Cogent & FDCServers: Knowingly aiding and abetting fraud and theft?

Christopher Morrow morrowc.lists at gmail.com
Fri Sep 6 15:38:41 UTC 2019


On Fri, Sep 6, 2019 at 8:13 AM Neo Soon Keat <neo at soonkeat.sg> wrote:

> Sorry, re-sending to include the list.
>
> Looking at the history of the prefix, it does look like it did belong to
> the now-defunct Port of Melbourne Authority, with the matching e-mail
> address. That particular organization, however, no longer exists, having
> been absorbed into the Port of Melbourne Corporation, which is a proper
> statutory organization in Australia.
>
> A quick MX lookup does show that pma.vic.gov.au does not have any
> functioning mail servers on it however, and likely hasn’t had any for some
> time (given it was absorbed in 2003).
>
>
it's hard for a domain that doesn't exist to have any records, really...
just sayin.


> On Sep 6, 2019, at 21:26, Mel Beckman <mel at beckman.org> wrote:
>
> 
> A quick check of one of your facts produces unexpected results, so you
> might want to perform more research. According to APNIC, 139.44.0.0/16
> does not “belong unambiguously to the Port Authority of Melbourne”. It
> belongs to an individual, with an *office address* at a building *called*
> “Port Authority of Melbourne”:
>
> person: Rob Shute
>
> address: Port of Melbourne Authority
> Level 47 South
> 525 Collins St
>
> country: AU
> phone: +61 3 9628 7613
> e-mail: djk at pma.vic.gov.au
> nic-hdl: RS54-AP
> remarks: ----------
> remarks: imported from ARIN object:
> remarks:
> remarks: poc-handle: RS546-ARIN
> remarks: is-role: N
> remarks: last-name: Shute
> remarks: first-name: Rob
> remarks: street: Port of Melbourne Authority
> Level 47 South
> 525 Collins St
> remarks: country: AU
> remarks: mailbox: djk at pma.vic.gov.au
> remarks: bus-phone: +61 3 9628 7613
> remarks: reg-date: 1970-01-01
> remarks: changed: hostmaster at arin.poc 20001127
> remarks: source: ARIN
> remarks:
> remarks: ----------
> notify: djk at pma.vic.gov.au
> mnt-by: MNT-ERX-PRTMELAUTH-NON-AU
> <https://wq.apnic.net/static/search.html?query=MNT-ERX-PRTMELAUTH-NON-AU>
> last-modified: 2008-09-04T07:31:33Z
> source: APNIC
>
> The *building* called the Port Authority of Melbourne is not, by all
> accounts, a government agency. It’s just the name of a 54-story office
> building, like the World Trade Center in NYC. In fact, *World Trade
> Centre (Melbourne)* is another name for the building, and although it
> houses the Port of Melbourne Authority agency (on Level 4, not Level 47),
> it appears to be largely just a toney address for business offices. Some,
> perhaps, not unlike American “Mail Boxes Etc” (although I haven’t confirmed
> this). But the following Wikipedia excerpt says this unambiguously:
>
> *The building currently houses some offices of the headquarters of
> Victoria Police, and the Victoria Police Museum, a collection of exhibits
> and memorabilia from over 150 years of policing in Victoria.[3] It also
> houses offices for companies, including Thales Australia.*
>
> https://en.m.wikipedia.org/wiki/Port_of_Melbourne_Authority
>
> Now, I’m not an Aussie, and in fact have never been down under, but it
> seems likely that the *address* in the registration is akin to a US
> business having a World Trade Center address in NYC. It means nothing as
> far as APNIC asset ownership is concerned. It’s just an address.
>
> I could be wrong. However, it seems a simple fact to verify by calling
> management at that building. I tried sending email to the registered
> “.gov.au” address:
>
> djk at pma.vic.gov.au
>
> But the domain does not exist.
>
>  -mel beckman
>
> On Sep 6, 2019, at 1:30 AM, Ronald F. Guilmette <rfg at tristatelogic.com>
> wrote:
>
> Few of you here probably know about this, but nearly a week ago now
> an article appeared in South Africa's largest and most popular online
> tech publication, MyBroadband.co.za.  It detailed many, but certainly not
> all of the results of my multi-month investigation of a massive and
> ongoing fraud involving the theft of large numbers of large (generally
> /16 or larger) abandoned legacy blocks, taken from the AFRINIC region
> and beyond:
>
>
> https://mybroadband.co.za/news/internet/318205-the-big-south-african-ip-address-heist-how-millions-are-made-on-the-grey-market.html
>
> For various editorial reasons, the article that was published actually
> downplayed the magnitude of the thefts quite dramatically.  The
> totality of the IPv4 space that has been stolen or squatted, primarily
> but not exclusively, from South African companies and South African
> national government agencies and departments is actually at least 5x
> bigger than what was reported in the MyBroadband.co.za article.
>
> The overwhelming majority of this stolen and squatted IPv4 space has
> been helpfully routed by Cogent (AS174), to their customer, FDCServers
> of Chicago, and then on to the preferred destinations of a certain Mr.
> Elad Cohen of Israel, and his company Netstyle Atarim, Ltd.  (I have
> saved traceroutes up the wazoo that prove the involvement of FDCServers,
> in particular, in all of this.)
>
> Mr. Cohen has been exceptionally prolific in his IPv4 theft and squatting
> activities, basically grabbing everything that wasn't nailed down, both
> within the AFRINIC region and also within the APNIC region.
>
> In order to try to legitimize all of these thefts and squats, Mr. Cohen
> created quite a sizable number of fraudulent route: objects within the
> Merit/RADB data base which, as most here should already know, has
> essentially zero authentication of any kind before it allows J. Random
> Luser to add pretty much any route: object he wants to the RADB.
>
> Here's a full listing of all of Mr. Cohen's RADB route: objects as they
> existed as recently as August 17th:
>
>    https://pastebin.com/raw/ZNgNuvtt
>
> And here is the short summary version showing just all of the
> prefixes/CIDRs that Mr. Cohen was effectively claiming rights and/or
> title to as of that same date:
>
>    https://pastebin.com/raw/4LTaCg5R
>
> Please do note the numerous blocks of size /16 or greater.
>
> The bottom line is that this one tiny little Israeli company was
> effectively claiming rights to a total of no fewer than 1,015,808 IPv4
> addresses as of August 17th, 2019.  (Not too shabby for one lone guy who
> teaches programming classes as a side job!) Virtually all of the space is
> "legacy" IPv4 space, and generally consists of blocks having sizes of /16
> or larger.
>
> Some of Mr. Cohen's claims in his RADB entries are as humorous as they
> are pathetically fraudulent.  For example, Mr. Cohen has effectively
> claimed rights to 139.44.0.0/16 which unambiguously belongs to the Port
> Authority of the City of Melbourne, Australia.  But hell!  That's merely
> city property!  Mr. Cohen's limitless appetite for other people's IPv4
> space is more vividly on display in his claims to ownership over the
> 168.198.0.0/16 block, which actually belongs to the Department of Finance
> of the Australian national government.  And I haven't even mentioned yet
> another of Mr. Cohen's voluminous IPv4 acquisitions, the 165.25.0.0/16 block,
> which he did not see fit to create an RADB entry for, but which he's
> been squatting on for quite some time now, quite clearly with the
> aid and assistance of both Cogent and FDCServers.  That one belongs to
> the City of Cape Town, South Africa.  That city's engineers have been
> struggling to regain control of their block back from Cogent, from
> FDCServers, and from Mr. Cohen for some time now.   I know because I've
> personally spoken to them about it.  Cogent, in its infinite wisdom, is
