AS3266: BitCanal hijack factory, courtesy of Cogent, GTT, and Level3
Sometimes I see stuff that just makes me shake my head in disbelief. Here is a good example: https://bgp.he.net/AS3266#_prefixes
I mean seriously, WTF?
As should be blatantly self-evident to pretty much everyone who has ever looked at any of the Internet's innumerable prior incidents of very deliberately engineered IP space hijackings, all of the routes currently being announced by AS3266 (Bitcanal, Portugal) except for the ones in 213/8 are bloody obvious hijacks. (And to their credit, even Spamhaus has a couple of the U.S. legacy /16 blocks explicitly listed as such.)
That's 39 deliberately hijacked routes, at least going by the data visible on bgp.he.net. But even that data from bgp.he.net dramatically understates the case, I'm sorry to say. According to the more complete and up-to-the-minute data that I just now fetched from RIPEstat, the real number of hijacked routes is more on the order of 130 separate hijacked routes for a total of 224,512 IPv4 addresses: https://pastebin.com/raw/Jw1my9Bb
In simpler terms, Bitcanal has made off with the rough equivalent of an entire /14 block of IPv4 addresses that never belonged to them. (And of course, they haven't paid a dime to anyone for any of that space.)
Of course we could all be shocked (Shocked!) at this turn of events if it were not for the fact that Bitcanal already has a rich, longstanding, and sordid history of involvement with IP space hijacks. All one has to do is google for "Bitcanal" and "hijack" to find that out. This isn't exactly a state secret. In fact if you look up "IP space hijacking" in any modern Internet dictionary you'll find Mr. Joao Silveira's picture next to the definition: https://twitter.com/bitcanal :-)
This guy Silveira has obviously decided that he is a law unto himself, and can grab whatever IP space happens to be lying around for his own purposes... and no need to fill out any tedious forms -or- pay any fees for using any of this space to any of those annoying Regional Internet Registries.
As usual, and as I have said here previously, I generally don't mind too much when these kinds of greedy idiots decide to color outside the lines. As long as they just confine themselves to hijacking abandoned IP blocks belonging to banks and/or government agencies, well then it's no skin off my nose. But when they start reselling their stolen IP space to spammers, as Mr. Silveira is apparently in the habit of doing, then I get ticked off.
And actually, Mr. Silveira must be *exceptionally* greedy in that he is apparently not satisfied to just sub-lease his own legitimate IP space to snowshoe spammers, as he is clearly doing: https://pastebin.com/raw/5P5rnQ2y
Obviously, merely hosting snowshoe spammers in his own IP space isn't enough to keep Mr. Silveira in the style to which he has become accustomed, so he has to go out and rip off other people's IP space and then resell that to spammers also.
The fact that there exists a jerk like this on the Internet isn't really all that surprising. What I personally -do- find rather surprising is that three companies that each ought to know better, namely Cogent, GTT, and Level3 are collectively supplying more than 3/4ths of this guy's IPv4 connectivity, at least according to the graph displayed here: https://bgp.he.net/AS197426
Without the generous support of Cogent, GTT, and Level3 this dumbass lowlife IP address space thief would be largely if not entirely toast. So what are they waiting for? Why don't they turf this jackass? Are they waiting for an engraved invitation or what?
As I always ask, rhetorically, in cases like this: Where are the grownups?
I would like everyone reading this who is a customer of Cogent, GTT, or Level3 to try to contact these companies and ask them why they are providing connectivity/peering to a hijacking jerk like this Silveira character. Ask them why -you- have to endure more spam in your inbox just so that -they- can make another one tenth of one percent profit by peering with this hijacking, spammer-loving miscreant. I would ask them myself, but I personally am not a direct customer of any of them, so they would all, most probably, just tell me to go pound sand.
If you do manage to make contact, please be sure to mention all three of Mr. Silveira's ASNs, i.e. AS42229, AS197426, and AS3266. And don't let whoever you talk to try to weasel out of responsibility for this travesty, e.g. by claiming that they don't know anything about what's been going on with all those hijacks announced by AS3266, and/or that they only provide peering for AS197426. The hijacks may all be originating from Mr. Silveira's AS3266, but bgp.he.net makes clear that AS3266 has one, and only one peer, i.e. Mr. Silveira's AS197426: https://bgp.he.net/AS3266
So basically, Cogent, GTT, and Level3 are the prime enablers of this massive theft of IP space. (They might try to claim that BitCanal's historical propensity to engage in hijacks is something "brand new" or at least that -they- may not have been aware of it until now, in which case you should ask them if they have anybody on staff who is paying attention. As noted above, it isn't as if Bitcanal just started pulling this crap yesterday. Far from it.)
Oh! And you might also mention the fact that Spamhaus, and, I would guess, at least a few of the other public blacklists already have most or all of Mr. Silveira's IP space... hijacked or otherwise... blacklisted, presumably for good and ample cause.
As long as Cogent, GTT, and Level3 are willing to go along with this nonsense, i.e. by selling peering to this Silveira thief, crime on the Internet -does- pay, and the theft of other people's IP space will continue to be rewarded rather than punished, as it should be.
If that becomes the new normal for Internet behavior, then god help us all.
Regards, rfg
On Mon, 25 Jun 2018 at 22:49, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
Without the generous support of Cogent, GTT, and Level3 this dumbass lowlife IP address space thief would be largely if not entirely toast. So what are they waiting for? Why don't they turf this jackass? Are they waiting for an engraved invitation or what?
As I always ask, rhetorically, in cases like this: Where are the grownups?
You could ask the same about the IXPs that facilitate the reach and impact of Bitcanal’s BGP hijacks by allowing that network on their platform: https://bgp.he.net/AS197426#_ix Kind regards, Job
"we are not the internet police" right? (
On 26/06/18, 10:33 AM, "NANOG on behalf of Job Snijders" <nanog-bounces@nanog.org on behalf of job@instituut.net> wrote:
On Mon, 25 Jun 2018 at 22:49, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
> Without the generous support of Cogent, GTT, and Level3 this dumbass
> lowlife IP address space thief would be largely if not entirely toast.
> So what are they waiting for? Why don't they turf this jackass? Are
> they waiting for an engraved invitation or what?
>
> As I always ask, rhetorically, in cases like this: Where are the grownups?
You could ask the same about the IXPs that facilitate the reach and impact of Bitcanal’s BGP hijacks by allowing that network on their platform: https://bgp.he.net/AS197426#_ix
Kind regards, Job
In message <CACWOCC-t+wsL=rSfz-zXzXA+m-=RfRdG1eBMuyQ_DF3AurCYnQ@mail.gmail.com>, Job Snijders <job@instituut.net> wrote:
On Mon, 25 Jun 2018 at 22:49, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
As I always ask, rhetorically, in cases like this: Where are the grownups?
You could ask the same about the IXPs that facilitate the reach and impact of Bitcanal's BGP hijacks by allowing that network on their platform: https://bgp.he.net/AS197426#_ix
I can and I do ask that question. Indeed it would appear that at least one such IX was persuaded, via a Spamhaus escalation last year, to appropriately kick Mr. Silveira's ass to the curb:
April, 2017: https://www.isptoday.nl/nieuws/de-cix-door-spamhaus-op-de-bon-geslingerd/
DE-CIX: "We are in direct contact with Spamhouse regarding this, in order to avoid such incidents in the future, and are counting on an open and direct dialog with our Spamhouse colleagues."
But first things first. As I have stated, bgp.he.net shows that more than three fourths of Mr. Silveira's connectivity is coming to him via just the three companies I named, Cogent, GTT, and Level3. Without them, both the financial and political burden of supporting this crook would fall onto a motley collection of smaller and more easily influenced players... ones who might be more easily persuaded to cease and desist from their ongoing support of IP address space theft.
But the first step is to make it clear to the various law abiding customers of Cogent, GTT, and Level3 that these three companies are acting irresponsibly in their continued peering with Mr. Silveira's various ASNs, and that this -does- negatively affect everyone, or at least everyone who has an email inbox, and/or anyone and everyone who still believes that the formal system of IP address allocation, as administered by the five RIRs, prevents chaos from breaking out across the entire Internet.
Regards, rfg
Job, Unless of course they are not actually on an IXP listed. Bitcanal is not a member of TorIX and as far as I recall, never has been. The IP they list in PeeringDB was never assigned to them at any point and in fact was used by an AS112 instance which was run by TorIX directly on the fabric for a time. I sent in a note to PeeringDB several years ago about Bitcanal claiming to be a peer when they were not and never heard back.. I'll resend. -- Stephen (ops, TorIX) On 2018-06-26 1:01 AM, Job Snijders wrote:
On Mon, 25 Jun 2018 at 22:49, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
Without the generous support of Cogent, GTT, and Level3 this dumbass lowlife IP address space thief would be largely if not entirely toast. So what are they waiting for? Why don't they turf this jackass? Are they waiting for an engraved invitation or what?
As I always ask, rhetorically, in cases like this: Where are the grownups?
You could ask the same about the IXPs that facilitate the reach and impact of Bitcanal’s BGP hijacks by allowing that network on their platform: https://bgp.he.net/AS197426#_ix
Kind regards,
Job
IXP Manager now has IXF exports that PeeringDB can use to cleanup stale members. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ----- Original Message ----- From: "Stephen Fulton" <sf@lists.esoteric.ca> To: nanog@nanog.org Sent: Tuesday, June 26, 2018 11:18:19 AM Subject: Re: AS3266: BitCanal hijack factory, courtesy of Cogent, GTT, and Level3 Job, Unless of course they are not actually on an IXP listed. Bitcanal is not a member of TorIX and as far as I recall, never has been. The IP they list in PeeringDB was never assigned to them at any point and in fact was used by an AS112 instance which was run by TorIX directly on the fabric for a time. I sent in a note to PeeringDB several years ago about Bitcanal claiming to be a peer when they were not and never heard back.. I'll resend. -- Stephen (ops, TorIX) On 2018-06-26 1:01 AM, Job Snijders wrote:
On Mon, 25 Jun 2018 at 22:49, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
Without the generous support of Cogent, GTT, and Level3 this dumbass lowlife IP address space thief would be largely if not entirely toast. So what are they waiting for? Why don't they turf this jackass? Are they waiting for an engraved invitation or what?
As I always ask, rhetorically, in cases like this: Where are the grownups?
You could ask the same about the IXPs that facilitate the reach and impact of Bitcanal’s BGP hijacks by allowing that network on their platform: https://bgp.he.net/AS197426#_ix
Kind regards,
Job
(I've updated the email subject to make it more accurate) On Tue, Jun 26, 2018 at 12:18:19PM -0400, Stephen Fulton wrote:
Unless of course they are not actually on an IXP listed.
Of course.
Bitcanal is not a member of TorIX and as far as I recall, never has been. The IP they list in PeeringDB was never assigned to them at any point and in fact was used by an AS112 instance which was run by TorIX directly on the fabric for a time. I sent in a note to PeeringDB several years ago about Bitcanal claiming to be a peer when they were not and never heard back.. I'll resend.
Thank you for this clarification. Indeed a note to the PeeringDB Admin committee should help clean this up. Please note that this organisation also goes under the name of "Ebony Horizon". I've manually confirmed bitcanal/AS 197426 is connected to AMS-IX, ECIX Frankfurt, ESPANIX, FranceIX Paris, GigaPIX, and LINX LON1. At most of these IXPs, bitcanal seems to be connected to the IXP's route servers. In my mind, if we want to consider responsibility, these IXPs are as much at fault as any upstream provider. Connectivity is connectivity. Kind regards, Job
Hi Job, all,
On the France-IX route servers, we are applying filters based on IRR DBs. I double checked the list https://pastebin.com/raw/Jw1my9Bb and these prefixes should be filtered if bitcanal starts announcing them. Currently, bitcanal/AS197426 is not announcing any prefix on our route servers: https://lg.franceix.net/irr_found_for/RS1+RS2/ipv4?q=197426 https://lg.franceix.net/irr_notfound_for/RS1+RS2/ipv4?q=197426
regards, Simon
-- Simon Muyal CTO FranceIX Tel: +33 (0)1 70 61 97 74 Mob: +33 (0)6 21 17 29 51 <https://t.co/dN09RCYsX9>
On 26/06/2018 at 11:22, Job Snijders wrote:
(I've updated the email subject to make it more accurate)
On Tue, Jun 26, 2018 at 12:18:19PM -0400, Stephen Fulton wrote:
Unless of course they are not actually on an IXP listed. Of course.
Bitcanal is not a member of TorIX and as far as I recall, never has been. The IP they list in PeeringDB was never assigned to them at any point and in fact was used by an AS112 instance which was run by TorIX directly on the fabric for a time. I sent in a note to PeeringDB several years ago about Bitcanal claiming to be a peer when they were not and never heard back.. I'll resend. Thank you for this clarification. Indeed a note to the PeeringDB Admin committee should help clean this up. Please note that this organisation also goes under the name of "Ebony Horizon".
I've manually confirmed bitcanal/AS 197426 is connected to AMS-IX, ECIX Frankfurt, ESPANIX, FranceIX Paris, GigaPIX, and LINX LON1.
At most of these IXPs, bitcanal seems to be connected to the IXP's route servers. In my mind, if we want to consider responsibility, these IXPs are as much at fault as any upstream provider. Connectivity is connectivity.
Kind regards,
Job
Dear Simon, On Tue, Jun 26, 2018 at 12:13:26PM -0600, Simon Muyal wrote:
On the France-IX route servers, we are applying filters based on IRR DBs. I double checked the list https://pastebin.com/raw/Jw1my9Bb and these prefixes should be filtered if bitcanal starts announcing them. Currently, bitcanal/AS197426 is not announcing any prefix on our route servers:
https://lg.franceix.net/irr_found_for/RS1+RS2/ipv4?q=197426 https://lg.franceix.net/irr_notfound_for/RS1+RS2/ipv4?q=197426
I'm very happy FranceIX apply filters - however Bitcanal is known to submit fabricated/falsified IRR information to databases like RADB and RIPE. I've reported this multiple times over the years to IRR database operators. In conclusion in the case of Bitcanal, most of your filtering is useless (and so is mine). Participants like Bitcanal dilute the value of your route servers and the IXP as a whole. Kind regards, Job
Any solution to that? Yell at the IRRs more? ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ----- Original Message ----- From: "Job Snijders" <job@instituut.net> To: "Simon Muyal" <smuyal@franceix.net> Cc: nanog@nanog.org Sent: Tuesday, June 26, 2018 1:23:55 PM Subject: Re: AS3266: BitCanal hijack factory, courtesy of many connectivity providers Dear Simon, On Tue, Jun 26, 2018 at 12:13:26PM -0600, Simon Muyal wrote:
On the France-IX route servers, we are applying filters based on IRR DBs. I double checked the list https://pastebin.com/raw/Jw1my9Bb and these prefixes should be filtered if bitcanal starts announcing them. Currently, bitcanal/AS197426 is not announcing any prefix on our route servers:
https://lg.franceix.net/irr_found_for/RS1+RS2/ipv4?q=197426 https://lg.franceix.net/irr_notfound_for/RS1+RS2/ipv4?q=197426
I'm very happy FranceIX apply filters - however Bitcanal is known to submit fabricated/falsified IRR information to databases like RADB and RIPE. I've reported this multiple times over the years to IRR database operators. In conclusion in the case of Bitcanal, most of your filtering is useless (and so is mine). Participants like Bitcanal dilute the value of your route servers and the IXP as a whole. Kind regards, Job
On Tue, 26 Jun 2018 at 12:28, Mike Hammett <nanog@ics-il.net> wrote:
Any solution to that? Yell at the IRRs more?
Or more generally, everyone involved should consider to stop selling services to well-known BGP hijackers. Kind regards, Job
Authoritative list of shame with supporting evidence? (Yes, I assume there isn't one and that one would have to be created.) Many network operators aren't going to know who's supposed to be on that list and who isn't. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ----- Original Message ----- From: "Job Snijders" <job@instituut.net> To: "Mike Hammett" <nanog@ics-il.net> Cc: nanog@nanog.org Sent: Tuesday, June 26, 2018 1:30:05 PM Subject: Re: AS3266: BitCanal hijack factory, courtesy of many connectivity providers On Tue, 26 Jun 2018 at 12:28, Mike Hammett < nanog@ics-il.net > wrote: Any solution to that? Yell at the IRRs more? Or more generally, everyone involved should consider to stop selling services to well-known BGP hijackers. Kind regards, Job
https://datatracker.ietf.org/wg/sidr/about/ Being presented at nanog nowish: Architecting Robust BGP Routing Policies Lightning Talk: BGP Transport Security - Do You Care? Lightning Talk: Legal Barriers to Securing the Routing Architecture On Tue, Jun 26, 2018 at 2:31 PM, Mike Hammett <nanog@ics-il.net> wrote:
Authoritative list of shame with supporting evidence? (Yes, I assume there isn't one and that one would have to be created.)
Many network operators aren't going to know who's supposed to be on that list and who isn't.
----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com
Midwest-IX http://www.midwest-ix.com
----- Original Message -----
From: "Job Snijders" <job@instituut.net> To: "Mike Hammett" <nanog@ics-il.net> Cc: nanog@nanog.org Sent: Tuesday, June 26, 2018 1:30:05 PM Subject: Re: AS3266: BitCanal hijack factory, courtesy of many connectivity providers
On Tue, 26 Jun 2018 at 12:28, Mike Hammett < nanog@ics-il.net > wrote:
Any solution to that? Yell at the IRRs more?
Or more generally, everyone involved should consider to stop selling services to well-known BGP hijackers.
Kind regards,
Job
On 26/Jun/18 20:31, Mike Hammett wrote:
Authoritative list of shame with supporting evidence? (Yes, I assume there isn't one and that one would have to be created.)
Many network operators aren't going to know who's supposed to be on that list and who isn't.
I tend to agree - I probably wouldn't know this well-known list, unless it's shared somewhere. Perhaps something that MANRS members have access to, although it would be good that it is accessible to the entire power-networking community. I imagine a Sales person doing a deal with a well-known spammer, and the provisioning team (who have no time/energy to follow what's happening in the world) delivering the service. Might be difficult to get this turned off after the Sales team have shown a TCV for the quarter/year heavily bumped by said sale. A list of shame that we can share with the Sales and Delivery teams could help stem the problem at its root. Mark.
RPKI? BGPsec? 26.06.18 21:27, Mike Hammett wrote:
Any solution to that? Yell at the IRRs more?
----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com
Midwest-IX http://www.midwest-ix.com
----- Original Message -----
From: "Job Snijders" <job@instituut.net> To: "Simon Muyal" <smuyal@franceix.net> Cc: nanog@nanog.org Sent: Tuesday, June 26, 2018 1:23:55 PM Subject: Re: AS3266: BitCanal hijack factory, courtesy of many connectivity providers
Dear Simon,
On Tue, Jun 26, 2018 at 12:13:26PM -0600, Simon Muyal wrote:
On the France-IX route servers, we are applying filters based on IRR DBs. I double checked the list https://pastebin.com/raw/Jw1my9Bb and these prefixes should be filtered if bitcanal starts announcing them. Currently, bitcanal/AS197426 is not announcing any prefix on our route servers:
https://lg.franceix.net/irr_found_for/RS1+RS2/ipv4?q=197426 https://lg.franceix.net/irr_notfound_for/RS1+RS2/ipv4?q=197426
I'm very happy FranceIX apply filters - however Bitcanal is known to submit fabricated/falsified IRR information to databases like RADB and RIPE. I've reported this multiple times over the years to IRR database operators.
In conclusion in the case of Bitcanal, most of your filtering is useless (and so is mine). Participants like Bitcanal dilute the value of your route servers and the IXP as a whole.
Kind regards,
Job
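
The point made above about IRR-based route-server filters and fabricated route objects, together with the RPKI suggestion in the reply, as an added example that is not part of the thread or any participant's code: it compares an exact-match IRR filter with RFC 6811 route origin validation on the same announcements. All prefixes, AS numbers and the EXAMPLE-IRR source are constructed from documentation ranges, and the function names are hypothetical.

```python
import ipaddress
from typing import NamedTuple


class RouteObject(NamedTuple):
    """One IRR route object: anyone able to write to the database can create it."""
    prefix: str
    origin: int
    source: str


class ROA(NamedTuple):
    """One RPKI ROA: only the holder of the address space can have it issued."""
    prefix: str
    max_length: int
    asn: int


def irr_accepts(prefix, origin, irr):
    """IRR filter: accept if a route object with this exact prefix and origin exists."""
    net = ipaddress.ip_network(prefix)
    return any(ipaddress.ip_network(o.prefix) == net and o.origin == origin
               for o in irr)


def rov_state(prefix, origin, roas):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue                      # this ROA does not cover the route
        covered = True
        if roa.asn == origin and net.prefixlen <= roa.max_length:
            return "valid"
    # Covered by at least one ROA but matched by none: the origin is wrong
    # or the announcement is more specific than the holder authorised.
    return "invalid" if covered else "not-found"


def route_server_decision(prefix, origin, irr, roas):
    """Import policy: the IRR filter first, then drop RPKI-invalid routes."""
    if not irr_accepts(prefix, origin, irr):
        return "reject: no IRR route object"
    state = rov_state(prefix, origin, roas)
    if state == "invalid":
        return "reject: RPKI invalid"
    return f"accept ({state})"


# Constructed sample data. AS64496 is the real holder of 198.51.100.0/24;
# AS64511 is a participant that also registered fabricated route objects.
IRR = [
    RouteObject("192.0.2.0/24", 64511, "EXAMPLE-IRR"),     # its own space
    RouteObject("198.51.100.0/24", 64496, "EXAMPLE-IRR"),  # holder's object
    RouteObject("198.51.100.0/24", 64511, "EXAMPLE-IRR"),  # fabricated
    RouteObject("203.0.113.0/24", 64511, "EXAMPLE-IRR"),   # fabricated, no ROA
]
ROAS = [
    ROA("192.0.2.0/24", 24, 64511),
    ROA("198.51.100.0/24", 24, 64496),
]
ANNOUNCED = [
    ("192.0.2.0/24", 64511),
    ("198.51.100.0/24", 64511),
    ("203.0.113.0/24", 64511),
    ("198.51.100.128/25", 64511),
]

if __name__ == "__main__":
    for prefix, origin in ANNOUNCED:
        print(f"{prefix:20} AS{origin}  irr={irr_accepts(prefix, origin, IRR)!s:5}  "
              f"rov={rov_state(prefix, origin, ROAS):9}  "
              f"{route_server_decision(prefix, origin, IRR, ROAS)}")
```

The third announcement is the residual case: address space whose holder has published no ROA stays "not-found", so a fabricated route object is still enough to get it accepted.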
On Tue, Jun 26, 2018, at 20:23, Job Snijders wrote:
I'm very happy FranceIX apply filters - however Bitcanal is known to submit fabricated/falsified IRR information to databases like RADB and RIPE. I've reported this multiple times over the years to IRR database operators.
In conclusion in the case of Bitcanal, most of your filtering is useless (and so is mine). Participants like Bitcanal dilute the value of your route servers and the IXP as a whole.
I can confirm that this morning (~09h30 CEST, when I read the first message in the thread) there were no BitCanal announces received from FranceIX Paris RS. Not even the ones with an IRR record (the ones in 213/8). All of them were from transit.
On Tue, Jun 26, 2018 at 09:57:14PM +0200, Radu-Adrian Feurdean wrote:
On Tue, Jun 26, 2018, at 20:23, Job Snijders wrote:
I'm very happy FranceIX apply filters - however Bitcanal is known to submit fabricated/falsified IRR information to databases like RADB and RIPE. I've reported this multiple times over the years to IRR database operators.
In conclusion in the case of Bitcanal, most of your filtering is useless (and so is mine). Participants like Bitcanal dilute the value of your route servers and the IXP as a whole.
I can confirm that this morning (~09h30 CEST, when I read the first message in the thread) there were no BitCanal announces received from FranceIX Paris RS.
What about now? Still squeaky clean? What about now? What about tomorrow? You only need to announce hijacked routes for the duration of the spamming campaign (usually just a few hours). The presence of this type of actor poses a risk to all connected to the IX fabric. Kind regards, Job
https://bgp.he.net/AS205869#_peers This is another chronic hijacker that is spoofing downstream ASNs and Prefixes. They are currently hijacking 25 prefixes. Mostly /18s,/19s and /20s. Telecom Italia, Telia and Eurotrans Telecom are upstreams. Of course people making money off of it aren't going to do anything about it. Eurotrans Telecom has telia and tata as upstreams. They are also peered with HE but HE doesn't appear to be accepting the hijacked routes. Good for them. Mack -----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Radu-Adrian Feurdean Sent: Tuesday, June 26, 2018 1:57 PM To: nanog@nanog.org Subject: Re: AS3266: BitCanal hijack factory, courtesy of many connectivity providers On Tue, Jun 26, 2018, at 20:23, Job Snijders wrote:
I'm very happy FranceIX apply filters - however Bitcanal is known to submit fabricated/falsified IRR information to databases like RADB and RIPE. I've reported this multiple times over the years to IRR database operators.
In conclusion in the case of Bitcanal, most of your filtering is useless (and so is mine). Participants like Bitcanal dilute the value of your route servers and the IXP as a whole.
I can confirm that this morning (~09h30 CEST, when I read the first message in the thread) there were no BitCanal announces received from FranceIX Paris RS. Not even the ones with an IRR record (the ones in 213/8). All of them were from transit.
Hi, I've been casually observing the connectivity to Bitcanal / AS3266 / AS197426 since the thread started. After GTT shared that bitcanal had been disconnected, bitcanal was only visible behind Cogent. But the Cogent path now also seems to have been disconnected. After Cogent they popped up behind BICS (but just for a few days), that circuit seems to have been disconnected too. On the IX front: I noticed that Bitcanal's IP addresses on LINX (since yesterday) and FranceIX (since today) are no longer responding. It is good to see that discussing BGP hijacking abuse complaints actually results in clean up activities. I hope the remaining IX's they're still connected to can act too. Thanks! -Tom
On 2018-07-06 21:18, Tom Paseka via NANOG wrote:
Hi,
I've been casually observing the connectivity to Bitcanal / AS3266 / AS197426 since the thread started.
After GTT shared that bitcanal had been disconnected, bitcanal was only visible behind Cogent. But the Cogent path now also seems to have been disconnected. After Cogent they popped up behind BICS (but just for a few days), that circuit seems to have been disconnected too.
On the IX front: I noticed that Bitcanal's IP addresses on LINX (since yesterday) and FranceIX (since today) are no longer responding.
It is good to see that discussing BGP hijacking abuse complaints actually results in clean up activities. I hope the remaining IX's they're still connected to can act too.
Thanks! -Tom
And it also seems that they are now no longer reachable over the AMS-IX fabric (and is no longer listed as a member). I also noticed that they are not reachable over the Megaport/ECIX fabric in Frankfurt either (no arp or ping-reply) but is listed as member on the megaport website, so not sure what's going on there. The only routes i can see now for 3266/197426 is two /24 v4 and one /29 v6 that jumps on over to portugal through 1299 (telia) -> 174 (cogent) -> 29003 (refertelecom / iptelecom). -- hugge
The only routes i can see now for 3266/197426 is two /24 v4 and one /29 v6 that jumps on over to portugal through 1299 (telia) -> 174 (cogent) -> 29003 (refertelecom / iptelecom).
6939 (HE) are still advertising the routes to their customers. That suggests that 197426 is still active on at least one IX.
We saw these announcements from GigaPix and ESPANIX route servers. Adjustments have been made and we are no longer accepting these. -- Rob Mosher Senior Network and Software Engineer Hurricane Electric / AS6939 On 7/9/2018 11:43 AM, Phil Lavin wrote:
The only routes i can see now for 3266/197426 is two /24 v4 and one /29 v6 that jumps on over to portugal through 1299 (telia) -> 174 (cogent) -> 29003 (refertelecom / iptelecom). 6939 (HE) are still advertising the routes to their customers. That suggests that 197426 is still active on at least one IX.
On 2018-07-09 17:24, Fredrik Korsbäck wrote:
On 2018-07-06 21:18, Tom Paseka via NANOG wrote:
Hi,
I've been casually observing the connectivity to Bitcanal / AS3266 / AS197426 since the thread started.
After GTT shared that bitcanal had been disconnected, bitcanal was only visible behind Cogent. But the Cogent path now also seems to have been disconnected. After Cogent they popped up behind BICS (but just for a few days), that circuit seems to have been disconnected too.
On the IX front: I noticed that Bitcanal's IP addresses on LINX (since yesterday) and FranceIX (since today) are no longer responding.
It is good to see that discussing BGP hijacking abuse complaints actually results in clean up activities. I hope the remaining IX's they're still connected to can act too.
Thanks! -Tom
And it also seems that they are now no longer reachable over the AMS-IX fabric (and is no longer listed as a member).
I also noticed that they are not reachable over the Megaport/ECIX fabric in Frankfurt either (no arp or ping-reply) but is listed as member on the megaport website, so not sure what's going on there.
The only routes i can see now for 3266/197426 is two /24 v4 and one /29 v6 that jumps on over to portugal through 1299 (telia) -> 174 (cogent) -> 29003 (refertelecom / iptelecom).
And now it also seems that NANOG-contributor Doug over at Dyn has done a complete wrap-up of the thing and he has highlighted all the important aspects of this incident in a very educative manner. https://dyn.com/blog/shutting-down-the-bgp-hijack-factory/ Thanks for this Doug! I will bring this post up with my NOC and L2-teams since i think these type of incidents will become as common as regular spam in the future... -- hugge
On 26/06/2018 07:49, Ronald F. Guilmette wrote: You are mistaken. Cogent and Level3 are signatories to MANRS: https://www.manrs.org/participants/ so this clearly can't happen and you are making this up. :-) -Hank
The fact that there exists a jerk like this on the Internet isn't really all that surprising. What I personally -do- find rather surprising is that three companies that each ought to know better, namely Cogent, GTT, and Level3 are collectively supplying more than 3/4ths of this guy's IPv4 connectivity, at least according to the graph displayed here:
Without the generous support of Cogent, GTT, and Level3 this dumbass lowlife IP address space thief would be largely if not entirely toast. So what are they waiting for? Why don't they turf this jackass? Are they waiting for an engraved invitation or what?
As I always ask, rhetorically, in cases like this: Where are the grownups?
I would like everyone reading this who is a customer of Cogent, GTT, or Level3 to try to contact these companies and ask them why they are providing connectivity/peering to a hijacking jerk like this Silveira character. Ask them why -you- have to endure more spam in your inbox just so that -they- can make another one tenth of one percent profit by peering with this hijacking, spammer-loving miscreant. I would ask them myself, but I personally am not a direct customer of any of them, so they would all, most probably, just tell me to go pound sand.
If you do manage to make contact, please be sure to mention all three of Mr. Silveira's ASNs, i.e. AS42229, AS197426, and AS3266. And don't let whoever you talk to try to weasel out of responsibility for this travesty, e.g. by claiming that they don't know anything about what's been going on with all those hijacks announced by AS3266, and/or that they only provide peering for AS197426. The hijacks may all be originating from Mr. Silveira's AS3266, but bgp.he.net makes clear that AS3266 has one, and only one peer, i.e. Mr. Silveira's AS197426:
So basically, Cogent, GTT, and Level3 are the prime enablers of this massive theft of IP space. (They might try to claim that BitCanal's historical propensity to engage in hijacks is something "brand new" or at least that -they- may not have been aware of it until now, in which case you should ask them if they have anybody on staff who is paying attention. As noted above, it isn't as if Bitcanal just started pulling this crap yesterday. Far from it.)
Oh! And you might also mention the fact that Spamhaus, and, I would guess, at least a few of the other public blacklists already have most or all of Mr. Silveira's IP space... hijacked or otherwise... blacklisted, presumably for good and ample cause.
As long as Cogent, GTT, and Level3 are willing to go along with this nonsense, i.e. by selling peering to this Silveira thief, crime on the Internet -does- pay, and the theft of other people's IP space will continue to be rewarded rather than punished, as it should be.
If that becomes the new normal for Internet behavior, then god help us all.
Regards, rfg
Hi all,
I have heard that DE-CIX expelled BitCanal from their IXPs. One of their guys also gave a presentation about how DE-CIX handles abuse cases: https://ripe75.ripe.net/archives/video/103/
I don't know how other IXPs are handling such cases. Would be interesting to know.
Best regards, IUO
On Tue, Jun 26, 2018 at 9:35 AM, Hank Nussbacher <hank@efes.iucc.ac.il> wrote:
On 26/06/2018 07:49, Ronald F. Guilmette wrote:
You are mistaken. Cogent and Level3 are signatories to MANRS: https://www.manrs.org/participants/ so this clearly can't happen and you are making this up.
:-)
-Hank
I am the guy who gave the presentation. We ask our customers to report misbehavior of peers at DE-CIX IXPs (e.g. IP hijack, ASN hijacks) to abuse@de-cix.net. We will look into reported cases and collect evidence so that we can act accordingly. So far, this process helped us to identify and fix configuration errors from peers on a few occasions. Also, as a last resort we expelled a small number of permanent and notorious rule breakers.
Best regards, Thomas
On 26.06.18, 15:16, "IXP User One" <ixp.user.one@gmail.com> wrote:
Hi all,
I have heard that DE-CIX expelled BitCanal from their IXPs. One of their guys also gave a presentation about how DE-CIX handles abuse cases: https://ripe75.ripe.net/archives/video/103/
I don't know how other IXPs are handling such cases. Would be interesting to know.
Best regards, IUO
On 26/06/2018 17:08, Thomas King wrote:
Kudos to DE-CIX for getting it right.
-Hank
I am the guy who gave the presentation. We ask our customers to report misbehavior of peers at DE-CIX IXPs (e.g. IP hijack, ASN hijacks) to abuse@de-cix.net. We will look into reported cases and collect evidence so that we can act accordingly. So far, this process helped us to identify and fix configuration errors from peers on a few occasions. Also, as a last resort we expelled a small number of permanent and notorious rule breakers.
Best regards, Thomas
GTT takes all AUP violations extremely seriously. Any offending parties mentioned in this thread have been dealt with accordingly, and GTT now considers the matter resolved from its side.
participants (20)
- Adam Davenport
- Dan Hollis
- Fredrik Korsbäck
- Hank Nussbacher
- Heather Schiller
- IXP User One
- Job Snijders
- Mark Tinka
- Max Tulyev
- McBride, Mack
- Mike Hammett
- Phil Lavin
- Radu-Adrian Feurdean
- Rob Mosher
- Ronald F. Guilmette
- Simon Muyal
- Stephen Fulton
- Suresh Ramasubramanian
- Thomas King
- Tom Paseka