From: "Ronald F. Guilmette" <rfg@tristatelogic.com>
To: abuse@seabone.net, tech@seabone.net,
    antonio.ferretti@telecomitalia.it
Subject: IP space hijacking by your customer: AS205869
Date: Fri, 20 Jul 2018 13:57:20 -0700
Message-ID: <7260.1532120240@segfault.tristatelogic.com>


The data shown here indicates that your network, AS6762, is the primary
provider of connectivity to AS205869 - "Universal IP Solution Corp."

    https://bgp.he.net/AS205869#_asinfo
    https://bgp.he.net/AS205869#_peers

Traceroutes further confirm this information and this association between
your company, Telecom Italia, and AS205869.

Please be advised that AS205869, Universal IP Solution Corp., is undertaking
and has undertaken to hijack numerous large blocks of IPv4 address space
which are registered to other parties that themselves have NO business
connections whatsoever to AS205869, Universal IP Solution Corp.

Please note that your customer, AS205869, has also hijacked a number of
other ASNs, and they have been using these also as part of their overall
deceptive scheme to hijack various IPv4 address blocks.  Specifically,
AS205869, Universal IP Solution Corp. has also hijacked the following set
of (previously abandoned) ASNs:

AS10510
AS10737
AS10800
AS11224
AS13484
AS19529
AS30026
AS30237

This information may be easily confirmed via the following simple command:

   whois -h whois.ripe.net -i mnt-by -B ADMASTER-MNT

Every single entry currently present within the RIPE WHOIS data base
and which is marked as being "mnt-by:" the RIPE handle "ADMASTER-MNT" is
fraudlent.  The evidence indicates that very single one of these fradulent
RIPE WHOIS entries was in fact created by your customer, AS205869, Universal
IP Solution Corp.  For your convenience, I here provide you with the current
output of the above whois command:

    https://pastebin.com/raw/0HMzkW75

By using the above list of hijacked ASNs, your customer, AS205869, Universal
IP Solution Corp. has hijacked and is currently hijacking the following IPv4
address blocks AT THE PRESENT TIME:

ASN   Route
----------------------
10510 216.238.64.0/18
10737 207.183.96.0/20
10800 192.110.32.0/19
19529 104.143.112.0/20
19529 198.14.0.0/20
19529 198.32.208.0/20
19529 206.41.128.0/20
30237 192.73.128.0/20
30237 192.73.144.0/20
30237 192.73.160.0/20
30237 192.73.176.0/20

Please note that for any and every traceroute to any individual IPv4 address
within any of the above hijacked IPv4 blocks, the last hop just prior to
reaching the final destination IP address is one of YOUR routers.  Example:

==============================================================================
% traceroute 192.73.128.99
traceroute to 192.73.128.99 (192.73.128.99), 64 hops max, 52 byte packets
 ...
 8  dls-b21-link.telia.net (62.115.123.136)  59.562 ms  60.227 ms  62.063 ms
 9  telecomitalia-ic-335143-dls-b21.c.telia.net (62.115.162.79)  60.605 ms  59.251 ms  60.137 ms
10  et10-3-0.franco71.fra.seabone.net (195.22.211.55)  198.764 ms
    et11-3-0.franco71.fra.seabone.net (195.22.211.199)  199.916 ms
    et4-0-2.franco71.fra.seabone.net (195.22.211.193)  184.880 ms
11  192.73.128.99 (192.73.128.99)  266.935 ms  266.945 ms  267.070 ms
==============================================================================

Please take special note of the identity of the actual registered owner of
the containing IPv4 address block (192.73.128.0/18) for the final four
hijacked routes listed above.  The legitimate registered owner of the
containing block (192.73.128.0/18) is the United States Air Force:

    https://pastebin.com/raw/HkXACrCa

Please ask yourself this question:  Why is your customer, a Ukranian company,
routing packets for the United States Air Force??

Please note that this exact same criminal IP address space hijacking
enterprise, involving the use and mis-use of the RIPE maintainer handle
"ADMASTER-MNT", was previously discussed multiple times, in November, 2017
and also in April, 2018, on the RIPE DataBase Working Group's mailing list:

https://www.ripe.net/participate/mail/forum/db-wg/PDM5YTI0OGI2LWRlZTMtNTZmYi1mNmUxLTg5YjcyZmRiY2ZmY0BjaG9vcGEuY29tPg==

Now that I have informed your company, Telecom Italia, of this ongoing
hijacking operation WHICH APPEARS TO BE 100% DEPENDENT ON YOUR NETWORK,
if your company, Telecom Italia, continues to provide support to, and
routing and connectivity for AS205869, Universal IP Solution Corp.
(Ukraine), you will effectively be responsible for, and perhaps even
legally liable for any further hacking or other criminal activities
originating from the various hijacked blocks and ASNs that I have listed
above.

Please reply immediately and please inform me as to what steps your
company will take to quickly disconnect this specific large scale
criminal IP address hijacking enterprise from your network.


Regards,
Ronald F. Guilmette
Roseville, California,
Tel: +1 916 796 7945