[[ Fair warning to newcomers: I write and post longish pieces here regarding my various investigations of funny business I find going on within the IPv4 address space and the allocations and uses thereof. If you're looking for a quick 2 minute read then you are advised to skip this message now. ]]

I confess that I have been meaning to write about the 159.174.0.0/16 legacy IPv4 block for quite some time now. What can I say? I was busy.

The Present State of 159.174.0.0/16
-----------------------------------

I discovered quite some long time ago that this block was getting routing from a rather unusual place, and that the ASN in question was also announcing a few other nice juicy /16 legacy blocks, which by itself was more than a little suspicious. But that's not important now. Please allow me to just talk about who is routing this block at present, and who the alleged legitimate registrants are, going by ARIN's relevant current WHOIS record for this block:

https://pastebin.com/raw/FBWMN9p3

As you can see, this block is registered to an entity located in Wilton, Connecticut. The block appears to have been originally assigned on 1992-05-11, well before the formation of ARIN. It is thus an unusually valuable "legacy" block.

The first indication that something might be a bit off about this block is the contact phone number, +1-407-476-9854. In this modern era of number portability the area code portion of that may or may not have any real-world geographical implications at all, but it turns out to be notable, in this case, that area code 407 corresponds, historically, to the greater Orlando, Florida area and surrounding Florida counties.

A quick bit of research reveals that there is in fact an entity calling itself Dunsnet, LLC and that it is located in Winter Park, Florida, a northern suburb of Orlando:

http://search.sunbiz.org/Inquiry/CorporationSearch/SearchResultDetail?inquirytype=EntityName&directionType=Initial&searchNameOrder=DUNSNET%20L120001007590&aggregateId=flal-l12000100759-15618501-6ea8-4b18-898e-6470337507d1&searchTerm=dunsnet&listNameOrder=DUNSNET%20L120001007590

Further research on the Florida Secretary of State's web site confirms that this entity does exist, that it is "active", and that it has one and only one manager, that being another corporate entity called Ahosting, Inc.:

http://search.sunbiz.org/Inquiry/CorporationSearch/SearchResultDetail?inquirytype=EntityName&directionType=Initial&searchNameOrder=AHOSTING%20P070001262120&aggregateId=domp-p07000126212-a6386b50-075c-4b07-b36e-ff5a3ba1b33c&searchTerm=ahosting&listNameOrder=AHOSTING%20P070001262120

As you can see via the above link, Ahosting, Inc. has only two corporate directors, i.e. a Mr. Erkan Ozdogan and a Mr. Adnan Canturk, both apparently residents of Istanbul, Turkey.

At the present time, 100% of the 159.174.0.0/16 legacy block is being routed by AS54163, aka Ahosting, Inc.:

https://bgp.he.net/AS54163#_prefixes

The question is: Is this proper?

A Brief History of 159.174.0.0/16
---------------------------------

When the 159.174.0.0/16 block was first allocated and registered, way back on 1992-05-11, it was assigned at that time to a unit of the famous Dun & Bradstreet financial information company for use in connection with one of the company's early forays into the world of the Internet:

Fortune Magazine, August 19, 1985:
https://archive.fortune.com/magazines/fortune/fortune_archive/1985/08/19/663...

"Dun & Bradstreet also operates DunsNet, a $20-million private telecommunications network completed in March, which connects customers in 155 cities directly to the company's mainframes."

On June 8th, 1994, Dun & Bradstreet's "Dunsnet" operation announced that it had elected to partner with a European company named Eunetcom SA, which was itself a partnership between Deutsche Bundespost Telekom and France Telecom:

https://www.cbronline.com/news/eunetcom_wins_dunsnet_pact/

In August, 1994, Eunetcom apparently elected to buy out its customer, Dunsnet:

"The Information Superhighway" (Randall L. Carlson - 1996)
https://bit.ly/2O7kV48

"Eunetcom is actively pursuing customers and entry into the North American market. Its first customer was worth $200 million over five years and was {subsequently} acquired by purchasing the networking services of Dun & Bradstreet's DunsNet. DunsNet provides data communications services for the Dun & Bradstreet companies, a role that Eunetcom now assumes."

https://www.postjobfree.com/resume/pumacu/unix-administrator-technical-analy...

"In August 1994, DunsNet was acquired by eunetcom, a joint venture between Deutsche Telekom and France Telecom."

