<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-AU" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-GB">Hi Ronald,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">APNIC has contacted the custodians of 139.44.0.0/16 and 168.198.0.0/16 and brought this matter to their attention.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">Regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">Vivek<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">Member Services Manager, APNIC<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">From: Ronald F. Guilmette &lt;rfg@tristatelogic.com&gt;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> Date: Fri, Sep 6, 2019 at 6:30 PM<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> Subject: Cogent &amp; FDCServers: Knowingly aiding and abetting fraud and theft?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> To: &lt;nanog@nanog.org&gt;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> Few of you here probably know about this, but nearly a week ago now<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> an article appeared in South Africa's largest and most popular online<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> tech publication, MyBroadband.co.za. It detailed many, but certainly not<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> all of the results of my multi-month investigation of a massive and<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> ongoing fraud involving the theft of large numbers of large (generally<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> /16 or larger) abandoned legacy blocks, taken from the AFRINIC region<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> and beyond:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> https://mybroadband.co.za/news/internet/318205-the-big-south-african-ip-address-heist-how-millions-are-made-on-the-grey-market.html<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> For various editorial reasons, the article that was published actually<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> downplayed the magnitude of the thefts quite dramatically. The<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> totality of the IPv4 space that has been stolen or squatted, primarily<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> but not exclusively, from South African companies and South African national<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> government agencies and departments is actually at least 5x bigger than what<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> was reported in the MyBroadband.co.za article.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> The overwhelming majority of this stolen and squatted IPv4 space has<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> been helpfully routed by Cogent (AS174), to their customer, FDCServers<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> of Chicago, and then on to the preferred destinations of a certain Mr.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> Elad Cohen of Israel, and his company Netstyle Atarim, Ltd. (I have<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> saved traceroutes up the wazoo that prove the involvement of FDCServers,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> in particular, in all of this.)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> Mr. Cohen has been exceptionally prolific in his IPv4 theft and squatting<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> activities, basically grabbing everything that wasn't nailed down, both<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> within the AFRINIC region and also within the APNIC region.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> In order to try to legitimize all of these thefts and squats, Mr. Cohen<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> created quite a sizable number of fraudulent route: objects within the<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> Merit/RADB data base which, as most here should already know, has<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> essentially zero authentication of any kind before it allows J. Random<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> Luser to add pretty much any route: object he wants to the RADB.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> Here's a full listing of all of Mr. Cohen's RADB route: objects as they<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> existed as recently as August 17th:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> https://pastebin.com/raw/ZNgNuvtt<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> And here is the short summary version showing just all of the prefixes/CIDRs<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> that Mr. Cohen was effectively claiming rights and/or title to as of that<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> same date:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> https://pastebin.com/raw/4LTaCg5R<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> Please do note the numerous blocks of size /16 or greater.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> The bottom line is that this one tiny little Israeli company was effectively<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> claiming rights to a total of no fewer than 1,015,808 IPv4 addresses as of<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> August 17th, 2019. (Not too shabby for one lone guy who teaches programming<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> classes as a side job!) Virtually all of the space is "legacy" IPv4 space,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> and generally consists of blocks having sizes of /16 or larger.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> Some of Mr. Cohen's claims in his RADB entries are as humorous as they<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> are pathetically fraudulent. For example, Mr. Cohen has effectively<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> claimed rights to 139.44.0.0/16 which unambiguously belongs to the Port<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> Authority of the City of Melbourne, Australia. But hell! That's merely<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> city property! Mr. Cohen's limitless appetite for other people's IPv4<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> space is more vividly on display in his claims to ownership over the<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> 168.198.0.0/16 block, which actually belongs to the Department of Finance<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> of the Australian national government. And I haven't even mentioned yet<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> another of Mr. Cohen's voluminous IPv4 acquisitions, the 165.25.0.0/16 block,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> which he did not see fit to create an RADB entry for, but which he's<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> been squatting on for quite some time now, quite clearly with the<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> aid and assistance of both Cogent and FDCServers. That one belongs to<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> the City of Cape Town, South Africa. That city's engineers have been<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> struggling to regain control of their block