AFRINIC: The Saga Continues

Ronald F. Guilmette rfg at tristatelogic.com
Thu Jan 30 03:51:17 UTC 2020


My apologies to all.  Certain of the blocks mentioned in my prior
posting here have already been reclaimed, and are currently being
routed by appropriate parties.  In particular, these ones:

152.108.0.0/16
155.237.0.0/16
165.4.0.0/16
165.5.0.0/16

Also, I somehow managed to miss mentioning a few blocks that were also
quite clearly stolen as part of this extensive and elaborate scheme,
specifically these ones:

160.116.0.0/16
163.198.0.0/16
164.88.0.0/16
196.15.96.0/18

A full list of all of the stolen AFRINIC blocks that are still of
ongoing concern at the present moment, taking into account the above
adjustments, is available here:

    https://pastebin.com/raw/71zNNriB

Note that many of the blocks listed at the link above have already
been "reclaimed" as far as the AFRINIC WHOIS records are concerned.
But because routing remains almost entirely decoupled from RIR WHOIS
data bases, much of this "reclaimed" space is still being routed as
I write this.  The only difference is that now the space is being
routed as bogons, rather than as "legitimately" allocated space.

A summary of all of the current routing for all of the stolen AFRINIC
IPv4 address space that is still of concern, including routing for
recently reclaimed address space that AFRINIC will eventually be
returning to its free pool is provided below.  This list is sorted
by the number of constituent stolen /24 blocks being routed by each
listed network, thus showing the most major offenders at the top.
A few footnotes concerning specific ASNs in this list follow below
the listing.

I urge everyone on this mailing list to share this data as widely as
possible in and among the global networking connunity.  In all cases
noted below, the networks in question are unambiguously routing IP
blocks that were obtained, in the first instance, via thefts perpetrated
by one or more AFRINIC insiders and then resold on the black market
in secretive deals.  In many and perhaps most cases listed below, the
relevant networks appear to have been more than happy to accept some
cash in exchange for their services, while not looking all that
carefully at the purported (but fradulent) "LOA" documents they were
handed.  (Repeated use of blatantly fradulent documents has been one
of the consistant features of this entire ongoing criminal enterprise.)

All routing data is derived from current data published by RIPEstat.

======================================================================
  3719  0       ??  UNROUTED IP SPACE
   629  132165  PK  Connect Communication
   512  18013   HK  Asline Limited
   504  19969   US  Joe's Datacenter, LLC
   500  62355   CO  Network Dedicated SAS
   423  202425  SC  IP Volume inc
   286  58895   PK  Ebone Network (PVT.) Limited
   250  136525  PK  Wancom (Pvt) Ltd.
   192  18530   US  Isomedia, Inc.
   186  9009    GB  M247 Ltd
   134  262287  BR  Maxihost LTDA
   132  204655  NL  Novogara LTD
    79  132116  IN  Ani Network Pvt Ltd
    75  136384  PK  Optix Pakistan (Pvt.) Limited
    68  132422  HK  Hong Kong Business Telecom Limited
    60  137443  HK  Anchnet Asia Limited
    48  63956   AU  Colocation Australia Pty Ltd
    26  132335  IN  LeapSwitch Networks Pvt Ltd
    21  131284  AF  Etisalat Afghan
    20  139043  PK  WellNetworks (Private) Limited
    19  43092   JP  OSOA Corporation., LTD
    17  36351   US  SoftLayer Technologies Inc.
    16  56611   NL  REBA Communications BV
    16  199267  IL  Netstyle A. Ltd
    16  23679   ID  Media Antar Nusa PT.
    14  137085  IN  Nixi
    10  63018   US  Dedicated.com
     9  136782  JP  Pingtan Hotline Co., Limited
     8  45671   AU  Servers Australia Pty. Ltd
     8  57717   NL  FiberXpress BV
     7  49335   RU  LLC "Server v arendy"
     7  134451  SG  NewMedia Express Pte Ltd
     6  49367   IT  Seflow S.N.C. Di Marco Brame' & C.
     6  26754   ??  {{unknown organization}}
     5  198504  AE  Star Satellite Communications Company - PJSC
     5  198381  AE  Star Satellite Communications Company - PJSC
     4  38001   SG  NewMedia Express Pte Ltd
     4  263812  AR  TL Group SRL ( IPXON Networks )
     4  30827   GB  Extraordinary Managed Services Ltd
     4  42831   GB  UK Dedicated Servers Limited
     4  37200   NG  SimbaNET Nigeria Limited
     4  133495  PK  Vision telecom Private limited
     4  198394  AE  Star Satellite Communications Company - PJSC
     2  44066   DE  First Colo GmbH
     2  198247  AE  Star Satellite Communications Company - PJSC
     2  133933  PK  NetSat Private Limited
     2  328096  UG  truIT Uganda Limited
     2  38713   PK  Satcomm (Pvt.) Ltd.
     2  31122   IE  Digiweb ltd
     2  46562   US  Total Server Solutions L.L.C.
     2  13737   US  Riverfront Internet Systems LLC
     2  11990   US  Unlimited Net, LLC
     2  20860   GB  Iomart Cloud Services Limited
     2  45382   KR  Ehostict
     2  17216   US  Dc74 Llc
     2  16637   ZA  Mtn Sa
     2  53999   CA  Priority Colo Inc
     1  23470   US  ReliableSite.Net LLC
     1  35074   NG  Cobranet Limited
     1  19832   ZA  Link Data Group
     1  43945   IL  Netstyle A. Ltd
     1  134917  IN  Ragsaa Communication pvt. ltd.
     1  203833  DE  First Colo GmbH
======================================================================

