14&-T+option=&ip_option=&-i+option=&db=RADB<https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.radb.net%2Fquery%3Fadvanced_query%3D1%26keywords%3D-M%2B196.52.0.0%252F14%26-T%2Boption%3D%26ip_option%3D%26-i%2Boption%3D%26db%3DRADB&data=04%7C01%7C%7Ca713fe080f3a458f024e08d8bcdef0fb%7Ccd9e8269dfb648e082538b7baf8d3391%7C0%7C0%7C637467013018593189%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=pHHbx6EsZY12V6VoW7Mkvb1kWvBL2f7HF4Q97k7J6qc%3D&reserved=0> I have also tried to post about this massive source of BOGONS on the nanog mailing list, however, they rejected my posts. Most likely because it possibly concerns "that one guy from Israel", however the nanog moderators refused to comment while continuing to reject my posts. Their self-censorship is very destructive and harmful. I hope that if this list is moderated, I will not have any trouble posting about this issue.
Greetings, Ostap.
Hi Ostap, First of all this mailing list is not intended to discuss individual cases of abuse (especially ones not related to the RIPE NCC), but rather to discuss and develop new methods for dealing with it in general. (Brian, please correct me if I am wrong here) Nonetheless, while I certainly don't represent them, I believe RADb does delete objects if you email them and can show proof that you are the holder of that IP space. -Cynthia On Wed, Jan 20, 2021 at 11:58 AM Brian Nisbet <brian.nisbet@heanet.ie> wrote:
Ostap,
Just to clarify, this list is moderated where necessary, in line with https://www.ripe.net/participate/mail/ripe-mailing-list-ripe-forum-code-of-c... and certainly we would generally ask users to be very careful in what they post about named individuals.
Thanks,
Brian Co-Chair, RIPE AA-WG
Brian Nisbet
Service Operations Manager
HEAnet CLG, Ireland's National Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland
+35316609040 brian.nisbet@heanet.ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270 ------------------------------ *From:* anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Ostap Efremov <kkind690@gmail.com> *Sent:* Wednesday 20 January 2021 01:00 *To:* anti-abuse-wg@ripe.net <anti-abuse-wg@ripe.net> *Subject:* [anti-abuse-wg] 196.52.0.0/14 revoked, cleanup efforts needed
CAUTION[External]: This email originated from outside of the organisation. Do not click on links or open the attachments unless you recognise the sender and know the content is safe.
Hi,
196.52.0.0/14 <https://eur02.safelinks.protection.outlook.com/?url=http%3A%2F%2F196.52.0.0%2F14&data=04%7C01%7C%7Ca713fe080f3a458f024e08d8bcdef0fb%7Ccd9e8269dfb648e082538b7baf8d3391%7C0%7C0%7C637467013018583234%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=qBwRVD0Gt7l%2BJfy4xQeRi6tYstxHUUB4r7TpjOKCHbU%3D&reserved=0> was recently revoked. Before it was revoked, the whois for this /14 was:
inetnum: 196.52.0.0 - 196.55.255.255 netname: LogicWeb-Inc descr: LogicWeb Inc. descr: 3003 Woodbridge Ave descr: Edison, NJ 08837 country: ZA remarks: ============REMARK==================== remarks: The custodianship of this IP prefix is presently remarks: in dispute. A police investigation is on-going remarks: and AFRINIC reserves the right to remarks: reclaim this IP prefix at anytime. remarks: ============REMARK===================
However, now, this /14 has been revoked by AFRINIC. Do a whois on it and you will see, it's unallocated. I believe this /14 was under control from our big friend from Israel, but I don't remember. This does not matter however. But, sadly there are about 367 ip ranges being announced from this /14 https://pastebin.com/raw/MHaW3nPe <https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpastebin.com%2Fraw%2FMHaW3nPe&data=04%7C01%7C%7Ca713fe080f3a458f024e08d8bcdef0fb%7Ccd9e8269dfb648e082538b7baf8d3391%7C0%7C0%7C637467013018593189%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=mNhl8YTKsHyPA1ftdlEDqB%2BN%2FDZ0kgQsW7N11O9M1So%3D&reserved=0> From about 71 unique ASN's This is a BOGON, unallocated space. I would appreciate if any network that is on that list and on this mailing list, would stop announcing parts of this hijacked /14. I reached out to RADB to remove all the radb entries concerning this /14, however after 72 hours they still haven't.
