[lacnog] The Great AFRINIC Heist -- The Enablers

Fernando Frediani fhfrediani at gmail.com
Thu Jan 30 16:35:56 GMT+3 2020


Hello Ronald.

Thanks for your valuable work being done in this area. In my view this 
investigation has been a remarkable effort in trying to fix these things 
being done by greedy and dishonest people.

Agree about trying to contact Transit providers to stop routing these 
prefixes. The only thing to be careful about is how it is done: never 
mark them as some kind of 'dirty' prefixes, so it doesn't harm the 
future users of these prefixes. I will review the full list and see if I 
have contacts at any of those NOCs in order to try to get the message 
delivered.

Two things I wanted to ask:

- Of the Tier 1s, how many are already confirmed to have stopped 
routing these prefixes?
- I have checked some of the prefixes that are in that list in some of 
the known IRRs and in fact they are still there. Has contact been 
attempted with them to clean up that information from there, and what 
was their response?

Regards
Fernando

On 30/01/2020 02:48, Ronald F. Guilmette wrote:
> By now I hope that you all have read about or heard about the events
> in the AFRINIC region relating to the apparent theft, by an AFRINIC
> insider, of a large quantity of valuable IPv4 address space, consisting
> both of space that was stolen from the AFRINIC free pool and also a
> good deal of space that was stolen from various AFRINIC region legacy
> block registrants.  For the benefit of those of you who may have missed
> this news, please allow me to share the following links to relevant
> press reports:
>
> https://mybroadband.co.za/news/internet/330379-how-internet-resources-worth-r800-million-were-stolen-and-sold-on-the-black-market.html
>
> https://krebsonsecurity.com/2019/12/the-great-50m-african-ip-address-heist/
>
> https://www.theregister.co.uk/2019/12/17/another_afrinic_scandal/
>
> https://mybroadband.co.za/news/security/335226-here-are-the-police-charges-filed-in-the-great-african-ip-address-heist.html
>
> As the primary investigator pursuing this case, I have invested more
> than a little effort into continuing to track what has been going
> on as AFRINIC attempts to remediate the effects of these thefts.
> I would like now to provide you all with some insight into the current
> situation and status relating to the affected stolen AFRINIC blocks
> and the multiple parties in your own region who are continuing, at
> present, to provide routing to the various bits and pieces of the
> stolen AFRINIC IPv4 space.
>
> My hope, of course, is that you will all join with me in trying to
> persuade these networks to cease all routing to all of the stolen
> AFRINIC address space.
>
> A full list of all of the stolen AFRINIC blocks that are still of
> ongoing concern at the present moment is available here:
>
>      https://pastebin.com/raw/71zNNriB
>
> Note that many of the blocks listed at the link above have already
> been "reclaimed" as far as the AFRINIC WHOIS records are concerned.
> But because routing remains almost entirely decoupled from RIR WHOIS
> data bases, much of this "reclaimed" space is still being routed as
> I write this.  The only difference is that now the space is being
> routed as bogons, rather than as "legitimately" allocated space.
>
> A summary of all of the current routing for all of the stolen AFRINIC
> IPv4 address space that is still of concern (including routing for
> recently reclaimed address space that AFRINIC will eventually be
> returning to its free pool) is provided below.  This list is sorted
> by the number of constituent stolen /24 blocks being routed by each
> listed network, thus showing the most major offenders at the top.
> A few footnotes concerning specific ASNs in this list follow below
> the listing.
>
> I urge everyone on this mailing list to share this data as widely as
> possible in and among the global networking community.  In all cases
> noted below, the networks in question are unambiguously routing IP
> blocks that were obtained, in the first instance, via thefts perpetrated
> by one or more AFRINIC insiders and then resold on the black market
> in secretive deals.  In many and perhaps most cases listed below, the
> relevant networks appear to have been more than happy to accept some
> cash in exchange for their services, while not looking all that
> carefully at the purported (but fraudulent) "LOA" documents that they
> were given in order to persuade them to announce routes to stolen IP
> space.  (Repeated use of blatantly fraudulent documents has been one
> of the consistent features of this entire ongoing criminal enterprise.)
>
> I would also like to request the assistance of every person on this
> mailing list in the task of informing all of the networks that are
> mentioned in the list below, and that are within your own geographic
> region, that they are each currently announcing routes to stolen IP
> space.  Of course, it is my hope that you will also encourage them,
> in no uncertain terms, to stop doing this immediately, if not sooner.
>
> As you can see below, this Internet crime spree is a globe-spanning
> and ongoing disaster.  There is no way that I can get all of this
> mess cleaned up on my own.  I am therefore relying on all people of
> honesty and good will, in all regions, to assist me in getting the
> word to the networks mentioned below, and telling them, very directly,
> that they are each facilitating a colossal fraud that affects the
> whole of the global Internet community.  (I know for a fact that
> there is ongoing criminal activity which is being perpetrated from
> at least some of this provably stolen IP address space, so it is in
> the self interest of every honest netizen to get this all turned
> off and shut down.)
>
> All routing data is derived from current data published by RIPEstat.
>
> ======================================================================
>    3719  0       ??  UNROUTED IP SPACE
>     629  132165  PK  Connect Communication
>     512  18013   HK  Asline Limited
>     504  19969   US  Joe's Datacenter, LLC
>     500  62355   CO  Network Dedicated SAS
>     423  202425  SC  IP Volume inc
>     286  58895   PK  Ebone Network (PVT.) Limited
>     250  136525  PK  Wancom (Pvt) Ltd.
>     192  18530   US  Isomedia, Inc.
>     186  9009    GB  M247 Ltd
>     134  262287  BR  Maxihost LTDA
>     132  204655  NL  Novogara LTD
>      79  132116  IN  Ani Network Pvt Ltd
>      75  136384  PK  Optix Pakistan (Pvt.) Limited
>      68  132422  HK  Hong Kong Business Telecom Limited
>      60  137443  HK  Anchnet Asia Limited
>      48  63956   AU  Colocation Australia Pty Ltd
>      26  132335  IN  LeapSwitch Networks Pvt Ltd
>      21  131284  AF  Etisalat Afghan
>      20  139043  PK  WellNetworks (Private) Limited
>      19  43092   JP  OSOA Corporation., LTD
>      17  36351   US  SoftLayer Technologies Inc.
>      16  56611   NL  REBA Communications BV
>      16  199267  IL  Netstyle A. Ltd
>      16  23679   ID  Media Antar Nusa PT.
>      14  137085  IN  Nixi
>      10  63018   US  Dedicated.com
>       9  136782  JP  Pingtan Hotline Co., Limited
>       8  45671   AU  Servers Australia Pty. Ltd
>       8  57717   NL  FiberXpress BV
>       7  49335   RU  LLC "Server v arendy"
>       7  134451  SG  NewMedia Express Pte Ltd
>       6  49367   IT  Seflow S.N.C. Di Marco Brame' & C.
>       6  26754   ??  {{unknown organization}}
>       5  198504  AE  Star Satellite Communications Company - PJSC
>       5  198381  AE  Star Satellite Communications Company - PJSC
>       4  38001   SG  NewMedia Express Pte Ltd
>       4  263812  AR  TL Group SRL ( IPXON Networks )
>       4  30827   GB  Extraordinary Managed Services Ltd
>       4  42831   GB  UK Dedicated Servers Limited
>       4  37200   NG  SimbaNET Nigeria Limited
>       4  133495  PK  Vision telecom Private limited
>       4  198394  AE  Star Satellite Communications Company - PJSC
>       2  44066   DE  First Colo GmbH
>       2  198247  AE  Star Satellite Communications Company - PJSC
>       2  133933  PK  NetSat Private Limited
>       2  328096  UG  truIT Uganda Limited
>       2  38713   PK  Satcomm (Pvt.) Ltd.
>       2  31122   IE  Digiweb ltd
>       2  46562   US  Total Server Solutions L.L.C.
>       2  13737   US  Riverfront Internet Systems LLC
>       2  11990   US  Unlimited Net, LLC
>       2  20860   GB  Iomart Cloud Services Limited
>       2  45382   KR  Ehostict
>       2  17216   US  Dc74 Llc
>       2  16637   ZA  Mtn Sa
>       2  53999   CA  Priority Colo Inc
>       1  23470   US  ReliableSite.Net LLC
>       1  35074   NG  Cobranet Limited
>       1  19832   ZA  Link Data Group
>       1  43945   IL  Netstyle A. Ltd
>       1  134917  IN  Ragsaa Communication pvt. ltd.
>       1  203833  DE  First Colo GmbH
> ======================================================================
>
> The actual current route announcements corresponding to all of the above
> are listed in the table given here, which is sorted by ASN:
>
>     https://pastebin.com/raw/XQyJ8EK2
>
> Footnotes:
>
> [1]  AS62355 gives all indications of being a false front fraudulent
> network, possibly one that was set up by one or more of the black
> market dealers involved in this case.  There is no actual web site
> associated with its contact domain (networkdedicated.com) at present,
> the alleged contact phone number in the associated AS WHOIS record
> was non-working when I tried it, and the street address given for
> this entity in Bogotá, Colombia, is one that Google maps cannot
> locate.  Traceroutes to the one and only IPv4 block that is being
> routed by this AS and that is actually registered to the company itself
> (185.39.8.0/22 -- issued by RIPE NCC) do not terminate in Colombia,
> South America, as one would expect based on the WHOIS, but rather
> such traceroutes dead-end somewhere on the network of core-backbone.com
> (Core-Backbone GmbH, Germany) in the general vicinity of Amsterdam,
> Netherlands.
>
> Please note also that AS62355 appears to be a "leaf" ASN which is
> connected to the Internet only via AS202425, IP Volume, Ltd. --
> Seychelles.  (See below.)
>
>      https://bgp.he.net/AS62355
>
>
> [2] The networks of AS202425 (IP volume, Inc. - Seychelles), AS204655
> (Novogara, Ltd. - Netherlands), AS56611 (REBA Communications BV -
> Netherlands), and AS57717 (FiberXpress BV - Netherlands), are all
> believed by me to be owned and controlled by a certain pair of Dutch
> gentlemen named Mr. Ferdinand Reinier Van Eeden and Mr. Bartholomeus
> Johannes ("Bap") Karreman, both of whom I have previously posted about
> to the NANOG mailing list.  For more information on these characters,
> please google for "Ecatel" and/or "Quasi Networks".  Both of those are,
> I believe, demonstrably the predecessors of what is nowadays being
> called "IP volume, Inc."
>
> [3] AS199267 (Netstyle A. Ltd. - Israel) and AS43945 (Netstyle A. Ltd. -
> Israel) belong to the Israeli gentleman featured in Jan Vermeulen's
> detailed December 4th report on this whole AFRINIC caper. This is the
> specific fellow who has been going around passing out fraudulent LOAs
> of such shockingly low quality that one wonders why he even bothers.
>
> [4] AS26754 was formerly an AFRINIC-assigned ASN which was assigned
> to the entirely fictitious business entity called "ITC".  That entity
> appears to have just been an imaginary concoction of Mr. Ernest
> Byaruhanga, formerly a senior employee of AFRINIC (and now the target
> of an ongoing criminal investigation) and/or other AFRINIC insiders
> who worked with or alongside Mr. Byaruhanga to criminally strip
> assets from AFRINIC and its legacy block holders.  The registration
> for this AS number has now been withdrawn by AFRINIC, thus rendering
> the ASN itself a bogon.
>
> [5] AS19832 ("Link Data Group") is yet another fiction that was
> manufactured out of (nearly) whole cloth, either by Mr. Byaruhanga
> and/or by other AFRINIC insiders who were working with him.  It is
> not immediately clear why this ASN is still registered, let alone why
> its route announcements are still being accepted or propagated
> anywhere.
> _______________________________________________
> LACNOG mailing list
> LACNOG at lacnic.net
> https://mail.lacnic.net/mailman/listinfo/lacnog
> Unsubscribe: https://mail.lacnic.net/mailman/options/lacnog
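The table in Ronald's message is built by taking each stolen block, finding every BGP route that overlaps it, and crediting the overlapping /24s to the route's origin ASN, with space that no route covers landing in the "UNROUTED IP SPACE" row. The script below is an added example of that aggregation written for this page; it is not Ronald's tooling and not anything from the list. It works offline on constructed sample data (prefixes carved from the RFC 2544 benchmarking range 198.18.0.0/15, with private-use ASNs and invented holder names, none of which appear in the list above); a live version would feed it the routes RIPEstat returns for each block, for instance from its prefix-overview endpoint. Two choices are marked in the code: a /24 announced by an AS both on its own and inside a larger aggregate is counted once for that AS, and a covering less-specific route (a /16 that contains a stolen /22) is credited to its origin, since that is where traffic for the block lands when nothing more specific exists.

```python
"""Attribute a list of (stolen) IPv4 blocks to the ASNs currently routing them,
in /24 units, the way the per-ASN table in the message above is laid out.
Added example for this page; not the investigator's own script."""
import ipaddress
from collections import defaultdict

# Constructed sample input. Blocks are from 198.18.0.0/15 (RFC 2544 benchmarking
# space), ASNs are private-use (RFC 6996) and holders are invented; none of
# these are real stolen blocks or real networks.
SAMPLE_STOLEN = ["198.18.0.0/22", "198.18.8.0/22", "198.19.0.0/24"]

# Routes as a collector would report them: (prefix, origin ASN, country, holder).
SAMPLE_ROUTES = [
    ("198.18.0.0/22", 64500, "XX", "Example Hosting A"),   # whole first block
    ("198.18.1.0/24", 64500, "XX", "Example Hosting A"),   # more-specific, same AS
    ("198.18.8.0/23", 64501, "YY", "Example Colo B"),      # half of second block
    ("198.18.10.0/24", 64502, "ZZ", "Example Leaf C"),     # one /24 of second block
    ("198.18.0.0/16", 64503, "WW", "Example Transit D"),   # covering less-specific
]

UNROUTED = 0  # pseudo-ASN for the "UNROUTED IP SPACE" row


def overlap(a, b):
    """Intersection of two IPv4 networks, or None when they are disjoint."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def attribute_routes(stolen_blocks, routes):
    """Return (counts, holders): counts[asn] is the number of distinct /24s of
    stolen space that asn announces (UNROUTED for uncovered space), holders[asn]
    is (country, name). Blocks longer than /24 are rejected."""
    per_asn = defaultdict(set)          # asn -> set of /24 networks it covers
    holders = {UNROUTED: ("??", "UNROUTED IP SPACE")}
    unrouted = set()
    parsed = [(ipaddress.ip_network(p), asn, cc, name) for p, asn, cc, name in routes]

    for block_str in stolen_blocks:
        block = ipaddress.ip_network(block_str)
        if block.prefixlen > 24:
            raise ValueError(f"{block} is longer than a /24; table unit is /24")
        covered = set()
        for prefix, asn, cc, name in parsed:
            inter = overlap(block, prefix)
            if inter is None or inter.prefixlen > 24:
                continue                # disjoint, or a sub-/24 announcement
            # Using a set means a /24 announced twice by the same AS (on its own
            # and inside an aggregate) is counted once for that AS.
            subs = set(inter.subnets(new_prefix=24))
            per_asn[asn] |= subs
            holders[asn] = (cc, name)
            covered |= subs
        unrouted |= set(block.subnets(new_prefix=24)) - covered

    counts = {asn: len(s) for asn, s in per_asn.items()}
    counts[UNROUTED] = len(unrouted)
    return counts, holders


def format_table(counts, holders):
    """Rows in the message's layout: /24 count, ASN, country, holder,
    sorted by count descending (ties by ASN)."""
    rows = []
    for asn, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        cc, name = holders[asn]
        rows.append(f"{n:7d}  {asn:<6}  {cc}  {name}")
    return rows


if __name__ == "__main__":
    c, h = attribute_routes(SAMPLE_STOLEN, SAMPLE_ROUTES)
    print("\n".join(format_table(c, h)))
```

On the sample data the covering /16 from AS64503 is credited with all eight /24s of the two blocks it contains, AS64500 gets four (its /24 inside its own /22 is not double counted), and only 198.19.0.0/24, which no route touches, ends up in the UNROUTED row. Whether a covering less-specific should be counted is a judgement call; the comment marks where to change it.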


More information about the LACNOG mailing list