Hi Ronald,

APNIC has contacted the custodians of 139.44.0.0/16 and 168.198.0.0/16 and brought this matter to their attention.

Regards,

Vivek

Member Services Manager, APNIC

From: Ronald F. Guilmette <rfg@tristatelogic.com>

    Date: Fri, Sep 6, 2019 at 6:30 PM

    Subject: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft?

    To: <nanog@nanog.org>

   

    

    Few of you here probably know about this, but nearly a week ago now

    an article appeared in South Africa's largest and most popular online

    tech publication, MyBroadband.co.za.  It detailed many, but certainly not

    all of the results of my multi-month investigation of a massive and

    ongoing fraud involving the theft of large numbers of large (generally

    /16 or larger) abandoned legacy blocks, taken from the AFRINIC region

    and beyond:

   

    https://mybroadband.co.za/news/internet/318205-the-big-south-african-ip-address-heist-how-millions-are-made-on-the-grey-market.html

   

    For various editorial reasons, the article that was published actually

    downplayed the magnitude of the thefts quite dramatically.  The

    totality of the IPv4 space that has been stolen or squatted, primarily

    but not exclusively, from South African companies and South African national

    government agencies and departments is actually at least 5x bigger than what

    was reported in the MyBroadband.co.za article.

   

    The overwhelming majority of this stolen and squatted IPv4 space has

    been helpfully routed by Cogent (AS174), to their customer, FDCServers

    of Chicago, and then on to the preferred destinations of a certain Mr.

    Elad Cohen of Israel, and his company Netstyle Atarim, Ltd.  (I have

    saved traceroutes up the wazoo that prove the involvement of FDCServers,

    in particular, in all of this.)

   

    Mr. Cohen has been exceptionally prolific in his IPv4 theft and squatting

    activities, basically grabbing everything that wasn't nailed down, both

    within the AFRINIC region and also within the APNIC region.

   

    In order to try to legitimize all of these thefts and squats, Mr. Cohen

    created quite a sizable number of fraudulent route: objects within the

    Merit/RADB data base which, as most here should already know, has

    essentially zero authentication of any kind before it allows J. Random

    Luser to add pretty much any route: object he wants to the RADB.

   

    Here's a full listing of all of Mr. Cohen's RADB route: objects as they

    existed as recently as August 17th:

   

        https://pastebin.com/raw/ZNgNuvtt

   

    And here is the short summary version showing just all of the prefixes/CIDRs

    that Mr. Cohen was effectively claiming rights and/or title to as of that

    same date:

   

        https://pastebin.com/raw/4LTaCg5R

   

    Please do note the numerous blocks of size /16 or greater.

   

    The bottom line is that this one tiny little Israeli company was effectively

    claiming rights to a total of no fewer than 1,015,808 IPv4 addresses as of

    August 17th, 2019.  (Not too shabby for one lone guy who teaches programming

    classes as a side job!) Virtually all of the space is "legacy" IPv4 space,

    and generally consists of blocks having sizes of /16 or larger.

   

    Some of Mr. Cohen's claims in his RADB entries are as humorous as they

    are pathetically fraudulent.  For example, Mr. Cohen has effectively

    claimed rights to 139.44.0.0/16 which unambiguously belongs to the Port

    Authority of the City of Melbourne, Australia.  But hell!  That's merely

    city property!  Mr. Cohen's limitless appetite for other people's IPv4

    space is more vividly on display in his claims to ownership over the

    168.198.0.0/16 block, which actually belongs to the Department of Finance

    of the Australian national government.  And I haven't even mentioned yet

    another of Mr. Cohen's voluminous IPv4 acquisitions, the 165.25.0.0/16 block,

    which he did not see fit to create an RADB entry for, but which he's

    been squatting on for quite some time now, quite clearly with the

    aid and assistance of both Cogent and FDCServers.  That one belongs to

    the City of Cape Town, South Africa.  That city's engineers have been

    struggling to regain control of their block back from Cogent, from

    FDCServers, and from Mr. Cohen for some time now.   I know because I've

    personally spoken to them about it.  Cogent, in its infinite wisdom, is

    continuing to fight the city for control over property that clearly and

    rightfully belongs to the City of Cape Town, even as we speak:

   

        https://drive.google.com/file/d/1ytRj1CtuVhDa0eGu4BT-oEz593y5EwJa/view

   

    When asked for LOAs attesting to his legitimate authority to route at

    least a few of these blocks, Mr. Cohen has produced blatantly forged

    documents, many of which appeared in the MyBroadband.co.za story.  And

    when I say "blatant" that's a gross understatement.  Any half-way decent

    forger would consider these documents an embarrassment.  The documents all

    bear identical signatures, and identical and vaguely official looking

    stamps, and purport to actually be sales receipts attesting to the

    alleged purchases, by Mr. Cohen's offshore Seychelles Islands shell

    company, Afri Holdings, Ltd., of various /16 blocks from a mysterious

    company called Afrivestment, Ltd., which may actually exist in some

    faraway galaxy, or in Mr. Cohen's active imagination, but which both

    Google and OpenCorporates.com seem to agree exists exactly noplace on

    this planet.  Here are the manufactured LOAs supplied by Mr. Cohen:

   

        https://drive.google.com/file/d/1hVjmR6u0ANltuXtZ-Kng8io-EGFyevTR/view

        https://drive.google.com/file/d/1x_44_H5hkcFLhEwpkwfFoR5PJUyXHzxJ/view

        https://drive.google.com/file/d/1yQyqn4q_f3bt-wDVoN1FzbXf1k58DXtK/view

   

    Recently, Cohen started to move some, but not all, of his stolen and squatted

    IPv4 blocks off of Cogent/FDCServers and onto a friendly little bullet-proof

    hosting company in the Netherlands named IP Volume, Inc. (AS202425) and/or

    to its several sister networks, e.g. AS204655 - Novogara Ltd., all of which,

    coincidently, just happen to be owned by the exact same pair of Dutch

    gentlemen who previously owned the notorious Ecatel, followed by the notorious

    Quasi Networks.  (IP Volume, Inc. appears to have inherited all or nearly

    all of its legitimately assigned IP space from its predecessor entities,

    Ecatel and Quasi Networks.)

   

    Despite these relocations, many of Mr. Cohen's stolen and squatted blocks

    are still helpfully being routed to Mr. Cohen's preferred destinations by

    his good friends at Cogent and FDCServers, even as we speak.  The current

    set of such routes that Cogent is maintaining, at the moment, apparently on

    behalf of their customer, Mr. Cohen, consists of the prefixes listed here:

   

        https://pastebin.com/raw/EA3xJVLF

   

    When I noticed two days ago that all of these routes were still up I was

    deeply confused.  Did both Cogent and FDCServers not get the memo??  Do

    they not know yet that Cohen is stealing stuff, left, right, and sideways?

    Did nobody even tell them about the MyBroadband.co.za article which was

    published this past Sunday?  I decided that it was incumbent upon me to

    find out.

   

    Thus, more than 48 hours ago now I sent the following polite but firm

    inquiry to Cogent, and a separate nearly identical one directly to the

    CEO of FDCServers, Mr. Petr Kral (petr(at)fdcservers.net).

   

        https://pastebin.com/raw/ztipqE96

   

    A full forty eight hours later, I have received no reply whatsoever from

    either Cogent or FDCServers, not even a "Go pound sand" type of response.

   

    More importantly, most of the stolen IPv4 space that I called out, very

    specifically, to both Cogent and FDCServers two+ days ago now is still

    being routed by Cogent/FDCServers to their fun-loving and, I'm sure,

    promptly paying customer, Mr. Cohen.  If neither Cogent nor FDCServers

    still do not know now that Mr. Cohen is a crook, and that he has glommed

    onto quite a lot of stolen and squatted IPv4 space... which they have

    been helpfully routing for him, no doubt in exchange for some handsome

    payments... then I am forced to say that it appears to be a reasonable

    conclusion that it must be because neither Cogent nor FDCServers really

    wants to know what sort of a character Cohen is, or what he has been up

    to, specifically with their ongoing and material assistance.

   

    But you all be the judges.  What does it look like to you?

   

    

    Regards,

    rfg