Notice: Fraudulent RIPE ASNs
After a careful investigation, I am of the opinion that each of the following 18 ASNs was registered (via RIPE) with fraudulent information purporting to represent the identity of the true registrant, and that in fact, all 18 of these ASNs were registered by a single party, apparently as part of a larger scheme to provide IP space to various snowshoe spammers.

Evidence I have in hand strongly links this scheme and these ASNs and their associated IPv4 route announcements to Jump Network Services, aka JUMP.RO. Furthermore, all of these ASNs are apparently peering with exactly and only the same two other ASNs in all cases, i.e. GTS Telecom SRL (AS5606) and Net Vision Telecom SRL (AS39737). These peers and the fraudulent ASNs listed below are all apparently originated out of Romania.

AS16011 (fiberwelders.ro)
AS28822 (creativitaterpm.ro)
AS48118 (telecomhosting.ro)
AS49210 (rom-access.ro)
AS50659 (grandnethost.com)
AS57131 (speedconnecting.ro)
AS57133 (nordhost.ro)
AS57135 (fastcable.ro)
AS57176 (bucovinanetwork.ro)
AS57184 (kaboomhost.ro)
AS57415 (highwayinternet.ro)
AS57695 (effidata.ro)
AS57724 (id-trafic.ro)
AS57738 (mclick.ro)
AS57786 (hosting-www.ro)
AS57837 (romtechinnovation.ro)
AS57906 (momy.ro)
AS57917 (nature-design.ro)

At present, the above 18 ASNs are currently announcing routes for a total amount of IP space equal to 1,022 /24s, which is the rough equivalent of an entire /14 block. These IPv4 route announcements are listed below, sorted by IPv4 (32-bit) start address.

Additional potentially relevant background information:

http://threatpost.com/en_us/blogs/attackers-buying-own-data-centers-botnets-...
http://www.spamhaus.org/rokso/evidence/ROK9107/world-company-register-eu-bus...
http://www.spamhaus.org/sbl/listings/jump.ro

Current route announcements:
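The report above sizes the announced space in /24 equivalents (1,022 /24s, "roughly a /14"). The following check is added here and is not part of the original post: it takes a handful of the prefixes quoted in the report plus one constructed more-specific (31.14.36.0/24, not on the page), collapses overlapping and adjacent prefixes so that a more-specific announced alongside its covering aggregate is not counted twice, and converts the total into the report's /24 and "rough single prefix" figures. The 1,022 and /14 figures are the report's own; every function name here is mine.

```python
import ipaddress
import math

# A subset of the route announcements quoted in the report above, plus one
# constructed more-specific (31.14.36.0/24) that sits inside 31.14.36.0/22.
# Naively summing prefix sizes would count that /24 twice.
SAMPLE_ROUTES = [
    "31.14.30.0/24",
    "31.14.32.0/24",
    "31.14.33.0/24",
    "31.14.34.0/23",
    "31.14.36.0/22",
    "31.14.36.0/24",   # constructed more-specific, not from the report
    "31.14.56.0/21",
    "31.14.80.0/20",
]


def parse_routes(lines):
    """Parse prefix strings into IPv4Network objects.

    strict=True rejects a prefix whose host bits are set (e.g. 31.14.33.0/23),
    which in a hand-maintained announcement list almost always means a typo.
    Blank lines are skipped.
    """
    nets = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        nets.append(ipaddress.ip_network(line, strict=True))
    return nets


def slash24_equivalents(nets):
    """Total announced space in /24 units.

    collapse_addresses() merges adjacent prefixes and drops any prefix that is
    covered by a larger one in the same list, so overlapping announcements are
    counted once, as they would be in a routing table.
    """
    collapsed = list(ipaddress.collapse_addresses(nets))
    total_addrs = sum(n.num_addresses for n in collapsed)
    return total_addrs // 256


def rough_equivalent_prefix(n_slash24):
    """Smallest single IPv4 prefix length that would hold n /24s.

    1,022 /24s need 2**10 = 1,024 /24s, i.e. a /14, which matches the
    "rough equivalent of an entire /14" figure in the report.
    """
    if n_slash24 <= 0:
        raise ValueError("need a positive /24 count")
    return 24 - math.ceil(math.log2(n_slash24))


def summarize(lines):
    """Return the announcement count, de-duplicated /24 total and the rough
    single-prefix equivalent for a list of prefix strings."""
    nets = parse_routes(lines)
    n24 = slash24_equivalents(nets)
    return {
        "announcements": len(nets),
        "slash24s": n24,
        "rough_prefix": rough_equivalent_prefix(n24),
    }


if __name__ == "__main__":
    # For SAMPLE_ROUTES: 8 announcements, 33 /24s (not 34), rough prefix /18.
    print(summarize(SAMPLE_ROUTES))
```

Feeding the full announcement list from a looking glass or RIPEstat export into `summarize()` reproduces the report's 1,022-/24 figure only if overlapping more-specifics are collapsed first; a naive sum overstates it.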
On Tue, Jan 15, 2013 at 12:49 AM, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
After a careful investigation, I am of the opinion that each of the following 18 ASNs was registered (via RIPE) with fraudulent information purporting to represent the identity of the true registrant, and that in fact, all 18 of these ASNs were registered by a single party, apparently as part of a larger scheme to provide IP space to various snowshoe spammers.
Evidence I have in hand strongly links this scheme and these ASNs and their associated IPv4 route announcements to Jump Network Services, aka JUMP.RO. Furthermore, all of these ASNs are apparently peering with exactly and only the same two other ASNs in all cases, i.e. GTS Telecom SRL (AS5606) and Net Vision Telecom SRL (AS39737). These peers and the fraudulent ASNs listed below are all apparently originated out of Romania.
Jump.ro is a very active LIR and domain registry on the Romanian market and is "selling" ASNs to whomever is interested and facilitates allocations of PI netblocks to those who can justify them. It might come as a surprise to you, but in Romania there are a lot of companies (even very small ones) with their own ASN and PI netblocks. This setup makes it extremely easy to switch ISPs with virtually no impact on network operations. If I'm not mistaken, companies use Netvision for cheap internet access. GTS is more expensive, but theoretically is providing high quality internet access with good SLAs.
AS16011 (fiberwelders.ro)
AS28822 (creativitaterpm.ro)
AS48118 (telecomhosting.ro)
AS49210 (rom-access.ro)
AS50659 (grandnethost.com)
AS57131 (speedconnecting.ro)
AS57133 (nordhost.ro)
AS57135 (fastcable.ro)
AS57176 (bucovinanetwork.ro)
AS57184 (kaboomhost.ro)
AS57415 (highwayinternet.ro)
AS57695 (effidata.ro)
AS57724 (id-trafic.ro)
AS57738 (mclick.ro)
AS57786 (hosting-www.ro)
AS57837 (romtechinnovation.ro)
AS57906 (momy.ro)
AS57917 (nature-design.ro)
From all those websites it looks like they are all hosting companies. Have you tried calling the numbers listed in the WHOIS registrant information on the ASNs and couldn't get through to anyone?
At present, the above 18 ASNs are currently announcing routes for a total amount of IP space equal to 1,022 /24s, which is the rough equivalent of an entire /14 block. These IPv4 route announcements are listed below, sorted by IPv4 (32-bit) start address.
If you really believe that all those ASNs listed by you above are only used to host spammers, then by all means please contact alerts@cert-ro.eu - that is the Romanian CERT as they are active and will investigate the allegations you make.
Additional potentially relevant background information:
http://threatpost.com/en_us/blogs/attackers-buying-own-data-centers-botnets-...
http://www.spamhaus.org/rokso/evidence/ROK9107/world-company-register-eu-bus...
http://www.spamhaus.org/sbl/listings/jump.ro
So far I do not know a single web hosting company whose customers never spammed anyone :)
Hello,

On Tue, Jan 15, 2013 at 7:31 AM, Eugeniu Patrascu <eugen@imacandi.net> wrote:
On Tue, Jan 15, 2013 at 12:49 AM, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
After a careful investigation, I am of the opinion that each of the following 18 ASNs was registered (via RIPE) with fraudulent information purporting to represent the identity of the true registrant, and that in fact, all 18 of these ASNs were registered by a single party, apparently as part of a larger scheme to provide IP space to various snowshoe spammers.
As this email is regarding actions in Europe by RIPE, you may get a better response from contacts in the RIPE region. I notice that you have been cross posting this message (though not responding on list to replies), for example to the RIPE NCC Anti-Abuse Working Group (http://www.ripe.net/ripe/groups/wg/anti-abuse) - a great place to start.

Although you have already been told this elsewhere, your best step after contacting the Romanian CIRT is likely to be following the reporting procedure for the provision of untruthful information to the RIPE NCC at http://www.ripe.net/contact/reporting-procedure, which is a well defined procedure. RIPE NCC will investigate any report submitted through this procedure; there is a flowchart at this web address that clearly explains what will happen.

If you ever need to find the contact details for a European CSIRT, the centralised "Trusted Introducer" is normally the place to start. Their website can be found at https://www.trusted-introducer.org.

As this list is the North America Network Operators Group, it's unlikely that much in the way of action by RIPE NCC, Romanian authorities or other relevant authorities within the EU will happen as a result of a post here.

I hope this helps get you in touch with the right people to help.

Best wishes,
Alex
In message <CALKLF0-g2Ni7tZ5toUZi9Ss_VWXOBL7BAeDUBmRo1TpCSJDuYg@mail.gmail.com> Alex Brooks <askoorb+nanog@gmail.com> you wrote:
I notice that you have been cross posting this message (though not responding on list to replies), for example to the RIPE NCC Anti-Abuse Working Group (http://www.ripe.net/ripe/groups/wg/anti-abuse)
I did post (singular) the message there also, and have seen no replies on that list that warrant any type of further follow up from me.
Although you have already been told this elsewhere, your best step after contacting the Romanian CIRT
I personally have no intention of contacting the Romanian CERT (or CIRT) for reasons I previously elaborated upon. But by all means, please feel free to do so yourself if you think it worthwhile. I have done the hard work to find, flesh out, document, and verify the problem/issue I reported on. I have tried to warn the people who matter, network operators and people in the RIPE area interested in network abuse issues. If other people feel that the message needs to be relayed to yet more parties, then that is up to them to effectuate. I have done all that I plan to do on this. (However I am willing to answer questions put to me, e.g. from people wanting to know the specific facts that led me to my conclusions. That is only fair, after all.)
is likely to be following the reporting procedure for the provision of untruthful information to the RIPE NCC at http://www.ripe.net/contact/reporting-procedure, which is a well defined procedure. RIPE NCC will investigate any report submitted through this procedure; there is a flowchart at this web address that clearly explains what will happen.
See above. I have done a great deal of work on this already. I leave it to other interested parties to file whatever additional reports they might feel are warranted or appropriate. I may be able to clear tall buildings with a single bound, but I can't do _everything_. (Besides which, why should _I_ have all the fun?)

Separately however, I should perhaps also clarify that I have less than zero faith in _any_ process undertaken by _any_ RiR which has as its purported goal the un-doing of fraudulent number resource registrations. I was not born yesterday. I have seen such processes in action, and it has been my experience that all such make molasses in January look fast by comparison... when they work at all.

Furthermore, RiRs are not the Internet Police. Thus, whenever they find (or, more often, are told about) some number resource which has been registered or used via fraud, deceit, or artifice they have universally self-defined the limits of their own authority to simply taking back what was stolen. Never more. Thus, the most thieves risk when they steal or defraud to obtain number resources is that somebody _might_ someday ask them to give what they stole back... and thus it may be easily demonstrated that the RiRs are effectively all castrated eunuchs with gigantic "kick me" signs on their backs.

(When and if RIPE kicks JUMP.RO entirely off the net as a penalty for its part in these shenanigans... and others that have previously been documented..., then please do let me know and then I may change my mind and start believing that RiRs are no longer acting like helpless hapless morons each time they have been clearly defrauded.)

And of course, some (perhaps all) RiRs are more than happy to have the final remaining bits of IPv4 space defrauded out from under them so that they can press on with the business of selling us all IPv6. It is rather pointless to report something as stolen to an owner who doesn't seriously want it back anyway.

But it's a free country. You can do whatever you like.
If you ever need to find the contact details for a European CSIRT,
Why would I ever need THAT?? Until convinced otherwise, I'm going to continue to view those folks as being more likely to be a part of the problem rather than part of the solution.
As this list is the North America Network Operators Group, it's unlikely that much in the way of action by RIPE NCC, Romanian authorities or other relevant authorities within the EU will happen as a result of a post here.
I know that. However I am also of the opinion that it is unlikely that much in the way of action by RIPE NCC, Romanian authorities or other relevant authorities within the EU will happen with respect to an issue like this NO MATTER WHAT because all of these organizations are far more adept at explaining why nothing can be done than they are at actually doing anything. By posting here, at least North American network operators can decide on their own to block routes from the relevant ASNs... or not, if they don't feel like it. That's something at least. I'm not an Internet Policeman. I'm not even an Internet Police informant. I'm an investigative journalist. As the old saying goes, if you don't like the news, then go out and make some of your own.
I hope this helps get you in touch with the right people to help.
I don't need any help. I posted here to try to help others, and I believe that I did. I don't feel any pressing need or desire to contact anyone else.
Best wishes,
Thank you. And to you!

Regards,
rfg
Hi,
is likely to be following the reporting procedure for the provision of untruthful information to the RIPE NCC at http://www.ripe.net/contact/reporting-procedure, which is a well defined procedure. RIPE NCC will investigate any report submitted through this procedure; there is a flowchart at this web address that clearly explains what will happen.
See above. I have done a great deal of work on this already. I leave it to other interested parties to file whatever additional reports they might feel are warranted or appropriate.
Sorry, but you post this information on public mailing lists where it can be discussed but where no action can be taken, and then refuse to post it to the single organisation that actually *can* do something with it?

Nobody else will take your research and submit it to a third party. It's your research: either you submit it to the RIPE NCC and action will be taken where appropriate, or you don't and then your research will be forgotten and nothing will be done... It's just one form to fill in.

Thanks,
Sander
I'm having more than a little deja vu here - Romanian LIRs have come up on this list (leave alone nanog, or various other RIPE lists) more than once in this context. In fact, there is an apparent pattern of large scale misuse of resources here, with a complex reporting procedure that puts the onus on the complainant to perform validation that, given complaints of a widespread problem, RIPE staff is much better qualified (not to mention, paid for their time) to do themselves, on a proactive basis.

--srs

On Wednesday, January 16, 2013, Sander Steffann wrote:
Hi,
is likely to be following the reporting procedure for the provision of untruthful information to the RIPE NCC at http://www.ripe.net/contact/reporting-procedure, which is a well defined procedure. RIPE NCC will investigate any report submitted through this procedure; there is a flowchart at this web address that clearly explains what will happen.
See above. I have done a great deal of work on this already. I leave it to other interested parties to file whatever additional reports they might feel are warranted or appropriate.
Sorry, but you post this information on public mailing lists where it can be discussed but where no action can be taken, and then refuse to post it to the single organisation that actually *can* do something with it?
Nobody else will take your research and submit it to a third party. It's your research: either you submit it to the RIPE NCC and action will be taken where appropriate, or you don't and then your research will be forgotten and nothing will be done... It's just one form to fill in.
Thanks,
Sander
-- --srs (iPad)
Hi,
I'm having more than a little deja vu here - Romanian LIRs have come up on this list (leave alone nanog, or various other RIPE lists) more than once in this context. In fact
Yes, but like I said: talk on lists is not enough
There is an apparent pattern of large scale misuse of resources here, with a complex reporting procedure that puts the onus on the complainant to perform validation
Filling in one web form is a complex reporting procedure? The form only contains:

- the reason (probably "Violation of RIPE Policies and RIPE NCC Procedures" or "Provision of untruthful information to the RIPE NCC")
- one of the relevant resources (can be an address, ASN or organisation object from the RIPE database) "In order to identify the natural or legal person responsible".
- a text field where you can copy&paste your report
- your contact details
- one checkbox "I confirm that the information I provide is correct and to the best of my knowledge"
- one checkbox "I allow the RIPE NCC to forward my report and attachments to the party the report is about."
- a captcha

They add a note that your contact details will never be shared with a third party, only the content of your report. They also provide a nice flowchart that shows how they will handle the report, which basically comes down to: Report-submitted -> report-accepted -> start-investigation.

I really can't see how this is a "complex reporting procedure that puts the onus on the complainant to perform validation". They don't ask for validation, only that you provide correct information on which they can base their investigation.
that, given complaints of a widespread problem, RIPE staff is much better qualified (not to mention, paid for their time) to do themselves, on a proactive basis.
They do proactive audits and they do verification/validation of the information people write in the reports. They will take action on complaints of a widespread problem. They just need the proper information through the official channels, which in this case is a not-so-complicated web form...

Cheers,
Sander
In message <A5DAD1A3-9CC9-4560-93BD-85F9E912885E@steffann.nl>, Sander Steffann <sander@steffann.nl> wrote:
Sorry, but you post this information on public mailing lists where it can be discussed but where no action can be taken...
I think that you mistake formalized centralized "action" for "action" more broadly and generally. In fact, it is my belief that "action" has already been taken, within some networks, to firewall themselves off from the miscreant ASNs and IP blocks that I reported on. (And based upon my beliefs regarding these ASNs and IP blocks I would highly recommend that others who have not yet done so follow suit, along with any and all IP space being announced in routes from AS2876.)
Nobody else will take your research and submit it to a third party. It's your research: either you submit it to the RIPE NCC and action will be taken where appropriate...
As I have already stated, I have no faith whatsoever in the last part of that assertion, and thus elect not to waste my time. These kinds of problems have been going on for literally years now, primarily originating out of Romania. If RIPE seriously wanted to shut down all of this fraudulent activity, they could have and would have done so long before now. In the three years since the following report was written, what has changed? Anything?

http://threatpost.com/en_us/blogs/attackers-buying-own-data-centers-botnets-...

"It is impossible at that stage in the process for the RIPE NCC to determine that a company is involved in illegal activity. The member in question later proved to be a front for RBN," RIPE said in a statement on the case. But the allocation was made in 2006 and it wasn't until May 2008 that RIPE was able to close down the LIR and get the IP space back."

Excuse me, but really? Two *&^%$#@ years, just to get some space back from the notorious RBN??

"In most regions, a new organization requesting a large allocation will have to go through a fairly rigorous process to show the need for the address space..."

But not in the RIPE region, apparently.

Regards,
rfg

P.S. ASNs are not nearly in as short supply as IPv4 addresses are, however there _are_ only a finite number of them, and they should not be wasted. As I understand it, generally speaking if you are too small to own even at least one router, then you most certainly do not need your own ASN. I have noted however that the last hop on all traceroutes to all of the domains mentioned in my initial report seems to be 193.226.166.214. The router at that address is, I believe, the router immediately in front of the server(s) that are serving up the home pages for these fraudulent false-front entities. That IP belongs to AS5606 aka GTS Telecom SRL... *not* to any one of these bogus fraudulent pseudo-entities. So, within the RIPE region, it appears that one can obtain one's own ASN... or even perhaps a couple dozen of them... without even owning a single router. Somehow this does not seem to me to be an efficient allocation of finite number resources.

P.P.S. Before anyone asks, no, the fact that all routes to all of the web servers for all of the domains mentioned in my initial report all pass through 193.226.166.214 (just before the last hop in all cases) is most certainly *not* the only bit of evidence that indicates that all of these 18 fraudulent false-front entities were created/registered/implemented by a single hand (which I am confident they all were). There is plenty more evidence that supports this view also. One has only to look just very slightly below the surface. The evidence is abundant.

P.P.P.S. Long before I posted my report here this week, it was already well and widely known that JUMP.RO has an unfortunate tendency to provide IP space to fictitious entities engaged primarily in spamming:

http://www.spamhaus.org/rokso/evidence/ROK9107/world-company-register-eu-bus...

If the good folks at RIPE NCC have not already known about this for some time then I would suggest that some of them may perhaps be working overtime to avoid knowing. On the other hand, if the RIPE folks have in fact known about what JUMP.RO has been up to, based on earlier published reports of their questionable activities, then that begs the obvious question: What has RIPE done about this so far? Anything?

I'm sure that your urging of me to take further action with respect to this matter is well intentioned, but you have your urging pointed in the wrong direction, I think. The primary onus for further action lies elsewhere.
On Tue, Jan 15, 2013 at 11:36:04PM +0100, Sander Steffann wrote:
Sorry, but you post this information on public mailing lists where it can be discussed but where no action can be taken [...]
That's not exactly correct. Lots of people on this list are perfectly capable of taking a variety of actions (based on this information) should they choose to do so. I have.

I do not understand why you're so adamant about sending this information to an organization primarily distinguished by its incompetence and negligence. If they were actually DOING THEIR JOBS in even minimally diligent fashion, then Ron wouldn't have needed to write that note or do the research behind it, because this wouldn't be happening.

---rsk
I do not understand why you're so adamant about sending this information to an organization primarily distinguished by its incompetence and negligence. If they were actually DOING THEIR JOBS in even minimally diligent fashion, then Ron wouldn't have needed to write that note or do the research behind it, because this wouldn't be happening.
this kind of mostly unfounded vitriol is silly and damages your credibility. no one seriously believes that the RIPE NCC (which is managed by all of its members) is primarily distinguished by their incompetence and negligence.

i believe this conversation has now gotten to the <plonk> stage. can someone compare them to hitler so that we can move on?

cheers,
t
On Wed, Jan 16, 2013 at 10:07:40AM -0500, Todd Underwood wrote:
no one seriously believes that the RIPE NCC (which is managed by all of its members) is primarily distinguished by their incompetence and negligence.
Really? Then why, pray tell, haven't they made it a practice to routinely (let's say, once a month) ask the people over at Spamhaus: "Hey folks, do you see anything wonky in the space we manage?" and then act immediately and decisively on what they get back for an answer?

I don't want to speak for Spamhaus, but I suspect that they would be delighted to provide that response, particularly if it led to swift and effective action to make the problem(s) go away. And while I don't always agree with their positions, I've *rarely* found mistakes in their research: they're thorough. (So's Ron, by the way.)

This isn't complicated. This isn't expensive. This doesn't require new technology or anything fancy. It's basic due diligence. Yet it clearly hasn't happened. Why the hell not?

We live in a time when abuse is epidemic. It's costing us a fortune, and I don't just mean in financial terms, although certainly that's bad enough all by itself. But it doesn't just magically fall out of the sky and land on our servers or routers, or at port 25 on our mail servers. It comes from *somewhere*, and it does so on *somebody's* watch. And when it does so on a chronic and systemic basis, surely it is reasonable to ask questions like "Why, if we can so clearly see it arriving at our operation, can they not see it leaving theirs?" or "Why aren't people paying attention to the primary/most useful sources of information about their own operations?"

So it's (well past) time to stop giving people a pass for looking the other way or failing to look at all. It's my, your, and everyone's professional responsibility to do everything we possibly can to prevent the networks, hosts, and resources we run from being part of the problem. So yeah: "incompetence" and "negligence" are the best words I can find to describe failure to do that. What would you call it?

---rsk
it's nice that we've proceeded to insult our colleagues. many thanks to mr. petach for achieving the end of this thread. thank you all for participating.

On Wed, Jan 16, 2013 at 10:54 AM, Rich Kulawiec <rsk@gsp.org> wrote:
On Wed, Jan 16, 2013 at 10:07:40AM -0500, Todd Underwood wrote:
no one seriously believes that the RIPE NCC (which is managed by all of its members) is primarily distinguished by their incompetence and negligence.
Really? Then why, pray tell, haven't they made it a practice to routinely (let's say, once a month) ask the people over at Spamhaus: "Hey folks, do you see anything wonky in the space we manage?" and then act immediately and decisively on what they get back for an answer?
I don't want to speak for Spamhaus, but I suspect that they would be delighted to provide that response, particularly if it led to swift and effective action to make the problem(s) go away. And while I don't always agree with their positions, I've *rarely* found mistakes in their research: they're thorough. (So's Ron, by the way.)
This isn't complicated. This isn't expensive. This doesn't require new technology or anything fancy. It's basic due diligence. Yet it clearly hasn't happened. Why the hell not?
We live in a time when abuse is epidemic. It's costing us a fortune, and I don't just mean in financial terms, although certainly that's bad enough all by itself. But it doesn't just magically fall out of the sky and land on our servers or routers, or at port 25 on our mail servers. It comes from *somewhere*, and it does so on *somebody's* watch. And when it does so on a chronic and systemic basis, surely it is reasonable to ask questions like "Why, if we can so clearly see it arriving at our operation, can they not see it leaving theirs?" or "Why aren't people paying attention to the primary/most useful sources of information about their own operations?"
So it's (well past) time to stop giving people a pass for looking the other way or failing to look at all. It's my, your, and everyone's professional responsibility to do everything we possibly can to prevent the networks, hosts, and resources we run from being part of the problem. So yeah: "incompetence" and "negligence" are the best words I can find to describe failure to do that. What would you call it?
---rsk
On Wed, Jan 16, 2013 at 10:54 AM, Rich Kulawiec <rsk@gsp.org> wrote:
On Wed, Jan 16, 2013 at 10:07:40AM -0500, Todd Underwood wrote:
no one seriously believes that the RIPE NCC (which is managed by all of its members) is primarily distinguished by their incompetence and negligence.
Really? Then why, pray tell, haven't they made it a practice to routinely (let's say, once a month) ask the people over at Spamhaus: "Hey folks, do you see anything wonky in the space we manage?" and then act immediately and decisively on what they get back for an answer?
I don't want to speak for Spamhaus, but I suspect that they would be delighted to provide that response, particularly if it led to swift and effective action to make the problem(s) go away. And while I don't always agree with their positions, I've *rarely* found mistakes in their research: they're thorough. (So's Ron, by the way.)
This isn't complicated. This isn't expensive. This doesn't require new technology or anything fancy. It's basic due diligence. Yet it clearly hasn't happened. Why the hell not?
Hi Rich,
Since this is NANOG, not a forum which represents Internet activities on the Continent, perhaps a better set of questions would be:
1. Has SPAMHAUS attempted to feed relevant portions of their knowledge into ARIN's reporting system for fraudulent registrations and,
2. Understanding that ARIN can only deal with fraudulent registrations, not any other kind of bad-actor behavior, are there improvements to ARIN's process which would help SPAMHAUS and similar organizations feed ARIN actionable knowledge?
Regards,
Bill Herrin
-- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
There have been previous incidents in the ARIN region... Nothing on the grand scale of what Ron is describing, and, just saying, ARIN does liaise with the anti-spam world rather better than this.
On Wednesday, January 16, 2013, William Herrin wrote:
Hi Rich,
Since this is NANOG, not a forum which represents Internet activities on the Continent, perhaps a better set of questions would be:
1. Has SPAMHAUS attempted to feed relevant portions of their knowledge into ARIN's reporting system for fraudulent registrations and,
2. Understanding that ARIN can only deal with fraudulent registrations, not any other kind of bad-actor behavior, are there improvements to ARIN's process which would help SPAMHAUS and similar organizations feed ARIN actionable knowledge?
-- --srs (iPad)
On Wed, Jan 16, 2013 at 11:39:14AM -0500, William Herrin wrote:
1. Has SPAMHAUS attempted to feed relevant portions of their knowledge into ARIN's reporting system for fraudulent registrations and,
I don't know the answer to that.
2. Understanding that ARIN can only deal with fraudulent registrations, not any other kind of bad-actor behavior, are there improvements to ARIN's process which would help SPAMHAUS and similar organizations feed ARIN actionable knowledge?
Yes. All ARIN (public) data should be immediately downloadable in bulk by anyone who wishes to access it. No registration, no limits, no nothing.
As I pointed out here a couple of weeks ago (see below), query rate-limiting measures such as RIPE currently employs are not only pointless but counterproductive: the bad guys already have (or can have) the data any time they wish, but the good guys can't. I suggest a daily rsync'able snapshot of the whole enchilada in whatever form(s) is/are appropriate: text, XML, tarball, etc. Of course I was responding to something from RIPE, but this applies everywhere.
It's 2013. The bad guys have had the means to easily bypass stuff like this for about a decade, if not longer. It's not only silly to keep pretending they don't, but it's limiting: some of the best techniques we have for spotting not only fraudulent registrations, but other patterns of abuse, work best when given as much data as possible. (It's really quite impressive what you can find with "grep", if you have enough data in the right form.)
(Incidentally, the same thing is true of all domain registration data. The namespace, like network space, is a public resource, therefore anyone using any of it must be publicly accountable.)
Here's what I said at the time, generalize/modify appropriately:
Subject: Re: RIPE Database Proxy Service Issues
On Wed, Jan 02, 2013 at 05:00:14PM +0100, Axel Pawlik wrote:
To prevent the automatic harvesting of personal information (real names, email addresses, phone numbers) from the RIPE Database, there are PERSON and ROLE object query limits defined in the RIPE Database Acceptable Use Policy. This is set at 1,000 PERSON or ROLE objects per IP address per day. Queries that result in more than 1,000 objects with personal data being returned result in that IP address being blocked from carrying out queries for that day.
1. The technical measures you've outlined will not prevent, and have not prevented, anyone from automatically harvesting the entire thing. Anyone who owns or rents, for example, a 2M-member botnet, could easily retrieve the entire database using 1 query per IP address, spread out over a day/week/month/whatever. (Obviously more sophisticated approaches immediately suggest themselves.)
Of course a simpler approach might be to buy a copy from someone who already has.
I'm not picking on you, particularly: all WHOIS operators need to stop pretending that they can protect their public databases via rate-limiting. They can't. The only thing that they're doing is preventing NON-abusers from acquiring and using bulk data.
2. This presumes that the database is actually a target for abusers. I'm sure for some it is. But as a source, for example, of email addresses, it's a poor one: the number of addresses per thousand records is relatively small and those addresses tend to belong to people with clue, making them rather suboptimal choices for spamming/phishing/etc.
Far richer targets are available on a daily basis simply by following the dataloss mailing list et al. and observing what's been posted on pastebin or equivalent. These not only include many more email addresses, but often names, passwords (encrypted or not), and other personal details. And once again, the simpler approach of purchasing data is available.
3. Of course answering all those queries no doubt imposes significant load. Happily, one of the problems that we seem to have pretty much figured out how to solve is "serving up many copies of static content" because we have tools like web servers and rsync.
So let me suggest that one way to make this much easier on yourselves is to export a (timestamped) static snapshot of the entire database once a day, and let the rest of the Internet mirror the hell out of it. Spreads out the load, drops the pretense that rate-limiting accomplishes anything useful, makes all the data available to everyone equally, and as long as everyone is aware that it's a snapshot and not a real-time answer, would probably suffice for most uses. (It would also come in handy during network events which render your service unreachable/unusable in whole or part, e.g., from certain parts of the world. Slightly-stale data is way better than no data.)
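An added illustration of the kind of analysis the post above says bulk data makes possible (this is editorial example code, not part of the thread and not anyone's production tooling): given a whole-database snapshot in RPSL text form, it groups aut-num objects whose contacts share a phone number or e-mail address and reports what upstream each group imports from. The objects in the snapshot are constructed for the example; AS64496-AS64501 are documentation ASNs from RFC 5398 and every handle, phone number and e-mail address is a placeholder.

```python
"""Linked-registration finder over a bulk RPSL snapshot (added example)."""
import re
from collections import defaultdict

# Constructed sample snapshot (placeholder data, RFC 5398 documentation ASNs).
# Three of the four ASNs are tied together by a shared phone number or
# e-mail address even though each names a different contact handle.
SNAPSHOT = """\
aut-num:  AS64496
admin-c:  EX1-TEST
import:   from AS64500 accept ANY

aut-num:  AS64497
admin-c:  EX2-TEST
import:   from AS64500 accept ANY

aut-num:  AS64498
admin-c:  EX3-TEST
import:   from AS64500 accept ANY

aut-num:  AS64499
admin-c:  EX4-TEST
import:   from AS64501 accept ANY

person:   Placeholder One
nic-hdl:  EX1-TEST
phone:    +40 000 000 001
e-mail:   one@example.invalid

person:   Placeholder Two
nic-hdl:  EX2-TEST
phone:    +40 000 000 001
e-mail:   two@example.invalid

person:   Placeholder Three
nic-hdl:  EX3-TEST
phone:    +40 000 000 003
e-mail:   one@example.invalid

person:   Placeholder Four
nic-hdl:  EX4-TEST
phone:    +40 000 000 004
e-mail:   four@example.invalid
"""


def parse_rpsl(text):
    """Split an RPSL dump into objects (dict: attribute -> [values]).
    Blank lines separate objects; a line starting with space, tab or '+'
    continues the previous attribute's value."""
    objects, current, last = [], None, None
    for line in text.splitlines():
        if not line.strip():
            if current is not None:
                objects.append(current)
            current, last = None, None
        elif line[0] in " \t+" and last is not None:
            current[last][-1] += " " + line[1:].strip()
        else:
            key, _, value = line.partition(":")
            current = current if current is not None else defaultdict(list)
            last = key.strip()
            current[last].append(value.strip())
    if current is not None:
        objects.append(current)
    return objects


def fingerprints(autnum, persons):
    """Identity-bearing values reachable from an aut-num's contact handles."""
    fps = set()
    for handle in autnum.get("admin-c", []) + autnum.get("tech-c", []):
        fps.add(("handle", handle))
        for phone in persons.get(handle, {}).get("phone", []):
            fps.add(("phone", re.sub(r"\D", "", phone)))   # compare digits only
        for mail in persons.get(handle, {}).get("e-mail", []):
            fps.add(("e-mail", mail.lower()))
    return fps


def upstreams(autnum):
    """ASNs named in 'import: from ASn ...' lines."""
    return {m.group(1) for imp in autnum.get("import", [])
            for m in [re.match(r"from\s+(AS\d+)", imp)] if m}


def cluster_linked_asns(text):
    """Union-find over aut-nums that share any fingerprint.  Returns
    [(sorted member ASNs, sorted upstreams common to all members)],
    largest cluster first."""
    objs = parse_rpsl(text)
    persons = {o["nic-hdl"][0]: o for o in objs if "nic-hdl" in o}
    autnums = {o["aut-num"][0]: o for o in objs if "aut-num" in o}
    parent = {asn: asn for asn in autnums}

    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x

    seen = {}                                   # fingerprint -> first ASN seen
    for asn, obj in autnums.items():
        for fp in fingerprints(obj, persons):
            if fp in seen:
                parent[find(asn)] = find(seen[fp])
            else:
                seen[fp] = asn
    groups = defaultdict(list)
    for asn in autnums:
        groups[find(asn)].append(asn)
    clusters = [(sorted(m), sorted(set.intersection(*(upstreams(autnums[a]) for a in m))))
                for m in groups.values()]
    return sorted(clusters, key=lambda c: (-len(c[0]), c[0]))
```

On the constructed snapshot this yields one three-member cluster (AS64496, AS64497, AS64498, all importing from AS64500) and AS64499 on its own. The point of the design is that none of the three linked objects shares a handle; the link is only visible once phone and e-mail values from the referenced person objects are in hand, which is exactly what a per-query rate limit on PERSON objects withholds from the people doing this kind of check.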
I'll bet Hitler would have used his real name on the whois entries.
There. Now I think we're done.
Matt
On Jan 16, 2013 7:09 AM, "Todd Underwood" <toddunder@gmail.com> wrote:
I do not understand why you're so adamant about sending this information to an organization primarily distinguished by its incompetence and negligence. If they were actually DOING THEIR JOBS in even minimally diligent fashion, then Ron wouldn't have needed to write that note or do the research behind it, because this wouldn't be happening.
this kind of mostly unfounded vitriol is silly and damages your credibility.
no one seriously believes that the RIPE NCC (which is managed by all of its members) is primarily distinguished by their incompetence and negligence.
i believe this conversation has now gotten to the <plonk> stage. can someone compare them to hitler so that we can move on?
cheers,
t
Please, please someone go to http://meemsy.com/videos/add/24 and create 'Hitler reacts to the fraudulent Romanian ASNs'
After that we can move on. :=)
~C.
On 1/16/13 2:01 PM, Matthew Petach wrote:
I'll bet Hitler would have used his real name on the whois entries.
There. Now I think we're done.
Matt
On Jan 16, 2013 7:09 AM, "Todd Underwood" <toddunder@gmail.com> wrote:
I do not understand why you're so adamant about sending this information to an organization primarily distinguished by its incompetence and negligence. If they were actually DOING THEIR JOBS in even minimally diligent fashion, then Ron wouldn't have needed to write that note or do the research behind it, because this wouldn't be happening.
this kind of mostly unfounded vitriol is silly and damages your credibility.
no one seriously believes that the RIPE NCC (which is managed by all of its members) is primarily distinguished by their incompetence and negligence.
i believe this conversation has now gotten to the <plonk> stage. can someone compare them to hitler so that we can move on?
cheers,
t
ni lar has requested to add someone, and so has kanchana, so i think our group reservation is full will try to check this morning to confirm
On Wed, 16 Jan 2013, Matthew Petach wrote:
I'll bet Hitler would have used his real name on the whois entries.
There. Now I think we're done.
Matt
On Jan 16, 2013 7:09 AM, "Todd Underwood" <toddunder@gmail.com> wrote:
I do not understand why you're so adamant about sending this information to an organization primarily distinguished by its incompetence and negligence. If they were actually DOING THEIR JOBS in even minimally diligent fashion, then Ron wouldn't have needed to write that note or do the research behind it, because this wouldn't be happening.
this kind of mostly unfounded vitriol is silly and damages your credibility.
no one seriously believes that the RIPE NCC (which is managed by all of its members) is primarily distinguished by their incompetence and negligence.
i believe this conversation has now gotten to the <plonk> stage. can someone compare them to hitler so that we can move on?
cheers,
t
In message <CALgc3C7n0Hy80qLBcQ8tZrvGuaVsVrcEneYaYKomUUy58p3rEw@mail.gmail.com>, Eugeniu Patrascu <eugen@imacandi.net> wrote:
Jump.ro is a very active LIR and domain registry on the Romanian market and is "selling" ASNs to whomever is interested...
I do see that JUMP.RO is ``very active''. I do not know who they have actually given all of this IP space to. Do you? If so, then by all means, please don't keep us in suspense. Please do share that information. (I have also seen that JUMP.RO has puffed up its own resume, claiming on its home page to have over 12,000 customers, but from where I am sitting, it looks more like a tiny little ISP with only two /24s of its own, and perhaps only a few handfuls of customers, many of whom, it seems, are spammers.)
and facilitates allocations of PI netblocks to those who can justify them.
JUMP.RO also ``facilitates'' IP block allocations to _themselves_, apparently.
It might come as a surprise to you, but in Romania there are a lot of companies (even very small ones) with their own ASN and PI netblocks.
Regardless of whether that assertion is true or false, it has no bearing whatsoever on the specific issue and the specific ASNs and the specific IP address blocks that I have reported on here. I will repeat myself, so as to be completely clear. The 18 specific ASNs I reported on, together with their associated IPv4 address blocks, were all registered, via RIPE, with fraudulent information.
AS16011 (fiberwelders.ro) AS28822 (creativitaterpm.ro) AS48118 (telecomhosting.ro) AS49210 (rom-access.ro) AS50659 (grandnethost.com) AS57131 (speedconnecting.ro) AS57133 (nordhost.ro) AS57135 (fastcable.ro) AS57176 (bucovinanetwork.ro) AS57184 (kaboomhost.ro) AS57415 (highwayinternet.ro) AS57695 (effidata.ro) AS57724 (id-trafic.ro) AS57738 (mclick.ro) AS57786 (hosting-www.ro) AS57837 (romtechinnovation.ro) AS57906 (momy.ro) AS57917 (nature-design.ro)
from all those websites it looks like they are all hosting companies.
Yes. Indeed. The web sites associated with all of the above domain names have indeed been made to _look_ like they are all legitimate hosting companies. I'm so glad that you noticed.
have you tried calling the numbers listed on the WHOIS registrant information on the ASN and you couldn't get to any one ?
That is a good idea. Why don't you try it and report back here and let us know your results. Personally, I have much better things to do with my time (and my money) than to waste any of it making pointless long-distance overseas phone calls to pseudo-companies that I am already 100% convinced are simply fraudulent and fictitious. But since you yourself seem to be geographically in that area... AND since you probably speak Romanian about 100,000% better than I do, by all means, I encourage you to try to reach some human, i.e. ANY human at any of these (fictitious) places who might be able to disprove the assertions that I have made here, and repeated elsewhere. Good luck.
If you really believe that all those ASNs listed by you above are only used to host spammers...
Sir, I am not in the habit of risking either my reputation or my legal safety by posting allegations on the NANOG list which I have anything less than the highest confidence in. To do so would be foolish in the extreme, and in multiple dimensions.
...then by all means please contact alerts@cert-ro.eu - that is the Romanian CERT
Thank you but no. This is another task that you have tried to assign to me... also of entirely questionable usefulness... that I also personally elect not to waste any of my precious minutes on this earth pursuing. But please, feel free to do yourself the (pointless) tasks that you have attempted to assign to me. Please feel free to contact the Romanian CERT yourself. (If you manage to find anyone within that organization that has ever done _anything_ to materially improve the safety or security of the Internet, then please do send me that person's name so that I can send it on to the Guinness World Records people and let them know that such a person does exist after all.)
...as they are active...
Oh yes! I am quite sure they are. As are the particles shown in the simulation on this page: http://en.wikipedia.org/wiki/Brownian_motion Very active indeed!
and will investigate the allegations you make.
What exactly would be the point of that? They are not Internet Police, and I rather doubt that they have any control over RIPE's allocation processes for number resources. (On the other hand, if I am wrong, and if the people at the Romanian CERT actually *are* the Internet Police, then please do let me know immediately. In that case, I have some vastly more serious matters to discuss with them, specifically the massive fake pharmacy operations that are run out of your country *and* the propensity of the specific crooks behind those operations for stealing and using the credit card numbers of at least hundreds and more probably thousands of unsuspecting Americans. But I digress.)
So far I do not know a single web hosting company whose customers have never spammed anyone :)
I confess that I cannot deduce whether your obtuse inability to differentiate between the occasional spammer and an entire /14 full of them is genuine or an act. If genuine, you have my sympathy.
Regards,
rfg
On Mon, Jan 14, 2013 at 5:49 PM, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
After a careful investigation, I am of the opinion that each of the following 18 ASNs was registered (via RIPE) with fradulent information purporting to represent the identity of the true registrant, and that in fact, all 18 of these ASNs were registered by a single party, apparently as part of a larger scheme to provide IP space to various snowshoe spammers.
Ronald,
What is your goal here? Is there some action that any particular NANOG participant should take based on your opinion?
Regards,
Bill Herrin
-- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
In message <CAP-guGVs-kCYoSkNNs+v8R1gDKBpmkuuFM1eNgqvhqh0pR0gCA@mail.gmail.com> William Herrin <bill@herrin.us> wrote:
What is your goal here?
Primarily to inform. Forewarned is forearmed. Wouldn't you agree?
Is there some action that any particular NANOG participant should take based on your opinion?
Dropping all route announcements from the 18 fraudulent ASNs I listed, together with all those from AS2876, and avoiding propagating any of said routes to any other parties would, I think, be an altogether prudent step for all concerned. Unless of course you are hosting one or more spam research organizations that are eager to collect as much spam as possible.
Regards,
rfg
P.S. It is most probably unnecessary to worry about blocking route announcements relating to any of the separate set of five bogus ASNs documented here: http://www.spamhaus.org/rokso/evidence/ROK9107/world-company-register-eu-bus... It is unnecessary to block any such route announcements because, owing to the good work Spamhaus did already in publicising these other five "rogue" ASNs... which also got all of their IP space from JUMP.RO... none of them is even announcing routes anymore. (Well, at least that's what it looks like from where I am sitting.)
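As an added illustration of the step recommended in the reply above (editorial example code, not from the thread or from any participant): an audit that walks a BGP table export, flags every route originated by one of the 18 ASNs listed earlier or carrying AS2876 anywhere in its path, totals the affected space in /24 equivalents, and emits an IOS-style as-path filter covering the same set. The route lines are constructed for the example: the prefixes are documentation and shared-address-space blocks, and AS64500, AS64510 and AS64511 are placeholder transit ASNs from the RFC 5398 documentation range.

```python
"""Origin/transit audit of a BGP table against a list of flagged ASNs (added example)."""
import ipaddress
import re

# The 18 ASNs named in the thread, plus AS2876 from the reply above.
FLAGGED_ASNS = {
    16011, 28822, 48118, 49210, 50659, 57131, 57133, 57135, 57176, 57184,
    57415, 57695, 57724, 57738, 57786, 57837, 57906, 57917,
    2876,
}

# Constructed sample table: "prefix  AS path".  AS64500/64510/64511 are
# placeholder transit ASNs; prefixes are documentation / shared-address space.
ROUTES = """\
# prefix            AS path
203.0.113.0/24      64500 64510 57131
100.64.0.0/22       64500 64510 57184
100.64.4.0/23       64500 2876 57906
198.51.100.0/24     64500 64510 64511
192.0.2.0/25        64500 64510 {57131,57133}
100.64.8.0/21       64500 2876 64511
"""


def parse_path(path):
    """AS path as a list of sets; an AS_SET such as {1,2} becomes one set."""
    hops = []
    for tok in path.split():
        if tok.startswith("{"):
            hops.append({int(a) for a in re.findall(r"\d+", tok)})
        else:
            hops.append({int(tok)})
    return hops


def parse_routes(text):
    """Yield (ip_network, parsed path) for each non-comment line."""
    routes = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, _, path = line.partition(" ")
        routes.append((ipaddress.ip_network(prefix), parse_path(path)))
    return routes


def slash24_equiv(net):
    """How many /24s an IPv4 prefix covers (fractional for longer prefixes)."""
    if net.version != 4:
        raise ValueError("only IPv4 prefixes are counted in /24 units")
    return 2.0 ** (24 - net.prefixlen)


def classify(path, flagged=FLAGGED_ASNS):
    """'origin' if the originating AS (or any AS in an origin AS_SET) is
    flagged, 'transit' if a flagged AS appears elsewhere in the path,
    else None."""
    if not path:
        return None
    if path[-1] & flagged:
        return "origin"
    if any(hop & flagged for hop in path[:-1]):
        return "transit"
    return None


def audit(text, flagged=FLAGGED_ASNS):
    """Bucket each route by verdict and total the flagged space in /24s."""
    report = {"origin": [], "transit": [], "clean": [], "flagged_slash24s": 0.0}
    for net, path in parse_routes(text):
        verdict = classify(path, flagged)
        if verdict is None:
            report["clean"].append(str(net))
        else:
            report[verdict].append(str(net))
            report["flagged_slash24s"] += slash24_equiv(net)
    return report


def ios_as_path_filter(flagged=FLAGGED_ASNS, acl=100):
    """IOS-style as-path access-list rejecting any path containing a flagged AS.
    '_' matches the start, end or a separator, so each ASN matches whole."""
    alternatives = "|".join(str(a) for a in sorted(flagged))
    return [
        f"ip as-path access-list {acl} deny _({alternatives})_",
        f"ip as-path access-list {acl} permit .*",
    ]


if __name__ == "__main__":
    r = audit(ROUTES)
    print("origin-flagged:", r["origin"])
    print("transit-flagged:", r["transit"])
    print("clean:", r["clean"])
    print("flagged /24 equivalents:", r["flagged_slash24s"])
    print("\n".join(ios_as_path_filter()))
```

Two details matter in practice: an origin expressed as an AS_SET (the `{57131,57133}` line) still has to be caught, which is why the path is parsed into sets and checked with intersection rather than string matching, and a route that merely transits AS2876 is bucketed separately from one originated by a listed ASN so an operator can decide how far to take the filter.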
participants (11): Alex Brooks, Carlos M. Martinez, Eugeniu Patrascu, Matthew Petach, Rich Kulawiec, Ronald F. Guilmette, Sander Steffann, Steven G. Huter, Suresh Ramasubramanian, Todd Underwood, William Herrin