In Buenos Aires, Homer Simpson runs your ISP
Last month we had an issue with a multitude of unwanted connections against our mail servers from a specific netblock in Argentina. In my experience, coordinated attacks from IP addresses originating from the same netblock usually indicate an issue on the ISP side.
The offending IP addresses all had port 80/tcp open, providing visitors with an airOS login screen. Like most software, old versions of airOS suffer from severe vulnerabilities, so unsurprisingly, keeping the firmware up to date is important.
I decided to perform a WHOIS search to identify the owner of the netblock and possibly raise my concerns. I’ll admit I choked hard on my coffee when I discovered that the organization in question was run by none other than Bart and Homer Simpson. Surprising, but yet somehow it all made sense.
$ whois -h whois.lacnic.net AR-FESA21-LACNIC
% Copyright LACNIC lacnic.net
% The data below is provided for information purposes
% and to assist persons in obtaining information about or
% related to AS and IP numbers registrations

owner: ELDA SALERNO(FULLNET)
ownerid: AR-FESA21-LACNIC
responsible: BART SIMPSON
address: Falsa, 123, -
address: - - Springfield - ?
country: AR
phone: +54 2912914075479
owner-c: GDF5
created: 20180802
changed: 20190105

nic-hdl: GDF5
person: Homer Simpson Fullnet
e-mail: guillermo@FULL.NET.AR
address: Falsa, 123, -
address: 8118 - Springfield - ?
country: AR
phone: +54 2914075479
created: 20180612
changed: 20190105

aut-num: 267690
inetnum: 45.162.20/23
inetnum: 186.0.205/24
inetnum: 192.67.23/24
inetnum: 2803:81a0::/32

% whois.lacnic.net accepts only direct match queries.
% Types of queries are: POCs, ownerid, CIDR blocks, IP
% and AS numbers.
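To check how much of a mail server's unwanted traffic falls inside the blocks listed in that response, the inetnum values first have to be expanded, because LACNIC prints IPv4 prefixes with the trailing zero octets omitted. The following is an added example, not part of the original post; the function names are hypothetical and the source addresses are constructed sample data.

```python
import ipaddress
from collections import Counter

# inetnum values exactly as printed in the WHOIS response above
LACNIC_INETNUMS = ["45.162.20/23", "186.0.205/24", "192.67.23/24", "2803:81a0::/32"]

# Constructed sample of connection sources, as they might be pulled from a mail log
SAMPLE_SOURCES = ["45.162.20.10", "45.162.21.200", "45.162.22.1", "186.0.205.7",
                  "2803:81a0::25", "198.51.100.4", "not-an-ip"]


def parse_inetnum(value):
    """Expand LACNIC's shortened IPv4 form (trailing zero octets omitted)."""
    addr, _, plen = value.partition("/")
    if ":" not in addr:  # IPv6 prefixes are already in standard notation
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
    # strict=True rejects a prefix whose host bits are set, e.g. a typo in the list
    return ipaddress.ip_network(f"{addr}/{plen}", strict=True)


def count_by_block(source_ips, inetnums=LACNIC_INETNUMS):
    """Count connections per registered block; everything else goes to 'other'."""
    blocks = [parse_inetnum(v) for v in inetnums]
    counts = Counter()
    for ip in source_ips:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            counts["invalid"] += 1  # malformed log field, keep it visible
            continue
        match = next((b for b in blocks
                      if b.version == addr.version and addr in b), None)
        counts[str(match) if match else "other"] += 1
    return counts


if __name__ == "__main__":
    for block, hits in count_by_block(SAMPLE_SOURCES).most_common():
        print(f"{hits:4d}  {block}")
```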
An excellent effort by the Internet Addresses Registry for Latin America and Caribbean (LACNIC) on approving membership applications. I don’t really have much else to say about this other than… D’oh!
Image credit: The Simpsons, Season 7, Episode 7 - “King-Size Homer”.