AS37135, AS6560, AS32714, AS14029 - Squatted or not? You be the judge.
At least one person has now asserted to me in private email that my suggestion that AS30186 was being squatted on was in fact accurate. Thus, I now feel confident enough to provide here the rest of the story which goes along with that.

In a nutshell, AS30186 and also two other ASNs together appear to all be parts of a single large multi-ASN squat. In addition to what appears to be a squat on AS30186 (the former Ross Technology Inc. of Austin, Texas, which even Wikipedia says has been dead for lo these past 18 years), it appears to me, based on the evidence, that the exact same large scale spamming company is, at present, also usurping and squatting on two additional AFRINIC ASNs, namely AS37135 and AS6560.

I provide here listings of the current forward resolutions of a sizable number of snowshoe spammer nonsense domain names (more than 1,400 in total) which are currently associated with various portions of several apparently illicitly appropriated AFRINIC /16 blocks:

  AS37135: http://pastebin.com/raw/PkBagrpJ
  AS6560:  http://pastebin.com/raw/zg9W2agN

The affected, and apparently long-orphaned, AFRINIC IPv4 blocks involved are as follows. Note that these each have their own AFRINIC block registration records which indicate that they belong to, among others, a chemicals & power company (155.237.0.0/16), a manufacturer of stainless steel products (160.115.0.0/16), an international mining company (163.197.0.0/16), a manufacturer of fertilizers and nitrogen compounds (163.198.0.0/16), an agricultural chemicals company (164.155.0.0/16), the Directorate of Information Services for the South African government (165.25.0.0), a Seychelles Islands ISP (168.80.16.0/15), and a South African outsourcing and business services company (196.9.0.0/16).
Despite these "official" IPv4 block registrations, based on the evidence as shown in the above Pastebin reports, I am forced to conclude that somehow, magically, all of these long-dormant African entities recently began hosting parts of a large scale snowshoe spamming operation, including even the Directorate of Information Services for the South African government, as well as the South African Post Office (196.10.0.0/16), both of which appear to be kindly lending a hand to these spammers also.

Here is the list of affected AFRINIC-allocated IPv4 blocks:

  152.108.0.0/16
  155.159.0.0/16
  155.235.0.0/16
  155.237.0.0/16
  160.115.0.0/16
  160.116.0.0/16
  160.122.0.0/16
  163.197.0.0/16
  163.198.0.0/16
  164.155.0.0/16
  165.25.0.0/16
  168.76.0.0/16
  168.80.16.0/15
  196.9.0.0/16
  196.10.0.0/16
  196.16.0.0/14
  196.15.64.0/18

Note that AS37135 and AS6560, which I contend are themselves being squatted on, are currently announcing numerous discrete and discreet /20, /21, and /19 blocks out of the above large blocks, perhaps with a view to the future and to switching their announcements to other and different sub-blocks within these same containing blocks, e.g. when they have so thoroughly sullied the reputations of the blocks they are currently using as to have caused those blocks to be universally blacklisted everywhere.

In any case, here are the current announcements being made by AS37135 and AS6560, respectively. Note that the set of announcements from these ASNs has changed, and significantly, even just within the past 24 hours. What you are seeing here is just the routes being announced by these two suspicious ASNs as I write this.
AS37135:

  152.108.0.0/19
  155.235.80.0/20
  155.235.128.0/19
  155.235.224.0/19
  155.237.128.0/21
  155.237.128.0/19
  160.115.32.0/20
  160.115.48.0/20
  160.115.64.0/20
  160.115.80.0/20
  160.115.96.0/20
  160.115.112.0/20
  160.116.112.0/20
  160.116.160.0/20
  160.116.192.0/20
  160.122.0.0/19
  160.122.128.0/21
  160.122.240.0/21
  163.198.0.0/20
  163.198.64.0/20
  168.76.128.0/20   -- Free State Education Department (not routed earlier today)
  196.9.32.0/20
  196.9.128.0/20

AS6560:

  155.159.128.0/20
  155.237.64.0/20
  155.237.208.0/20
  155.237.224.0/20
  155.237.240.0/20
  163.197.112.0/20
  163.197.144.0/20
  163.197.176.0/20
  163.197.208.0/20
  163.197.240.0/20
  163.198.16.0/20
  163.198.80.0/20
  163.198.96.0/20
  163.198.144.0/20
  163.198.192.0/20
  163.198.224.0/20
  164.155.0.0/20
  164.155.64.0/20
  164.155.128.0/20
  164.155.192.0/20
  165.25.0.0/20
  165.25.32.0/20
  165.25.64.0/20
  165.25.96.0/20
  165.25.128.0/20
  165.25.160.0/20
  165.25.192.0/20
  165.25.224.0/20
  168.80.16.0/20
  168.80.48.0/20
  168.80.80.0/20
  168.81.16.0/20
  168.81.64.0/20
  168.81.176.0/20
  168.81.224.0/20
  196.9.0.0/20
  196.9.16.0/20
  196.15.64.0/20
  196.15.96.0/20

As I was preparing this post, two further and additional dodgy looking ASNs also came to my attention, and preliminary analysis suggests that these two additional AFRINIC ASNs, AS32714 and AS14029, together with all of the IP space they are announcing, may perhaps also be squatted on at the present time. Given below are the current announcements from these two additional ASNs. Note that AS32714 is currently announcing routes to some South African IP address blocks, as well as to certain German blocks registered to Daimler AG, and also a number of Chinese /18 blocks registered to the Chinese retailing giant Alibaba, Inc... two companies which I suspect do not really require outside help from South Africa in order to obtain routing to their own IP blocks. Interestingly also, the former Zimbabwean ASN AS14029 does not appear to be actually registered to anyone at all at the present time.
This minor annoyance does not, apparently, prevent it from announcing a number of rather entirely dubious routes via its lone BGP peer AS260.

AS32714:

  47.93.0.0/18
  47.93.64.0/18
  47.93.128.0/18
  47.93.192.0/18
  53.122.1.0/24
  53.122.2.0/24
  165.10.0.0/16
  196.10.64.0/19

AS14029:

  41.77.240.0/22
  155.159.254.0/24
  155.159.255.0/24
  160.122.70.0/24
  160.122.71.0/24
  168.81.254.0/24
  168.81.255.0/24
  196.10.61.0/24
  196.10.62.0/24
  196.10.63.0/24
  203.212.160.0/20

I will be looking in more depth into AS32714 and AS14029 shortly, but for now I just wanted to make people aware of these additional two rather curious ASNs and the routes they are currently announcing.

On a final note, it has not escaped my notice that all three of the ASNs AS37135, AS6560, and AS14029 appear to have only a single common BGP peer, that being AS260, Xconnect24 Inc. I suspect that this is not entirely a matter of coincidence. I have attempted to make contact via email with Xconnect24, but they have not replied to my polite inquiry. For its part, AS32714 also has but a single BGP peer, that being AS6939, Hurricane Electric, Inc.

Regards,
rfg
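The post's central observation is that these origins announce /19 to /21 more-specifics carved out of long-orphaned /16 allocations. As an added example (not from the post or its author), the following Python check maps each announced prefix to the parent block listed in the post, flags announcements that fall outside that list entirely, and reports pairs of announcements from one origin that nest inside each other; the announcement lists are a constructed subset of those quoted above.

```python
import ipaddress
from collections import defaultdict

# Parent allocations exactly as listed in the post. 168.80.16.0/15 has host
# bits set as written, so it is parsed with strict=False, which yields the
# covering block 168.80.0.0/15.
PARENT_BLOCKS = [ipaddress.ip_network(p, strict=False) for p in (
    "152.108.0.0/16", "155.159.0.0/16", "155.235.0.0/16", "155.237.0.0/16",
    "160.115.0.0/16", "160.116.0.0/16", "160.122.0.0/16", "163.197.0.0/16",
    "163.198.0.0/16", "164.155.0.0/16", "165.25.0.0/16", "168.76.0.0/16",
    "168.80.16.0/15", "196.9.0.0/16", "196.10.0.0/16", "196.16.0.0/14",
    "196.15.64.0/18")]

# Constructed subset of the announcements quoted in the post, keyed by origin.
SAMPLE_ANNOUNCEMENTS = {
    "AS37135": ["152.108.0.0/19", "155.237.128.0/21", "155.237.128.0/19",
                "160.115.32.0/20", "168.76.128.0/20", "196.9.32.0/20"],
    "AS6560":  ["165.25.0.0/20", "165.25.32.0/20", "168.80.16.0/20",
                "168.81.64.0/20", "196.9.0.0/20"],
    "AS32714": ["47.93.0.0/18", "53.122.1.0/24", "196.10.64.0/19"],
    "AS14029": ["41.77.240.0/22", "196.10.61.0/24", "203.212.160.0/20"],
}

def parent_of(prefix):
    """Return the listed parent block that contains prefix, or None."""
    net = ipaddress.ip_network(prefix)
    for parent in PARENT_BLOCKS:
        if net.subnet_of(parent):
            return str(parent)
    return None

def classify(announcements):
    """Per origin: prefixes grouped by parent block, prefixes outside the
    listed blocks, and (inner, outer) pairs that nest inside one another."""
    report = {}
    for asn, prefixes in announcements.items():
        inside, outside = defaultdict(list), []
        for p in prefixes:
            parent = parent_of(p)
            if parent:
                inside[parent].append(p)
            else:
                outside.append(p)
        nets = [ipaddress.ip_network(p) for p in prefixes]
        nested = [(str(a), str(b)) for a in nets for b in nets
                  if a != b and a.subnet_of(b)]
        report[asn] = {"inside": dict(inside), "outside": outside, "nested": nested}
    return report

if __name__ == "__main__":
    for asn, r in classify(SAMPLE_ANNOUNCEMENTS).items():
        n_in = sum(len(v) for v in r["inside"].values())
        print(f"{asn}: {n_in} inside listed blocks, {len(r['outside'])} outside, "
              f"{len(r['nested'])} nested pairs")
```

Feeding the script a full route dump keyed by origin ASN (rather than the constructed subset) gives the per-origin counts the post eyeballs by hand, and the nested pairs show where a /21 is being announced alongside its own covering /19.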
Participants (1):
  Ronald F. Guilmette