[afnog] AS35916 and 163.198.0.0/16 AFRINIC block
Mark Tinka
mark.tinka at seacom.mu
Fri Aug 4 11:52:05 UTC 2017
All the more reason for service providers in Africa (and around the
world) to be vigilant and deliberate in how they accept routes from
customers.
Mark.
On 4/Aug/17 05:59, Noah wrote:
> Hi Will,
>
> This is just the beginning; we are going to see more and more of these
> cases as IPv4 continues to deplete in our region.
>
> Cheers,
> Noah
>
> On 3 Aug 2017 8:13 p.m., "Willy MANGA" <mangawilly at gmail.com> wrote:
>
> Hi,
> read it on NANOG list ...
>
> The 163.198.0.0/16 block is not the first to be hijacked, but at least if
> someone knows the owner or any solution that can fix it ...
>
> ------------------------------
>
> Date: Thu, 03 Aug 2017 02:52:43 -0700
> From: "Ronald F. Guilmette" <rfg at tristatelogic.com>
> To: nanog at nanog.org
> Subject: Multicom Hijacks: Do you peer with these turkeys (AS35916)?
> Message-ID: <24545.1501753963 at segfault.tristatelogic.com>
>
>
> Well, it took less than a day for my last missive here to get the
> hijacks associated with AS202746 (Nexus Webhosting) taken down.
> I guess that somebody must have smacked Telia upside the head with
> a clue-by-four at long last.
>
> So, with that out of the way, let's see what else I can accomplish
> this week.
>
> As I understand it, the theory is that the thing that keeps the
> entire Internet from descending into the final stages of a totally
> broken "tragedy of the commons" is peer pressure. As everyone knows,
> there is no "Internet Police", so the whole system relies on the
> ability and willingness of networks to de-peer from other networks
> when those other networks are demonstrably behaving badly.
>
> Let's find out if that actually works, in practice, shall we?
>
> According to bgp.he.net, the top three peers of AS35916 (Multacom)
> are as follows:
>
> AS2914 NTT America, Inc.
> AS3223 Voxility S.R.L.
> AS209 Qwest Communications Company, LLC
>
> I'd like help from any and all subscribers to this mailing list who
> might have contacts in these companies. I'd like you to call their
> attention to Multacom's routing of the following block specifically:
>
> 163.198.0.0/16
>
> This is a long-abandoned Afrinic block belonging to a semi-defunct
> company called "Agrihold". In fact, this block was a part of the
> massive number of hijacked legacy Afrinic /16 blocks that I pointed
> out, right here on this mailing list, way back last November:
>
> https://mailman.nanog.org/pipermail/nanog/2016-November/089164.html
>
> After that posting, whoever was responsible for all those blatant
> hijackings got cold feet, apparently, and stopped passing all of those
> bogus route announcements out through their pals at AS260,
> Xconnect24 Inc.
>
> And so, for a brief time at least, the wanton pillaging of legacy
> Afrinic /16 blocks, and the reselling of those stolen blocks to various
> snowshoe spammers stopped... for awhile.
>
> But it appears that on or about January 6th of this year, Multacom
> leapt into the breach and re-hijacked both the 163.198.0.0/16 block
> and also the additional Afrinic legacy block, 160.115.0.0/16. (They
> apparently stopped routing this latter block some time ago, for
> reasons unknown. But the fact that Multacom was indeed routing this
> second purloined legacy Afrinic /16 block also is in the historical
> records now, and cannot be denied. Multacom's routing of both blocks
> began around January 6th or so of this year, 2017.)
>
> Just as a courtesy, I sent the block absconders at Multacom a short
> email, earlier today, asking them if they had an LOA which demonstrates
> that they have rights/permission to be routing the 163.198.0.0/16
> block. Of course, the mystery person (noc@) who emailed me back claimed
> that they did, but unfortunately, he was not under oath at the time. I
> asked if he could show me a copy of this purported LOA, and I haven't
> heard back from anybody at Multacom ever since.
>
> I don't really think there is any big mystery here, nor do I think
> that Multacom has or had, at any time, any rights to be routing these
> two legacy Afrinic /16 blocks. But they have done so, and continue
> to do so, in the case of the 163.198.0.0/16 block at least, quite
> obviously because -somebody- is paying them to do it, even in the
> total absence of a legitimate LOA.
>
> And as it turns out, it is quite easy to figure out who Multacom has
> been routing these two hijacked legacy Afrinic /16 blocks both for and
> to.
>
> It's trivially easy to run a traceroute to any arbitrary IP address
> within the 163.198.0.0/16 block. No matter which one you pick, the
> traceroute always passes through a particular IP address,
> 178.250.191.162, before the remainder of the traceroute gets
> deliberately blocked.
>
> That IP address is registered *not* to some long lost African
> concern, but rather to a Romanian networking company called
> Architecture Iq Data S.R.L.
>
> That company itself is apparently owned by a fellow by the name of
> Alexandru ("Andrei") Stanciu who hails from the city of Suceava,
> Romania. (Note that this is apparently *not* the same Alexandru
> Stanciu who the FBI arrested on bank and wire fraud charges in 2014.
> That one apparently hailed from Bucharest.)
>
> Anyway, "networking" seems to be only one of our Mr. Stanciu's
> many and varied business interests. His networking company,
> Architecture Iq Data S.R.L., has a web site (http://architekiq.ro/)
> but it is "shallow" to say the least. Many, and perhaps even most, of
> the links on the home page of that company's web site seem to lead
> nowhere.
>
> In contrast, Mr. Stanciu has the following other well-developed web
> sites and companies:
>
> ads.com.ro
> promoart.ro
> largeformatprinting.ro
> Promoart S.R.L.
> Advertising Distribution Supplies S.R.L.
>
> Mostly, he seems to be in the advertising business, as evidenced
> by the above web sites, and also by his membership in the "Email
> Marketing Gurus" special interest group over on LinkedIn:
>
> https://ro.linkedin.com/in/alexandru-stanciu-8846aa12a
>
> Given Mr. Stanciu's apparent professional interests, it is not
> really all that surprising that the two hijacked legacy Afrinic /16
> blocks that Multacom has been kind enough to route... both for him
> and to him... do in fact seem to be associated with numerous domain
> names that obviously consist of just two random dictionary words
> smashed together, followed by either .com or .net. This exact motif
> is quite commonly used by and among many of the Internet's most
> prolific snowshoe spammers.
>
> And of course, Mr. Stanciu's snowshoe spamming domains would not be
> maximally productive unless they each had SPF TXT records attached...
> ones that would pass muster with the recipients of Mr. Stanciu's
> spams. Those SPF TXT records are listed here, along with the relevant
> domain names:
>
> https://pastebin.com/raw/BbK2YGe6
>
> (Whenever possible, snowshoe spammers also like to be able to send out
> their spams from IP addresses where they have already set up nicely
> matching reverse DNS, because a lot of recipient mail servers these
> days just won't accept inbound email anymore from no-reverse-DNS IP
> addresses. But unfortunately for Mr. Stanciu, and for Multacom, the
> fact that they both just sort of walked off with the 163.198.0.0/16
> block means that although they can -route- that space, they can't get
> the authority to control the reverse DNS for this block delegated to
> them. In order to do that, they'd have to get permission to do reverse
> DNS for the block FROM THE REAL AND LEGITIMATE BLOCK OWNER. And since
> that ain't them, nor even anybody who even knows what these clever
> fellows are up to, they can't. So Mr. Stanciu is stuck sending out his
> spams in a sub-optimal way, without either matching reverse DNS or
> even *any* reverse DNS for the entire /16 block he's stolen. Sorry
> Mr. Stanciu! Sorry Multacom!)
>
> As anybody who understands this stuff will by now be utterly
> convinced, the legacy Afrinic address block, 163.198.0.0/16, has been
> hijacked, stolen, or whatever you prefer to call it, by Mr. Alexandru
> ("Andrei") Stanciu of Suceava, Romania, specifically for "snowshoe"
> spamming purposes, and with the significant help and assistance of
> AS35916, aka Multacom Corporation of 16654 Soledad Canyon Rd #150,
> Canyon Country, California, 91387, which is actually the entity
> announcing the routes to this clearly illicitly "liberated" IP block.
>
> So now, would one or more of you kind folks on this list who are more
> fortunate than me, and who have connections, please be so kind as to
> let the following entities know about what Multacom is actually up to
> here?
>
> AS2914 NTT America, Inc.
> AS3223 Voxility S.R.L.
> AS209 Qwest Communications Company, LLC
>
> Maybe they won't care, but they should. Maybe we can find out if the
> notion of peer pressure... or perhaps even de-peer pressure... works
> as well in practice as it allegedly does in theory.
>
> Thanks for listening.
>
>
> Regards,
> rfg
>
> _______________________________________________
> afnog mailing list
> https://www.afnog.org/mailman/listinfo/afnog
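Mark's point about being deliberate in how routes are accepted from customers, worked through as an added example. This is not code from the thread, from Mark, or from any network named above. It assumes a constructed authorization table of (prefix, maximum length, origin ASN) entries standing in for the RPKI ROAs or IRR route objects an operator would build a customer prefix filter from, and a constructed batch of announcements; every prefix is RFC 5737 documentation space and every ASN is a private ASN, so nothing here refers to a real network. The verdicts follow the RPKI origin-validation states (valid, invalid, not found), and the filter shows the difference between a session that accepts only what the customer can show authorization for and one that merely rejects what is provably wrong.

```python
"""Check a customer's BGP announcements against an authorization table.

Added example, not code from the afnog thread or from any network it names.
The authorization table (prefix, max length, origin ASN) stands in for the
RPKI ROAs or IRR route objects an operator would build customer filters from;
every entry and announcement below is constructed, using RFC 5737
documentation prefixes and private ASNs.
"""
import ipaddress
from typing import List, NamedTuple, Tuple


class Authorization(NamedTuple):
    prefix: ipaddress.IPv4Network
    max_len: int        # longest prefix length the holder allows to be announced
    origin_asn: int     # ASN permitted to originate the prefix


class Verdict(NamedTuple):
    state: str          # "valid", "invalid" or "not_found", as in RPKI origin validation
    reason: str


# Constructed authorization table (hypothetical; not real ROAs or route objects).
AUTHORIZATIONS = [
    Authorization(ipaddress.IPv4Network("192.0.2.0/24"), 24, 64500),
    Authorization(ipaddress.IPv4Network("198.51.100.0/24"), 26, 64500),
    Authorization(ipaddress.IPv4Network("203.0.113.0/24"), 24, 64501),
]

# Constructed announcements received on a session with customer AS64500:
# (prefix as announced, origin ASN at the end of the AS path).
CUSTOMER_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),      # exactly as authorized
    ("198.51.100.0/25", 64500),   # more specific, but within the max length
    ("198.51.100.0/27", 64500),   # more specific than the holder permits
    ("203.0.113.0/24", 64500),    # another holder's block, wrong origin
    ("192.0.2.0/23", 64500),      # supernet of an authorized block: nothing covers it
    ("198.51.100.1/24", 64500),   # host bits set: malformed
]


def validate(announcement: Tuple[str, int], auths: List[Authorization]) -> Verdict:
    """Classify one announcement the way a route-origin validator would."""
    prefix_str, origin = announcement
    try:
        # strict=True (the default) rejects prefixes with host bits set
        net = ipaddress.IPv4Network(prefix_str)
    except ValueError as exc:
        return Verdict("invalid", f"malformed prefix: {exc}")

    # An authorization covers the announcement if the announced prefix is
    # equal to, or a subnet of, the authorized prefix.
    covering = [a for a in auths if net.subnet_of(a.prefix)]
    if not covering:
        return Verdict("not_found", "no authorization covers this prefix")

    for a in covering:
        if a.origin_asn == origin and net.prefixlen <= a.max_len:
            return Verdict("valid", f"covered by {a.prefix}-{a.max_len} AS{a.origin_asn}")

    # Covered but nothing matched: say which check failed, so the NOC can act on it.
    if any(a.origin_asn == origin for a in covering):
        return Verdict("invalid", "more specific than the authorized maximum length")
    return Verdict("invalid", "origin ASN not authorized for this prefix")


def customer_filter(announcements, auths, accept_not_found=False):
    """Split a customer's announcements into accepted and rejected sets.

    On a customer session the deliberate policy is to accept only what the
    customer can show authorization for; accept_not_found=True relaxes that
    to the looser "reject only what is provably wrong" stance.
    """
    accepted, rejected = [], []
    for ann in announcements:
        verdict = validate(ann, auths)
        ok = verdict.state == "valid" or (accept_not_found and verdict.state == "not_found")
        (accepted if ok else rejected).append((ann, verdict))
    return accepted, rejected


if __name__ == "__main__":
    accepted, rejected = customer_filter(CUSTOMER_ANNOUNCEMENTS, AUTHORIZATIONS)
    for (prefix, asn), verdict in accepted + rejected:
        print(f"{prefix:<18} AS{asn}  {verdict.state:<9} {verdict.reason}")
```

With the default policy only the two announcements covered by a matching authorization survive; the supernet announcement is the case worth noting, because an authorization for a /24 says nothing about the /23 above it, so a filter that only looks for "some overlap" would wave it through while a covering check does not.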