[195505] in North American Network Operators' Group
RE: AS29073, 196.16.0.0/14, Level3: Why does anyone peer with these
daemon@ATHENA.MIT.EDU (Siegel, David)
Mon Aug 14 16:17:14 2017
X-Original-To: nanog@nanog.org
From: "Siegel, David" <Dave.Siegel@level3.com>
To: "Ronald F. Guilmette" <rfg@tristatelogic.com>, "nanog@nanog.org"
<nanog@nanog.org>
Date: Mon, 14 Aug 2017 20:17:06 +0000
In-Reply-To: <15340.1502740194@segfault.tristatelogic.com>
Errors-To: nanog-bounces@nanog.org
If you believe that a customer of a network service provider is in violation of that service provider's AUP, you should email abuse@serviceprovider.net. Most large networks have a security team that monitors that email address regularly and will cooperate with you to address the problem.
Dave
-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Ronald F. Guilmette
Sent: Monday, August 14, 2017 1:50 PM
To: nanog@nanog.org
Subject: AS29073, 196.16.0.0/14, Level3: Why does anyone peer with these schmucks?
Sorry for the re-post, but it has been brought to my attention that my inclusion, in my prior posting, of various unsavory FQDNs resolving to various IPv4 addresses on AS29073 has triggered some people's spam filters. (Can't imagine why. :-) So I am re-posting this message now, with just a link to where those shady FQDNs and their current forward resolutions may be found. (I also took the opportunity to clean up some minor typos.)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
I think that this is primarily Level3's problem to fix. But you be the judge. Please, read on.
+_+_+_+_+_+_+_+_
Over the weekend, I stumbled upon an interesting blog called "Bad Packets", where a fellow named Troy has written about various unsavory goings on involving various networks. One network that he called out in particular was AS29073, formerly called "Ecatel". On his blog, this fellow Troy has noted at length some break-in attempts originating from AS29073 and his inability to get anyone, in particular RIPE NCC, to give a damn.
https://badpackets.net/the-master-needler-80-82-65-66/
https://badpackets.net/a-conversation-with-ripe-ncc-regarding-quasi-networks-ltd/
https://badpackets.net/quasi-networks-responds-as-we-witness-the-death-of-the-master-needler-80-82-65-66-for-now/
The fact that RIPE NCC declined to accept the role of The Internet Police didn't surprise me at all... they never have and probably never will.
But I decided to have a quick look at what this network was routing, at present, which can be easily seen here:
http://bgp.he.net/AS29073#_prefixes
So I was looking through the announced routes for AS29073, and it all looked pretty normal... a /24 block, check, a /24 block, check, a /21 block, check... another /24 block, and then ... WAIT A SECOND! HOLY MOTHER OF GOD! WHAT'S THIS??? 196.16.0.0/14 !!!
So how does a little two-bit network with a rather dubious reputation and a grand total of only about a /19 to its name suddenly come to be routing an entire /14 block??
And of course, it's a legacy (abandoned) Afrinic block.
And of course, there's no reverse DNS for any of it, because there is no valid delegation for the reverse DNS for any of it... usually a good sign that whoever is routing the block right now -does not- have legit rights to do so. (If they did, then they would have presented their LOAs or whatever to Afrinic and thus gotten the reverse DNS properly delegated to their own name servers.)
I've seen this movie before. You all have. This gives every indication of being just another sad chapter in the ongoing mass pillaging of unused Afrinic legacy IPv4 space, by various actors with evil intent.
I've already documented this highly unfortunate fad right here on multiple occasions:
https://mailman.nanog.org/pipermail/nanog/2016-November/089232.html
https://mailman.nanog.org/pipermail/nanog/2017-August/091821.html
This incident is a bit different from the others however, in that it -does not- appear that the 196.16.0.0/14 block has been filled to the brim with snowshoe spammers. Well, not yet anyway.
But if in fact the stories are correct, and if AS29073 does indeed have a history of hosting outbound hacking activities, then the mind reels when thinking about how much mischief such bad actors could get into if given an entire /14 to play with. (And by the way, this is a new world's record I think, for largest single-route deliberate hijack. I've seen plenty of /16s go walkabout before, and even a whole /15. But an entire /14?!?! That is uniquely brazen.)
In addition to the above, and the points raised within the Bad Packets blog (see links above), I found, via passive DNS, a number of other causes for concern about AS29073, to wit:
Shady FQDNs (incl possible child porn ones) on AS29073 moved here:
https://pastebin.com/raw/f4M09UKL
(In addition to the above, I've also found plenty more domain names associated with AS29073 which incorporate the names "Apple", "AirBnB", "Facebook", and "Groupon", as well as dozens of other legitimate companies and organizations.)
I confess that I have not had the time to look at any of the web sites that may or may not be associated with any of the above FQDNs, but the domain names themselves are certainly strongly suggestive of (a) the possible hosting of child porn and also and separately (b) the possible hosting of phishing sites.
So, given the history of this network (as is well documented on the Bad Packets blog) and given all of the above, and given what would appear to be the unauthorized "liberation" of the entire 196.16.0.0/14 block by AS29073, one cannot help but wonder: Why does anybody still even peer with these jerks?
The always helpful and informative web site bgp.he.net indicates that very nearly 50% of the connectivity currently enjoyed by AS29073 is being provided to them by Level3. I would thus like to ask Level3 to reconsider that peering arrangement in light of the above facts, and especially in light of what would appear to be the unauthorized routing of the 196.16.0.0/14 block by AS29073.
Surprisingly, given its history, AS29073 apparently has a total of 99 different peers, at present, and I would likewise ask all of them to reconsider their current peering arrangements with this network. I am listing all 99 peers below.
Before I get to that however, I'd like to also note that there currently exists, within the RIPE Routing Registry, the following route object:
route: 196.16.0.0/14
origin: AS29073
mnt-by: QUASINETWORKS-MNT
mnt-by: EC42500-MNT
mnt-routes: EC42500-MNT
mnt-routes: M247-EU-MNT
created: 2017-03-28T21:47:03Z
last-modified: 2017-08-11T19:58:39Z
source: RIPE
I confess that I am not 100% sure of the exact semantics of the "mnt-routes" tag, but it would appear from the above that the UK's M247 network (AS9009)... which itself is not even peering with AS29073... appears to have, in effect, countersigned the above RIPE route object, vouching for its correctness and authenticity as they did so. Why they would have done that, especially given that they themselves are not even peering with AS29073, is, I confess, beyond me. But I would love to have them explain it, or even try to explain it.
It's enigmatic, to say the least.
Anyway, the "created" date in the above record seems to be consistent with the actual start of the announcement of 196.16.0.0/14 by AS29073, which the RIPE Routing History tool says occurred sometime in March of this year.
One additional (and rather bizarre) footnote to this whole story about the 196.16.0.0/14 block has to do with the entity that allegedly -is- the current rightful owner of the block (as far as Afrinic is concerned).
That entity is designated by the Afrinic handle ORG-IA41-AFRINIC and that in turn has an admin-c and tech-c of NAIT1-AFRINIC. The record for that handle is as follows:
-------------------------------------------------------
person: Network and Information Technology Administrator
address: Unit 117, Orion Mall, Palm Street
address: Victoria, Mahe
address: Seychelles (SC)
phone: +972-54-2203545
e-mail: info@networkandinformationtechnology.com
nic-hdl: NAIT1-AFRINIC
mnt-by: MNT-NETWORKANDINFORMATIONTECHNOLOGY
changed: info@networkandinformationtechnology.com 20150725
source: AFRINIC
-------------------------------------------------------
Upon fetching the current WHOIS record for networkandinformationtechnology.com I found it more than passing strange that all of the contact details therein are associated *not* with anything in Africa, nor even anything in the home country of AS29073 (Netherlands) but rather, the address and phone numbers therein all appear to be ones associated with a relatively well known Internet attorney in Santa Monica, California by the name of Bennet Kelly.
As it happens, in the distant past (about 10 years ago) I personally crossed swords with this particular fellow. He may be a lot of things, but it never seemed to me that stupid was one of them. And indeed the domain name networkandinformationtechnology.com and all of its connections to the 196.16.0.0/14 block appear to date from 2015... long before AS29073 started routing this block (which only started in March of this year).
So, my best guess about this whole confusing mess is that the -original- legitimate owners of the 196.16.0.0/14 block most probably sold it on, in a legitimate transaction, to some other party in 2015, where that other party was/is represented by Mr. Bennet Kelly, Esq. And my guess is that neither he nor the new owners, who he represents, even know that their expensive /14 has gone walkabout, as of March of this year.
I will be trying to make contact with Mr. Kelley today to discuss this with him and will post a follow-up if any new and interesting information arises from that conversation.
Regards,
rfg
Peers of AS29073:
================================================================================
 1. AS3356    Level 3 Communications, Inc. (United States)
 2. AS56611   REBA Communications BV (Netherlands)
 3. AS6939    Hurricane Electric, Inc. (United States)
 4. AS33891   Core-Backbone GmbH (Germany)
 5. AS13030   Init7 (Switzerland) Ltd. (Switzerland)
 6. AS9002    RETN Limited (Ukraine)
 7. AS8220    COLT Technology Services Group Limited (United Kingdom)
 8. AS3267    State Institute of Information Technologies and Telecommunications (SIIT&T "Informika") (Russian Federation)
 9. AS52320   GlobeNet Cabos Submarinos Colombia, S.A.S. (Colombia)
10. AS49605   Digital Telecommunication Services S.r.l. (Italy)
11. AS12779   IT.Gate S.p.A. (Italy)
12. AS1836    green.ch AG (Switzerland)
13. AS5394    UNIDATA S.p.A. (Italy)
14. AS20965   GEANT Limited (European Union)
15. AS25091   IP-Max SA (Switzerland)
16. AS29075   Lost Oasis SARL (France)
17. AS31424   nexellent ag (Switzerland)
18. AS37100   SEACOM Limited (Mauritius)
19. AS37468   Angola Cables (Angola)
20. AS8468    ENTANET International Limited (United Kingdom)
21. AS50304   Blix Solutions AS (Norway)
22. AS6661    POST Luxembourg (Luxembourg)
23. AS8218    Zayo France SAS (France)
24. AS1267    Wind Telecomunicazioni SpA (Italy)
25. AS3303    Swisscom (Switzerland) Ltd (Switzerland)
26. AS10026   Pacnet Global Ltd (Hong Kong)
27. AS1103    SURFnet bv (Netherlands)
28. AS12637   SEEWEB s.r.l. (Italy)
29. AS12859   BIT BV (Netherlands)
30. AS13237   euNetworks Managed Services GmbH (Germany)
31. AS15435   CAIW Diensten B.V. (Netherlands)
32. AS15547   netplus.ch SA (Switzerland)
33. AS15763   DOKOM Gesellschaft fuer Telekommunikation mbH (Germany)
34. AS16347   ADISTA SAS (France)
35. AS18106   Viewqwest Pte Ltd (Singapore)
36. AS200130  Digital Ocean, Inc. (European Union)
37. AS202018  Digital Ocean, Inc. (Netherlands)
38. AS20562   Open Peering B.V. (Netherlands)
39. AS20932   Services Industriels de Geneve (Switzerland)
40. AS23106   Cemig Telecomunicações SA (Brazil)
41. AS24482   SG.GS (Singapore)
42. AS25160   Vorboss Limited (United Kingdom)
43. AS25220   equada network GmbH (Germany)
44. AS25227   Avantel, Close Joint Stock Company (Russian Federation)
45. AS29017   Gyron Internet Ltd (United Kingdom)
46. AS49289   IPROUTE SRL (Italy)
47. AS28917   LLC "TRC FIORD" (Russian Federation)
48. AS29140   Hostserver GmbH (Germany)
49. AS12329   Telekommunikation Mittleres Ruhrgebiet GmbH (Germany)
50. AS30132   Internet Systems Consortium, Inc. (United States)
51. AS30844   Liquid Telecommunications Ltd (United Kingdom)
52. AS31019   Paulus M. Hoogsteder trading as Meanie (Netherlands)
53. AS31122   Digiweb ltd (Ireland)
54. AS3252    Fiberax Networking&Cloud Ltd. (United Kingdom)
55. AS34019   Hivane (France)
56. AS34177   CELESTE SAS (France)
57. AS34288   Kantonsschule Zug (Switzerland)
58. AS34781   Citycable (Switzerland)
59. AS36351   SoftLayer Technologies Inc. (United States)
60. AS37497   Network Platforms (PTY) LTD (South Africa)
61. AS38880   Micron21 Datacentre Pty Ltd (Australia)
62. AS39120   Convergenze S.p.A. (Italy)
63. AS42541   Fiberby ApS (Denmark)
64. AS45352   IP ServerOne Solutions Sdn Bhd (Malaysia)
65. AS4589    Easynet Global Services (European Union)
66. AS12552   IP-Only Networks AB (Sweden)
67. AS48526   Tango S.A. (Luxembourg)
68. AS49463   Les Nouveaux Constructeurs SA (France)
69. AS50300   CustodianDC Limited (United Kingdom)
70. AS50763   MCKAYCOM LTD (United Kingdom)
71. AS5413    Daisy Communications Ltd (United Kingdom)
72. AS55818   MC-IX Matrix Internet Exchange RS-1 (Indonesia)
73. AS57463   NetIX Communications Ltd. (Bulgaria)
74. AS58511   Anycast Global Backbone (Australia)
75. AS29467   LUXNETWORK S.A. (Luxembourg)
76. AS39912   oja.at GmbH (Austria)
77. AS6667    Elisa Oyj (Finland)
78. AS8447    A1 Telekom Austria AG (Austria)
79. AS57866   Fusix Networks B.V. (Netherlands)
80. AS8426    ClaraNET LTD (United Kingdom)
81. AS8492    "OBIT" Ltd. (Russian Federation)
82. AS43531   Console Network Solutions Ltd (United Kingdom)
83. AS8422    NetCologne GmbH (Germany)
84. AS201341  Tesonet Ltd (Lithuania)
85. AS3327    Linx Telecommunications B.V. (Estonia)
86. AS6724    Strato AG (Germany)
87. AS20764   CJSC RASCOM (Russian Federation)
88. AS6730    Sunrise Communications AG (Switzerland)
89. AS1136    KPN B.V. (Netherlands)
90. AS16637   MTN SA (South Africa)
91. AS42708   Portlane AB (Sweden)
92. AS4788    TM Net, Internet Service Provider (Malaysia)
93. AS62355   Network Dedicated SAS (Switzerland)
94. AS1764    Next Layer Telekommunikationsdienstleistungs- und Beratungs GmbH (Austria)
95. AS5713    Telkom SA Ltd. (South Africa)
96. AS60115   ShockSRV Internet Services Private Limited (Netherlands)
97. AS64484   JUPITER 25 LIMITED (Netherlands)
98. AS8767    M-net Telekommunikations GmbH (Germany)
99. AS34224   Neterra Ltd. (Bulgaria)
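Editor's note (not part of either message above): the post leans on two things an operator can check for themselves, that a prefix has no reverse DNS delegation because nobody with rights to it ever asked the RIR for one, and that the RIPE route object's origin and maintainers can be compared against what is actually seen in BGP. The script below is an added example, not code from the thread, from Bad Packets or from any RIR tool. It works out which in-addr.arpa zones would have to be delegated to cover a whole prefix (octet-aligned, so a /14 needs four /16 zones), and it parses an RPSL route object into fields. The route object text is the one quoted in the post; the BGP origin (AS29073) and the address-holding RIR (AFRINIC) are taken from the post as inputs; the other sample prefixes are constructed; all function names are mine. One RPSL point the post is unsure about: mnt-routes on a route object names the maintainers authorised to create more-specific route objects under it, which is why the script reports it separately from mnt-by.

```python
"""Offline triage of a suspicious route such as 196.16.0.0/14 from AS29073.

Added example: standard library only, no network access, so the reverse
zone names it produces are what you would then feed to `dig NS`.
"""
import ipaddress
import math


def reverse_zones(prefix):
    """Return the in-addr.arpa zone names covering every address in prefix.

    Reverse delegations sit on octet boundaries: a /14 is served by four
    /16 zones, a /21 by eight /24 zones, and anything longer than a /24
    is served inside its parent /24 (RFC 2317 style), which is returned.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4:
        raise ValueError("IPv4 in-addr.arpa only")
    # Smallest octet-aligned zone length (8, 16 or 24) not shorter than
    # the prefix; prefixes longer than /24 fold back into their /24.
    zone_len = max(8, min(24, 8 * math.ceil(net.prefixlen / 8)))
    if net.prefixlen > zone_len:
        covering = [net.supernet(new_prefix=zone_len)]
    else:
        covering = list(net.subnets(new_prefix=zone_len))
    zones = []
    for sub in covering:
        octets = str(sub.network_address).split(".")[: zone_len // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones


def parse_rpsl(text):
    """Parse one RPSL object into {attribute: [values]}.

    Repeated attributes (mnt-by, mnt-routes) accumulate in order, server
    comment lines (% or #) are skipped and continuation lines are joined.
    """
    obj = {}
    key = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith(("%", "#")):
            continue
        if line[0] in " \t+" and key is not None:
            obj[key][-1] += " " + line[1:].strip()
            continue
        key, _, value = line.partition(":")
        key = key.strip().lower()
        obj.setdefault(key, []).append(value.strip())
    return obj


# The route object exactly as quoted in the post (RIPE database, Aug 2017).
ROUTE_OBJECT = """\
route:          196.16.0.0/14
origin:         AS29073
mnt-by:         QUASINETWORKS-MNT
mnt-by:         EC42500-MNT
mnt-routes:     EC42500-MNT
mnt-routes:     M247-EU-MNT
created:        2017-03-28T21:47:03Z
last-modified:  2017-08-11T19:58:39Z
source:         RIPE
"""


def triage(prefix, rpsl_text, bgp_origin, address_rir):
    """Combine both checks into the findings a practitioner would chase.

    bgp_origin is the origin AS seen in the routing table; address_rir is
    the registry that actually holds the address space (AFRINIC here). A
    route object living in a different registry than the address-holding
    RIR is itself a red flag for liberated legacy space.
    """
    obj = parse_rpsl(rpsl_text)
    source = obj.get("source", [""])[0].upper()
    return {
        "prefix": prefix,
        "reverse_zones": reverse_zones(prefix),
        "route_object_covers_prefix": prefix in obj.get("route", []),
        "origin_matches_bgp": bgp_origin in obj.get("origin", []),
        "may_modify_object": sorted(obj.get("mnt-by", [])),
        "may_add_more_specifics": sorted(obj.get("mnt-routes", [])),
        "route_object_in_address_rir": source == address_rir.upper(),
        "route_object_created": obj.get("created", [None])[0],
    }


if __name__ == "__main__":
    report = triage("196.16.0.0/14", ROUTE_OBJECT, "AS29073", "AFRINIC")
    for name, value in report.items():
        print(f"{name:30} {value}")
```

Usage: run it as-is to get the four zones (16.196 through 19.196.in-addr.arpa) that AFRINIC would have had to delegate for the /14 to have working reverse DNS, then `dig NS` each one; an empty answer for all four is the "no valid delegation" signal the post describes. The RIR mismatch flag (route object in RIPE, space held by AFRINIC) is the structural reason a route object alone proves nothing about rights to the space.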