The actual current route announcements corresponding to all of the above
are listed in the table given here, which is sorted by ASN:

   https://pastebin.com/raw/XQyJ8EK2

Footnotes:

[1]  AS62355 gives all indications of being a false front fradulent
network, possibly one that was set up by one or more of the black
market dealers involved in this case.  There is no actual web site
associated with its contact domain (networkdedicated.com) at present,
the alleged contact phone number in the associated AS WHOIS record
was non-orking when I tried it, and the street address given for
this entity in Bogotá, Columbia, is one that Google maps cannot
locate.  Traceroutes to the one and only IPv4 block that is being
routed by this AS and that is actually registed to the company itself
(185.39.8.0/22) do not terminate in Columbia, South America, as one
would expectm, based on the WHOIS, but rather such traceroutes dead-
end somwhere on the network of core-backbone.com (Core-Backbone GmbH,
Germany) in the general vicinity of Amsterdam, Netherlands.

[2] The networks of AS202425 (IP volume, Inc. - Seychelles), AS204655
(Novogara, Ltd. - Netherlands), AS56611 (REBA Communications BV -
Netherlands), and AS57717 (FiberXpress BV - Netherlands), are all
believed by me to be onwed and controled by a certain pair of Dutch
gentlemen who I have previously posted about.  For more information on
these characters, please google for "Ecatel" and/or "Quasi Networks".
Both of those are, I believe, demonstratably the predecessors of what
is now called "IP volume, Inc."

[3] AS199267 (Netstyle A. Ltd. - Israel) and AS43945 (Netstyle A. Ltd. -
Israel) belongs to one of the persons featured in Jan Vermeulen's
detailed December 4th report on this whole AFRINIC caper, i.e. the
particular fellow who has been going around passing out fradulent LOAs
of such shockingly low quality that one wonders why he even bothers.

[4] AS26754 was formerly an AFRINIC-assigned ASN which was assigned
to the entirely fictitious business entity called "ITC'.  That entity
appears to have just been an imaginary concoction of Mr. Ernest
Byaruhanga, formerly of AFRINIC, and now the target of an ongoing
crimininal investigation in Africa, and/or other AFRINIC insiders
who worked with or along side Mr. Byaruhanga to criminally strip
assets from AFRINIC and its legacy block holders.  The registration
for this AS number has now been withdrawn by AFRINIC, thus rendering
the ASN itself a bogon.

[5] AS19832 ("Link Data Group") is yet another fiction that was
manufactured out of -nearly- whole cloth, either by Mr. Byaruhanga
and/or by other AFRINIC insiders who were working with him.  It is
not immediately clear why this ASN is still registered, let alone why
is its route announcements are still being accepted or propagated
anywhere.



More information about the NANOG mailing list