Notice: Fraudulent RIPE ASNs

Ronald F. Guilmette rfg at tristatelogic.com
Wed Jan 16 10:41:59 UTC 2013


In message <A5DAD1A3-9CC9-4560-93BD-85F9E912885E at steffann.nl>, 
Sander Steffann <sander at steffann.nl> wrote:

>Sorry, but you post this information on public mailing lists where it
>can be discussed but where no action can be taken...

I think that you mistake formalized centralized "action" for "action"
more broadly and generally.

In fact, it is my belief that "action" has already been taken, within
some networks, to firewall themselves off from the miscreant ASNs and
IP blocks that I reported on.  (And based upon my beliefs regarding these
ASNs and IP blocks I would highly recommend that others who have not
yet done so follow suit, along with any and all IP space being announced
in routes from AS2876.)

>Nobody else will take your research and submit it to a third party. It's
>your research: either you submit it to the RIPE NCC and action will be
>taken where appropriate...

As I have already stated, I have no faith whatsoever in the last part of
that assertion, and thus elect not to waste my time.

These kinds of problems have been going on for literally years now,
primarily originating out of Romania.  If RIPE seriously wanted to shut
down all of this fraudulent activity, they could have and would have done
so long before now.

In the three years since the following report was written, what has changed?
Anything?

  http://threatpost.com/en_us/blogs/attackers-buying-own-data-centers-botnets-spam-122109

   "It is impossible at that stage in the process for the RIPE NCC to determine
   that a company is involved in illegal activity. The member in question later
   proved to be a front for RBN," RIPE said in a statement on the case. But the
   allocation was made in 2006 and it wasn't until May 2008 that RIPE was able
   to close down the LIR and get the IP space back."

Excuse me, but really?  Two *&^%$#@ years, just to get some space back from
the notorious RBN??

   "In most regions, a new organization requesting a large allocation will have
   to go through a fairly rigorous process to show the need for the address
   space..."

But not in the RIPE region, apparently.


Regards,
rfg


P.S.  ASNs are not nearly in as short supply as IPv4 addresses are, however
there _are_ only a finite number of them, and they should not be wasted.

As I understand it, generally speaking if you are too small to own even
at least one router, then you most certainly do not need your own ASN.
I have noted however that the last hop on all traceroutes to all of
the domains mentioned in my initial report seems to be 193.226.166.214.
The router at that address is, I believe, the router immediately in front
of the server(s) that are serving up the home pages for these fraudulent
false-front entities.  That IP belongs to AS5606 aka GTS Telecom SRL...
*not* to any one of these bogus fraudulent pseudo-entities.

So, within the RIPE region, it appears that one can obtain one's own
ASN... or even perhaps a couple dozen of them... without even owning a
single router.

Somehow this does not seem to me to be an efficient allocation of finite
number resources.


P.P.S.  Before anyone asks, no, the fact that all routes to all of the
web servers for all of the domains mentioned in my initial report all
pass through 193.226.166.214 (just before the last hop in all cases) is
most certainly *not* the only bit of evidence that indicates that all of
these 18 fraudulent false-front entities were created/registered/implemented
by a single hand (which I am confident they all were).  There is plenty
more evidence that supports this view also.  One has only to look just
very slightly below the surface.  The evidence is abundant.

P.P.P.S.  Long before I posted my report here this week, it was already
well and widely known that JUMP.RO has an unfortunate tendency to provide
IP space to fictitious entities engaged primarily in spamming:

  http://www.spamhaus.org/rokso/evidence/ROK9107/world-company-register-eu-business-register/rogue-ases-as43332-as4

If the good folks at RIPE NCC have not already known about this for some
time then I would suggest that some of them may perhaps be working overtime
to avoid knowing.  On the other hand, if the RIPE folks have in fact known
about what JUMP.RO has been up to, based on earlier published reports of
their questionable activities, then that begs the obvious question:  What
has RIPE done about this so far?  Anything?

I'm sure that your urging of me to take further action with respect to this
matter is well intentioned, but you have your urging pointed in the wrong
direction, I think.  The primary onus for further action lies elsewhere.
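The observation in the P.S. above (every traceroute to the reported domains ends at the same penultimate hop, and that hop's address is registered to a different ASN than the entities claiming their own ASNs) is the kind of check an abuse analyst can script. The following Python program is an added example and is not part of the original post: it parses traceroute output, finds a penultimate hop shared by every target, and looks up the origin AS of each address with a longest-prefix match. The traceroute text, the target names, the TEST-NET-2 final-hop addresses, the private ASNs 64496 to 64498 and the prefix-to-origin table are all constructed for illustration; in particular the entry mapping 193.226.166.0/24 to AS5606 is an assumption standing in for a real routing-table lookup.

```python
import ipaddress
import re
from collections import Counter

# Constructed traceroute output for three hypothetical targets. The shared
# next-to-last hop, 193.226.166.214, is the address named in the post; the
# final hops use TEST-NET-2 addresses, which are reserved for documentation.
TRACEROUTES = {
    "front-a.example": """\
traceroute to front-a.example (198.51.100.10), 30 hops max
 1  gw.local (192.0.2.1)  0.4 ms  0.3 ms  0.3 ms
 2  upstream-1.example.net (192.0.2.65)  9.1 ms  9.0 ms  9.2 ms
 3  * * *
 4  rtr.example.net (193.226.166.214)  41.8 ms  41.6 ms  41.9 ms
 5  198.51.100.10 (198.51.100.10)  42.3 ms  42.1 ms  42.4 ms
""",
    "front-b.example": """\
traceroute to front-b.example (198.51.100.74), 30 hops max
 1  gw.local (192.0.2.1)  0.4 ms  0.4 ms  0.3 ms
 2  upstream-1.example.net (192.0.2.65)  9.3 ms  9.0 ms  9.1 ms
 3  rtr.example.net (193.226.166.214)  41.5 ms  41.7 ms  41.6 ms
 4  198.51.100.74 (198.51.100.74)  42.0 ms  42.2 ms  42.1 ms
""",
    "front-c.example": """\
traceroute to front-c.example (198.51.100.138), 30 hops max
 1  gw.local (192.0.2.1)  0.3 ms  0.3 ms  0.4 ms
 2  upstream-1.example.net (192.0.2.65)  9.0 ms  9.2 ms  9.1 ms
 3  * * *
 4  * * *
 5  rtr.example.net (193.226.166.214)  41.9 ms  41.8 ms  41.7 ms
 6  198.51.100.138 (198.51.100.138)  42.4 ms  42.3 ms  42.2 ms
""",
}

# Constructed prefix -> origin AS table standing in for a routing view.
# The 193.226.166.0/24 -> AS5606 entry is an assumption for this example;
# the three /26s and their private ASNs are invented "front entity" space.
PREFIX_ORIGINS = {
    "193.226.166.0/24": 5606,
    "198.51.100.0/26": 64496,
    "198.51.100.64/26": 64497,
    "198.51.100.128/26": 64498,
}

# Matches a responding hop line: hop number, host or IP, then "(a.b.c.d)".
# Lines of the form " 3  * * *" (no reply) deliberately do not match.
HOP_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\((\d+(?:\.\d+){3})\)")


def parse_hops(text):
    """Return (hop_number, ip) for every hop that answered, in order."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), ipaddress.ip_address(m.group(2))))
    return hops


def origin_as(ip, table=PREFIX_ORIGINS):
    """Longest-prefix match of ip against table; None if no prefix covers it."""
    ip = ipaddress.ip_address(ip)
    best = None
    for prefix, asn in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None


def analyze(traces=TRACEROUTES, table=PREFIX_ORIGINS):
    """Summarise last/penultimate hops per target and any hop shared by all."""
    per_target = {}
    for target, text in traces.items():
        hops = parse_hops(text)
        if len(hops) < 2:
            continue  # not enough responding hops to say anything
        last, penult = hops[-1][1], hops[-2][1]
        per_target[target] = {
            "last_hop": str(last),
            "last_as": origin_as(last, table),
            "penultimate_hop": str(penult),
            "penultimate_as": origin_as(penult, table),
        }
    counts = Counter(v["penultimate_hop"] for v in per_target.values())
    hop, n = counts.most_common(1)[0] if counts else (None, 0)
    # Only report a shared upstream when every analysed target goes through it.
    shared = hop if n == len(per_target) and n > 1 else None
    return {
        "targets": per_target,
        "shared_penultimate": shared,
        "shared_penultimate_as": origin_as(shared, table) if shared else None,
        "distinct_target_ases": {v["last_as"] for v in per_target.values()},
    }


if __name__ == "__main__":
    result = analyze()
    for name, info in result["targets"].items():
        print(f"{name}: server in AS{info['last_as']}, "
              f"behind {info['penultimate_hop']} (AS{info['penultimate_as']})")
    if result["shared_penultimate"]:
        print(f"all targets share upstream {result['shared_penultimate']} "
              f"in AS{result['shared_penultimate_as']}")
```

The script only states what the traces and the prefix table support: that several supposedly independent ASNs sit behind one router in someone else's AS. Whether that is consistent with each entity really operating its own network is the judgement the post makes; the script gives the evidence a reproducible form, with the prefix table swapped for an actual routing-table or RIR lookup in real use.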
