Before I get into talking about this month's honorary Hijacker of the Month, I really must start by thanking everyone who pitched in and helped to insure an appropriate response and outcome for the BitCanal case, which I reported here last month. You all know who you are, and I won't explicitly name you here, only because most of you have expressed to me privately that you would prefer it if I didn't. But you folks deserve the lion's share of the credit, and I, in contrast, played only the most minor supporting role. I must also say that I was astonished and very pleasantly surprised by the very effective and, to-date, very nearly 100% effective response to my call to action with respect to Bitcanal. This thief, Joao Silveira, aka Mr. Bitcanal, and his business are still limping along, and, I'm sure, trying desperately to get back online after everybody with half a brain became convinced of what he has been up to for lo these past several years. He's apparently managed to at least get his main web site (www.bitcanal.com) back online, but now he's totally dependent on GoDaddy hosting for that. :-) I guess that he doesn't have a whole lot of IP space to call his own anymore, or any least not very much of it that he can actually get anyone to route for him. I should also offer my apologies for the rather deliberately rude way that I got right up into the faces of Cogent, GTT, and Level3, right here on the NANOG list, with regards to BitCanal. I see now that that was really rather completely unfair and uncalled for. All three took swift and appropriate action once they became fully aware of the issue/problem, and I am grateful to all of them for their prompt action, and also, of course, I am equally grateful also to the many other providers and IXes who also took appropriate action in this case. Following my posting last month about BitCanal, at least one person rightly took me to task for the rude way I approached the problem, and even moreso for the fact that I escalated the problem to this list as my first response to the whole issue. With 20/20 hindsight, I can now only agree with those criticisms. I shouldn't have done that. I am pleased with the final result, i.e. Bitcanal being kicked from essentially the whole Internet, but the ends do not justify the rather hamfisted means I elected to employ. I will try to do better in future. With that in mind, when I recently found another such operation... another entity performing an entire set of obviously very deliberate hijacks, evidently for the purpose of leasing the hijacked space to snowshoe spammers... I took what I had learned from the BitCanal case and applied it. In particular, rather than me having a very public tantrum and getting on the cases of each and every company that bgp.he.net said might be connected to the hijacker somehow, I instead began by running traceroutes to all of the relevant hijacked blocks. (If I would have had the good sense to have done this in the BitCanal case, I most probably would have begun by just hasseling Cogent alone, and privately, off list, since from where I sit, all of the traceroutes to all the blocks that Bitcvanal stole had Cogent as the next-to-last hop. YMMV) Anyway, in this new case I found that the next-to-last hop for all of the relevant traceroutes was a set of routers belonging to Telecom Italia. Rather than calling them out here, this time I had the good sense to just message TelecomItalia directly about the issue. it took me a couple of tries, but I was eventually able to find a proper contact address for a proper sort of person to discuss this matter with @ Telecom Italia. The two links below are (1) my message to them and (2) their very nice and proactive response back to me: Me -> Telecom Italia https://pastebin.com/raw/Ek3mxKCR Telecom Italia -> Me https://pastebin.com/raw/mtcA4Ehy Given that I sent my message to them well after business hours on Friday, I consider their response, sent on Monday, to be super-fast and very responsive. Of course, I am absolutely ecstatic also that they have elected to stop all routing to the particular bunch of of badness that I explicitly called out to them, at least for the time being. As you can all see, my message to TelecomItalia describes the issue/problem with AS205869 - Universal IP Solution Corp. in some considerable detail. In a nutshell, these guys are criminals and they've been reselling the IPv4 space they've hijacked, specifically but perhaps not only to snowshoe spammers. (Specific evidence available upon request.) Of course, one can easily imagine even vastly worse uses that may be made of stolen IP space. By the time that I personally became aware of what these specific jerks were up to, they had already used, abused, and tossed aside several other IPv4 blocks -and- also a number of other previously abandoned ASNs. (They have been absconding with -both- abandoned IPv4 address blocks -and- also a number of previously abandoned ASNs... as well as one that was/is in active use by its legitimate owner. And they have bee doing so without any apparent restraint watever.) The evidence of all this is crystal clear from a quick review of all of the relevant RIPE records. They left their bloody fingerprints all over this mess. Anyway, by the time I noticed them. late last week, the set of routes and ASNs that this particular set of crooks were