nanog mailing list archives

Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft?


From: Ben Cannon <ben () 6by7 net>
Date: Fri, 6 Sep 2019 07:02:42 -0700

Important realization: Things don’t always work there like they work here (wherever “here” is for you).

-Ben

On Sep 6, 2019, at 6:57 AM, Carlos Friaças via NANOG <nanog () nanog org> wrote:


Hi,

(Also never been in Australia, unfortunately...)

Netname is "PMANET":
...isn't it OK to assume it could stand for "Port of Melbourne Authority Network"?

* pma.vic.gov.au is not operational
(I wonder what can be found with passive DNS)

* vic.gov.au is still operational.


Quick googling also allowed me to find this:

https://www.portofmelbourne.com/about-us/port-history/timeline/

"1996    Melbourne Port Corporation established as successor to Port of
Melbourne Authority."


Regards,
Carlos



On Fri, 6 Sep 2019, Mel Beckman wrote:

A quick check of one of your facts produces unexpected results, so you might want to perform more research.
According to APNIC, 139.44.0.0/16 does not "belong unambiguously to the Port Authority of Melbourne". It belongs
to an individual, with an office address at a building called "Port Authority of Melbourne":

    person:         Rob Shute
    address:        Port of Melbourne Authority
                    Level 47 South
                    525 Collins St
    country:        AU
    phone:          +61 3 9628 7613
    e-mail:         djk () pma vic gov au
    nic-hdl:        RS54-AP
    remarks:        ----------
    remarks:        imported from ARIN object:
    remarks:
    remarks:        poc-handle: RS546-ARIN
    remarks:        is-role: N
    remarks:        last-name: Shute
    remarks:        first-name: Rob
    remarks:        street: Port of Melbourne Authority
                    Level 47 South
                    525 Collins St
    remarks:        country: AU
    remarks:        mailbox: djk () pma vic gov au
    remarks:        bus-phone: +61 3 9628 7613
    remarks:        reg-date: 1970-01-01
    remarks:        changed: hostmaster () arin poc 20001127
    remarks:        source: ARIN
    remarks:
    remarks:        ----------
    notify:         djk () pma vic gov au
    mnt-by:         MNT-ERX-PRTMELAUTH-NON-AU
    last-modified:  2008-09-04T07:31:33Z
    source:         APNIC

The building called the Port Authority of Melbourne is not, by all accounts, a government agency. It's just the
name of a 54-story office building, like the World Trade Center in NYC. In fact, World Trade Centre (Melbourne)
is another name for the building, and although it houses the Port of Melbourne Authority agency (on Level 4, not
Level 47), it appears to be largely just a toney address for business offices. Some, perhaps, not unlike American
"Mail Boxes Etc" (although I haven't confirmed this). But the following Wikipedia excerpt says this unambiguously:

"The building currently houses some offices of the headquarters of Victoria Police, and the Victoria Police
Museum, a collection of exhibits and memorabilia from over 150 years of policing in Victoria.[3] It also houses
offices for companies, including Thales Australia."

https://en.m.wikipedia.org/wiki/Port_of_Melbourne_Authority

Now, I'm not an Aussie, and in fact have never been down under, but it seems likely that the address in the
registration is akin to a US business having a World Trade Center address in NYC. It means nothing as far as
APNIC asset ownership is concerned. It's just an address.

I could be wrong. However, it seems a simple fact to verify by calling management at that building. I tried
sending email to the registered ".gov.au" address:

djk () pma vic gov au

But the domain does not exist.
 -mel beckman
On Sep 6, 2019, at 1:30 AM, Ronald F. Guilmette <rfg () tristatelogic com> wrote:

     Few of you here probably know about this, but nearly a week ago now
     an article appeared in South Africa's largest and most popular online
     tech publication, MyBroadband.co.za.  It detailed many, but certainly not
     all of the results of my multi-month investigation of a massive and
     ongoing fraud involving the theft of large numbers of large (generally
     /16 or larger) abandoned legacy blocks, taken from the AFRINIC region
     and beyond:
https://mybroadband.co.za/news/internet/318205-the-big-south-african-ip-address-heist-how-millions-are-made-on-the-grey-market.html

     For various editorial reasons, the article that was published actually
     downplayed the magnitude of the thefts quite dramatically.  The
     totality of the IPv4 space that has been stolen or squatted, primarily
     but not exclusively, from South African companies and South African national
     government agencies and departments is actually at least 5x bigger than what
     was reported in the MyBroadband.co.za article.

     The overwhelming majority of this stolen and squatted IPv4 space has
     been helpfully routed by Cogent (AS174), to their customer, FDCServers
     of Chicago, and then on to the preferred destinations of a certain Mr.
     Elad Cohen of Israel, and his company Netstyle Atarim, Ltd.  (I have
     saved traceroutes up the wazoo that prove the involvement of FDCServers,
     in particular, in all of this.)

     Mr. Cohen has been exceptionally prolific in his IPv4 theft and squatting
     activities, basically grabbing everything that wasn't nailed down, both
     within the AFRINIC region and also within the APNIC region.

     In order to try to legitimize all of these thefts and squats, Mr. Cohen
     created quite a sizable number of fraudulent route: objects within the
     Merit/RADB database which, as most here should already know, has
     essentially zero authentication of any kind before it allows J. Random
     Luser to add pretty much any route: object he wants to the RADB.

     Here's a full listing of all of Mr. Cohen's RADB route: objects as they
     existed as recently as August 17th:

        https://pastebin.com/raw/ZNgNuvtt

     And here is the short summary version showing just all of the prefixes/CIDRs
     that Mr. Cohen was effectively claiming rights and/or title to as of that
     same date:

        https://pastebin.com/raw/4LTaCg5R

     Please do note the numerous blocks of size /16 or greater.

     The bottom line is that this one tiny little Israeli company was effectively
     claiming rights to a total of no fewer than 1,015,808 IPv4 addresses as of
     August 17th, 2019.  (Not too shabby for one lone guy who teaches programming
     classes as a side job!) Virtually all of the space is "legacy" IPv4 space,
     and generally consists of blocks having sizes of /16 or larger.

     Some of Mr. Cohen's claims in his RADB entries are as humorous as they
     are pathetically fraudulent.  For example, Mr. Cohen has effectively
     claimed rights to 139.44.0.0/16 which unambiguously belongs to the Port
     Authority of the City of Melbourne, Australia.  But hell!  That's merely
     city property!  Mr. Cohen's limitless appetite for other people's IPv4
     space is more vividly on display in his claims to ownership over the
     168.198.0.0/16 block, which actually belongs to the Department of Finance
     of the Australian national government.  And I haven't even mentioned yet
     another of Mr. Cohen's voluminous IPv4 acquisitions, the 165.25.0.0/16 block,
     which he did not see fit to create an RADB entry for, but which he's
     been squatting on for quite some time now, quite clearly with the
     aid and assistance of both Cogent and FDCServers.  That one belongs to
     the City of Cape Town, South Africa.  That city's engineers have been
     struggling to regain control of their block back from Cogent, from
     FDCServers, and from Mr. Cohen for some time now.   I know because I've
     personally spoken to them about it.  Cogent, in its infinite wisdom, is
     continuing to fight the city for control over property that clearly and
     rightfully belongs to the City of Cape Town, even as we speak:

        https://drive.google.com/file/d/1ytRj1CtuVhDa0eGu4BT-oEz593y5EwJa/view

     When asked for LOAs attesting to his legitimate authority to route at
     least a few of these blocks, Mr. Cohen has produced blatantly forged
     documents, many of which appeared in the MyBroadband.co.za story.  And
     when I say "blatant" that's a gross understatement.  Any half-way decent
     forger would consider these documents an embarrassment.  The documents all
     bear identical signatures, and identical and vaguely official looking
     stamps, and purport to actually be sales receipts attesting to the
     alleged purchases, by Mr. Cohen's offshore Seychelles Islands shell
     company, Afri Holdings, Ltd., of various /16 blocks from a mysterious
     company called Afrivestment, Ltd., which may actually exist in some
     faraway galaxy, or in Mr. Cohen's active imagination, but which both
     Google and OpenCorporates.com seem to agree exists exactly noplace on
     this planet.  Here are the manufactured LOAs supplied by Mr. Cohen:

        https://drive.google.com/file/d/1hVjmR6u0ANltuXtZ-Kng8io-EGFyevTR/view
        https://drive.google.com/file/d/1x_44_H5hkcFLhEwpkwfFoR5PJUyXHzxJ/view
        https://drive.google.com/file/d/1yQyqn4q_f3bt-wDVoN1FzbXf1k58DXtK/view

     Recently, Cohen started to move some, but not all, of his stolen and squatted
     IPv4 blocks off of Cogent/FDCServers and onto a friendly little bullet-proof
     hosting company in the Netherlands named IP Volume, Inc. (AS202425) and/or
     to its several sister networks, e.g. AS204655 - Novogara Ltd., all of which,
     coincidentally, just happen to be owned by the exact same pair of Dutch
     gentlemen who previously owned the notorious Ecatel, followed by the notorious
     Quasi Networks.  (IP Volume, Inc. appears to have inherited all or nearly
     all of its legitimately assigned IP space from its predecessor entities,
     Ecatel and Quasi Networks.)

     Despite these relocations, many of Mr. Cohen's stolen and squatted blocks
     are still helpfully being routed to Mr. Cohen's preferred destinations by
     his good friends at Cogent and FDCServers, even as we speak.  The current
     set of such routes that Cogent is maintaining, at the moment, apparently on
     behalf of their customer, Mr. Cohen, consists of the prefixes listed here:

        https://pastebin.com/raw/EA3xJVLF

     When I noticed two days ago that all of these routes were still up I was
     deeply confused.  Did both Cogent and FDCServers not get the memo??  Do
     they not know yet that Cohen is stealing stuff, left, right, and sideways?
     Did nobody even tell them about the MyBroadband.co.za article which was
     published this past Sunday?  I decided that it was incumbent upon me to
     find out.

     Thus, more than 48 hours ago now I sent the following polite but firm
     inquiry to Cogent, and a separate nearly identical one directly to the
     CEO of FDCServers, Mr. Petr Kral (petr(at)fdcservers.net).

        https://pastebin.com/raw/ztipqE96

     A full forty eight hours later, I have received no reply whatsoever from
     either Cogent or FDCServers, not even a "Go pound sand" type of response.

     More importantly, most of the stolen IPv4 space that I called out, very
     specifically, to both Cogent and FDCServers two+ days ago now is still
     being routed by Cogent/FDCServers to their fun-loving and, I'm sure,
     promptly paying customer, Mr. Cohen.  If neither Cogent nor FDCServers
     yet knows, even now, that Mr. Cohen is a crook, and that he has glommed
     onto quite a lot of stolen and squatted IPv4 space... which they have
     been helpfully routing for him, no doubt in exchange for some handsome
     payments... then I am forced to say that it appears to be a reasonable
     conclusion that it must be because neither Cogent nor FDCServers really
     wants to know what sort of a character Cohen is, or what he has been up
     to, specifically with their ongoing and material assistance.

     But you all be the judges.  What does it look like to you?

     Regards,
     rfg
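
The thread's central measurement is the total address space a set of RADB route: objects lays claim to
(the 1,015,808 figure), and its central complaint is that anyone can register such objects. The script below is
an added example, not code from any of the posters, showing how one would compute that kind of total from an
RPSL dump: parse route: objects, collapse overlapping and adjacent prefixes so a more-specific inside an already
claimed /16 is not double counted, and list the /16-or-larger blocks. The dump it parses is constructed for
illustration: 139.44.0.0/16 and 168.198.0.0/16 are the prefixes named in the thread, the origin ASNs AS64496 and
AS64497 are from the documentation range (RFC 5398), 192.0.2.0/24 is a documentation prefix, and the descr and
mnt-by values are made up. Nothing here is from the pastebin listings the post links to.

```python
"""Total the IPv4 space claimed by RADB-style route: objects (added example)."""
import ipaddress
from collections import defaultdict

# CONSTRUCTED RPSL dump. Blank lines separate objects, as in whois output.
# Origins AS64496/AS64497 and the descr/mnt-by values are placeholders.
SAMPLE_RADB_DUMP = """\
route:          139.44.0.0/16
descr:          constructed route object
origin:         AS64496
mnt-by:         MAINT-EXAMPLE
source:         RADB

route:          168.198.0.0/16
descr:          constructed route object
origin:         AS64496
mnt-by:         MAINT-EXAMPLE
source:         RADB

route:          168.198.0.0/24
descr:          more-specific of a block already claimed above (constructed)
origin:         AS64496
mnt-by:         MAINT-EXAMPLE
source:         RADB

route:          192.0.2.0/24
descr:          documentation prefix, different origin (constructed)
origin:         AS64497
mnt-by:         MAINT-EXAMPLE
source:         RADB
"""


def parse_route_objects(text):
    """Return [(network, origin, attrs)] for every route: object in an RPSL dump.

    Objects are separated by blank lines; a line starting with whitespace is an
    RPSL continuation of the previous attribute. Non-route objects are skipped.
    """
    objects, current, last_key = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                objects.append(current)
            current, last_key = {}, None
            continue
        if raw[0] in " \t" and last_key:
            current[last_key] += " " + raw.strip()
            continue
        key, _, value = raw.partition(":")
        key = key.strip().lower()
        current[key] = value.strip()
        last_key = key
    if current:
        objects.append(current)

    routes = []
    for obj in objects:
        if "route" not in obj:
            continue
        prefix = ipaddress.ip_network(obj["route"], strict=False)
        routes.append((prefix, obj.get("origin", "").upper(), obj))
    return routes


def claimed_space(routes):
    """(total distinct IPv4 addresses, {origin: distinct addresses}).

    collapse_addresses() merges overlapping and adjacent prefixes, so the /24
    inside 168.198.0.0/16 adds nothing to the count.
    """
    by_origin = defaultdict(list)
    for prefix, origin, _ in routes:
        if prefix.version == 4:
            by_origin[origin].append(prefix)
    per_origin = {
        origin: sum(p.num_addresses for p in ipaddress.collapse_addresses(plist))
        for origin, plist in by_origin.items()
    }
    everything = [p for plist in by_origin.values() for p in plist]
    total = sum(p.num_addresses for p in ipaddress.collapse_addresses(everything))
    return total, per_origin


def large_blocks(routes, max_prefixlen=16):
    """Distinct IPv4 prefixes of /16 or larger, as strings, sorted."""
    return sorted({str(p) for p, _, _ in routes
                   if p.version == 4 and p.prefixlen <= max_prefixlen})


if __name__ == "__main__":
    routes = parse_route_objects(SAMPLE_RADB_DUMP)
    total, per_origin = claimed_space(routes)
    print(f"{len(routes)} route objects, {total} distinct IPv4 addresses claimed")
    for origin, n in sorted(per_origin.items()):
        print(f"  {origin}: {n}")
    print("blocks of /16 or larger:", ", ".join(large_blocks(routes)))
```

Run against a real dump (for example the output of `whois -h whois.radb.net -- '-i origin ASxxxx'`), the
same functions give the per-origin total directly. The collapse step matters: a registrant who files both a
/16 and several of its /24s would otherwise appear to claim more than one /16.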


