The curious case of 159.174.0.0/16

Ronald F. Guilmette rfg at tristatelogic.com
Wed Jan 29 08:40:37 UTC 2020


[[ Fair warning to newcomers:  I write and post longish pieces here
   regarding my various investigations of funny business I find going
   on within the IPv4 address space and the allocations and uses thereof.
   If you're looking for a quick 2 minute read then you are advised to
   skip this message now. ]]

I confess that I have been meaning to write about the 159.174.0.0/16
legacy IPv4 block for quite some time now.  What can I say?  I was busy.


The Present State of 159.174.0.0/16
-----------------------------------

I discovered quite some long time ago that this block was getting routing
from a rather unusual place, and that the ASN in question was also
announcing a few other nice juicy /16 legacy blocks, which by itself
was more than a little suspicious.  But that's not important now.  Please
allow me to just talk about who is routing this block at present, and
who the alleged legitimate registrants are, going by ARIN's relevant
current WHOIS record for this block:

    https://pastebin.com/raw/FBWMN9p3

As you can see, this block is registered to an entity located in Wilton,
Connecticut.  The block appears to have been originally assigned on
1992-05-11, well before the formation of ARIN.  It is thus an unusually
valuable "legacy" block.

The first indication that something might be a bit off about this block
is the contact phone number, +1-407-476-9854.  In this modern era of
number portability the area code portion of that may or may not have
any real-world geographical implications at all, but it turns out to
be notable, in this case, that area code 407 corresponds, historically,
to the greater Orlando, Florida area and surrounding Florida counties.

A quick bit of research reveals that there is in fact an entity calling
itself Dunsnet, LLC and that it is located in Winter Park, Florida,
a northern suburb of Orlando:

    http://search.sunbiz.org/Inquiry/CorporationSearch/SearchResultDetail?inquirytype=EntityName&directionType=Initial&searchNameOrder=DUNSNET%20L120001007590&aggregateId=flal-l12000100759-15618501-6ea8-4b18-898e-6470337507d1&searchTerm=dunsnet&listNameOrder=DUNSNET%20L120001007590

Further research on the Florida Secretary of State's web site confirms that
this entity does exist, that it is "active", and that it has one and only
one manager, that being another corporate entity called Ahosting, Inc.:

    http://search.sunbiz.org/Inquiry/CorporationSearch/SearchResultDetail?inquirytype=EntityName&directionType=Initial&searchNameOrder=AHOSTING%20P070001262120&aggregateId=domp-p07000126212-a6386b50-075c-4b07-b36e-ff5a3ba1b33c&searchTerm=ahosting&listNameOrder=AHOSTING%20P070001262120

As you can see via the above link, Ahosting, Inc. has only two corporate
directors, i.e.  a Mr. Erkan Ozdogan and a Mr. Adnan Canturk, both
apparently residents of Istanbul, Turkey.

At the present time, 100% of the 159.174.0.0/16 legacy block is being routed
by AS54163, aka Ahosting, Inc.:

    https://bgp.he.net/AS54163#_prefixes

The question is: Is this proper?


A Brief History of 159.174.0.0/16
---------------------------------

When the 159.174.0.0/16 block was first allocated and registered, way back
on 1992-05-11 it was assigned at that time to a unit of the famous Dun &
Bradstreet financial information company for use in connection with one
of the company's early forays into the world of the Internet:

    Fortune Magazine, August 19, 1985:
    https://archive.fortune.com/magazines/fortune/fortune_archive/1985/08/19/66327/index.htm

        "Dun & Bradstreet also operates DunsNet, a $20- million private
        telecommunications network completed in March, which connects
        customers in 155 cities directly to the company's mainframes."

On June 8th, 1994, Dun & Bradstreet's "Dunsnet" operation announced that
it had elected to partner with a European company named Eunetcom SA, which
was itself a partnership between Deutsche Bundespost Telekom and France
Telecom:

    https://www.cbronline.com/news/eunetcom_wins_dunsnet_pact/

In August, 1994, Eunetcom apparently elected to buy out its customer,
Dunsnet:

    "The Information Superhighway" (Randall L. Carlson - 1996)
    https://bit.ly/2O7kV48

        "Eunetcom is actively pursuing customers and entry into the North
        American market.  Its first customer was worth $200 million over
        five years and was {subequently} acquired by purchasing the
        networking services of Dun & Bradstreet's DunsNet.  DunsNet
        provides data communications services for the Dun & Bradstreet
        companies, a role that Eunetcom now assumes."

    https://www.postjobfree.com/resume/pumacu/unix-administrator-technical-analyst-reg-shelton

        "In August 1994, DunsNet was acquired by eunetcom, a joint venture
        between Deutsche Telekom and France Telecom."

