Home page logo
/

nanog logo nanog mailing list archives

New hijacks, and lots of them
From: "Ronald F. Guilmette" <rfg () tristatelogic com>
Date: Thu, 14 Apr 2011 04:22:06 -0700



One particular large and well-distributed snowshoe spamming operation
became the subject of my special scrutiny recently.  After seeing all
of the the various apparently hijacked IP blocks that this particular
snowshoe spamming operation seemed to be relying upon for much of its
IP space, it seemed like the right thing to do for me to report on the
whole mess here.

To begin with here are a couple of files which show the full extent of
this particular rather vast snowshoe operation (including both hijacked
and non-hijacked parts).  By my count we are talking in excess of 6,300
separate second-level gTLD domain names.

   http://www.47-usc-230c2.org/20110414-snowshoe-1.txt
   http://www.47-usc-230c2.org/20110414-snowshoe-2.txt

Dredging into this operation more deeply led me to the following con-
clusions...

Based upon information and belief, the following number resources have
been hijacked, i.e. they either are now, or were in the recent past being
used without proper authorization by a party or parties to whom these
resources were not assigned by any RiR.  (Unless otherwise specified
below, these are all ARIN-assigned number resources.)

AS8143  (1)
AS29987 (2)
AS11756 (3) (4)
AS47024 (5)
AS27906 (6)(7)

198.23.32.0/20 - NET-198-23-32-0-1 (8)
198.57.64.0/20 - NET-198-57-64-0-1 (9)
199.88.32.0/20 - NET-199-88-32-0-1 (10)
199.192.16.0/20 - NET-199-192-16-0-1 (11)
199.196.192.0/19 - NET-199-196-192-0-1 (12)
200.107.216.0/21 - GT-AGSA1-LACNIC (13)
204.147.240.0/20 - NET-204-147-240-0-1 (14)
207.22.224.0/19 - (NET-207-22-192-0-1) (15) (16)

Notes
-----
(1) Probable fradulent falsification of JD47-ORG-ARIN - 2010-11-22
(2) Probable fradulent falsification of AS29987 & IPADM448-ARIN - 2010-11-04
(3) Probable fradulent falsification of AS11756 - 2011-03-15
(4) Probable fradulent falsification of JR1271-ARIN - 2010-07-08
(5) ARIN unable to validate contact NOC3622-ARIN since 2010-06-19
(6) LACNIC assigned AS
(7) Contact record ERJ3 modified - 2011-04-06 (falsified?)

(8) Probable fradulent falsification of NET-199-88-32-0-1 & SH174-ARIN - 2010-11-03
(9) ARIN unable to valiadate contact GW449-ARIN since 2010-07-18
(10) ARIN unable to valiadate contact DM126-ARIN since 2010-07-16
(11) ARIN unable to valiadate contact RP56-ARIN since 2010-07-22
(12) ARIN unable to valiadate contact FB43-ARIN since 2010-07-17
(13) LACNIC assigned IPv4 block
(14) ARIN unable to valiadate contact LT127-ORG-ARIN since 2010-07-20
(15) Only the 207.22.224.0/19 portion of 207.22.192.0/18 is being routed
(16) ARIN unable to valiadate contact MH521-ARIN since 2010-07-12


Discussion
----------

The entire scope of this particular spamming operation spans both the
aforementioned (hijacked) IP ranges and also a number of IP ranges that
are clearly NOT hijacked.  I have attempted to list below all ranges
that either are now in use by this operation, or that have been in use
by this operation, in the relatively recent past.

The various IP blocks listed below are connected, in one way or another,
to several entities that have been caught doing IP block hijacking in
the past, in particular:

   *)  Joytel Wireless of Florida... which apparently has some significant
       connection to an entity called "GoRack", also of South Florida, and

   *)  Xeex aka AS27524 aka Nishant Ramachandran, and

   *)  last but by no means least, Media Breakaway, LLC aka JKS Media, LLC,
       aka Dynamic Dolphin (ICANN Accredited Registrar) aka "OptInRealBig"
       aka the notorious Scott Richter.

