HIJACKED: AS18466, courtesy of Global Crossing (AS3549)

Ronald F. Guilmette rfg at tristatelogic.com
Fri May 20 10:25:54 UTC 2011



Abundant evidence indicates that AS18466, allocated by LACNIC, has been
hijacked.

All of the routes currently announced by this AS, i.e.:

    170.25.0.0/19
    170.25.32.0/19
    170.25.160.0/19
    170.25.192.0/19

are currently routing IP blocks, also allocated by LACNIC, which also
themselves appear to have been hijacked.

As you can see below, AS18466 was first allocated (apparently by ARIN) on
2000-08-31 and its WHOIS record was last updated on 2006-06-16.  Note
however that the domain associated with the contact e-mail address for
this ASN, i.e. "geminicom.net" was apparently re-registered on 2010-11-01,
undoubtedly by the hijacker.  (This is the most commonly used approach
to AS and IP block hijacking, i.e. find an abandoned AS or IP block whose
contact domain has become unregistered and then simply re-register it and
then pretend that you are the original party to whom the resource was
allocated.  In short, fraud and identity theft.)

=========================================================================
aut-num:     AS18466
owner:       Geminicommunications Limited
ownerid:     BZ-GELI-LACNIC
address:     13 1/2 Northern Highway
address:     Belize City,
country:     BZ
owner-c:     HC170-ARIN
created:     20000831
changed:     20060616
source:      ARIN-HISTORIC

nic-hdl:     HC170-ARIN
person:      Hans Cardenas
e-mail:      hcardenas at GEMINICOM.NET
address:     13 1/2 Northern Highway
address:     Belize City,
country:     BZ
phone:       501254011
source:      ARIN-HISTORIC
=========================================================================

As shown here:

  http://www.robtex.com/as/as18466.html#graph

AS18466 is connected to the Internet only via Global Crossing.

In my opinion, and based on the available evidence, there appear to me to be
only two possibilities.  Either (1) Global Crossing is consciously and
intentionally participating in this fraud and identity theft scheme or else
(2) Global Crossing has allowed itself to be hoodwinked by crooks who
convinced one or more decision makers at Global Crossing to allow fraudulent
route announcements to pass to the wider Internet via Global Crossing's
network.

I look forward to Global Crossing's clarification of this event.

Additional evidence of this hijacking may be found here:

   ftp://ftp.tristatelogic.com/pub/AS18466-rDNS.txt

and also here:

   ftp://ftp.tristatelogic.com/pub/AS18466-nameservers.txt

Both of these files show an abundance of "snowshoe" spamming domains which
are associated with the IPv4 space currently routed by AS18466.  All of
these domains have been registered in the relatively recent past, and all
of them have been registered either with WHOIS anonymity cloaking or with
clearly fraudulent WHOIS information.

Additional supporting evidence of this hijacking is also readily available
in the form of the following fraudulent web site:

   http://geminicom.net/

This false front web site, intended to serve as part of the clever deception
surrounding the miraculous rebirth of "Geminicommunications Limited", is in
fact nothing more than a thin veneer, much of which appears to have been
simply stolen/copied from the web site of a legitimate UK company, i.e.
http://www.8el.com/ (That copying itself represents yet another fraudulent
and illegal act, i.e. blatant copyright violation.)

As was true with the prior group of IP hijackings that I reported on back
on April 14th[1], in this case also the majority of the snowshoe spamming
domains involved in this incident (as shown in the AS18466-rDNS.txt file,
see above) have been registered via the ICANN accredited registrar named
Dynamic Dolphin, Inc.

It is, I believe, well and widely known by this time that Dynamic Dolphin,
Inc. is among the past and/or present business interests of the notorious
Scott Richter, interests which include, or which have included bulk e-mail
advertising firm Media Breakaway LLC, aka OptInRealBig.

Other evidence I have in hand also indicates a clear connection between
this hijacked IP space and another of Richter's business interests,
specifically a company called WholesaleBandwidth, Inc.  (I am not
disclosing this additional evidence publicly at the present time.  I have
my reasons.)


FULL DISCLOSURE:  Previously, in 2005, my company filed a legal claim in
the bankruptcy proceeding of Media Breakaway LLC, said bankruptcy having
been largely if not entirely precipitated by a multi-million dollar legal
action initiated by Microsoft against Media Breakaway LLC and Scott Richter
personally for various alleged mass violations of various anti-spam laws.
My company's claim was subsequently dismissed by the bankruptcy judge in
that case (improperly, in my view) and following the later dismissal of
the bankruptcy case, the Richters (Scott and father Steve) sued myself,
my company, and my attorney for alleged "abuse of process", specifically
for having had the gumption to show up in the bankruptcy case and make a
claim not too awfully different from the one that Microsoft had made.  The
Richters' "abuse of process" case against me, my company, and my attorney
was also subsequently dismissed, the judge having found it to be lacking
in merit.

Regards,
rfg


P.S. Those of you who missed it the first time around may wish to review
the following potentially relevant historical reference material:

    http://www.47-usc-230c2.org/chapter2.html
    http://www.47-usc-230c2.org/chapter3.html


P.P.S.  Although I have previously bemoaned ARIN's lack of aggressiveness in
reclaiming abandoned ASNs and IP blocks that have been hijacked, I feel
compelled to note that at least they (ARIN) do have a process in place
for doing so, i.e. when and if they are motivated in that direction.
I have it on good authority however that LACNIC does not even have an
established process for reclaiming abandoned number resources.  Given
that the problem of hijacked number resources, rather than disappearing,
is in fact accelerating, over time, I do believe that it would behove
LACNIC and other RIRs to develop processes for reclaiming abandoned
resources, in particular when and where it becomes evident that these
resources have been hijacked.

=-=-=-=-=
[1] See http://mailman.nanog.org/pipermail/nanog/2011-April/035235.html
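
The date mismatch the post points to (contact domain registered years after the AS record was last changed) can be checked mechanically by an upstream or RIR before accepting a customer's claim to a resource. The following is an added example, not part of the original post; the function names are hypothetical, and the domain registration date is supplied as input where a real check would obtain it from a domain WHOIS/RDAP lookup.

```python
import re
from datetime import date, datetime

# WHOIS record for AS18466 as quoted in the post (address/phone lines omitted).
RECORD = """\
aut-num:     AS18466
owner:       Geminicommunications Limited
owner-c:     HC170-ARIN
created:     20000831
changed:     20060616

nic-hdl:     HC170-ARIN
person:      Hans Cardenas
e-mail:      hcardenas at GEMINICOM.NET
"""

# Assumption: in practice this comes from a domain WHOIS/RDAP lookup; the date
# below is the re-registration date stated in the post.
DOMAIN_CREATED = {"geminicom.net": date(2010, 11, 1)}

def parse_objects(text):
    """Split a WHOIS reply into objects, each a list of (key, value) pairs."""
    objects = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = [(k.strip().lower(), v.strip())
                 for k, sep, v in (ln.partition(":") for ln in block.splitlines())
                 if sep]
        if pairs:
            objects.append(pairs)
    return objects

def contact_domains(objects):
    """Domains of all e-mail attributes, accepting '@' or archive-style ' at '."""
    found = set()
    for key, value in (pair for obj in objects for pair in obj):
        m = re.search(r"(?:@|\s+at\s+)([A-Za-z0-9.-]+)\s*$", value)
        if key == "e-mail" and m:
            found.add(m.group(1).lower())
    return found

def suspicious_contacts(text, domain_created):
    """Return (domain, registered, record_changed) for each contact domain that
    is unregistered (None) or was registered after the record last changed."""
    objects = parse_objects(text)
    changed = max(datetime.strptime(v, "%Y%m%d").date()
                  for obj in objects for k, v in obj if k == "changed")
    return [(d, domain_created.get(d), changed)
            for d in sorted(contact_domains(objects))
            if domain_created.get(d) is None or domain_created[d] > changed]

if __name__ == "__main__":
    for finding in suspicious_contacts(RECORD, DOMAIN_CREATED):
        print(finding)
```

A contact domain that comes back unregistered is reported as well, since that is the state in which an abandoned resource becomes open to this kind of takeover.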
