The Curious Case of 143.95.0.0/16

Ronald F. Guilmette rfg at tristatelogic.com
Wed Aug 28 06:27:08 UTC 2019


Fair Warning:  Those of you not enamored of my long-winded exposés of
various remarkable oddities of the IPv4 address space may wish to click
on the tiny little wastebasket icons on your mail clients at this
point.  For the rest of you, please read on.  I think you may find the
following story intriguing.  It contains at least a few surprising
twists.

+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_


Our story today consists of three acts.


Act 1 - It is Born
------------------

In mid-February of 1990 a new venture-capital backed company was formed in
Sunnyvale, California.  In some ways it was no different than the hundreds
or thousands of hopeful high-tech startups that had been formed in Silicon
Valley, both before and since.  It started with a hopeful dream that, in
the end, just didn't work out.

The founders of this company settled initially on a temporary placeholder
company name, XYZ Corporation:

    https://drive.google.com/file/d/1CkDNKq4M1DQKuTxBBhlYxUNAjU2cvDnY/view

The mission of the company was to design and manufacture so-called X-Windows
terminals.  These would be diskless workstations, complete with CPUs, color
(CRT) displays, graphics, memory, and an ethernet interface.  The basic
idea was that such a diskless workstation could run the free X-Windows
client software, and that the system would be cheaper than ordinary PeeCees
due to it not having any hard drives or optical drives.

By some odd twist of fate, I myself was working in the same geographic area
as a software engineer at around the same time, but I worked for a different
Silicon Valley startup, just down the road from XYZ Corporation.  And by a
rather remarkable coincidence, the company I worked for had exactly the
same goal and mission as the XYZ Corporation.  The name of this other
X-Windows workstation startup was Network Computing Devices, or just "NCD"
for short.

Quite obviously, both companies were inherently "network-centric" and thus,
both requested and were granted blocks of IPv4 addresses.  That wasn't at
all within my area of responsibility at NCD, so I don't know who actually
issued those blocks.  My guess, based on published historical accounts,
was that it was most probably Dr. Jon Postel who assigned the blocks.  I'm
sure that someone will correct me if I'm wrong.

Months passed, and eventually the founders of XYZ Corporation settled on
something they would use as a permanent replacement for their temporary
placeholder corporate name.  They decided to call the thing Athenix, Inc.
Once they had settled on that name, they filed papers to update their
records with the California Secretary of State's office:

    https://drive.google.com/file/d/1dUjsvSkzzdzUsIbIZCS7RF0afsI3uU0l/view

At some point, they also and likewise updated the ARIN WHOIS record for the
/16 block which had been assigned to them, on or about 1990-09-06, as was
appropriate to reflect their new permanent corporate identity:

    https://pastebin.com/raw/YbH6zYrR

More time passed and eventually it became clear that the entire world was
not in fact breathlessly waiting for -two- companies to bring to market
diskless X-Windows workstations.  In fact, as history now shows, market
demand would not support even one such company over the long term.

Thus it came to pass in the year 1993 that an all-too-familiar end-of-life
ritual played out once again in Silicon Valley.  At Athenix, Inc. HQ in
Sunnyvale, the people were all let go, including the founders.  The desks,
the chairs, the phones, the computers, and the tools were all sold at
auction, with the proceeds going to the preferred shareholders, i.e. the
poor fools who had put up all of the money for this now-failed venture in
the first place, the venture capitalists.  Foremost among those in this
instance, was the venerable Menlo Park venture capital firm Kleiner Perkins.

I've confirmed this historical account of the rise and fall of the original
1990-vintage Athenix, Inc. in multiple phone and email exchanges with both
the original CEO of the original Athenix, Mr. Robert ("Bob") Garrow, lately
of Los Altos, California, and also the original CTO of the company, Mr. John
Garman, lately of Reno, Nevada.


Act 2 - Rebirth - The Athenix Phoenix
-------------------------------------

Fast forward fifteen years.  On April 22, 2008 a pair of gentlemen in
the Commonwealth of Massachusetts elected to establish a new corporate
entity within the commonwealth.  Its name would be Athenix, Inc.[1]

    https://drive.google.com/file/d/1jYUqtgYprI4iyJkTT91-yRBYJt0c2ufF/view
    https://drive.google.com/file/d/1mlVML8z7vzp7aeGmOK-3cWBBJeNBuThn/view

As you can see in the documents above, a certain Mr. Ofer Inbar and a certain
Mr. Robert Anita, both of the greater Boston area, formed this new corporate
entity in Massachusetts.  At its formation, the younger Mr. Inbar was the
President, while the more senior Mr. Antia served as the corporate secretary
and treasurer.

Various other records, which I shall not include here, suggest that both Mr.
Inbar and Mr. Anita were at some point in the distant past affiliated, in
at least some tangential way, with the well-regarded white-hat Boston area
hacking collective known as L0pht, aka L0pht Heavy Industries.  I cannot
say much about this apparent connection, other than to say that the details
I have ferreted out about this connection are sketchy at best.

I do however have it on reasonably good authority that Mr. Inbar has of late
relocated to the greater Seattle metropolitan area, and that he is or was
working as a network administrator for Google, Inc. in that area.  Mr. Antia,
in contrast, is still, when I last checked, a resident of the greater Boston
area, and is a well regarded "graybeard" in the computing community in and
around Boston, having been in the business, one way or another, for decades.
Mr. Anita currently serves as President of the Boston area chapter of the
public/private critical infrastructure cybersecurity defense partnership
known as InfraGard.

    https://infragard-boston.org/

The evidence currently available to me suggests that not long after the
creation of Mr. Inbar's and Mr. Antia's Massachusetts Athenix, Inc., ARIN
elected to delegate responsibility for the reverse DNS for the 143.95.0.0/16
IPv4 block to a pair of name servers called dns1.athenixinc.com and
dns2.athenixinc.com.  That delegation was already in place by 2010-06-24,
which is about the time that Farsight Security Inc., my data source, first
began passively collecting its historical archives of DNS response records.

Historical records made available to me by Domaintools, LLC indicate that
the athenixinc.com domain name was, at least initially, registered to Mr.
Anita in Lincoln, Massachusetts.

    https://pastebin.com/raw/GNhbFDFz

Subsequent historical WHOIS data collected by Domaintools in relation to
the athenixinc.com domain name shows that after Mr. Anita, the domain name
registration passed into the hands of at least one other individual, and
eventually, to an entirely different corporate entity.  We will come to
that shortly.

Almost a year ago now, when I was first investigating the 143.95.0.0/16
block, I attempted to interview Mr. Inbar by phone regarding his and Mr.
Anita's Athenix, Inc. and the unusual history of the 143.95.0.0/16 block.
It did not go well.  Mr. Inbar was apparently reluctant to engage with
me by phone on these or any other topics.  He and I did have a few brief
and truncated email exchanges after that however, but apparently my
questions regarding how Mr. Inbar and Mr. Anita came to exercise effective
day-to-day control over the 143.95.0.0/16 ARIN legacy block were not ones
that Mr. Inbar felt in any way obliged to answer, and at some point he
simply ceased answering my emails.

In contrast, Mr. Antia was a veritable fount of information and he and I
had multiple phone conversations as well as multiple email exchanges.  From
these exchanges I quickly deduced that Mr. Antia saw absolutely nothing
wrong with, much less anything at all to be shy about with respect to the
history of the 143.95.0.0/16 block -or- his formation, along with Mr. Inbar,
of a new Athenix, Inc. in Massachusetts back in 2008.  Quite the contrary!
Mr. Anita was kind enough to forward me a copy of the following really
rather remarkable lease agreement, in which Mr. Inbar and Mr. Anita together
undertook to lease the 143.95.0.0/16 IPv4 block to a certain Nevada-
incorporated and Colorado-resident limited liability company known as
Media Breakaway, LLC:

    https://drive.google.com/file/d/1ASXrUsiNAIq1IIZO5Lw1BqjD1qucqFmI/view

As you can see, the term of the lease is 20 years, beginning from the 28th
day of May, 2008.  The compensation to be paid to Mr. Inbar's and Mr. Anita's
Massachusetts Athenix, Inc. in return for this 20 year leasehold was to be
$100,000 USD.  As Mr. Anita related to me, this sum was in fact paid, and Mr.
Inbar and Mr. Anita split it evenly.  (But of course, I have no way to
independently verify that.)

For those unaware, I pause here just long enough to note that the CEO
of Media Breakaway, LLC is none other than Mr. Scott Richter, one-time
"Spam King" and a man who both Wikipedia and the KrebsOnSecurity blog
have asserted is a convicted felon.  And of course, this is the very same
Scott Richter who figured so prominently in Brian Krebs' report about
pilfered legacy ARIN /16 blocks, published on the Washington Post, way back
in April, 2008.

Of course, in my phone conversations with Mr. Anita, I acquainted him with
these relevant historical allegations.  He confessed at the time that he
had not personally done much at all in the way of due diligence with respect
to either Mr. Richter or his company -- a lapse which I personally found
(and find) quite unfortunate, to say the least, and not least because of
Mr. Anita's position as the President of the Boston Chapter of InfraGard,
the public/private partnership whose mission is the protection of the
nation's critical infrastructure assets from cyber-threats.  I would have
hoped that a person in such a position would have been in the general
habit of exercising at least some due diligence with respect to the people
he does business with and, in this specific instance, preferably at some
moment *before* Mr. Anita cashed his $50,000 check.


Act 3 - Final Dispensation
--------------------------

Now we come to the final remarkable chapter in the already remarkable
history of the 143.95.0.0/16 legacy IPv4 ARIN address block.

Some months after the formation of the Massachusetts "Athenix, Inc.", on
September 2nd, 2008 a new corporate entity calling itself "Athenix
Corporation" was incorporated in the State of California.  Curiously, this
third Athenix gave both its actual address and its mailing address as 10
Corporate Drive, Burlington, MA 01813.

    https://drive.google.com/file/d/1GHhwuPGPKdx5n46cYQ2UhTGiMSdxonFu/view
    https://drive.google.com/file/d/1ZLtcY2HWoi5vmNFAJleHep8DxIS3igVR/view

As it happens, that street address is also the headquarters address of the
publicly-traded Endurance International Group, Inc. (EIGI).

There is substantial evidence indicating that EIGI is effectively in complete
functional control of the 143.95.0.0/16 address block at the present moment.

The company's primary ASN, AS29873 and also, an AS number belonging to one
of the company's many acquired subsidiaries, A Small Orange LLC, AS62729
are each routing significant portions of the 143.95.0.0/16 block at the
present time.

    https://bgp.he.net/AS29873#_prefixes
    https://bgp.he.net/AS62729#_prefixes

Additionally, on or about 2017-05-22, EIGI became the registrant of the
athenixinc.com domain, whose associated name servers (dns1 dns2) had
provided reverse DNS service for the entire 143.95.0.0/16 block during
2011 and 2012.  Delegation of the reverse DNS responsibility for the
entire 143.95.0.0/16 block changed on or about 2013-11-28 so that the
new name servers were ones associated with the domain name asonoc.com,
at least according to the relevant historical data provided to me by
Farsight Security, Inc.

    https://pastebin.com/raw/MVmzhirc

Historically, and as recently as 2018-04-20, the domain name asonoc.com
was and has been registered to the EIGI subsidiary A Small Orange LLC.

    https://pastebin.com/raw/Xy8UHZNw

Responsibility for the reverse DNS for the entire 143.95.0.0/16 block
remains delegated to the rdns1.asonoc.com and rdns2.asonoc.com name
servers at the present moment.

EIGI is primarily a web hosting company.  It has, over time, exhibited a
tendency to acquire other and smaller web hosting companies which it has
then absorbed into and under its corporate umbrella.  Unlike most other
corporate acquirers however, EIGI is somewhat unique in its notable tendency
to not rebrand its acquisitions so that they would be additive to its main
corporate brand, generally electing instead to maintain the pre-acquisition
brand names for its newly acquired web hosting businesses.  One such EIGI-
acquired property that has retained its pre-acquisition brand name is the
aforementioned Texas-based web hosting company called A Small Orange LLC,
aka AS62729.

(Those who may be interested in more background regarding EIGI and past
controversies, specifically relating to the company's accounting
practices as well as the online activities of its clientele, are encouraged
to consult the footnotes below.[2])

The available evidence suggests the clear possibility that EIGI and its
subsidiary, A Small Orange LLC, may be controlling and using the 143.95.0.0/16
block in a manner inconsistent with ordinary business rules of fair dealing
and/or in a manner inconsistent with current ARIN policy, and further, that
the company and/or its various C-suite officers may have arrived at this
current situation not by happenstance but rather by some very carefully
considered premeditation.

I mention specifically EIGI's C-suite officers, because the available
evidence suggests that EIGI's apparent takeover of the 143.95.0.0/16
block was not purely or only the product of some unsanctioned rogue
activity on the part of lower-level company functionaries.  Multiple
publicly available records obtained from the web site of the California
Secretary of State implicate multiple current and former EIGI C-suite
officers as having been, at the very least, directly aware of the formation
of the third "Athenix", even if perhaps not directly or personally
responsible for that rather suspicious company formation.

    https://drive.google.com/file/d/12gm41jG9iFIC9KvIJmfWNjUqCmRtTfxN/view
    https://drive.google.com/file/d/1zdhru_hpYVIJfVKi-s5X1MW0znrErJzQ/view
    https://drive.google.com/file/d/1dVHDSPKD4Qvur9rzCK9YZDEtOkFA2raS/view

Please note that Mr. Hari Ravichandran is the now-former CEO of EIGI.  Mr.
David Bryson was and remains EIGI's Chief Legal Officer.  Mr. Marc
Montagner was and remains EIGI's Chief Financial Officer.  Mr. Jeffrey Fox
is EIGI's current CEO, having succeeded Mr. Ravichandran in that post.

    https://www.endurance.com/our-company/our-team

    https://exechange.com/7850/endurance-ceo-hari-ravichandran-leaves-2/7850
    https://www.linkedin.com/in/hari-ravichandran-9b949b8
    https://jumpv.com/meet-the-team/

    https://www.linkedin.com/in/davidbryson
    https://www1.salary.com/David-C-Bryson-Salary-Bonus-Stock-Options-for-ENDURANCE-INTL-GRP-HLDGS-INC.html

    https://www.linkedin.com/in/marc-montagner-b112a1b1
    https://wallmine.com/people/6106/marc-montagner

    https://www.linkedin.com/in/jeff-fox-820a0413
    https://wallmine.com/people/2962/jeffrey-h-fox

Given that EIGI's rights in and/or legal title to the 143.95.0.0/16 block
appear to be, at best, on somewhat shaky ground, and given that the new
2008-vintage Athenix Corporation does not obviously possess any other
obvious or apparent assets to speak of, it appears, to this writer at
least, more than a little incongruous to see that EIGI apparently listed
Athenix Corporation as a collateral asset on what, to a layman such as
myself, appears to be a bank collateral statement which was filed, apparently
in 2013, with the United States Securities and Exchange Commission.

    https://www.sec.gov/Archives/edgar/data/1237746/000119312514077774/d635170dex1025.htm

All I can say about that is that I personally was turned down for a bank
loan, some years ago, when I attempted to use the monthly -liability- of
my recurring water bills as collateral for the loan.  But then I have
never been anywhere near as accomplished at high finance as any of the
gentlemen mentioned above surely are.


Responses
---------

More than 24 hours prior to posting this message, I reached out to the press
contact email address listed on EIGI's web site, press (at) endurance.com,
for comment about the facts elaborated above.  No response was received from
the company by press time.

Prior to posting, I also reached out to John Curran @ ARIN for his response
to the facts set forth above.  John was kind enough to provide the following
official on-the-record ARIN response:

    ARIN does not comment on specific registry changes (as number resource
    change requests are made in confidence), but we do take matters of
    potential number resource fraud quite seriously. I would recommend that
    you report potential incidents of registry fraud (if you have not done
    so already) via our Internet Number Resource Fraud Reporting process at
    https://www.arin.net/resources/fraud/, and we will promptly investigate.
     – John Curran, CEO, ARIN

+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_

FULL DISCLOSURE:  I hold no positions, either short or long in EIGI or in
any related company.

+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_

Acknowledgements
----------------

My thanks to Farsight Security, Inc. and to Domaintools, LLC for their
kind support of this research.


Footnotes:
=======================================================================
[1]  Rather remarkably, the Massachusetts Athenix, Inc. was incorporated
a mere six days before my friend, journalist Brian Krebs, put up a story
on the Washington Post web site, detailing how a pair of legacy ARIN IPv4
/16 blocks had somewhat inexplicably ended up in the hands of one of the
world's most notorious spammers, Scott Richter.  That story, as some of you
will already know, alleged that a rather simple and yet elaborate fraud had
been perpetrated against ARIN, a fraud which amounted to nothing less than
corporate identity theft, with the one and only apparent goal being the
effective take-over of two quite valuable legacy ARIN IPv4 /16 blocks, a
goal which was, it appeared, successfully achieved with only a relatively
minor investment of effort and expense.

[2] In recent years, all has not gone well for EIGI.  In the year 2015, a
somewhat mysterious New York City short seller using the pen name Gotham
City Research published a sequence of four reports detailing his beliefs
that all was not as it should be at EIGI, both with respect to the company's
financial statements and with respect to its clientele and their (allegedly)
questionable online activities.

    2015-04-28 - Endurance International Group - A Web of Deceit
    https://bit.ly/2KZXPLA

    2015-04-29 - Initial Follow-up To: A Web of Deceit
    https://bit.ly/2L5Vv4o

    2015-05-05 - EIGI’s Adjusted EBITDA is a Meaningless Metric 
    https://bit.ly/342x4xE

    2015-08-03 - Endurance International Group: Malicious Activities
    https://bit.ly/30Gk4vr

The value of EIGI stock dropped rather precipitously following the publication
of the Gotham City Research reports and has yet to recover to its earlier
highs.

    https://drive.google.com/file/d/1BaGzFglnrbAca9DsRIqt2eD0m_jnrCMw/view

The SEC's investigation of EIGI, and the SEC's subsequent enforcement actions
against the company and its officers in 2018 also didn't help matters much
with respect to EIGI and its stock price:

    https://www.sec.gov/enforce/33-10504-s
    https://www.bizjournals.com/boston/news/2018/08/22/former-endurance-group-execs-pay-1-4m-to-settle.html
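
Added example (not part of the original post, and not the author's tooling): one way to turn passive-DNS NS observations for a legacy block's reverse zone into a delegation timeline and list the hand-offs between name-server domains, as Act 2 and Act 3 do by hand for 143.95.0.0/16. The rows in SAMPLE are constructed for illustration and are not Farsight data; the function names are hypothetical.

```python
import ipaddress
from datetime import date

def reverse_zone(cidr):
    """in-addr.arpa zone for an octet-aligned IPv4 prefix (/8, /16 or /24)."""
    net = ipaddress.ip_network(cidr)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("prefix does not map to a single reverse zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def ns_domain(host):
    """Last two labels of a name-server host (naive: no public-suffix list)."""
    return ".".join(host.rstrip(".").lower().split(".")[-2:])

def delegation_timeline(observations, zone):
    """Group NS observations for `zone` by name-server domain, oldest first."""
    periods = {}
    for rrname, ns_host, first_seen, last_seen in observations:
        if rrname.rstrip(".").lower() != zone:
            continue  # observation belongs to some other zone
        dom = ns_domain(ns_host)
        p = periods.setdefault(dom, {"domain": dom, "hosts": set(),
                                     "first": first_seen, "last": last_seen})
        p["hosts"].add(ns_host.rstrip(".").lower())
        p["first"] = min(p["first"], first_seen)
        p["last"] = max(p["last"], last_seen)
    return sorted(periods.values(), key=lambda p: p["first"])

def handoffs(timeline):
    """(date, old_domain, new_domain, gap_days) for each change of NS domain.
    A negative gap means both delegations were observed at the same time."""
    return [(new["first"], old["domain"], new["domain"],
             (new["first"] - old["last"]).days)
            for old, new in zip(timeline, timeline[1:])]

# Constructed sample rows: (rrname, NS host, first seen, last seen).
SAMPLE = [
    ("95.143.in-addr.arpa.", "dns1.athenixinc.com.", date(2010, 6, 24), date(2013, 11, 27)),
    ("95.143.in-addr.arpa.", "dns2.athenixinc.com.", date(2010, 6, 24), date(2013, 11, 27)),
    ("95.143.in-addr.arpa.", "rdns1.asonoc.com.", date(2013, 11, 28), date(2019, 8, 27)),
    ("95.143.in-addr.arpa.", "rdns2.asonoc.com.", date(2013, 11, 28), date(2019, 8, 27)),
    ("2.0.192.in-addr.arpa.", "ns1.example.net.", date(2012, 1, 1), date(2012, 6, 1)),
]

if __name__ == "__main__":
    zone = reverse_zone("143.95.0.0/16")
    for when, old, new, gap in handoffs(delegation_timeline(SAMPLE, zone)):
        print(f"{zone}: {old} -> {new} on {when} (gap {gap} days)")
```

Each hand-off date is a point at which to pull the historical WHOIS for both name-server domains and compare the registrants with the registered holder of the block.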



