Illegal usage of AS51888 (and PI 91.220.85.0/24) from AS42989 and AS57954 (in Ukraine)

Xavier Beaudouin kiwi at oav.net
Fri May 3 17:49:20 UTC 2013


Hello there,

It seems there are some people in Ukraine who love to use IPs and ASes that don't belong to them.

See:
#sh ip bgp 91.220.85.0/24      
BGP routing table entry for 91.220.85.0/24, version 6661169
Paths: (2 available, best #1, table Default-IP-Routing-Table)
 Advertised to update-groups:
       1
 174 8359 8359 13249 57954 42989 51888, (received & used)
   149.11.xx.xx from 149.11.xxx.xxx (38.28.xx.xx)
     Origin IGP, metric 14050, localpref 100, valid, external, best
     Community: 11424365 11425269
 24990 21371 8359 13249 57954 42989 51888, (received & used)
   185.3.25.1 (metric 10) from 185.17.xxx.xxx (185.17.xxx.xxx)
     Origin IGP, metric 0, localpref 100, valid, internal, not synchronized


According to the RIPE database:
aut-num:        AS51888
as-name:        PILOTSYSTEMS-AS
descr:          Pilot Systems consulting SARL
org:            ORG-PS74-RIPE
import:         from AS16128 accept ANY
import:         from AS29075 accept ANY
import:         from AS35189 accept ANY
export:         to AS16128 announce AS51888
export:         to AS29075 announce AS51888
export:         to AS35189 announce AS51888
admin-c:        DS7922-RIPE
tech-c:         GLM89-RIPE
tech-c:         XB80-RIPE
mnt-by:         RIPE-NCC-END-MNT
mnt-by:         MNT-KAZAR
mnt-by:         MNT-PILOTSYSTEMS
mnt-routes:     MNT-KAZAR
mnt-routes:     MNT-PILOTSYSTEMS
source:         RIPE #Filtered

It seems that there is no AS42989 as an upstream... So we can consider that AS42989 is handling illicit activities and does not filter prefixes (the same goes for AS57954).

That's cool, but those people in UA use that prefix to send spam; as an LIR member I got thousands of mails from people who see those IPs as a spam source.

RPKI and other stuff really need to be deployed massively.

If some people from those UA ASes could do their job instead of becoming the honeypot of spammers, this would be better for everyone.

I have already tried to contact the abuse / e-mail addresses from the RIPE database: no MX, the mailbox doesn't exist, even the domain doesn't exist...

Maybe AS-MTU doesn't look into the quality of their customers? So bad...

People there who have some PI and an unused AS: have a look to check that your resources are not used by someone who should not use them.

Xavier
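
The comparison made in the message above, as an added example that is not part of the original post: it reads the AS paths out of `sh ip bgp` output and flags any path whose AS next to the origin is not named in an `export:` line of the origin's aut-num object. The function names are hypothetical, the sample text is trimmed from the output quoted in the post, and the parser assumes Cisco-style path lines that end in a comma.

```python
import re

# Constructed sample: trimmed from the router output and RIPE object quoted in the post.
BGP_OUTPUT = """\
BGP routing table entry for 91.220.85.0/24, version 6661169
 Advertised to update-groups:
       1
 174 8359 8359 13249 57954 42989 51888, (received & used)
   149.11.xx.xx from 149.11.xxx.xxx (38.28.xx.xx)
 24990 21371 8359 13249 57954 42989 51888, (received & used)
   185.3.25.1 (metric 10) from 185.17.xxx.xxx (185.17.xxx.xxx)
"""
AUT_NUM = """\
aut-num:        AS51888
export:         to AS16128 announce AS51888
export:         to AS29075 announce AS51888
export:         to AS35189 announce AS51888
"""

def declared_upstreams(aut_num_text):
    """Return (origin ASN, set of ASNs the object says it announces to)."""
    origin = int(re.search(r"^aut-num:\s+AS(\d+)", aut_num_text, re.M).group(1))
    peers = re.findall(r"^export:\s+to AS(\d+)\s+announce", aut_num_text, re.M)
    return origin, {int(p) for p in peers}

def as_paths(bgp_text):
    """Extract AS paths; next-hop and update-group lines do not match."""
    paths = []
    for line in bgp_text.splitlines():
        m = re.match(r"\s+(\d+(?: \d+)*),", line)
        if m:
            paths.append([int(a) for a in m.group(1).split()])
    return paths

def check_paths(bgp_text, aut_num_text):
    """Flag paths with a foreign origin or an undeclared first-hop upstream."""
    origin, allowed = declared_upstreams(aut_num_text)
    findings = []
    for path in as_paths(bgp_text):
        # Collapse AS-path prepending (e.g. "8359 8359") before looking at neighbours.
        hops = [a for i, a in enumerate(path) if i == 0 or a != path[i - 1]]
        if hops[-1] != origin:
            findings.append((path, "origin mismatch", hops[-1]))
        elif len(hops) > 1 and hops[-2] not in allowed:
            findings.append((path, "undeclared upstream", hops[-2]))
    return findings

if __name__ == "__main__":
    for path, reason, asn in check_paths(BGP_OUTPUT, AUT_NUM):
        print(f"{reason}: AS{asn} in path {' '.join(map(str, path))}")
```

Routing policy in aut-num objects is often out of date, so a hit here is a lead to confirm with the resource holder rather than proof on its own.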

