This is part two of an ongoing series detailing my investigation of the service providers behind Anon-IB, a revenge-porn site where men post sexually explicit images of local women and underage teens in threads organized by state, county and city, often including personal details of the victims. I also detail malicious cyber activity being allowed by these same providers and make an effort to bring their complicity to the attention of relevant parties. Part one can be found here.
Quasi Networks Reaches Out
Early last week I published part one of this ongoing saga of disgust and corporate apathy, but what happened a few weeks prior to that is what accelerated my interest in Quasi Networks and resolved me to eventually just call them out publicly.
On October 3, their ‘abuse team’ (which appears to be just one guy) contacted me, seemingly at random, saying they understood I had some complaints about one of their clients and to contact them and they would look into it. The odd part is that I had not contacted them previously from this email account and their reaching out to me was essentially unsolicited and not specific to any complaint I had sent them.
I had recently posted publicly on Twitter to Troy of the Bad Packets Report asking if he had followed up with Novogara, Ltd., the organization that assigned a block of IP addresses used by Quasi Networks which are implicated in the aforementioned abuses.
This contact is the only thing I can imagine that would have prompted Quasi’s abuse person to ‘proactively’ reach out to me just two days later.
In short order, Quasi Networks goes from being virtually unreachable to reaching out to me before I even open a complaint. I found this behavior more than a little odd, because it’s far beyond the norm and implies that, despite their apparent lack of concern for abuse inquiries, they have no problem going out of their way to monitor people on Twitter and that Troy and I had earned their attention.
I forwarded the email to Troy to let him know they reached out to me after our conversation on Twitter and decided to do some follow-up research on Quasi Networks and Novogara.
I was primarily interested in whom they were peering with upstream and whether anyone from those organizations was aware of the content and activities going on behind AS29073. The main thought here being, if one can convince their peers to drop them, it could essentially put their AS on its own island of misfit hosts and isolate or reduce their impact to some extent.
This might be a naive or quixotic notion but it does not require a significant time or energy investment to try and, at present, appears to be the only available course of action to me.
BGP Peering investigation
Luckily, routing information is available from a variety of places and most people I know use Hurricane Electric’s BGP Toolkit. From here, we can see which upstream routers the bulk of traffic to and from Quasi Networks is going through, which organizations are responsible for those routers, and what percentage of its total traffic Quasi Networks distributes to each of these peers.
As shown here, AS3356 is managed by Level 3 Communications Inc. [NYSE: LTLV] and is handling approximately 56% of AS29073 aka Quasi Networks’ load. In second place is AS56611, REBA Communications BV, handling 15% of the load. As I mentioned in part one of this series, REBA Communications is run by the same people that ran Ecatel and that run Novogara and DataOne Datacenter.
At the time of this writing the BGP Toolkit has 102 peers listed for Quasi Networks’ AS and shows they are the origin of 29 different IPv4 address prefixes consisting of 278,272 individual IP addresses:
The first two are registered in Russia, the next 19 are registered in the Netherlands, 18.104.22.168/22 LIBERTY is registered in Russia, 22.214.171.124/23 ACASIA SERVICES is registered in the Netherlands, 126.96.36.199/14 is registered in Seychelles and the NET-STYLE-DEVELOPMENT-LTD prefixes are all registered in Israel.
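To show how the peering picture above can be reproduced from raw route data rather than a web tool, here is an added example (not code from the original post) that approximates upstream share by counting, for each observed AS path, the AS adjacent to the origin, and sums the address space of the prefixes the origin announces. The route records and neighbouring ASNs other than AS29073, AS3356 and AS56611 are constructed placeholders using documentation prefixes, not real routing data.

```python
import ipaddress
from collections import Counter

# Constructed sample in route-collector style: "<prefix> <as_path...>".
# 64500-64505 are private-use ASNs used here as placeholders; the
# prefixes are RFC 5737 documentation ranges, not real announcements.
SAMPLE_ROUTES = """
203.0.113.0/24 64500 3356 29073
203.0.113.0/24 64501 3356 29073
203.0.113.0/24 64502 56611 29073
198.51.100.0/23 64500 3356 29073
198.51.100.0/23 64503 56611 29073
192.0.2.0/24 64500 3356 29073
192.0.2.0/24 64504 64505 29073
192.0.2.0/24 64500 3356 29073 29073
"""

def parse_routes(text):
    """Return a list of (ip_network, [asn, ...]) tuples from the text form."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        prefix, path = parts[0], [int(asn) for asn in parts[1:]]
        routes.append((ipaddress.ip_network(prefix, strict=False), path))
    return routes

def upstream_share(routes, origin):
    """Percentage of observed paths per upstream, i.e. the AS directly before
    the origin in each path. AS-path prepending (repeated ASNs) is collapsed
    so a prepended announcement does not look like a different upstream."""
    counts = Counter()
    for _, path in routes:
        dedup = [a for i, a in enumerate(path) if i == 0 or a != path[i - 1]]
        if len(dedup) < 2 or dedup[-1] != origin:
            continue  # not originated by the AS we are investigating
        counts[dedup[-2]] += 1
    total = sum(counts.values())
    return {asn: round(100 * n / total, 1) for asn, n in counts.most_common()}

def originated_prefixes(routes, origin):
    """Unique prefixes the origin announces and how many addresses they cover."""
    prefixes = {net for net, path in routes if path[-1] == origin}
    return sorted(prefixes), sum(net.num_addresses for net in prefixes)

if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    print(upstream_share(routes, 29073))
    print(originated_prefixes(routes, 29073))
```

With real data, the same functions can be fed the RIB dump of a public route collector; the shares will differ from the BGP Toolkit's figures because the toolkit weights by its own collectors' views.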
I am aware Level 3 is a generally responsible and respectable organization but, as a tier 1 network, they are also gigantic, so I assume they are not aware of the small maze of shell companies behind AS29073 and the type of content and activities they harbor beyond their routers.
That being said, they are handling over half of the load of those activities, so at some point I feel they hold some level of responsibility for taking action when a bad actor has been clearly identified and been made known to them. This is particularly the case if they are profiting from a peering agreement with that entity.
Level 3: Peers of Child Pornography
This led to my searching online to see if I could find any mention of Quasi Networks, or entities related to it, alongside Level 3. The most interesting result was a thread from the North American Network Operators Group, or NANOG, mailing list.
In the thread, Ronald Guilmette of Tristate Logic mentions that, via passive DNS, he found a number of troubling things:
“domain names themselves [which] are certainly strongly suggestive of (a) the possible hosting of child porn and also and separately (b) the possible hosting of phishing sites.”
A cursory review of the domains in question leads me to the same conclusion. Without getting into specifics, more than 20 domains included terms such as “preteen”, “angels”, “nude”, and “video”. The rest of the domains attempt to mimic the domains of financial corporations such as Bank of America, Wells Fargo and Barclays as well as mobile carrier Verizon Wireless.
In reviewing some of the apparent phishing domains, many of the sites appeared to be hacked WordPress instances, which is consistent with the outbound WordPress vulnerability scanning I had previously observed being performed by hosts behind Quasi Networks’ AS (hosts which Quasi Networks have since told me are owned by Group-IB, a Russian cyber-security firm; more on that later).
A troubling aspect was a response on that NANOG thread from a presumed Level 3 employee named David Siegel:
“If you believe that a customer of a network service provider is in violation of that service providers AUP, you should email abuse [at] serviceprovider [dot] net. Most large networks have a security team that monitors that email address regularly and will cooperate with you to address the problem.”
The troubling part is the boilerplate reaction from Dave and his casual passage of the buck. Sure, this is how the system is supposed to work, but Ecatel (the ‘who’ before Quasi Networks and Novogara) and Quasi Networks have a documented history of doing nothing with these complaints and instead of cooperation, they argue with people, if they bother replying at all: a point that was also brought up by Troy in his response.
Either way, that response from Level 3 is not satisfactory in this circumstance and the tiniest amount of follow-up by them would have shown as much. Dave and Level 3 might disagree, but that is corporate apathy for you.
Notifying Bank of America
Surprisingly, Bank of America is taking a hands-on approach in an effort to protect their customers’ information. I reached out to a member of their Global Information Security division and reported the specific IP addresses and hostnames that were reported in the NANOG mailing list. I was told that their cyber-response team was not previously aware of the threat and that they would be opening an investigation and working to mitigate risks to themselves and their customers.
Quasi Networks Responds
Since Level 3 took the position they did, I decided to follow up on Quasi Networks’ abuse request from a week or so prior. I figured I would report the worst of the worst domains and host IPs and let their response be a litmus test for how much I should expect them to do about any further complaints.
I reported all of the child porn domains and IP addresses to them along with the IP address of a specific host that had been causing denial-of-service on a web server I was managing by performing multiple threads of WordPress vulnerability probes beyond the server’s capacity.
So, up to this point, they completely dodged the child porn issue and have told me the malicious activity coming from their network is actually a “white-hat” security auditing firm named Group-IB in Russia. There are two problems here: the first is their digression about how they are not the judges of content hosted on their network, combined with their non-response to my specific report; the second is their “white-hat” response regarding the malicious host.
White hat security auditors get express permission, generally in writing, from the owner of a system before they perform a vulnerability analysis. Having consent is one of the defining characteristics of a “white hat.” Notwithstanding that, whether they are a white hat firm or not, their behavior of performing massive amounts of outbound vulnerability probes without authorization is still malicious behavior and should be handled as such, as I explain in my response.
I also make a point to mention that Quasi Networks is absolutely allowed to judge the content being hosted in their address space and that no one is forcing them to take money from a client hosting such content, particularly if they themselves find the content disgusting. Essentially, they do not need the police to tell them content is child porn for them to take action when a reasonable person would find the content grossly obscene.
This response to their apparent inaction prompted an obviously frustrated response from their abuse person:
I agree the scanner should have some opt-out form. Many scanners using our service do have that. You dont need to tell us you contact the company I provided information about, if you have so much time, do whatever you want. It is your life, you are free to do whatever you want. If we would care we wouldn’t have provided you this informations. [sic]
It is nice to know I have their permission to do as I please. This seemed a little overly hostile. He then quotes my paragraph about the underage content and the fact they can choose to take it down if they want to:
We are not a service provider, we are a network provider. And It is even illegal to watch CP,also for us. So as said before. If you report CP we dont even look, because that is by the law already illegal. We just forward to the authorities and THEY judge. If they say it is illegal demand the reseller to remove the content, if no action within 24 hours the ip gets blackholed. There is nothing wrong with this behaviour, we dont sit on the seat of the court and anyone could only respect this. laws are laws. And we dont make our own laws. [sic]
He goes on to say:
What is legal by the law is allowed by us, what is illegal is not allowed by us. As said before; All CP websites which are reported are forwarded to law enforcement, We have excellent co-operations with all law enforcements worldwide, we even have a special department for law enforcement. They get back to us if something is CP by the law..
I have the feeling you already step into this on a negative way, and are only looking for things to judge us badly maybe because you heard some bad things from a friend or whatever. But if you do not know who you are dealing with.. dont judge please. And step into it a positive way instead of immediately negative. If I am wrong, we haven’t said the above. [sic]
Here is a screenshot of the remaining text of his reply:
After this, I did not bother following up with them. To me, it seems clear they are intentionally evading direct questions and at the time of this writing the sites in question are still active and the malicious host is still up. They ask me to tell them what I think is illegal after I already provided a list of domains and IPs that are clearly hosting what I believe to be illegal content and accuse me of being argumentative.
This is the level of cooperation and action we get when we contact the service provider. I am looking at you, “Dave Siegel from Level 3”.