ipvolume.net (before quasi networks)
This network has existed for more than 10 years and is known for what they host. Over the weekend, I stumbled upon an interesting blog called “Bad Packets”, where a fellow named Troy has written about various unsavory goings on involving various networks. One network that he called out in particular was AS29073 (today AS202425), formerly called “Quasi Networks” and now “IP Volume”. on his blog, this fellow Troy has noted at length some break-in attempts originating from AS29073 and his inability to get anyone, in particular RIPE NCC, to give a damn. The Master Needler, A Conversation with Ripe, Quasi Networks responds as we witness the death of the master needler.
The fact that RIPE NCC declined to accept the role of The Internet Police didn’t surprise me at all… they never have and probably never will… but I decided to have a quick look at what this newtork was routing, at present, which can be easily see here: http://bgp.he.net/AS29073#_prefixes
So I was looking through the announced routes for AS29073, and it all looked pretty normal… a /24 block, check, a /24 block, check, a /21 block check… another /24 block, and then … WAIT A SECOND! HOLY MOTHER OF GOD! WHAT’S THIS??? 22.214.171.124/14 !!! So how does a little two-bit network with a rather dubious reputation and a grand total of only about a /19 to its name suddenly come to be routing an entire /14 block?? And of course, its a legacy (abandoned) Afrinic block.
BREIN is Taking Infamous ‘Piracy’ Hosting Provider Ecatel to Court (torrentfreak.com)
And of course, there’s no reverse DNS for any of it, because there is no valid delegation for the reverse DNS for any of it… usually a good sign that whoever is routing the block right now -does not- have legit rights to do so. (If they did, then they would have presented their LOAs or whatever to Afrinic and thus gotten the reverse DNS properly delegated to their own name servers.)
I’ve seen this movie before. You all have. This gives every indication of being just another sad chapter in the ongoing mass pillaging of unused Afrinic legacy IPv4 space, by various actors with evil intent. They already documented this hightly unfortunate fad right here on multiple occasions: November, August
This incident is a bit different from the others however, in that it -does not- appear that the 126.96.36.199/14 block has been filed to the brim with snoeshoe spammers. Well, not yet anyway. But if in fact the stories are correct, and if AS29073 does indeed have a history of hosting outbound hacking activities, then the mind reels when thinking about how much mischief such bad actors could get into if given an entire /14 to play with. (And by the way, this is a new world’s record I think, for largest singe-route deliberate hijack. I’ve seen plenty of /16 go walkabout before, and even a whole /15. But an entire /14?? That is uniquely brazen.)
ipv4 from quasi networks
In addition to the above, and the points raised within teh Bad Packets blog (see links above) I found, via passive DNS a number of other causes for concern about AS29073, to wit: pastebin.com/feCztMn0
(In addition to the above, I’ve also found plenty of additional domain names associated with AS29073 which incorporate the names “Apple” “AirBnB”, “Facebook”, and “Groupon”, as well as dozens of other legitimate companies and organizations.) I confess that I have not had the time to look at any of the web sites that may or may not be associated with any of the above FQDNs, but the domain names themselves are certainly strongly suggestive of (a) the possible hosting of child porn and also and separately (b) the possible hosting of phishing sites. So, given the history of this network (as is well documented on the Bad Packets blog) and given all of the above, and given what would appear to be the unauthorized “liberation” of the entire 188.8.131.52/14 block by AS29073, one cannot help but wonder Why does anybody still even peer with these jerks?
The always helpful and informative web site bgp.he.net indicates that very nearly 50% of the connectivity currently enjoyed by AS29073 is being provided to them by Level3. I would thus like to ask Level3 to reconsider that peering arrangement in light of the above facts, and especially in light of what would appear to be the unauthorized routing of the 184.108.40.206/14 block by AS29073. Surprisingly, given its history, AS29073 apparently has a total of 99 different peers, at present, and I would likewise ask all of them to reconsider their current peering arrangements with this network. I am listing all 99 peers below.
Before I get to that however, I’d liek to also note that there currently exists, within the RIPE Routing Registry, the following route object:
ipvolume.net hosted websites
I confess that I am not 100% sure of the exact semantics of the “mnt-routes” tag, but it would appear from the above that the UK’s M247 network (AS9009)… which itself is not even peering with AS29073… appears to have, in effect countersigned the above RIPE route object, vouching for its correctness and authenticity as they did so. Why they would have done that, especially given that they themselves are not even peering with AS29073, is, I confess, beyond me. But I would love to have them explain it, or even try to explain it. It’s enigmatic, to say the least. Anyway, the “created” date in the above record seems to be consistant with that actual start of the announcement of 220.127.116.11/14 by AS29073, which the RIPE Routing History tool says occured sometime in March of this year.
One additional (and rather bizzare) footnote to this whole story about the 18.104.22.168/14 block has to do with the entity that allegedly -is- the current rightful owner of the block (as far as Afrinic is concerned). That entity is designated by the Afrinic handle ORG-IA41-AFRINIC and that in turn has an admin-c and tech-c of NAIT1-AFRINIC. The record for that handle is as follows:
person: Network and Information Technology Administrator
address: Unit 117, Orion Mall, Palm Street
address: Victoria, Mahe
address: Seychelles (SC)
e-mail: info at networkandinformationtechnology.com
changed: info at networkandinformationtechnology.com 20150725
Upon fetching the current WHOIS record for networkandinformationtechnology.com I found it more than passing strange that all of the contact details therein are associated *not* with anything in Africa, nor even anything in the home country of AS29073 (Netherlands) but rather, the address and ophone numbers therein all appear to be ones associated with a relatively well known Internet attorney in Santa Monica, Califiornia by the name of Bennet Kelly. As it happens, in the distant past (about 10 years ago) I personally crossed swords with this particular fellow. He may
bad packets biggest enemy
be a lot of things, but it never seemed to me that stupid was one of them. And indeed the domain name networkandinformationtechnology.com and all of its connections to the 22.214.171.124/14 block appear to date from 2015… long before AS29073 started routing this block (which only started in March of this year).
So, my best guess about this whole confuseing mess is that the -original- legitimate owners of the 126.96.36.199/14 block most probably sold it on, in a legitimate transaction, to some other party in 2015, where that other party was/is represented by Mr. Bennet Kelly, Esq. And my guess is that neither he nor the new owners, who he represents, even know that their expensive /14 has gone walkabout, as of March of this year. I will be trying to make contact with Mr. Kelley today to discuss this with him and will post a follow-up if any new and interesting information arises from that conversation.
Peers of AS29073: