Hijacks: AS12506, AS327814, AS44582, AS62135

Ronald F. Guilmette rfg at tristatelogic.com
Thu Aug 31 20:29:35 UTC 2017


The following set of interrelated networks appear to be engaged in
hijacking various IPv4 address blocks at the present time:

AS12506   Inspiring Networks, B.V. (Netherlands)
AS44582   Inspiring Networks, B.V. (Netherlands)
AS62135   Inspiring Networks, B.V. (Netherlands)
AS327814  Echoband, Ltd. (Ghana)

The specific routes that are unambiguously being hijacked by each of
these networks are as follows:

AS12506:
152.108.0.0/16
155.159.0.0/16
196.15.64.0/18

AS327814:
163.198.0.0/18
164.88.0.0/16
168.80.0.0/17
168.80.128.0/17

AS44582:
175.53.0.0/17
175.53.128.0/17
175.54.0.0/17
175.54.128.0/17

AS62135:
160.116.32.0/20
160.116.128.0/20
160.116.240.0/20
160.122.144.0/20

Screenshots of the bgp.he.net prefixes reports for the above networks are
archived here:

    http://i.imgur.com/5HuDRYX.png   (AS12506)
    http://i.imgur.com/YishDCK.png   (AS44582)
    http://i.imgur.com/lgiAKWz.png   (AS62135)
    http://i.imgur.com/IM9Wf5h.png   (AS327814)

(Note that the set of routes announced by the four networks in question
has changed slightly since the last bgp.he.net update -- 30 Aug 2017 14:48
PST.  The route for 163.198.0.0/18 has been dropped and the routes for
160.116.128.0/20 and 160.122.144.0/20 have been added.)

As seen in previous hijackings, and as is consistent with the general nature
of such hijackings, no individual IP addresses within any of the above listed
routes have any functioning reverse DNS delegation.

Note that AS44582 (Inspiring Networks) and AS62135 (Inspiring Networks)
really only have a single upstream connection to the Internet, at least
as far as public BGP is concerned, and that is AS12506 (Inspiring Networks).

Meanwhile, AS12506 (Inspiring Networks) has only a single BGP upstream,
which is AS49544 i3D.net B.V (Netherlands).  Therefore, the majority of
this hijacking activity is only made possible via the generous help and
assistance of AS49544, i3D.net B.V.

Inspiring Networks is apparently run by one Maikel Jozef Gerardus Uerlings,
<maikel at uerlings.nl>:

    https://labs.ripe.net/Members/maikel_uerlings
    https://nl.linkedin.com/in/maikel-uerlings-072aaa65
    https://twitter.com/maikeluerlings
    (recently disappeared) https://www.facebook.com/maikel.uerlings
    http://uerlings.nl/

On February 24, 2013, over four years ago, Mr. Uerlings apparently promised
his Facebook friends and fans that his new corporate web site would be
"launched soon".  As of today however, Mr. Uerlings' corporate web site
for Inspiring Networks still contains only generic/boilerplate "Lorem ipsum"
type filler text:

    https://inspiringnetworks.com/

It would thus appear that Mr. Uerlings has other ways of attracting customers,
other than his minimalist placeholder corporate web site.

In any case, Mr. Uerlings has apparently gotten some bad press on a couple
of occasions, for example the following blog post by some anonymous spammer
who felt that Mr. Uerlings didn't actually deliver on his promises of
"fresh IPs for mailing":

    http://maikel-uerlings-inspiring-networks.blogspot.com/

Mr. Uerlings' name also came up in the context of a 2013 attempt by Microsoft
to take down a certain botnet:

    Microsoft v. Botnet
    United States Court for the Western District of Texas
    Case: A-13-CV-1014SS
    http://botnetlegalnotice.com/zeroaccess/files/Summons_Does_1-8.pdf
    (... Care of: Maikel Uerlings, cust597 at serverius.com ...)

Other folks also have, or had, a rather unfavorable opinion of Mr. Uerlings,
it would seem:

    https://www.mywot.com/en/scorecard/uerlings.nl
    https://www.scamwarners.com/forum/viewtopic.php?p=123180
    https://unapprovedpharmacy.com/category/counterfeit-drugs-alert/page/12/

As usual, I wouldn't even mind about any of this hijacking activity if it
were not for the fact that at least some portion of the hijacked IPv4
space appears to have been populated with snowshoe spammer domains:

     https://pastebin.com/raw/As9nVCMV

I cannot help but wonder if there is something in the water supply in the
Netherlands that may be causing so much hijacking activity to originate
from that country.  I do understand that the Netherlands has what I gather is
the best connectivity in all of Europe, but even that does not fully explain,
I think, the Netherlands' disproportionate share of these sorts of events
and incidents, in this case involving Inspiring Networks, B.V. and clearly
supported by AS49544, i3D.net B.V, also of the Netherlands.


Regards,
rfg


P.s.  Don't be fooled by hijackings of IP blocks that were historically
allocated by AFRINIC to various corporate entities in the Seychelles Islands.
Many of those corporate entities have long since died, and their associated
IPv4 blocks have thus been abandoned.  Unfortunately, due to the unique
and very strict corporate secrecy laws in the Seychelles, it is not
possible for any outsider to find out even if these entities still exist
or not, let alone who their corporate officers are or might have been.
Thus, literally anybody can come along, after the fact (even lawyers)
and claim to be representing the rightful owners of these blocks.  And
there is apparently no way either to verify or to disprove any such claims.

Thus, hijacking the IP blocks of any defunct Seychelles Islands company is
very nearly "The Perfect Crime".

The only catch is that AFRINIC has, in its archives, the names of the
actual corporate officers who originally requested (and were granted)
the IP block allocations originally.  And thus, they at least cannot be
so easily fooled by any usurpers who are merely pretending to be the
rightful owners of these blocks.  So it is actually pretty easy to tell
which IPv4 blocks registered to Seychelles Islands companies have been
hijacked.  If they are hijacked by persons who are not actually acting
on behalf of the true rightful owners of these blocks, then the thieves
in question will not have been able to snooker AFRINIC into delegating
reverse DNS authority for the blocks to them.

So this is the simple acid test.  If a given IP address block is allocated,
from AFRINIC, to some corporate entity in the Seychelles Islands, and if
that block has no working reverse DNS, then there's probably a very good
reason for that, i.e. it's hijacked.  And the hijacking has taken place
without any knowledge of this event whatsoever on the part of AFRINIC.
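The acid test described in the post (an RIR-allocated block with no working reverse DNS delegation) is straightforward to script for the routes listed above. The following is an added example, not code from the post or from any party named in it. It enumerates the octet-aligned in-addr.arpa zones at which a RIR would delegate each block and applies the test through a pluggable lookup function; the offline demo feeds it a constructed delegation table, and `live_has_ns` assumes dnspython is installed.

```python
import ipaddress
from typing import Callable, Dict, List

# Constructed input: the routes the post lists, keyed by announcing ASN.
SUSPECT_ROUTES: Dict[str, List[str]] = {
    "AS12506": ["152.108.0.0/16", "155.159.0.0/16", "196.15.64.0/18"],
    "AS327814": ["163.198.0.0/18", "164.88.0.0/16", "168.80.0.0/17", "168.80.128.0/17"],
    "AS44582": ["175.53.0.0/17", "175.53.128.0/17", "175.54.0.0/17", "175.54.128.0/17"],
    "AS62135": ["160.116.32.0/20", "160.116.128.0/20", "160.116.240.0/20", "160.122.144.0/20"],
}


def reverse_zones(prefix: str) -> List[str]:
    """Octet-aligned in-addr.arpa zones covering `prefix`.

    RIRs delegate reverse DNS on octet boundaries: a /16 is one zone, and a
    /17 .. /24 block is a set of /24 zones.  Classless delegations (/25 and
    longer, RFC 2317) are out of scope for this check.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4:
        raise ValueError("IPv4 only")
    if net.prefixlen <= 8:
        boundary = 8
    elif net.prefixlen <= 16:
        boundary = 16
    elif net.prefixlen <= 24:
        boundary = 24
    else:
        raise ValueError("classless delegation (RFC 2317) not handled")
    subnets = [net] if net.prefixlen == boundary else net.subnets(new_prefix=boundary)
    zones = []
    for sub in subnets:
        octets = str(sub.network_address).split(".")[: boundary // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones


def verdict(prefix: str, has_ns: Callable[[str], bool]) -> str:
    """Apply the acid test to one block.

    `has_ns(zone)` reports whether the reverse zone carries an NS delegation.
    "no reverse DNS" means none of the covering zones is delegated; "partial"
    means only some are and deserves a closer look rather than an automatic verdict.
    """
    zones = reverse_zones(prefix)
    missing = [z for z in zones if not has_ns(z)]
    if not missing:
        return "delegated"
    if len(missing) == len(zones):
        return "no reverse DNS"
    return "partial"


def audit(routes: Dict[str, List[str]], has_ns: Callable[[str], bool]) -> Dict[str, Dict[str, str]]:
    """Verdict for every listed prefix, grouped by announcing ASN."""
    return {asn: {p: verdict(p, has_ns) for p in prefixes} for asn, prefixes in routes.items()}


def live_has_ns(zone: str) -> bool:
    """Real lookup using dnspython (assumed installed; not used by the offline demo).

    Only NXDOMAIN and an empty answer count as "not delegated".  Timeouts and
    SERVFAIL propagate to the caller, because an unreachable or lame server
    is inconclusive rather than evidence of hijacking.
    """
    import dns.resolver  # imported lazily so the offline demo does not need it

    try:
        dns.resolver.resolve(zone, "NS")
        return True
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return False


# Constructed delegation state for the offline demo (not real DNS data):
# a single /24 under 160.116.32.0/20 is pretended to be delegated.
DEMO_DELEGATED = {"32.116.160.in-addr.arpa"}


def demo_has_ns(zone: str) -> bool:
    return zone in DEMO_DELEGATED


if __name__ == "__main__":
    for asn, results in audit(SUSPECT_ROUTES, demo_has_ns).items():
        for prefix, result in results.items():
            print(f"{asn:9} {prefix:18} {result}")
```

One caveat when running this against live DNS: a parent /16 zone that serves PTR records directly, without delegating its /24 children, answers the /24 NS query with an empty answer, so a "no reverse DNS" verdict is best confirmed by sampling a few PTR lookups inside the block before treating it as evidence.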