back from Cogent, from<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> FDCServers, and from Mr. Cohen for some time now. I know because I've<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> personally spoken to them about it. Cogent, in its infinite wisdom, is<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> continuing to fight the city for control over property that clearly and<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> rightfully belongs to the City of Cape Town, even as we speak:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> https://drive.google.com/file/d/1ytRj1CtuVhDa0eGu4BT-oEz593y5EwJa/view<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> When asked for LOAs attesting to his legitimate authority to route at<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> least a few of these blocks, Mr. Cohen has produced blatantly forged<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> documents, many of which appeared in the MyBroadband.co.za story. And<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> when I say "blatant" that's a gross understatement. Any half-way decent<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> forger would consider these documents an embarrassment. The documents all<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> bear identical signatures, and identical and vaguely official looking<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> stamps, and purport to actually be sales receipts attesting to the<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> alleged purchases, by Mr. Cohen's offshore Seychelles Islands shell<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> company, Afri Holdings, Ltd., of various /16 blocks from a mysterious<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> company called Afrivestment, Ltd., which may actually exist in some<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> faraway galaxy, or in Mr. Cohen's active imagination, but which both<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> Google and OpenCorporates.com seem to agree exists exactly noplace on<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> this planet. Here are the manufactured LOAs supplied by Mr. Cohen:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> https://drive.google.com/file/d/1hVjmR6u0ANltuXtZ-Kng8io-EGFyevTR/view<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> https://drive.google.com/file/d/1x_44_H5hkcFLhEwpkwfFoR5PJUyXHzxJ/view<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> https://drive.google.com/file/d/1yQyqn4q_f3bt-wDVoN1FzbXf1k58DXtK/view<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> Recently, Cohen started to move some, but not all, of his stolen and squatted<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> IPv4 blocks off of Cogent/FDCServers and onto a friendly little bullet-proof<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> hosting company in the Netherlands named IP Volume, Inc. (AS202425) and/or<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> to its several sister networks, e.g. AS204655 - Novogara Ltd., all of which,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> coincidentally, just happen to be owned by the exact same pair of Dutch<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> gentlemen who previously owned the notorious Ecatel, followed by the notorious<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> Quasi Networks. (IP Volume, Inc. appears to have inherited all or nearly<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> all of its legitimately assigned IP space from its predecessor entities,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> Ecatel and Quasi Networks.)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> Despite these relocations, many of Mr. Cohen's stolen and squatted blocks<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> are still helpfully being routed to Mr. Cohen's preferred destinations by<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> his good friends at Cogent and FDCServers, even as we speak. The current<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> set of such routes that Cogent is maintaining, at the moment, apparently on<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> behalf of their customer, Mr. Cohen, consists of the prefixes listed here:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> https://pastebin.com/raw/EA3xJVLF<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> When I noticed two days ago that all of these routes were still up I was<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> deeply confused. Did both Cogent and FDCServers not get the memo?? Do<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> they not know yet that Cohen is stealing stuff, left, right, and sideways?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> Did nobody even tell them about the MyBroadband.co.za article which was<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> published this past Sunday? I decided that it was incumbent upon me to<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> find out.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> Thus, more than 48 hours ago now I sent the following polite but firm<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> inquiry to Cogent, and a separate nearly identical one directly to the<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> CEO of FDCServers, Mr. Petr Kral (petr(at)fdcservers.net).<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> https://pastebin.com/raw/ztipqE96<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> A full forty eight hours later, I have received no reply whatsoever from<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> either Cogent or FDCServers, not even a "Go pound sand" type of response.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> More importantly, most of the stolen IPv4 space that I called out, very<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> specifically, to both Cogent and FDCservers two+ days ago now is still<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> being routed by Cogent/FDCservers to their fun-loving and, I'm sure,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> promptly paying customer, Mr. Cohen. If neither Cogent nor FDCServers<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> still do not know now that Mr. Cohen is a crook, and that he has glommed<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> onto quite a lot of stolen and squatted IPv4 space... which they have<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> been helpfully routing for him, no doubt in exchange for some handsome<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> payments... then I am forced to say that it appears to be a reasonable<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> conclusion that it must be because neither Cogent nor FDCServers really<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> wants to know what sort of a character Cohen is, or what he has been up<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> to, specifically with their ongoing and material assistance.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> But you all be the judges. What does it look like to you?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> Regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> rfg<o:p></o:p></span></p>
</div>
</body>
</html>