AS29073, 184.108.40.206/14, Level3: Why does anyone peer with these schmucks?
Ronald F. Guilmette
rfg at tristatelogic.com
Mon Aug 14 18:47:56 UTC 2017
I think that this is primarily Level3's problem to fix. But you be
the judge. Please, read on.
Over the weekend, I stumbled upon an interesting blog called "Bad Packets",
where a fellow named Troy has written about various unsavory goings on
involving various networks. One network that he called out in particular
was AS29073, formerly called "Ecatel". On his blog, this fellow Troy has
noted at length some break-in attempts originating from AS29073 and his
inability to get anyone, in particular RIPE NCC, to give a damn.
The fact that RIPE NCC declined to accept the role of The Internet Police
didn't surprise me at all... they never have and probably never will...
but I decided to have a quick look at what this network was routing, at
present, which can be easily seen here:
So I was looking through the announced routes for AS29073, and it all
looked pretty normal... a /24 block, check, a /24 block, check, a /21
block, check... another /24 block, and then ... WAIT A SECOND! HOLY
MOTHER OF GOD! WHAT'S THIS??? 220.127.116.11/14 !!!
So how does a little two-bit network with a rather dubious reputation
and a grand total of only about a /19 to its name suddenly come to
be routing an entire /14 block??
And of course, it's a legacy (abandoned) Afrinic block.
And of course, there's no reverse DNS for any of it, because there is
no valid delegation for the reverse DNS for any of it... usually a good
sign that whoever is routing the block right now -does not- have legit
rights to do so. (If they did, then they would have presented their
LOAs or whatever to Afrinic and thus gotten the reverse DNS properly
delegated to their own name servers.)
I've seen this movie before. You all have. This gives every indication
of being just another sad chapter in the ongoing mass pillaging of
unused Afrinic legacy IPv4 space, by various actors with evil intent.
I've already documented this highly unfortunate fad right here on
This incident is a bit different from the others however, in that it
-does not- appear that the 18.104.22.168/14 block has been filed to the
brim with snowshoe spammers. Well, not yet anyway.
But if in fact the stories are correct, and if AS29073 does indeed have
a history of hosting outbound hacking activities, then the mind reels
when thinking about how much mischief such bad actors could get into
if given an entire /14 to play with. (And by the way, this is a new
world's record I think, for largest single-route deliberate hijack.
I've seen plenty of /16 go walkabout before, and even a whole /15.
But an entire /14?? That is uniquely brazen.)
In addition to the above, and the points raised within the Bad Packets
blog (see links above) I found, via passive DNS a number of other
causes for concern about AS29073, to wit:
(In addition to the above, I've also found plenty of additional domain names
associated with AS29073 which incorporate the names "Apple" "AirBnB",
"Facebook", and "Groupon", as well as dozens of other legitimate companies
I confess that I have not had the time to look at any of the web sites that
may or may not be associated with any of the above FQDNs, but the domain names
themselves are certainly strongly suggestive of (a) the possible hosting of
child porn and also and separately (b) the possible hosting of phishing sites.
So, given the history of this network (as is well documented on the Bad
Packets blog) and given all of the above, and given what would appear to
be the unauthorized "liberation" of the entire 22.214.171.124/14 block by
AS29073, one cannot help but wonder Why does anybody still even peer
with these jerks?
The always helpful and informative web site bgp.he.net indicates that very
nearly 50% of the connectivity currently enjoyed by AS29073 is being provided
to them by Level3. I would thus like to ask Level3 to reconsider that peering
arrangement in light of the above facts, and especially in light of what
would appear to be the unauthorized routing of the 126.96.36.199/14 block by
Surprisingly, given its history, AS29073 apparently has a total of 99 different
peers, at present, and I would likewise ask all of them to reconsider their
current peering arrangements with this network. I am listing all 99 peers
Before I get to that however, I'd like to also note that there currently
exists, within the RIPE Routing Registry, the following route object:
I confess that I am not 100% sure of the exact semantics of the "mnt-routes"
tag, but it would appear from the above that the UK's M247 network (AS9009)...
which itself is not even peering with AS29073... appears to have, in effect
countersigned the above RIPE route object, vouching for its correctness and
authenticity as they did so. Why they would have done that, especially given
that they themselves are not even peering with AS29073, is, I confess, beyond
me. But I would love to have them explain it, or even try to explain it.
It's enigmatic, to say the least.
Anyway, the "created" date in the above record seems to be consistent with
the actual start of the announcement of 188.8.131.52/14 by AS29073, which
the RIPE Routing History tool says occurred sometime in March of this year.
One additional (and rather bizarre) footnote to this whole story about
the 184.108.40.206/14 block has to do with the entity that allegedly -is-
the current rightful owner of the block (as far as Afrinic is concerned).
That entity is designated by the Afrinic handle ORG-IA41-AFRINIC and
that in turn has an admin-c and tech-c of NAIT1-AFRINIC. The record
for that handle is as follows:
person: Network and Information Technology Administrator
address: Unit 117, Orion Mall, Palm Street
address: Victoria, Mahe
address: Seychelles (SC)
e-mail: info at networkandinformationtechnology.com
changed: info at networkandinformationtechnology.com 20150725
Upon fetching the current WHOIS record for networkandinformationtechnology.com
I found it more than passing strange that all of the contact details
therein are associated *not* with anything in Africa, nor even anything
in the home country of AS29073 (Netherlands) but rather, the address
and phone numbers therein all appear to be ones associated with a
relatively well known Internet attorney in Santa Monica, California
by the name of Bennet Kelly.
As it happens, in the distant past (about 10 years ago) I personally
crossed swords with this particular fellow. He may be a lot of things,
but it never seemed to me that stupid was one of them. And indeed
the domain name networkandinformationtechnology.com and all of its
connections to the 220.127.116.11/14 block appear to date from 2015...
long before AS29073 started routing this block (which only started
in March of this year).
So, my best guess about this whole confusing mess is that the -original-
legitimate owners of the 18.104.22.168/14 block most probably sold it on,
in a legitimate transaction, to some other party in 2015, where that
other party was/is represented by Mr. Bennet Kelly, Esq. And my guess
is that neither he nor the new owners, whom he represents, even know
that their expensive /14 has gone walkabout, as of March of this year.
I will be trying to make contact with Mr. Kelley today to discuss this
with him and will post a follow-up if any new and interesting information
arises from that conversation.
Peers of AS29073:
1 Level 3 Communications, Inc.
2 REBA Communications BV
3 Hurricane Electric, Inc.
4 Core-Backbone GmbH
5 Init7 (Switzerland) Ltd.
6 RETN Limited
7 COLT Technology Services Group Limited
8 State Institute of Information Technologies and Telecommunications (SIIT&T "Informika")
9 GlobeNet Cabos Submarinos Colombia, S.A.S.
10 Digital Telecommunication Services S.r.l.
11 IT.Gate S.p.A.
12 green.ch AG
13 UNIDATA S.p.A.
14 GEANT Limited
15 IP-Max SA
16 Lost Oasis SARL
17 nexellent ag
18 SEACOM Limited
19 Angola Cables
20 ENTANET International Limited
21 Blix Solutions AS
22 POST Luxembourg
23 Zayo France SAS
24 Wind Telecomunicazioni SpA
25 Swisscom (Switzerland) Ltd
26 Pacnet Global Ltd
27 SURFnet bv
28 SEEWEB s.r.l.
29 BIT BV
30 euNetworks Managed Services GmbH
31 CAIW Diensten B.V.
32 netplus.ch SA
33 DOKOM Gesellschaft fuer Telekommunikation mbH
34 ADISTA SAS
35 Viewqwest Pte Ltd
36 Digital Ocean, Inc.
37 Digital Ocean, Inc.
38 Open Peering B.V.
39 Services Industriels de Geneve
40 Cemig Telecomunicações SA
42 Vorboss Limited
43 equada network GmbH
44 Avantel, Close Joint Stock Company
45 Gyron Internet Ltd
46 IPROUTE SRL
47 LLC "TRC FIORD"
48 Hostserver GmbH
49 Telekommunikation Mittleres Ruhrgebiet GmbH
50 Internet Systems Consortium, Inc.
51 Liquid Telecommunications Ltd
52 Paulus M. Hoogsteder trading as Meanie
53 Digiweb ltd
54 Fiberax Networking&Cloud Ltd.
56 CELESTE SAS
57 Kantonsschule Zug
59 SoftLayer Technologies Inc.
60 Network Platforms (PTY) LTD
61 Micron21 Datacentre Pty Ltd
62 Convergenze S.p.A.
63 Fiberby ApS
64 IP ServerOne Solutions Sdn Bhd,
65 Easynet Global Services
66 IP-Only Networks AB
67 Tango S.A.
68 Les Nouveaux Constructeurs SA
69 CustodianDC Limited
70 MCKAYCOM LTD
71 Daisy Communications Ltd
72 MC-IX Matrix Internet Exchange RS-1
73 NetIX Communications Ltd.
74 Anycast Global Backbone
75 LUXNETWORK S.A.
76 oja.at GmbH
77 Elisa Oyj
78 A1 Telekom Austria AG
79 Fusix Networks B.V.
80 ClaraNET LTD
81 "OBIT" Ltd.
82 Console Network Solutions Ltd
83 NetCologne GmbH
84 Tesonet Ltd
85 Linx Telecommunications B.V.
86 Strato AG
87 CJSC RASCOM
88 Sunrise Communications AG
89 KPN B.V.
90 MTN SA
91 Portlane AB
92 TM Net, Internet Service Provider
93 Network Dedicated SAS
94 Next Layer Telekommunikationsdienstleistungs- und Beratungs GmbH
95 Telkom SA Ltd.
96 ShockSRV Internet Services Private Limited
97 JUPITER 25 LIMITED
98 M-net Telekommunikations GmbH
99 Neterra Ltd.