       (Essentially all of the domains of this operation are, apparently,
       registered anonymously with Dynamic Dophin, and as noted below, A
       portion of them are also being routed by JKS Media, and a subset of
       those are either hosted in and/or are getting DNS service from IP
       blocks registered to Media Breakaway.)

As you will see below, a few of the ranges that I have identified as
having been hijacked were already/previously blacklisted by Spamhaus
some months ago.  Also, in at least one case, Spamhaus records indicate
that they too believe that the block in question was indeed hijacked.
(It is always nice to have a second, confirming opinion.)

I could speculate on the identity of the person or company which might
most accurately be said to be "behind" all this, but I actually do not
feel the need to do so in this instance.  The data speaks for itself,
and I do believe that any diligent researcher who really wants to dredge
into it all will likely reach what I consider to be the proper conclusion(s).

===========================================================================
All IP ranges containing assets of this specific snowshoe operation:
--------------------------------------------------------------------

8.24.248.0/21 - via AS19844 (gorack.net)

66.115.166.0/24 - NET-66-115-166-0-1 - via AS22384 (nationalnet.com)
66.115.167.0/24 - NET-66-115-167-0-1 - via AS22384 (nationalnet.com)
66.115.168.0/24 - NET-66-115-168-0-1 - via AS22384 (nationalnet.com)
66.115.172.0/24 - NET-66-115-172-0-1 - via AS22384 (nationalnet.com)

66.232.42.0/23 - via AS21510 (tristarcorp.net)
66.232.44.0/24 - via AS21510 (tristarcorp.net)
66.232.46.0/23 - via AS21510 (tristarcorp.net)
66.232.48.0/23 - via AS21510 (tristarcorp.net)

67.55.111.0/24 - "Masterly International S.A."[1] - via AS27257 (webair.com)

67.220.69.0/24 - via AS17048 (awknet.com)

69.6.29.0/24 - NET-69-6-29-0-1 - Media Breakaway - via AS32311 (jksmedia.net)
69.6.31.0/24 - NET-69-6-31-0-1 RRM LLC - via AS32311 (jksmedia.net)
69.6.36.0/24 - NET-69-6-36-0-1 - Media Breakaway - via AS32311 (jksmedia.net)
69.6.42.0/24 - via AS32311 (jksmedia.net)
69.6.43.0/24 - via AS32311 (jksmedia.net)
69.6.49.0/24 - NET-69-6-49-0-1 - Media Breakaway - via AS32311 (jksmedia.net)
69.6.56.0/24 - via AS32311 (jksmedia.net)

69.42.77.64/28 - "Masterly International S.A."[1] - via AS27257 (webair.com)

74.202.216.0/21 - Joytel Wireless - via AS4323 (twtelecom.net)

91.90.192.0/19 - via AS41331 (moda-ua.net/Ukraine)

93.171.64.0/21 - via AS27257 (webair.com)

173.239.8.0/24 - "Masterly International S.A."[1] - via AS27257 (webair.com)
173.239.9.0/24 - "Masterly International S.A."[1] - via AS27257 (webair.com)

198.23.32.0/20 - NET-198-23-32-0-1 - Was Hijacked - via AS11756 [5] (BitStorm)
        http://www.spamhaus.org/sbl/sbl.lasso?query=SBL101186
                05-Jan-2011 22:17 GMT | SR22

198.57.64.0/20 - NET-198-57-64-0-1 - Was Hijacked (AS?)
        http://www.spamhaus.org/sbl/sbl.lasso?query=SBL101250
                07-Jan-2011 21:28 GMT | SR03

199.88.32.0/20 - NET-199-88-32-0-1 - Hijacked - via AS29987 [3]

