Anyone hear of the SundownGroup? On Thursday we received an interesting RFQ from them and suspect their intentions for requesting an IP assignment isn't exactly what they state. We have already turned them down, but thought others might be interested in their activities as well. RIPE NCC has also been notified of this. In brief they wanted to buy colo form us: "P4 single core @ 2 Ghz, 1 GB RAM, 60 GB HD, Linux CentOS 5x.x, 10 Mbps bandwidth. A single /21 or /20 net block of IP Adresses" Their reason for requesting such a large address block was "As we are currently launching our WholesaleVOIP operation we are in desperate need of this IP space as part of our ARIN process we will need these ranges SWIPd to us and we will in turn renumber with ARIN and return the netblocks to you as soon as ours are allocated and routed." Interesting tidbits about the company we and the networking community have already found out: Compare http://sundowngroup.com/ and http://www.edgecast.com/ (Edgecast has been notified). The contact address is the same as National University Nevada (nu.edu): Sundown Capital Management LLC 2850 Horizon Ridge Parkway Henderson, Nevada 89052 United States of America They also have virtually no Internet presence (http://www.google.com/search?q=%22Sundown+Capital+Management%22) The first result shows them as a franchicing company with contact address in California: http://www.scribd.com/doc/14385124/QFA-Unit-Final-PDF-File-of-32709-FDD-With... I'd say this case is pretty obvious... With Kind Regards, -- Tero Toikkanen Nebula Oy Internet Services
We see this all the time, usually it involves either a /20 or multiple-/xx that change every month. Jeff On Tue, Sep 7, 2010 at 12:54 PM, Tero Toikkanen <Tero.Toikkanen@nebula.fi>wrote:
Anyone hear of the SundownGroup?
On Thursday we received an interesting RFQ from them and suspect their intentions for requesting an IP assignment isn't exactly what they state. We have already turned them down, but thought others might be interested in their activities as well. RIPE NCC has also been notified of this.
In brief they wanted to buy colo form us: "P4 single core @ 2 Ghz, 1 GB RAM, 60 GB HD, Linux CentOS 5x.x, 10 Mbps bandwidth. A single /21 or /20 net block of IP Adresses"
Their reason for requesting such a large address block was "As we are currently launching our WholesaleVOIP operation we are in desperate need of this IP space as part of our ARIN process we will need these ranges SWIPd to us and we will in turn renumber with ARIN and return the netblocks to you as soon as ours are allocated and routed."
Interesting tidbits about the company we and the networking community have already found out:
Compare http://sundowngroup.com/ and http://www.edgecast.com/ (Edgecast has been notified).
The contact address is the same as National University Nevada (nu.edu):
Sundown Capital Management LLC 2850 Horizon Ridge Parkway Henderson, Nevada 89052 United States of America
They also have virtually no Internet presence ( http://www.google.com/search?q=%22Sundown+Capital+Management%22) The first result shows them as a franchicing company with contact address in California: http://www.scribd.com/doc/14385124/QFA-Unit-Final-PDF-File-of-32709-FDD-With...
I'd say this case is pretty obvious...
With Kind Regards, -- Tero Toikkanen Nebula Oy Internet Services
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
On Tue, 7 Sep 2010, Jeffrey Lyon wrote:
We see this all the time, usually it involves either a /20 or multiple-/xx that change every month.
If they want frequently changing IPs, it's almost certainly for spamming. I got the impression with these people they were just trying to get a bunch of SWIPs in order to go to ARIN and request as big a block of ipv4 as they could get with the intent to chop it up and resell it in pieces as soon as ARIN runs out of IPs to satisfy normal requests. ---------------------------------------------------------------------- Jon Lewis, MCP :) | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
On Tue, Sep 7, 2010 at 10:03 AM, Jon Lewis <jlewis@lewis.org> wrote:
On Tue, 7 Sep 2010, Jeffrey Lyon wrote:
We see this all the time, usually it involves either a /20 or multiple-/xx that change every month.
If they want frequently changing IPs, it's almost certainly for spamming.
