Re: [routing-wg] [anti-abuse-wg] An arrest in Russia
In message <20191228020627.GA9820@allog.giato>, furio ercolessi <furio+as@spin.it> wrote:
>On Fri, Dec 27, 2019 at 02:35:29PM -0800, Ronald F. Guilmette wrote:
>> Anyone have more details about this?
>>
>> https://belsat.eu/en/news/runet-founder-under-house-arrest/
>>
>> The Czech company that allegedly received the allegedly stolen
>> 7.5 "B" blocks (/16) would seem to be this one:
>>
>> ORG-RCS23-RIPE
>> AS15731
>>
>> https://www.ripe.net/membership/indices/data/cz.relcom.html
>>
>> But I am not seeing that ORG as having quite that many IPv4 addresses
>> assigned.
>>
>> Maybe the alleged perp in this case only stole IPv6 addresses (?)
>
>Hello Ron,
>
>in https://ftp.ripe.net/pub/stats/ripencc/membership/alloclist.txt
>under cz.relcom you can currently see the equivalent of about 2.6 "B" blocks.
>
>However, only 10 days ago they were apparently a lot more! For instance, the list at
>https://www-public.imtbs-tsp.eu/~maigron/RIR_Stats/RIPE_Allocations/Allocs/C...
>was collected on Thu Dec 19 2019 and shows the equivalent of about 9.6 "B" blocks
>(I enclose it below).
>So the majority of those blocks appears to have changed LIR, leaving cz.relcom/AS2118-MNT
>to return to ROSNIIROS (aka RIPN) in the past 10 days. Example:
Fascinating.

It would be even more fascinating to have someone from RIPE NCC come and explain to us all how it came to pass that something on the order of an alleged 490 thousand IPv4 addresses got transferred, allegedly illicitly, from a Russian company to a Czech company, AND what rules and standard procedures were followed in order to transfer these back to the Russian company...

... but I also asked for a unicorn for Christmas and I didn't get that either. :-)

I guess that when Russia comes knocking, RIPE NCC submissively complies. I can only wish that they would do the same for me.

Regards,
rfg
Hi Ronald,

How these things slip through is when paperwork gets submitted that is incorrect and falsified with fake signatures. Despite all the efforts that the RIPE NCC is taking to recognize fake / falsified documents ...

On the topic how does it get reversed ... Typically one of the actual directors reports a theft of IP space to the RIPE NCC.. The RIPE NCC will then investigate and if things are incorrect, the legitimate holder can request a reverse of the IP space transfer.

This obviously leaves the buyer ( typically one that paid a lot of money to a certain individual for the IP space ) ... without funds and without IP space.

This is also why some if not most traders will/should walk away from certain deals if it isn't 100% clear who the actual legitimate holder of the IP space is and if the proper signatures aren't on the paperwork.

Funds should always be deposited from an escrow into the bank account of the company that sells the IP space, never to a private bank account of a director or sister company ... Any other options that are requested are typical red flags for money laundering / fraudulent transactions ..

Especially with international fraud, it is hard to get the funds back ... the buyer has little to no option to get the funds back and the one that received the funds is probably long gone.

Regards,
Erik Bais
> How these things slip through is when paperwork gets submitted that is incorrect and falsified with fake signatures.

and the ncc has a job advert out to hire even more lawyers (no blame; it's a mess). can ripe keep from becoming arin?

randy
+1

On Sun, Dec 29, 2019 at 04:10, Randy Bush <randy@psg.com> wrote:
>> How these things slip through is when paperwork gets submitted that is incorrect and falsified with fake signatures.
>
> and the ncc has a job advert out to hire even more lawyers (no blame; it's a mess). can ripe keep from becoming arin?
>
> randy

--
Kind regards.
Lu
In message <CAAvCx3iky28KdLYYQ3Adubkj9i2gsTYv7GQxUzHK4MzcyV93MA@mail.gmail.com> Lu Heng <h.lu@anytimechinese.com> wrote:
> +1

I should think so!

Lu, as the owner of a great deal of legitimately acquired AFRINIC IPv4 space, I should think that you would be suitably outraged to see others committing fraud and/or other kinds of malfeasance in order to scam their way into the same sort of IPv4 space that you legitimately bought and paid for. All of these crooked schemes should quite rightly be an outrage to an honest man such as yourself.

And for that reason I feel sure that you'll be dismayed to learn that you have... undoubtedly unintentionally... been paying at least some of your honest and hard earned money to obtain routing for a small sub-part of your sizable IPv4 holdings to a company that's rather unambiguously linked to yet another apparent IPv4 scam that was already outed some months ago by my friend, journalist Brian Krebs.

I'm speaking specifically about your 154.81.1.0/24, 154.208.12.0/22, and 154.208.16.0/20 blocks, all of which are apparently currently being routed by a recently slapped together Virginia company named "Ting Wireless, LLC" and its apparent proprietor, Roy Tyree Franklin (age 31).

https://opencorporates.com/companies/us_va/S7848650

As we speak, it appears that this company and its ASN, i.e. AS398083, is routing the above named blocks for you, and is also routing a number of blocks for a somewhat slippery company known as Residential Networking Solutions LLC, aka "RESNET", which Brian Krebs identified as being located in the state of Maryland (consistent with the 240 area code of the phone number on the company web site, resnet.io), but which at least some relevant RIPE WHOIS records (e.g. ORG-RI49-RIPE) suggest is actually located in Norwalk, Connecticut.

Here is Brian's article about this apparent scam from August:

https://krebsonsecurity.com/2019/08/the-rise-of-bulletproof-residential-netw...

Since the time of Brian's article, it seems that "RESNET" and its apparent sister company, Maryland Broadband, found the general ambiance rather less accommodating of their chicanery in the ARIN region, so they did the logical thing and started getting their IPv4 space from the always accommodating RIPE region, where no criminal with a good story and a freshly minted shell company is ever turned away, regardless of criminal past or present.

So anyway, Lu, your blocks are being routed by Ting Wireless, LLC, right along with a bunch of others that I have more than a little reason to be suspicious about, specifically regarding their provenance. I feel sure that this horrifies you, just as it does me, and that thus, you'll help me to get to the bottom of it all.

As a first step, I hope that you will introduce me to whoever it was who you contracted with at Ting Wireless in order to arrange for that company to route your blocks, which it is quite clearly doing, right alongside all of the questionable stuff:

https://bgp.he.net/AS398083#_prefixes

Who did you send your check to at the fresh new company Ting Wireless, LLC? Would that have been Mr. Roy Tyree Franklin? Is that by any chance the exact same high-end experienced and seasoned networking professional, Roy Tyree Franklin, who was busted on March 15, 2015, in Petersburg, Virginia for fishing without a license?

https://www.pressreader.com/usa/the-progress-index/20150420/281573764231659

Like I always say, "Beware the Ides of March!"

I have to say, I think that he would have been better served if he had been stringing cat6 that day, or maybe upgrading his A/C plant, rather than trawling for catfish. But that's just my opinion.

Anyway, if you can arrange it, I would love to have you make a personal introduction so that I can maybe get to the bottom of this whole set of questions I have about this whole RESNET / Maryland Broadband thing. Please do let me know if you can do that. I don't see any reason why you wouldn't be able to make connections for me, considering that you are clearly doing business with this company (Ting Wireless).

Regards,
rfg

P.S. Brian said in his article that AT&T had told him that "We have taken steps to terminate this company's services and have referred the matter to law enforcement." but I guess that whichever LE people AT&T spoke with, they have other more pressing things on their plates, and other fish to fry... no pun intended. So I guess it's up to me... again... to figure out what's actually going on here, and your kind assistance would be greatly appreciated.
On 28/12/2019 21:09, Randy Bush wrote:
>> How these things slip through is when paperwork gets submitted that is incorrect and falsified with fake signatures.
>
> and the ncc has a job advert out to hire even more lawyers (no blame; it's a mess). can ripe keep from becoming arin?
>
> randy
It would be nice if RIPE NCC could provide as part of its annual report a list of incidents of this nature so we have an idea of how wide-spread this is - or not.

-Hank
> It would be nice if RIPE NCC could provide as part of its annual report a list of incidents of this nature so we have an idea of how wide-spread this is - or not.

as i try not to indulge in schadenfreude, i don't have much use for this information.

we spent some time in this space in rotterdam. the presos were well done, but not my cup of coffee. i am sure there were others who found it fascinating. i guess that's what makes the world go 'round.

randy
participants (5)
- Erik Bais
- Hank Nussbacher
- Lu Heng
- Randy Bush
- Ronald F. Guilmette