
Mailing List Archive: NANOG: users

Interesting Point of view - Russian police and RIPE accused of aiding RBN

 

 



ops.lists at gmail

Oct 24, 2009, 12:00 AM

Post #1 of 23 (2040 views)
Permalink
Interesting Point of view - Russian police and RIPE accused of aiding RBN

http://www.eweekeurope.co.uk/news/russian-police-and-internet-registry-accused-of-aiding-cybercrime-2165

Some quotes from the article -

Internet registry RIPE NCC turned a blind eye to cybercrime, and Russian police
corruption helped the perpetrators get away with it, according to the UK
Serious Organised Crime Agency

[...]

"RIPE was being paid by RBN for that service, for its IP allocation," he said.
"Essentially what you have - and I make no apologies for saying this is - if
you were going to interpret this very harshly RIPE as the IP allocation body
was receiving criminal funds and therefore RIPE was involved in money
laundering offences," said Auld.

[...]

"All we could get there was a disruption, we weren't able to get a prosecution
in Russia," admitted Auld. "Our biggest concern is where did RBN go? Our
information suggests that RBN is back in business but now pursuing a slightly
different business model which is bad news."

[...]

"Where you have got LIRs (Local Internet Registries) set up to run a criminal
business- that is criminal activity being taken by the regional internet
registries themselves. "So what we are trying to do is work with them to make
internet governance a somewhat less permissive environment for criminals and
make it more about protecting consumers and individuals," added Auld.

RBN looked legitimate, says RIPE NCC

In response to the comments that it could be accused of being involved in
criminal activity, Paul Rendek, head of external relations and communications
at RIPE NCC said that the organisation has very strict guidelines for dealing
with LIRs.

"The RBN was accepted as an LIR based on our checklists," he said. "Our
checklists include the provision of proof that a prospective LIR has the
necessary legal documentation, which proves that a business is bona fide."

etc


jeffrey.lyon at blacklotus

Oct 24, 2009, 12:18 AM

Post #2 of 23 (2008 views)
Permalink
Re: Interesting Point of view - Russian police and RIPE accused of aiding RBN [In reply to]

Since we're on the subject, here is where RBN went:


inetnum: 91.202.60.0 - 91.202.63.255
netname: AKRINO-NET
descr: Akrino Inc
country: VG
org: ORG-AI38-RIPE
admin-c: IVM27-RIPE
tech-c: IVM27-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-by: MNT-AKRINO
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-routes: MNT-AKRINO
mnt-domains: MNT-AKRINO
source: RIPE # Filtered
organisation: ORG-AI38-RIPE
org-name: Akrino Inc
org-type: OTHER
address: Akrino Inc.
address: P.O.Box 146 Trident Chambers
address: Road Town, Tortola
address: BVI
e-mail: noc.akrino [at] gmail
mnt-ref: MNT-AKRINO
mnt-by: MNT-AKRINO
source: RIPE # Filtered
person: Igoren V Murzak
address: Akrino Inc
address: P.O.Box 146 Trident Chambers
address: Road Town, Tortola
address: BVI
phone: +1 914 5952753
e-mail: noc.akrino [at] gmail
nic-hdl: IVM27-RIPE
mnt-by: MNT-AKRINO
source: RIPE # Filtered
% Information related to '91.202.60.0/22AS44571'
route: 91.202.60.0/22
descr: AKRINO BLOCK
origin: AS44571
mnt-by: MNT-AKRINO
source: RIPE # Filtered


On Sat, Oct 24, 2009 at 3:00 AM, Suresh Ramasubramanian
<ops.lists [at] gmail> wrote:
> http://www.eweekeurope.co.uk/news/russian-police-and-internet-registry-accused-of-aiding-cybercrime-2165
>
> Some quotes from the article -
>
> Internet registry RIPE NCC turned a blind eye to cybercrime, and Russian police
> corruption helped the perpetrators get away with it, according to the UK
> Serious Organised Crime Agency
>
> [...]
>
> "RIPE was being paid by RBN for that service, for its IP allocation," he said.
> "Essentially what you have - and I make no apologies for saying this is - if
> you were going to interpret this very harshly RIPE as the IP allocation body
> was receiving criminal funds and therefore RIPE was involved in money
> laundering offences," said Auld.
>
> [...]
>
> "All we could get there was a disruption, we weren't able to get a prosecution
> in Russia," admitted Auld. "Our biggest concern is where did RBN go? Our
> information suggests that RBN is back in business but now pursuing a slightly
> different business model which is bad news."
>
> [...]
>
> "Where you have got LIRs (Local Internet Registries) set up to run a criminal
> business- that is criminal activity being taken by the regional internet
> registries themselves. "So what we are trying to do is work with them to make
> internet governance a somewhat less permissive environment for criminals and
> make it more about protecting consumers and individuals," added Auld.
>
> RBN looked legitimate, says RIPE NCC
>
> In response to the comments that it could be accused of being involved in
> criminal activity, Paul Rendek, head of external relations and communications
> at RIPE NCC said that the organisation has very strict guidelines for dealing
> with LIRs.
>
> "The RBN was accepted as an LIR based on our checklists," he said. "Our
> checklists include the provision of proof that a prospective LIR has the
> necessary legal documentation, which proves that a business is bona fide."
>
> etc
>
>



--
Jeffrey Lyon, Leadership Team
jeffrey.lyon [at] blacklotus | http://www.blacklotus.net
Black Lotus Communications of The IRC Company, Inc.

Platinum sponsor of HostingCon 2010. Come to Austin, TX on July 19 -
21 to find out how to "protect your booty."


bbillon-ml at splio

Oct 24, 2009, 12:20 AM

Post #3 of 23 (2005 views)
Permalink
Re: Interesting Point of view - Russian police and RIPE accused of aiding RBN [In reply to]

Accusing RIPE of complicity is in my opinion abusive. So when a RBN
member buys a burger at MacDonald's, should we consider MacDo accepts
money from RBN while helping them to run their "business" as they feed
the criminal member?


jeffrey.lyon at blacklotus

Oct 24, 2009, 12:24 AM

Post #4 of 23 (2003 views)
Permalink
Re: Interesting Point of view - Russian police and RIPE accused of aiding RBN [In reply to]

Indeed. If they bought fries and a drink that's two counts.

Jeff

On Sat, Oct 24, 2009 at 3:20 AM, Benjamin Billon <bbillon-ml [at] splio> wrote:
> Accusing RIPE of complicity is in my opinion abusive. So when a RBN member
> buys a burger at MacDonald's, should we consider MacDo accepts money from
> RBN while helping them to run their "business" as they feed the criminal
> member?
>
>



--
Jeffrey Lyon, Leadership Team
jeffrey.lyon [at] blacklotus | http://www.blacklotus.net
Black Lotus Communications of The IRC Company, Inc.

Platinum sponsor of HostingCon 2010. Come to Austin, TX on July 19 -
21 to find out how to "protect your booty."


bbillon-ml at splio

Oct 24, 2009, 12:29 AM

Post #5 of 23 (2004 views)
Permalink
Re: Interesting Point of view - Russian police and RIPE accused of aiding RBN [In reply to]

That's what I thought.

I still see the author's point =)


pbosworth at gmail

Oct 24, 2009, 1:05 AM

Post #6 of 23 (1996 views)
Permalink
Re: Interesting Point of view - Russian police and RIPE accused of aiding RBN [In reply to]

I think the larger point is that ripe turned a blind eye to an
internationally recognized criminal network.

On Oct 24, 2009 2:01 AM, "Suresh Ramasubramanian" <ops.lists [at] gmail>
wrote:

http://www.eweekeurope.co.uk/news/russian-police-and-internet-registry-accused-of-aiding-cybercrime-2165

Some quotes from the article -

Internet registry RIPE NCC turned a blind eye to cybercrime, and Russian police
corruption helped the perpetrators get away with it, according to the UK
Serious Organised Crime Agency

[...]

"RIPE was being paid by RBN for that service, for its IP allocation," he said.
"Essentially what you have - and I make no apologies for saying this is - if
you were going to interpret this very harshly RIPE as the IP allocation body
was receiving criminal funds and therefore RIPE was involved in money
laundering offences," said Auld.

[...]

"All we could get there was a disruption, we weren't able to get a prosecution
in Russia," admitted Auld. "Our biggest concern is where did RBN go? Our
information suggests that RBN is back in business but now pursuing a slightly
different business model which is bad news."

[...]

"Where you have got LIRs (Local Internet Registries) set up to run a criminal
business- that is criminal activity being taken by the regional internet
registries themselves. "So what we are trying to do is work with them to make
internet governance a somewhat less permissive environment for criminals and
make it more about protecting consumers and individuals," added Auld.

RBN looked legitimate, says RIPE NCC

In response to the comments that it could be accused of being involved in
criminal activity, Paul Rendek, head of external relations and communications
at RIPE NCC said that the organisation has very strict guidelines for dealing
with LIRs.

"The RBN was accepted as an LIR based on our checklists," he said. "Our
checklists include the provision of proof that a prospective LIR has the
necessary legal documentation, which proves that a business is bona fide."

etc


Paul.Martin at viatel

Oct 24, 2009, 1:23 AM

Post #7 of 23 (1996 views)
Permalink
RE: Interesting Point of view - Russian police and RIPE accused of aiding RBN [In reply to]

So considering they're widely regarded as a criminal network hosting the
more dodgy/dangerous stuff on the net, surely we could 'protect' our
customers by blocking the 91.202.60.0/22 range?

Consider that can of worms opened :o)

Paul

-----Original Message-----
From: Jeffrey Lyon [mailto:jeffrey.lyon [at] blacklotus]
Sent: 24 October 2009 08:18
To: Suresh Ramasubramanian
Cc: nanog [at] nanog
Subject: Re: Interesting Point of view - Russian police and RIPE accused
of aiding RBN

Since we're on the subject, here is where RBN went:


inetnum: 91.202.60.0 - 91.202.63.255
netname: AKRINO-NET
descr: Akrino Inc
country: VG
org: ORG-AI38-RIPE
admin-c: IVM27-RIPE
tech-c: IVM27-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-by: MNT-AKRINO
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-routes: MNT-AKRINO
mnt-domains: MNT-AKRINO
source: RIPE # Filtered
organisation: ORG-AI38-RIPE
org-name: Akrino Inc
org-type: OTHER
address: Akrino Inc.
address: P.O.Box 146 Trident Chambers
address: Road Town, Tortola
address: BVI
e-mail: noc.akrino [at] gmail
mnt-ref: MNT-AKRINO
mnt-by: MNT-AKRINO
source: RIPE # Filtered
person: Igoren V Murzak
address: Akrino Inc
address: P.O.Box 146 Trident Chambers
address: Road Town, Tortola
address: BVI
phone: +1 914 5952753
e-mail: noc.akrino [at] gmail
nic-hdl: IVM27-RIPE
mnt-by: MNT-AKRINO
source: RIPE # Filtered
% Information related to '91.202.60.0/22AS44571'
route: 91.202.60.0/22
descr: AKRINO BLOCK
origin: AS44571
mnt-by: MNT-AKRINO
source: RIPE # Filtered


On Sat, Oct 24, 2009 at 3:00 AM, Suresh Ramasubramanian
<ops.lists [at] gmail> wrote:
> http://www.eweekeurope.co.uk/news/russian-police-and-internet-registry-accused-of-aiding-cybercrime-2165
>
> Some quotes from the article -
>
> Internet registry RIPE NCC turned a blind eye to cybercrime, and Russian police
> corruption helped the perpetrators get away with it, according to the UK
> Serious Organised Crime Agency
>
> [...]
>
> "RIPE was being paid by RBN for that service, for its IP allocation," he said.
> "Essentially what you have - and I make no apologies for saying this is - if
> you were going to interpret this very harshly RIPE as the IP allocation body
> was receiving criminal funds and therefore RIPE was involved in money
> laundering offences," said Auld.
>
> [...]
>
> "All we could get there was a disruption, we weren't able to get a prosecution
> in Russia," admitted Auld. "Our biggest concern is where did RBN go? Our
> information suggests that RBN is back in business but now pursuing a slightly
> different business model which is bad news."
>
> [...]
>
> "Where you have got LIRs (Local Internet Registries) set up to run a criminal
> business- that is criminal activity being taken by the regional internet
> registries themselves. "So what we are trying to do is work with them to make
> internet governance a somewhat less permissive environment for criminals and
> make it more about protecting consumers and individuals," added Auld.
>
> RBN looked legitimate, says RIPE NCC
>
> In response to the comments that it could be accused of being involved in
> criminal activity, Paul Rendek, head of external relations and communications
> at RIPE NCC said that the organisation has very strict guidelines for dealing
> with LIRs.
>
> "The RBN was accepted as an LIR based on our checklists," he said. "Our
> checklists include the provision of proof that a prospective LIR has the
> necessary legal documentation, which proves that a business is bona fide."
>
> etc
>
>



--
Jeffrey Lyon, Leadership Team
jeffrey.lyon [at] blacklotus | http://www.blacklotus.net
Black Lotus Communications of The IRC Company, Inc.

Platinum sponsor of HostingCon 2010. Come to Austin, TX on July 19 -
21 to find out how to "protect your booty."



For more information about the Viatel Group, please visit www.viatel.com

VTL (UK) Limited Registered in England and Wales
Registered Address: Inbucon House, Wick Road, Egham, Surrey TW20 0HR
Company Registration No: 04287100 VAT Registration Number: 781 4991 88

THIS MESSAGE IS INTENDED ONLY FOR THE USE OF THE INTENDED RECIPIENT TO WHICH IT IS ADDRESSED AND MAY CONTAIN INFORMATION THAT IS PRIVILEGED, CONFIDENTIAL AND EXEMPT FROM DISCLOSURE. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering the message to the intended recipient, you are notified that any dissemination, distribution or copying of this e-mail is prohibited, and you should delete this e-mail from your system.

This message has been scanned for viruses and spam by Viatel MailControl - www.viatel.com


a.harrowell at gmail

Oct 24, 2009, 2:11 AM

Post #8 of 23 (1998 views)
Permalink
RE: Interesting Point of view - Russian police and RIPE accused of aiding RBN [In reply to]

I'd like to apologise in advance for SOCA. Frankly, I am surprised that they are even aware of RIPE or its role in life. They have done so poorly since subsuming the old National Hi-Tech Crime Unit that the other police forces want NHTCU back.

It ought to be superfluous to point out that the only effective action taken against RBN was by the Internet community in getting all their upstreams to null route them. As is blindingly obvious, SOCA would never have been granted a warrant by the Russians.

Pathetic to take it out on RIPE.
-original message-
Subject: RE: Interesting Point of view - Russian police and RIPE accused of aiding RBN
From: "Martin, Paul" <Paul.Martin [at] viatel>
Date: 24/10/2009 9:23 am

So considering they're widely regarded as a criminal network hosting the
more dodgy/dangerous stuff on the net, surely we could 'protect' our
customers by blocking the 91.202.60.0/22 range?

Consider that can of worms opened :o)

Paul

-----Original Message-----
From: Jeffrey Lyon [mailto:jeffrey.lyon [at] blacklotus]
Sent: 24 October 2009 08:18
To: Suresh Ramasubramanian
Cc: nanog [at] nanog
Subject: Re: Interesting Point of view - Russian police and RIPE accused
of aiding RBN

Since we're on the subject, here is where RBN went:


inetnum: 91.202.60.0 - 91.202.63.255
netname: AKRINO-NET
descr: Akrino Inc
country: VG
org: ORG-AI38-RIPE
admin-c: IVM27-RIPE
tech-c: IVM27-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-by: MNT-AKRINO
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-routes: MNT-AKRINO
mnt-domains: MNT-AKRINO
source: RIPE # Filtered
organisation: ORG-AI38-RIPE
org-name: Akrino Inc
org-type: OTHER
address: Akrino Inc.
address: P.O.Box 146 Trident Chambers
address: Road Town, Tortola
address: BVI
e-mail: noc.akrino [at] gmail
mnt-ref: MNT-AKRINO
mnt-by: MNT-AKRINO
source: RIPE # Filtered
person: Igoren V Murzak
address: Akrino Inc
address: P.O.Box 146 Trident Chambers
address: Road Town, Tortola
address: BVI
phone: +1 914 5952753
e-mail: noc.akrino [at] gmail
nic-hdl: IVM27-RIPE
mnt-by: MNT-AKRINO
source: RIPE # Filtered
% Information related to '91.202.60.0/22AS44571'
route: 91.202.60.0/22
descr: AKRINO BLOCK
origin: AS44571
mnt-by: MNT-AKRINO
source: RIPE # Filtered


On Sat, Oct 24, 2009 at 3:00 AM, Suresh Ramasubramanian
<ops.lists [at] gmail> wrote:
> http://www.eweekeurope.co.uk/news/russian-police-and-internet-registry-accused-of-aiding-cybercrime-2165
>
> Some quotes from the article -
>
> Internet registry RIPE NCC turned a blind eye to cybercrime, and Russian police
> corruption helped the perpetrators get away with it, according to the UK
> Serious Organised Crime Agency
>
> [...]
>
> "RIPE was being paid by RBN for that service, for its IP allocation," he said.
> "Essentially what you have - and I make no apologies for saying this is - if
> you were going to interpret this very harshly RIPE as the IP allocation body
> was receiving criminal funds and therefore RIPE was involved in money
> laundering offences," said Auld.
>
> [...]
>
> "All we could get there was a disruption, we weren't able to get a prosecution
> in Russia," admitted Auld. "Our biggest concern is where did RBN go? Our
> information suggests that RBN is back in business but now pursuing a slightly
> different business model which is bad news."
>
> [...]
>
> "Where you have got LIRs (Local Internet Registries) set up to run a criminal
> business- that is criminal activity being taken by the regional internet
> registries themselves. "So what we are trying to do is work with them to make
> internet governance a somewhat less permissive environment for criminals and
> make it more about protecting consumers and individuals," added Auld.
>
> RBN looked legitimate, says RIPE NCC
>
> In response to the comments that it could be accused of being involved in
> criminal activity, Paul Rendek, head of external relations and communications
> at RIPE NCC said that the organisation has very strict guidelines for dealing
> with LIRs.
>
> "The RBN was accepted as an LIR based on our checklists," he said. "Our
> checklists include the provision of proof that a prospective LIR has the
> necessary legal documentation, which proves that a business is bona fide."
>
> etc
>
>



--
Jeffrey Lyon, Leadership Team
jeffrey.lyon [at] blacklotus | http://www.blacklotus.net
Black Lotus Communications of The IRC Company, Inc.

Platinum sponsor of HostingCon 2010. Come to Austin, TX on July 19 -
21 to find out how to "protect your booty."





marcoh at marcoh

Oct 24, 2009, 2:18 AM

Post #9 of 23 (1999 views)
Permalink
Re: Interesting Point of view - Russian police and RIPE accused of aiding RBN [In reply to]

On Oct 24, 2009, at 9:00 AM, Suresh Ramasubramanian wrote:

> http://www.eweekeurope.co.uk/news/russian-police-and-internet-registry-accused-of-aiding-cybercrime-2165


With more on that:

http://www.ripe.net/news/rbn.html

"Press coverage this week portrayed the RIPE NCC as being involved
with the criminal network provider Russian Business Network (RBN). Any
connection with criminal activity, or with RBN itself, is completely
unfounded.

The press coverage arose from a speech given by the Serious Organised
Crime Agency (SOCA) in the UK. SOCA has since contacted the RIPE NCC
with an apology. The RIPE NCC will continue to work with SOCA and
other bodies to ensure criminal investigations can be carried out in
an efficient manner within established laws and guidelines."



MarcoH


fw at deneb

Oct 24, 2009, 2:38 AM

Post #10 of 23 (2000 views)
Permalink
Re: Interesting Point of view - Russian police and RIPE accused of aiding RBN [In reply to]

* a. harrowell:

> It ought to be superfluous to point out that the only effective
> action taken against RBN was by the Internet community in getting
> all their upstreams to null route them. As is blindingly obvious,
> SOCA would never have been granted a warrant by the Russians.

Ugh, in reality, they needed a warrant from the Metropolitan Police
(which could have been equally problematic).


jeffrey.lyon at blacklotus

Oct 24, 2009, 2:44 AM

Post #11 of 23 (1995 views)
Permalink
Re: RE: Interesting Point of view - Russian police and RIPE accused of aiding RBN [In reply to]

We already filter this network but the move is largely symbolic. This needs
to be done by eyeball networks, not just hosting networks.

In filtering 91.202.60.0/22 we primarily keep our reverse proxies from
serving up their "content" and keep them from offering proxies on our
network.

It's pretty rare that we will filter any network as a whole but in this case
the need is pretty blatant.

Jeff

On Oct 24, 2009 4:25 AM, "Martin, Paul" <Paul.Martin [at] viatel> wrote:

So considering they're widely regarded as a criminal network hosting the
more dodgy/dangerous stuff on the net, surely we could 'protect' our
customers by blocking the 91.202.60.0/22 range?

Consider that can of worms opened :o)

Paul

-----Original Message----- From: Jeffrey Lyon [mailto:
jeffrey.lyon [at] blacklotus] Sent: 24 Octobe...


ops.lists at gmail

Oct 24, 2009, 5:36 AM

Post #12 of 23 (1982 views)
Permalink
Re: Interesting Point of view - Russian police and RIPE accused of aiding RBN [In reply to]

On Sat, Oct 24, 2009 at 2:48 PM, Marco Hogewoning <marcoh [at] marcoh> wrote:
> On Oct 24, 2009, at 9:00 AM, Suresh Ramasubramanian wrote:
>> http://www.eweekeurope.co.uk/news/russian-police-and-internet-registry-accused-of-aiding-cybercrime-2165
>
> With more on that:
> http://www.ripe.net/news/rbn.html

I am glad this ugly situation has been resolved - and I do wish the
resolution gets better coverage than this.

suresh


daniel.karrenberg at ripe

Oct 24, 2009, 6:59 AM

Post #13 of 23 (1979 views)
Permalink
Re: Interesting Point of view - Russian police and RIPE accused of aiding RBN [In reply to]

On 24.10 03:05, Paul Bosworth wrote:
> I think the larger point is that ripe turned a blind eye to an
> internationally recognized criminal network.

That may be a point but not a convincing one.

Imagine the outcry on this list if ARIN were to deny some organisation
address space or ASNs just because they are "internationally recognised"
criminals. Wouldn't we demand a little more due process?
Especially since the alternatives are not as easy as walking to the
next fastfood joint.

The RIPE NCC operates in a region where whole sovereign states call each
other criminals or worse on a daily basis.

The only tenable position for each RIR is to strictly apply the
policies developed in its bottom-up self-regulatory process. Doing
anything else would require intervention via a proper legal process,
e.g. a *judge* with appropriate jurisdiction telling the RIR that
its actions are unlawful.

Frustration is a bad advisor when trying to stop crime, unrelenting
application of due process is the only way ... frustrating as it may be.

Daniel Karrenberg
Chief Scientist RIPE NCC
Speaking only for himself as is customary here.

PS: This is old news, compare
http://www.h-online.com/security/news/item/Security-expert-calls-for-IP-address-ranges-of-criminal-providers-to-be-sent-direct-to-the-police-737905.html

And see the press release that Marco pointed out.

Daniel


jeffrey.lyon at blacklotus

Oct 24, 2009, 11:28 AM

Post #14 of 23 (1981 views)
Permalink
Re: Interesting Point of view - Russian police and RIPE accused of aiding RBN [In reply to]

The decision to filter networks should remain with the collective
network operators. Everyone, even criminals, has a "right" to
distribute content but it's up to each operator to decide if that
content will be allowed to transit their network. Personally, if an
entire /22 does not have a single legitimate resource on it in the
case of 91.202.60.0/22 *and* is widely suspected of being
owned/operated by a criminal enterprise then filtering makes sense.

Historically it takes a few pioneers to present a case for filtering
specific networks before larger networks will begin to see the light.

Jeff


On Sat, Oct 24, 2009 at 9:59 AM, Daniel Karrenberg
<daniel.karrenberg [at] ripe> wrote:
> On 24.10 03:05, Paul Bosworth wrote:
>> I think the larger point is that ripe turned a blind eye to an
>> internationally recognized criminal network.
>
> That may be a point but not a convincing one.
>
> Imagine the outcry on this list if ARIN were to deny some organisation
> address space or ASNs just because they are "internationally recognised"
> criminals.  Wouldn't we demand a little more due process?
> Especially since the alternatives are not as easy as walking to the
> next fastfood joint.
>
> The RIPE NCC operates in a region where whole sovereign states call each
> other criminals or worse on a daily basis.
>
> The only tenable position for each RIR is to strictly apply the
> policies developed in its bottom-up self-regulatory process.  Doing
> anything else would require intervention via a proper legal process,
> e.g.  a *judge* with appropriate jurisdiction telling the RIR that
> its actions are unlawful.
>
> Frustration is a bad advisor when trying to stop crime, unrelenting
> application of due process is the only way ... frustrating as it may be.
>
> Daniel Karrenberg
> Chief Scientist RIPE NCC
> Speaking only for himself as is customary here.
>
> PS: This is old news, compare
> http://www.h-online.com/security/news/item/Security-expert-calls-for-IP-address-ranges-of-criminal-providers-to-be-sent-direct-to-the-police-737905.html
>
> And see the press release that Marco pointed out.
>
> Daniel
>
>



--
Jeffrey Lyon, Leadership Team
jeffrey.lyon [at] blacklotus | http://www.blacklotus.net
Black Lotus Communications of The IRC Company, Inc.

Platinum sponsor of HostingCon 2010. Come to Austin, TX on July 19 -
21 to find out how to "protect your booty."
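As an added example (not code from any poster in this thread), here is one way to cross-check a prefix against the registry objects pasted earlier before it goes into a filter. It uses only Python's standard ipaddress module; the function names and candidate prefixes are illustrative, and the sample record is trimmed from the whois output quoted in the thread.

```python
import ipaddress

# Attributes that start a new object in whois output pasted without blank lines.
OBJECT_CLASSES = {"inetnum", "organisation", "person", "route"}

# Trimmed from the record quoted in the thread (contact objects omitted).
SAMPLE_WHOIS = """\
inetnum: 91.202.60.0 - 91.202.63.255
netname: AKRINO-NET
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-routes: MNT-AKRINO
source: RIPE # Filtered
% Information related to '91.202.60.0/22AS44571'
route: 91.202.60.0/22
descr: AKRINO BLOCK
origin: AS44571
mnt-by: MNT-AKRINO
source: RIPE # Filtered
"""


def parse_objects(text):
    """Split pasted whois output into objects: lists of (attribute, value)."""
    objects = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("%") or ":" not in line:
            continue  # blank lines and server comments carry no attributes
        key, _, value = line.partition(":")
        key = key.strip().lower()
        value = value.split("#", 1)[0].strip()  # drop end-of-line comments
        if key in OBJECT_CLASSES or not objects:
            objects.append([])
        objects[-1].append((key, value))
    return objects


def first(obj, key):
    """Return the first value of an attribute in an object, or None."""
    return next((v for k, v in obj if k == key), None)


def inetnum_to_cidrs(value):
    """Convert 'first - last' into the minimal list of CIDR prefixes."""
    lo, hi = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
    return list(ipaddress.summarize_address_range(lo, hi))


def registry_view(text):
    """Return (registered prefixes, {route prefix: origin AS}) from the paste."""
    registered, routes = [], {}
    for obj in parse_objects(text):
        cls, value = obj[0]
        if cls == "inetnum":
            registered.extend(inetnum_to_cidrs(value))
        elif cls == "route":
            routes[ipaddress.ip_network(value)] = first(obj, "origin")
    return registered, routes


def uncovered_routes(registered, routes):
    """Route objects whose prefix lies outside every registered inetnum."""
    return [str(p) for p in routes
            if not any(p.version == r.version and p.subnet_of(r)
                       for r in registered)]


def check_candidate(candidate, registered):
    """Classify a prefix proposed for a filter against the registered range."""
    try:
        net = ipaddress.ip_network(candidate)  # strict: host bits must be zero
    except ValueError:
        return "malformed"
    same = [r for r in registered if r.version == net.version]
    if any(net.subnet_of(r) for r in same):
        return "ok"
    if any(r.subnet_of(net) for r in same):
        return "over-broad"  # would also drop space registered to others
    return "unrelated"


if __name__ == "__main__":
    registered, routes = registry_view(SAMPLE_WHOIS)
    print("registered:", [str(n) for n in registered])
    print("routes:", {str(p): asn for p, asn in routes.items()})
    print("routes outside inetnum:", uncovered_routes(registered, routes))
    # Candidate prefixes are illustrative; 91.202.61.0/21 is a prefix form
    # that appears later in the thread and has host bits set for a /21.
    for cand in ("91.202.60.0/22", "91.202.62.0/24", "91.202.56.0/21",
                 "91.202.61.0/21", "192.0.2.0/24"):
        print(cand, "->", check_candidate(cand, registered))
```

Only a prefix classified "ok" stays inside the space the registry record covers; "over-broad" and "malformed" entries are the ones that end up dropping traffic for unrelated address holders.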


marcoh at marcoh

Oct 30, 2009, 3:23 AM

Post #15 of 23 (1864 views)
Permalink
Re: Interesting Point of view - Russian police and RIPE accused of aiding RBN [In reply to]

On 24 okt 2009, at 14:36, Suresh Ramasubramanian wrote:

> On Sat, Oct 24, 2009 at 2:48 PM, Marco Hogewoning
> <marcoh [at] marcoh> wrote:
>> On Oct 24, 2009, at 9:00 AM, Suresh Ramasubramanian wrote:
>>> http://www.eweekeurope.co.uk/news/russian-police-and-internet-registry-accused-of-aiding-cybercrime-2165
>>
>> With more on that:
>> http://www.ripe.net/news/rbn.html
>
> I am glad this ugly situation has been resolved - and I do wish the
> resolution gets better coverage than this.


It finally hit the press as well:

http://www.pcworld.com/businesscenter/article/174651/uk_police_smooth_over_rift_with_internet_registry.html

MarcoH


noc.akrino at gmail

Nov 6, 2009, 10:20 AM

Post #16 of 23 (1765 views)
Permalink
Interesting Point of view - Russian police and RIPE accused of aiding RBN [In reply to]

Greetings!

Let me introduce myself - I, as a part of a support team, represent NOC
Akrino, the team responsible for the technical use of AKRINO Networks,
AS44571 (91.202.61.0/21). It's a service network for DDoS-mitigation
purposes, using a combination of hardware and self-developed software which
allow us to efficiently filter mostly any kind of malicious traffic
providing the white traffic to the client's server. Among our clients there
are some e-businesses, e-shops, e-mass media, etc. with critical losses in
case of possible DDoS-attacks. I'd apply in case it's necessary, the
recommendations of our foreign resellers. Anyway we have never declared
ourselves as an abuse-resistant service provider - every abuse sent to
service email "noc.akrino [at] gmail" is being investigated and responded: we
can block the exact URLS or even block completely the traffic redirection to
the client in case of his abusive network behavior.

We're completely shocked by the declaration that the RBN moved to our AS. We
have no affiliation to RBN, the personal data is hidden and can be provided
by request just because of our members' personal security - in rare cases we
even had those risks (just because our filtration works cyber criminals
often search for other ways of influence upon us, including coercion).

In fact there are some problem clients like some adult sites whose
advertising programs could be popular with the spammers, but our policy
demands normal network behavior and in case of the abuse - their advert
partner is blocked.

So, if you have any evidence of abusive network behavior of our clients you
should send it directly to noc.akrino [at] gmail and we'll respond. If there
were any unsolved cases - we'll close them.

Please, excuse us if somehow Akrino Networks were the source of problems
for you - we'll do our best to prevent it in the future.

And I'll sincerely ask *Jeffrey Lyon *as a representative of Blacklotus team
to clarify his accusations: aren't they connected with the fact that many of
your DDoS-protected clients have chosen our reseller Blockdos (blockdos.net)
just because our pricing doesn't depend on the amount of attack? As far as I
understand it's a question of about $20k/month. Please, tell me if I'm not
right.

Thank you.

Kanak

Akrino Abuse Team


jeffrey.lyon at blacklotus

Nov 6, 2009, 11:01 AM

Post #17 of 23 (1758 views)
Permalink
Re: Interesting Point of view - Russian police and RIPE accused of aiding RBN [In reply to]

Kanak,

It's good to see you here. The primary issue is that we receive a fair
deal of customers who end up with wide scale DDoS attacks followed by
an offer for "protection" to move to your network. In almost every
case the attacks cease once the customer has agreed to pay this
"protection" fee. Every one of these attacks was nearly identical in
signature.

A couple of years back we followed up on this and a handful of trusted
security analysts who focus on RBN alleged that Akrino was an RBN
shill network thus prompting the spawn of this article:
http://www.computerworld.com/s/article/9063418/Russian_hosting_network_running_a_protection_racket_researcher_says
.

Since first seeing your network arise in early 2008 I've never
actually seen anyone claim to own it and a Google search for your name
and ASN were completely devoid of any useful information. The ASN and
IP assignment are registered to a BVI offshore corporation that based
on my research do not seem to correlate to any legitimate commercial
activity. All of these things seem to support the Computerworld
article.

I would love to be proven wrong on this issue as I do not like to see
a good net op ostracized without just cause. Perhaps your reseller(s)
are giving you a bad name? Either way I would love to chat, feel free
to Skype: blacklotus.net .

Best regards, Jeff



On Fri, Nov 6, 2009 at 1:20 PM, noc acrino <noc.akrino [at] gmail> wrote:
> Greetings!
>
> Let me introduce myself - I as a part of a support team represent NOC
> Akrino, the team responsible of the technical use of AKRINO Networks,
> AS44571 (91.202.61.0/21). It's a service network for DDoS-mitigation
> purposes, using a combination of hardware and self-developed software which
> allow us to efficiently filter mostly any kind of malicious traffic
> providing the white traffic to the client's server. Among our clients there
> are some e-businesses, e-shops, e-mass media, etc. with critical losses in
> case of possible DDoS-attacks. I'd apply in case it's necessary, the
> recommendations of our foreign resellers. Anyway we have never declared
> ourselves as an abuse-resistant service provider - every abuse sent to
> service email "noc.akrino [at] gmail" is being investigated and responded: we
> can block the exact URLS or even block completely the traffic redirection to
> the client in case of his abusive network behavior.
>
> We're completely shocked by the declaration that the RBN moved to our AS. We
> have no affiliation to RBN, the personal data is hidden and can be provided
> by request just because of our members' personal security - in rare cases we
> even had those risks (just because our filtration works cyber criminals
> often search for other ways of influence upon us, including coercion).
>
> In fact there are some problem clients like some adult sites whose
> advertising programs could be popular with the spammers, but our policy
> demands normal network behavior and in case of the abuse - their advert
> partner is blocked.
>
> So, if you have any evidence of abusive network behavior of our clients you
> should send it directly to noc.akrino [at] gmail and we'll respond. If there
> were any unsolved cases - we'll close them.
>
> Please, excuse us if somehow Akrino Networks were the source of problems
> for you - we'll do our best to prevent it in the future.
>
> And I'll sincerely ask *Jeffrey Lyon* as a representative of Blacklotus team
> to clarify his accusations: aren't they connected with the fact that many of
> your DDoS-protected clients have chosen our reseller Blockdos (blockdos.net)
> just because our pricing doesn't depend on the amount of attack? As far as I
> understand it's a question of about $20k/month. Please, tell me if I'm not
> right.
>
> Thank you.
>
> Kanak
>
> Akrino Abuse Team
>



--
Jeffrey Lyon, Leadership Team
jeffrey.lyon [at] blacklotus | http://www.blacklotus.net
Black Lotus Communications of The IRC Company, Inc.

Platinum sponsor of HostingCon 2010. Come to Austin, TX on July 19 -
21 to find out how to "protect your booty."


jeffrey.lyon at blacklotus

Nov 6, 2009, 2:02 PM

Post #18 of 23 (1761 views)
Permalink
Re: Interesting Point of view - Russian police and RIPE accused of aiding RBN [In reply to]

Kanak,

Can you please detail your plans to correct the malware issues on your
network? (reference:
http://google.com/safebrowsing/diagnostic?site=AS:44571 ).

Best regards, Jeff



[offlist communication snipped for privacy]

>
> Kanak
>
> Akrino Abuse Team
>





noc.akrino at gmail

Nov 7, 2009, 1:58 PM

Post #19 of 23 (1749 views)
Permalink
Re: Interesting Point of view - Russian police and RIPE accused of aiding RBN [In reply to]

Hello, Jeffrey and other NANOG members.

Sorry for making another thread - I'm not too experienced in mailgroups.

The problem is in structure of new generation advert or banner networks -
they allow to return other subject traffic to the partner's URL. And this
could also be used to redirect the traffic to different exploits (a simple
way to compromise a banner network or hosting provider). This is extremely
hard to monitor or to take preventive measures in case of a large banner or
advert network. Unfortunately Google doesn't provide a detailed report on
their check results: this could allow the resource's owner easily block
their partners in that case.

Anyway I'll contact the owner of this resource (91.202.63.96) now in order
to perform a check of their partners. I suppose, just having a few domains
would be enough.

The other resource is situated on the public ip of our reseller - I'll ask
him to check this domain, too.

Thank you for that information, I'll report on that issue later.

Kanak

Akrino Support Team




noc.akrino at gmail

Nov 8, 2009, 2:27 AM

Post #20 of 23 (1750 views)
Permalink
Re: Interesting Point of view - Russian police and RIPE accused of aiding RBN [In reply to]

2009/11/6 Jeffrey Lyon <jeffrey.lyon [at] blacklotus>

> The primary issue is that we receive a fair
> deal of customers who end up with wide scale DDoS attacks followed by
> an offer for "protection" to move to your network. In almost every
> case the attacks cease once the customer has agreed to pay this
> "protection" fee. Every one of these attacks was nearly identical in
> signature.
>

By the way, Jeffrey, we can provide reports on HTTP-flood because our system
builds its signatures on HTTP traffic dumps like

=== IP: 88.246.76.65, last receiving time: 2009-10-25T23:07:37+03:00, many
identical requests (length 198):
GET / HTTP/1.1
Accept: */*
Accept-language: en-us
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1)
Gecko/20061204 Firefox/2.0.0.1
Host: [censored]
Connection: Keep-Alive

So using this info we can map botnets, learn different attacks and in
collaboration with ISPs - find CCs of new botnets. And what are your
accusations of the identical signatures based on when simple Staminus
resellers (like you are) do not have access to their signatures database?

Kanak

Akrino Abuse Team
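
Added example (not part of the original post, and not Akrino's software): one way to produce the kind of per-source "many identical requests" report quoted above, and to group sources that repeat the same request so they can be reviewed as one cluster. The capture, host name, addresses and the 20-repeat threshold are constructed assumptions.

```python
import hashlib
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def signature(raw: bytes):
    """Fingerprint the request head byte-for-byte (header order and casing kept)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return hashlib.sha256(head).hexdigest()[:16], len(head)

def flood_report(capture, min_repeats=20):
    """Map signature -> sources (ip -> (count, last_seen)) repeating it >= min_repeats times."""
    counts = defaultdict(Counter)   # ip -> signature -> repeats
    last_seen, lengths = {}, {}
    for ip, ts, raw in capture:
        sig, length = signature(raw)
        counts[ip][sig] += 1
        lengths[sig] = length
        last_seen[ip, sig] = max(ts, last_seen.get((ip, sig), ts))
    report = {}
    for ip, sigs in counts.items():
        for sig, n in sigs.items():
            if n >= min_repeats:    # assumed threshold; tune per site baseline
                entry = report.setdefault(sig, {"length": lengths[sig], "sources": {}})
                entry["sources"][ip] = (n, last_seen[ip, sig])
    return report

def render(report):
    """Format the report in the style of the dump quoted in the post."""
    return [f"=== IP: {ip}, last receiving time: {seen.isoformat()}, "
            f"{n} identical requests (length {entry['length']}), signature {sig}"
            for sig, entry in report.items()
            for ip, (n, seen) in sorted(entry["sources"].items())]

# Constructed sample capture (documentation addresses, hypothetical host name).
def request(path, agent):
    return (f"GET {path} HTTP/1.1\r\nAccept: */*\r\nUser-agent: {agent}\r\n"
            f"Host: shop.example\r\nConnection: Keep-Alive\r\n\r\n").encode()

T0 = datetime.fromisoformat("2009-10-25T23:00:00+03:00")
BOTS = ["192.0.2.10", "192.0.2.77", "198.51.100.5"]
CAPTURE = [(ip, T0 + timedelta(seconds=i), request("/", "Mozilla/5.0 (bot template)"))
           for ip in BOTS for i in range(40)]
CAPTURE += [("203.0.113.9", T0 + timedelta(seconds=i), request(f"/item/{i}", "Firefox"))
            for i in range(40)]                       # busy but varied client
CAPTURE += [("203.0.113.20", T0, request("/", "Firefox"))] * 5   # below threshold

if __name__ == "__main__":
    print("\n".join(render(flood_report(CAPTURE))))
```

A byte-exact fingerprint only catches clients that replay one fixed template; a client that varies its path or headers per request, like the constructed 203.0.113.9, falls outside it by design.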


jeffrey.lyon at blacklotus

Nov 8, 2009, 12:01 PM

Post #21 of 23 (1739 views)
Permalink
Re: Interesting Point of view - Russian police and RIPE accused of aiding RBN [In reply to]

Kanak,

We're not a Staminus reseller. Please do your homework:
http://webtrace.info/asn/32421 .

I'm not going to hold court on whether or not you or your resellers
are DDoSing competitor's customers, I was merely stating my opinion.
The reader can draw their own conclusion. I think your network is
blackhat, you say it's not. I say your entire network has minimal
legitimate traffic and you say you have a diverse customer base. The
way I see it right now:

- You're an anonymous BVI company with no physical location
- This Computerworld article is referring to Akrino:
http://www.computerworld.com/s/article/9063418/Russian_hosting_network_running_a_protection_racket_researcher_says .
I was consulted on this article before it went to print and I'll put
my reputation on that.
- All of the sites on Akrino around early 2008 were on NEAVE LIMITED
until shutdown by uplink Eltel. They all came back up under Akrino
uplink to Anders (AS39792).
- 91.202.60.0/22 has one actual company with legitimate commercially
necessary traffic (will provide a full report if you want to push the
issue) yet is responsible for hundreds of malware infections over the
past 6 months (see again,
http://google.com/safebrowsing/diagnostic?site=AS:44571 )
-- The aforementioned company (solidtrustpay.com) was a Black Lotus
customer and had received several days of multi-Gbps DDoS that
subsided only once the customer agreed to use your network
--- Post-DDoS the customer's server began receiving SSH connections
from some former Soviet country (forget which offhand) trying to debug
a reverse proxy (not sure if you/they realize that we filter your
announcements). In the real world DDoS does not stop just hours before
the gaining host goes to set up a proxy.
- The attacks you claim to be filtering would not be possible unless
your connection to AS39792 is 10GE or they're doing the filters for
you.
- The above has occurred at least three times with Akrino, zero times
with better known, respected providers.
- A handful of respected net ops have contacted me off list to confirm
much of this data and provide additional evidence.

Again, these are merely *opinions* and form the foundation of why I
believe Akrino is a black hat network. Perhaps if you didn't have
black hat resellers you wouldn't have this reputation? Maybe you
should reconsider who you allow to resell your network? I don't know
for certain but you need to clean up your network so you don't end up
like Atrivo. Clean up now and everyone wins.

Jeff





noc.akrino at gmail

Nov 10, 2009, 10:50 AM

Post #22 of 23 (1684 views)
Permalink
Re: Interesting Point of view - Russian police and RIPE accused of aiding RBN [In reply to]

Greetings!

By the way, Jeffrey, by the 24th of October, when you posted the information
that the RBN is located in our networks we couldn't even know about any
malware redirectors on our clients' resources -
http://www.stopbadware.org/reports/asn/44571. I'm trying to solve the Google
SB issue (still under investigation both by our team and the resource owner,
but NB - it's only 1 ip from 345 sites tested by Google ) but one little
question - how did you get to know about the malware abuse _before_ the
actual report on stopbadware.org or on google? What were your conclusions
based on? Why didn't you write to the abuse email the way it's traditionally
done in the network operators' sphere?

Kanak

Akrino Abuse Team


jeffrey.lyon at blacklotus

Nov 10, 2009, 11:09 AM

Post #23 of 23 (1689 views)
Permalink
Re: Interesting Point of view - Russian police and RIPE accused of aiding RBN [In reply to]

Kanak,

NANOG moderators have requested this conversation go off list.

Jeff

