AFRINIC: The Saga Continues
Ronald F. Guilmette
rfg at tristatelogic.com
Thu Jan 30 03:51:17 UTC 2020
My apologies to all. Certain of the blocks mentioned in my prior
posting here have already been reclaimed, and are currently being
routed by appropriate parties. In particular, these ones:
152.108.0.0/16
155.237.0.0/16
165.4.0.0/16
165.5.0.0/16
Also, I somehow managed to miss mentioning a few blocks that were also
quite clearly stolen as part of this extensive and elaborate scheme,
specifically these ones:
160.116.0.0/16
163.198.0.0/16
164.88.0.0/16
196.15.96.0/18
A full list of all of the stolen AFRINIC blocks that are still of
ongoing concern at the present moment, taking into account the above
adjustments, is available here:
https://pastebin.com/raw/71zNNriB
Note that many of the blocks listed at the link above have already
been "reclaimed" as far as the AFRINIC WHOIS records are concerned.
But because routing remains almost entirely decoupled from RIR WHOIS
data bases, much of this "reclaimed" space is still being routed as
I write this. The only difference is that now the space is being
routed as bogons, rather than as "legitimately" allocated space.
A summary of all of the current routing for all of the stolen AFRINIC
IPv4 address space that is still of concern, including routing for
recently reclaimed address space that AFRINIC will eventually be
returning to its free pool is provided below. This list is sorted
by the number of constituent stolen /24 blocks being routed by each
listed network, thus showing the most major offenders at the top.
A few footnotes concerning specific ASNs in this list follow below
the listing.
I urge everyone on this mailing list to share this data as widely as
possible in and among the global networking connunity. In all cases
noted below, the networks in question are unambiguously routing IP
blocks that were obtained, in the first instance, via thefts perpetrated
by one or more AFRINIC insiders and then resold on the black market
in secretive deals. In many and perhaps most cases listed below, the
relevant networks appear to have been more than happy to accept some
cash in exchange for their services, while not looking all that
carefully at the purported (but fradulent) "LOA" documents they were
handed. (Repeated use of blatantly fradulent documents has been one
of the consistant features of this entire ongoing criminal enterprise.)
All routing data is derived from current data published by RIPEstat.
======================================================================
3719 0 ?? UNROUTED IP SPACE
629 132165 PK Connect Communication
512 18013 HK Asline Limited
504 19969 US Joe's Datacenter, LLC
500 62355 CO Network Dedicated SAS
423 202425 SC IP Volume inc
286 58895 PK Ebone Network (PVT.) Limited
250 136525 PK Wancom (Pvt) Ltd.
192 18530 US Isomedia, Inc.
186 9009 GB M247 Ltd
134 262287 BR Maxihost LTDA
132 204655 NL Novogara LTD
79 132116 IN Ani Network Pvt Ltd
75 136384 PK Optix Pakistan (Pvt.) Limited
68 132422 HK Hong Kong Business Telecom Limited
60 137443 HK Anchnet Asia Limited
48 63956 AU Colocation Australia Pty Ltd
26 132335 IN LeapSwitch Networks Pvt Ltd
21 131284 AF Etisalat Afghan
20 139043 PK WellNetworks (Private) Limited
19 43092 JP OSOA Corporation., LTD
17 36351 US SoftLayer Technologies Inc.
16 56611 NL REBA Communications BV
16 199267 IL Netstyle A. Ltd
16 23679 ID Media Antar Nusa PT.
14 137085 IN Nixi
10 63018 US Dedicated.com
9 136782 JP Pingtan Hotline Co., Limited
8 45671 AU Servers Australia Pty. Ltd
8 57717 NL FiberXpress BV
7 49335 RU LLC "Server v arendy"
7 134451 SG NewMedia Express Pte Ltd
6 49367 IT Seflow S.N.C. Di Marco Brame' & C.
