[rpd] Mass Hijacking of AFRINIC IPv4 Space by U.S.A. Spammers
fransossen at yahoo.com
Fri Nov 18 17:07:52 UTC 2016
Hi Ronald,
You always discover very nice spamming network setups!
> But I guess that the whole Cloud Innovation incident proves that I should
> not be expecting anything even remotely like "good stewardship" of limited
> IPv4 resources out of Afrinic.
Please see Heng Lu's explanation about the whole Cloud Innovation incident; it was a very clever abuse of internet resources and peering agreement, and not one that a resource holder can prevent in any kind of way.
He actually did an excellent job at actually tracking where the problem was and notifying the involved parties as it was not a simple case of hijacking unannounced resources.
In your emails you tend to come across as blaming the resource holders for their resources being hijacked.
The Dutch government had its unannounced resources hijacked by similar schemes a while back.
It can happen to anyone. When it happens, good netizens should inform the resource holders; informing the respective RIR is good practice as well, as they maintain a lot of contact with their members.
From the list you provided, there are some interesting things that pop up almost immediately, removing all kind of doubt on the nature of the people behind.
From your pastebin, I randomly took one domain:
piecedrill.com
160.115.50.12
It takes you to a copy of the "Bouygues" website, so a red flag can be raised as to the intention of whoever is behind this.
You can now report it to "Bouygues", I am sure they have enough lawyers to drive this further...
And to whomever is behind the IP address in the AFRINIC DB:
inetnum: 160.115.0.0 - 160.115.255.255
netname: COLUMBUS-ZA1
descr: Columbus Stainless
descr: P.O. Box 133
descr: Middelburg Tvl
descr: 1050
country: ZA
admin-c: KC224-AFRINIC
tech-c: KC224-AFRINIC
status: ASSIGNED PI
mnt-by: TF-160-115-MNT
mnt-lower: TF-160-115-MNT
mnt-domains: TF-160-115-MNT
changed: hostmaster at arin.net 19840101
changed: hostmaster at arin.net 19950725
changed: hostmaster at afrinic.net 20050221
changed: hostmaster at afrinic.net 20060203
source: AFRINIC
parent: 0.0.0.0 - 255.255.255.255
person: Kezia Crawford-Cousins
address: P O Box 3234
address: Parklands 2121
address: ZA
phone: +27 11 447 5566
e-mail: kezia at noc-is.co.za
nic-hdl: KC224-AFRINIC
remarks: http://www.is.co.za
changed: hostmaster at arin.net 19950622
changed: hostmaster at arin.net 19951127
changed: hostmaster at afrinic.net 20050221
source: AFRINIC
If Kezia is not the correct person, then the company registered on the resources still seems to exist at least:
http://www.columbus.co.za/
That range itself seems indeed pretty broken up and announced via various AS numbers:
https://stat.ripe.net/widget/routing-history#w.resource=160.115.0.0-160.115.255.255
All those AS going indeed to AS260:
https://stat.ripe.net/widget/asn-neighbours#w.resource=AS260
And all recently and sometimes briefly revived:
https://stat.ripe.net/widget/ris-first-last-seen#w.resource=6560%2C7971%2C10505%2C14029
The AFRINIC community at large is not to be blamed for what happened here, and the AFRINIC is not to be blamed either. Some of that space is registered to members, other space is not registered to an organisation with whom the AFRINIC is in contact, due to it being legacy. It makes no difference in the end, as it will get hijacked anyway. Their space was most likely misused; the rightful holders should be contacted so they can take the needed measures.
AS260 is registered to ARIN, and the company behind it is an LIR at the RIPE NCC as well. You have means to contact them, their peering partners and so on for an explanation, but the best course of action is imho to contact the resource holders and the RIR.
And I hope the noise you created now is going to have some effect in cleaning up that mess.
Keep tracking those nasty networks, but don't blame the victims!
Dutch government was not a spammer.
Cloud Innovation was not a spammer.
And for what it's worth, most of those African resources are not spammers either; they are victims.
Cheers,
David Hilario