As we all know, unlike the situation today, IPv4 blocks in the 1990s had essentially no monetary value. And thus the 159.174.0.0/16 block became forgotten and abandoned by its rightful owners, which is to say Deutsche Telekom and France Telecom.

Fast forward some 16 years to June 29, 2011, on which date it appears that two clever fellows in Istanbul, Turkey began what would seem to be a quite deliberate, premeditated, and determined effort to take control of the (now quite valuable) 159.174.0.0/16 legacy block via the same sort of simple-minded ruse that had already, by that time, worked so well for others who likewise coveted various ARIN-administered large and valuable legacy IPv4 blocks. They simply pretended to be "Dunsnet" and began the process of requesting from ARIN complete control over "their" legacy block. ARIN apparently obliged and permitted these two Turkish gentlemen to make various changes to the relevant ARIN WHOIS records.

The official ARIN "WhoWas" historical records relating to the 159.174.0.0/16 block show quite clearly various changes being made to the relevant organization record on 06-29-2011, 09-24-2011, and again on 11-06-2017:

https://pastebin.com/raw/WTgvjXg2

Also and similarly, changes were made to the NET-159-174-0-0-1 record for the block itself on 06-29-2011 and again on 11-06-2017:

https://pastebin.com/raw/b3F1eTua

These latter day changes to the relevant ARIN WHOIS records might have been and remained mostly unsuspicious had it not been for the creation, by the aforementioned two Turkish gentlemen, on 08/06/2012, of the new Florida LLC named "Dunsnet, LLC". (See link above.) In this context, it seems more than plausible that the name of this newly minted Florida LLC was chosen specifically and deliberately with the intent of hiding the facts regarding the illicit usurpation of the valuable 159.174.0.0/16 block.

This pattern of apparent corporate-level identity theft is one that I have already seen on multiple previous occasions in association with fraud, perpetrated against some Regional Internet Registry (and ARIN in particular) with the goal being the theft of some sizable IPv4 legacy block. In fact, the only thing that is actually striking and somewhat remarkable in this case is the exact timing of the relevant events.

As noted above, the relevant ARIN WHOIS records were, it appears, improperly fiddled on various dates in 2011. It is not immediately clear why ARIN would have allowed such manipulations in that year, given that the fraudulent Florida shell company, Dunsnet, LLC was not actually incorporated until 08/06/2012 according to Florida state records. (See link above.)

As noted above, official Florida state records for Dunsnet, LLC say that it has one and only one manager, that being Ahosting, Inc. As also noted above, two specific persons appear to be in control of Ahosting, Inc., Mr. Erkan Ozdogan and Mr. Adnan Canturk, both residents of Istanbul, Turkey.

Despite the strikingly inconvenient commute that these two gentlemen must apparently have to deal with, these gentlemen quite obviously are the principals of at least the two Florida corporate entities named above.

A look at some relevant web sites provides us with some further clues.

Whereas ahosting.com formerly was associated with a fully functioning web site, that appears to not be the case at the present time. There is some downloadable content that can be reached via a URL which, in normal circumstances, would be expected to take you to the home page of this company, but the content in question is just some small bit of HTML that my various web browsers refuse to render for some reason.

The same problem seems to also and likewise afflict what should be the home page for dunsnet.com. And the same again also for the web site associated with the domain name mentioned in the WHOIS record for AS54163, ahostinginc.com. (Remember that this ASN is currently routing all of the 159.174.0.0/16 block.) In this last case however the content provides some clues as to an apparently related business known as aseohosting.com, where the "SEO" part apparently stands for "Search Engine Optimization".

https://pastebin.com/raw/PnpgnA2A

A simple Google search for Mr. Erkan Ozdogan turns up little of interest, however a similar search in the case of Mr. Adnan Canturk turns up multiple bits of his social media footprint:

https://www.linkedin.com/in/adnan-canturk-24a66633
https://twitter.com/adnan_canturk

The latter page provides us with a link to Mr. Canturk's personal web site, adnancanturk.com, but this also appears to have a dysfunctional home page. Nonetheless, the text content that can be fetched from that URL further confirms Mr. Canturk's apparent connection to a business named "Aseohosting":

https://pastebin.com/raw/NTW9nH6G

Despite all of these dysfunctional web sites and home pages, the web site and the home page of aseohosting.com appear to be very much alive and well at present:

https://www.aseohosting.com/

It is my hope that I will not have to go into too much detail in order to explain to the audience here why the use of large numbers of unique IPv4 addresses might be viewed by some as an integral part of any one of the net's myriad and almost entirely useless "SEO" schemes whose intent is the fundamental hoodwinking of search engines, such as Google, and their algorithms. The ultimate goal of these schemes, of course, is to snooker the search engines into displaying certain results above others.

