Hijack Factory: AS201640 / AS200002
How does one go about making a formal request to RIPE NCC to investigate a given AS registrant/registration?

Given that AS201640 appears to exist exclusively for the purpose of hijacking multiple/numerous blocks of IPv4 space that it rather clearly has no rights to, I would like to formally lodge exactly such a request.

http://blogs.cisco.com/security/talos/help-my-ip-address-has-been-hijacked/
http://mailman.nanog.org/pipermail/nanog/2014-October/071056.html

This is ongoing, as we speak. Among the many IP blocks being hijacked, one of them even belongs to the Taiwan Network Information Center.

Note that the hijacked IP space is being used, perhaps by multiple parties, but also by at least one convicted felon, and for one very specific purpose...

http://krebsonsecurity.com/2014/11/still-spamming-after-all-these-years/

Regards,
rfg

P.S. To be clear, I would like to see there be an investigation of _both_ AS201640 and also the one and only other AS that appears to connect AS201640 to the rest of the world, i.e. AS200002.

Somebody please help me here. I did try to read at least one of the official RIPE NCC registration requirement documents yesterday, and I was left with the impression... perhaps incorrect on my part... that in order to obtain an AS, the network in question must be multi-homed. Doesn't that mean that the network in question must have connectivity to the outside world via *more than one* other AS?

P.P.S. Unlike RIPE number resource allocations, it _is_ easily possible to find the registration date for most domain names in most TLDs. The AS primarily at issue here is AS201640 and it seems to be associated with a (contact) domain name of "grimhosting.com". (The associated web site, by the way, is _not_ hosted within any IP space which is being announced by AS201640. Rather it is hosted on Cloudflare.) Anyway, the registration date for the domain name grimhosting.com is 2014-06-18.

The person name on the registration for both the AS and that domain name is "Bogomil Simeonov". In the domain name registration, this name is associated with the e-mail address <simeonov_zepter@abv.bg>. That address in turn seems to be associated with some company named Zepter Bulgaria Ltd., which is apparently a "direct sales" organization, and also, perhaps, with the young man who is pictured in/on this web page: http://cv-simeonov.hit.bg/
Dear Ronald and all,

The RIPE NCC investigates reports about Internet number resource registrations. These fall into different categories:

- Violation of RIPE Policies and RIPE NCC Procedures
- Provision of untruthful information to the RIPE NCC
- Bankruptcy, liquidation or insolvency
- Incorrect contact information in the RIPE Database

You can read more about the procedure together with a link for submitting a report at: https://www.ripe.net/contact/reporting-procedure

Kind regards,
Laura Cobley
Customer Services Manager
RIPE NCC

On 05/11/14 21:38, Ronald F. Guilmette wrote:
Hi Ronald,

Don't waste your time. RIPE is not going to do anything about piracy. They will tell you that they can't become judges and that their obligation is limited to the four points raised by Ms. Cobley. When RIPE is actually a judge that has decided to protect internet piracy.

You can be sure that RIPE will open a case against any LIR that does not pay its fee, but you can keep waiting to see RIPE open a case to investigate bad use of the internet by one of its associated LIRs.

Regards,
Ángel

-----Original Message-----
From: anti-abuse-wg-bounces@ripe.net [mailto:anti-abuse-wg-bounces@ripe.net] On behalf of Laura Cobley
Sent: Thursday, 6 November 2014 15:27
To: Ronald F. Guilmette; anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] Hijack Factory: AS201640 / AS200002
In message <545B8542.9010203@ripe.net>, Laura Cobley <laura@ripe.net> wrote:
Dear Ronald and all,
The RIPE NCC investigates reports about Internet number resource registrations. These fall into different categories:
- Violation of RIPE Policies and RIPE NCC Procedures
- Provision of untruthful information to the RIPE NCC
- Bankruptcy, liquidation or insolvency
- Incorrect contact information in the RIPE Database
You can read more about the procedure together with a link for submitting a report at: https://www.ripe.net/contact/reporting-procedure
Thank you Laura. This information is really most helpful.

As should be apparent, I would like to file a report on AS201640, but I believe that I may need some help with that, from you, from the members of this mailing list, or both.

This is not a case involving any kind of bankruptcy, so that one (out of four) is clearly inapplicable. But with regards to the remaining three possibilities, I could use some guidance. Let's take them one at a time.

(*) Violation of RIPE Policies and RIPE NCC Procedures

I asked the list about this earlier. Is there a requirement that an AS be ``multi-homed'' and does AS201640 currently appear to be fulfilling that requirement? Could some list participants who know more than me on this point... which is to say just about everybody... please comment and enlighten me?

(*) Provision of untruthful information to the RIPE NCC

Here again, I need to ask for guidance. Last night, I did see several things... things in the RIPE WHOIS data base... that did seem entirely wrong to me. If one queries the RIPE WHOIS data base, right now, about any of the following IP addresses, you will see what I mean:

105.154.248.0
210.57.0.0
202.39.112.0
119.227.224.0
41.198.224.0

The responses that come back from the RIPE WHOIS server say that each of the above IP addresses belongs to "MEGA - SPRED LTD". I believe that these responses are all incorrect however, and that in fact, none of the relevant IP ranges is actually, formally, and properly registered to either "MEGA - SPRED LTD" or to -any- entity within the RIPE region for that matter. (The addresses in question belong to other RIRs. So sayeth IANA.)

So there are two seemingly obvious questions:

1) Did these RIPE data base entries come about because "MEGA - SPRED LTD" ``provided untruthful information to the RIPE NCC''? I can't tell. I guess that it largely depends upon one's definition of ``untruthful''.

It *is* in fact true/truthful that AS201640 *has* in fact been announcing routes to the relevant blocks of IPv4 space. But it is my contention that they have no rights to do so. If true, would that situation imply untruthfulness... actionable or otherwise... on the part of AS201640?

2) How on earth did these RIPE IPv4 block registration records even manage to get in to the RIPE WHOIS data base anyway?? As I have said, the IP blocks in question all seem to belong to other RIRs. That is what the whois.iana.org WHOIS server is telling me anyway. Does the RIPE WHOIS data base routinely contradict the IANA data base in this way? Is it _supposed_ to do so? Does any checking occur on newly added RIPE WHOIS records... before they go into the RIPE WHOIS data base... to make sure that no such newly added RIPE WHOIS records conflict with what IANA believes (regarding number resource allocations)? If not, why not? And if so, how did the five examples above slip past these simple consistency checks?

(*) Incorrect contact information in the RIPE Database

I gather that this one is intended to deal with contact data that, while once having been accurate, has not been properly maintained, over time. So I guess that this doesn't apply to the present case either.

Regards,
rfg
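The two checks Ronald asks about above, whether an inetnum found in the RIPE Database sits inside address space that IANA delegated to a different RIR, and (from his first message) how many distinct upstream ASes a given AS is seen behind, can both be scripted. The following is an added example, not code from the thread or from the RIPE NCC. The whois text and the AS paths in it are constructed stand-ins (the real records were not captured on this page), only the /8-to-RIR mapping is taken from the IANA IPv4 Address Space Registry, and the function names are the example's own.

```python
"""Added example: cross-check RIPE Database inetnum records against IANA's /8
delegations, and count the upstream ASNs a target AS is seen behind in BGP
AS paths.  Everything except the IANA /8 -> RIR table is constructed data."""
import ipaddress
import re

# Excerpt of the IANA IPv4 Address Space Registry (/8 -> RIR) for the blocks
# named in the thread plus one RIPE block for contrast.  This table is real.
IANA_SLASH8 = {
    41: "AFRINIC",
    105: "AFRINIC",
    119: "APNIC",
    202: "APNIC",
    210: "APNIC",
    193: "RIPE NCC",
}

# CONSTRUCTED stand-in for what a RIPE whois query returns; not a real record.
SAMPLE_RIPE_WHOIS = """\
inetnum:        105.154.248.0 - 105.154.255.255
netname:        EXAMPLE-NET-1
descr:          MEGA - SPRED LTD
country:        BG
source:         RIPE

inetnum:        193.0.0.0 - 193.0.7.255
netname:        EXAMPLE-NET-2
descr:          Example holder in RIPE region
country:        NL
source:         RIPE
"""


def parse_inetnums(text):
    """Yield (first_ip, last_ip, descr) for each inetnum object in whois text."""
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip(), value.strip())  # keep first descr:
        if "inetnum" not in attrs:
            continue
        first, _, last = attrs["inetnum"].partition("-")
        yield (ipaddress.ip_address(first.strip()),
               ipaddress.ip_address(last.strip()),
               attrs.get("descr", ""))


def iana_rir_for(addr):
    """RIR that IANA delegated the enclosing /8 to, or None if not in the excerpt."""
    return IANA_SLASH8.get(int(ipaddress.ip_address(addr)) >> 24)


def find_conflicts(whois_text, local_rir="RIPE NCC"):
    """Return [(range, descr, iana_rir)] for records whose /8 belongs to another RIR."""
    conflicts = []
    for first, last, descr in parse_inetnums(whois_text):
        rir = iana_rir_for(str(first))
        if rir is not None and rir != local_rir:
            conflicts.append((f"{first}-{last}", descr, rir))
    return conflicts


def upstreams_of(target_asn, as_paths):
    """Distinct ASNs seen immediately before target_asn (the origin) in AS paths."""
    ups = set()
    for path in as_paths:
        # Collapse AS-path prepending, then look at the hop before the origin.
        hops = [a for i, a in enumerate(path) if i == 0 or a != path[i - 1]]
        if len(hops) >= 2 and hops[-1] == target_asn:
            ups.add(hops[-2])
    return ups


# CONSTRUCTED AS paths in route-collector style (collector ... origin); not real.
SAMPLE_PATHS = [
    [3356, 6939, 200002, 201640],
    [1299, 200002, 201640, 201640],
    [2914, 6939, 200002, 201640],
]

if __name__ == "__main__":
    for rng, descr, rir in find_conflicts(SAMPLE_RIPE_WHOIS):
        print(f"CONFLICT {rng} ({descr}): IANA delegated this /8 to {rir}")
    print("upstreams of AS201640:", sorted(upstreams_of(201640, SAMPLE_PATHS)))
```

Two caveats when running this against live data: a /8 table is only a first filter, since IANA also records smaller legacy and ERX ranges that were transferred between RIRs, so a hit should be confirmed against whois.iana.org before it is reported; and a route collector only shows the paths its peers happen to export, so seeing a single upstream in the collected paths is evidence, not proof, that an AS is single-homed.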