199.192.16.0/20 - NET-199-192-16-0-1 - Was hijacked (AS?)
        http://www.spamhaus.org/sbl/sbl.lasso?query=SBL101188
                05-Jan-2011 22:08 GMT | SR22

199.196.192.0/19 - NET-199-196-192-0-1 - Hijacked - via AS8143 [2]

200.107.216.0/21 - GT-AGSA1-LACNIC - Hijacked - via AS27906 [7]

204.147.240.0/20 - NET-204-147-240-0-1 - Hijacked - via AS47024 [6]

206.246.104.0/22 - via AS11194 (nni.com)

207.22.224.0/19 - (NET-207-22-192-0-1) Hijacked - via AS8143 [2] [4]

207.178.179.0/24 - NET-207-178-179-0-1 - Prime Directive - via AS5033
207.178.191.0/24 - NET-207-178-191-0-1 - Prime Directive - via AS5033
207.178.192.0/24 - NET-207-178-192-0-1 - Prime Directive - via AS5033

207.199.128.0/18 - via AS11194 (nni.com)

207.231.96.0/21 - NET-207-231-96-0-1 - via AS11194 (nni.com)

209.141.0.0/20 - NET-209-141-0-0-1 - via AS12124 (thorn.net)

209.147.86.0/23 - via AS11194 (nni.com)
209.147.88.0/21 - via AS11194 (nni.com)

209.200.23.128/28 - "Masterly International S.A."[1] - via AS27257 (webair.com)


Notes:
======
[1] "Masterly International S.A." -- Identified as snowshoer 2005-06-01 by rfg
[2] AS8143 hijacked;
    JD47-ORG-ARIN revised 2010-11-22
    4publicom.com - newly registered 2010-11-22
    AS8143 is connected to the net only via AS19844 (gorack.com)
[3] AS29987 hijacked;
    IPADM448-ARIN revised 2010-11-04;
    braziliancomputing.com - newly registered 2010-10-07
    AS29987 is connected to the net only via AS3257 (tiscali.net)
[4] Not currently inhabited
[5] AS11756 hijacked;
    JR1271-ARIN revised 2010-07-08
    jandamy.com - newly registered 2010-11-03
    Company declared dead as of 09/22/2000:
   
http://www.sunbiz.org/scripts/cordet.exe?action=DETFIL&inq_doc_number=P96000102349&inq_came_from=NAMFWD&cor_web_names_seq_number=0000&names_name_ind=N&names_cor_number=&names_name_seq=&names_name_ind=&names_comp_name=BITSTORM&names_filing_type=
    AS11756 currently has -zero- peers (according to www.robtex.com)
[6] AS47024 hijacked;
    NOC3622-ARIN - ARIN unable to validate since 2010-06-19
    No company web site;
    909-941-8100 - reassigned;
    909-743-6182 - disconnected;
    intiumservices.com newly (re-)registered - 2010-11-04
    AS47024 currenly connected only via AS3257 (tiscali.net)
[7] AS27906 currently only routed via AS27524 (Xeex) according to robtex.com
===========================================================================


As you can see, there is a large volume of material here, and a large amount
of research went into it all.  I have tried diligently to ensure the complete
accuracy of all of the above information, however it is certainly possible
that I may have made a mistake or two, here or there, or that circumstances
and facts may have changed since I first began compiling this information
two days ago.  Certainly, no one should rely in any way upon the above
information in the absence of your own independent due diligence.

I hereby disavow any and all responsibility for any errors or omissions.

The above information may only be used at the reader's own risk.

This information is being published in accordance with 47 USC 230(c)(2)(B),
to enable or make available to information content providers or others the
technical means to restrict access to material described in 47 USC 230(c)(1).


Via con dios,
rfg


P.S. ARIN's attempts, during July of last year, to validate various con-
tacts that were the responsible parties for various IP allocations was a
good and noble effort on ARIN's part.  In the present context however it
does seem a pity that more was not done with the various negative results
from that valiant effort.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault