Notice: Fraudulent RIPE ASNs

Eugeniu Patrascu eugen at imacandi.net
Tue Jan 15 07:31:04 UTC 2013


On Tue, Jan 15, 2013 at 12:49 AM, Ronald F. Guilmette
<rfg at tristatelogic.com> wrote:
>
> After a careful investigation, I am of the opinion that each of the
> following 18 ASNs was registered (via RIPE) with fraudulent information
> purporting to represent the identity of the true registrant, and that
> in fact, all 18 of these ASNs were registered by a single party,
> apparently as part of a larger scheme to provide IP space to various
> snowshoe spammers.
>
> Evidence I have in hand strongly links this scheme and these ASNs and
> their associated IPv4 route announcements to Jump Network Services,
> aka JUMP.RO.  Furthermore, all of these ASNs are apparently peering
> with exactly and only the same two other ASNs in all cases, i.e.
> GTS Telecom SRL (AS5606) and Net Vision Telecom SRL (AS39737).  These
> peers and the fraudulent ASNs listed below are all apparently originated
> out of Romania.

Jump.ro is a very active LIR and domain registry on the Romanian
market and is "selling" ASNs to whoever is interested and facilitates
allocations of PI netblocks to those who can justify them. It might
come as a surprise to you, but in Romania there are a lot of companies
(even very small ones) with their own ASN and PI netblocks. This setup
makes it extremely easy to switch ISPs with virtually no impact on
network operations.

If I'm not mistaken, companies use Netvision for cheap internet
access. GTS is more expensive, but theoretically is providing high
quality internet access with good SLAs.

>
> AS16011 (fiberwelders.ro)
> AS28822 (creativitaterpm.ro)
> AS48118 (telecomhosting.ro)
> AS49210 (rom-access.ro)
> AS50659 (grandnethost.com)
> AS57131 (speedconnecting.ro)
> AS57133 (nordhost.ro)
> AS57135 (fastcable.ro)
> AS57176 (bucovinanetwork.ro)
> AS57184 (kaboomhost.ro)
> AS57415 (highwayinternet.ro)
> AS57695 (effidata.ro)
> AS57724 (id-trafic.ro)
> AS57738 (mclick.ro)
> AS57786 (hosting-www.ro)
> AS57837 (romtechinnovation.ro)
> AS57906 (momy.ro)
> AS57917 (nature-design.ro)

From all those websites, it looks like they are all hosting companies.
Have you tried calling the numbers listed in the WHOIS registrant
information on the ASN, and you couldn't get to anyone?

>
> At present, the above 18 ASNs are currently announcing routes for a total
> amount of IP space equal to 1,022 /24s, which is the rough equivalent of
> an entire /14 block.  These IPv4 route announcements are listed below,
> sorted by IPv4 (32-bit) start address.

If you really believe that all those ASNs listed by you above are only
used to host spammers, then by all means please contact
alerts at cert-ro.eu - that is the Romanian CERT as they are active and
will investigate the allegations you make.

>
> Additional potentially relevant background information:
>
>     http://threatpost.com/en_us/blogs/attackers-buying-own-data-centers-botnets-spam-122109
>     http://www.spamhaus.org/rokso/evidence/ROK9107/world-company-register-eu-business-register/rogue-ases-as43332-as44414-as44520-as49173-as49643
>     http://www.spamhaus.org/sbl/listings/jump.ro
>

So far I do not know of a single web hosting company whose customers
never spammed anyone :)


