In message 
<calz3u+aah7xmfotv6p2h9pgavknk9uj0la96prij7cyr4er...@mail.gmail.com>, 
Töma Gavrichenkov <xima...@gmail.com> wrote:

>> Neither AS44050 nor AS58552 was ever announcing any of the squatted
>> prefixes themselves directly.
>> Rather AS44050 was... for reasons which have yet to be explained... peering
>> with the set of four apparently squatted ASNs
>
>Yes, this is understood.  There's no peering anymore. See e.g.:

Very good.  I have confirmed.

>> If you are in a position to have one more short conversation with the
>> owners and/or operators of AS44050, Petersburg Internet Network Ltd.,
>> then please be so kind as to ask them on my behalf why they were
>> peering with those four different apparently squatted & abandoned ASNs.
>
>I don't think I'm anywhere close to a position where I can ask them
>questions like that.

OK.  Just give me the contact information that was used to have this
previous "brief conversation" with them, and I will ask them myself.

See, I'm not like most folks who just shrug and move on after an incident
like this.  I sort of like to find out what really happened, why, and who
is actually responsible.

Either Petersburg Internet Network did this themselves, or else *somebody*
was paying them a *lot* of money to get them to provide peering & transit
to all of these bogus squatted ASNs.

>> The name "Petersburg Internet" has come up, time and time again,
>> in relation to online skulduggery and malfeasance. [..]
>> https://krebsonsecurity.com/page/2/?s=Petersburg+Internet&x=0&y=0
>
>This search yields all the results containing "petersburg" OR
>"internet".  There's no doubt there would be many in this case.

That's actually not correct, but it turns out that we were both half
right and both half wrong about Brian Krebs' web site search function.

I looked into this, and it now appears that if you search for "Petersburg
Internet" on Brian's site, you *do not* get the results for "Petersburg
OR Internet" and you also *do not* get results for "Petersburg AND Internet".
In fact, it looks like the search function just ignores the second word
entirely, so the search is effectively for just "Petersburg".

In any case, you may wish to have a look at the following article in
which the company *is* mentioned, and not in any good way:

https://krebsonsecurity.com/2016/07/carbanak-gang-tied-to-russian-security-firm/

I would also recommend perusing page 28 of the following expert witness
statement, which relates to botnet command & control servers:

http://cdn.cnn.com/cnn/2019/images/03/15/xbt.doc.248.2.pdf

See also page 5 of this academic paper about automated Internet attacks:

https://grehack.fr/data/2017/slides/GreHack17_Automation_Attacks_at_Scale_paper.pdf

>AS44050 is basically the SOHO provider for the St. Petersburg Internet
>Exchange.  St. Petersburg's population is slightly below 5 million
>people, not counting satellite cities and suburbs (which, if counted,
>would contribute another 2 million I think), and the city has got quite
>a reputation for hidden criminal activity.  It's Chicago-style if
>you will.  Surely there are also quite a few criminals in one of the
>largest ISP networks of the city.

Yes, but if any of -our- criminals attack people or businesses located in
other countries, we will allow them to be extradited to those other countries
to face trial.  Your country, I am sad to say, instead protects online
miscreants, and ensures that they never have to face justice.  You know
that, I know that, everybody who knows even the first thing about online
cybercrime knows that.  It's not exactly a secret.


Regards,
rfg
