AFRINIC: The Saga Continues

Chris Knipe savage at savage.za.org
Wed Jan 29 12:27:59 UTC 2020


Hi All,

http://ftp.afrinic.net/stats/afrinic/delegated-afrinic-extended-20200129

Another thing that stuck its head out today now.  No ASN, nor IP prefixes
allocated since 2019/05/15 are listed in the delegated text files.  Our (and
I am sure others') prefixes are now null-routed at Team Cymru (contacted
them, waiting for response).

Yesterday's file was incomplete (looks like there were errors with the
script perhaps), and today's file is missing an enormous amount of data (1
ASN, 163 IPv4 allocations, and 272 IPv6 allocations). This is comparing the
data file from 2020/01/29 (today) to 2020/01/27 (two days ago).

We also have a ticket with AfriNIC (no response yet), and when we called
them there was no one "available" to assist.


On Wed, Jan 29, 2020 at 1:20 AM Ronald F. Guilmette <rfg at tristatelogic.com>
wrote:

> In message <ff4bd087-2a84-b9d9-6f5b-715826a35aa6 at brenac.eu>,
> thomas brenac <thomas at brenac.eu> wrote:
>
> >Thank you Ronald, I also heard of governance issue in AFRINIC by some
> >people during the last RIPE meeting so the word is spreading. Now is
> >there any other /16 impacted to your knowledge ? Would be worth pushing
> >to have them in as many Drop list as possible maybe :)
>
> As reported in Jan Vermeulen's article on the web site mybroadband.co.za
> published December 4, there has been, and continues to be a large number
> of blocks, both "legacy" blocks and other blocks, that were stolen from
> the Afrinic free pool.  These blocks are of varying sizes, generally /16
> blocks but also some larger ones as well as a few smaller ones.
>
> The list of affected legacy blocks from Jan's article is as follows:
>
>
> In addition to all of the above, I have some reason to believe that the
> following additional legacy block WAS (past tense) stolen, but has now
> been reclaimed by, and reassigned to its rightful modern owner:
>
> 152.108.0.0/16
>
> It is highly probable that there are other and additional legacy blocks
> that have also been stolen.  I have been prevented from fully completing
> my research work on this part of the problem by ongoing stonewalling by
> Afrinic.  Specifically, despite Afrinic having a defined protocol whereby
> legitimate researchers may request confidential access to the unredacted
> Afrinic WHOIS data base for legitimate research purposes... a protocol
> and a process which is fully supported and operational at all of the other
> four global RIRs... Afrinic has, for reasons unknown, elected to only
> provide redacted versions of its WHOIS data base which are identical
> to what may be obtained at any time, and without any special protocol,
> directly from Afrinic's FTP server (via anonymous FTP).  Because the
> accurate identification of stolen Afrinic legacy blocks involves the
> careful analysis of the *unredacted* contact person: records, access to
> only the redacted data base is of no value whatsoever in the task of
> identifying stolen Afrinic legacy blocks.
>
> Here is the page on the Afrinic web site where they needlessly torment
> legitimate researchers into believing that they will be able to get the
> same kind of unredacted WHOIS data base access as is provided, upon
> vetting and approval, by all of the other RIRs:
>
>     https://www.afrinic.net/services/207-bulk-whois-access
>
> The list of blocks that appear to have been stolen from the Afrinic free
> pool, as published in Jan's Dec 4 article are as follows:
>
> "Infoplan"/"Network and Information Technology Limited":
> 196.16.0.0/14
> 196.4.36.0/22
> 196.4.40.0/22
> 196.4.44.0/23
>
> "Cape of Good Hope Bank"/"CGHB":
> 165.52.0.0/14
> 137.171.0.0/16
> 160.184.0.0/16
> 168.211.0.0/16
> 192.96.146.0/24  -- NOTE!!  -- 100% legitimate legacy allocation!
>
> The following additional blocks had also been stolen from the Afrinic free
> pool.  I had informed Jan about these blocks also, but for some reason
> these were not mentioned in Jan's Dec 4th article.  (I assume that this
> was simply a clerical oversight on Jan's part.  I had given him quite
> a lot of material to sort through.)
>
> "ITC":
> 196.194.0.0/15
> 196.246.0.0/16
> 196.45.112.0/20
> 196.42.128.0/17
> 196.193.0.0/16
>
> "Link Data Group":
> 160.255.0.0/16
> 196.62.0.0/16
> 198.54.232.0/24
> 196.207.64.0/18
> 196.192.192.0/18
> 160.181.0.0/16
> 213.247.0.0/19
>
> As of this moment, Afrinic has properly reclaimed all of the "ITC" and
> "Link Data Group" and "Cape of Good Hope Bank"/"CGHB" blocks.  Those
> blocks are now officially unregistered.  I am informed and believe that
> it is Afrinic's intent to place all of these blocks into a "quarantine"
> status for a minimum of 1 year, which I think is entirely proper and
> prudent, under the circumstances.
>
> I have no explanation for why Afrinic has not yet reclaimed any of the
> "Infoplan"/"Network and Information Technology Limited" blocks, especially
> the 196.16.0.0/14 block.  This is for me deeply troubling, as I have some
> reason to believe that these blocks were stolen by a party or parties,
> who were also Afrinic insiders, but people other than the one "insider"
> perpetrator of these crimes who has already been identified by myself and
> Jan, and who is now the subject of a police investigation in Mauritius.
>
> I am not personally aware of any action that Afrinic has taken to try to
> remediate the situation with regards to the stolen legacy blocks, as
> listed above.  These blocks all quite provably had their associated
> person: contact records fiddled in the WHOIS data base in a manner so
> as to redirect both emails and phone calls to either the perpetrators
> or those others to whom the perpetrators had re-sold these stolen goods.
>
> In fact, I am not even sure that Afrinic even has the capability to undo
> the damage in the case of these legacy blocks and their fiddled contact
> person: records.  Quite obviously, proper remediation of the affected
> person: records would involve restoring those to what they were before
> they had been fraudulently fiddled.  Completion of that task is quite
> obviously dependent upon Afrinic having access to historical backups of
> its own WHOIS data base from as much as ten years ago.  It is not at this
> moment clear to me that Afrinic is even in possession of such historical
> backups, and the fact that they have, as yet, made no apparent efforts to
> remediate the fraudulently fiddled person: records suggests to me that they
> likely do not possess such backups.
>
> Many of the legacy blocks and many parts of the blocks that were stolen
> from the Afrinic free pool, both those that have been reclaimed and those
> that haven't yet been reclaimed, continue to be routed by various parties
> on behalf of the thieves and black market buyers of these blocks even as
> we speak.  I hope to be able to post a full list of those routes and the
> relevant ASNs that are providing the ongoing routing for various parts of
> this mass of stolen booty in the very near future.
>
>
> Regards,
> rfg
>


-- 

Regards,
Chris Knipe
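The day-to-day comparison of delegated-extended files that Chris describes, as an added example that is not from the original post or from AFRINIC: it parses the delegated-extended record format (registry|cc|type|start|value|date|status|opaque-id) and reports live allocations present in an older snapshot but absent from a newer one. The two snapshots, the ASN, prefixes and opaque-ids in them are constructed.

```python
from collections import namedtuple

# One delegated-extended record: registry|cc|type|start|value|date|status|opaque-id
Record = namedtuple("Record", "registry cc type start value date status opaque_id")
TYPES = ("asn", "ipv4", "ipv6")

def parse_delegated(text):
    """Map (type, start, value) -> Record; skip comments, version header, summaries."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        # version header has a serial in field 3; summary lines say so in field 6
        if len(fields) < 7 or fields[2] not in TYPES or fields[5] == "summary":
            continue
        fields = (fields + [""])[:8]          # opaque-id is optional
        rec = Record(*fields)
        records[(rec.type, rec.start, rec.value)] = rec
    return records

def missing_allocations(old_text, new_text):
    """Live entries in the older snapshot that vanished from the newer one, by type."""
    old, new = parse_delegated(old_text), parse_delegated(new_text)
    gone = {t: [] for t in TYPES}
    for key, rec in old.items():
        if key not in new and rec.status in ("allocated", "assigned"):
            gone[rec.type].append(rec)
    return gone

# Constructed snapshots: documentation ASN/prefixes and placeholder opaque-ids.
OLD = """\
2|afrinic|20200127|5|20050101|20200127|00000
afrinic|*|asn|*|1|summary
afrinic|*|ipv4|*|2|summary
afrinic|*|ipv6|*|2|summary
afrinic|ZA|asn|64496|1|20190601|allocated|ORG-PLACEHOLDER-1
afrinic|ZA|ipv4|192.0.2.0|256|20190520|allocated|ORG-PLACEHOLDER-1
afrinic|MU|ipv4|198.51.100.0|256|20180110|assigned|ORG-PLACEHOLDER-2
afrinic|ZA|ipv6|2001:db8::|32|20190701|allocated|ORG-PLACEHOLDER-1
afrinic|KE|ipv6|2001:db8:1::|48|20180201|assigned|ORG-PLACEHOLDER-3
"""
# NEW is OLD with every record of one holder dropped, mimicking a truncated export.
NEW = "\n".join(l for l in OLD.splitlines() if "ORG-PLACEHOLDER-1" not in l)

if __name__ == "__main__":
    for t, recs in missing_allocations(OLD, NEW).items():
        for r in recs:
            print(f"missing {t}: {r.start}/{r.value} ({r.status} {r.date})")
```

Running this against two real daily files from ftp.afrinic.net gives the per-type counts of disappeared entries that a ticket to the RIR or a route-filter operator would need.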