AS37135, AS6560, AS32714, AS14029 - Squatted or not? You be the judge.
Ronald F. Guilmette
rfg at tristatelogic.com
Fri Nov 11 11:49:20 UTC 2016
At least one person has now asserted to me in private email that
my suggestion that AS30186 was being squatted on was in fact accurate.
Thus, I now feel confident enough to provide here the rest of the story
which goes along with that.
In a nutshell, AS30186 and also two other ASNs, together appear to all
be parts of a single large multi-ASN squat.
In addition to what appears to be a squat on AS30186 (the former
Ross Technology Inc. of Austin, Texas, which even Wikipedia says
has been dead for lo these past 18 years) it appears to me, based
on the evidence, that the exact same large scale spamming company
is, at present, also usurping and squatting on two additional
AFRINIC ASNs, namely AS37135 and AS6560. I provide here listings
of the current forward resolutions of a sizable number of snowshoe
spammer nonsense domain names (more than 1,400 in total) which are
currently associated with various portion of several apparently
illicitly appropriated AFRINIC /16 blocks:
The affected, and apparently long-orphaned AFRINIC IPv4 blocks involved
are as follows. Note that these have each have their own AFRINIC block
registration records which indicate that they belong to, among others, a
chemicals & power company (184.108.40.206/16), a manufacturer of stainless
steel products (220.127.116.11/16), an international mining company
(18.104.22.168/16), a manufacturer of fertilizers and nitrogen compounds
(22.214.171.124/16), an agricultural chemicals company (126.96.36.199/16),
the Directorate of Information Services for the South African government
(188.8.131.52), a Seychelles Islands ISP (184.108.40.206/15), and a South
African outsourcing and business services company (220.127.116.11/16).
Despite these "official" IPv4 block registrations, based on the evidence
as shown in the above Pastebin reports, I am forced to conclude that
somehow, magically, all of these long-dormant African entities recently
began hosting parts of a large scale snowshoe spamming operation,
including even the Directorate of Information Services for the South
African government, as well as the South African Post Office (18.104.22.168./16),
both of which appear to be kindly lending a hand to these spammers also.
Here is the list of affected AFRINIC-allocatded IPv4 blocks:
Note that AS37135 and AS6560, which I contend are themselves being squatted
on, are currently announcing numerous discrete and discreet /20, /21, and
/19 blocks out of the above large blocks, perhaps with a view to the future
and to switching their announcements to other and different sub-blocks within
these same containing blocks, e.g. when they have so throughly sullied the
reputations of the blocks they are currently using so as to have caused
those blocks to be universally blacklisted everywhere.
In any case, here are the current announcements being made by AS37135
and AS6560, respectively. Note that the set of announcements from these
ASNs has changed, and significantly, even just within the past 24 hours.
What you are seeing here is just the routes being announced by these
two suspicious ASNs as I write this.
22.214.171.124/20 -- Free State Education Department (not routed earlier today)
As I was preparing this post, two furter and additional dodgy looking
ASNs also came to my attention, and preliminary analysis suggests that
these two additional AFRINIC ASNs, AS32714, and AS14029, together with
all of the IP space they are announcing, may perhaps also be squatted on
at the present time. Given below are the current announcements from
these two additional ASNs. Note that AS32714 is currently announcing
routes to some South African IP address blocks, as well as to certain
German blocks registered to Daimler AG, and also a number of Chinese
/18 blocks registered to the Chinese retailing giant Alibaba, Inc...
two companies which I suspect do not really require outside help from
South Africa in order to obtain routing to their own IP blocks.
Interestingly also, the former Zimbabwean ASN AS14029 does not appear
to be actually registered to anyone at all at the present time. This
minor annoyance does not, apparently prevent it from announcing a
number of rather entirely dubious routes via its lone BGP peer AS260.
I will be looking in more depth into AS32714 and AS14029 shortly, but
for now I just wanted to make people aware of these additional two
rather curious ASNs and the routes they are currently announcing.
On a final note, it has not escaped my notice that all three of the
ASNs AS37135, AS6560, and AS14029 appear to have only a single
common BGP peer, that being AS260, Xconnect24 Inc. I suspect that
this is not entirely a matter of coincidence. I have attempted to
make contact via email with Xconnect24, but they have not replied
to my polite inquiry.
For its part, AS32714 also has but a single BGP peer, that being
AS6939, Hurricane Electric, Inc.
More information about the NANOG