Cogent & FDCServers: Knowingly aiding and abetting fraud and theft?

Carlos Friaças cfriacas at fccn.pt
Fri Sep 6 13:57:23 UTC 2019


Hi,

(Also never been in Australia, unfortunately...)

Netname is "PMANET":
...isn't it OK to assume it could stand for "Port of Melbourne Authority 
Network"?

* pma.vic.gov.au is not operational
(I wonder what can be found with passive DNS)

* vic.gov.au is still operational.


Quick googling also allowed me to find this:

https://www.portofmelbourne.com/about-us/port-history/timeline/

"1996	Melbourne Port Corporation established as successor to Port of
Melbourne Authority."


Regards,
Carlos



On Fri, 6 Sep 2019, Mel Beckman wrote:

> A quick check of one of your facts produces unexpected results, so you might want to perform more research. According to APNIC,
> 139.44.0.0/16 does not "belong unambiguously to the Port Authority of Melbourne". It belongs to an individual, with an office address
> at a building called "Port Authority of Melbourne":
> 
> person:         Rob Shute
> address:        Port of Melbourne Authority
>                 Level 47 South
>                 525 Collins St
> country:        AU
> phone:          +61 3 9628 7613
> e-mail:         djk at pma.vic.gov.au
> nic-hdl:        RS54-AP
> remarks:        ----------
> remarks:        imported from ARIN object:
> remarks:
> remarks:        poc-handle: RS546-ARIN
> remarks:        is-role: N
> remarks:        last-name: Shute
> remarks:        first-name: Rob
> remarks:        street: Port of Melbourne Authority
>                 Level 47 South
>                 525 Collins St
> remarks:        country: AU
> remarks:        mailbox: djk at pma.vic.gov.au
> remarks:        bus-phone: +61 3 9628 7613
> remarks:        reg-date: 1970-01-01
> remarks:        changed: hostmaster at arin.poc 20001127
> remarks:        source: ARIN
> remarks:
> remarks:        ----------
> notify:         djk at pma.vic.gov.au
> mnt-by:         MNT-ERX-PRTMELAUTH-NON-AU
> last-modified:  2008-09-04T07:31:33Z
> source:         APNIC
> 
> The building called the Port Authority of Melbourne is not, by all accounts, a government agency. It's just the name of a 54-story
> office building, like the World Trade Center in NYC. In fact, World Trade Centre (Melbourne) is another name for the building, and
> although it houses the Port of Melbourne Authority agency (on Level 4, not Level 47), it appears to be largely just a toney address
> for business offices. Some, perhaps, not unlike American "Mail Boxes Etc" (although I haven't confirmed this). But the following Wikipedia
> excerpt says this unambiguously:
> 
> The building currently houses some offices of the headquarters of Victoria Police, and the Victoria Police Museum, a collection of
> exhibits and memorabilia from over 150 years of policing in Victoria.[3] It also houses offices for companies, including Thales
> Australia.
> 
> https://en.m.wikipedia.org/wiki/Port_of_Melbourne_Authority
> 
> Now, I'm not an Ossie, and in fact have never been down under, but it seems likely that the address in the registration is akin to a
> US business having a World Trade Center address in NYC. It means nothing as far as APNIC asset ownership is concerned. It's just an
> address.
> 
> I could be wrong. However, it seems a simple fact to verify by calling management at that building. I tried sending email to the
> registered ".gov.au" address:
> 
> djk at pma.vic.gov.au
> 
> But the domain does not exist. 
> 
>  -mel beckman
> 
> On Sep 6, 2019, at 1:30 AM, Ronald F. Guilmette <rfg at tristatelogic.com> wrote:
>
>       Few of you here probably know about this, but nearly a week ago now
>       an article appeared in South Africa's largest and most popular online
>       tech publication, MyBroadband.co.za.  It detailed many, but certainly not
>       all of the results of my multi-month investigation of a massive and
>       ongoing fraud involving the theft of large numbers of large (generally
>       /16 or larger) abandoned legacy blocks, taken from the AFRINIC region
>       and beyond:
> 
> https://mybroadband.co.za/news/internet/318205-the-big-south-african-ip-address-heist-how-millions-are-made-on-the-grey-market.html
> 
>
>       For various editorial reasons, the article that was published actually
>       downplayed the magnitude of the thefts quite dramatically.  The
>       totality of the IPv4 space that has been stolen or squatted, primarily
>       but not exclusively, from South African companies and South African national
>       government agencies and departments is actually at least 5x bigger than what
>       was reported in the MyBroadband.co.za article.
>
>       The overwhelming majority of this stolen and squatted IPv4 space has
>       been helpfully routed by Cogent (AS174), to their customer, FDCServers
>       of Chicago, and then on to the preferred destinations of a certain Mr.
>       Elad Cohen of Israel, and his company Netstyle Atarim, Ltd.  (I have
>       saved traceroutes up the wazoo that prove the involvement of FDCServers,
>       in particular, in all of this.)
>
>       Mr. Cohen has been exceptionally prolific in his IPv4 theft and squatting
>       activities, basically grabbing everything that wasn't nailed down, both
>       within the AFRINIC region and also within the APNIC region.
>
>       In order to try to legitimize all of these thefts and squats, Mr. Cohen
>       created quite a sizable number of fraudulent route: objects within the
>       Merit/RADB data base which, as most here should already know, has
>       essentially zero authentication of any kind before it allows J. Random
>       Luser to add pretty much any route: object he wants to the RADB.
>
>       Here's a full listing of all of Mr. Cohen's RADB route: objects as they
>       existed as recently as August 17th:
>
>          https://pastebin.com/raw/ZNgNuvtt
>
>       And here is the short summary version showing just all of the prefixes/CIDRs
>       that Mr. Cohen was effectively claiming rights and/or title to as of that
>       same date:
>
>          https://pastebin.com/raw/4LTaCg5R
>
>       Please do note the numerous blocks of size /16 or greater.
>
>       The bottom line is that this one tiny little Israeli company was effectively
>       claiming rights to a total of no fewer than 1,015,808 IPv4 addresses as of
>       August 17th, 2019.  (Not too shabby for one lone guy who teaches programming
>       classes as a side job!) Virtually all of the space is "legacy" IPv4 space,
>       and generally consists of blocks having sizes of /16 or larger.
>
>       Some of Mr. Cohen's claims in his RADB entries are as humorous as they
>       are pathetically fraudulent.  For example, Mr. Cohen has effectively
>       claimed rights to 139.44.0.0/16 which unambiguously belongs to the Port
>       Authority of the City of Melbourne, Australia.  But hell!  That's merely
>       city property!  Mr. Cohen's limitless appetite for other people's IPv4
>       space is more vividly on display in his claims to ownership over the
>       168.198.0.0/16 block, which actually belongs to the Department of Finance
>       of the Australian national government.  And I haven't even mentioned yet
>       another of Mr. Cohen's voluminous IPv4 acquisitions, the 165.25.0.0/16 block,
>       which he did not see fit to create an RADB entry for, but which he's
>       been squatting on for quite some time now, quite clearly with the
>       aid and assistance of both Cogent and FDCServers.  That one belongs to
>       the City of Cape Town, South Africa.  That city's engineers have been
>       struggling to regain control of their block back from Cogent, from
>       FDCServers, and from Mr. Cohen for some time now.   I know because I've
>       personally spoken to them about it.  Cogent, in its infinite wisdom, is
>       continuing to fight the city for control over property that clearly and
>       rightfully belongs to the City of Cape Town, even as we speak:
>
>          https://drive.google.com/file/d/1ytRj1CtuVhDa0eGu4BT-oEz593y5EwJa/view
>
>       When asked for LOAs attesting to his legitimate authority to route at
>       least a few of these blocks, Mr. Cohen has produced blatantly forged
>       documents, many of which appeared in the MyBroadband.co.za story.  And
>       when I say "blatant" that's a gross understatement.  Any half-way decent
>       forger would consider these documents an embarrassment.  The documents all
>       bear identical signatures, and identical and vaguely official looking
>       stamps, and purport to actually be sales receipts attesting to the
>       alleged purchases, by Mr. Cohen's offshore Seychelles Islands shell
>       company, Afri Holdings, Ltd., of various /16 blocks from a mysterious
>       company called Afrivestment, Ltd., which may actually exist in some
>       faraway galaxy, or in Mr. Cohen's active imagination, but which both
>       Google and OpenCorporates.com seem to agree exists exactly noplace on
>       this planet.  Here are the manufactured LOAs supplied by Mr. Cohen:
>
>          https://drive.google.com/file/d/1hVjmR6u0ANltuXtZ-Kng8io-EGFyevTR/view
>          https://drive.google.com/file/d/1x_44_H5hkcFLhEwpkwfFoR5PJUyXHzxJ/view
>          https://drive.google.com/file/d/1yQyqn4q_f3bt-wDVoN1FzbXf1k58DXtK/view
>
>       Recently, Cohen started to move some, but not all, of his stolen and squatted
>       IPv4 blocks off of Cogent/FDCServers and onto a friendly little bullet-proof
>       hosting company in the Netherlands named IP Volume, Inc. (AS202425) and/or
>       to its several sister networks, e.g. AS204655 - Novogara Ltd., all of which,
>       coincidently, just happen to be owned by the exact same pair of Dutch
>       gentlemen who previously owned the notorious Ecatel, followed by the notorious
>       Quasi Networks.  (IP Volume, Inc. appears to have inherited all or nearly
>       all of its legitimately assigned IP space from its predecessor entities,
>       Ecatel and Quasi Networks.)
>
>       Despite these relocations, many of Mr. Cohen's stolen and squatted blocks
>       are still helpfully being routed to Mr. Cohen's preferred destinations by
>       his good friends at Cogent and FDCServers, even as we speak.  The current
>       set of such routes that Cogent is maintaining, at the moment, apparently on
>       behalf of their customer, Mr. Cohen, consists of the prefixes listed here:
>
>          https://pastebin.com/raw/EA3xJVLF
>
>       When I noticed two days ago that all of these routes were still up I was
>       deeply confused.  Did both Cogent and FDCServers not get the memo??  Do
>       they not know yet that Cohen is stealing stuff, left, right, and sideways?
>       Did nobody even tell them about the MyBroadband.co.za article which was
>       published this past Sunday?  I decided that it was incumbent upon me to
>       find out.
>
>       Thus, more than 48 hours ago now I sent the following polite but firm
>       inquiry to Cogent, and a separate nearly identical one directly to the
>       CEO of FDCServers, Mr. Petr Kral (petr(at)fdcservers.net).
>
>          https://pastebin.com/raw/ztipqE96
>
>       A full forty eight hours later, I have received no reply whatsoever from
>       either Cogent or FDCServers, not even a "Go pound sand" type of response.
>
>       More importantly, most of the stolen IPv4 space that I called out, very
>       specifically, to both Cogent and FDCServers two+ days ago now is still
>       being routed by Cogent/FDCServers to their fun-loving and, I'm sure,
>       promptly paying customer, Mr. Cohen.  If neither Cogent nor FDCServers
>       still do not know now that Mr. Cohen is a crook, and that he has glommed
>       onto quite a lot of stolen and squatted IPv4 space... which they have
>       been helpfully routing for him, no doubt in exchange for some handsome
>       payments... then I am forced to say that it appears to be a reasonable
>       conclusion that it must be because neither Cogent nor FDCServers really
>       wants to know what sort of a character Cohen is, or what he has been up
>       to, specifically with their ongoing and material assistance.
>
>       But you all be the judges.  What does it look like to you?
> 
>
>       Regards,
>       rfg
> 
> 
>