I got the impression with these people they were just trying to get a bunch of SWIPs in order to go to ARIN and request as big a block of ipv4 as they could get with the intent to chop it up and resell it in pieces as soon as ARIN runs out of IPs to satisfy normal requests.
it used to be (~4-5 years ago) that the spammer code of 'voip service provider' was really 'we intend on raping proxies all over the planet' ... when you call them out on the random port traffic out of their pipe they point at their 'business' model that this is 'voip traffic, you know that rtp uses random ports, right?' I used to have some quick/dirty instructions for how to verify that the traffic was in fact proxy traffic, something like: 1) log traffic from the soon-to-be-ex-customer (acl logs are fine) 2) pick an external 'top talker' 3) route that /32 to a host you control 4) run NC on the port that /32 is being contacted on 5) rejoice (and shut now ex-customer interface) when you see: "CONNECT smtp.xxxxx:25" from the connection... -Chris
On Tue, 7 Sep 2010, Christopher Morrow wrote:
it used to be (~4-5 years ago) that the spammer code of 'voip service provider' was really 'we intend on raping proxies all over the planet' ... when you call them out on the random port traffic out of their pipe they point at their 'business' model that this is 'voip traffic, you know that rtp uses random ports, right?'
I haven't seen that excuse/justification from customers. What I did see recently that I have to admit was very slick was a customer who claimed they were going to be doing a bunch of remote "terminals" in stores VPN'd into their dedi servers and would be streaming video from the servers to the clients. This was of course 99% BS. There was VPN involved....they used the dedi servers as VPN endpoints for their spam servers that were hosted elsewhere. When we shut them down, there was absolutely nothing incriminating of spam operations on their servers...and all they had to do was sign up for service at another hosting company, setup the VPN server, change the IPs their spam servers VPN to, and they're back in business. When sales brought me their initial request, I really didn't believe it, but I didn't have good enough cause to reject it.
I used to have some quick/dirty instructions for how to verify that the traffic was in fact proxy traffic, something like: 1) log traffic from the soon-to-be-ex-customer (acl logs are fine) 2) pick an external 'top talker' 3) route that /32 to a host you control 4) run NC on the port that /32 is being contacted on 5) rejoice (and shut now ex-customer interface) when you see: "CONNECT smtp.xxxxx:25"
Seems like a lot of work when you could just setup a monitor session on their port and capture a few minutes of actual spam traffic as evidence just before shutting their port. ---------------------------------------------------------------------- Jon Lewis, MCP :) | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Yeah. This is just the way snowshoe spammers operate - GRE or VPN tunnels back to a master server, and a /24 full of output points with throwaway hostnames / reverse dns On Tue, Sep 7, 2010 at 8:05 PM, Jon Lewis <jlewis@lewis.org> wrote:
I haven't seen that excuse/justification from customers. What I did see recently that I have to admit was very slick was a customer who claimed they were going to be doing a bunch of remote "terminals" in stores VPN'd into their dedi servers and would be streaming video from the servers to the clients. This was of course 99% BS. There was VPN involved....they used the dedi servers as VPN endpoints for their spam servers that were hosted elsewhere. When we shut them down, there was absolutely nothing incriminating of spam operations on their servers...and all they had to do was sign up for service at another hosting company, setup the VPN server, change the IPs their spam servers VPN to, and they're back in business. When sales brought me their initial request, I really didn't believe it, but I didn't have good enough cause to reject it.
