Cogent & FDCServers: Knowingly aiding and abetting fraud and theft?
Hi Ronald,

APNIC has contacted the custodians of 139.44.0.0/16 and 168.198.0.0/16 and brought this matter to their attention.

Regards,
Vivek
Member Services Manager, APNIC

From: Ronald F. Guilmette <rfg@tristatelogic.com>
Date: Fri, Sep 6, 2019 at 6:30 PM
Subject: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft?
To: <nanog@nanog.org>

Few of you here probably know about this, but nearly a week ago now an article appeared in South Africa's largest and most popular online tech publication, MyBroadband.co.za. It detailed many, but certainly not all, of the results of my multi-month investigation of a massive and ongoing fraud involving the theft of large numbers of large (generally /16 or larger) abandoned legacy blocks, taken from the AFRINIC region and beyond:

https://mybroadband.co.za/news/internet/318205-the-big-south-african-ip-addr...

For various editorial reasons, the article that was published actually downplayed the magnitude of the thefts quite dramatically. The totality of the IPv4 space that has been stolen or squatted, primarily but not exclusively from South African companies and South African national government agencies and departments, is actually at least 5x bigger than what was reported in the MyBroadband.co.za article.

The overwhelming majority of this stolen and squatted IPv4 space has been helpfully routed by Cogent (AS174) to their customer, FDCServers of Chicago, and then on to the preferred destinations of a certain Mr. Elad Cohen of Israel and his company Netstyle Atarim, Ltd. (I have saved traceroutes up the wazoo that prove the involvement of FDCServers, in particular, in all of this.)

Mr. Cohen has been exceptionally prolific in his IPv4 theft and squatting activities, basically grabbing everything that wasn't nailed down, both within the AFRINIC region and also within the APNIC region. In order to try to legitimize all of these thefts and squats, Mr. Cohen created quite a sizable number of fraudulent route: objects within the Merit/RADB database which, as most here should already know, has essentially zero authentication of any kind before it allows J. Random Luser to add pretty much any route: object he wants to the RADB.

Here's a full listing of all of Mr. Cohen's RADB route: objects as they existed as recently as August 17th:

https://pastebin.com/raw/ZNgNuvtt

And here is the short summary version showing just all of the prefixes/CIDRs that Mr. Cohen was effectively claiming rights and/or title to as of that same date:

https://pastebin.com/raw/4LTaCg5R

Please do note the numerous blocks of size /16 or greater. The bottom line is that this one tiny little Israeli company was effectively claiming rights to a total of no fewer than 1,015,808 IPv4 addresses as of August 17th, 2019. (Not too shabby for one lone guy who teaches programming classes as a side job!) Virtually all of the space is "legacy" IPv4 space, and generally consists of blocks having sizes of /16 or larger.

Some of Mr. Cohen's claims in his RADB entries are as humorous as they are pathetically fraudulent. For example, Mr. Cohen has effectively claimed rights to 139.44.0.0/16, which unambiguously belongs to the Port Authority of the City of Melbourne, Australia. But hell! That's merely city property! Mr. Cohen's limitless appetite for other people's IPv4 space is more vividly on display in his claims to ownership over the 168.198.0.0/16 block, which actually belongs to the Department of Finance of the Australian national government.

And I haven't even mentioned yet another of Mr. Cohen's voluminous IPv4 acquisitions, the 165.25.0.0/16 block, which he did not see fit to create an RADB entry for, but which he's been squatting on for quite some time now, quite clearly with the aid and assistance of both Cogent and FDCServers. That one belongs to the City of Cape Town, South Africa. That city's engineers have been struggling to regain control of their block back from Cogent, from FDCServers, and from Mr. Cohen for some time now. I know because I've personally spoken to them about it. Cogent, in its infinite wisdom, is continuing to fight the city for control over property that clearly and rightfully belongs to the City of Cape Town, even as we speak:

https://drive.google.com/file/d/1ytRj1CtuVhDa0eGu4BT-oEz593y5EwJa/view

When asked for LOAs attesting to his legitimate authority to route at least a few of these blocks, Mr. Cohen has produced blatantly forged documents, many of which appeared in the MyBroadband.co.za story. And when I say "blatant" that's a gross understatement. Any half-way decent forger would consider these documents an embarrassment. The documents all bear identical signatures, and identical and vaguely official-looking stamps, and purport to actually be sales receipts attesting to the alleged purchases, by Mr. Cohen's offshore Seychelles Islands shell company, Afri Holdings, Ltd., of various /16 blocks from a mysterious company called Afrivestment, Ltd., which may actually exist in some faraway galaxy, or in Mr. Cohen's active imagination, but which both Google and OpenCorporates.com seem to agree exists exactly noplace on this planet. Here are the manufactured LOAs supplied by Mr. Cohen:

https://drive.google.com/file/d/1hVjmR6u0ANltuXtZ-Kng8io-EGFyevTR/view
https://drive.google.com/file/d/1x_44_H5hkcFLhEwpkwfFoR5PJUyXHzxJ/view
https://drive.google.com/file/d/1yQyqn4q_f3bt-wDVoN1FzbXf1k58DXtK/view

Recently, Cohen started to move some, but not all, of his stolen and squatted IPv4 blocks off of Cogent/FDCServers and onto a friendly little bullet-proof hosting company in the Netherlands named IP Volume, Inc. (AS202425) and/or to its several sister networks, e.g. AS204655 - Novogara Ltd., all of which, coincidentally, just happen to be owned by the exact same pair of Dutch gentlemen who previously owned the notorious Ecatel, followed by the notorious Quasi Networks. (IP Volume, Inc. appears to have inherited all or nearly all of its legitimately assigned IP space from its predecessor entities, Ecatel and Quasi Networks.)

Despite these relocations, many of Mr. Cohen's stolen and squatted blocks are still helpfully being routed to Mr. Cohen's preferred destinations by his good friends at Cogent and FDCServers, even as we speak. The current set of such routes that Cogent is maintaining, at the moment, apparently on behalf of their customer, Mr. Cohen, consists of the prefixes listed here:

https://pastebin.com/raw/EA3xJVLF

When I noticed two days ago that all of these routes were still up I was deeply confused. Did both Cogent and FDCServers not get the memo?? Do they not know yet that Cohen is stealing stuff, left, right, and sideways? Did nobody even tell them about the MyBroadband.co.za article which was published this past Sunday? I decided that it was incumbent upon me to find out. Thus, more than 48 hours ago now I sent the following polite but firm inquiry to Cogent, and a separate nearly identical one directly to the CEO of FDCServers, Mr. Petr Kral (petr(at)fdcservers.net).

https://pastebin.com/raw/ztipqE96

A full forty-eight hours later, I have received no reply whatsoever from either Cogent or FDCServers, not even a "Go pound sand" type of response. More importantly, most of the stolen IPv4 space that I called out, very specifically, to both Cogent and FDCServers two+ days ago now is still being routed by Cogent/FDCServers to their fun-loving and, I'm sure, promptly paying customer, Mr. Cohen.

If neither Cogent nor FDCServers knows, even now, that Mr. Cohen is a crook, and that he has glommed onto quite a lot of stolen and squatted IPv4 space... which they have been helpfully routing for him, no doubt in exchange for some handsome payments... then I am forced to say that it appears to be a reasonable conclusion that it must be because neither Cogent nor FDCServers really wants to know what sort of a character Cohen is, or what he has been up to, specifically with their ongoing and material assistance.

But you all be the judges. What does it look like to you?

Regards,
rfg
In message <9567B241-12CE-4728-8E73-FF7143907CEF@apnic.net>, Vivek Nigam <vivek@apnic.net> wrote:
APNIC has contacted the custodians of 139.44.0.0/16 and 168.198.0.0/16 and brought this matter to their attention.
Excellent. Thank you. If possible, it would be Good if APNIC could also make contact with the rightful owners of the following additional 3 Japanese blocks, all of which were, of late, routed by Cogent to FDCServers and thence, presumably, to Mr. Cohen.

143.136.0.0/16
143.253.0.0/16
146.51.0.0/16

I tried to make contact myself with the legit owners of all of the above, but found it to be quite difficult. The registered owner of the first one appears to have gone into hiding on a remote island someplace. I only say that because, despite some considerable effort on my part, I was not able to find him. Making contact with the legitimate owners of the other two blocks, both of which belong to Japanese corporations that are still very much alive, was rather difficult also, because I am only a stupid gaijin, and don't speak a word of Japanese.

Regards,
rfg
Ronald F. Guilmette wrote:
If possible, it would be Good if APNIC could also make contact with the rightful owners of the following additional 3 Japanese blocks,
Because whois contact information is, seemingly by acquisition and relocation, obsolete, it should be impossible for APNIC to do so.
143.136.0.0/16 143.253.0.0/16 146.51.0.0/16
I tried to make contact myself with the legit owners of all of the above, but found it to be quite difficult. The registered owner of the first one appears to have gone into hiding on a remote island someplace.
From whois information:

remarks:
reg-date: 1993-03-22
notify: tmiyoko@gaijin.co.jp
mnt-by: MNT-ERX-CROSFIELDELE-NON-JP
last-modified: 2008-09-04T07:31:15Z

I guess CROSFIELDELE is the Japanese branch of:

https://en.wikipedia.org/wiki/Crosfield_Electronics

"The firm was eventually taken over by Fujifilm Japan and named Fujifilm Electronic Imaging, now FFEI Ltd. following a management buy-out in 2008."

though, according to:

https://www.ffei.co.uk/about-ffei-design-and-manufacture-digital-inkjet/

the MBO was in 2006. In that page, we can also confirm that FFEI was Crosfield until 1997.
Making contact with the legitimate owners of the other two blocks, both of which belong to Japanese corporations that are still very much alive, was rather difficult also, because I am only a stupid gaijin, and don't speak a word of Japanese.
Both relocated. I sent queries to the current contact points. Maybe blocks with stale contact information are being attacked.

Masataka Ohta
In message <152f0dbc-f7af-2a78-c5a7-f2062effed23@necom830.hpcl.titech.ac.jp>, Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> wrote:
From whois information:
remarks: reg-date: 1993-03-22
notify: tmiyoko@gaijin.co.jp
                ^^^^^^^^^^^^
I already talked to the guy who has owned the above domain name for more than 25 years. He's an American, living in Southern California, who these days runs a solar panel installation company. He told me that he has no way to find "tmiyoko" anymore and that that guy was just one of thousands of customers the guy in SoCal had, back 20+ years ago, for his Japanese ISP business.

Regards,
rfg
As I wrote:
143.136.0.0/16 143.253.0.0/16 146.51.0.0/16
I tried to make contact myself with the legit owners of all of the above, but found it to be quite difficult. The registered owner of the first one appears to have gone into hiding on a remote island someplace.
Both relocated. I sent queries to the current contact points.
I got a reply from technical people in the company to which 146.51.0.0/16 was originally assigned. They said they have never transferred the block and allowed me to post this here. So, the RADB entry (from https://pastebin.com/raw/ZNgNuvtt):

route:      146.51.0.0/16
origin:     AS174
descr:      Cogent
mnt-by:     MAINT-AS199267
changed:    elad@netstyle.io 20190710 #17:02:13Z
source:     RADB

is confirmed to be registration fraud.

Masataka Ohta
On Fri, Oct 11, 2019 at 08:14:00PM +0900, Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> wrote a message of 34 lines which said:
they said they have never transferred the block
So, RADB entry: ... route: 146.51.0.0/16 origin: AS174 ... is confirmed to be registration fraud.
I nitpick, but "never transferred the block" is not the same thing as "never authorized Cogent to announce it".
Stephane Bortzmeyer wrote:
On Fri, Oct 11, 2019 at 08:14:00PM +0900, Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> wrote a message of 34 lines which said:
they said they have never transferred the block
So, RADB entry: ... route: 146.51.0.0/16 origin: AS174 ... is confirmed to be registration fraud.
I nitpick, but "never transferred the block" is not the same thing as "never authorized Cogent to announce it".
Cogent? I think Cogent is innocent. What do you think:

changed: elad@netstyle.io 20190710 #17:02:13Z

means?

Masataka Ohta
On Oct 11, 2019, at 6:28 AM, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
I nitpick, but "never transferred the block" is not the same thing as "never authorized Cogent to announce it".
This should not be just a "nitpick". AT&T announces our extremely legacy ARIN allocation for us because we do not qualify to have an ASN, but I absolutely did not, will not, and *have actively resisted attempts to* transfer the block to them. I would sooner have my gums tattooed than give up my address space. Having an ASN was not a requirement when we were allocated the resource, and I don't see why we should be punished for being early adopters.
On Fri, Oct 11, 2019 at 7:16 AM Daniel Seagraves <dseagrav@humancapitaldev.com> wrote:
On Oct 11, 2019, at 6:28 AM, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
I nitpick, but "never transferred the block" is not the same thing as "never authorized Cogent to announce it".
This should not be just a "nitpick". AT&T announces our extremely legacy ARIN allocation for us because we do not qualify to have an ASN, but I absolutely did not, will not, and *have actively resisted attempts to* transfer the block to them. I would sooner have my gums tattooed than give up my address space. Having an ASN was not a requirement when we were allocated the resource, and I don't see why we should be punished for being early adopters.
Getting an AS number is as easy as getting two $20/month virtual servers (e.g. from Vultr and one other provider) and then applying for one from ARIN on the grounds that you're multihomed. As a bonus, you can actually announce it from the VPS provider with a couple prepends, link back to your site with a VPN through whatever cheap commodity backup path you can get and actually be multihomed. Regards, Bill Herrin -- William Herrin bill@herrin.us https://bill.herrin.us/
On 10/11/19 07:16, Daniel Seagraves wrote:
This should not be just a "nitpick". AT&T announces our extremely legacy ARIN allocation for us because we do not qualify to have an ASN, but I absolutely did not, will not, and *have actively resisted attempts to* transfer the block to them. I would sooner have my gums tattooed than give up my address space. Having an ASN was not a requirement when we were allocated the resource, and I don't see why we should be punished for being early adopters.
How exactly is it punishment that BGP needs an AS number? If AT&T won't support a private AS number for the last mile then that's AT&T, not ARIN. If you're a legacy holder you should be around long enough to know this stuff and that it's not some conspiracy that BGP uses AS numbers.
On Oct 12, 2019, at 12:22 PM, Seth Mattinen <sethm@rollernet.us> wrote:
How exactly is it punishment that BGP needs an AS number?
It’s not. I was objecting to the implication that if someone announces a prefix that has not been transferred to their ownership it is fraudulent or shady, and as a consequence I should be forced to surrender my addresses since I can’t announce them myself.
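The following is an added example, not code from any participant in this thread. It takes the RADB route object quoted earlier in the thread and applies the check the later exchange argues for: asking the holder which origin ASes it authorized, rather than whether the block was ever transferred. The second route object, its maintainer and the holder authorization table are constructed, and the audit also covers more-specific prefixes announced from inside a holder's block.

```python
import re
from ipaddress import ip_network

# Constructed sample dump (not the thread's pastebin listing). The first object
# is modelled on the RADB entry quoted in the thread; the second is made up.
RADB_DUMP = """\
route:      146.51.0.0/16
origin:     AS174
descr:      Cogent
mnt-by:     MAINT-AS199267
changed:    elad@netstyle.io 20190710 #17:02:13Z
source:     RADB

route:      192.0.2.0/24
origin:     AS64496
mnt-by:     MAINT-EXAMPLE
changed:    noc@example.net 20190801
"""

# Holder statements (constructed). Ask the holder which origin ASes may announce
# the block; "did you transfer it" is a different question, as the thread notes.
HOLDER_AUTHORIZED_ORIGINS = {
    "146.51.0.0/16": set(),        # holder: nobody was ever authorized
    "192.0.2.0/24": {"AS64496"},   # holder: that AS announces on our behalf
}

def parse_route_objects(text):
    """Split an RPSL dump into dicts; objects are separated by blank lines."""
    objects = []
    for block in re.split(r"\n\s*\n", text.strip()):
        obj = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")   # value may itself contain ':'
            obj[key.strip()] = value.strip()
        if "route" in obj and "origin" in obj:
            objects.append(obj)
    return objects

def audit(objects, authorized):
    """Map route -> (status, origin, changed). Status is AUTHORIZED,
    UNAUTHORIZED (a holder statement covers the prefix, or a less-specific
    of it, and excludes this origin) or NO_DATA (no statement covers it)."""
    result = {}
    for obj in objects:
        net, status = ip_network(obj["route"]), "NO_DATA"
        for prefix, origins in authorized.items():
            if net.subnet_of(ip_network(prefix)):
                status = "AUTHORIZED" if obj["origin"] in origins else "UNAUTHORIZED"
        result[obj["route"]] = (status, obj["origin"], obj.get("changed", ""))
    return result
```

Feeding a real IRR dump through `parse_route_objects` and the holder's answers through `audit` yields the list of objects worth escalating to the maintainer's upstream, together with the `changed:` attribute that identifies who registered each one.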