Hijacks: AS12506, AS327814, AS44582, AS62135
The following set of interrelated networks appear to be engaged in hijacking various IPv4 address blocks at the present time:

AS12506 Inspiring Networks, B.V. (Netherlands)
AS44582 Inspiring Networks, B.V. (Netherlands)
AS62135 Inspiring Networks, B.V. (Netherlands)
AS327814 Echoband, Ltd. (Ghana)

The specific routes that are unambiguously being hijacked by each of these networks are as follows:

AS12506:
152.108.0.0/16
155.159.0.0/16
196.15.64.0/18

AS327814:
163.198.0.0/18
164.88.0.0/16
168.80.0.0/17
168.80.128.0/17

AS44582:
175.53.0.0/17
175.53.128.0/17
175.54.0.0/17
175.54.128.0/17

AS62135:
160.116.32.0/20
160.116.128.0/20
160.116.240.0/20
160.122.144.0/20

Screenshots of the bgp.he.net prefixes reports for the above networks are archived here:

http://i.imgur.com/5HuDRYX.png (AS12506)
http://i.imgur.com/YishDCK.png (AS44582)
http://i.imgur.com/lgiAKWz.png (AS62135)
http://i.imgur.com/IM9Wf5h.png (AS327814)

(Note that the set of routes announced by the four networks in question has changed slightly since the last bgp.he.net update -- 30 Aug 2017 14:48 PST. The route for 163.198.0.0/18 has been dropped and the routes for 160.116.128.0/20 and 160.122.144.0/20 have been added.)

As seen in previous hijackings, and as is consistent with the general nature of such hijackings, no individual IP addresses within any of the above listed routes have any functioning reverse DNS delegation.

Note that AS44582 (Inspiring Networks) and AS62135 (Inspiring Networks) really only have a single upstream connection to the Internet, at least as far as public BGP is concerned, and that is AS12506 (Inspiring Networks). Meanwhile, AS12506 (Inspiring Networks) has only a single BGP upstream, which is AS49544 i3D.net B.V (Netherlands). Therefore, the majority of this hijacking activity is only made possible via the generous help and assistance of AS49544, i3D.net B.V.

Inspiring Networks is apparently run by one Maikel Jozef Gerardus Uerlings, <maikel@uerlings.nl>:

https://labs.ripe.net/Members/maikel_uerlings
https://nl.linkedin.com/in/maikel-uerlings-072aaa65
https://twitter.com/maikeluerlings (recently disappeared)
https://www.facebook.com/maikel.uerlings
http://uerlings.nl/

On February 24, 2013, over four years ago, Mr. Uerlings apparently promised his Facebook friends and fans that his new corporate web site would be "launched soon". As of today however, Mr. Uerlings' corporate web site for Inspiring Networks still contains only generic/boilerplate "Lorem ipsum" type filler text:

https://inspiringnetworks.com/

It would thus appear that Mr. Uerlings has other ways of attracting customers, other than his minimalist placeholder corporate web site.

In any case, Mr. Uerlings has apparently gotten some bad press on a couple of occasions, for example the following blog post by some anonymous spammer who felt that Mr. Uerlings didn't actually deliver on his promises of "fresh IPs for mailing":

http://maikel-uerlings-inspiring-networks.blogspot.com/

Mr. Uerlings' name also came up in the context of a 2013 attempt by Microsoft to take down a certain botnet:

Microsoft v. Botnet
United States Court for the Western District of Texas
Case: A-13-CV-1014SS
http://botnetlegalnotice.com/zeroaccess/files/Summons_Does_1-8.pdf
(... Care of: Maikel Uerlings, cust597@serverius.com ...)

Other folks also have, or had, a rather unfavorable opinion of Mr. Uerlings, it would seem:

https://www.mywot.com/en/scorecard/uerlings.nl
https://www.scamwarners.com/forum/viewtopic.php?p=123180
https://unapprovedpharmacy.com/category/counterfeit-drugs-alert/page/12/

As usual, I wouldn't even mind about any of this hijacking activity if it were not for the fact that at least some portion of the hijacked IPv4 space appears to have been populated with snowshoe spammer domains:

https://pastebin.com/raw/As9nVCMV

I cannot help but wonder if there is something in the water supply in the Netherlands that may be causing so much hijacking activity to originate from that country. I do understand that the Netherlands has what I gather is the best connectivity in all of Europe, but even that does not fully explain, I think, the Netherlands' disproportionate share of these sorts of events and incidents, in this case involving Inspiring Networks, B.V. and clearly supported by AS49544, i3D.net B.V, also of the Netherlands.

Regards,
rfg

P.S. Don't be fooled by hijackings of IP blocks that were historically allocated by AFRINIC to various corporate entities in the Seychelles Islands. Many of those corporate entities have long since died, and their associated IPv4 blocks have thus been abandoned. Unfortunately, due to the unique and very strict corporate secrecy laws in the Seychelles, it is not possible for any outsider to find out even if these entities still exist or not, let alone who their corporate officers are or might have been. Thus, literally anybody can come along, after the fact (even lawyers) and claim to be representing the rightful owners of these blocks. And there is apparently no way either to verify or to disprove any such claims. Thus, hijacking the IP blocks of any defunct Seychelles Islands company is very nearly "The Perfect Crime".

The only catch is that AFRINIC has, in its archives, the names of the actual corporate officers who originally requested (and were granted) the IP block allocations originally. And thus, they at least cannot be so easily fooled by any usurpers who are merely pretending to be the rightful owners of these blocks. So it is actually pretty easy to tell which IPv4 blocks registered to Seychelles Islands companies have been hijacked. If they are hijacked by persons who are not actually acting on behalf of the true rightful owners of these blocks, then the thieves in question will not have been able to snooker AFRINIC into delegating reverse DNS authority for the blocks to them.

So this is the simple acid test. If a given IP address block is allocated, from AFRINIC, to some corporate entity in the Seychelles Islands, and if that block has no working reverse DNS, then there's probably a very good reason for that, i.e. it's hijacked. And the hijacking has taken place without any knowledge of this event whatsoever on the part of AFRINIC.
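The "acid test" above (announced route with no working reverse DNS delegation) can be scripted. The following is an added example, not code from the original post; it derives the in-addr.arpa zones that must carry NS records for each quoted route, takes the NS lookup as a pluggable function, and uses a constructed stub resolver so it runs offline (a live run would plug in a real resolver; the classification thresholds and the "CONTROL" prefix are assumptions of this example).

```python
import ipaddress
from typing import Callable, Dict, List

# Routes quoted in the post, grouped by originating AS.
ANNOUNCED = {
    "AS12506": ["152.108.0.0/16", "155.159.0.0/16", "196.15.64.0/18"],
    "AS327814": ["164.88.0.0/16", "168.80.0.0/17", "168.80.128.0/17"],
    "AS44582": ["175.53.0.0/17", "175.53.128.0/17", "175.54.0.0/17", "175.54.128.0/17"],
    "AS62135": ["160.116.32.0/20", "160.116.128.0/20", "160.116.240.0/20", "160.122.144.0/20"],
}

def reverse_zones(prefix: str) -> List[str]:
    """in-addr.arpa zones that need NS records for the route to have working rDNS.
    in-addr.arpa is cut on octet boundaries, so a /16 (or shorter) route maps to
    /16 zones and anything between /17 and /24 maps to one zone per /24."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.prefixlen > 24:
        raise ValueError("prefixes longer than /24 need RFC 2317-style checks")
    cut = 16 if net.prefixlen <= 16 else 24
    zones = []
    for sub in net.subnets(new_prefix=cut):
        labels = str(sub.network_address).split(".")[: cut // 8]
        zones.append(".".join(reversed(labels)) + ".in-addr.arpa")
    return zones

def classify(prefix: str, lookup_ns: Callable[[str], List[str]]) -> str:
    """'delegated' if every covering zone has NS records, 'none' if no zone does,
    'partial' otherwise. 'none' on an AFRINIC-allocated block is the post's red flag."""
    zones = reverse_zones(prefix)
    hits = sum(1 for z in zones if lookup_ns(z))
    if hits == len(zones):
        return "delegated"
    return "none" if hits == 0 else "partial"

def report(announced: Dict[str, List[str]], lookup_ns) -> Dict[str, Dict[str, str]]:
    return {asn: {p: classify(p, lookup_ns) for p in pfxs} for asn, pfxs in announced.items()}

# Constructed stand-in for a resolver: only the documentation prefix 203.0.113.0/24
# is "delegated" here. With dnspython a live lookup would be
# [r.target.to_text() for r in dns.resolver.resolve(zone, "NS")], catching NXDOMAIN/NoAnswer.
STUB_NS = {"113.0.203.in-addr.arpa": ["ns1.example.net."]}

def stub_lookup(zone: str) -> List[str]:
    return STUB_NS.get(zone, [])

if __name__ == "__main__":
    sample = dict(ANNOUNCED, CONTROL=["203.0.113.0/24"])
    for asn, rows in report(sample, stub_lookup).items():
        for prefix, verdict in rows.items():
            print(f"{asn:9} {prefix:18} rDNS delegation: {verdict}")
```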
Dear Ronald,

Thanks for the investigative work, we will look into your report and take the appropriate action.

Kind regards,
Martijn Schmidt
i3D.net / AS49544

PS: if anyone suspects that any of our customers are misbehaving, we would very much appreciate hearing about it directly via abuse@i3d.net as opposed to seeing the information for the first time on a public mailing list. All abuse reports are handled on a case-by-case basis by our own support staff in our headquarters in the Netherlands.