Cogent & FDCServers: Knowingly aiding and abetting fraud and theft?

Ben Cannon ben at 6by7.net
Fri Sep 6 14:02:42 UTC 2019


Important realization: Things don’t always work there like they work here (wherever “here” is for you).

-Ben

> On Sep 6, 2019, at 6:57 AM, Carlos Friaças via NANOG <nanog at nanog.org> wrote:
> 
> 
> Hi,
> 
> (Also never been in Australia, unfortunately...)
> 
> Netname is "PMANET":
> ...isn't it OK to assume it could stand for "Port of Melbourne Authority Network"?
> 
> * pma.vic.gov.au is not operational
> (i wonder what can be found with passive dns)
> 
> * vic.gov.au is still operational.
> 
> 
> Quick googling also allowed me to find this:
> 
> https://www.portofmelbourne.com/about-us/port-history/timeline/
> 
> "1996    Melbourne Port Corporation established as successor to Port of
> Melbourne Authority."
> 
> 
> Regards,
> Carlos
> 
> 
> 
>> On Fri, 6 Sep 2019, Mel Beckman wrote:
>> 
>> A quick check of one of your facts produces unexpected results, so you might want to perform more research. According to APNIC,
>> 139.44.0.0/16  does not "belong unambiguously to the Port Authority of Melbourne". It belongs to an individual, with an office address
>> at a building called "Port Authority of Melbourne":
>>
>> person:         Rob Shute
>> address:        Port of Melbourne Authority
>>                 Level 47 South
>>                 525 Collins St
>> country:        AU
>> phone:          +61 3 9628 7613
>> e-mail:         djk at pma.vic.gov.au
>> nic-hdl:        RS54-AP
>> remarks:        ----------
>> remarks:        imported from ARIN object:
>> remarks:
>> remarks:        poc-handle: RS546-ARIN
>> remarks:        is-role: N
>> remarks:        last-name: Shute
>> remarks:        first-name: Rob
>> remarks:        street: Port of Melbourne Authority
>>                 Level 47 South
>>                 525 Collins St
>> remarks:        country: AU
>> remarks:        mailbox: djk at pma.vic.gov.au
>> remarks:        bus-phone: +61 3 9628 7613
>> remarks:        reg-date: 1970-01-01
>> remarks:        changed: hostmaster at arin.poc 20001127
>> remarks:        source: ARIN
>> remarks:
>> remarks:        ----------
>> notify:         djk at pma.vic.gov.au
>> mnt-by:         MNT-ERX-PRTMELAUTH-NON-AU
>> last-modified:  2008-09-04T07:31:33Z
>> source:         APNIC
>>
>> The building called the Port Authority of Melbourne is not, by all accounts, a government agency. It's just the name of a 54-story
>> office building, like the World Trade Center in NYC. In fact, World Trade Centre (Melbourne) is another name for the building, and
>> although it houses the Port of Melbourne Authority agency (on Level 4, not Level 47), it appears to be largely just a toney address
>> for business offices. Some, perhaps, not unlike American "Mail Boxes Etc" (although I haven't confirmed this). But the following Wikipedia
>> excerpt says this unambiguously:
>>
>> The building currently houses some offices of the headquarters of Victoria Police, and the Victoria Police Museum, a collection of
>> exhibits and memorabilia from over 150 years of policing in Victoria.[3] It also houses offices for companies, including Thales
>> Australia.
>>
>> https://en.m.wikipedia.org/wiki/Port_of_Melbourne_Authority
>>
>> Now, I'm not an Aussie, and in fact have never been down under, but it seems likely that the address in the registration is akin to a
>> US business having a World Trade Center address in NYC. It means nothing as far as APNIC asset ownership is concerned. It's just an
>> address.
>>
>> I could be wrong. However, it seems a simple fact to verify by calling management at that building. I tried sending email to the
>> registered ".gov.au" address:
>>
>> djk at pma.vic.gov.au
>>
>> But the domain does not exist.
>>
>>  -mel beckman
>>
>> On Sep 6, 2019, at 1:30 AM, Ronald F. Guilmette <rfg at tristatelogic.com> wrote:
>> 
>>      Few of you here probably know about this, but nearly a week ago now
>>      an article appeared in South Africa's largest and most popular online
>>      tech publication, MyBroadband.co.za.  It detailed many, but certainly not
>>      all of the results of my multi-month investigation of a massive and
>>      ongoing fraud involving the theft of large numbers of large (generally
>>      /16 or larger) abandoned legacy blocks, taken from the AFRINIC region
>>      and beyond:
>> https://mybroadband.co.za/news/internet/318205-the-big-south-african-ip-address-heist-how-millions-are-made-on-the-grey-market.html
>> 
>>      For various editorial reasons, the article that was published actually
>>      downplayed the magnitude of the thefts quite dramatically.  The
>>      totality of the IPv4 space that has been stolen or squatted, primarily
>>      but not exclusively, from South African companies and South African national
>>      government agencies and departments is actually at least 5x bigger than what
>>      was reported in the MyBroadband.co.za article.
>> 
>>      The overwhelming majority of this stolen and squatted IPv4 space has
>>      been helpfully routed by Cogent (AS174), to their customer, FDCServers
>>      of Chicago, and then on to the preferred destinations of a certain Mr.
>>      Elad Cohen of Israel, and his company Netstyle Atarim, Ltd.  (I have
>>      saved traceroutes up the wazoo that prove the involvement of FDCServers,
>>      in particular, in all of this.)
>> 
>>      Mr. Cohen has been exceptionally prolific in his IPv4 theft and squatting
>>      activities, basically grabbing everything that wasn't nailed down, both
>>      within the AFRINIC region and also within the APNIC region.
>> 
>>      In order to try to legitimize all of these thefts and squats, Mr. Cohen
>>      created quite a sizable number of fraudulent route: objects within the
>>      Merit/RADB data base which, as most here should already know, has
>>      essentially zero authentication of any kind before it allows J. Random
>>      Luser to add pretty much any route: object he wants to the RADB.
>> 
>>      Here's a full listing of all of Mr. Cohen's RADB route: objects as they
>>      existed as recently as August 17th:
>> 
>>         https://pastebin.com/raw/ZNgNuvtt
>> 
>>      And here is the short summary version showing just all of the prefixes/CIDRs
>>      that Mr. Cohen was effectively claiming rights and/or title to as of that
>>      same date:
>> 
>>         https://pastebin.com/raw/4LTaCg5R
>> 
>>      Please do note the numerous blocks of size /16 or greater.
>> 
>>      The bottom line is that this one tiny little Israeli company was effectively
>>      claiming rights to a total of no fewer than 1,015,808 IPv4 addresses as of
>>      August 17th, 2019.  (Not too shabby for one lone guy who teaches programming
>>      classes as a side job!) Virtually all of the space is "legacy" IPv4 space,
>>      and generally consists of blocks having sizes of /16 or larger.
>> 
>>      Some of Mr. Cohen's claims in his RADB entries are as humorous as they
>>      are pathetically fraudulent.  For example, Mr. Cohen has effectively
>>      claimed rights to 139.44.0.0/16 which unambiguously belongs to the Port
>>      Authority of the City of Melbourne, Australia.  But hell!  That's merely
>>      city property!  Mr. Cohen's limitless appetite for other people's IPv4
>>      space is more vividly on display in his claims to ownership over the
>>      168.198.0.0/16 block, which actually belongs to the Department of Finance
>>      of the Australian national government.  And I haven't even mentioned yet
>>      another of Mr. Cohen's voluminous IPv4 acquisitions, the 165.25.0.0/16 block,
>>      which he did not see fit to create an RADB entry for, but which he's
>>      been squatting on for quite some time now, quite clearly with the
>>      aid and assistance of both Cogent and FDCServers.  That one belongs to
>>      the City of Cape Town, South Africa.  That city's engineers have been
>>      struggling to regain control of their block back from Cogent, from
>>      FDCServers, and from Mr. Cohen for some time now.   I know because I've
>>      personally spoken to them about it.  Cogent, in its infinite wisdom, is
>>      continuing to fight the city for control over property that clearly and
>>      rightfully belongs to the City of Cape Town, even as we speak:
>> 
>>         https://drive.google.com/file/d/1ytRj1CtuVhDa0eGu4BT-oEz593y5EwJa/view
>> 
>>      When asked for LOAs attesting to his legitimate authority to route at
>>      least a few of these blocks, Mr. Cohen has produced blatantly forged
>>      documents, many of which appeared in the MyBroadband.co.za story.  And
>>      when I say "blatant" that's a gross understatement.  Any half-way decent
>>      forger would consider these documents an embarrassment.  The documents all
>>      bear identical signatures, and identical and vaguely official looking
>>      stamps, and purport to actually be sales receipts attesting to the
>>      alleged purchases, by Mr. Cohen's offshore Seychelles Islands shell
>>      company, Afri Holdings, Ltd., of various /16 blocks from a mysterious
>>      company called Afrivestment, Ltd., which may actually exist in some
>>      faraway galaxy, or in Mr. Cohen's active imagination, but which both
>>      Google and OpenCorporates.com seem to agree exists exactly noplace on
>>      this planet.  Here are the manufactured LOAs supplied by Mr. Cohen:
>> 
>>         https://drive.google.com/file/d/1hVjmR6u0ANltuXtZ-Kng8io-EGFyevTR/view
>>         https://drive.google.com/file/d/1x_44_H5hkcFLhEwpkwfFoR5PJUyXHzxJ/view
>>         https://drive.google.com/file/d/1yQyqn4q_f3bt-wDVoN1FzbXf1k58DXtK/view
>> 
>>      Recently, Cohen started to move some, but not all, of his stolen and squatted
>>      IPv4 blocks off of Cogent/FDCServers and onto a friendly little bullet-proof
>>      hosting company in the Netherlands named IP Volume, Inc. (AS202425) and/or
>>      to its several sister networks, e.g. AS204655 - Novogara Ltd., all of which,
>>      coincidently, just happen to be owned by the exact same pair of Dutch
>>      gentlemen who previously owned the notorious Ecatel, followed by the notorious
>>      Quasi Networks.  (IP Volume, Inc. appears to have inherited all or nearly
>>      all of its legitimately assigned IP space from its predecessor entities,
>>      Ecatel and Quasi Networks.)
>> 
>>      Despite these relocations, many of Mr. Cohen's stolen and squatted blocks
>>      are still helpfully being routed to Mr. Cohen's preferred destinations by
>>      his good friends at Cogent and FDCServers, even as we speak.  The current
>>      set of such routes that Cogent is maintaining, at the moment, apparently on
>>      behalf of their customer, Mr. Cohen, consists of the prefixes listed here:
>> 
>>         https://pastebin.com/raw/EA3xJVLF
>> 
>>      When I noticed two days ago that all of these routes were still up I was
>>      deeply confused.  Did both Cogent and FDCServers not get the memo??  Do
>>      they not know yet that Cohen is stealing stuff, left, right, and sideways?
>>      Did nobody even tell them about the MyBroadband.co.za article which was
>>      published this past Sunday?  I decided that it was incumbent upon me to
>>      find out.
>> 
>>      Thus, more than 48 hours ago now I sent the following polite but firm
>>      inquiry to Cogent, and a separate nearly identical one directly to the
>>      CEO of FDCServers, Mr. Petr Kral (petr(at)fdcservers.net).
>> 
>>         https://pastebin.com/raw/ztipqE96
>> 
>>      A full forty eight hours later, I have received no reply whatsoever from
>>      either Cogent or FDCServers, not even a "Go pound sand" type of response.
>> 
>>      More importantly, most of the stolen IPv4 space that I called out, very
>>      specifically, to both Cogent and FDCservers two+ days ago now is still
>>      being routed by Cogent/FDCservers to their fun-loving and, I'm sure,
>>      promptly paying customer, Mr. Cohen.  If neither Cogent nor FDCServers
>>      still do not know now that Mr. Cohen is a crook, and that he has glommed
>>      onto quite a lot of stolen and squatted IPv4 space... which they have
>>      been helpfully routing for him, no doubt in exchange for some handsome
>>      payments... then I am forced to say that it appears to be a reasonable
>>      conclusion that it must be because neither Cogent nor FDCServers really
>>      wants to know what sort of a character Cohen is, or what he has been up
>>      to, specifically with their ongoing and material assistance.
>> 
>>      But you all be the judges.  What does it look like to you?
>> 
>>      Regards,
>>      rfg
>> 
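
The thread turns on IRR route: objects that anyone can create and on how much address space one maintainer ends up claiming. The following is an added example, not part of any message in this thread: it parses RPSL route: objects, totals the distinct addresses each maintainer claims, and flags routes whose maintainer is not the registered holder of the covering block. The sample objects, maintainer names, ASNs and the registry mapping are all constructed, and the mapping from a registered block to an expected maintainer is an assumption about what authoritative data you hold.

```python
import ipaddress

# Constructed RPSL route: objects (not real RADB data). Prefixes come from
# private/benchmarking space; maintainer names and ASNs are hypothetical.
SAMPLE_IRR = """\
route:   10.1.0.0/16
origin:  AS64500
mnt-by:  MAINT-EXAMPLE-A

route:   10.2.0.0/16
origin:  AS64500
mnt-by:  MAINT-EXAMPLE-A

route:   10.2.128.0/17
origin:  AS64500
mnt-by:  MAINT-EXAMPLE-A

route:   198.18.0.0/16
origin:  AS64501
mnt-by:  MAINT-EXAMPLE-B
"""
# Assumed authoritative view (constructed): registered block -> maintainer
# expected to publish routes for it.
REGISTRY = {"10.1.0.0/16": "MAINT-EXAMPLE-A", "10.2.0.0/16": "MNT-LEGACY-HOLDER",
            "198.18.0.0/15": "MAINT-EXAMPLE-B"}

def parse_rpsl(text):
    """Split blank-line-separated RPSL objects into attribute dicts."""
    return [{k.strip(): v.strip() for k, _, v in
             (line.partition(":") for line in block.splitlines())}
            for block in text.strip().split("\n\n")]

def claimed_addresses(objects):
    """Per maintainer, count addresses after collapsing overlapping prefixes."""
    nets = {}
    for o in objects:
        nets.setdefault(o["mnt-by"], []).append(ipaddress.ip_network(o["route"]))
    return {m: sum(n.num_addresses for n in ipaddress.collapse_addresses(ns))
            for m, ns in nets.items()}

def unbacked_routes(objects, registry):
    """Routes whose maintainer is not the registered holder of a covering block."""
    reg = [(ipaddress.ip_network(p), m) for p, m in registry.items()]
    flagged = []
    for o in objects:
        net = ipaddress.ip_network(o["route"])
        if o["mnt-by"] not in {m for block, m in reg if net.subnet_of(block)}:
            flagged.append((o["route"], o["mnt-by"]))
    return flagged
```

Collapsing before counting keeps a /17 registered inside an already claimed /16 from being counted twice.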


