In Buenos Aires, Homer Simpson runs your ISP
Last month we had an issue with a multitude of unwanted connections against our mail servers from a specific netblock in Argentina. In my experience, coordinated attacks from IP addresses originating from the same netblock usually indicate an issue on the ISP side.
The offending IP addresses all had port 80/tcp open, providing visitors with an airOS login screen. Like most software, old versions of airOS suffer from severe vulnerabilities, so unsurprisingly, keeping the firmware up to date is important.
The Simpsons
I decided to perform a WHOIS search to identify the owner of the netblock and possibly raise my concerns. I’ll admit I choked hard on my coffee when I discovered that the organization in question was run by none other than Bart and Homer Simpson. Surprising, yet somehow it all made sense.
$ whois -h whois.lacnic.net AR-FESA21-LACNIC
% Copyright LACNIC lacnic.net
% The data below is provided for information purposes
% and to assist persons in obtaining information about or
% related to AS and IP numbers registrations
owner: ELDA SALERNO(FULLNET)
ownerid: AR-FESA21-LACNIC
responsible: BART SIMPSON
address: Falsa, 123, -
address: - - Springfield - ?
country: AR
phone: +54 2912914075479 [0000]
owner-c: GDF5
created: 20180802
changed: 20190105
nic-hdl: GDF5
person: Homer Simpson Fullnet
e-mail: guillermo@FULL.NET.AR
address: Falsa, 123, -
address: 8118 - Springfield - ?
country: AR
phone: +54 2914075479 [0000]
created: 20180612
changed: 20190105
aut-num: 267690
inetnum: 45.162.20/23
inetnum: 186.0.205/24
inetnum: 192.67.23/24
inetnum: 2803:81a0::/32
% whois.lacnic.net accepts only direct match queries.
% Types of queries are: POCs, ownerid, CIDR blocks, IP
% and AS numbers.
An excellent effort by the Internet Addresses Registry for Latin America and Caribbean (LACNIC) on approving membership applications. I don’t really have much else to say about this other than… D’oh!
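To check how much of a mail server's unwanted traffic falls inside the blocks listed in a WHOIS record like the one above, the abbreviated LACNIC `inetnum` values (for example `45.162.20/23`) have to be expanded before they can be matched against logged client addresses. The following is an added example, not code from the original post; it assumes Postfix-style `connect from` log lines, and the sample log entries and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# inetnum lines copied from the WHOIS response above.
WHOIS_TEXT = """\
inetnum: 45.162.20/23
inetnum: 186.0.205/24
inetnum: 192.67.23/24
inetnum: 2803:81a0::/32
"""

# Constructed Postfix-style log lines; the client addresses are made up.
SAMPLE_LOG = """\
Jan 10 03:12:01 mx1 postfix/smtpd[2211]: connect from unknown[45.162.21.17]
Jan 10 03:12:09 mx1 postfix/smtpd[2217]: connect from unknown[186.0.205.9]
Jan 10 03:12:15 mx1 postfix/smtpd[2219]: connect from unknown[198.51.100.7]
Jan 10 03:12:21 mx1 postfix/smtpd[2223]: connect from unknown[45.162.21.17]
Jan 10 03:12:30 mx1 postfix/smtpd[2226]: connect from unknown[2803:81a0:1::25]
"""

CONNECT_RE = re.compile(r"connect from \S*\[([0-9A-Fa-f:.]+)\]")

def expand_inetnum(value):
    """Expand LACNIC's abbreviated 'a.b.c/len' form into an ip_network."""
    addr, _, length = value.strip().partition("/")
    if ":" not in addr:  # IPv4: pad the omitted trailing octets with zeros
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{length}")

def parse_netblocks(whois_text):
    """Return every inetnum entry of a WHOIS response as a network object."""
    nets = []
    for line in whois_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "inetnum":
            nets.append(expand_inetnum(value))
    return nets

def count_by_netblock(log_text, nets):
    """Count logged connections per netblock; other sources are ignored."""
    counts = Counter()
    for match in CONNECT_RE.finditer(log_text):
        ip = ipaddress.ip_address(match.group(1))
        for net in nets:
            if ip in net:  # always False when IP versions differ
                counts[str(net)] += 1
    return counts
```

Calling `count_by_netblock(SAMPLE_LOG, parse_netblocks(WHOIS_TEXT))` yields per-block totals that can back up an abuse report or a temporary block rule for the affected ranges.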
Image credit: The Simpsons, Season 7, Episode 7 - “King-Size Homer”.