6 26754 ?? {{unknown organization}}
5 198504 AE Star Satellite Communications Company - PJSC
5 198381 AE Star Satellite Communications Company - PJSC
4 38001 SG NewMedia Express Pte Ltd
4 263812 AR TL Group SRL ( IPXON Networks )
4 30827 GB Extraordinary Managed Services Ltd
4 42831 GB UK Dedicated Servers Limited
4 37200 NG SimbaNET Nigeria Limited
4 133495 PK Vision telecom Private limited
4 198394 AE Star Satellite Communications Company - PJSC
2 44066 DE First Colo GmbH
2 198247 AE Star Satellite Communications Company - PJSC
2 133933 PK NetSat Private Limited
2 328096 UG truIT Uganda Limited
2 38713 PK Satcomm (Pvt.) Ltd.
2 31122 IE Digiweb ltd
2 46562 US Total Server Solutions L.L.C.
2 13737 US Riverfront Internet Systems LLC
2 11990 US Unlimited Net, LLC
2 20860 GB Iomart Cloud Services Limited
2 45382 KR Ehostict
2 17216 US Dc74 Llc
2 16637 ZA Mtn Sa
2 53999 CA Priority Colo Inc
1 23470 US ReliableSite.Net LLC
1 35074 NG Cobranet Limited
1 19832 ZA Link Data Group
1 43945 IL Netstyle A. Ltd
1 134917 IN Ragsaa Communication pvt. ltd.
1 203833 DE First Colo GmbH
======================================================================
The actual current route announcements corresponding to all of the above
are listed in the table given here, which is sorted by ASN:
https://pastebin.com/raw/XQyJ8EK2
Footnotes:
[1] AS62355 gives all indications of being a false front fradulent
network, possibly one that was set up by one or more of the black
market dealers involved in this case. There is no actual web site
associated with its contact domain (networkdedicated.com) at present,
the alleged contact phone number in the associated AS WHOIS record
was non-orking when I tried it, and the street address given for
this entity in Bogotá, Columbia, is one that Google maps cannot
locate. Traceroutes to the one and only IPv4 block that is being
routed by this AS and that is actually registed to the company itself
(185.39.8.0/22) do not terminate in Columbia, South America, as one
would expectm, based on the WHOIS, but rather such traceroutes dead-
end somwhere on the network of core-backbone.com (Core-Backbone GmbH,
Germany) in the general vicinity of Amsterdam, Netherlands.
[2] The networks of AS202425 (IP volume, Inc. - Seychelles), AS204655
(Novogara, Ltd. - Netherlands), AS56611 (REBA Communications BV -
Netherlands), and AS57717 (FiberXpress BV - Netherlands), are all
believed by me to be onwed and controled by a certain pair of Dutch
gentlemen who I have previously posted about. For more information on
these characters, please google for "Ecatel" and/or "Quasi Networks".
Both of those are, I believe, demonstratably the predecessors of what
is now called "IP volume, Inc."
[3] AS199267 (Netstyle A. Ltd. - Israel) and AS43945 (Netstyle A. Ltd. -
Israel) belongs to one of the persons featured in Jan Vermeulen's
detailed December 4th report on this whole AFRINIC caper, i.e. the
particular fellow who has been going around passing out fradulent LOAs
of such shockingly low quality that one wonders why he even bothers.
[4] AS26754 was formerly an AFRINIC-assigned ASN which was assigned
to the entirely fictitious business entity called "ITC'. That entity
appears to have just been an imaginary concoction of Mr. Ernest
Byaruhanga, formerly of AFRINIC, and now the target of an ongoing
crimininal investigation in Africa, and/or other AFRINIC insiders
who worked with or along side Mr. Byaruhanga to criminally strip
assets from AFRINIC and its legacy block holders. The registration
for this AS number has now been withdrawn by AFRINIC, thus rendering
the ASN itself a bogon.
[5] AS19832 ("Link Data Group") is yet another fiction that was
manufactured out of -nearly- whole cloth, either by Mr. Byaruhanga
and/or by other AFRINIC insiders who were working with him. It is
not immediately clear why this ASN is still registered, let alone why
is its route announcements are still being accepted or propagated
anywhere.
More information about the NANOG
mailing list