[159567] in North American Network Operators' Group
(Long) rant about some LIRs in RIPE region,
daemon@ATHENA.MIT.EDU (Vasile Capdefier)
Tue Jan 15 12:33:55 2013
Date: Tue, 15 Jan 2013 17:13:39 +0000 (GMT)
From: Vasile Capdefier <vasile.capdefier@yahoo.co.uk>
To: "nanog@nanog.org" <nanog@nanog.org>,
"anti-abuse-wg@ripe.net" <anti-abuse-wg@ripe.net>,
"rfg@tristatelogic.com" <rfg@tristatelogic.com>
Reply-To: Vasile Capdefier <vasile.capdefier@yahoo.co.uk>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Disclaimer: this is just my POV, I didn't investigate (too) much/deep. All =
the information bellow is public, easy to find and Google Translate seems t=
o work most of the times.=0A=0AFrom what I know, Jump.RO's business model i=
s to *sell* IP space from their ALLOCATED PA ranges received from RIPE. Not=
*sub-allocate*, not *assign* or similar terms. They don't ask too many que=
stions. They give you IPs faster than other LIRs. They market this as being=
professional.=0A=0AAll of the Jump.RO's sub-allocations (that I've seen in=
whois) have *ASSIGNED PA* status, which according to ripe-553 [1] is to be=
used when the range is assigned to an end user for services provided by th=
e issuing LIR. This is probably not the case because except the (new) annua=
l fee for the registration service there are no other services provided by =
that LIR to the end user.=0A=0AMost of Jump.RO's "end users" are in fact sm=
all ISPs that can't afford the RIPE membership fees and bypass the rules of=
not using PI space for customers by deaggregating Jump's IP space. I don't=
know about the 12k number, but they have a large client base in the countr=
y and neighboring countries.=0A=0AI also think that Jump is aware of their =
IPs being in use by spammers as they advertise on their website that new an=
d unused IP blocks cost about 2 times more than "used" ones. They also note=
that the previously "used" PA space is checked with "MxToolBox" in 120 ant=
i-spam lists [2].=0A=0AEven though Jump.RO's business model isn't exactly i=
n the spirit of the RIPE region rules or following best practices (no prefi=
x aggregation, but their excuse is that they are not the only ones doing it=
), I don't think that they are willing to risk their LIR status by defendin=
g known spam operations, so reporting well documented cases of false inform=
ation provided during registration first to RIPE and then to them would pro=
bably get them to withdraw the PA from that customer. The ranges found by y=
ou clearly suggest that fake information has been used. Only "under constru=
ction" sites, nobody ever heard of those companies, all using same ISPs.=0A=
=0AWith all this said about ro.registry (Jump.RO's LIR id) i'd like to add =
the following. There are entire LIRs with very large IP allocations and sus=
picious activities. I'll just list here a few:=0A=0A(RIPE allocation list p=
ublicly available here [3])=0A=0AThe first candidate that pops up is ro.vis=
net (VisNetwork Media SRL).=0AAccording to their web page [4] they are a pr=
etty large ISP with over 300 experienced employees and over 30 vehicles use=
d for interventions and installations. They provide no CIF (Romanian for Fi=
scal Identification Code) or other identifying information, but the company=
is valid and has CIF 25083281.=0AAccording to the Romanian Trade Register =
[5], the company named VisNetwork Media SRL with Fiscal Identification Code=
25083281 is registered since February 2009, has no employees (where did th=
ose 300 professionals go?) and has registered for the 2011 fiscal year expe=
nses of roughly about 3000 EUR (this value is around the value of the RIPE =
maintenance fees) and an amazing income of 100 EUR.=0AAlso, they are not re=
gisterd with ANCOM [6] (Romanian National Agency for Management and Regulat=
ion in Communications), so they are not a real ISP.=0A=0AThey have received=
from RIPE the following IP space:=0A20090624=A0=A0=A0 188.170.0.0/16=A0=A0=
=A0 ALLOCATED PA=0A20100713=A0=A0=A0 46.49.128.0/17=A0=A0=A0 ALLOCATED PA=
=0A20110404=A0=A0=A0 31.173.0.0/16=A0=A0=A0 ALLOCATED PA=0A20110707=A0=A0=