-- Suresh Ramasubramanian (ops.lists@gmail.com)
On Tue, Sep 7, 2010 at 10:35 AM, Jon Lewis <jlewis@lewis.org> wrote:
On Tue, 7 Sep 2010, Christopher Morrow wrote:
I used to have some quick/dirty instructions for how to verify that the traffic was in fact proxy traffic, something like: 1) log traffic from the soon-to-be-ex-customer (acl logs are fine) 2) pick an external 'top talker' 3) route that /32 to a host you control 4) run NC on the port that /32 is being contacted on 5) rejoice (and shut now ex-customer interface) when you see: "CONNECT smtp.xxxxx:25"
Seems like a lot of work when you could just setup a monitor session on their port and capture a few minutes of actual spam traffic as evidence just before shutting their port.
sorry, can't do monitor on a ptp oc-12 link :(
Kind of funny how they intend to do enough 'WholesaleVoIP" on a 10Mbps connection/1GB RAM for a /20 :) That is a giveaway in itself. -----Original Message----- From: Tero Toikkanen <Tero.Toikkanen@nebula.fi> Date: Tue, 7 Sep 2010 08:24:05 To: NANOG list<nanog@nanog.org> Subject: IPv4 squatters on the move again? Anyone hear of the SundownGroup? On Thursday we received an interesting RFQ from them and suspect their intentions for requesting an IP assignment isn't exactly what they state. We have already turned them down, but thought others might be interested in their activities as well. RIPE NCC has also been notified of this. In brief they wanted to buy colo form us: "P4 single core @ 2 Ghz, 1 GB RAM, 60 GB HD, Linux CentOS 5x.x, 10 Mbps bandwidth. A single /21 or /20 net block of IP Adresses" Their reason for requesting such a large address block was "As we are currently launching our WholesaleVOIP operation we are in desperate need of this IP space as part of our ARIN process we will need these ranges SWIPd to us and we will in turn renumber with ARIN and return the netblocks to you as soon as ours are allocated and routed." Interesting tidbits about the company we and the networking community have already found out: Compare http://sundowngroup.com/ and http://www.edgecast.com/ (Edgecast has been notified). The contact address is the same as National University Nevada (nu.edu): Sundown Capital Management LLC 2850 Horizon Ridge Parkway Henderson, Nevada 89052 United States of America They also have virtually no Internet presence (http://www.google.com/search?q=%22Sundown+Capital+Management%22) The first result shows them as a franchicing company with contact address in California: http://www.scribd.com/doc/14385124/QFA-Unit-Final-PDF-File-of-32709-FDD-With... I'd say this case is pretty obvious... With Kind Regards, -- Tero Toikkanen Nebula Oy Internet Services
Yeah, it's pretty obvious from the start. I'd like to see the VoIP-system with those requirements... I just think these cases should be made public to at least slow these guys down, just in case someone else is less cluefull :) If these really happen all the time in the big world, this list may not be the right place, but just something Google can find. This is not first case we have come across requests like this, but still not so common in the Finnish hosting scene. With Kind Regards, -- Tero Toikkanen Nebula Oy Internet Services
Kind of funny how they intend to do enough 'WholesaleVoIP" on a 10Mbps connection/1GB RAM for a /20 :)
That is a giveaway in itself. -----Original Message----- From: Tero Toikkanen <Tero.Toikkanen@nebula.fi> Date: Tue, 7 Sep 2010 08:24:05 To: NANOG list<nanog@nanog.org> Subject: IPv4 squatters on the move again?
Anyone hear of the SundownGroup?
On Thursday we received an interesting RFQ from them and suspect their intentions for requesting an IP assignment isn't exactly what they state. We have already turned them down, but thought others might be interested in their activities as well. RIPE NCC has also been notified of this.
In brief they wanted to buy colo form us: "P4 single core @ 2 Ghz, 1 GB RAM, 60 GB HD, Linux CentOS 5x.x, 10 Mbps bandwidth. A single /21 or /20 net block of IP Adresses"
Their reason for requesting such a large address block was "As we are currently launching our WholesaleVOIP operation we are in desperate need of this IP space as part of our ARIN process we will need these ranges SWIPd to us and we will in turn renumber with ARIN and return the netblocks to you as soon as ours are allocated and routed."
Interesting tidbits about the company we and the networking community have already found out:
Compare http://sundowngroup.com/ and http://www.edgecast.com/ (Edgecast has been notified).