As we all know, unlike the situation today, IPv4 blocks in the 1990s had
essentially no monetary value.  And thus the 159.174.0.0/16 block became
forgotten and abandoned by its rightful owners, which is to say Deutsche
Telekom and France Telecom.

Fast forward some 16 years to June 29, 2011, on which date it appears that
two clever fellows in Istanbul, Turkey began what would seem to be a quite
deliberate, premeditated, and determined effort to take control of the
(now quite valuable) 159.174.0.0/16 legacy block via the same sort of
simple-minded ruse that had already, by that time, worked so well for
others who likewise coveted various ARIN-administered large and valuable
legacy IPv4 blocks.  They simply pretended to be "Dunsnet" and began
the process of requesting from ARIN complete control over "their" legacy
block.

ARIN apparently obliged and permitted these two Turkish gentlemen to make
various changes to the relevant ARIN WHOIS records.  The official ARIN
"WhoWas" historical records relating to the 159.174.0.0/16 block show
quite clearly various changes being made to the relevant organization
record on 06-29-2011, 09-24-2011, and again on 11-06-2017:

    https://pastebin.com/raw/WTgvjXg2

Also and similarly, changes were made to the NET-159-174-0-0-1 record for
the block itself on 06-29-2011 and again on 11-06-2017:

    https://pastebin.com/raw/b3F1eTua

These latter day changes to the relevant ARIN WHOIS records might have been
and remained mostly unsuspicious had it not been for the creation, by the
aforementioned two Turkish gentlemen, on 08/06/2012, of the new Florida LLC
named "Dunsnet, LLC".    (See link above.)

In this context, it seems more than plausible that the name of this newly
minted Florida LLC was chosen specifically and deliberately with the intent
of hiding the facts regarding the illicit usurpation of the valuable
159.174.0.0/16 block.  This pattern of apparent corporate-level identity
theft is one that I have already seen on multiple previous occasions in
association with fraud, perpetrated against some Regional Internet Registry
(and ARIN in particular) with the goal being the theft of some sizable
IPv4 legacy block.

In fact, the only thing that is actually striking and somewhat remarkable
in this case is the exact timing of the relevant events.  As noted above,
the relevant ARIN WHOIS records were, it appears, improperly fiddled on
various dates in 2011.  It is not immediately clear why ARIN would have
allowed such manipulations in that year, given that the fraudulent Florida
shell company, Dunsnet, LLC was not actually incorporated until 08/06/2012
according to Florida state records.  (See link above.)

As noted above, official Florida state records for Dunsnet, LLC say that
it has one and only one manager, that being Ahosting, Inc.  As also noted
above, two specific persons appear to be in control of Ahosting, Inc.,
Mr. Erkan Ozdogan and Mr. Adnan Canturk, both residents of Istanbul,
Turkey.

Despite the strikingly inconvenient commute that these two gentlemen must
apparently have to deal with, these gentlemen quite obviously are the
principals of at least the two Florida corporate entities named above.

A look at some relevant web sites provides us with some further clues.

Whereas ahosting.com formerly was associated with a fully functioning
web site, that appears to not be the case at the present time.  There
is some downloadable content that can be reached via a URL which, in
normal circumstances, would be expected to take you to the home page of
this company, but the content in question is just some small bit of
HTML that my various web browsers refuse to render for some reason.

The same problem seems to also and likewise afflict what should be the
home page for dunsnet.com.  And the same again also for the web site
associated with the domain name mentioned in the WHOIS record for AS54163,
ahostinginc.com.  (Remember that this ASN is currently routing all of the
159.174.0.0/16 block.)  In this last case however the content provides
some clues as to an apparently related business known as aseohosting.com,
where the "SEO" part apparently stands for "Search Engine Optimization".

    https://pastebin.com/raw/PnpgnA2A

A simple Google search for Mr. Erkan Ozdogan turns up little of interest,
however a similar search in the case of Mr. Adnan Canturk turns up multiple
bits of his social media footprint:

    https://www.linkedin.com/in/adnan-canturk-24a66633
    https://twitter.com/adnan_canturk

The latter page provides us with a link to Mr. Canturk's personal web site,
adnancanturk.com, but this also appears to have a dysfunctional home page.
Nonetheless, the text content that can be fetched from that URL further
confirms Mr. Canturk's apparent connection to a business named "Aseohosting":

    https://pastebin.com/raw/NTW9nH6G

Despite all of these dysfunctional web sites and home pages, the web site
and the home page of aseohosting.com appears to be very much alive and well
at present:

    https://www.aseohosting.com/

It is my hope that I will not have to go into too much detail in order to
explain to the audience here why the use of large numbers of unique IPv4
addresses might be viewed by some as an integral part of any one of the
net's myriad and almost entirely useless "SEO" schemes whose intent is
the fundamental hoodwinking of search engines, such as Google, and their
algorithms.  The ultimate goal of these schemes, of course, is to snooker
the search engines into displaying certain results above others.

