AS47860 - 93.175.240.0/20 - Whiskey Tango Foxtrot

My analysis: Serious and apparently long-lived bogosity, with a clear
history of substantial spamming activity.

But you be the judge.

Looks to me like an unregistered RIPE AS announcing a route to a /20
worth of unregistered RIPE IPv4 space.

And this didn't exactly crop up just yesterday. Looks like this has
been ongoing for one hell of a long time:

https://stat.ripe.net/widget/routing-history#w.resource=AS47860

Of course, it's not even nearly as much of an issue -now- as it was,
say, about 1 year ago, in October of 2015, when the /20 was apparently
populated by a huge boatload of snowshoe spammer domains. Sadly,
Spamhaus has a bad habit of consistently failing to ever put any
helpful date information on any of its listings, otherwise I'd be
able to see when -they- first noticed this absurd mess.

https://www.spamhaus.org/pbl/query/PBL1626432

Anyway, it's rather annoying to me personally... and I hope I'm not the
only one who feels that way... to know that this has gone mostly unnoticed
for so long, that nobody within the RIPE region has ever bothered to -do-
anything about it, and that the AS and the bogus route are still being
announced, even as we speak.

Assuming the thing remains in play, how long will it be before the spammers
return to use and abuse it yet again?

Maybe they were just waiting for a full year to go by so that they might
have some hopes of this /20 being automatically aged off some blacklists.

Regards,
rfg

P.S. This crap appears to be brought to us courtesy of AS29632,
NetAssist, LLC:

    http://new.netassist.ua/

So anyway, where are the grownups?

Clearly whoever provides transit to 29632... probably worth hunting them
all down and asking questions.

I had a look in my feeds, then a few global BGP LG's and well, it's not in the BGP table.

In reality, it's the upstream, that feeds it in, that really needs to be penalised.

Kind regards,
Martin List-Petersen

P.S. This crap appears to be brought to us courtesy of AS29632,
NetAssist, LLC:

    http://new.netassist.ua/

assuming accuracy of records, etc... :wink:

or courtesy of both AS43659 (who was peering with and announcing the prefix to)
and AS29632 (who was then accepting and announcing to its upstreams)? seems to
be an interesting relationship between the two (2) of them; along with an even
more interesting relationship/affiliation between AS43659 and AS57166 - and the
upstream for both the ASNs is/was AS29632 (NetAssist LLC). :wink:

   - AS57166 UA-D2INVESTUKRAINE-AS, UA; D2 International Investment Ukraine Ltd.
   - AS43659 BUDREMYER-AS, UA; D2 International Investment Ukraine Ltd.

SAME EMAIL/ABUSE CONTACTS (and address) for both ASNs (AS43659 and AS57166):
   - EMAIL CONTACTS: abuse@etthua.net; d2invest@meta.ua; support@etthua.net
   - ABUSE CONTACTS: abuse@etthua.net

RELATED DOMAINS:
   - budremyer.su
   - etthua.net
   - meta.ua

BOGUS ROUTES AND AS ANNOUNCEMENTS
93.175.240.0/20 AS47860 -Reserved AS-, ZZ 93.175.240.0 - 93.175.255.255

   - 93.175.240.0/20: http://93.175.240.0.20.potaroo.net/

     Origins: 47860 (7d 10h 47m 1s, 1 times) -- (AS47860: -Reserved AS-, ZZ)
Next AS Hops: 43659 (7d 10h 47m 1s, 1 times) -- (AS43659: BUDREMYER-AS , UA)
       Paths: 4608 1221 4637 174 29632 43659 47860 (5d 13h 41m 44s, 1 times, avg 5d 13h 41m 44.0s)
              4777 2497 6939 29632 29632 29632 29632 29632 43659 47860 (1d 21h 5m 17s, 1 times, avg 1d 21h 5m 17.0s)

AS47860 -> AS43659 -> AS29632
   - AS47860 (RIPE NCC ASN BLOCK); http://www.cidr-report.org/cgi-bin/as-report?as=AS47860&view=2.0
       - AS43659 (BUDREMYER-AS, UKRAINE); http://www.cidr-report.org/cgi-bin/as-report?as=AS43659&view=2.0
           - AS29632 (NASSIST-AS, UKRAINE); http://www.cidr-report.org/cgi-bin/as-report?as=AS29632&view=2.0
               - UPSTREAM ADJACENT AS
                   - AS20485 TRANSTELECOM Moscow, Russia, RU
                   - AS29107 SYNAPSE-AS , UA
                   - AS8359 MTS , RU
                   - AS35320 ETT-AS , UA
                   - AS6939 HURRICANE - Hurricane Electric, Inc., US

regards,
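To make the path reading above explicit, here is an added Python example (not code from any poster, nor from potaroo, cidr-report or bgp.he.net). It takes the two AS paths quoted above as constructed sample input, collapses the prepending, and walks from the origin toward the collectors to recover the chain AS47860 -> AS43659 -> AS29632 and the set of ASes that AS29632 handed the prefix to. Whether AS47860 and the /20 are actually registered still has to be checked against the RIR database; the example only deals with what the observed paths themselves show.

```python
"""Derive an origin's upstream chain from observed BGP AS paths.

Added example for this thread; it parses AS paths in the textual form a
looking glass or route collector prints them (collector side first,
origin AS last), collapses AS-path prepending, and reports who announced
the prefix to whom.
"""

from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample input: the two AS paths quoted in the thread for
# 93.175.240.0/20. Collector-side AS first, origin AS last.
SAMPLE_PATHS = [
    "4608 1221 4637 174 29632 43659 47860",
    "4777 2497 6939 29632 29632 29632 29632 29632 43659 47860",
]


def parse_path(path: str) -> List[int]:
    """Split a textual AS path into ASNs; the rightmost ASN is the origin."""
    asns = [int(tok) for tok in path.split()]
    if not asns:
        raise ValueError("empty AS path")
    return asns


def collapse_prepends(asns: List[int]) -> List[int]:
    """Drop consecutive repeats so prepending (29632 x5 above) counts as one hop."""
    collapsed: List[int] = []
    for asn in asns:
        if not collapsed or collapsed[-1] != asn:
            collapsed.append(asn)
    return collapsed


def prepend_counts(asns: List[int]) -> Dict[int, int]:
    """Extra consecutive occurrences per ASN; an ASN seen once is not listed."""
    counts: Dict[int, int] = defaultdict(int)
    for i in range(1, len(asns)):
        if asns[i] == asns[i - 1]:
            counts[asns[i]] += 1
    return dict(counts)


def origins(paths: List[str]) -> Set[int]:
    """Every origin AS seen across the observed paths (should be one for a clean prefix)."""
    return {collapse_prepends(parse_path(p))[-1] for p in paths}


def announced_to(paths: List[str], asn: int) -> Set[int]:
    """ASes that `asn` announced the prefix to: its left-hand neighbour in
    each collapsed path where it appears. For this prefix these are its
    upstreams or peers. An ASN absent from every path yields an empty set."""
    neighbours: Set[int] = set()
    for p in paths:
        collapsed = collapse_prepends(parse_path(p))
        for i in range(1, len(collapsed)):
            if collapsed[i] == asn:
                neighbours.add(collapsed[i - 1])
    return neighbours


def upstream_chain(paths: List[str], origin: int) -> List[int]:
    """Walk from the origin toward the collectors while every observed path
    agrees on a single next hop. Stops at the first AS with more than one
    neighbour on the collector side (a multi-homed transit provider)."""
    chain = [origin]
    seen = {origin}
    while True:
        nxt = announced_to(paths, chain[-1])
        if len(nxt) != 1:
            break
        (hop,) = nxt
        if hop in seen:  # defensive: a looped or malformed path
            break
        chain.append(hop)
        seen.add(hop)
    return chain


if __name__ == "__main__":
    print("origins:", sorted(origins(SAMPLE_PATHS)))
    chain = upstream_chain(SAMPLE_PATHS, 47860)
    print("single-homed chain:", " -> ".join(f"AS{a}" for a in chain))
    print("AS29632 announced to:", sorted(announced_to(SAMPLE_PATHS, 29632)))
    print("prepending in path 2:", prepend_counts(parse_path(SAMPLE_PATHS[1])))
```

With only two collector vantage points the chain is a lower bound: `announced_to` can only list neighbours that appear in some observed path, so a third upstream of AS29632 that neither collector reached would not show up. Feed it every path a looking glass or RIPEstat gives you, not just the two quoted here, before drawing conclusions about who should be contacted.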

In message <20161006163137.uvcnzodrve6tom43@cisco.com>,

P.S. This crap appears to be brought to us courtesy of AS29632,
NetAssist, LLC:

    http://new.netassist.ua/

assuming accuracy of records, etc... :wink:

Right. And that doesn't seem to be RIPE's strong suit.

or courtesy of both AS43659 (who was peering with and announcing the prefix to)
and AS29632 (who was then accepting and announcing to its upstreams)? seems to
be an interesting relationship between the two (2) of them; along with an even
more interesting relationship/affiliation between AS43659 and AS57166 - and the
upstream for both the ASNs is/was AS29632 (NetAssist LLC). :wink:

Well, yes. I tried to untangle the relationships here just by looking at
bgp.he.net, but as I looked at all of the relevant pages, nothing seemed
to be adding up, or even remaining consistent among all of the info that
bgp.he.net was showing me. So I just shrugged, gave up, and reported the
few facts that I felt sure about here.

Specifically, bgp.he.net is reporting the name associated with AS47860 as
"Albino, LLC", but personally, I have no idea where they are getting that
name from. (And it sure doesn't look like a European style of company
name... rather more American, I think.)

Then I looked at the bgp.he.net connectivity graph for AS47860:

    AS47860 OOO "OTC" - bgp.he.net

This suggests that AS47860 is connected to the Internet only via AS43659,
D2 International Investment Ukraine Ltd. (That AS, it seems, is currently
announcing -zero- routes of its own, which seems, well, odd.)

The connectivity graph for AS43659 is here:

    AS43659 Neterra Ltd. - bgp.he.net

This seems to indicate that AS43659 is only connected to the Internet via
AS29632 and that AS29632 is itself -only- connected to the Internet via
AS6939. But then when I looked at the connectivity graph for AS29632
it actually appears to have -five- different IPv4 peers:

   AS29632 Netassist Limited - bgp.he.net

But then I looked at the actual -list- of IPv4 peers of AS29632 and I see
it has 121 of them!

     AS29632 Netassist Limited - bgp.he.net

So, anyway, bottom line, there are clearly things about how bgp.he.net draws
connectivity graphs that I don't actually understand.

That's OK. I don't need to understand any of that in order to understand
that AS47860 is a bogus unregistered AS which is, and which has been, apparently,
for some long time, announcing a route (93.175.240.0/20) to unregistered RIPE
IPv4 space.

Sadly, announcing of bogons is not uncommon, so I wouldn't even have mentioned
this if it hadn't been for the fact that historical passive DNS data indicate
quite clearly that at least one snowshoe spammer was using that IPv4 space at
about this time last year.

Regards,
rfg

Private reply:

bgp.he.net sees it. For me.

ERROR: 93.175.240.0/20 Not Found - bgp.he.net

I don't know why they do and you do not.

--Sandy

That just means, they "have" seen it. Not that they're seeing it right now, actually.

I checked our feed, which you can also check at http://lg.as42227.net

And various upstream looking glasses, for example HE.net's actually.

NIKHEF Amsterdam
Interxion Copenhagen
he.net Fremont 2

None of them have the route in the table.

Even the CIDR report reports that it's withdrawn:
http://www.cidr-report.org/cgi-bin/as-report?as=AS47860&view=2.0

But it has been seen in the last 7 days.

Kind regards,
Martin List-Petersen
Airwire Ltd.

In message <20161006163137.uvcnzodrve6tom43@cisco.com>,

P.S. This crap appears to be brought to us courtesy of AS29632,
NetAssist, LLC:

    http://new.netassist.ua/

assuming accuracy of records, etc... :wink:

Right. And that doesn't seem to be RIPE's strong suit.

It's not so much a question of RIPE's strong suit, but more the LIRs that don't keep their info updated.

RIPE only updates the basic data to match the contract data, but they're quite adamant about updated data if you want further allocations, which now sort of again is ... void.

Specifically, bgp.he.net is reporting the name associated with AS47860 as
"Albino, LLC", but personally, I have no idea where they are getting that
name from. (And it sure doesn't look like a European style of company
name... rather more American, I think.)

I reckon .. but this is a guesstimate, that the AS and prefix probably were allocated to that company in the past, but either their contract never was finalised or their contract was cancelled by one of the parties.

So that might have been the name that "used" to be in the whois database for that prefix and ASN, but now isn't anymore, if the entity has ceased to exist.

That could also be the reason why the prefix and ASN have been seen historically.

Either way ... that's a guesstimate, but a very plausible one. Only somebody inside RIPE would be able to shed more light on what actually happened. If they're actually permitted (could be prevented by data protection).

Kind regards,
Martin List-Petersen

Some still have the route:

    http://lg.ring.nlnog.net/prefix_detail/lg01/ipv4?q=93.175.240.0/20

Kind regards,

Job