AS200439 (LLC Stadis) hijacking IP space
Just in case someone is not aware of this and is interested, AS200439 is actively engaged in announcing unallocated APNIC IP ranges and using them to pump out spam.

Excerpt from http://bgp.he.net/AS200439#_bogons :

Bogon Prefixes

 #  Prefix             Type
 1  103.9.132.0/22     unallocated
 2  103.10.44.0/22     unallocated
 3  103.10.172.0/22    unallocated
 4  103.10.236.0/22    unallocated
 5  103.11.0.0/22      unallocated
 6  103.20.68.0/22     unallocated
 7  103.21.8.0/22      unallocated
 8  103.21.236.0/22    unallocated
 9  103.22.140.0/22    unallocated
10  103.22.204.0/22    unallocated
11  103.22.244.0/22    unallocated
12  103.23.204.0/22    unallocated
13  103.25.120.0/22    unallocated
14  103.26.76.0/22     unallocated
15  160.19.228.0/22    unallocated
16  160.20.16.0/22     unallocated
17  160.20.36.0/22     unallocated
18  160.20.76.0/22     unallocated
19  160.20.104.0/22    unallocated
20  163.227.216.0/22   unallocated
21  203.148.88.0/22    unallocated
22  203.160.132.0/22   unallocated
23  203.176.124.0/22   unallocated
24  203.189.248.0/22   unallocated
25  203.189.252.0/22   unallocated
26  203.190.32.0/22    unallocated
27  203.212.28.0/22    unallocated
28  203.217.164.0/22   unallocated
29  220.247.132.0/22   unallocated
30  223.25.252.0/22    unallocated

These gentlemen appear to be a relatively new LIR, less than 4 months old.

Without doubt the activity is some terrible mistake caused by a young sysop that will be fired on the spot, but the possibility that their BGP equipment has been hacked or had a virus inside should obviously also be considered.

aut-num:         AS200439
as-name:         STADIS-LLC-AS
descr:           LLC Stadis
org:             ORG-LS213-RIPE
sponsoring-org:  ORG-TL122-RIPE
import:          from AS35297 accept ANY
export:          to AS35297 announce AS200439
import:          from AS12695 accept ANY
export:          to AS12695 announce AS200439
admin-c:         SO3128-RIPE
import:          from AS58271 accept ANY
export:          to AS58271 announce AS200439
tech-c:          SO3128-RIPE
remarks:         For information on "status:" attribute read https://www.ripe.net/data-tools/db/faq/faq-status-values-legacy-resources
status:          ASSIGNED
mnt-by:          RIPE-NCC-END-MNT
mnt-by:          STADIS-MNT
mnt-routes:      STADIS-MNT
created:         2015-07-03T08:34:46Z
last-modified:   2015-07-20T17:23:57Z
source:          RIPE # Filtered

organisation:    ORG-LS213-RIPE
org-name:        LLC Stadis
org-type:        OTHER
address:         Russia, Ekaterinburg, str. A.Valeka 13, office 401
mnt-ref:         STADIS-MNT
mnt-by:          STADIS-MNT
created:         2015-07-01T11:18:09Z
last-modified:   2015-07-01T11:18:09Z
source:          RIPE # Filtered

furio
What does their upstream say?

On Thu, Oct 29, 2015 at 12:53 PM, furio ercolessi <furio+as@spin.it> wrote:
Just in case someone is not aware of this and is interested, AS200439 is actively engaged in announcing unallocated APNIC IP ranges and using them to pump out spam.
[...]
--
Kind regards,
Lu
Has anyone tried to contact them directly?

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
http://www.blacknight.host/
http://blog.blacknight.com/
http://ceo.hosting/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, Ireland
Company No.: 370845

On 29/10/2015, 11:53 a.m., "anti-abuse-wg on behalf of furio ercolessi" <anti-abuse-wg-bounces@ripe.net on behalf of furio+as@spin.it> wrote:
Just in case someone is not aware of this and is interested, AS200439 is actively engaged in announcing unallocated APNIC IP ranges and using them to pump out spam.
[...]
How can they create route objects?

route:           103.9.132.0/22
descr:           LLC Stadis
origin:          AS200439
mnt-by:          STADIS-MNT
created:         2015-10-13T16:14:01Z
last-modified:   2015-10-13T16:14:01Z
source:          RIPE

route:           103.10.44.0/22
descr:           LLC Stadis
origin:          AS200439
mnt-by:          STADIS-MNT
created:         2015-10-13T16:14:36Z
last-modified:   2015-10-13T16:14:36Z
source:          RIPE

Is it possible for anyone in APNIC?

Cheers,
Daniel

On Thu, 29 Oct 2015, furio ercolessi wrote:
Just in case someone is not aware of this and is interested, AS200439 is actively engaged in announcing unallocated APNIC IP ranges and using them to pump out spam.
[...]
_________________________________________________________________________________
Daniel Stolpe           Tel: 08 - 688 11 81            stolpe@resilans.se
Resilans AB             Fax: 08 - 55 00 21 63       http://www.resilans.se/
Box 45 094                                                   556741-1193
104 30 Stockholm
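The route objects Daniel quotes point AS200439 at space that the RIR delegation statistics list as unallocated. The check below is an added example, not code from the thread or from any participant: it parses RPSL route objects in the form quoted above and cross-references each prefix against lines in the RIR delegated-extended statistics format (registry|cc|type|start|value|date|status), flagging any route object that overlaps a block whose status is "available" or "reserved". The delegated-extended lines embedded here are constructed sample input in that format, not a copy of APNIC's published file; the third route object (193.0.0.0/21, AS64496, EXAMPLE-MNT) is a hypothetical control that should not be flagged.

```python
"""Flag RPSL route objects whose prefix overlaps address space that an RIR's
delegated-extended statistics file lists as unallocated.

All sample data below is constructed so the script runs offline; the
delegated-extended lines are assumptions in the real file's format, not a
copy of any RIR's records.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Two route objects as quoted in the thread, plus one hypothetical control
# object (AS64496 / EXAMPLE-MNT are reserved-for-documentation placeholders)
# for assigned space that must NOT be flagged.
ROUTE_OBJECTS = """\
route:          103.9.132.0/22
descr:          LLC Stadis
origin:         AS200439
mnt-by:         STADIS-MNT
source:         RIPE

route:          103.10.44.0/22
descr:          LLC Stadis
origin:         AS200439
mnt-by:         STADIS-MNT
source:         RIPE

route:          193.0.0.0/21
descr:          hypothetical control object
origin:         AS64496
mnt-by:         EXAMPLE-MNT
source:         RIPE
"""

# Constructed lines in delegated-extended format
# (registry|cc|type|start|value|date|status). For ipv4 the value field is a
# host count. Illustrative only; not real APNIC or RIPE NCC data.
DELEGATED_EXTENDED = """\
apnic|*|ipv4|103.9.128.0|1024|20110112|allocated
apnic|*|ipv4|103.9.132.0|1024||available
apnic|*|ipv4|103.10.44.0|1024||available
apnic|*|ipv4|160.20.0.0|65536||reserved
ripencc|NL|ipv4|193.0.0.0|2048|19930901|assigned
"""

UNALLOCATED = {"available", "reserved"}


def parse_route_objects(text: str) -> List[Tuple[ipaddress.IPv4Network, str]]:
    """Return (prefix, origin AS) for every 'route:' object in RPSL text."""
    objs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs: Dict[str, str] = {}
        for line in block.splitlines():
            key, _, val = line.partition(":")
            attrs.setdefault(key.strip(), val.strip())  # first value wins
        if "route" in attrs:
            objs.append((ipaddress.ip_network(attrs["route"]), attrs.get("origin", "")))
    return objs


def parse_delegated(text: str) -> List[Tuple[ipaddress.IPv4Network, str]]:
    """Expand delegated-extended ipv4 records into (network, status) pairs.

    The ipv4 value is a host count that need not be a power of two, so each
    record is split into CIDR blocks with summarize_address_range.
    """
    recs = []
    for line in text.strip().splitlines():
        fields = line.split("|")
        if len(fields) < 7 or fields[2] != "ipv4":
            continue
        start = ipaddress.ip_address(fields[3])
        end = start + int(fields[4]) - 1
        for net in ipaddress.summarize_address_range(start, end):
            recs.append((net, fields[6]))
    return recs


def unallocated_routes(route_text: str, delegated_text: str) -> List[Tuple[str, str, str]]:
    """Return [(prefix, origin, status)] for route objects that overlap
    unallocated space. Overlap rather than containment is tested, so a
    prefix straddling an allocated and an available block is still reported.
    """
    delegated = parse_delegated(delegated_text)
    hits = []
    for prefix, origin in parse_route_objects(route_text):
        for net, status in delegated:
            if status in UNALLOCATED and prefix.overlaps(net):
                hits.append((str(prefix), origin, status))
                break
    return hits


if __name__ == "__main__":
    for prefix, origin, status in unallocated_routes(ROUTE_OBJECTS, DELEGATED_EXTENDED):
        print(f"{prefix} origin {origin}: registry status {status}")
```

Against the real files, the same logic takes a full RIPE Database route dump and the current APNIC delegated-extended file as the two inputs; a route object for a prefix the registry still marks "available" is exactly the condition the thread is about, regardless of which RIR's database the object was created in.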
In message <20151029115334.GA3155@allog.giato>, furio ercolessi <furio+as@spin.it> wrote:
Just in case someone is not aware of this and is interested, AS200439 is actively engaged in announcing unallocated APNIC IP ranges and using them to pump out spam.
Interestingly, it would appear that the upstream AS is announcing bogons also:

http://bgp.he.net/AS204223

This is a bit more than a coincidence, I think.

Regards,
rfg
In message <48863.1446236786@server1.tristatelogic.com>, I wrote:
In message <20151029115334.GA3155@allog.giato>, furio ercolessi <furio+as@spin.it> wrote:
Just in case someone is not aware of this and is interested, AS200439 is actively engaged in announcing unallocated APNIC IP ranges and using them to pump out spam.
Interestingly, it would appear that the upstream AS is announcing bogons also:
This is a bit more than a coincidence, I think.
Ummm... WOW! This gets more interesting by the minute.

Checking with the nice RIPE routing history tool on the base address of one of the bogon ranges currently announced by AS204223, i.e. 165.101.64.0/19, it would appear that this exact same bogon route was also announced... perhaps only briefly... by a different AS, i.e. AS204224, on or about 2015-09-14.

According to RIPE WHOIS records it would appear that AS204223 and AS204224 were created on the same day, within 7 minutes of each other (2015-07-23T10:43:55Z, 2015-07-23T10:50:23Z).

At present, bgp.he.net is showing AS204224 (CJSC Mashzavod-Marketing-Servis) as announcing the following four /19 bogons, all from APNIC address space:

165.101.96.0/19
202.61.64.0/19
202.66.160.0/19
202.136.64.0/19

This bears further scrutiny.

Regards,
rfg

P.S. Oh well! Nothing to worry about. Mashzavod Marketing Servis Private Joint Stock Company is categorized as being in the "farm supply" business:

https://www.businessvibes.com/companyprofile/Mashzavod-Marketing-Servis-Priv...
In message <49289.1446238946@server1.tristatelogic.com>, I wrote:
P.S. Oh well! Nothing to worry about. Mashzavod Marketing Servis Private Joint Stock Company is categorized as being in the "farm supply" business:
https://www.businessvibes.com/companyprofile/Mashzavod-Marketing-Servis-Priv...
I was wrong. Apparently Joint Stock Company Mashzavod-Marketing-Service, founded in 1999, is a supplier of "spare parts and component assemblies... for the oil and gas industry.":

https://translate.google.com/translate?hl=en&sl=ru&u=http://www.zaomms.ru/index.php&prev=search

One wonders why a 16 year old oil & gas parts supplier company would suddenly decide, on July 23rd of this year, to register its own RIPE AS (AS204224) _and_ then to promptly begin hijacking multiple APNIC /19 bogons. Branching out perhaps?

Regards,
rfg

P.S. The phone number in the WHOIS record for AS204224 checks out. It appears that it does (or did) belong to the aforementioned oil & gas parts supplier company:

https://translate.google.com/translate?hl=en&sl=ru&u=http://b2binform.ru/c/1281167.html&prev=search
participants (5)

- Daniel Stolpe
- furio ercolessi
- Lu Heng
- Michele Neylon - Blacknight
- Ronald F. Guilmette