AS29073, the most fucked-up network ever

ipvolume.net (before quasi networks)

This network has existed for more than 10 years and is known for what they host. Over the weekend, I stumbled upon an interesting blog called “Bad Packets”, where a fellow named Troy has written about various unsavory goings on involving various networks. One network that he called out in particular was AS29073 (today AS202425), formerly called “Quasi Networks” and now “IP Volume”. On his blog, this fellow Troy has noted at length some break-in attempts originating from AS29073 and his inability to get anyone, in particular RIPE NCC, to give a damn. The Master Needler, A Conversation with Ripe, Quasi Networks responds as we witness the death of the master needler.

The fact that RIPE NCC declined to accept the role of The Internet Police didn’t surprise me at all… they never have and probably never will… but I decided to have a quick look at what this network was routing, at present, which can be easily seen here: http://bgp.he.net/AS29073#_prefixes

So I was looking through the announced routes for AS29073, and it all looked pretty normal… a /24 block, check, a /24 block, check, a /21 block, check… another /24 block, and then … WAIT A SECOND! HOLY MOTHER OF GOD! WHAT’S THIS??? 196.16.0.0/14 !!! So how does a little two-bit network with a rather dubious reputation and a grand total of only about a /19 to its name suddenly come to be routing an entire /14 block?? And of course, it’s a legacy (abandoned) Afrinic block.

BREIN is Taking Infamous ‘Piracy’ Hosting Provider Ecatel to Court (torrentfreak.com)

And of course, there’s no reverse DNS for any of it, because there is no valid delegation for the reverse DNS for any of it… usually a good sign that whoever is routing the block right now -does not- have legit rights to do so. (If they did, then they would have presented their LOAs or whatever to Afrinic and thus gotten the reverse DNS properly delegated to their own name servers.)
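As an added example (not part of the original post), here is a Python check for the reverse-delegation signal described above, generalized from the /14 to any IPv4 prefix; the NS lookup is injected so it runs offline, and the delegation data in SAMPLE_NS is constructed.

```python
import ipaddress
from typing import Callable, Dict, List

# Added example, not from the original post: enumerate the in-addr.arpa zones
# for an IPv4 prefix and report which ones lack an NS delegation.

def reverse_zones(prefix: str) -> List[str]:
    """Reverse zones a legitimate holder of `prefix` would have delegated.
    Delegation is on octet boundaries: a /14 gives four /16 zones, a /21
    eight /24 zones, and anything longer than /24 its enclosing /24 zone."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4:
        raise ValueError("IPv4 prefixes only")
    octets = min(3, max(1, -(-net.prefixlen // 8)))  # ceil(prefixlen / 8), capped at 3
    zone_len = octets * 8
    if zone_len < net.prefixlen:
        subnets = [net.supernet(new_prefix=zone_len)]
    else:
        subnets = list(net.subnets(new_prefix=zone_len))
    zones = []
    for sub in subnets:
        labels = str(sub.network_address).split(".")[:octets]
        zones.append(".".join(reversed(labels)) + ".in-addr.arpa")
    return zones

def undelegated_zones(prefix: str, lookup_ns: Callable[[str], List[str]]) -> List[str]:
    """Zones of `prefix` for which `lookup_ns(zone)` returns no NS names.
    The resolver is injected so this runs offline; for a live check pass e.g.
    lambda z: [str(r) for r in dns.resolver.resolve(z, "NS")] (dnspython)."""
    return [z for z in reverse_zones(prefix) if not lookup_ns(z)]

# Constructed sample: the documentation prefix 198.51.100.0/24 is delegated to
# made-up name servers, while the /14 from the post has no delegation at all.
SAMPLE_NS: Dict[str, List[str]] = {
    "100.51.198.in-addr.arpa": ["ns1.example.net.", "ns2.example.net."],
}

def sample_lookup(zone: str) -> List[str]:
    return SAMPLE_NS.get(zone, [])

if __name__ == "__main__":
    for p in ("196.16.0.0/14", "198.51.100.0/24"):
        missing = undelegated_zones(p, sample_lookup)
        print(p, "zones without delegation:", missing or "none")
```

A missing delegation is only a signal, as the post says: a legitimate holder may simply never have set up reverse DNS, so treat it as a prompt to check the RIR records rather than as proof of a hijack.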

I’ve seen this movie before. You all have. This gives every indication of being just another sad chapter in the ongoing mass pillaging of unused Afrinic legacy IPv4 space, by various actors with evil intent. They already documented this highly unfortunate fad right here on multiple occasions: November, August

This incident is a bit different from the others however, in that it -does not- appear that the 196.16.0.0/14 block has been filled to the brim with snowshoe spammers. Well, not yet anyway. But if in fact the stories are correct, and if AS29073 does indeed have a history of hosting outbound hacking activities, then the mind reels when thinking about how much mischief such bad actors could get into if given an entire /14 to play with. (And by the way, this is a new world’s record I think, for largest single-route deliberate hijack. I’ve seen plenty of /16 go walkabout before, and even a whole /15. But an entire /14?? That is uniquely brazen.)

ipv4 from quasi networks

In addition to the above, and the points raised within the Bad Packets blog (see links above), I found, via passive DNS, a number of other causes for concern about AS29073, to wit: pastebin.com/feCztMn0

(In addition to the above, I’ve also found plenty of additional domain names associated with AS29073 which incorporate the names “Apple”, “AirBnB”, “Facebook”, and “Groupon”, as well as dozens of other legitimate companies and organizations.) I confess that I have not had the time to look at any of the web sites that may or may not be associated with any of the above FQDNs, but the domain names themselves are certainly strongly suggestive of (a) the possible hosting of child porn and also and separately (b) the possible hosting of phishing sites. So, given the history of this network (as is well documented on the Bad Packets blog) and given all of the above, and given what would appear to be the unauthorized “liberation” of the entire 196.16.0.0/14 block by AS29073, one cannot help but wonder: why does anybody still even peer with these jerks?

The always helpful and informative web site bgp.he.net indicates that very nearly 50% of the connectivity currently enjoyed by AS29073 is being provided to them by Level3. I would thus like to ask Level3 to reconsider that peering arrangement in light of the above facts, and especially in light of what would appear to be the unauthorized routing of the 196.16.0.0/14 block by AS29073. Surprisingly, given its history, AS29073 apparently has a total of 99 different peers, at present, and I would likewise ask all of them to reconsider their current peering arrangements with this network. I am listing all 99 peers below.

Before I get to that however, I’d like to also note that there currently exists, within the RIPE Routing Registry, the following route object:


route: 196.16.0.0/14
origin: AS29073
mnt-by: QUASINETWORKS-MNT
mnt-by: EC42500-MNT
mnt-routes: EC42500-MNT
mnt-routes: M247-EU-MNT
created: 2017-03-28T21:47:03Z
last-modified: 2017-08-11T19:58:39Z
source: RIPE

I confess that I am not 100% sure of the exact semantics of the “mnt-routes” tag, but it would appear from the above that the UK’s M247 network (AS9009)… which itself is not even peering with AS29073… appears to have, in effect, countersigned the above RIPE route object, vouching for its correctness and authenticity as they did so. Why they would have done that, especially given that they themselves are not even peering with AS29073, is, I confess, beyond me. But I would love to have them explain it, or even try to explain it. It’s enigmatic, to say the least. Anyway, the “created” date in the above record seems to be consistent with the actual start of the announcement of 196.16.0.0/14 by AS29073, which the RIPE Routing History tool says occurred sometime in March of this year.

One additional (and rather bizarre) footnote to this whole story about the 196.16.0.0/14 block has to do with the entity that allegedly -is- the current rightful owner of the block (as far as Afrinic is concerned). That entity is designated by the Afrinic handle ORG-IA41-AFRINIC and that in turn has an admin-c and tech-c of NAIT1-AFRINIC. The record for that handle is as follows:


person:     Network and Information Technology Administrator
address:    Unit 117, Orion Mall, Palm Street
address:    Victoria, Mahe
address:    Seychelles (SC)
phone:      +972-54-2203545
e-mail:     info at networkandinformationtechnology.com
nic-hdl:    NAIT1-AFRINIC
mnt-by:     MNT-NETWORKANDINFORMATIONTECHNOLOGY
changed:    info at networkandinformationtechnology.com 20150725
source:     AFRINIC

Upon fetching the current WHOIS record for networkandinformationtechnology.com I found it more than passing strange that all of the contact details therein are associated *not* with anything in Africa, nor even anything in the home country of AS29073 (Netherlands) but rather, the address and phone numbers therein all appear to be ones associated with a relatively well known Internet attorney in Santa Monica, California by the name of Bennet Kelly. As it happens, in the distant past (about 10 years ago) I personally crossed swords with this particular fellow. He may be a lot of things, but it never seemed to me that stupid was one of them. And indeed the domain name networkandinformationtechnology.com and all of its connections to the 196.16.0.0/14 block appear to date from 2015… long before AS29073 started routing this block (which only started in March of this year).

So, my best guess about this whole confusing mess is that the -original- legitimate owners of the 196.16.0.0/14 block most probably sold it on, in a legitimate transaction, to some other party in 2015, where that other party was/is represented by Mr. Bennet Kelly, Esq. And my guess is that neither he nor the new owners, who he represents, even know that their expensive /14 has gone walkabout, as of March of this year. I will be trying to make contact with Mr. Kelley today to discuss this with him and will post a follow-up if any new and interesting information arises from that conversation.

Peers of AS29073:
pastebin.com/prV5YNCh

When Advertising Networks..

…start requesting IDs from you, then you think twice about whether you want to do this. Especially if they come from the grey zone. I was asked a few days ago to send my ID to Propellerads. I was registered with them as a publisher for almost a year and gave them more than a million impressions a month. They decided to start something new called KYC System. I can understand when payment systems or governments exert pressure. This forces networks such as Propellerads to take action.

Propellerads knows, however, where their advertising comes from. I suppose 50 or 60%, if not even more, comes from the grey zone or from the scene. Just the thought of subscription traps, viruses, gambling and other methods used as advertising media makes this even more suspicious. Especially for webmasters. Of course I would have no problem sending my ID to such a company. However, as a webmaster you still think about whether you should take such a step. Nevertheless, anonymity is more important to a webmaster than something like that, isn’t it?

Mail from Propellerads

Advertising from Adsterra, Adcash, Popcash, Popads and many more is simply used by illegal warez, porn, stream or filehoster and streamhoster sites, and these companies know this and do targeted advertising for them. Maybe I’m wrong, maybe I’m overreacting. However, I find that such a sensitive topic has to be reconsidered again and again, especially with such providers. Especially if providers also offer payouts in the form of cryptocurrencies, this is an even bigger issue.

I have come to the decision to move from Propellerads and register with other providers.

Let’s see if other providers will join in or if this is the case everywhere. Otherwise alternatives have to be found.

When suddenly Hetzner..

.. is the front-runner in the hosting industry and every webmaster goes wild because possibilities arise which nobody would ever have thought of. Hetzner started last year to expand their bandwidth offer. The bandwidth was on a dedicated 1000 Mbps connection for actually all of their dedicated servers. However, they were still limited to 20 TB per month until almost the end of 2018. When you exceeded 20 TB, the connection was throttled.

Hetzner then decided to lift the bandwidth limitation entirely. Now there is unlimited bandwidth for almost all dedicated Hetzner servers. On LowEndTalk the topic was hotly discussed and the users did not hesitate to create the first memes.

hetzner memes

The interesting thing about the whole thing is that after Hetzner increased the bandwidth, OVH went straight along with it. There was suddenly double bandwidth at OVH and that’s exactly what revived the whole community and webmaster scene. Hetzner offers more and more servers where you just can’t look away and have to buy them. That’s why many users keep saying “RIP wallet” with offers from Hetzner. Exactly for these reasons there are the memes for Hetzner.

You are forced to buy servers from Hetzner because they are simply good and cheap and there is no competitor. However, there is a problem for webmasters from the file sharing scene. The server locations are in Germany (Germany is not a lucrative location for file sharers). That makes the whole thing interesting again. Hetzner was abused again and again by warez, streaming or even warez linking websites because their offers are simply unbeatable. That reminds me of the story of Kino.to. After the whole Kino.to gang was broken up and arrested, new stuff came out from the background of the whole crew and website. Kino.to was, like any other streaming site, a concept where the streams were only linked and forwarded to streaming providers. At that time there were providers like Freakshare, Bitshare, Duckload and one provider called Archiv.to.

Archiv.to was actually a stream hoster that had all its storage servers at Hetzner. One employee had close contact with the Archiv.to operators, who were actually also the operators of Kino.to. They had agreed on a deal in which everyone saw a profitable business. With the arrests at Kino.to such stories surfaced on the net that might have been true or false.

However, we hope that Hetzner will continue to be so cool and bring offers that will burn the bank accounts of its loyal customers again and again.

Wi.to? What now?

Many knew the former Wi.to. For more than five years, the site has been a victim of projects that were put on ice due to lack of experience and the wrong approach. The domain is currently used as an image host by me privately. Through ShareX I create screenshots or GIFs which I link here or just need privately to show or send pictures.

Wi.to was a successful image hoster last year. With over 3 million picture uploads it was one of the most popular image hosters on the net. The sad story developed after the summer last year when Wi.to was completely censored by internet service providers in India. 60% of the traffic originated from India, where we could cover the whole server costs. This censorship was caused by child pornographic content that was discovered too late to be completely deleted from the server. The funny thing about this story was that although there was a contact form on the site, this content was never reported. Despite trying to contact the internet service providers in India, we were not able to unblock the site due to this court order.


The two-letter .to domain makes the site unique enough to do anything at all with it. At the moment, however, it is simply used privately by me and this will also remain so. At the moment the main page leads to a filehoster of a colleague whom I know very well and would like to support.

The site ran completely on Chevereto software and was slightly modified. The servers were all located at Private Layer Inc. This gave us more flexibility with reported images, where we could react accordingly. This would never have been possible with server locations like Germany.

Users were warned before the site was shut down that the site would be removed from the net and that we could not finance it due to circumstances.