still fradulently using were as follows: ASN Route ---------------------- 10510 216.238.64.0/18 10737 207.183.96.0/20 10800 192.110.32.0/19 19529 104.143.112.0/20 19529 198.14.0.0/20 19529 198.32.208.0/20 19529 206.41.128.0/20 30237 192.73.128.0/20 30237 192.73.144.0/20 30237 192.73.160.0/20 30237 192.73.176.0/20 (The above list was present also in my private message to TelecomItalia. See link above.) I suspect that perhaps the fact that the final four routes in the list above are for IPv4 space which is formally registered to the United States Air Force may possibly have contributed somewhat to TelecomItalia's apparent readiness and willingness to take swift and decisive action in this case. (It's not every day that you see USAF IP space being routed by mysterious Ukranian networks. :-) In any case, as I've noted above, I am greatly pleased that TelecomItalia took the action it did, regardless of what factors may have entered into their decision. At this point in my presentation, anyone who might have been expecting another "call to arms", like my posting here last month, will be disappointed. I'd greatly appreciate it if readers of this post would help me to to confirm that the non-routing of the above block is both universal and complete... as it is, at least, from where I am sitting... but at this point I have nothing and nobody to rail against. (Or so I thought! But while writing this post I found some new and apparently associated curiosities relating to a different ASN, AS57166. Read on!) So, anyway with regards to AS205869... case closed? Is it Miller time? Well, yes and no. There's still the question of just who or what the devil is this thing called Universal IP Solution Corp. (which also, apparently, goes by the name of "ADMASTER-MNT" within RIPE WHOIS records). And then there is the question of what there is to prevent these hijackers from just coming back tomorrow under a different guise or corporate identity and starting the game all over again. Even more worrying is the distinct possibility that they may not even find it necessary to change out their current corporate identity before getting back into the game. They could just keep their current name... as BitCanal did... and try to reroute their connectivity via one of their other existing peers. The (ostensible) list of those is shown here: https://bgp.he.net/AS205869#_peers These crooks may have already anticipated the small setback of losing their TelecomItalia connection, and as you can see, they already have nine listed IPv4 peers, although at least four of these are provably ones that they themselves have been masquerading as, specifically: AS11717 Solarus AS7827 American Business Information AS11324 BRFHH Shreveport, LLC AS32226 Menard, Inc. The above ASNs have all been hijacked by the folks using the handle ADMASTER-MNT. The RIPE WHOIS records essentially prove that. (Menard, Inc., by the way, is a chain of retail home improvement stores, comparable to HomeDepot, located in the U.S. MidWest region. Hardly the kind of place you'd expect to be peering with mysterious Ukranian company, -or- to be indirectly routing space... 216.238.64.0/18... for a long-dead Pennsylvania ISP such as Razor, Inc. The case of BRFHH Shreveport, LLC is arguably more worrying than any of the rest of this, because in that case the hijackers apparently didn't even care that the ASN in question was still in active use by its rightful owners, uhsystem.com, which appears to be a University-based hospital in Louisiana. HIPPA horrors easily imaginable!) Anyway, eliminating the ASNs above, we are still left with multiple possible "Plan Bs" for this hijacking operation: AS6762 Telecom Italia <============== plug already pulled AS8359 MTS PJSC (Russia) AS1299 Telia Company AB (Sweden) AS35320 Eurotranstelecom Ltd. (Ukraine) AS57166 D2 International Investment Ukraine Ltd. Now that Telecom Italia has pulled the plug, I'll be emailing to the other peers listed above, and asking them to do likewise. We'll just have to wait and see what they do. But there is one ASN from the above list that I quite definitely -won't- be sending any emails to, and that's the last one, D2 International Investment Ukraine Ltd. AS57166, D2 International Investment Ukraine Ltd. was a name already known to me. It came up previously, right here on this mailing list, in the context of a discussion I had started here on October 5th, 2016 relating to a previous set of hijacks that I had reported here: https://mailman.nanog.org/pipermail/nanog/2016-October/088487.html This thing, whetever it is, has/had a peering relationship, both then and now, with AS29632 Netassist Limited, which is headquartered in... ummm... Ukraine. No. Wait. Make that Gibraltar. Anyway, we'll come back to that a bit latter on. Back in the day, D2 International Investment Ukraine Ltd. was using two different ASNs, i.e. AS43659 and AS57166. As of now, it doesn't seem to be using the former for much of anything: https://bgp.he.net/AS43659 AS57166 is a rather different story however. The listing of IPv4 peers shown currently at bgp.he.net (https://bgp.he.net/AS57166#_peers) shows the following as current peers of AS57166: AS205869 Universal IP Solution Corp. AS29632 Netassist Limited AS11695 TheStreet.Com AS8011 CoreComm Internet Services Inc The first two are (or were) headquartered in Ukraine, so other than the