[[ My apologies to thos eof you who may see this twice. I have posted the
   message below also to the RIPE Anti-Abuse Working Group mailing list,
   so any of you who are on that list also will see this twice. But I
   believe that it is relevant here also. ]]

It's quite conveniently to have all botnets C&C in several known ASNs. More pain if it will be spread through thousands regular residential customers, like when use fast(double)flux or peertopeer technologies :wink: Joke.

Really, there were a lot of cases all upstreams had disconnected some ASN for that type of activity. So it really works.

16.03.19 22:51, Ronald F. Guilmette пише:

Looking at the AS adjacencies for Webzilla, what would prevent them from disconnecting all of their US/Western Euro based peers and transits, and remaining online behind a mixed selection of the largest Russian ASes? I do not think that any amount of well-researched papers and appeals to ethical ISPs on the NANOG mailing list will bring down those relationships.

The likelihood of the Russian domestic legal system implementing US/Western European court orders against bulletproof hosting companies is quite low.

isn’t i the case that 35415 peers with 174/3356/2914 directly and shouldn’t you just be asking those folk: “Hey, err… are you getting these complaints? do you care about the harm?”

In message <CAB69EHiS0dAFyrUQ0ajEc3+En8+ccCVNcPaXmFvwz1CjBNQ2WA@mail.gmail.com>,

Looking at the AS adjacencies for Webzilla, what would prevent them from
disconnecting all of their US/Western Euro based peers and transits, and
remaining online behind a mixed selection of the largest Russian ASes? I do
not think that any amount of well-researched papers and appeals to ethical
ISPs on the NANOG mailing list will bring down those relationships.

Everything you say may be correct, but I personally would feel remiss if
I failed to point out the facts of this case to an audience that has it
within its power to do something about the issue.

And the facts in this case could not be more plain. At best, it can only
be said that Webzilla, and all of its various faces, simply doesn't care
about the majority of us who just want to use the Internet in peace and
security. (And that abundant lack of care seems to be the overriding
message of the reports I have cited.)

At worst, the company and its various nefarious customers present a clear
and present danger, if not to Western democracies then perhaps just to
anyone and anything that's connected to the Internet. And all of the
companies peering with the various Webzilla companies have a choice --
to support Webzilla and the harmful activities of all of its customers,
many of whom have proven themselves, time and again, to be outright
dangerous to the rest of us, or alternatively, to take reasonable measures,
and do what they can to save themselves, their customers, and people around
the world from so easily, conveniently, and inexpensively being hacked,
fiddled, hoodwinked and penetrated.

So this is the question. Can Western companies really justify, to themselves,
to their stockholders, and to their customers, their acts which make it
easier than it has to be for the likes of Webzilla to have connectivity?
Should these companies, whose profitability and mere existance rests on
both the freedom and justice, such as they are, that is commonly available
in Western liberal democracies... should these companies continue to support,
even if only indirectly, those who would undermine that same freedom and
justice on which the companies themselves depend? And even setting aside
THAT consequential question, are the long term best interests of these
same Western companies best served by an Internet that is known to the
public at large as a place primarily characterized by scamming, scheming,
and skulduggery? And finally, is it a persuasive arguement to say that
because there is crime in the world, and always has been, and likely always
will be, that we, and each of us, should harbor and abet criminals simply
because it is convenient for us to do so, and perhaps even profitable in the
short run?

You may think me naive, but I say that the answer each and all of these
questions is a resounding "no". It shall not profit any of these companies
who provide peering to Webzilla, even if they gain the whole world, if they
lose their souls. Will there still be a thriving and growing market for
moving bits when nobody in his or her right mind trusts the Internet anymore?

Although I am cloaking my arguments, at least to some extent, in moral and
ethical terms, I do understand that such considerations are not at all
likely to be persuasive when it comes to the world of commerce. That's
perfectly OK, because in this instance I believe that I am also arguing in
favor of enlightened self-interest. Are any of the customers of any of the
companies that provide peering to Webzilla and/or its various parts and
pieces better off or worse off because of that peering? I believe that
sober and informed reflection on this simple question will yield the Right

In the early years of the 20th century, Vladimir Lenin, leader of the
Bolshevik, revolution, famously quipped to his communist collegues that
"The capitalists will sell us the rope to hang them with." His prescient
words have endured even the fall of the empire he founded because they
clarify a simple and fundamental truth -- in capitalist systems, short
term greed often overrides both rationality and simple common sense.
My hope is that it will not be so on this occasion, and that enligtened
long-term self interest will prevail, at least among those companies that
are peering with any of Webzilla's ASNs.

