Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

Ronald F. Guilmette rfg at tristatelogic.com
Thu Aug 15 03:16:24 UTC 2019


In message <4fcb73bf-224f-e011-f310-522193c86667 at efes.iucc.ac.il>, 
Hank Nussbacher <hank at efes.iucc.ac.il> wrote:

>Just as an observer to your long resource theft postings:
>- Do you attempt to contact directly the organization or person who have 
>had their resource taken over?

To the extent that I can spare the time, and to the extent that I am able
to do so, (which is often limited by time zone differences) yes, I do.

>- Do they care or are they apathetic?

Before answering let me clarify first the two different classes of problems
that I've most often been looking at.

Everybody including myself has in the past used the term "hijack" but
I'm going to try to stop doing that, in future, and instead use the more
precise terms "squatting" and "theft", where "theft" involves a case
where the relevant WHOIS records have been materially "fiddled" by the
usurper.

In both cases, the usurpers generally aim, first and foremost, for the
low hanging fruit, which is to say legacy blocks that were abandoned
years and years ago, sometimes even decades ago, back when IP addresses
had zero monetizable value.

When contacted, victims in these cases are typically at first utterly
perplexed, and when I explain to them that I am trying to give them
back stuff that they already own, and which in some cases is worth
considerable money on the open market, they *do* look a gift horse
in the mouth, and they assume, quite reasonably I think, given the
current way of the world, that *I* am trying to run some kind of
elaborate scam on them.  It takes a lot of talking on my part to
convince them that no, I'm actually just a good samaritan, and that no,
I am -not- going to be asking them to first send any sort of "release
fee" via Western Union or Bitcoin or WebMoney before they can have their
own blocks back.

Even after they have been convinced that this ain't a scam and that they
do own the stuff I say they own, most are often entirely lackadaisical
about getting off their butts and then working with the relevant RIRs
to get their own stuff back.  Even when I try to get them fired up
by telling them that "cybercriminals" have stolen their blocks, and
the fact that evil that is being done under their names may negatively
affect THEIR public reputations, it's still like watching paint dry,
for me anyway.  Clearly, nobody but me has any sense of urgency about
these things at all.

>- If the resource owner is no where to be found, why should we as a 
>community care?

I'm so glad you asked.

Before answering I should first note that it is actually quite rare when
a sufficient amount of research on my part fails to turn up a relevant
"successor or assign" which would, by rights, be the modern day entity
with a legitimate claim on the asset.  So the "nowhere to be found" case
is by far the exception, rather than the rule.

Regardless, in -either- the case where no heir can be found -or- in the
case where the rightful heir is either just too dumb or just too lazy
to take the minimal steps necessary to reclaim the property (and/or before
this has occurred) the community should care because the kind of people who
either steal or squat on IPv4 blocks are, almost without exception, not the
kind of people who anybody sane wants to be accepting packets from, let
alone peering with.  There is, in my opinion and experience, a high
degree of correlation between skulduggery with respect to -obtaining-
(illicitly) IPv4 address blocks and using those addresses in a manner
which is not at all conducive to the general welfare of the Internet or
its users.

>Report it on some webpage and call it "Internet 
>Resources stolen", document every incident as you do via email, send a 
>copy to the appropriate RIR and upstream ISP allowing the hijack in 
>question to show that you did the appropriate effort and we can then 
>move on.

I can and will stop posting here, and go off and blog about this stuff
instead, if the consensus is that I'm utterly off-topic or utterly
uninteresting and useless.  But a few folks have told me they find
this stuff interesting, and it has operational significance, I think.
So for now, at least, I'd like to continue to share here.

As regards to reporting to RIRs or upstreams, what makes you think that
either of those would care one whit?  The RIRs are not the Internet
Police, or so I am told.  They don't configure routers.  Upstreams are,
in my experience utterly intransigent and unresponsive, especially in
the absence of public exposure of the self-evident problem(s).... like
the time I tried to get Telecom Italia to get off their asses and do
something... anything... about their criminal mass squatting customer.
It wasn't until much later on, after WhiteOps and Google had exposed
the massive click fraud operation that was behind all that that Telecom
Italia saw fit to lift even a single finger to actually DO anything at
all.  And the last time I looked, Telecom Italia was *still* peering
with the exact same crooked ASN, even though most or all of the people
who were identified, by LE, as being behind it are nowadays facing
numerous federal criminal charges here in the U.S.

Please remember also that there are two separate classes of problems
involved here, i.e. mere "squatting" and separately, "theft", where
some clever crook has managed to get in and actually fiddle with one
or more RIR-maintained WHOIS records.  I very explicitly -do not- want
to just report this latter class of incidents exclusively and only to
the RIRs themselves.  Some of these cases raise quite serious questions
about the operation of and oversight of various RIRs, and I feel very
strongly that those questions deserve to be kicked around in public,
and not just between myself and the relevant RIRs, some of whom, at
least, may have more than a little incentive to just sweep these things
entirely under the carpet.

I apologize for being vague and non-specific.  For now, I need to be.
Later I will be providing further clarity to all I have said above.


Regards,
rfg