The contact address is the same as National University Nevada (nu.edu):
Sundown Capital Management LLC 2850 Horizon Ridge Parkway Henderson, Nevada 89052 United States of America
They also have virtually no Internet presence (http://www.google.com/search?q=%22Sundown+Capital+Management%22) The first result shows them as a franchicing company with contact address in California: http://www.scribd.com/doc/14385124/QFA-Unit-Final-PDF-File-of- 32709-FDD-With-Exhibits
I'd say this case is pretty obvious...
With Kind Regards, -- Tero Toikkanen Nebula Oy Internet Services
On Tue, 7 Sep 2010, Tero Toikkanen wrote:
Anyone hear of the SundownGroup?
On Thursday we received an interesting RFQ from them and suspect their intentions for requesting an IP assignment isn't exactly what they state. We have already turned them down, but thought others might be interested in their activities as well. RIPE NCC has also been notified of this.
In brief they wanted to buy colo form us: "P4 single core @ 2 Ghz, 1 GB RAM, 60 GB HD, Linux CentOS 5x.x, 10 Mbps bandwidth. A single /21 or /20 net block of IP Adresses"
Their reason for requesting such a large address block was "As we are currently launching our WholesaleVOIP operation we are in desperate need of this IP space as part of our ARIN process we will need these ranges SWIPd to us and we will in turn renumber with ARIN and return the netblocks to you as soon as ours are allocated and routed."
Interesting tidbits about the company we and the networking community have already found out:
Compare http://sundowngroup.com/ and http://www.edgecast.com/ (Edgecast has been notified).
They hit up one of our sales guys last week. I gave it an immediate two thumbs down. I think the sales guy knew the request was bogus and was really just showing it to me out of humor. ---------------------------------------------------------------------- Jon Lewis, MCP :) | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
On 9/7/2010 1:24 AM, Tero Toikkanen wrote:
Anyone hear of the SundownGroup?
yes it is the fictional name - it pertains to a covert operations group from a Tommy Lee Scott & Gene Hackman movie called "The Package". As I recall "Operation Sundown" was the op name and it was a bunch of assassins but there were a number of instances used. In this instance the SundownGroup (or Sundowner Group) was a specialized Army strikeforce who was about to assassinate the Russian Prime Minister or somesuch. TGlassey
On Thursday we received an interesting RFQ from them and suspect their intentions for requesting an IP assignment isn't exactly what they state. We have already turned them down, but thought others might be interested in their activities as well. RIPE NCC has also been notified of this.
In brief they wanted to buy colo form us: "P4 single core @ 2 Ghz, 1 GB RAM, 60 GB HD, Linux CentOS 5x.x, 10 Mbps bandwidth. A single /21 or /20 net block of IP Adresses"
Their reason for requesting such a large address block was "As we are currently launching our WholesaleVOIP operation we are in desperate need of this IP space as part of our ARIN process we will need these ranges SWIPd to us and we will in turn renumber with ARIN and return the netblocks to you as soon as ours are allocated and routed."
Interesting tidbits about the company we and the networking community have already found out:
Compare http://sundowngroup.com/ and http://www.edgecast.com/ (Edgecast has been notified).
The contact address is the same as National University Nevada (nu.edu):
Sundown Capital Management LLC 2850 Horizon Ridge Parkway Henderson, Nevada 89052 United States of America
They also have virtually no Internet presence (http://www.google.com/search?q=%22Sundown+Capital+Management%22) The first result shows them as a franchicing company with contact address in California: http://www.scribd.com/doc/14385124/QFA-Unit-Final-PDF-File-of-32709-FDD-With...
I'd say this case is pretty obvious...
With Kind Regards, -- Tero Toikkanen Nebula Oy Internet Services
No virus found in this incoming message. Checked by AVG - www.avg.com Version: 9.0.851 / Virus Database: 271.1.1/3118 - Release Date: 09/06/10 11:34:00
-- //----------------------------------------------------------------- This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
participants (7)
-
Christopher Morrow -
Jeffrey Lyon -
Jon Lewis -
khatfield@socllc.net -
Suresh Ramasubramanian -
Tero Toikkanen -
todd glassey