AS3266: BitCanal hijack factory, courtesy of many connectivity providers

Adam Davenport adam at davenpro.com
Wed Jun 27 19:12:07 UTC 2018


GTT takes all AUP violations extremely seriously.  Any offending parties mentioned in this thread 
have been dealt with accordingly, and GTT now considers the matter resolved from its side.

On 6/25/2018 9:49 PM, Ronald F. Guilmette wrote:
> Sometimes I see stuff that just makes me shake my head in disbelief.
> Here is a good example:
>
>      https://bgp.he.net/AS3266#_prefixes
>
> I mean seriously, WTF?
>
> As should be blatantly self-evident to pretty much everyone who has ever
> looked at any of the Internet's innumerable prior incidents of very
> deliberately engineered IP space hijackings, all of the routes currently
> being announced by AS3266 (Bitcanal, Portugal) except for the ones in
> 213/8 are bloody obvious hijacks.  (And to their credit, even Spamhaus
> has a couple of the U.S. legacy /16 blocks explicitly listed as such.)
>
> That's 39 deliberately hijacked routes, at least going by the data
> visible on bgp.he.net.  But even that data from bgp.he.net dramatically
> understates the case, I'm sorry to say.  According to the more complete
> and up-to-the-minute data that I just now fetched from RIPEstat, the real
> number of hijacked routes is more on the order of 130 separate hijacked
> routes for a total of 224,512 IPv4 addresses:
>
>      https://pastebin.com/raw/Jw1my9Bb
>
> In simpler terms, Bitcanal has made off with the rough equivalent of an
> entire /14 block of IPv4 addresses that never belonged to them.  (And of
> course, they haven't paid a dime to anyone for any of that space.)
>
> Of course we could all be shocked (Shocked!) at this turn of events if
> it were not for the fact that Bitcanal already has a rich, longstanding,
> and sordid history of involvement with IP space hijacks.  All one has to
> do is google for "Bitcanal" and "hijack" to find that out.  This isn't
> exactly a state secret.  In fact if you look up "IP space hijacking" in
> any modern Internet dictionary you'll find Mr. Joao Silveira's picture
> next to the definition: https://twitter.com/bitcanal :-)
>
> This guy Silveira has obviously decided that he is a law unto himself,
> and can grab whatever IP space happens to be lying around for his own
> purposes... and no need to fill out any tedious forms -or- pay any fees
> for using any of this space to any of those annoying Regional Internet
> Registries.
>
> As usual, and as I have said here previously, I generally don't mind too
> much when these kinds of greedy idiots decide to color outside the lines.
> As long as they just confine themselves to hijacking abandoned IP blocks
> belonging to banks and/or government agencies, well then it's no skin off
> my nose.  But when they start reselling their stolen IP space to spammers,
> as Mr.  Silveira is apparently in the habit of doing, then I get ticked off.
> And actually, Mr. Silveira must be *exceptionally* greedy in that he is
> apparently not satisfied to just sub-lease his own legitimate IP space to
> snowshoe spammers, as he is clearly doing:
>
>      https://pastebin.com/raw/5P5rnQ2y
>
> Obviously, merely hosting snowshoe spammers in his own IP space isn't enough
> to keep Mr. Silveira in the style to which he has become accustomed, so he
> has to go out and rip off other people's IP space and then resell that to
> spammers also.
>
> The fact that there exists a jerk like this on the Internet isn't really
> all that surprising.  What I personally -do- find rather surprising is that
> three companies that each ought to know better, namely Cogent, GTT, and
> Level3 are collectively supplying more than 3/4ths of this guy's IPv4
> connectivity, at least according to the graph displayed here:
>
>      https://bgp.he.net/AS197426
>
> Without the generous support of Cogent, GTT, and Level3 this dumbass
> lowlife IP address space thief would be largely if not entirely toast.
> So what are they waiting for?  Why don't they turf this jackass?  Are
> they waiting for an engraved invitation or what?
>
> As I always ask, rhetorically, in cases like this:  Where are the grownups?
>
> I would like everyone reading this who is a customer of Cogent, GTT, or
> Level3 to try to contact these companies and ask them why they are providing
> connectivity/peering to a hijacking jerk like this Silveira character.
> Ask them why -you- have to endure more spam in your inbox just so that
> -they- can make another one tenth of one percent profit by peering with
> this hijacking, spammer-loving miscreant.  I would ask them myself, but
> I personally am not a direct customer of any of them, so they would all,
> most probably, just tell me to go pound sand.
>
> If you do manage to make contact, please be sure to mention all three of
> Mr. Silveira's ASNs, i.e. AS42229, AS197426, and AS3266.  And don't let
> whoever you talk to try to weasel out of responsibility for this travesty,
> e.g. by claiming that they don't know anything about what's been going on
> with all those hijacks announced by AS3266, and/or that they only provide
> peering for AS197426.  The hijacks may all be originating from Mr. Silveira's
> AS3266, but bgp.he.net makes clear that AS3266 has one, and only one peer,
> i.e. Mr. Silveira's AS197426:
>
>      https://bgp.he.net/AS3266
>
> So basically, Cogent, GTT, and Level3 are the prime enablers of this
> massive theft of IP space.  (They might try to claim that BitCanal's
> historical propensity to engage in hijacks is something "brand new"
> or at least that -they- may not have been aware of it until now, in which
> case you should ask them if they have anybody on staff who is paying
> attention.  As noted above, it isn't as if Bitcanal just started pulling
> this crap yesterday.  Far from it.)
>
> Oh!  And you might also mention the fact that Spamhaus, and, I would guess,
> at least a few of the other public blacklists already have most or all of
> Mr.  Silveira's IP space... hijacked or otherwise... blacklisted, presumably
> for good and ample cause.
>
> As long as Cogent, GTT, and Level3 are willing to go along with this
> nonsense, i.e. by selling peering to this Silveira thief, crime on
> the Internet -does- pay, and the theft of other people's IP space
> will continue to be rewarded rather than punished, as it should be.
>
> If that becomes the new normal for Internet behavior, then god help us
> all.
>
>
> Regards,
> rfg
>