fact that Universal IP Solution Corp. is hip deep in IP address space thievery, those two are unremarkable as peers for D2 International Investment Ukraine Ltd. which is also allegedly located in Ukraine. That third one should come as a bit of a shock to anyone who has ever had the privlege (or misfortune, depending on your point of view) of watching "Mr. Booyah" Jim Cramer attempts to make the muundane world of stock trading entertaining for the masses. TheStreet.com is a highly popular web destination belonging to a company of the same name which was founded by the same said Mr. Jim Cramer. From Wikipedia: TheStreet, Inc. is an American financial news and services website founded by Jim Cramer and Martin Peretz. How does a company like this get mixed up with a bunch of Ukranians of dubious repute?? Well, quite simply they don't. The ASN has been hijacked by AS57166 -- D2 International Investment Ukraine Ltd. As we speak, D2 International Investment Ukraine Ltd. is using this hijacked ASN, AS11695 -- TheStreet.Com for an ongoing set of hijacks, mostly of abandoned legacy IPv4 space belonging to various defunct U.S. companies, but with one Canadian block (69.171.160.0/19) and one Mongolian block (192.82.64.0/19) mixed in just to give this portfolio of hijacks a bit of an international flavor, I suppose. The list of blocks currently announced by AS11695, according to stat.ripe.net, is as follows: 24.137.0.0/20 24.137.0.0/19 24.137.16.0/20 24.236.0.0/19 52.128.192.0/19 66.219.64.0/19 68.232.96.0/20 69.171.160.0/19 70.34.192.0/20 70.34.192.0/19 70.34.208.0/20 98.143.176.0/20 163.123.192.0/20 163.123.192.0/18 163.123.208.0/20 163.123.224.0/20 163.123.240.0/20 192.82.64.0/19 192.254.32.0/19 198.40.192.0/19 204.195.192.0/18 206.15.32.0/19 206.54.128.0/20 206.125.0.0/19 206.127.224.0/19 206.190.160.0/19 206.222.128.0/19 206.246.32.0/19 207.183.64.0/19 209.182.0.0/20 209.182.0.0/18 209.182.16.0/20 209.182.32.0/20 209.182.48.0/20 This is quite an impressive list, even if it does fall a bit short of the recent and slightly more prodigious escapades of Bitcanal. I've run a few traceroutes on a few of the above routes and I've found them to have next-to-last hops within the same batch of Telcom Italia routers as were being used by the batch of hijacks that were easily tracable back to AS205869 - Universal IP Solution Corp. Not a real huge surprise there. AS205869 is peering with AS57166 and vise versa. They are both quite obviously working together on this grand hijacking scheme. Of course, I will shortly be initiating another friendly and, I hope, equally productive chat with my new friend @ Telecom Italia regarding these additional blatant and obvious hijacks. I have so far neglected to mention the forth and final peer of AS57166, i.e. AS8011 -- CoreComm Internet Services Inc. Based on my reading of he relevant RIPE records, this ASN appears to have been registered with RIPE on or about 2017-01-12 by whoever was in control of the RIPE handle "DATASTAR-MNT" as of that date. It appears to me that, with a few exceptions, such as the RIPE WHOIS record for this ASN, pretty much everything else that has been created and installed into the RIPE WHOIS data base by "DATASTAR-MNT" is fundamentally fradulent. Here is the full list of such stuff: https://pastebin.com/raw/DQbWe0gq By extension from this premise, I think that it may be reasonably assumed that any routes currently being announced by AS8011 are most likely also hijacks. As of now, this seems to be limited to only one single route: 216.127.0.0/19. This IPv4 block would seem to have been yet another abandoned IPv4 block that was just left lying around, and which has now been very effectively repurposed in service of the hijackers' preferred ends. Finally, as some may have noted, there is one rather glaring hole in the story it has been presented above, specifically, the true and verifiable identities of the hijackers, which remain cloaked in mystery. D2 International Investment Ukraine Ltd. historically used the domain name etthua.net as part of its contact email address, but that domain currently has no DNS, and data from archives suggests that it may have never had a functioning web site. RIPE NCC undoubtedly has the name of some specific individual to go along with this corporate front name, but even before the advent of the travesty that is GDPR, they almost certainly would refuse to divulge that to any party, based on their traditional strict contractual code of omerta. A page on virustotal seems to suggest a connection of some sort between D2 International Investment Ukraine Ltd. and the now notorious coinhive scam, but it is not at all clear how this connection was derived or even whether there actually is any real connection at all: https://www.virustotal.com/#/ip-address/94.130.90.152 Googling now, I see that I myself called out this crooked enterprise on a RIPE mailing list back on 2016-10-08. (I didn't really remember doing that, as it has been nearly 2 years ago now.) https://www.ripe.net/participate/mail/forum/anti-abuse-wg/PDMxNjk3LjE0NzU5Nj... I also have no specific recollection of this follow-up post by a rather outspoked fellow who goes by the name of Marilson, and who has frequently appeared to drink even substantially more coffee than I do: https://lists.ripe.net/pipermail/anti-abuse-wg/2016-October/003726.html I myself have no direct knowledge of the "Samuel Joel Nirushan" that Marilson spoke of, or about any of Mr. Marilson's specific allegations against him (including that this Mr. Nirushan is even connected in any way to D2 International Investment Ukraine Ltd.) but I did find that if one simply googles for "Samuel Joel Nirushan" or alternatively, for "D2 International Investments" (note: plural, rather than singular) one quickly comes upon a plethora of public postings made by -somebody- who was apparently quite angry at this guy, many most or all of which seem to date from October, 2011, and all of which contain many of the same unsubstantiated allegations of fradulent activities. As these allegations are not accompanied by any relevant documentation, then must be judged to only be worth even less that the electrons they were written on. Arguably more relevant is this archived RIPE WHOIS record that I found online and which appears to show that D2 International Investment Ukraine Ltd. was formerly granted a sub-allocation of IPv4 space which, at that time, and also currently, is registered to NetAssist, Ltd (Ukraine): https://pastebin.com/raw/95LRyvwv This, taken together with the fact that NetAssist, Ltd (AS57166) is currently peering with AS57166 - D2 International Investment Ukraine Ltd., ertainly suggest a strong business relationship between the Netassist and D2, whatever the hell it is. Returning briefly to the other obviously crooked actor in this drama, i.e. AS205869 - Universal IP Solution Corp., it is worth mentioning that this company, like D2 International Investment, also has a domain that is used as part of its contact email address, universalipsolution.bz (BZ -- Belize??) but this domain also, like etthua.net for D2, does not currently have any web site, and based on my reading of historical passive DNS data, it appears that it may have -never- have had one. Nontheless, both D2 International Investments and Universal IP Solution are both members in good standing of RIPE: https://www.ripe.net/membership/indices/data/ua.d2investukraine.html https://www.ripe.net/membership/indices/data/bz.universal.html So, you know, one wonders how these two crooked companies that are clearly colluding together to hijack lots and lots of IP space are then able to somehow turn around and make a profit by selling off bits and pieces of what they have stolen when neither of them even have any web site via which they could entice eager buyers of their stolen property. This is an enigma, but I have a theory that seems at least possible. RIPE provides many useful services to its members, but there is one in particular that I personally have become acquainted with only quite recently. RIPE NCC apparently maintains a list of what they call "Recognised IPv4 Transfer Brokers": https://www.ripe.net/manage-ips-and-asns/resource-transfers-and-mergers/brok... As noted on the above page "there are no costs involved" in being admitted to this prestigious and exclusive club, "...however, you will need to agree to adhere to the relevant RIPE Policies and RIPE NCC procedural documents..."

From these public statements of the RIPE web site I infer that as long as one can fog a mirror, and as long as one is willing and able to raise one's right hand and swear on some sort of religious text, one can be and will be admitted into this special club of "recognised" IP brokers.

One company listed on the above page that caught my eye is NetAssist LLC, formerly of Ukraine, but more recently re-incorporated in the jurisdiction of Gibraltar. (Why the company elected to up and change jurisdictions is not immediately obvious.) Whereas neither Universal IP Solution Corp. nor their apparent partners in crime, D2 International Investment Ukraine Ltd. have any web sites, and whereas they both thus have no apparent means of easily reselling/ offloading/fencing any or all of the IP space that the two of them together have stolen, it appears that D2's friend and peer, NetAssist LLC, is already well positioned to barter blocks of IPv4 space that may have unexpectedly gone walkabout. This is not to say that they have done so. I have no direct evidence of that. I just personally find NetAssist's formal registration, with RIPE, as an "recognized" IP broker to be a possibly relevant detail, and one that may perhaps be exceptionally convenient, under the curcumstances. Plesse note that Bitcanal, using its full, formal, and legal name of Ebonyhorizon Telecomunicacoes Lda., is also still a member in good standing of not only RIPE, but also of RIPE's cadre of "Recognised IPv4 Transfer Brokers". (See link above.) To reiterate, I have posted all of this information here on the NANOG list, not as a call to action... I'll be trying myself to contact any and all relevant providers and encouraging them to take appropriate action... but rather just because I felt that people here on this list might want to at least be aware of all of these convoluted shenanigans and schemes. Certainly, I encourage everyone reading this to be extra vigilant, in future, and especially if you are approached in the near future by any Ukrainian (or Gibraltarian) networks requesting peering. Regards, rfg P.S. It is left as an exercise for the reader as to why these sorts of large scale hijacking schemes always seem to originate somewhere within the RIPE geographical region and never elsewhere.