I would be happy to see Webzilla be given no choice other than to beat a
retreat, back to Russia, and to have the company seek connectivity there
and only there. If the company wishes to continue either its support for,
or its abject tolerance of the kind of nefarious activities documented
in detail in the report I cited, then I say let them do that, let them
connect only via Russia, and let the company's true allegiances be revealed
for all to see. If, as now seems evident, the company wants to continue
to flaunt the norms and traditions of the civilized portions of the Internet,
then I don't see it as being in anyone else's best interests for Webzilla
to continue to be welcomed with open arms, as they currently are, in Dallas,
in Singapore, or in any other place where democracy and the rule of law
still hold sway.


P.S. For those of you who missed it, I would like to suggest to you all
that you google the name "Spammy Bear" and start reading. The press
reports on this case arose from my determined efforts to investigate the
source of a large scale set of bitcoin extortion spams, which had been
sent to tens or hundreds of thousands of recipients across the United
States, Canada, Australia, New Zealand, and Hong Kong on December 13th,
2018. These scam-spams informed all those who received it that there
was a bomb in their building, and that the bomb would detonante if a
certain bitcoin ransom wasn't paid by the end of business on that same

In te wake of this large scale scam-spam, police, first responders, and
bomb squads were called out in innumerable locations throughout all of
the affected countries. Innumerable businesses, schools, hospitals,
universities, and government buildings were either evacuated or put on
lockdown as a reasonable precaution. Even now, several months after
the event, you can still get a sense of how widespread this event was
by simply going to YouTube and searching for "bitcoin" and "bomb threat".
You will then be able to see numerous local media reports from around
the country describing the widespread mayhem.

I expended some considerable time and effort to try to find out who and
what was the source of this massively disruptive event. Although I was
not able, in the end, to find a conclusive attribution to any specific
individuals, I was at least able to track down the full set of IPv4
addresses that were the likely sources of these bogus bitcoin extortion
threats. And in turn, I identified the full set of ASNs that were the
likely sources. (I also found out that GoDaddy had a rather serious
security problem, but that is and was another story.)

Several Russian ASNs were the primary sources of these unambiguously
criminal scam-spams. Also however, at least a few of the source IP
addresses involved traced back to at least two different Webzilla ASNs.

I may not know for certain who the specific criminals were who sent out
those bomb threat spams, but Webzilla does, or should anyway. I would
be more than happy to receive that information from them, as, I'm sure
would any one of the countless law enforcement agencies that were called
out, on an emergency basis, on December 13th, 2018, to investigate these
bogus bomb threats. I feel sure that, like me, they too are all still
hopping mad about this bogus waste of their time and resources.

That having been said, I do not anticipate that Webzilla will so easily
give up their criminal customers who did this anytime soon. I invite
the company to prove me wrong about this. (Not that it would make much
difference to anything anyway, in the end. The actual perps who sent
those scam-spams are almost certainly located in Russia, and thus, not
subject to extradition, even if they were proven to be serial killers.)

P.P.S. In a simpler and less naive time, an event like the coast-to-coast
wall of bomb threats that was unleashed against my country, the United
States of America, on December 13th, 2018 might well have been considered
an Act of War. These days, everyone just shrugs and goes back to work.
It is left as an exercise for the reader to deduce which response is the
more appropriate one, given the totality of present circumstances.

Your speech is very reminiscent of this very Lenin, who climbed on an armored car and broadcasted speech to the "worker class" and told how bad are rich and how to restore justice.
Only instead of rich people you have "those pesky Russians", and instead of the working class - "Western democracies". But let's not get into politics too deep.
What prevents those who consider the activities of this hosting to be so harmful that they are worth blocking - to filter and add to the ACL lists of networks, where Webzilla AS is origin?
Or make some easy to use lists, API, BGP feed, and those who decide to participate will null-route offenders, and you will see how many people will support you.
If this list is compiled carefully, then I am sure it will interest many(including me). If it turns into a political tool or a tool for extortion ... then of course not.

And generally speaking, all these speeches from an armored cars end with a witch hunt, and almost always entire nations or categories of people are appointed as witches, depending on the trends.
Who will be next? Cloudflare? Their attempt to maintain neutrality annoys many.
Amazon? They react very slowly to abuse.
OVH? It seems they do not care about abuse at all.
Or maybe it will go into fashion to make the guilty - legal arms sellers? Or internet-stores who sell alcohol?
Just create a cause for a depeering, and a lot of people with their special views will demand a depeering at every opportunity.

P.S. North Korea, as far as I know, is very limited in connectivity choice, and this does not prevent them from creating a bunch of problems.
As Max Tulyev said, and they are good example, just sprayed through countless proxies.