[lacnog] The Great AFRINIC Heist -- The Enablers
Fernando Frediani
fhfrediani en gmail.com
Jue Ene 30 16:35:56 GMT+3 2020
Hello Ronald.
Thanks for you valuable work being done in this area. In my view this
investigation has been a remarkable thing in the try to fix these things
been done by greed and dishonest people.
Agree about trying to contact Transit providers to stop routing these
prefixes. The only thing that needs to be careful how it is done is to
never mark them as some kind of 'dirty ' prefixes so it doesn't harm the
future users of these prefixes. I will review the full list and see if I
have contact with any of those NOCs in order to try make the message to
be delivered.
Two things I wanted to ask is:
- From the Tier 1's how many of them is already confirmed for have
stopped to route these prefixes anymore ?
- I have checked some of the prefixes that are in that list in some of
the known IRRs and in fact they are still there. Has contact been tried
with them to clean up that information from there and what were they
response about ?
Regards
Fernando
On 30/01/2020 02:48, Ronald F. Guilmette wrote:
> By now I hope that you all have read about or heard about the events
> in the AFRINIC region relating to the apparent theft, by an AFRINIC
> insider, of a large quantity of valuable IPv4 address space, consisting
> both of space that was stolen from the AFRINIC free pool and also a
> good deal of space that was stolen from various AFRINIC region legacy
> block registrants. For the benefit of those of you who may have missed
> this news, please allow me to share the following links to relevant
> press reports:
>
> https://mybroadband.co.za/news/internet/330379-how-internet-resources-worth-r800-million-were-stolen-and-sold-on-the-black-market.html
>
> https://krebsonsecurity.com/2019/12/the-great-50m-african-ip-address-heist/
>
> https://www.theregister.co.uk/2019/12/17/another_afrinic_scandal/
>
> https://mybroadband.co.za/news/security/335226-here-are-the-police-charges-filed-in-the-great-african-ip-address-heist.html
>
> As the primary investigator pursuing this case, I have invested more
> than a little effort into continuing to track what has been going
> on as AFRINIC attempts to remediate the effects of these thefts.
> I would like now to provide you all with some insight into the current
> situation and status relating to the affected stolen AFRINIC blocks
> and the multiple parties in your own region who are continuing, at
> present, to provide routing to the various bits and pieces of the
> stolen AFRINIC IPv4 space.
>
> My hope, of course, is that you will all join with me in trying to
> persuade these networks to cease all routing to all of the stolen
> AFRINIC address space.
>
> A full list of all of the stolen AFRINIC blocks that are still of
> ongoing concern at the present moment is available here:
>
> https://pastebin.com/raw/71zNNriB
>
> Note that many of the blocks listed at the link above have already
> been "reclaimed" as far as the AFRINIC WHOIS records are concerned.
> But because routing remains almost entirely decoupled from RIR WHOIS
> data bases, much of this "reclaimed" space is still being routed as
> I write this. The only difference is that now the space is being
> routed as bogons, rather than as "legitimately" allocated space.
>
> A summary of all of the current routing for all of the stolen AFRINIC
> IPv4 address space that is still of concern (including routing for
> recently reclaimed address space that AFRINIC will eventually be
> returning to its free pool) is provided below. This list is sorted
> by the number of constituent stolen /24 blocks being routed by each
> listed network, thus showing the most major offenders at the top.
> A few footnotes concerning specific ASNs in this list follow below
> the listing.
>
> I urge everyone on this mailing list to share this data as widely as
> possible in and among the global networking connunity. In all cases
> noted below, the networks in question are unambiguously routing IP
> blocks that were obtained, in the first instance, via thefts perpetrated
> by one or more AFRINIC insiders and then resold on the black market
> in secretive deals. In many and perhaps most cases listed below, the
> relevant networks appear to have been more than happy to accept some
> cash in exchange for their services, while not looking all that
> carefully at the purported (but fradulent) "LOA" documents that they
> were given in order to persuade them to announce routes to stolen IP
> space. (Repeated use of blatantly fradulent documents has been one
> of the consistant features of this entire ongoing criminal enterprise.)
>
> I would also like to request the assistance of every person on this
> mailing list in the task of informing all of the networks that are
> mentioned in the list below, and that are within your own geographic
> region, that they are each currently announcing routes to stolen IP
> space. Of course, it is my hope that you will also encourage them,
> in no uncertain terms, to stop doing this immediately, if not sooner.
>
> As you can see below, this Internet crime spree is a globe-spanning
> and ongoing disaster. There is no way that I can get all of this
> mess cleaned up on my own. I am therefore relying on all people of
> honesty and good will, in all regions, to assist me in getting the
> word to the networks mentioned below, and telling them, very directly,
> that they are each facilitating a colossal fraud that affects the
> whole of the global Internet community. (I know for a fact that
> there is ongoing criminal activity which is being perpetrated from
> at least some of this provably stolen IP address space, so it is in
> the self interest of every honest netizen to get this all turned
> off and shut down.)
>
> All routing data is derived from current data published by RIPEstat.
>
> ======================================================================
> 3719 0 ?? UNROUTED IP SPACE
> 629 132165 PK Connect Communication
> 512 18013 HK Asline Limited
> 504 19969 US Joe's Datacenter, LLC
> 500 62355 CO Network Dedicated SAS
> 423 202425 SC IP Volume inc
> 286 58895 PK Ebone Network (PVT.) Limited
> 250 136525 PK Wancom (Pvt) Ltd.
> 192 18530 US Isomedia, Inc.
> 186 9009 GB M247 Ltd
> 134 262287 BR Maxihost LTDA
> 132 204655 NL Novogara LTD
> 79 132116 IN Ani Network Pvt Ltd
> 75 136384 PK Optix Pakistan (Pvt.) Limited
> 68 132422 HK Hong Kong Business Telecom Limited
> 60 137443 HK Anchnet Asia Limited
> 48 63956 AU Colocation Australia Pty Ltd
> 26 132335 IN LeapSwitch Networks Pvt Ltd
> 21 131284 AF Etisalat Afghan
> 20 139043 PK WellNetworks (Private) Limited
> 19 43092 JP OSOA Corporation., LTD
> 17 36351 US SoftLayer Technologies Inc.
> 16 56611 NL REBA Communications BV
> 16 199267 IL Netstyle A. Ltd
> 16 23679 ID Media Antar Nusa PT.
> 14 137085 IN Nixi
> 10 63018 US Dedicated.com
> 9 136782 JP Pingtan Hotline Co., Limited
> 8 45671 AU Servers Australia Pty. Ltd
> 8 57717 NL FiberXpress BV
> 7 49335 RU LLC "Server v arendy"
> 7 134451 SG NewMedia Express Pte Ltd
> 6 49367 IT Seflow S.N.C. Di Marco Brame' & C.
> 6 26754 ?? {{unknown organization}}
> 5 198504 AE Star Satellite Communications Company - PJSC
> 5 198381 AE Star Satellite Communications Company - PJSC
> 4 38001 SG NewMedia Express Pte Ltd
> 4 263812 AR TL Group SRL ( IPXON Networks )
> 4 30827 GB Extraordinary Managed Services Ltd
> 4 42831 GB UK Dedicated Servers Limited
> 4 37200 NG SimbaNET Nigeria Limited
> 4 133495 PK Vision telecom Private limited
> 4 198394 AE Star Satellite Communications Company - PJSC
> 2 44066 DE First Colo GmbH
> 2 198247 AE Star Satellite Communications Company - PJSC
> 2 133933 PK NetSat Private Limited
> 2 328096 UG truIT Uganda Limited
> 2 38713 PK Satcomm (Pvt.) Ltd.
> 2 31122 IE Digiweb ltd
> 2 46562 US Total Server Solutions L.L.C.
