Search RPD Archives
Limit search to: Subject & Body Subject Author
Sort by:

[rpd] Mass Hijacking of AFRINIC IPv4 Space by U.S.A. Spammers

fransossen at yahoo.com fransossen at yahoo.com
Fri Nov 18 17:07:52 UTC 2016 


 

Hi Ronald,

You always discover very nice spamming network setups!


> But I guess that the whole Cloud Innovation incident proves that I should 
> not be expecting anything even remotely like "good stewardship" of limited 
> IPv4 resources out of Afrinic.

Please see Heng Lu's explanation about the whole Cloud Innovation incident, it was a very clever abuse of internet resources and peering agreement, and not one that a resource holder can prevent in any kind of way.

He actually did an excellent job at actually tracking where the problem was and notifying the involved parties as it was not a simple case of hijacking unannounced resources.


In your emails you tend to come as blaming the resource holders for their resources being hijacked. 

The Dutch government had its unannounced resources hijacked by similar schemes a while back. 

It can happen to anyone, when it happens, good netizens should inform the resource holders, inform the respective RIR is good practice as well, as they maintain a lot of contact with their members. 



>From the list you provided, there are some interesting things that pops up almost immediately, removing all kind of doubt on the nature of the people behind.


>From your pastebin, I randomly took one domain:
piecedrill.com 
160.115.50.12

It takes you to a copy of "Bouygues" website, so red flag can be raised as to the intention of whoever is behind this.
You can now report it to "Bouygues", I am sure they have enough lawyers to drive this further...

And to whomever is behind the IP address in the AFFRINIC DB:

inetnum:        160.115.0.0 - 160.115.255.255 
netname:        COLUMBUS-ZA1 
descr:          Columbus Stainless 
descr:          P.O. Box 133 
descr:          Middelburg Tvl 
descr:          1050 
country:        ZA 
admin-c:        KC224-AFRINIC 
tech-c:         KC224-AFRINIC 
status:         ASSIGNED PI 
mnt-by:         TF-160-115-MNT 
mnt-lower:      TF-160-115-MNT 
mnt-domains:    TF-160-115-MNT 
changed:        hostmaster at arin.net 19840101 
changed:        hostmaster at arin.net 19950725 
changed:        hostmaster at afrinic.net 20050221 
changed:        hostmaster at afrinic.net 20060203 
source:         AFRINIC 
parent:         0.0.0.0 - 255.255.255.255 

person:         Kezia Crawford-Cousins 
address:        P O Box 3234 
address:        Parklands 2121 
address:        ZA 
phone:          +27 11 447 5566 
e-mail:         kezia at noc-is.co.za 
nic-hdl:        KC224-AFRINIC 
remarks:        http://www.is.co.za 
changed:        hostmaster at arin.net 19950622 
changed:        hostmaster at arin.net 19951127 
changed:        hostmaster at afrinic.net 20050221 
source:         AFRINIC


If Kezia is not the correct person then the company registered on the resources still seem to exist at least:
http://www.columbus.co.za/

That range itself seems indeed pretty broken up and announced via various AS numbers:

https://stat.ripe.net/widget/routing-history#w.resource=160.115.0.0-160.115.255.255

All those AS going indeed to AS260:
https://stat.ripe.net/widget/asn-neighbours#w.resource=AS260

And all recently and sometimes briefly revived: 
https://stat.ripe.net/widget/ris-first-last-seen#w.resource=6560%2C7971%2C10505%2C14029


The AFRINIC community at large is not to be blamed for what happened here, the AFRINIC is not to be blamed either, some of that space is registered to member other is not registered to organisation with whom the AFRINIC is in contact due to it being legacy, it makes no difference at the end as it will get hijacked anyway, their space was most likely misused, the rightful holders should be contacted so they can take the needed measures.

AS260 is registered to ARIN, and the company behind is an LIR at the RIPE NCC as well, you have means to contact them, their peering partners and so on for explanation, but the best course of action is imho to contact the resources holders and the RIR.


And I hope the noise you created now is going to have some effect in cleaning up that mess.

Keep tracking those nasty networks, but don't blame the victims!

Ducth government was not a spammer.
Cloud Innovation was not a spammer.

And for wiw most of those African resources are not spammers either, they are victims.

Cheers,
David Hilario


_______________________________________________

RPD mailing list
RPD at afrinic.net
https://lists.afrinic.net/mailman/listinfo/rpd

More information about the RPD mailing list