IPv4 squatting -- Courtesy of AS44050, AS58552
Please be advised that the set of IPv4 blocks listed below appear to be squatted on at the present time, with the apparent aid and assistance of AS44050 -- "Petersburg Internet Network Ltd." (Russia) and also AS58552 -- "PT Multidata Rancana Prima" (Indonesia). These blocks appear to be mostly or entirely very old "legacy" blocks, primarily from the ARIN region.

It should additionally be noted that downstream from AS44050 and AS58552 there appear to be a number of other ASNs which themselves appear to be squatted on, without the consent or permission of the rightful owners, at the present time, and that these are the ASNs that are actually routing most or all of the squatted-on IPv4 space listed in the table below, specifically:

AS6603    US  CottonWood CyberVentures (NOTE: legacy ASN)
AS7309    US  The Virtual Marketing Corporation (NOTE: legacy ASN)
AS24199   ID  Dini Nusa Kusuma, P.T. (allocated: 2011-03-01)
AS62927   US  Moose-Tec (allocated: 2015-02-20)
AS198448  --  unknown/unallocated

All parties are advised to take action as seems appropriate, under the circumstances.

Looking at the RIPE Routing History, specifically for AS7309, strongly suggests that this extensive squatting campaign has been ongoing since at least 2019-09-29. The table below only lists currently active squats however.

Most or all of these are represented in the (unsecured) RADB database in association with the somewhat mysterious email addresses <irr@uswo.network> and/or <ipadmin@uswo.network>. The uswo.network domain name was registered on 2020-07-24. It has no associated web site, nor indeed does it or any subdomain associated with it have any IP address. (MX is set to send email to the mail servers of registrar namecheap.com.)
#------------------------------------------------------------------------
# COUNT: 1    ORG: (CA) ARENAC "Arena Communications"
#------------------------------------------------------------------------
199.84.16.0/20

#------------------------------------------------------------------------
# COUNT: 1    ORG: (CA) HUSKY-1 "Husky Energy Inc."
#------------------------------------------------------------------------
199.185.144.0/20

#------------------------------------------------------------------------
# COUNT: 1    ORG: (CA) NINS-1 "AllCore Communications Inc."
#------------------------------------------------------------------------
68.66.48.0/20

#------------------------------------------------------------------------
# COUNT: 16   ORG: (ID) IRT-DNK-ID "PT Dini Nusa Kusuma"
#------------------------------------------------------------------------
202.89.208.0/24
202.89.209.0/24
202.89.210.0/24
202.89.211.0/24
202.89.212.0/24
202.89.213.0/24
202.89.214.0/24
202.89.215.0/24
202.89.216.0/24
202.89.217.0/24
202.89.218.0/24
202.89.219.0/24
202.89.220.0/24
202.89.221.0/24
202.89.222.0/24
202.89.223.0/24

#------------------------------------------------------------------------
# COUNT: 1    ORG: (PT) HS2098-RIPE "Rumos, SA"
#------------------------------------------------------------------------
192.199.16.0/20

#------------------------------------------------------------------------
# COUNT: 1    ORG: (US) CORP "Corporate Communications, Inc."
#------------------------------------------------------------------------
207.70.224.0/20

#------------------------------------------------------------------------
# COUNT: 1    ORG: (US) DHIN "Dean Health Information Network"
#------------------------------------------------------------------------
199.217.16.0/20

#------------------------------------------------------------------------
# COUNT: 1    ORG: (US) DTEK "Friends of Synergytics"
#------------------------------------------------------------------------
207.228.192.0/20

#------------------------------------------------------------------------
# COUNT: 1    ORG: (US) EVANS-25 "Evanston Data & Colocation, Inc."
#------------------------------------------------------------------------
96.45.144.0/20

#------------------------------------------------------------------------
# COUNT: 1    ORG: (US) FLEXFA "Flexfab Division"
#------------------------------------------------------------------------
204.44.208.0/20

#------------------------------------------------------------------------
# COUNT: 1    ORG: (US) HASTIN-6 "Hastings Entertainment Inc."
#------------------------------------------------------------------------
204.156.192.0/20

#------------------------------------------------------------------------
# COUNT: 2    ORG: (US) HAWK "Hawk Communications"
#------------------------------------------------------------------------
69.8.64.0/20
69.8.96.0/20

#------------------------------------------------------------------------
# COUNT: 1    ORG: (US) IE "Enternet Express"
#------------------------------------------------------------------------
206.125.16.0/20

#------------------------------------------------------------------------
# COUNT: 1    ORG: (US) MACROV-1 "Rovi Corporation"
#------------------------------------------------------------------------
64.92.224.0/20

#------------------------------------------------------------------------
# COUNT: 1    ORG: (US) PHSKL "Popham Haik Schnobrich & Kaufman, LTD"
#------------------------------------------------------------------------
204.147.96.0/20

#------------------------------------------------------------------------
# COUNT: 1    ORG: (US) PLCA "PlanetCable Corp."
#------------------------------------------------------------------------
24.137.16.0/20

#------------------------------------------------------------------------
# COUNT: 1    ORG: (US) RPHP "Rush Prudential Health Plans"
#------------------------------------------------------------------------
204.128.32.0/20

#------------------------------------------------------------------------
# COUNT: 1    ORG: (US) SHC-1 "Sun Health Corporation"
#------------------------------------------------------------------------
198.153.32.0/20

#------------------------------------------------------------------------
# COUNT: 1    ORG: (US) SYSTEM-71 "Systems and Electronics Inc."
#------------------------------------------------------------------------
199.73.64.0/20

#------------------------------------------------------------------------
# COUNT: 1    ORG: (US) UPTHE "Upthere, Inc."
#------------------------------------------------------------------------
104.156.144.0/20
What the hell is all that crap about

Sent from Yahoo Mail on Android

On Mon, 30 Nov 2020 at 7:09, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
On 30.11.2020 09:15, Eileen Morris-Ross via anti-abuse-wg wrote:
What the hell is all that crap about
As far as I understand (I'm not a routing expert at all) it's about network abuse by hijacking IP ranges without having actual ownership of the given network blocks. An AS registered with RIPE is involved, as such the mail is on topic for the anti-abuse working group at RIPE, IMHO.

If you don't know why you're receiving this mail you should probably ask yourself why you've subscribed to this mailing list. If the majority of list members disagree with MHO I should ask myself why I am subscribed to this list :-)

Cheers,
Hans-Martin
On 30/11/2020 08:08, Ronald F. Guilmette wrote:
Please be advised that the set of IPv4 blocks listed below appear to be squatted on at the present time, with the apparent aid and assistance of AS44050 -- "Petersburg Internet Network Ltd." (Russia) and also AS58552 -- "PT Multidata Rancana Prima" (Indonesia).
These blocks appear to be mostly or entirely very old "legacy" blocks, primarily from the ARIN region.
Only a few of them are listed on https://www.spamhaus.org/drop/
#------------------------------------------------------------------------
# COUNT: 1    ORG: (CA) NINS-1 "AllCore Communications Inc."
#------------------------------------------------------------------------
68.66.48.0/20

68.66.48.0 -> spamhaus-drop/drop.txt:68.66.48.0/20 ; SBL502548

#------------------------------------------------------------------------
# COUNT: 1    ORG: (US) EVANS-25 "Evanston Data & Colocation, Inc."
#------------------------------------------------------------------------
96.45.144.0/20

96.45.144.0 -> spamhaus-drop/drop.txt:96.45.144.0/20 ; SBL502550

#------------------------------------------------------------------------
# COUNT: 2    ORG: (US) HAWK "Hawk Communications"
#------------------------------------------------------------------------
69.8.64.0/20
69.8.96.0/20

69.8.64.0 -> spamhaus-drop/drop.txt:69.8.64.0/20 ; SBL502549

#------------------------------------------------------------------------
# COUNT: 1    ORG: (US) PLCA "PlanetCable Corp."
#------------------------------------------------------------------------
24.137.16.0/20

24.137.16.0 -> spamhaus-drop/drop.txt:24.137.16.0/20 ; SBL502541

#------------------------------------------------------------------------
# COUNT: 1    ORG: (US) SYSTEM-71 "Systems and Electronics Inc."
#------------------------------------------------------------------------
199.73.64.0/20

199.73.64.0 -> spamhaus-drop/drop.txt:199.73.64.0/20 ; SBL502551
In message <d3230863-c17a-7fe7-e7b6-c0742bcdadfb@tana.it>, Alessandro Vesely <vesely@tana.it> wrote:
Only a few of them are listed on https://www.spamhaus.org/drop/
I have some hope and faith that that state of affairs will be rectified in due course, and likely before too long, now that I have shared this info widely. Regards, rfg
In message <d3230863-c17a-7fe7-e7b6-c0742bcdadfb@tana.it>, Alessandro Vesely <vesely@tana.it> writes
These blocks appear to be mostly or entirely very old "legacy" blocks, primarily from the ARIN region.
Only a few of them are listed on https://www.spamhaus.org/drop/
Spamhaus have built that table from what they know of previous hijacking events (because they observed that there was some repetition in the prefixes that the hijackers chose). So announcing a prefix that is on that list is not a good sign (indeed far from it) -- but don't expect a "new" hijacker to only choose from that list or indeed to pick any prefixes from that list at all.

--
Dr Richard Clayton <richard.clayton@cl.cam.ac.uk>
Director, Cambridge Cybercrime Centre                mobile: +44 (0)7887 794090
Computer Laboratory, University of Cambridge, CB3 0FD   tel: +44 (0)1223 763570
In article <k6GaYeBxPMxfFAZo@highwayman.com>, Richard Clayton <richard@highwayman.com> wrote:
Only a few of them are listed on https://www.spamhaus.org/drop/
So announcing a prefix that is on that list is not a good sign (indeed far from it) -- but don't expect a "new" hijacker to only choose from that list or indeed to pick any prefixes from that list at all.
Spamhaus have very conservative criteria for their DROP list, so it's not surprising that you wouldn't immediately find all those hijacked blocks on it. On the other hand, they update it frequently and I see they added a bunch of new blocks to it today.
On Mon 30/Nov/2020 22:56:22 +0100 John Levine wrote:
Spamhaus have very conservative criteria for their DROP list, so it's not surprising that you wouldn't immediately find all those hijacked blocks on it. On the other hand, they update it frequently and I see they added a bunch of new blocks to it today.
Indeed. As I have the command still in bash's history, matches increased from 5 to 17, nearly one half of Ronald's post:

199.84.16.0 -> spamhaus-drop/drop.txt:199.84.16.0/20 ; SBL503515
199.185.144.0 -> spamhaus-drop/drop.txt:199.185.144.0/20 ; SBL503521
68.66.48.0 -> spamhaus-drop/drop.txt:68.66.48.0/20 ; SBL502548
207.70.224.0 -> spamhaus-drop/drop.txt:207.70.224.0/20 ; SBL503527
207.228.192.0 -> spamhaus-drop/drop.txt:207.228.192.0/20 ; SBL503528
96.45.144.0 -> spamhaus-drop/drop.txt:96.45.144.0/20 ; SBL502550
204.44.208.0 -> spamhaus-drop/drop.txt:204.44.208.0/20 ; SBL503530
204.156.192.0 -> spamhaus-drop/drop.txt:204.156.192.0/20 ; SBL503537
69.8.64.0 -> spamhaus-drop/drop.txt:69.8.64.0/20 ; SBL502549
69.8.96.0 -> spamhaus-drop/drop.txt:69.8.96.0/20 ; SBL503524
206.125.16.0 -> spamhaus-drop/drop.txt:206.125.16.0/20 ; SBL503526
64.92.224.0 -> spamhaus-drop/drop.txt:64.92.224.0/20 ; SBL503523
204.147.96.0 -> spamhaus-drop/drop.txt:204.147.96.0/20 ; SBL503525
24.137.16.0 -> spamhaus-drop/drop.txt:24.137.16.0/20 ; SBL502541
204.128.32.0 -> spamhaus-drop/drop.txt:204.128.32.0/20 ; SBL503533
199.73.64.0 -> spamhaus-drop/drop.txt:199.73.64.0/20 ; SBL502551
104.156.144.0 -> spamhaus-drop/drop.txt:104.156.144.0/20 ; SBL503516

Best
Ale

--
Amongst the greatest mysteries of the shady underbelly of the internet: how to pronounce "Guilmette"
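The grep Alessandro ran against drop.txt, generalised into a small offline check. This is an added example, not code posted by anyone in the thread: it parses DROP-format lines and, for each prefix from Ronald's table, reports the DROP entry that lists it exactly or covers it as a less specific, so a /24 announced out of a listed /20 is still flagged (a plain grep for the /24 string would miss that). The DROP excerpt below is constructed for the example from entries quoted above; fetch the real drop.txt from the Spamhaus URL given in the thread before relying on results.

```python
"""Check IPv4 prefixes against a Spamhaus DROP-format list, offline.

DROP lines have the form "68.66.48.0/20 ; SBL502548"; lines starting with
';' are comments.  A prefix is flagged when DROP carries it exactly or
carries a less-specific prefix that covers it, so a /24 announced out of a
listed /20 is still caught.
"""
import ipaddress

# Constructed excerpt in DROP file format for this example, using entries
# quoted in the thread.  Fetch the real drop.txt before relying on results.
SAMPLE_DROP = """\
; Spamhaus DROP List (constructed excerpt)
68.66.48.0/20 ; SBL502548
96.45.144.0/20 ; SBL502550
69.8.64.0/20 ; SBL502549
24.137.16.0/20 ; SBL502541
199.73.64.0/20 ; SBL502551
"""

# A few prefixes taken from Ronald's table above.
THREAD_PREFIXES = [
    "199.84.16.0/20",    # ARENAC
    "68.66.48.0/20",     # NINS-1
    "96.45.144.0/20",    # EVANS-25
    "202.89.208.0/24",   # IRT-DNK-ID
    "24.137.16.0/20",    # PLCA
]


def parse_drop(text):
    """Return [(network, sbl_ref)] from DROP-format text, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        prefix, _, ref = line.partition(";")
        net = ipaddress.ip_network(prefix.strip(), strict=True)
        entries.append((net, ref.strip()))
    return entries


def drop_matches(prefixes, drop_text):
    """Map each prefix to the (drop_prefix, sbl_ref) that equals or covers it.

    Prefixes not listed, directly or via a covering entry, map to None.
    """
    entries = parse_drop(drop_text)
    hits = {}
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=True)
        hits[p] = None
        for dnet, ref in entries:
            # subnet_of() raises on mixed IP versions, so compare versions first.
            if net.version == dnet.version and net.subnet_of(dnet):
                hits[p] = (str(dnet), ref)
                break
    return hits


if __name__ == "__main__":
    for prefix, hit in drop_matches(THREAD_PREFIXES, SAMPLE_DROP).items():
        if hit:
            print(f"{prefix:18} listed via {hit[0]} ; {hit[1]}")
        else:
            print(f"{prefix:18} not in DROP")
```

Run it with the real file by reading drop.txt into `drop_text` in place of `SAMPLE_DROP`. A miss means only that Spamhaus has not (yet) listed the block, as Richard and John point out above; it says nothing about whether the announcement is legitimate.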
Amongst the greatest mysteries of the shady underbelly of the internet: how to pronounce "Guilmette"
speaking of anti-abuse; back in the '80s we agreed that making fun of others' typos, misspellings, personal names, etc. was impolite. randy
In message <m2im9mpap8.wl-randy@psg.com>, Randy Bush <randy@psg.com> wrote:
Amongst the greatest mysteries of the shady underbelly of the internet: how to pronounce "Guilmette"
speaking of anti-abuse; back in the '80s we agreed that making fun of others' typos, misspellings, personal names, etc. was impolite.
I do not believe the original poster was making fun of my name, and I likely would not take exception even if the OP had done so. There have certainly been far more scurrilous and disturbing things said about me personally, on various mailing lists, so I am somewhat inoculated against taking too much offense nowadays about virtually anything personal. If one is fortunate to live long enough, one develops a thick skin. Regards, rfg
Ronald,

I'm glad you aren't offended/upset, but I agree with Randy's interpretation, especially as the initial email added no light/signal to the conversation at all. Despite what may be believed the Co-Chairs don't like putting people in moderation, but we will if we have to.

However I suspect that X-posting to a list like apnic-talk may not be the wisest idea, given the different populations etc, and I suspect that's what led to the other exclamation of surprise. I'm not saying information should be hidden, but perhaps two separate emails might be, sadly, needed?

Thanks,

Brian
Co-Chair, RIPE AA-WG

Brian Nisbet
Service Operations Manager
HEAnet CLG, Ireland's National Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland
+35316609040 brian.nisbet@heanet.ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270
In message <DB7PR06MB501791137C12E71EA525C7DD94F40@DB7PR06MB5017.eurprd06.prod. outlook.com>, Brian Nisbet <brian.nisbet@heanet.ie> wrote:
However I suspect that X-posting to a list like apnic-talk may not be the wisest idea, given the different populations etc...
It is among my fondest hopes that cybercriminals of all stripes, and particularly the ones who squat on IPv4 space that doesn't belong to them, will, in future, show more respect for regional boundaries, such that their devious activities will only oblige me to notify the members of a single one of the five RIR regions regarding any single one of these elaborate criminal schemes. Alas, in this instance however, the perpetrators, in a very unsportsmanlike manner, elected to make messes whose roots were found in both the RIPE region and also in the APNIC region. (And that's not even to mention that most of the squatted IPv4 real estate was and is under the administration of the ARIN region.) Clearly, authorities in all five regions should be devoting somewhat more effort towards the cultivation of a better and more respectful class of cybercriminals who will confine their convoluted schemes to their own home regions. Regards, rfg
First of: Congrats and thank you Ronald for this work.

What makes me a bit sad is that posting this here immediately starts a discussion about what is expected behavior on these lists, rather than how we could combat abuse more efficiently. It seems a seemingly, to me at least, humorous remark sparks more discussion than the troubling fact that criminals have the time of their lives during this period of time.

I'm all in favor of staying civil on public fora. But nothing in the original post was not civil. I am wondering what we want to achieve here on the anti-abuse list? Call me stupid, but I just don't get it.

Best
Serge

--
Dr. Serge Droz
Chair of the FIRST Board of Directors
https://www.first.org
Folks,

I should be clear here, the Co-Chairs have no objection to the first post, nothing at all. Personally I'm happy for misbehaviour to be called out, while obviously ensuring that people aren't unfairly tarred with bad brushes.

My comments about the apnic-talk address were that I wasn't sure if that list was used to the kind of content, and I was worried that it might not get Ronald's message where it would be best for it to go. However I'm not sure (without looking it up) what the best reporting mechanisms for APNIC members are. My comments there were advisory, nothing more.

I too would love a discussion where we didn't feel like we had to say a word about the civility of posting, trust me! And thankfully we have had quite a few of those!

Brian
Co-Chair, RIPE AA-WG

Brian Nisbet
Service Operations Manager
HEAnet CLG, Ireland's National Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland
+35316609040 brian.nisbet@heanet.ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270
In message <DB7PR06MB50173157978D7621C6C0C11294F30@DB7PR06MB5017.eurprd06.prod.outlook.com>, Brian Nisbet <brian.nisbet@heanet.ie> wrote:
My comments about the apnic-talk address was that I wasn't sure if that list was used to the kind of content, and I was worried that it might not get Ronald's message where it would it best for it to go...
I've looked around and frankly, the pickings, when it comes to APNIC mailing lists, are rather on the lean/sparse side. That region doesn't have an "abuse" working group or mailing list. It does have a "Routing Security" Special Interest Group (SIG) and an associated mailing list for that, and you're right, Brian, that I might have been better off to send my notice there, rather than sending it to apnic-talk, as I did do, but then again it could be argued, albeit a bit tongue-in-cheek, that what I posted had more to do with routing IN-security than it did with routing security, per se.

Not that any of this matters much anyway. As I have been informed several thousand times, none of the RIRs are "the Internet Police" and thus all are utterly powerless to even so much as officially -care- about such matters. But given the general difficulty of finding anybody anywhere who cares about such events/schemes, I confess that I do have a tendency to just shout into the wind and hope that someone somewhere who has the authority to act will see what I have written, will care, and will act.

Regards,
rfg
I'd like to second Serge's sentiment, RFG catches a good deal of abuse for his contributions, which we have all seen on this and other lists. What the continued findings indicate is a need for IANA and the RIRs to adapt to a new stage in the resource issuance and governance lifecycle. Since this is by definition a working group, would it make sense to establish some metrics to quantify the perceived impact of this phenomenon on abuse? If we establish a process to collect these observations of either "abandoned" resources, prefixes or ASNs, which then re-appear mysteriously or in the case of an ASN start routing space that is unexpectedly, "hijack", we can take a step as a community to quantify the phenomenon? Note: This is specifically not an internet policing function as much as a neighborhood watch effort to help inform the governing bodies / policy ... etc. Right now from responses it seems like defacto this weight has been put onto the shoulder of Spamhaus vs. having a working group work on a solution. If this is of interest I'm happy to write up a proposal and or work with the chairs to see if this is something that is seen as constructive. Also if this doesn't fit into the anti-abuse working group ... where does it fit? On Wed, Dec 2, 2020 at 3:12 AM Serge Droz via anti-abuse-wg < anti-abuse-wg@ripe.net> wrote:
First of: Congrats and thank you Ronald for this work.
What makes me a bit sad is, that posting this here immediately starts a discussion about what is expected behavior on these lists, rather than how we could combat abuse more efficiently.
It seems a seemingly, to me at least, humorous remark, sparks more discussion than the troubling fact that criminals have the time of their lives during this period of time.
I'm all in favor of staying civil on public fora. But nothing in the original post was not civil. I am wondering what we want to achieve here on the anti-abuse list? Call me stupid, but I just don't get it.
Best Serge
On 01.12.20 22:48, Ronald F. Guilmette wrote:
In message <DB7PR06MB501791137C12E71EA525C7DD94F40@DB7PR06MB5017.eurprd06.prod.outlook.com>, Brian Nisbet <brian.nisbet@heanet.ie> wrote:
However I suspect that X-posting to a list like apnic-talk may not be the wisest idea, given the different populations etc...
It is among my fondest hopes that cybercriminals of all stripes, and particularly the ones who squat on IPv4 space that doesn't belong to them, will, in future, show more respect for regional boundaries, such that their devious activities will only oblige me to notify the members of a single one of the five RIR regions regarding any single one of these elaborate criminal schemes. Alas, in this instance however, the perpetrators, in a very unsportsmanlike manner, elected to make messes whose roots were found in both the RIPE region and also in the APNIC region. (And that's not even to mention that most of the squatted IPv4 real estate was and is under the administration of the ARIN region.)
Clearly, authorities in all five regions should be devoting somewhat more effort towards the cultivation of a better and more respectful class of cybercriminals who will confine their convoluted schemes to their own home regions.
Regards, rfg
-- Dr. Serge Droz Chair of the FIRST Board of Directors https://www.first.org
+1 – most of the activity on this list has been people from the anti-abuse community coming up with suggestions that the RIPE regulars find unworkable, and then many people spend lots of time pointing out why the proposal is unworkable. So far I have not seen one case of a proposal coming in from the other side on what can be done instead to achieve the goals of the unworkable proposal, but have a chance of working under RIPE policies and procedures.

From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of IP Abuse Research <ipabuseresearch@gmail.com> Date: Wednesday, 2 December 2020 at 7:25 PM To: Serge Droz <serge.droz@first.org> Cc: "anti-abuse-wg@ripe.net" <anti-abuse-wg@ripe.net> Subject: Re: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552
I don’t think it’s simply a matter of two sides, which your language attempts to categorise it as. Some of us refuse to have our processes and businesses dictated to by people who won’t listen to reasonable arguments against their unworkable proposals

-- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ https://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845

From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Suresh Ramasubramanian <ops.lists@gmail.com> Date: Wednesday 2 December 2020 at 14:06 To: IP Abuse Research <ipabuseresearch@gmail.com>, Serge Droz <serge.droz@first.org> Cc: "anti-abuse-wg@ripe.net" <anti-abuse-wg@ripe.net> Subject: Re: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552
Please feel free to come up with workable proposals then 😊 At least that way the conversation stays operational

From: Michele Neylon - Blacknight <michele@blacknight.com> Date: Wednesday, 2 December 2020 at 8:14 PM To: Suresh Ramasubramanian <ops.lists@gmail.com>, IP Abuse Research <ipabuseresearch@gmail.com>, Serge Droz <serge.droz@first.org> Cc: "anti-abuse-wg@ripe.net" <anti-abuse-wg@ripe.net> Subject: Re: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552
In message <CA+E3quJWF96vhbDmfX-taQ-AJaTGNfsV9q5kKLLWnmm1F+1GUw@mail.gmail.com>, IP Abuse Research <ipabuseresearch@gmail.com> wrote:
What the continued findings indicate is a need for IANA and the RIRs to adapt to a new stage in the resource issuance and governance lifecycle. Since this is by definition a working group, would it make sense to establish some metrics to quantify the perceived impact of this phenomenon on abuse?
If we establish a process to collect these observations of either "abandoned" resources, prefixes or ASNs, which then re-appear mysteriously or in the case of an ASN start routing space that is unexpectedly, "hijack", we can take a step as a community to quantify the phenomenon?
This kind of stuff certainly could be done, but this would be a serious research project, requiring some serious manpower expenditure. That's not to say that it would not be worth the investment. I think it would be. But someone or something would have to step up to make the investment.

In the meantime, there is other work, and other steps that would obviously be worthwhile. The first is doing everything possible to try to get RPKI adopted more widely. The second is persuading everyone, certainly including Petersburg Internet, to stop even trying to use any data from RADB. That thing has -zero- security. Any fool can use that at any time to create any route object he/she/it wants.

And speaking of which, I for one would love to know if Petersburg Internet was performing -any- checking on those route announcements it was passing on behalf of its customer in this case. If not, then that right there constitutes some "low hanging fruit" in terms of moving things forward so as to prevent repeats of this kind of situation.

Regards, rfg
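The RPKI point made above, as an added worked example that is not part of the thread and not anyone's posted code: route origin validation per RFC 6811 over a constructed set of Validated ROA Payloads (VRPs). All prefixes and ASNs below are RFC 5737 / RFC 5398 documentation values, not real ROAs and not the squatted blocks from the table. It shows what an ROV-enabled router would do with the two kinds of announcement in this incident, a prefix announced by an origin AS the holder never authorised, and an announcement more specific than the ROA's maxLength, both of which come back Invalid. It also shows the caveat that matters most for legacy space: a prefix with no ROA at all is NotFound, and nearly every ROV deployment still accepts NotFound, so RPKI only protects blocks whose rightful holder has actually signed a ROA.

```python
"""RFC 6811 route origin validation against a constructed set of VRPs.

Added example; the VRPs and announcements are made up (RFC 5737 prefixes,
RFC 5398 ASNs) and stand in for the legitimate holder, the squatter, and
the unsigned legacy block discussed in the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: prefix, maxLength, authorised origin ASN."""
    prefix: IPNetwork
    max_length: int
    asn: int


def covers(vrp: VRP, prefix: IPNetwork) -> bool:
    """A VRP covers a route when the route prefix equals the VRP prefix
    or is a more specific of it (address family must match)."""
    if vrp.prefix.version != prefix.version:
        return False
    return prefix.subnet_of(vrp.prefix)


def validate(prefix: IPNetwork, origin_asn: int, vrps: Iterable[VRP]) -> str:
    """Validation state for one (prefix, origin AS) pair, RFC 6811 section 2.

    Valid    - some covering VRP has this origin ASN and maxLength >= prefixlen.
    Invalid  - covering VRPs exist but none matches (wrong origin, or the
               announcement is more specific than any ROA allows).
    NotFound - no VRP covers the prefix at all.
    """
    covering = [v for v in vrps if covers(v, prefix)]
    if not covering:
        return "NotFound"
    for v in covering:
        # An AS0 ROA (RFC 6483) never matches a real origin, so it makes
        # every announcement of the covered prefix Invalid.
        if v.asn != 0 and v.asn == origin_asn and prefix.prefixlen <= v.max_length:
            return "Valid"
    return "Invalid"


def accept(state: str, drop_invalid: bool = True) -> bool:
    """Typical ROV policy: drop Invalid, carry Valid and NotFound.
    NotFound is accepted because most of the address space, legacy blocks
    especially, still has no ROA; that is exactly the gap a squatter uses."""
    if state == "Invalid":
        return not drop_invalid
    return True


# Constructed sample VRPs. 198.51.100.0/24 deliberately has no ROA, to
# model a legacy block whose holder never signed one.
SAMPLE_VRPS: List[VRP] = [
    VRP(ipaddress.ip_network("203.0.113.0/24"), 24, 64496),
    VRP(ipaddress.ip_network("192.0.2.0/24"), 25, 64497),
    VRP(ipaddress.ip_network("2001:db8::/32"), 48, 64498),
]


def classify(prefix: str, origin_asn: int,
             vrps: Iterable[VRP] = SAMPLE_VRPS) -> str:
    """Convenience wrapper taking the prefix as text."""
    return validate(ipaddress.ip_network(prefix), origin_asn, vrps)


if __name__ == "__main__":
    # Constructed announcements mirroring the scenarios in the thread.
    announcements = [
        ("203.0.113.0/24", 64496),   # legitimate holder
        ("203.0.113.0/24", 64511),   # squatter with the wrong origin AS
        ("192.0.2.0/26", 64497),     # right origin, more specific than maxLength
        ("192.0.2.128/25", 64497),   # right origin, within maxLength
        ("198.51.100.0/24", 64511),  # no ROA at all: ROV cannot help here
        ("2001:db8:1::/48", 64498),
    ]
    for pfx, asn in announcements:
        state = classify(pfx, asn)
        print(f"{pfx:<18} AS{asn:<6} {state:<9} accepted={accept(state)}")
```

Run it as a script to see the table; the unsigned 198.51.100.0/24 line is the one to note, since it is accepted regardless of who announces it. The same evaluation against a real VRP set is what `rpki-client` or Routinator feed to routers via RTR, and it is independent of anything in RADB, which is the point of preferring it over IRR route objects that anyone can register.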
Peace, On Fri, Dec 4, 2020, 12:40 AM Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
The first is doing everything possible to try to get RPKI adopted more widely.
Totally agree.
The second is persuading everyone, certainly including Petersburg Internet, to stop even trying to use any data from RADB. That thing has -zero- security. Any fool can use that at any time to create any route object he/she/it wants.
And as sad as it might sound, this is also true. -- Töma
Peace, On Mon, Nov 30, 2020 at 10:09 AM Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
Please be advised that the set of IPv4 blocks listed below appear to be squatted on at the present time, with the apparent aid and assistance of AS44050 -- "Petersburg Internet Network Ltd." (Russia) and also AS58552 -- "PT Multidata Rancana Prima" (Indonesia).
Please be informed that after a (pretty short) conversation AS44050 is not announcing those prefixes anymore. (removed the routing WG from CC b/c I don't think this belongs there) -- Töma
In message <CALZ3u+ZTVoeYejJx09e7FaHjEEM5AGcmS2DR=YLa43wY7Kb=9w@mail.gmail.com> Töma Gavrichenkov <ximaera@gmail.com> wrote:
On Mon, Nov 30, 2020 at 10:09 AM Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
Please be advised that the set of IPv4 blocks listed below appear to be squatted on at the present time, with the apparent aid and assistance of AS44050 -- "Petersburg Internet Network Ltd." (Russia) and also AS58552 "PT Multidata Rancana Prima" (Indonesia).
Please be informed that after a (pretty short) conversation AS44050 is not announcing those prefixes anymore.
Neither AS44050 nor AS58552 was ever announcing any of the squatted prefixes themselves directly. Rather AS44050 was... for reasons which have yet to be explained... peering with the set of four apparently squatted ASNs which were in turn announcing the various squatted prefixes.

If you are in a position to have one more short conversation with the owners and/or operators of AS44050, Petersburg Internet Network Ltd., then please be so kind as to ask them on my behalf why they were peering with those four different apparently squatted & abandoned ASNs. If, as I suspect, they wish to blame some other party for all of this apparent skulduggery, and if they wish such an excuse to be believable, then at the very least they should be willing to identify whatever other party they would like to shift the blame to.

Not that any of their lame excuses will be too awfully believable in any event. The name "Petersburg Internet" has come up, time and time again, in relation to online skulduggery and malfeasance. And not just among the anti-abuse people that I hang out with. I just now did a search on the web site of journalist Brian Krebs for the name "Petersburg Internet" and found no fewer than 19 different stories, written by Krebs, that featured this network, in some supporting role or another... and not in any good way.

https://krebsonsecurity.com/page/2/?s=Petersburg+Internet&x=0&y=0

(Full disclosure: I have direct personal knowledge of, and had direct participation in the development of some, but certainly not all of those Krebs stories.)

Regards, rfg
Peace, On Wed, Dec 2, 2020 at 1:53 AM Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
Please be advised that the set of IPv4 blocks listed below appear to be squatted on at the present time, with the apparent aid and assistance of AS44050 -- "Petersburg Internet Network Ltd." (Russia) and also AS58552 "PT Multidata Rancana Prima" (Indonesia).
Please be informed that after a (pretty short) conversation AS44050 is not announcing those prefixes anymore.
Neither AS44050 nor AS58552 was never announcing any of the squatted prefixes themselves directly. Rather AS44050 was... for reasons which have yet to be explained... peering with the set of four apparently squatted ASNs
Yes, this is understood. There's no peering anymore. See e.g.: https://radar.qrator.net/as24199/providers#startDate=2020-08-30&endDate=2020-11-30&tab=current
If you are in a position to have one more short conversation with the owners and/or operators of AS44050, Petersburg Internet Network Ltd., then please be so kind as to ask them on my behalf why they were peering with those four different apparently squatted & abandoned ASNs.
I don't think I'm anywhere close to a position where I can ask them questions like that.
The name "Petersburg Internet" has come up, time and time again, in relation to online skulduggery and malfesance. [..] https://krebsonsecurity.com/page/2/?s=Petersburg+Internet&x=0&y=0
This search yields all the results containing "petersburg" OR "internet". There's no doubt there would be many in this case.

AS44050 is basically the SOHO provider for the St. Petersburg Internet Exchange. St. Petersburg's population is slightly below 5 million people, not counting satellite cities and suburbs (which, if counted, would contribute another 2 million I think), and the city has quite got a reputation for hidden criminal activity. It's Chicago-style if you will. Surely there are also quite a few criminals in one of the largest ISP networks of the city.

To put it into some shape for your understanding: I think the likes of Centu, ah sorry, Lumen or Comcast would've got a reputation very close to what PIN has got in your eyes if not for their location close to you in the United States. E.g. Lumen has allowed a route leak incident on their network quite recently; and there's no doubt they won't vouch for every customer of theirs. -- Töma
Peace, On Wed, Dec 2, 2020 at 12:42 PM Töma Gavrichenkov <ximaera@gmail.com> wrote:
AS44050 is basically the SOHO provider for the St. Petersburg Internet Exchange. St. Petersburg's population is slightly below 5 million people, not counting satellite cities and suburbs (which, if counted, would contribute another 2 million I think), and the city has quite got a reputation for hidden criminal activity. It's Chicago-style if you will. Surely there are also quite a few criminals in one of the largest ISP networks of the city.
To avoid blatant misunderstanding and inappropriate jokes: that's a few criminals AS CUSTOMERS of the largest SOHO ISP network of the city. There's no reason at this point to suspect intentional harm from the employees. -- Töma
In message <CALZ3u+YfXHHtwZjSkndF=8H=1cz-m2cyCkAYVubKtbTHMR8RZw@mail.gmail.com> Töma Gavrichenkov <ximaera@gmail.com> wrote:
On Wed, Dec 2, 2020 at 12:42 PM Töma Gavrichenkov <ximaera@gmail.com> wrote:
AS44050 is basically the SOHO provider for the St. Petersburg Internet Exchange. St. Petersburg's population is slightly below 5 million people, not counting satellite cities and suburbs (which, if counted, would contribute another 2 million I think), and the city has quite got a reputation for hidden criminal activity. It's Chicago-style if you will. Surely there are also quite a few criminals in one of the largest ISP networks of the city.
To avoid blatant misunderstanding and inappropriate jokes: that's a few criminals AS CUSTOMERS of the largest SOHO ISP network of the city.
I, for one, am not offended. We do indeed have plenty of our own criminals right here in the U.S. of A., including in Chicago, and that includes cybercriminals.
There's no reason at this point to suspect intentional harm from the employees.
OK, who then? Someone is responsible, even if no one wishes to take responsibility. Those several bogus route announcements did not create themselves. And this shouldn't be a hard question to get an answer to. The fact that it is, for some unexplained reason, is indicative of just how far trust & cooperation in the "Internet community" have deteriorated, to the point where they are nothing more than the butts of jokes.

Regards, rfg
In message <CALZ3u+aah7xMfoTV6P2H9PGaVkNk9uJ0LA96PRiJ7cyr4ERuHg@mail.gmail.com>, Töma Gavrichenkov <ximaera@gmail.com> wrote:
Neither AS44050 nor AS58552 was ever announcing any of the squatted prefixes themselves directly. Rather AS44050 was... for reasons which have yet to be explained... peering with the set of four apparently squatted ASNs
Yes, this is understood. There's no peering anymore. See e.g.:
Very good. I have confirmed.
If you are in a position to have one more short conversation with the owners and/or operators of AS44050, Petersburg Internet Network Ltd., then please be so kind as to ask them on my behalf why they were peering with those four different apparently squatted & abandoned ASNs.
I don't think I'm anywhere close to a position where I can ask them questions like that.
OK. Just give me the contact information that was used to have this previous "brief conversation" with them, and I will ask them myself. See, I'm not like most folks who just shrug and move on after an incident like this. I sort of like to find out what really happened, why, and who is actually responsible. Either Petersburg Internet Network did this themselves, or else *somebody* was paying them a *lot* of money to get them to provide peering & transit to all of these bogus squatted ASNs.
The name "Petersburg Internet" has come up, time and time again, in relation to online skulduggery and malfeasance. [..] https://krebsonsecurity.com/page/2/?s=Petersburg+Internet&x=0&y=0
This search yields all the results containing "petersburg" OR "internet". There's no doubt there would be many in this case.
That's actually not correct, but it turns out that we were both half right and both half wrong about Brian Krebs' web site search function. I looked into this, and it now appears that if you search for "Petersburg Internet" on Brian's site, you *do not* get the results for "Petersburg OR Internet" and you also *do not* get results for "Petersburg AND Internet". In fact, it looks like the search function just ignores the second word entirely, so the search is effectively for just "Petersburg".

In any case, you may wish to have a look at the following article in which the company *is* mentioned, and not in any good way:

https://krebsonsecurity.com/2016/07/carbanak-gang-tied-to-russian-security-f...

I would also recommend perusing page 28 of the following expert witness statement, which relates to botnet command & control servers:

http://cdn.cnn.com/cnn/2019/images/03/15/xbt.doc.248.2.pdf

See also page 5 of this academic paper about automated Internet attacks:

https://grehack.fr/data/2017/slides/GreHack17_Automation_Attacks_at_Scale_pa...
AS44050 is basically the SOHO provider for the St. Petersburg Internet Exchange. St. Petersburg's population is slightly below 5 million people, not counting satellite cities and suburbs (which, if counted, would contribute another 2 millions I think), and the city has quite got a reputation for hidden criminal activity. It's Chicago-style if you will. Surely there are also quite a few criminals in one of the largest ISP networks of the city.
Yes, but if any of -our- criminals attack people or businesses located in other countries, we will allow them to be extradited to those other countries to face trial. Your country, I am sad to say, instead protects online miscreants, and ensures that they never have to face justice. You know that, I know that, everybody who knows even the first thing about online cybercrime knows that. It's not exactly a secret.

Regards, rfg
Peace, On Thu, Dec 3, 2020, 1:48 PM Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
Yes, but if any of -our- criminals attack people or businesses located in other countries, we will allow them to be extradited to those other countries to face trial.
This is slowly sliding into the territory of off-topic, but you're not exactly correct here. https://en.m.wikipedia.org/wiki/List_of_United_States_extradition_treaties -- Töma
participants (14)
- Alessandro Vesely
- Brian Nisbet
- Eileen Morris-Ross
- Hans-Martin Mosner
- IP Abuse Research
- John Levine
- Michele Neylon - Blacknight
- PP
- Randy Bush
- Richard Clayton
- Ronald F. Guilmette
- Serge Droz
- Suresh Ramasubramanian
- Töma Gavrichenkov