> 2 13737 US Riverfront Internet Systems LLC
> 2 11990 US Unlimited Net, LLC
> 2 20860 GB Iomart Cloud Services Limited
> 2 45382 KR Ehostict
> 2 17216 US Dc74 Llc
> 2 16637 ZA Mtn Sa
> 2 53999 CA Priority Colo Inc
> 1 23470 US ReliableSite.Net LLC
> 1 35074 NG Cobranet Limited
> 1 19832 ZA Link Data Group
> 1 43945 IL Netstyle A. Ltd
> 1 134917 IN Ragsaa Communication pvt. ltd.
> 1 203833 DE First Colo GmbH
> ======================================================================
>
> The actual current route announcements corresponding to all of the above
> are listed in the table given here, which is sorted by ASN:
>
> https://pastebin.com/raw/XQyJ8EK2
>
> Footnotes:
>
> [1] AS62355 gives all indications of being a false front fradulent
> network, possibly one that was set up by one or more of the black
> market dealers involved in this case. There is no actual web site
> associated with its contact domain (networkdedicated.com) at present,
> the alleged contact phone number in the associated AS WHOIS record
> was non-working when I tried it, and the street address given for
> this entity in Bogotá, Columbia, is one that Google maps cannot
> locate. Traceroutes to the one and only IPv4 block that is being
> routed by this AS and that is actually registed to the company itself
> (185.39.8.0/22 -- issued by RIPE NCC) do not terminate in Columbia,
> South America, as one would expect based on the WHOIS, but rather
> such traceroutes dead-end somwhere on the network of core-backbone.com
> (Core-Backbone GmbH, Germany) in the general vicinity of Amsterdam,
> Netherlands.
>
> Please note also that AS62355 appears to be a "leaf" ASN which is
> connected to the Internet only via AS202425, IP Volume, Ltd. --
> Seyhelles. (See below.)
>
> https://bgp.he.net/AS62355
>
>
> [2] The networks of AS202425 (IP volume, Inc. - Seychelles), AS204655
> (Novogara, Ltd. - Netherlands), AS56611 (REBA Communications BV -
> Netherlands), and AS57717 (FiberXpress BV - Netherlands), are all
> believed by me to be onwed and controled by a certain pair of Dutch
> gentlemen named Mr. Ferdinand Reinier Van Eeden and Mr. Bartholomeus
> Johannes ("Bap") Karreman, both of whom I have previously posted about
> to the NANOG mailing list. For more information on these characters,
> please google for "Ecatel" and/or "Quasi Networks". Both of those are,
> I believe, demonstratably the predecessors of what is nowadays being
> called "IP volume, Inc."
>
> [3] AS199267 (Netstyle A. Ltd. - Israel) and AS43945 (Netstyle A. Ltd. -
> Israel) belongs to the Israeli gentleman featured in Jan Vermeulen's
> detailed December 4th report on this whole AFRINIC caper. This is the
> specific fellow who has been going around passing out fradulent LOAs
> of such shockingly low quality that one wonders why he even bothers.
>
> [4] AS26754 was formerly an AFRINIC-assigned ASN which was assigned
> to the entirely fictitious business entity called "ITC'. That entity
> appears to have just been an imaginary concoction of Mr. Ernest
> Byaruhanga, formerly a senior employee of AFRINIC (and now the target
> of an ongoing crimininal investigation) and/or other AFRINIC insiders
> who worked with or along side Mr. Byaruhanga to criminally strip
> assets from AFRINIC and its legacy block holders. The registration
> for this AS number has now been withdrawn by AFRINIC, thus rendering
> the ASN itself a bogon.
>
> [5] AS19832 ("Link Data Group") is yet another fiction that was
> manufactured out of (nearly) whole cloth, either by Mr. Byaruhanga
> and/or by other AFRINIC insiders who were working with him. It is
> not immediately clear why this ASN is still registered, let alone why
> its route announcements are still being accepted or propagated
> anywhere.
> _______________________________________________
> LACNOG mailing list
> LACNOG en lacnic.net
> https://mail.lacnic.net/mailman/listinfo/lacnog
> Cancelar suscripcion: https://mail.lacnic.net/mailman/options/lacnog
Más información sobre la lista de distribución LACNOG