The bottom line is that it would appear that in this case, in the year
2011, Mr. Ozdogan and Mr. Canturk found themselves a convenient and zero
cost way of acquiring a sizable supply of IPv4 addresses, and that at the
present time these valuable legacy IPv4 addresses are being employed
(wasted?) on one big and undoubtedly fruitless search engine optimization
scheme.

To say that this is not the highest, best or most efficient use of the
increasingly scarce supply of IPv4 addresses would, I'm sure, be a serious
understatement.  (To paraphrase my mother's early admonitions to me at
dinner time "There are children starving in Asia who would like to have
those IP addresses!")

I must note that before posting this message I have made what I believe
to be reasonable efforts to contact both Mr. Ozdogan and Mr. Canturk via
every email address I could find for them, offering them the opportunity
to respond to the preceding facts and my interpretation of them, while
promising those gentlemen that I would post their responses, whatever
they might be.  No response was received to this offer by press time.

I also emailed John Curran, CEO of ARIN, prior to posting this message,
and also offered him an opportunity to provide me with a response.  This
is his response:

    "ARIN does not comment on specific registry changes (as number resource
    change requests are made in confidence), but we do take matters of
    potential number resource fraud quite seriously.   As you have chosen
    not to report this case of potential fraud, ARIN will not be investigating
    at this time, but we would welcome a fraud report if you believe that
    there is a need for investigation."

                                -- John Curran, CEO, ARIN

In closing I would just like to offer my personal observation that over
time it appears to me that ARIN has been repeatedly victimized by this
exact form of rather transparent fraud based on corporate identity theft.
Instances of this date back to 2008, and now appear to have occurred as
recently as last year.  (More about that later.)  I find this fact more
than a little troubling, not least because of the apparent correlation
between the specific IPv4 blocks that have been purloined in this manner
and the congregation of Internet bad actors... spammers, hackers, and
all manner of other Internet hooligans and miscreants... in and around
the relevant stolen blocks.

I understand that ARIN has neither the mandate to perform exhaustive
investigations of all requests it receives, nor the kind of unlimited
resources that might be required in order to do exhaustive investigations
on a routine basis.  That having been said however, in this and other
such instances, the fraudulent nature of the requests has been really
rather obvious and transparent, requiring only the most modest amount of
effort to note one or more of the glaring red flags and thus the need for
further inquiry.

I feel compelled to also note that ARIN's responses to cases such as
this (e.g. the case of the 143.95.0.0/16 block) or, more accurately, the
general lack of such responses may ultimately prove to be problematic,
not just for ARIN but for the United States Department of Justice, e.g.
in its current prosecution of federal criminal case 3:18-CR-04683-GPC:

    https://krebsonsecurity.com/2019/09/feds-allege-adconion-employees-hijacked-ip-addresses-for-spamming/

I am not immediately persuaded that a case could not be made, by the defense
in that case, for selective prosecution.

To an outsider such as myself, it seems that it might be difficult to defend
and justify a decision to criminally prosecute one case in which ARIN was
allegedly defrauded, apparently by persons of less-than-impressive means,
while electing to -not- prosecute a half-billion dollar corporation, such
as EIGI, against which the weight of the evidence may perhaps be equally
compelling.  This is the kind of slippery slope that one begins to traverse
when one is guided by convenience or pragmatics, rather than by even-handed
principle.


Regards,
rfg


P.S.  I have previously been in contact with a representative of Orange S.A.,
formerly France Telecom, and have requested that he arrange for his company
to take back control of what would appear to be their partial ownership of
the 159.174.0.0/16 block.  To the best of my knowledge, no action has been
taken by the company in this direction.

To date I have been utterly unable to make contact with any
representative of Deutsche Telekom in order to likewise encourage that
company to reassert its apparently rightful claims to the 159.174.0.0/16
block.  I would thus appreciate any referrals to any actual natural
persons in that company with whom I might be able to discuss this matter.
(I have a standing policy of never attempting to converse with unaccountable
anonymized role accounts.  Based on past experience, this is without
exception an utter waste of my time.)


