
Routing Working Group


Re: [routing-wg] [anti-abuse-wg] An arrest in Russia

Ronald F. Guilmette

2019-12-28 04:03:25 CET

In message <20191228020627.GA9820@allog.giato>, 
furio ercolessi <furio+as _at_ spin _dot_ it> wrote:

>On Fri, Dec 27, 2019 at 02:35:29PM -0800, Ronald F. Guilmette wrote:
>> Anyone have more details about this?
>> 
>> https://belsat.eu/en/news/runet-founder-under-house-arrest/
>> 
>> The Czech company that allegedly received the allegedly stolen
>> 7.5 "B" blocks (/16) would seem to be this one:
>> 
>> ORG-RCS23-RIPE
>> AS15731
>> 
>> https://www.ripe.net/membership/indices/data/cz.relcom.html
>> 
>> But I am not seeing that ORG as having quite that many IPv4 addresses
>> assigned.
>> 
>> Maybe the alleged perp in this case only stole IPv6 addresses (?)
>
>Hello Ron,
>
>in https://ftp.ripe.net/pub/stats/ripencc/membership/alloclist.txt
>under cz.relcom you can currently see the equivalent of about 2.6 "B" blocks.
>
>However, only 10 days ago they were apparently a lot more! For instance, the list at
>https://www-public.imtbs-tsp.eu/~maigron/RIR_Stats/RIPE_Allocations/Allocs/CZ.html
>was collected on Thu Dec 19 2019 and shows the equivalent of about 9.6 "B" blocks
>(I enclose it below).
>So the majority of those blocks appears to have changed LIR, leaving cz.relcom/AS2118-MNT
>to return to ROSNIIROS (aka RIPN) in the past 10 days.  Example:

Fascinating.

It would be even more fascinating to have someone from RIPE NCC come and explain to
us all how it came to pass that something on the order of an alleged 490 thousand
IPv4 addresses got transferred, allegedly illicitly, from a Russian company to a
Czech company, AND what rules and standard procedures were followed in order to
transfer these back to the Russian company...

... but I also asked for a unicorn for Christmas and I didn't get that either.
:-)

I guess that when Russia comes knocking, RIPE NCC submissively complies.

I can only wish that they would do the same for me.


Regards,
rfg


Erik Bais

2019-12-28 14:44:20 CET

Hi Ronald,  

How these things slip through is when paperwork gets submitted that is incorrect and falsified with fake signatures.  
Despite all the efforts that the RIPE NCC is taking to recognize fake / falsified documents ... 

On the topic how does it get reversed ...  
Typically one of the actual directors reports a theft of IP space to the RIPE NCC..  
The RIPE NCC will then investigate and if things are incorrect, the legitimate holder can request a reverse of the IP space transfer.  

This obviously leaves the buyer ( typically one that paid a lot of money to a certain individual for the IP space ) ... without funds and without IP space.  
This is also why some if not most traders will/should walk away from certain deals if it isn't 100% clear who the actual legitimate holder of the IP space is and if the proper signatures aren't on the paperwork.  

Funds should always be deposited from an escrow into the bank account of the company that sells the IP space, never to a private bank account of a director or sister company ...  
Any other options that are requested are typical red flags for money laundering / fraudulent transactions .. 

Especially with international fraud, it is hard to get the funds back ... the buyer has little to no option to get the funds back and the one that received the funds is probably long gone.

Regards,
Erik Bais 



Randy Bush

2019-12-28 20:09:54 CET

> How these things slip through is when paperwork gets submitted that is
> incorrect and falsified with fake signatures.

and the ncc has a job advert out to hire even more lawyers (no blame;
it's a mess).  can ripe keep from becoming arin?

randy


Lu Heng

2019-12-29 01:14:26 CET

+1



On Sun, 29 Dec 2019 at 04:10, Randy Bush <randy _at_ psg _dot_ com> wrote:

> > How these things slip through is when paperwork gets submitted that is
> > incorrect and falsified with fake signatures.
>
> and the ncc has a job advert out to hire even more lawyers (no blame;
> it's a mess).  can ripe keep from becoming arin?
>
> randy
>
> --
--
Kind regards.
Lu

Ronald F. Guilmette

2019-12-29 04:46:27 CET

In message <CAAvCx3iky28KdLYYQ3Adubkj9i2gsTYv7GQxUzHK4MzcyV93MA _at_ mail.gmail _dot_ com>
Lu Heng <h.lu _at_ anytimechinese _dot_ com> wrote:

>+1

I should think so!

Lu, as the owner of a great deal of legitimately acquired AFRINIC IPv4
space, I should think that you would be suitably outraged to see others
committing fraud and/or other kinds of malfeasance in order to scam their
way into the same sort of IPv4 space that you legitimately bought and paid
for.  All of these crooked schemes should quite rightly be an outrage to
an honest man such as yourself.

And for that reason I feel sure that you'll be dismayed to learn that you
have... undoubtedly unintentionally... been paying at least some of your
honest and hard earned money to obtain routing for a small sub-part of
your sizable IPv4 holdings to a company that's rather unambiguously linked
to yet another apparent IPv4 scam that was already outed some months ago
by my friend, journalist Brian Krebs.

I'm speaking specifically about your 154.81.1.0/24, 154.208.12.0/22, and
154.208.16.0/20 blocks, all of which are apparently currently being routed
by a recently slapped together Virginia company named "Ting Wireless, LLC"
and its apparent proprietor, Roy Tyree Franklin (age 31).

    https://opencorporates.com/companies/us_va/S7848650

As we speak, it appears that this company and its ASN, i.e. AS398083, is
routing the above named blocks for you, and is also routing a number of
blocks for a somewhat slippery company known as Residential Networking
Solutions LLC, aka "RESNET", which Brian Krebs identified as being located
in the state of Maryland (consistent with the 240 area code of the phone
number on the company web site, resnet.io), but which at least some
relevant RIPE WHOIS records (e.g. ORG-RI49-RIPE) suggest is actually
located in Norwalk, Connecticut.

Here is Brian's article about this apparent scam from August:

    https://krebsonsecurity.com/2019/08/the-rise-of-bulletproof-residential-networks/

Since the time of Brian's article, it seems that "RESNET" and its apparent
sister company, Maryland Broadband, found the general ambiance rather less
accommodating of their chicanery in the ARIN region, so they did the logical
thing and started getting their IPv4 space from the always accommodating
RIPE region, where no criminal with a good story and a freshly minted
shell company is ever turned away, regardless of criminal past or present.

So anyway, Lu, your blocks are being routed by Ting Wireless, LLC, right
along with a bunch of others that I have more than a little reason to be
suspicious about, specifically regarding their provenance.  I feel sure
that this horrifies you, just as it does me, and that thus, you'll help
me to get to the bottom of it all.

As a first step, I hope that you will introduce me to whoever it was who
you contracted with at Ting Wireless in order to arrange for that company
to route your blocks, which it is quite clearly doing, right alongside
all of the questionable stuff:

    https://bgp.he.net/AS398083#_prefixes

Who did you send your check to at the fresh new company Ting Wireless, LLC?

Would that have been Mr. Roy Tyree Franklin?

Is that by any chance the exact same high-end experienced and seasoned
networking professional, Roy Tyree Franklin, who was busted on March 15, 
2015, in Petersburg, Virginia for fishing without a license?

    https://www.pressreader.com/usa/the-progress-index/20150420/281573764231659

Like I always say, "Beware the Ides of March!"

I have to say, I think that he would have been better served if he had been
stringing cat6 that day, or maybe upgrading his A/C plant, rather than
trawling for catfish.  But that's just my opinion.

Anyway, if you can arrange it, I would love to have you make a personal
introduction so that I can maybe get to the bottom of this whole set of
questions I have about this whole RESNET / Maryland Broadband thing.
Please do let me know if you can do that.  I don't see any reason why
you wouldn't be able to make connections for me, considering that
you are clearly doing business with this company (Ting Wireless).


Regards,
rfg


P.S.  Brian said in his article that AT&T had told him that "We have taken
steps to terminate this company’s services and have referred the matter to
law enforcement." but I guess that whichever LE people AT&T spoke with,
they have other more pressing things on their plates, and other fish to
fry... no pun intended.  So I guess it's up to me... again... to figure
out what's actually going on here, and your kind assistance would be
greatly appreciated.


Hank Nussbacher

2019-12-29 06:40:41 CET

On 28/12/2019 21:09, Randy Bush wrote:
>> How these things slip through is when paperwork gets submitted that is
>> incorrect and falsified with fake signatures.
> and the ncc has a job advert out to hire even more lawyers (no blame;
> it's a mess).  can ripe keep from becoming arin?
>
> randy

  It would be nice if RIPE NCC could provide as part of its annual 
report a list of incidents of this nature so we have an idea of how 
wide-spread this is - or not.


-Hank



Randy Bush

2019-12-29 06:45:58 CET

> It would be nice if RIPE NCC could provide as part of its annual
> report a list of incidents of this nature so we have an idea of how
> wide-spread this is - or not.

as i try not to indulge in schadenfreude, i don't have much use for this
information.

we spent some time in this space in rotterdam.  the presos were well
done, but not my cup of coffee.  i am sure there were others who found
it fascinating.  i guess that's what makes the world go 'round.

randy