On "very" fast IPv6-growing entities
This specific case is not involved with observed abuse, but it elicited my curiosity. It is not the first time that I see such things, and I'd like to see what other people think. A GB entity with a ukrainian director, incorporated on 23 March 2024, gets an ASN (AS215158) assigned by RIPE NCC on 05 April 2024, and now, just a week later, they are announcing no less than ten /29 IPv6 networks regularly assigned to them: 2a11:e8c0::/29 2a11:ea80::/29 2a11:ff40::/29 2a12:1040::/29 2a12:2e80::/29 2a12:3c00::/29 2a12:8580::/29 2a12:8a00::/29 2a12:9300::/29 2a12:d080::/29 That is quite a bit of space, indicating the entrance in the field of a large communication company making a large investment on infrastructure in preparation for a sizable number of users. So you look for their website, but in vain. They do not even expose their domain in the RIPE database, just a mailbox on a freemail. So my curiosities are: - what will this huge IPv6 space be used for? - what is the business area of this company? - can any individual easily grab ten /29's just for the fun of it, since there are plenty of them (2^29) before we need to think about 512-bit IPv8? - shouldn't the intended usage be made publicly visible somehow, so that the community can see how and why the space is used, and statistics can be made? (if it is already, I apologize and will appreciate pointers). Natale M Bianchi Spamhaus Project
With entities like this, it appears that they just register large amounts of LIRs in order to gain the IPv6 and IPv4 resources. With the ASN that you linked (PEERLINK LTD) the large amounts of IPs belong to a Russian IP leasing platform. As for what it is used for - I wildly assume it will be used for scraping or botting of some kind - just consult cloudflare radar in a few days to have a general idea of the statistics of what it is used for. A large amount of ipv6 proxy companies have popped up recently though never with this much ipv6. However, I can comment that PEERLINK was one of our clients and proved themselves to be legally in the clear in terms of ID verification, legal standing and tax. Daniel Mishayev, WHITELABEL NETWORKS (PVT-SMC). LLP ________________________________ From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Natale Maria Bianchi <nmb@spamhaus.org> Sent: Friday, April 12, 2024 1:17 PM To: anti-abuse-wg@ripe.net <anti-abuse-wg@ripe.net> Subject: [anti-abuse-wg] On "very" fast IPv6-growing entities This specific case is not involved with observed abuse, but it elicited my curiosity. It is not the first time that I see such things, and I'd like to see what other people think. A GB entity with a ukrainian director, incorporated on 23 March 2024, gets an ASN (AS215158) assigned by RIPE NCC on 05 April 2024, and now, just a week later, they are announcing no less than ten /29 IPv6 networks regularly assigned to them: 2a11:e8c0::/29 2a11:ea80::/29 2a11:ff40::/29 2a12:1040::/29 2a12:2e80::/29 2a12:3c00::/29 2a12:8580::/29 2a12:8a00::/29 2a12:9300::/29 2a12:d080::/29 That is quite a bit of space, indicating the entrance in the field of a large communication company making a large investment on infrastructure in preparation for a sizable number of users. So you look for their website, but in vain. They do not even expose their domain in the RIPE database, just a mailbox on a freemail. So my curiosities are: - what will this huge IPv6 space be used for? - what is the business area of this company? - can any individual easily grab ten /29's just for the fun of it, since there are plenty of them (2^29) before we need to think about 512-bit IPv8? - shouldn't the intended usage be made publicly visible somehow, so that the community can see how and why the space is used, and statistics can be made? (if it is already, I apologize and will appreciate pointers). Natale M Bianchi Spamhaus Project -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
On Fri, Apr 12, 2024 at 12:41:15PM +0000, Daniel Mishayev wrote:
With entities like this, it appears that they just register large amounts of LIRs in order to gain the IPv6 and IPv4 resources. With the ASN that you linked (PEERLINK LTD) the large amounts of IPs belong to a Russian IP leasing platform.
As for what it is used for - I wildly assume it will be used for scraping or botting of some kind - just consult cloudflare radar in a few days to have a general idea of the statistics of what it is used for. A large amount of ipv6 proxy companies have popped up recently though never with this much ipv6.
However, I can comment that PEERLINK was one of our clients and proved themselves to be legally in the clear in terms of ID verification, legal standing and tax.
I hope that RIPE NCC does not accept "scraping or botting of some kind" as a valid motivation to assign a /29, so - if this was the case - I wonder what they wrote. Natale M Bianchi Spamhaus Project
I still wonder what those /14s were assigned for back in the day 😊 Checks out tax etc wise is a very easy thing to do with a shell company registered in a business friendly jurisdiction. From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Natale Maria Bianchi <nmb@spamhaus.org> Date: Friday, 12 April 2024 at 8:39 PM To: anti-abuse-wg@ripe.net <anti-abuse-wg@ripe.net> Subject: Re: [anti-abuse-wg] On "very" fast IPv6-growing entities On Fri, Apr 12, 2024 at 12:41:15PM +0000, Daniel Mishayev wrote:
With entities like this, it appears that they just register large amounts of LIRs in order to gain the IPv6 and IPv4 resources. With the ASN that you linked (PEERLINK LTD) the large amounts of IPs belong to a Russian IP leasing platform.
As for what it is used for - I wildly assume it will be used for scraping or botting of some kind - just consult cloudflare radar in a few days to have a general idea of the statistics of what it is used for. A large amount of ipv6 proxy companies have popped up recently though never with this much ipv6.
However, I can comment that PEERLINK was one of our clients and proved themselves to be legally in the clear in terms of ID verification, legal standing and tax.
I hope that RIPE NCC does not accept "scraping or botting of some kind" as a valid motivation to assign a /29, so - if this was the case - I wonder what they wrote. Natale M Bianchi Spamhaus Project -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
organisation: ORG-NL608-RIPE org-name: Next Limited country: HK address: Rm 1405, 135 Bonham Strand Trade Centre, 135 Bonham Strand address: HK address: Sheung Wan address: HONG KONG phone: +44 20 8159 8328 admin-c: NEX7-RIPE tech-c: NEX7-RIPE abuse-c: NEX7-RIPE mnt-ref: TELECOM-MNT mnt-by: RIPE-NCC-HM-MNT mnt-by: TELECOM-MNT org-type: LIR created: 2024-03-22T10:50:27Z last-modified: 2024-03-26T15:17:14Z source: RIPE # Filtered Hahah I used to live just down the road from this back in 2001-02 in Hong Kong. Serviced / coworking office space on the lines of a Regus, Mailboxes Etc etc. Dozens of companies all crowded into that single room. Reminds me of when RIPE was handing out /14s for the asking to various quite anonymous LIRs and then those ranges would get stuffed with snowshoe spam. Back then I seem to remember someone right here telling me “v4 is running out anyway, v6 is the future” when I raised this. I’d asked what’d happen if this same thing happened with v6 and got told that there’s so much v6 space around, worrying about IP shortages was just a waste of time. [paraphrasing here]. Somewhat similar to the “oh, we’ll never run out of v4, here, have another class C” from back in the good old days. That last thread was just over a decade ago if I remember right. --srs From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Natale Maria Bianchi <nmb@spamhaus.org> Date: Friday, 12 April 2024 at 5:51 PM To: anti-abuse-wg@ripe.net <anti-abuse-wg@ripe.net> Subject: [anti-abuse-wg] On "very" fast IPv6-growing entities This specific case is not involved with observed abuse, but it elicited my curiosity. It is not the first time that I see such things, and I'd like to see what other people think. A GB entity with a ukrainian director, incorporated on 23 March 2024, gets an ASN (AS215158) assigned by RIPE NCC on 05 April 2024, and now, just a week later, they are announcing no less than ten /29 IPv6 networks regularly assigned to them: 2a11:e8c0::/29 2a11:ea80::/29 2a11:ff40::/29 2a12:1040::/29 2a12:2e80::/29 2a12:3c00::/29 2a12:8580::/29 2a12:8a00::/29 2a12:9300::/29 2a12:d080::/29 That is quite a bit of space, indicating the entrance in the field of a large communication company making a large investment on infrastructure in preparation for a sizable number of users. So you look for their website, but in vain. They do not even expose their domain in the RIPE database, just a mailbox on a freemail. So my curiosities are: - what will this huge IPv6 space be used for? - what is the business area of this company? - can any individual easily grab ten /29's just for the fun of it, since there are plenty of them (2^29) before we need to think about 512-bit IPv8? - shouldn't the intended usage be made publicly visible somehow, so that the community can see how and why the space is used, and statistics can be made? (if it is already, I apologize and will appreciate pointers). Natale M Bianchi Spamhaus Project -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
participants (3)
-
Daniel Mishayev -
Natale Maria Bianchi -
Suresh Ramasubramanian