AS47860 - 93.175.240.0/20 - Whiskey Tango Foxtrot

Ronald F. Guilmette rfg at tristatelogic.com
Thu Oct 6 19:28:35 UTC 2016


In message <20161006163137.uvcnzodrve6tom43 at cisco.com>, 
Joseph Karpenko <karpenko at cisco.com> wrote:

>> 
>> P.S.  This crap appears to be brought to us courtesy of AS29632,
>> NetAssist, LLC:
>> 
>>     http://new.netassist.ua/
>> 
>
>assuming accuracy of records, etc...  ;-)

Right.  And that doesn't seem to be RIPE's strong suit.

>or courtesy of both AS43659 (who was peering with and announcing the prefix to>)
>and AS29632 (who was then accepting and announcing to its upstreams)?  seems to
>be an interesting relationship between the two (2) of them; along with an even
>more interesting relationship/affiliation between AS43659 and AS57166 - and the
>upstream for both the ASNs is/was AS29632 (NetAssist LLC).  ;-)

Well, yes.  I tried to untangle the relationships here just by looking at
bgp.he.net, but as I looked at all of the relevant pages, nothing seemed
to be adding up, or even remaining consistent among all of the info that
bgp.he.net was showing me.  So I just shrugged, gave up, and reported the
few facts that I felt sure about here.

Specifically, bgp.he.net is reporting the name associated with AS47860 as
"Albino, LLC", but personally, I have no idea where they are getting that
name from.  (And it sure doesn't look like a European style of company
name... rather more American, I think.)

Then I looked at the bgp.he.net connectivity graph for AS47860:

    http://bgp.he.net/AS47860#_graph4

This suggests that AS47860 is connected to the Internet only via AS43659,
D2 International Investment Ukraine Ltd.  (That AS, it seems, is currently
announcing -zero- routes of its own, which seems, well, odd.)

The connectivity graph for AS43659 is here:

    http://bgp.he.net/AS43659#_graph4

This seems to indicate that AS43659 is only connected to the Internet via
AS29632 and that AS29632 is itself -only- connected to the Internet via
AS6939.  But then when I looked at the connectivity graph for AS29632
it actually appears to have -five- different IPv4 peers:

   http://bgp.he.net/AS29632#_graph4

But then I looked at the actual -list- of IPv4 peers of AS29632 and I see
it has 121 of them!

     http://bgp.he.net/AS29632#_peers

So, anyway, bottom line, there are clearly things about how bgp.he.net draws
connectivity graphs that I don't actually understand.

That's OK.  I don't need to understand any of that in order to understand
that AS47860 is a bogus unregistered AS which is, and which has been, apparently,
for some long time, announcing a route (93.175.240.0/20) to unregistered RIPE
IPv4 space.

Sadly, announcing of bogons is not uncommon, so I wouldn't even have mentioned
this if it hadn't been for the fact that historical passive DNS data indicate
quite clearly that at least one snowshoe spammer was using that IPv4 space at
about this time last year.


Regards,
rfg
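
Added example, not part of the original message: a minimal check for the two conditions described above, an origin AS with no registration and a route covering space with no registration. The registry sets and all announcements other than the one named in the message are constructed from documentation ranges; real use would load RIR delegation data instead.

```python
import ipaddress

# Constructed stand-ins for registry data (documentation ranges, not real allocations).
ALLOCATED_PREFIXES = [ipaddress.ip_network(p) for p in
                      ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]
ALLOCATED_ASNS = {64496, 64497}

# Constructed sample of (prefix, origin ASN) pairs as seen in a routing table.
# The second entry is the announcement the message describes; the rest are made up.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),     # registered prefix, registered origin
    ("93.175.240.0/20", 47860),  # reported in the message as unregistered on both counts
    ("198.51.100.0/23", 64497),  # less-specific that spills outside the registered /24
    ("203.0.113.0/25", 64511),   # registered space, unregistered origin
]


def classify(prefix, origin_asn, allocated_prefixes=ALLOCATED_PREFIXES,
             allocated_asns=ALLOCATED_ASNS):
    """Return the list of reasons an announcement looks like a bogon (empty if none)."""
    net = ipaddress.ip_network(prefix, strict=True)
    reasons = []
    if origin_asn not in allocated_asns:
        reasons.append("unallocated-origin-asn")
    # The whole announced prefix must sit inside one registered block;
    # compare only like address families, since subnet_of() rejects mixed versions.
    covered = any(a.version == net.version and net.subnet_of(a)
                  for a in allocated_prefixes)
    if not covered:
        reasons.append("unallocated-prefix")
    return reasons


def find_bogons(announcements):
    """Map each suspicious (prefix, origin ASN) pair to its reasons."""
    flagged = {}
    for prefix, asn in announcements:
        reasons = classify(prefix, asn)
        if reasons:
            flagged[(prefix, asn)] = reasons
    return flagged


if __name__ == "__main__":
    for (prefix, asn), reasons in find_bogons(SAMPLE_ANNOUNCEMENTS).items():
        print(f"{prefix} origin AS{asn}: {', '.join(reasons)}")
```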