=A0 146.0.128.0/17=A0=A0=A0 ALLOCATED PA=0A20110707=A0=A0=A0 146.0.32.0/19=
=A0=A0=A0 ALLOCATED PA=0A20111012=A0=A0=A0 128.234.0.0/16=A0=A0=A0 ALLOCATE=
D PA=0A20120113=A0=A0=A0 37.56.0.0/16=A0=A0=A0 ALLOCATED PA=0A20120405=A0=
=A0=A0 37.224.0.0/16=A0=A0=A0 ALLOCATED PA=0A20120730=A0=A0=A0 5.163.0.0/16=
=A0=A0=A0 ALLOCATED PA=0A20121113=A0=A0=A0 185.9.244.0/22=A0=A0=A0 ALLOCATE=
D PA=0A20110331=A0=A0=A0 2a03:4100::/29=0A=0AWith this much IP space I woul=
d think they must have at least a few LARGE cities covered, but nobody ever=
heard of them or their professional employees.=0A=0AAlso, because apparent=
ly their IPs were not enough and their employees seem that they couldn't ha=
ndle hosting their main website, their website is hosted on IP ranges from =
another LIR.=0A=0Avisnet.ro has address 77.36.59.10=0A=0Ainetnum:=A0=A0=A0=
=A0=A0=A0=A0 77.36.59.0 - 77.36.59.255=0Anetname:=A0=A0=A0=A0=A0=A0=A0 ROSI=
TE-EQUIPMENTS=0A=0AThe second obvious candidate for our small investigation=
is, as you might have guessed, ro.rosite (RoSite Equipment SRL).=0AInforma=
tion about their deaggregation habits can be found here [7].=0AAccording to=
the Trade Register, ROSITE EQUIPMENT SRL has CIF 17352052 and is a registe=
red company since march 2005.=0AThey are registered as an ISP at ANCOM, but=
with a different company name (ROSITE NET SRL).=0ATheir second company, th=
e one registered as an ISP, ROSITE NET SRL has CIF 13669105 and is a regist=
ered company since january 2001.=0A=0AThe larger company, not the ISP, rece=
ived from RIPE a large number of IP addresses:=0A20090706=A0=A0=A0 188.119.=
128.0/18=A0=A0=A0 ALLOCATED PA=0A20090813=A0=A0=A0 188.74.128.0/18=A0=A0=A0=
ALLOCATED PA=0A20091223=A0=A0=A0 188.74.192.0/18=A0=A0=A0 ALLOCATED PA=0A2=
0100325=A0=A0=A0 62.216.64.0/19=A0=A0=A0 ALLOCATED PA=0A20100628=A0=A0=A0 1=
78.157.64.0/18=A0=A0=A0 ALLOCATED PA=0A20110712=A0=A0=A0 146.158.128.0/17=
=A0=A0=A0 ALLOCATED PA=0A20110712=A0=A0=A0 146.66.208.0/20=A0=A0=A0 ALLOCAT=
ED PA=0A20120105=A0=A0=A0 37.35.128.0/17=A0=A0=A0 ALLOCATED PA=0A20120105=
=A0=A0=A0 37.35.32.0/19=A0=A0=A0 ALLOCATED PA=0A20120724=A0=A0=A0 5.157.128=
.0/17=A0=A0=A0 ALLOCATED PA=0A20101217=A0=A0=A0 2a03:8800::/32=0A=0AOn the =
third place in our list we have ro.swift (now Media Trend Sistem SRL, forme=
rly using the company Swift Marketing SRL).=0ASwift Marketing SRL (nice nam=
e, huh?) was deleted from the Trade Registry in may 2011. During 2010 they =
had 0 employees.=0AThe new company, Media Trend Sistem SRL (CIF 26301830) i=
s registered since december 2009 and was known under another name (not publ=
icly available) until changing it's name to the current one in december 201=
0.=0AThey are also not registered as an ISP with ANCOM and had 0 employees =
in 2011.=0A=0AThis didn't seem to stop them from receiving the following IP=
ranges from RIPE:=0A20070730=A0=A0=A0 78.95.0.0/16=A0=A0=A0 ALLOCATED PA=
=0A20080319=A0=A0=A0 93.168.0.0/15=A0=A0=A0 ALLOCATED PA=0A20090303=A0=A0=
=A0 95.218.0.0/15=A0=A0=A0 ALLOCATED PA=0A20110518=A0=A0=A0 2a00:aa80::/32=
=0A=0AAnother interesting Romanian LIR is ro.ssnet (SISTEM SOFT NETWORK SRL=
).=0AThe company is registered with the Trade Register with CIF 24496484 si=
nce september 2008, had in 2011 only 1 employee and is not a registered ISP=
with ANCOM.=0AThey became LIR just a few months before the final /8 was re=
ached in RIPE region.=0A=0AThey only got from RIPE this /15:=0A20120719=A0=
=A0=A0 5.154.0.0/15=A0=A0=A0 ALLOCATED PA=0A=0AThey also seem to like deagg=
regating very much [8], now originating 369 prefixes.=0A=0A=0A=0ANow with a=
ll this in sight I suppose the ro.registry issue of about an /14 block seem=
s a rather small issue.=0A=0A[1] https://www.ripe.net/ripe/docs/ripe-553=0A=
[2] http://www.ip.ro/ip.html=0A[3] ftp://ftp.ripe.net/pub/stats/ripencc/mem=
bership/alloclist.txt=0A[4] http://www.visnet.ro/despre/=0A[5] http://www.m=
finante.ro/agenticod.html=0A[6] http://www.ancom.org.ro/furnizoricomunicati=
i-electronice_133=0A[7] http://bgp.he.net/AS49687#_prefixes=0A[8] http://bg=
p.he.net/AS56465#_prefixes=0A
