AS47860 - 93.175.240.0/20 - Wiskey Tango Foxtrot

Joseph Karpenko karpenko at cisco.com
Thu Oct 6 16:31:37 UTC 2016


> 
> P.S.  This crap appears to be be brought to us courtesy of AS29632,
> NetAssist, LLC:
> 
>     http://new.netassist.ua/
> 

assuming accuracy of records, etc...  ;-)

or courtesy of both AS43659 (who was peering with and announcing the prefix to)
and AS29632 (who was then accepting and announcing to its upstreams)?  seems to
be an interesting relationship between the two (2) of them; along with an even
more interesting relationship/affiliation between AS43659 and AS57166 - and the
upstream for both the ASNs is/was AS29632 (NetAssist LLC).  ;-)

   - AS57166 UA-D2INVESTUKRAINE-AS, UA; D2 International Investment Ukraine Ltd.
   - AS43659 BUDREMYER-AS, UA; D2 International Investment Ukraine Ltd.

SAME EMAIL/ABUSE CONTACTS (and address) for both ASNs (AS43659 and AS57166):
   - EMAIL CONTACTS: abuse at etthua.net; d2invest at meta.ua; support at etthua.net
   - ABUSE CONTACTS: abuse at etthua.net

RELATED DOMAINS:
   - budremyer.su
   - etthua.net
   - meta.ua

BOGUS ROUTES AND AS ANNOUNCEMENTS 
93.175.240.0/20  AS47860  -Reserved AS-, ZZ  93.175.240.0 - 93.175.255.255

   - 93.175.240.0/20:  http://93.175.240.0.20.potaroo.net/

     Origins: 47860 (7d 10h 47m 1s, 1 times)  --   (AS47860: -Reserved AS-, ZZ)
Next AS Hops: 43659 (7d 10h 47m 1s, 1 times)  --   (AS43659: BUDREMYER-AS , UA)
       Paths: 4608 1221 4637 174 29632 43659 47860 (5d 13h 41m 44s, 1 times, avg 5d 13h 41m 44.0s)
              4777 2497 6939 29632 29632 29632 29632 29632 43659 47860 (1d 21h 5m 17s, 1 times, avg 1d 21h 5m 17.0s)

AS47860 -> AS43659 -> AS29632
   - AS47860 (RIPE NCC ASN BLOCK); http://www.cidr-report.org/cgi-bin/as-report?as=AS47860&view=2.0
       - AS43659 (BUDREMYER-AS, UKRAINE); http://www.cidr-report.org/cgi-bin/as-report?as=AS43659&view=2.0
           - AS29632 (NASSIST-AS, UKRAINE); http://www.cidr-report.org/cgi-bin/as-report?as=AS29632&view=2.0
               - UPSTREAM ADJACENT AS
                   - AS20485  TRANSTELECOM Moscow, Russia, RU
                   - AS29107  SYNAPSE-AS , UA
                   - AS8359   MTS , RU
                   - AS35320  ETT-AS , UA
                   - AS6939   HURRICANE - Hurricane Electric, Inc., US


regards,

-- 
.karpenko


On 2016-10-05T16:55:18-0700, Ronald F. Guilmette <rfg at tristatelogic.com> wrote:
> 
> My analysis:  Serious and apparently long-lived bogosity, with a clear
> history of substantial spamming aactivity.
> 
> But you be the judge.
> 
> Looks to me like an unregistered RIPE AS announcing a route to a /20 worth of
> unregistered RIPE IPv4 space.
> 
> And this didn't exactly crop up just yesterday.  Looks like this has been
> ongoing for one hell of a long time:
> 
> https://stat.ripe.net/widget/routing-history#w.resource=AS47860
> 
> Of course, it's not even nearly as much of an issue -now- as it was, say,
> about 1 year ago, in October of 2015, when the /20 was apparently populated
> by a huge boat load of snowshoe spammer domains.  Sadly, Spamhaus has a bad
> habit of consistantly failing to ever put any helpful date information on any
> of its listings, otherwise I'd be able to see when -they- first noticed this
> absurd mess.
> 
> https://www.spamhaus.org/pbl/query/PBL1626432
> 
> Anyway, it's rather annoying to me personally... and I hope I'm not the only
> one who feels that way... to know that this has gone mostly unnoticed for so
> long, that nobody within the RIPE region has ever bothered to -do- anything
> about it, and that the AS and the bogus route are still being announced, even
> as we speak.
> 
> Assuming the thing remains in play, how long will be be before the spammers
> return to use and abuse it yet again?
> 
> Maybe they were just waiting for a full year to go by so that they might have
> some hopes of this /20 being automatically aged off some blacklists.
> 
> 
> Regards,
> rfg
> 
> 
> P.S.  This crap appears to be be brought to us courtesy of AS29632,
> NetAssist, LLC:
> 
>     http://new.netassist.ua/
> 
> So anyway, where are the grownups?
> 
> 
> [  --------------------  END OF INCLUDED MESSAGE  --------------------  ]



More information about the NANOG mailing list