Thank you for your interesting analysis.
Is then RIPE not a "partner in crime" for such criminal companies?
B/c it seems RIPE does not take any action against such evidently
criminal members abusing the network and the other members and users.
RIPE just says this ( https://www.ripe.net/support/abuse ):
"
...
At the RIPE NCC, we allocate blocks of IP addresses to ISPs and
other organisations, but we have no involvement in how these
addresses are used by their users.
...
However, we can help you find out who is abusing your network
by providing you with the relevant network operator contact details.
Our role is to ensure that all abuse contacts are valid and
up-to-date in the RIPE Database. From there, it is the
responsibility of the network operator to handle your abuse report.
There is nothing we can do if a network operator chooses not to reply.
...
"
IMO, RIPE very well can do some more, and needs to do some more...
Natale Maria Bianchi wrote on 11/01/23 19:06:
On Wed, Nov 01, 2023 at 01:55:42PM +0100, John Levine wrote:
It appears that ? ngel Gonzalez Berdasco via anti-abuse-wg
<angel.gonza...@incibe.es> said:
Just block their network 80.94.95.0/24 and forget about it.
organisation: ORG-BA1515-RIPE
org-name: BtHoster LTD
country: GB
org-type: OTHER
address: 26, New Kent Road, London, SE1 6TJ, UNITED KINGDOM
If you look at that address on Google stret view, you will see a late
2022 picture of a construction site.
Unless you care enough to contact their transit providers and try
and get them disconnected, I wouldn't waste more time on it.
BtHoster is indeed a well known bulletproof hoster, and nothing good can be
expected also from the other two blocks announced by AS204428, 87.246.7.0/24
and 212.70.149.0/24 (4media.bg/4vendeta.com, who also have much cleaner
ranges directly behind their own AS50360). BtHoster also has AS198465,
today announcing 45.129.14.0/24 and 77.90.185.0/24.
Sending abuse reports to these places is - how to say? - a bit naive.
Abuse is their core business. You can see for instance BtHoster's ad in
https://bitcointalk.org/index.php?topic=5407833.0 :
RDP FOR SCAN/BRUTE - PRICE 10 $ /MONTH
WHM FOR PISHING WITH UNLIMITED DOMAIN LICENSE -PRICE 130 $ /MONTH
RESELLER FOR RDP WITH PANEL -PRICE 150 $ + IP /MONTH
SERVER FOR SCAN/BRUTE 32 GB RAM -PRICE 130 $ /MONTH
So the "ignoring" is fully expected, it is a feature of their hosting offer.
The best action is to completely prevent their packets from entering your
networks
through protection at the network edge. This is precisely what our
DROP/EDROP/ASN-DROP
free datasets are for: block all packets on the edge router.
Of course, like it or not, the people behind this are members of this
community, read these
lists, make posts, etc, and of course they would not be connected to the
Internet if there
weren't facilitating ISPs between them and backbones - in this case the
operators of
AS47890, AS202425 and the abovementioned AS50360. These are also part of the
abuse
ecosystem.
The two-layered approach is essential for the stability of their connectivity -
otherwise the backbones would just cut them off. When pressure from backbones
becomes
excessive and the intermediary is forced to disconnect them, they change
intermediary
or they create a new company, get a new ASN and move the operation so that
reputation
restarts from zero. These patterns are very established, and cause a
considerable
ASN turnaround. RIPE NCC apparently noted a high number of ASNs being abandoned
[https://www.ripe.net/ripe/mail/archives/address-policy-wg/2023-June/013757.html]
but does not seem to note the relation with abuse that should explain a fraction
of them.
Natale M Bianchi
Spamhaus Project
--
To unsubscribe from this mailing list, get a password reminder, or change your
subscription options, please visit:
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