> continuing to fight the city for control over property that clearly and
> rightfully belongs to the City of Cape Town, even as we speak:
>
>    https://drive.google.com/file/d/1ytRj1CtuVhDa0eGu4BT-oEz593y5EwJa/view
>
> When asked for LOAs attesting to his legitimate authority to route at
> least a few of these blocks, Mr. Cohen has produced blatantly forged
> documents, many of which appeared in the MyBroadband.co.za story.  And
> when I say "blatant" that's a gross understatement.  Any half-way decent
> forger would consider these documents an embarrassment.  The documents all
> bear identical signatures, and identical and vaguely official looking
> stamps, and purport to actually be sales receipts attesting to the
> alleged purchases, by Mr. Cohen's offshore Seychelles Islands shell
> company, Afri Holdings, Ltd., of various /16 blocks from a mysterious
> company called Afrivestment, Ltd., which may actually exist in some
> faraway galaxy, or in Mr. Cohen's active imagination, but which both
> Google and OpenCorporates.com seem to agree exists exactly noplace on
> this planet.  Here are the manufactured LOAs supplied by Mr. Cohen:
>
>    https://drive.google.com/file/d/1hVjmR6u0ANltuXtZ-Kng8io-EGFyevTR/view
>    https://drive.google.com/file/d/1x_44_H5hkcFLhEwpkwfFoR5PJUyXHzxJ/view
>    https://drive.google.com/file/d/1yQyqn4q_f3bt-wDVoN1FzbXf1k58DXtK/view
>
> Recently, Cohen started to move some, but not all, of his stolen and
> squatted IPv4 blocks off of Cogent/FDCServers and onto a friendly little
> bullet-proof hosting company in the Netherlands named IP Volume, Inc.
> (AS202425) and/or to its several sister networks, e.g. AS204655 -
> Novogara Ltd., all of which, coincidentally, just happen to be owned by
> the exact same pair of Dutch gentlemen who previously owned the notorious
> Ecatel, followed by the notorious Quasi Networks.  (IP Volume, Inc.
> appears to have inherited all or nearly all of its legitimately assigned
> IP space from its predecessor entities, Ecatel and Quasi Networks.)
>
> Despite these relocations, many of Mr. Cohen's stolen and squatted blocks
> are still helpfully being routed to Mr. Cohen's preferred destinations by
> his good friends at Cogent and FDCServers, even as we speak.  The current
> set of such routes that Cogent is maintaining, at the moment, apparently on
> behalf of their customer, Mr. Cohen, consists of the prefixes listed here:
>
>    https://pastebin.com/raw/EA3xJVLF
>
> When I noticed two days ago that all of these routes were still up I was
> deeply confused.  Did both Cogent and FDCServers not get the memo??  Do
> they not know yet that Cohen is stealing stuff, left, right, and sideways?
> Did nobody even tell them about the MyBroadband.co.za article which was
> published this past Sunday?  I decided that it was incumbent upon me to
> find out.
>
> Thus, more than 48 hours ago now I sent the following polite but firm
> inquiry to Cogent, and a separate nearly identical one directly to the
> CEO of FDCServers, Mr. Petr Kral (petr(at)fdcservers.net).
>
>    https://pastebin.com/raw/ztipqE96
>
> A full forty eight hours later, I have received no reply whatsoever from
> either Cogent or FDCServers, not even a "Go pound sand" type of response.
>
> More importantly, most of the stolen IPv4 space that I called out, very
> specifically, to both Cogent and FDCServers two+ days ago now is still
> being routed by Cogent/FDCServers to their fun-loving and, I'm sure,
> promptly paying customer, Mr. Cohen.  If neither Cogent nor FDCServers
> still do not know now that Mr. Cohen is a crook, and that he has glommed
> onto quite a lot of stolen and squatted IPv4 space... which they have
> been helpfully routing for him, no doubt in exchange for some handsome
> payments... then I am forced to say that it appears to be a reasonable
> conclusion that it must be because neither Cogent nor FDCServers really
> wants to know what sort of a character Cohen is, or what he has been up
> to, specifically with their ongoing and material assistance.
>
> But you all be the judges.  What does it look like to you?
>
>
> Regards,
> rfg
>
>