Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

Ronald F. Guilmette rfg at tristatelogic.com
Sat Aug 10 00:26:25 UTC 2019


In message <MWHPR09MB1504F1CDEEB104E38F66501AA4D60 at MWHPR09MB1504.namprd09.prod.outlook.com>,
Brandon Price <PriceB at SherwoodOregon.gov> wrote:

><snip>
>
>     1) On or about 02-17-2010 HHSI, Inc. (California) transferred the
>        registration of the 216.179.128.0/17 block from itself to the
>        2009 vintage Delaware entity Azuki, LLC.  If this is what happened,
>        then it is likely that the transfer was performed in violation
>        of the applicable ARIN transfer policy that was in force at the time.
>        (Azuki, LLC did not simply buy-out HHSI, Inc., lock, stock, and
>        barrel in 2010.  California records show that HHSI, Inc. continued
>        to be an active California corporation until at least 02/12/2014,
>        and probably well beyond that date.)
>
>
>The ARIN policy in effect at the time of the transfer would absolutely allow
>this as an 8.2 mergers and acquisitions sale. There is no policy requirement
>for a "lock, stock, and barrel" buy-out as you say.
>
>From the 2010.1 version published 13 JAN 2010, ref:
>https://www.arin.net/vault/policy/archive/nrpm_20100113.pdf
>
>
>"ARIN will consider requests for the transfer of number resources
>in the case of mergers and acquisitions upon receipt of
>evidence that the new entity has acquired the assets which
>had, as of the date of the acquisition or proposed
>reorganization, justified the current entity's use of the number
>resource. Examples of assets that justify use of the number
>resource include, but are not limited to:
>* Existing customer base
>* Qualified hardware inventory"
>
>So they bought the customers and routers that were using that /17. What's
>the big deal?

Firstly, there is no clear evidence that I am aware of that there are any
"customers" per se in this case.  Spamhaus has, in effect, judged the
entire 216.179.128.0/17 block as being just one big spamming operation,
and I personally have no reason at this instant to take issue with that
judgement.  (Please note also that a generally reliable source informs
me that Spamhaus has had this SBL listing for the entire 216.179.128.0/17
block active and in place since circa 2010-03-02, i.e. a full 9 years now.)

So anyway, in this case we are really only talking about equipment and not
"customers" per se.  If I am wrong about that, please post the evidence.

Second and more to the point, I think that you and I have dramatically
different understandings of the plain meanings of the terms "merger" and
"acquisition".

The evidence indicates that HHSI, Inc. neither merged with nor was acquired
by Azuki, LLC.  Rather, HHSI continued to have, and to actively maintain
its own separate legal existence through at least 2014... several years
*after* the moment in time, on or about 02-17-2010, when the -apparent-
ownership of the 216.179.128.0/17 block (going by the WHOIS records)
somehow magically passed from HHSI, Inc. to Azuki, LLC.

It is not my understanding of mergers and/or acquisitions that the merged
(or acquired) entity continues to have and maintain a separate legal
existence from the other merged (or acquiring) entity following the
merger or acquisition.  You, it seems, may have a different conception.

Theoretically, HHSI, Inc may have been acquired by Azuki, LLC and may have
then become a wholly owned subsidiary of Azuki, LLC.  This would explain
its continued, simultaneous, and parallel legal existence in the years
2010 through 2014, along with Azuki, LLC.  But even if this rather remote
possibility applied, it would still not serve to explain the apparent
2010 transfer of the 216.179.128.0/17 block from the wholly owned subsidiary
to the parent entity.  Why would such a transfer be either necessary or
even desirable?  And how would such a transfer comport with the ARIN
transfer regulations in place at the time?  Those regulations, as you
have quoted them, DO NOT obviously sanction transfers from subsidiaries
to parent entities in cases where both survive as separate legal entities.
And it is not even in the least bit clear that there even was any such
parent/subsidiary relationship between these two corporate entities at
the time of the transfer.

But in answer to your larger question, "What's the big deal?", the answer
is that -all- WHOIS records for -all- IP address blocks administered by
-all- RIRs are fundamentally unvetted and thus untrustworthy.  This one
case is a clear and blatant example of that fundamental problem with the
way all RIRs are behaving.

As far as I am aware, no RIR makes any effort whatsoever to vet changes
to WHOIS records, either for IP blocks or ASNs or ORG records.  (And this
fact was abundantly evident in the Micfo fraud case, where the man behind
that fiddled the majority of the street address and other contact information
appearing in the public-facing WHOIS records for the blocks assigned to his
various phony baloney shell companies in a now-obvious attempt to mislead
both the public and also anti-abuse investigators.)

Someday soon, because of policies in place at all of the RIRs, you're
going to get some spam, or a hack attempt from a specific IP address,
and when you go to look up the registrant of the containing IP address
block you're going to find out that it is registered to Bozo the Clown,
whose mailing address is 1600 Pennsylvania Ave., Washington D.C. and
whose contact office phone number is 1-734-930-3030.  (Google it.)
Worse, that utterly bogus information may appear in the WHOIS record
for the ASN that is currently announcing more specifics for parts of
YOUR address space.

If you don't see any of this as an actual problem, then please just forget
I mentioned it.


Regards,
rfg


