[nsp-sec] bullet proof hosting AS47995 (DEDINOW)?

Tom Fischer tfischer at bfk.de
Tue Apr 11 09:59:40 EDT 2017


Hi,

we're working on a case with

AS      | IP               | AS Name
47995   | 185.188.204.0/24 | DEDINOW, GB

PEER_AS | IP               | AS Name
44050   | 185.188.204.0/24 | PIN-AS, RU


inetnum:        185.188.204.0 - 185.188.207.255
netname:        UK-TRIONCLOUD-20170206
country:        RU
org:            ORG-NL306-RIPE
admin-c:        AW5811-RIPE
tech-c:         AW5811-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-by:         uk-trioncloud-1-mnt
created:        2017-02-06T11:38:24Z
last-modified:  2017-03-15T16:20:04Z
source:         RIPE

organisation:   ORG-NL306-RIPE
org-name:       NanoHash LTD
org-type:       LIR
descr:          DediNow Ltd.
remarks:        *****************************************************************************
remarks:        DEDINOW.NET NETWORK
remarks:        Please only use abuse at dedinow.net for abuse complaints
remarks:        For more info please visit our website https://dedinow.net/.
remarks:        *****************************************************************************
address:        27 Creffield Rd
address:        W5 3RR
address:        London
address:        UNITED KINGDOM
admin-c:        AW5811-RIPE
tech-c:         AW5811-RIPE
abuse-c:        AR39163-RIPE
mnt-ref:        uk-trioncloud-1-mnt
mnt-by:         RIPE-NCC-HM-MNT
mnt-by:         uk-trioncloud-1-mnt
created:        2017-02-04T11:28:19Z
last-modified:  2017-04-06T15:33:57Z
source:         RIPE # Filtered
phone:          +7 00000000


route:          154.16.131.0/24
origin:         AS47995
mnt-by:         uk-trioncloud-1-mnt
created:        2017-03-23T12:17:30Z
last-modified:  2017-03-23T12:17:30Z
source:         RIPE

% Information related to '185.188.204.0/22AS47995'

route:          185.188.204.0/22
origin:         AS47995
mnt-by:         uk-trioncloud-1-mnt
created:        2017-03-08T14:50:55Z
last-modified:  2017-03-08T14:50:55Z
source:         RIPE

% Information related to '185.74.67.0/24AS47995'

route:          185.74.67.0/24
origin:         AS47995
mnt-by:         uk-trioncloud-1-mnt
created:        2017-04-06T15:23:30Z
last-modified:  2017-04-06T15:23:30Z
source:         RIPE


pDNS shows only phishing sites and malware (especially Android malware) command&control servers.
e.g.

[...]
2017-04-04 05:01:13 2017-04-04 10:20:07 www.banking.sparkasse.de-kundennummer-z8ffxbyhe7jpkqx.top A 154.16.131.20  
2017-03-30 18:24:47 2017-04-04 11:13:23 www.banking.sparkasse.de-kundennummer-gzm6jdftyc5sjyp.top A 154.16.131.20  
2017-03-31 10:34:40 2017-04-04 18:00:37 www.banking.sparkasse.de-kundennummer-zql4bu82dvml7x5.top A 154.16.131.20  
2017-03-30 18:24:45 2017-04-04 18:22:08 www.banking.sparkasse.de-kundennummer-rcdqkwsug3a7zkx.top A 154.16.131.20  
2017-04-04 19:59:33 2017-04-05 01:35:15 kundensicherheitsverifizierung.pro A 154.16.131.5  
2017-04-04 15:20:42 2017-04-05 01:37:15 kundensicherheitsverifizierung.top A 154.16.131.5  
2017-03-29 00:03:57 2017-04-10 14:19:48 cool-shortener.top A 154.16.131.25  
2017-03-30 21:19:10 2017-04-10 14:58:24 www.banking.sparkasse.de-kundennummer-m9nqawj6dkeszvb.top A 154.16.131.20  



We've contacted Dedinow and the upstream AS44050 

organisation:   ORG-PINl1-RIPE
org-name:       Petersburg Internet Network ltd.
org-type:       LIR
address:        Obuhovskoy oborony pr. 120-b, office 620.
address:        192012
address:        Saint-Petersburg
address:        RUSSIAN FEDERATION
phone:          +78126772525
fax-no:         +78123093916
admin-c:        MNV32-RIPE
tech-c:         SEO-RIPE
abuse-c:        PIN44050-RIPE
mnt-ref:        RIPE-NCC-HM-MNT
mnt-ref:        MNT-PIN
abuse-mailbox:  abuse at pinspb.ru
mnt-by:         RIPE-NCC-HM-MNT
mnt-by:         MNT-PIN
created:        2009-05-28T09:40:17Z
last-modified:  2016-07-04T12:21:44Z
source:         RIPE # Filtered


several times without any response - apart from DDoS attacks against our 
mail servers (several Gbits of DNS reflection/amplification attacks) ...

Peering partners of PIN-AS/ORG-PINl1-RIPE are

1103    | 5.101.0.214      | SURFNET-NL SURFnet, The Netherlands, NL
196844  | 5.101.0.214      | PIONIER-AS-AMS-IX PIONIER, National Research and Education Network in Poland, PL

Any chance to look into this (and to drop AS47995)?

-- 
Tom Fischer
BFK edv-consulting GmbH                  tel: +49 721 962 01-1
Kriegsstr. 100, D-76133 Karlsruhe        fax: +49 721 962 01-99
Geschäftsführer: Christoph Fischer HRB105469 Mannheim
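As an added example (not part of the original post), a small Python triage of pDNS lines in the format shown above: it keeps A records that resolve into the prefixes from the quoted AS47995 route objects and tags brand-lookalike hostnames, which is the kind of filter an operator would run before blocking or reporting. The brand tokens and the sample records are my own assumptions and constructions.

```python
import ipaddress
import re
# Prefixes from the route objects quoted above (origin AS47995), used as the
# alert/block list an operator would derive from them.
AS47995_ROUTES = [ipaddress.ip_network(p) for p in
                  ("154.16.131.0/24", "185.188.204.0/22", "185.74.67.0/24")]
# Brand tokens for lookalike tagging (assumption: picked from the domains in the report).
BRAND_TOKENS = ("sparkasse", "commerzbank", "commerz-", "paypa")
# pDNS line layout as shown in the report: first_seen last_seen rrname rrtype rdata
PDNS_RE = re.compile(r"^(\S+ \S+) (\S+ \S+) (\S+) (\S+) (\S+)\s*$")

def parse_pdns_line(line):
    """Return a dict for one pDNS record, or None if the line does not match."""
    m = PDNS_RE.match(line)
    if not m:
        return None
    first, last, rrname, rrtype, rdata = m.groups()
    return {"first_seen": first, "last_seen": last, "rrtype": rrtype,
            "rrname": rrname.lower().rstrip("."), "rdata": rdata}

def reported_route(addr):
    """Return the AS47995 prefix containing addr, or None (also for non-IP rdata)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return next((str(n) for n in AS47995_ROUTES if ip in n), None)

def triage(lines):
    """Keep A records that resolve into the reported prefixes; tag brand lookalikes."""
    hits = []
    for line in lines:
        rec = parse_pdns_line(line)
        if rec is None or rec["rrtype"] != "A":
            continue
        route = reported_route(rec["rdata"])
        if route is None:
            continue
        rec["route"] = route
        rec["brand_lookalike"] = any(t in rec["rrname"] for t in BRAND_TOKENS)
        hits.append(rec)
    return hits

# Constructed sample: report-format records plus one control outside the prefixes (192.0.2.0/24 is documentation space).
SAMPLE = [
    "2017-04-04 05:01:13 2017-04-04 10:20:07 www.banking.sparkasse.de-kundennummer-z8ffxbyhe7jpkqx.top A 154.16.131.20",
    "2017-03-29 15:04:38 2017-04-10 09:55:48 kundenservice-commerzbank.online A 185.188.204.7",
    "2017-04-10 13:08:41 2017-04-10 13:08:41 fenstermane.net A 185.188.204.31",
    "2017-04-10 12:00:00 2017-04-10 12:00:00 example.org A 192.0.2.10",
]
```

Running `triage(SAMPLE)` returns the three records inside the reported prefixes, the first two tagged as brand lookalikes, and drops the control record.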

