AS3266: BitCanal hijack factory, courtesy of Cogent, GTT, and Level3

Ronald F. Guilmette rfg at tristatelogic.com
Tue Jun 26 04:49:15 UTC 2018


Sometimes I see stuff that just makes me shake my head in disbelief.
Here is a good example:

    https://bgp.he.net/AS3266#_prefixes

I mean seriously, WTF?

As should be blatantly self-evident to pretty much everyone who has ever
looked at any of the Internet's innumerable prior incidents of very
deliberately engineered IP space hijackings, all of the routes currently
being announced by AS3266 (Bitcanal, Portugal) except for the ones in
213/8 are bloody obvious hijacks.  (And to their credit, even Spamhaus
has a couple of the U.S. legacy /16 blocks explicitly listed as such.)

That's 39 deliberately hijacked routes, at least going by the data
visible on bgp.he.net.  But even that data from bgp.he.net dramatically
understates the case, I'm sorry to say.  According to the more complete
and up-to-the-minute data that I just now fetched from RIPEstat, the real
number of hijacked routes is more on the order of 130 separate hijacked
routes for a total of 224,512 IPv4 addresses:

    https://pastebin.com/raw/Jw1my9Bb

In simpler terms, Bitcanal has made off with the rough equivalent of an
entire /14 block of IPv4 addresses that never belonged to them.  (And of
course, they haven't paid a dime to anyone for any of that space.)

Of course we could all be shocked (Shocked!) at this turn of events if
it were not for the fact that Bitcanal already has a rich, longstanding,
and sordid history of involvement with IP space hijacks.  All one has to
do is google for "Bitcanal" and "hijack" to find that out.  This isn't
exactly a state secret.  In fact if you look up "IP space hijacking" in
any modern Internet dictionary you'll find Mr. Joao Silveira's picture
next to the definition: https://twitter.com/bitcanal :-)

This guy Silveira has obviously decided that he is a law unto himself,
and can grab whatever IP space happens to be lying around for his own
purposes... and no need to fill out any tedious forms -or- pay any fees
for using any of this space to any of those annoying Regional Internet
Registries.

As usual, and as I have said here previously, I generally don't mind too
much when these kinds of greedy idiots decide to color outside the lines.
As long as they just confine themselves to hijacking abandoned IP blocks
belonging to banks and/or government agencies, well then it's no skin off
my nose.  But when they start reselling their stolen IP space to spammers,
as Mr. Silveira is apparently in the habit of doing, then I get ticked off.
And actually, Mr. Silveira must be *exceptionally* greedy in that he is
apparently not satisfied to just sub-lease his own legitimate IP space to
snowshoe spammers, as he is clearly doing:

    https://pastebin.com/raw/5P5rnQ2y

Obviously, merely hosting snowshoe spammers in his own IP space isn't enough
to keep Mr. Silveira in the style to which he has become accustomed, so he
has to go out and rip off other people's IP space and then resell that to
spammers also.

The fact that there exists a jerk like this on the Internet isn't really
all that surprising.  What I personally -do- find rather surprising is that
three companies that each ought to know better, namely Cogent, GTT, and
Level3 are collectively supplying more than 3/4ths of this guy's IPv4
connectivity, at least according to the graph displayed here:

    https://bgp.he.net/AS197426

Without the generous support of Cogent, GTT, and Level3 this dumbass
lowlife IP address space thief would be largely if not entirely toast.
So what are they waiting for?  Why don't they turf this jackass?  Are
they waiting for an engraved invitation or what?

As I always ask, rhetorically, in cases like this:  Where are the grownups?

I would like everyone reading this who is a customer of Cogent, GTT, or
Level3 to try to contact these companies and ask them why they are providing
connectivity/peering to a hijacking jerk like this Silveira character.
Ask them why -you- have to endure more spam in your inbox just so that
-they- can make another one tenth of one percent profit by peering with
this hijacking, spammer-loving miscreant.  I would ask them myself, but
I personally am not a direct customer of any of them, so they would all,
most probably, just tell me to go pound sand.

If you do manage to make contact, please be sure to mention all three of
Mr. Silveira's ASNs, i.e. AS42229, AS197426, and AS3266.  And don't let
whoever you talk to try to weasel out of responsibility for this travesty,
e.g. by claiming that they don't know anything about what's been going on
with all those hijacks announced by AS3266, and/or that they only provide
peering for AS197426.  The hijacks may all be originating from Mr. Silveira's
AS3266, but bgp.he.net makes clear that AS3266 has one, and only one peer,
i.e. Mr. Silveira's AS197426:

    https://bgp.he.net/AS3266

So basically, Cogent, GTT, and Level3 are the prime enablers of this
massive theft of IP space.  (They might try to claim that BitCanal's
historical propensity to engage in hijacks is something "brand new"
or at least that -they- may not have been aware of it until now, in which
case you should ask them if they have anybody on staff who is paying
attention.  As noted above, it isn't as if Bitcanal just started pulling
this crap yesterday.  Far from it.)

Oh!  And you might also mention the fact that Spamhaus, and, I would guess,
at least a few of the other public blacklists already have most or all of
Mr. Silveira's IP space... hijacked or otherwise... blacklisted, presumably
for good and ample cause.

As long as Cogent, GTT, and Level3 are willing to go along with this
nonsense, i.e. by selling peering to this Silveira thief, crime on
the Internet -does- pay, and the theft of other people's IP space
will continue to be rewarded rather than punished, as it should be.

If that becomes the new normal for Internet behavior, then god help us
all.


Regards,
rfg