This is not an ignored ticket, we have escalated internally with our RADb admins and they are looking into it. I will let them know that you are looking for a update and we will provide it as soon as possible.
How is it possible that they can't just delete all entries? It is UNALLOCATED SPACE, it shouldn't be routed, it shouldn't have radb.
https://www.radb.net/query?advanced_query=1&keywords=-M+196.52.0.0%2F14&-T+option=&ip_option=&-i+option=&db=RADB <https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.radb.net%2Fquery%3Fadvanced_query%3D1%26keywords%3D-M%2B196.52.0.0%252F14%26-T%2Boption%3D%26ip_option%3D%26-i%2Boption%3D%26db%3DRADB&data=04%7C01%7C%7Ca713fe080f3a458f024e08d8bcdef0fb%7Ccd9e8269dfb648e082538b7baf8d3391%7C0%7C0%7C637467013018593189%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=pHHbx6EsZY12V6VoW7Mkvb1kWvBL2f7HF4Q97k7J6qc%3D&reserved=0> I have also tried to post about this massive source of BOGONS on the nanog mailing list, however, they rejected my posts. Most likely because it possibly concerns "that one guy from Israel", however the nanog moderators refused to comment while continuing to reject my posts. Their self-censorship is very destructive and harmful. I hope that if this list is moderated, I will not have any trouble posting about this issue.
Greetings, Ostap.
Cynthia Revström via anti-abuse-wg wrote on 20/01/2021 13:40:
First of all this mailing list is not intended to discuss individual cases of abuse (especially ones not related to the RIPE NCC), but rather to discuss and develop new methods for dealing with it in general. (Brian, please correct me if I am wrong here)
Nonetheless, while I certainly don't represent them, I believe RADb does delete objects if you email them and can show proof that you are the holder of that IP space.
there is a RIPE policy aspect to this, namely what to do with RIPE IRRDB objects of address space which is revoked by other RIRs. In this specific situation, there are a bunch of route: entries in the RIPE-NONAUTH DB, and maybe it would be good for the DBWG to have a think about this? http://irrexplorer.nlnog.net/search/196.52.0.0/16 http://irrexplorer.nlnog.net/search/196.53.0.0/16 http://irrexplorer.nlnog.net/search/196.54.0.0/16 http://irrexplorer.nlnog.net/search/196.55.0.0/16 Ostap, can you bring this up on DB-WG? Nick
In message <CAOGGzqzmG0wUNbsYo=hjd=+RcNaosOWGLN0jqWBgTJmxPhpR-A@mail.gmail.com>, Ostap Efremov <kkind690@gmail.com> wrote:
196.52.0.0/14 was recently revoked.
Confirmed. It appears that AFRINIC returned that /14 to its free pool.
Before it was revoked, the whois for this /14 was:
inetnum: 196.52.0.0 - 196.55.255.255 netname: LogicWeb-Inc descr: LogicWeb Inc. descr: 3003 Woodbridge Ave descr: Edison, NJ 08837 country: ZA
Confirmed. Please note however that contrary to all rumors, Edison, New Jersey is -not- actually located in "ZA" (South Africa).
I believe this /14 was under control from our big friend from Israel...
No. This block -somehow- made its way... for some several years anyway... directly into the hands of a certain Mr. Chad Abizeid, proprietor of LogicWeb, in New Jersey, most specifically the one that's located in in the U.S.. There's no involvement of any Israeli personages with this specific block as far as I can determine.
This is a BOGON, unallocated space.
Yes. *Now* it is.
I would appreciate if any network that is on that list and on this mailing list, would stop announcing parts of this hijacked /14.
That would be Good, yes.
I reached out to RADB to remove all the radb entries concerning this /14, however after 72 hours they still haven't.
In my experience, neither accuracy nor security are among RADB's strong suits.
How is it possible that they can't just delete all entries?
Other things just take priority sometimes, you know. Have you never heard of Tetris?
It is UNALLOCATED SPACE, it shouldn't be routed, it shouldn't have radb.
Well, yea. But also, we in these United States should not have had to live with four full years of totally unprecedented social lunacy, the likes of which none of us have ever before known in our entire lives. But we have fixed that now. Sometimes you just have to be patient. These things take time. Regards, rfg
participants (5)
-
Brian Nisbet -
Cynthia Revström -
Nick Hilliard -
Ostap Efremov -
Ronald F. Guilmette