Anyone hear of the SundownGroup?
On Thursday we received an interesting RFQ from them and suspect their intentions for requesting an IP assignment isn't exactly what they state. We have already turned them down, but thought others might be interested in their activities as well. RIPE NCC has also been notified of this.
In brief they wanted to buy colo form us: "P4 single core @ 2 Ghz, 1 GB RAM, 60 GB HD, Linux CentOS 5x.x, 10 Mbps bandwidth. A single /21 or /20 net block of IP Adresses"
Their reason for requesting such a large address block was "As we are currently launching our WholesaleVOIP operation we are in desperate need of this IP space as part of our ARIN process we will need these ranges SWIPd to us and we will in turn renumber with ARIN and return the netblocks to you as soon as ours are allocated and routed."
Interesting tidbits about the company we and the networking community have already found out:
Compare http://sundowngroup.com/ and http://www.edgecast.com/ (Edgecast has been notified).
The contact address is the same as National University Nevada (nu.edu):
Sundown Capital Management LLC
2850 Horizon Ridge Parkway
Henderson, Nevada 89052
United States of America
They also have virtually no Internet presence (http://www.google.com/search?q="Sundown+Capital+Management")
The first result shows them as a franchicing company with contact address in California: http://www.scribd.com/doc/14385124/QFA-Unit-Final-PDF-File-of-32709-FDD-With-Exhibits
I'd say this case is pretty obvious...
With Kind Regards,
We see this all the time, usually it involves either a /20 or multiple-/xx
that change every month.
Jeff
Kind of funny how they intend to do enough 'WholesaleVoIP" on a 10Mbps connection/1GB RAM for a /20 
That is a giveaway in itself.
Yeah, it's pretty obvious from the start. I'd like to see the VoIP-system with those requirements...
I just think these cases should be made public to at least slow these guys down, just in case someone else is less cluefull If these really happen all the time in the big world, this list may not be the right place, but just something Google can find. This is not first case we have come across requests like this, but still not so common in the Finnish hosting scene.
With Kind Regards,
They hit up one of our sales guys last week. I gave it an immediate two thumbs down. I think the sales guy knew the request was bogus and was really just showing it to me out of humor.
If they want frequently changing IPs, it's almost certainly for spamming.
I got the impression with these people they were just trying to get a bunch of SWIPs in order to go to ARIN and request as big a block of ipv4 as they could get with the intent to chop it up and resell it in pieces as soon as ARIN runs out of IPs to satisfy normal requests.
it used to be (~4-5 years ago) that the spammer code of 'voip service
provider' was really 'we intend on raping proxies all over the planet'
... when you call them out on the random port traffic out of their
pipe they point at their 'business' model that this is 'voip traffic,
you know that rtp uses random ports, right?'
I used to have some quick/dirty instructions for how to verify that
the traffic was in fact proxy traffic, something like:
1) log traffic from the soon-to-be-ex-customer (acl logs are fine)
2) pick an external 'top talker'
3) route that /32 to a host you control
4) run NC on the port that /32 is being contacted on
5) rejoice (and shut now ex-customer interface) when you see: "CONNECT
smtp.xxxxx:25"
from the connection...
-Chris
it used to be (~4-5 years ago) that the spammer code of 'voip service
provider' was really 'we intend on raping proxies all over the planet'
... when you call them out on the random port traffic out of their
pipe they point at their 'business' model that this is 'voip traffic,
you know that rtp uses random ports, right?'
I haven't seen that excuse/justification from customers. What I did see recently that I have to admit was very slick was a customer who claimed they were going to be doing a bunch of remote "terminals" in stores VPN'd into their dedi servers and would be streaming video from the servers to the clients. This was of course 99% BS. There was VPN involved....they used the dedi servers as VPN endpoints for their spam servers that were hosted elsewhere. When we shut them down, there was absolutely nothing incriminating of spam operations on their servers...and all they had to do was sign up for service at another hosting company, setup the VPN server, change the IPs their spam servers VPN to, and they're back in business.
When sales brought me their initial request, I really didn't believe it, but I didn't have good enough cause to reject it.
I used to have some quick/dirty instructions for how to verify that
the traffic was in fact proxy traffic, something like:
1) log traffic from the soon-to-be-ex-customer (acl logs are fine)
2) pick an external 'top talker'
3) route that /32 to a host you control
4) run NC on the port that /32 is being contacted on
5) rejoice (and shut now ex-customer interface) when you see: "CONNECT
smtp.xxxxx:25"
Seems like a lot of work when you could just setup a monitor session on their port and capture a few minutes of actual spam traffic as evidence just before shutting their port.
Yeah. This is just the way snowshoe spammers operate - GRE or VPN
tunnels back to a master server, and a /24 full of output points with
throwaway hostnames / reverse dns
sorry, can't do monitor on a ptp oc-12 link 
Anyone hear of the SundownGroup?
yes it is the fictional name - it pertains to a covert operations group
from a Tommy Lee Scott & Gene Hackman movie called "The Package". As I
recall "Operation Sundown" was the op name and it was a bunch of
assassins but there were a number of instances used.
In this instance the SundownGroup (or Sundowner Group) was a specialized
Army strikeforce who was about to assassinate the Russian Prime Minister
or somesuch.
TGlassey