This article is the first part of a series of articles I am publishing about my dealings with a cesspool on the internet and the coordinated attempts my colleagues and I have made to bring it to the attention of various network peers, internet policy organizations, law enforcement and victims of attacks originating from there, as well as raising general awareness.
Anon-IB and its Abuse of Women and Teens
Several months ago, an old classmate brought to this author’s attention an anonymous image board called Anon-IB. The image board acts as a hub for the sharing of revenge pornography and slut-shaming: people from around the country request and share sexually explicit photographs taken from ex-girlfriends, hacked or stolen mobile phones or other personal caches they have accumulated, which they refer to as ‘wins’.
Revenge porn sites are a thing many are now aware of, but what makes this one different is the website has separate boards dedicated to each state; locals from various cities, my hometown included, create local threads for their city where they and others can post and request nude images or videos of local young women, without the victims’ knowledge or consent, often by name and including other personally identifiable details such as their high school or college and their graduation year.
Underage posts are not allowed; however, Gabrielle Fonrouge of the New York Post wrote in September that there are numerous, verifiable cases of images being shared of underage girls, and she cites specific examples of several women who were 15–17 years old in the images being shared of them on Anon-IB.
It is also a rule on Anon-IB that personally identifiable information is prohibited; however, this author writes that “many users flaunt these rules … [p]articularly in the sections that are done by city.” The New York Post article also cites its own cases of victims’ full names being included in posts, which often include the victims’ school.
This is disturbing in a number of ways. It is grossly hostile, threatening, and objectifying to women, and all of the posters clearly have no respect for them. One might feel it promotes stalking and sexually harassing women. This author recognized names of people he knows being requested, and so he started considering what he could do about it, since the whole thing is pretty ugly, offensive, and, in his legally untrained belief, illegal in many jurisdictions.
The old classmate that originally brought the site to this author’s attention had told him the site was hosted in Russia, according to co-workers that had shared the site with him, and thus it could not be taken down. So, this author started investigating who is behind it and what could be done.
Quasi Networks LTD.
According to DNS records, the public-facing web server for the image board is located on a host at 188.8.131.52. This author reviewed the IP’s public registration information from the RIPE NCC WHOIS database and learned it is registered to Quasi Networks Ltd, Suite 1, Second Floor, Sound & Vision House, Francis Rachel Street, Victoria, Mahe, Seychelles.
Seychelles is an archipelago and country, officially known as the Republic of Seychelles, which is east of mainland East Africa in the Indian Ocean. It has recently had some media attention, e.g. in The Washington Post, for being host to new cases of the plague, as travelers to and from nearby Madagascar have contracted it and brought it back to Seychelles. Travel between Seychelles and Madagascar is common and flights had been suspended as a result of the plague presence in both countries.
In the recent past, attacks originating from within Quasi Networks’ AS29073 had caused denial-of-service outages on web servers this author leased and managed. Large numbers of failed SSH login attempts and vulnerability probes executed against WordPress sites would spike usage on the servers and occasionally make services unavailable. The attacks would also increase Amazon Web Services costs beyond expectations.
This author had previously sent abuse reports to Quasi Networks, only to never receive a response while the attacks continued. Ultimately, adding a ‘drop’ rule to the firewalls for every netblock that was assigned to Quasi Networks, effectively ignoring all communications from them, was the only solution. In realizing that Quasi Networks was associated with Anon-IB and these past attacks, this author was interested to learn what else was going on behind AS29073 and why no one appeared to do anything about it.
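The blocking approach described above can be sketched as follows. This is an added example, not code from the original article: it attributes failed SSH logins to a network's netblocks and renders an nftables set that drops them. The prefixes and log lines are constructed (RFC 5737 documentation ranges), and the `inet filter` table, `input` chain and `as_drop` set name are assumptions about the local firewall layout.

```python
import ipaddress
import re
from collections import Counter

# Constructed placeholder prefixes (RFC 5737 documentation ranges) standing in
# for the netblocks registered to the abusive network.
AS_PREFIXES = ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/24", "203.0.113.64/26"]

# Constructed sshd log lines.
SAMPLE_LOG = """\
Oct 12 03:14:07 web1 sshd[2211]: Failed password for root from 192.0.2.17 port 51122 ssh2
Oct 12 03:14:09 web1 sshd[2211]: Failed password for invalid user admin from 192.0.2.200 port 51140 ssh2
Oct 12 03:14:15 web1 sshd[2215]: Failed password for root from 198.51.100.9 port 40022 ssh2
Oct 12 03:15:01 web1 sshd[2290]: Accepted publickey for deploy from 203.0.113.10 port 50510 ssh2
Oct 12 03:15:30 web1 sshd[2301]: Failed password for invalid user test from 203.0.113.70 port 33810 ssh2
Oct 12 03:16:02 web1 sshd[2302]: Failed password for root from 203.0.113.10 port 50600 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port")

def collapse(prefixes):
    """Merge adjacent or overlapping prefixes so the firewall set stays small."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in prefixes))

def failures_by_block(log_text, blocks):
    """Count failed SSH logins per listed netblock; all other sources go under 'other'."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # hostname or malformed value in the address field
        hit = next((str(b) for b in blocks if src in b), "other")
        counts[hit] += 1
    return counts

def nft_ruleset(blocks, table="inet filter", set_name="as_drop"):
    """Render an nftables interval set plus one drop rule (assumed table/chain names)."""
    elems = ", ".join(str(b) for b in blocks)
    return (f"add set {table} {set_name} {{ type ipv4_addr; flags interval; }}\n"
            f"add element {table} {set_name} {{ {elems} }}\n"
            f"add rule {table} input ip saddr @{set_name} drop\n")

if __name__ == "__main__":
    blocks = collapse(AS_PREFIXES)
    print(failures_by_block(SAMPLE_LOG, blocks), nft_ruleset(blocks), sep="\n")
```

Counting failures per netblock before blocking gives a record of what each prefix was doing, which is also the evidence an abuse report needs.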
Troy and the Bad Packets Report
Searching online for their AS number made this author realize they were not alone in their experiences with Quasi Networks. Troy Mursch had written on April 25th, 2017 about his experiences on his website, the Bad Packets Report. Troy was on the receiving end of attacks from a host on a Quasi Networks IP address, 184.108.40.206, that he referred to as ‘The Master Needler’.
Troy had already contacted RIPE NCC about Quasi Networks and published the results of his communications with them. He was concerned about their apparent lack of attention to abuse complaints sent to their registered abuse contact address and hoped RIPE could provide guidance.
RIPE suggested Troy contact Novogara Ltd at their abuse contact, as the particular subnet 220.127.116.11/24 was a ‘PA assignment’ created by that RIPE NCC member without RIPE participation. They also noted that Quasi Networks holds AS29073 and that RIPE NCC had validated the abuse email at the time they were assigned the AS number. Knowing RIPE NCC could not be of much further help, Troy wrote he would consider following up with Novogara as RIPE NCC had suggested.
Also worth noting is RIPE NCC has since released a new policy proposal on how they handle abuse contact validation, which includes at least an annual validation of the abuse email and following up when an IP owner is unresponsive after two weeks. Under the proposed policy, if an organization is not cooperative, RIPE NCC could close their membership and de-register their IP resources. Whether Troy’s conversation and subsequent article about RIPE helped spur that proposal or not, this author likes to think it did.
Collaboration with Troy and The Hague Case
At the time, I found no additional follow-up had been published yet by Troy, so I decided to reach out to him via Twitter to see if he had any updates. He told me he had not yet contacted Novogara, but did have important news: There is currently an on-going case in The Hague and directors of Ecatel Ltd, Quasi Networks Ltd, Novogara Ltd and REBA Communications B.V. are named as co-defendants in it.
According to court documents, which I am reading and quoting via Google Translate since they are entirely in Dutch, an organization named Stichting Brein, or BREIN Foundation, “wants to call [the defendants] as witnesses to further clarify the structure and relationship between these companies, where the servers are located and which (right) persons responsible behind Quasi Networks. Stichting Brein is interested in this information in order to be able to judge who she can appeal to and whether it is useful to start a procedure.”
“Stichting Brein wenst daarom [verweerder 1] , [verweerder 2] en [verweerder 3] als getuigen te horen om verdere duidelijkheid te krijgen over de structuur van en de relatie tussen deze ondernemingen, waar de servers zich bevinden en welke (rechts)personen de verantwoordelijken achter Quasi Networks zijn. Stichting Brein heeft belang bij deze informatie om te kunnen beoordelen wie zij kan aanspreken en of het zinvol is een procedure te beginnen.”
BREIN Foundation, according to court documents, represents several motion picture and sound associations, producers and film distributors in combating unauthorized distribution of their clients’ content on the internet. They are essentially an anti-piracy group representing the creative industry in the Netherlands.
BREIN alleges they have found infringing content on websites hosted by Ecatel in the past years and they allege Ecatel has historically been structurally negligent in complying with their statutory obligations by not taking the infringing content or sites offline or by not doing so in a timely manner.
How Are These Entities Associated?
According to official, public documents this author obtained from the Dutch chamber of commerce, the director of Novogara Ltd, since its inception on April 30, 2015, is Ferdinand Reinier van Eeden.
Reinier van Eeden was also a director of Ecatel Ltd, from September 13, 2005 until October 14, 2014, and a director of REBA Communications B.V. from February 1, 2016 to June 1, 2016. From October 2010 to February 2016, REBA Communications B.V. was owned by B&R Holding B.V. of which Reinier van Eeden was also director, from September 17, 2010 to October 5, 2010.
According to official Dutch records, REBA Communications B.V. also operates under the trade names Rebacom, Datazone, Dataone and Dataone Datacenter. According to Dutch court filings, BREIN believes the servers of all these companies are physically located in the Dataone datacenter in Wormer, North Holland.
BREIN also notes that, in late 2015, a bundle of Ecatel IP addresses was taken over by Quasi Networks and Novogara’s website is also hosted by Quasi Networks. BREIN also says there are concrete indications that Quasi Networks uses servers located in the Dataone datacenter in Wormer, which is owned by REBA Communications B.V.
As a result of this information, BREIN and this author believe there is good reason to suspect that all of these organizations are tightly related to one another.
What to do Now?
Since Novogara is likely to be as unhelpful as Ecatel, Rebacom and Quasi Networks, additional research on who they are peering with is forthcoming in part two of this series. My hope is to appeal to their more respectable network peers, making them aware of the shenanigans going on there, with the hopes they will drop their peering contracts. Quasi Networks’ main peer, aside from Level 3 Communications, is REBA Communications B.V. and through this company they are peers with Cogent and NTT America Inc, gaining them considerable, high-bandwidth uplinks to the Internet.
We have a direct channel to the managing director of BREIN Foundation and he has forwarded all relevant communications and research Troy and I obtained in the process of conducting these separate, independent inquiries to the investigations team working on The Hague cases.
Still worth investigating is Quasi Networks’ “acquisition” of a /14 subnet of abandoned Afrinic IP address space containing 262,144 addresses: 18.104.22.168/14.
This is the end of part one of this series on Quasi Networks. Part 2 covers Quasi Networks contacting me out of the blue, discovering worse things behind their AS, opening an abuse complaint, their responses, who their biggest network peers are, bank account phishing and notifying Bank of America and the latest updates.