The bottom line is that it would appear that in this case, in the year 2011, Mr. Ozdogan and Mr. Canturk found themselves a convenient and zero cost way of acquiring a sizable supply of IPv4 addresses, and that at the present time these valuable legacy IPv4 addresses are being employed (wasted?) on one big and undoubtedly fruitless search engine optimization scheme.

To say that this is not the highest, best or most efficient use of the increasingly scarce supply of IPv4 addresses would, I'm sure, be a serious understatement. (To paraphrase my mother's early admonitions to me at dinner time "There are children starving in Asia who would like to have those IP addresses!")

I must note that before posting this message I have made what I believe to be reasonable efforts to contact both Mr. Ozdogan and Mr. Canturk via every email address I could find for them, offering them the opportunity to respond to the preceding facts and my interpretation of them, while promising those gentlemen that I would post their responses, whatever they might be. No response was received to this offer by press time.

I also emailed John Curran, CEO of ARIN, prior to posting this message, and also offered him an opportunity to provide me with a response. This is his response:

"ARIN does not comment on specific registry changes (as number resource change requests are made in confidence), but we do take matters of potential number resource fraud quite seriously. As you have chosen not to report this case of potential fraud, ARIN will not be investigating at this time, but we would welcome a fraud report if you believe that there is a need for investigation."
-- John Curran, CEO, ARIN

In closing I would just like to offer my personal observation that over time it appears to me that ARIN has been repeatedly victimized by this exact form of rather transparent fraud based on corporate identity theft. Instances of this date back to 2008, and now appear to have occurred as recently as last year. (More about that later.) I find this fact more than a little troubling, not least because of the apparent correlation between the specific IPv4 blocks that have been purloined in this manner and the congregation of Internet bad actors... spammers, hackers, and all manner of other Internet hooligans and miscreants... in and around the relevant stolen blocks.

I understand that ARIN has neither the mandate to perform exhaustive investigations of all requests it receives, nor the kind of unlimited resources that might be required in order to do exhaustive investigations on a routine basis. That having been said however, in this and other such instances, the fraudulent nature of the requests has been really rather obvious and transparent, requiring only the most modest amount of effort to note one or more of the glaring red flags and thus the need for further inquiry.

I feel compelled to also note that ARIN's responses to cases such as this (e.g. the case of the 143.95.0.0/16 block) or, more accurately, the general lack of such responses may ultimately prove to be problematic, not just for ARIN but for the United States Department of Justice, e.g. in its current prosecution of federal criminal case 3:18-CR-04683-GPC:

https://krebsonsecurity.com/2019/09/feds-allege-adconion-employees-hijacked-...

I am not immediately persuaded that a case could not be made, by the defense in that case, for selective prosecution. To an outsider such as myself, it seems that it might be difficult to defend and justify a decision to criminally prosecute one case in which ARIN was allegedly defrauded, apparently by persons of less-than-impressive means, while electing to -not- prosecute a half-billion dollar corporation, such as EIGI, against which the weight of the evidence may perhaps be equally compelling. This is the kind of slippery slope that one begins to traverse when one is guided by convenience or pragmatics, rather than by even-handed principle.

Regards,
rfg

P.S. I have previously been in contact with a representative of Orange S.A., formerly France Telecom, and have requested that he arrange for his company to take back control of what would appear to be their partial ownership of the 159.174.0.0/16 block. To the best of my knowledge, no action has been taken by the company in this direction.

To date I have been utterly unable to make contact with any representative of Deutsche Telekom in order to likewise encourage that company to reassert its apparently rightful claims to the 159.174.0.0/16 block. I would thus appreciate any referrals to any actual natural persons in that company with whom I might be able to discuss this matter. (I have a standing policy of never attempting to converse with unaccountable anonymized role accounts. Based on past experience, this is without exception an utter waste of my time.)