AFRINIC: The Saga Continues

Chris Knipe savage at savage.za.org
Wed Jan 29 15:13:46 UTC 2020


Hi James,

Just want to make this clear to NANOG as well - there's no beef here.  The
priority was to get delisted.

The beef is with AfriNIC in this case :) It's not CYMRU's fault.  The
datasets are incomplete.

--
C


On Wed, Jan 29, 2020 at 4:03 PM James Shank <jshank at cymru.com> wrote:

> Hi all,
>
> I am still looking into the history of this issue, but presently, the
> prefix Chris shared with us is not on our IPv4 BOGON list.
>
> For those wanting to see the list, it is available in plain text here:
>
> https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt
>
> I welcome input on this as I look into the history a little more.
>
> Cheers!
>
> James
>
> On 1/29/20 7:27 AM, Chris Knipe wrote:
> > Hi All,
> >
> > http://ftp.afrinic.net/stats/afrinic/delegated-afrinic-extended-20200129
> >
> > Another thing that stuck its head out today now.  No ASN, nor IP prefixes,
> > allocated since 2019/05/15 are listed in the delegated text files.  Our (and
> > I am sure others') prefixes are now null routed at team CYMRU (contacted
> > them, waiting for response).
> >
> > Yesterday's file was incomplete (looks like there were errors with the
> > script perhaps), and today's file is missing an enormous amount of data (1
> > ASN, 163 IPv4 allocations, and 272 IPv6 allocations). This is comparing the
> > data file from 2020/01/29 (today) to 2020/01/27 (two days ago).
> >
> > We also have a ticket with AfriNIC (no response yet), and when we called
> > them there was no one "available" to assist.
> >
> >
> > On Wed, Jan 29, 2020 at 1:20 AM Ronald F. Guilmette <rfg at tristatelogic.com>
> > wrote:
> >
> >> In message <ff4bd087-2a84-b9d9-6f5b-715826a35aa6 at brenac.eu>,
> >> thomas brenac <thomas at brenac.eu> wrote:
> >>
> >>> Thank you Ronald, I also heard of governance issue in AFRINIC by some
> >>> people during the last RIPE meeting so the word is spreading. Now is
> >>> there any other /16 impacted to your knowledge ? Would be worth pushing
> >>> to have them in as many Drop list as possible maybe :)
> >>
> >> As reported in Jan Vermeulen's article on the web site mybroadband.co.za
> >> published December 4, there has been, and continues to be a large number
> >> of blocks, both "legacy" blocks and other blocks, that were stolen from
> >> the Afrinic free pool.  These blocks are of varying sizes, generally /16
> >> blocks but also some larger ones as well as a few smaller ones.
> >>
> >> The list of affected legacy blocks from Jan's article are as follows:
> >>
> >> 196.10.64.0/19
> >> 196.10.61.0/24
> >> 196.10.62.0/23
> >> 160.121.0.0/16
> >> 155.235.0.0/16
> >> 152.108.0.0/16
> >> 155.237.0.0/16
> >> 169.129.0.0/16
> >> 165.25.0.0/16
> >> 160.122.0.0/16
> >> 168.80.0.0/15
> >> 165.3.0.0/16
> >> 165.4.0.0/16
> >> 165.5.0.0/16
> >> 160.115.0.0/16
> >>
> >> In addition to all of the above, I have some reason to believe that the
> >> following additional legacy block WAS (past tense) stolen, but has now
> >> been reclaimed by, and reassigned to, its rightful modern owner:
> >>
> >> 152.108.0.0/16
> >>
> >> It is highly probable that there are other and additional legacy blocks
> >> that have also been stolen.  I have been prevented from fully completing
> >> my research work on this part of the problem by ongoing stonewalling by
> >> Afrinic.  Specifically, despite Afrinic having a defined protocol whereby
> >> legitimate researchers may request confidential access to the unredacted
> >> Afrinic WHOIS data base for legitimate research purposes... a protocol
> >> and a process which is fully supported and operational at all of the other
> >> four global RIRs... Afrinic has, for reasons unknown, elected to only
> >> provide redacted versions of its WHOIS data base which are identical
> >> to what may be obtained at any time, and without any special protocol,
> >> directly from Afrinic's FTP server (via anonymous FTP).  Because the
> >> accurate identification of stolen Afrinic legacy blocks involves the
> >> careful analysis of the *unredacted* contact person: records, access to
> >> only the redacted data base is of no value whatsoever in the task of
> >> identifying stolen Afrinic legacy blocks.
> >>
> >> Here is the page on the Afrinic web site where they needlessly torment
> >> legitimate researchers into believing that they will be able to get the
> >> same kind of unredacted WHOIS data base access as is provided, upon
> >> vetting and approval, by all of the other RIRs:
> >>
> >>     https://www.afrinic.net/services/207-bulk-whois-access
> >>
> >> The list of blocks that appear to have been stolen from the Afrinic free
> >> pool, as published in Jan's Dec 4 article are as follows:
> >>
> >> "Infoplan"/"Network and Information Technology Limited":
> >> 196.16.0.0/14
> >> 196.4.36.0/22
> >> 196.4.40.0/22
> >> 196.4.44.0/23
> >>
> >> "Cape of Good Hope Bank"/"CGHB":
> >> 165.52.0.0/14
> >> 137.171.0.0/16
> >> 160.184.0.0/16
> >> 168.211.0.0/16
> >> 192.96.146.0/24  -- NOTE!!  -- 100% legitimate legacy allocation!
> >>
> >> The following additional blocks had also been stolen from the Afrinic free
> >> pool.  I had informed Jan about these blocks also, but for some reason
> >> these were not mentioned in Jan's Dec 4th article.  (I assume that this
> >> was simply a clerical oversight on Jan's part.  I had given him quite
> >> a lot of material to sort through.)
> >>
> >> "ITC":
> >> 196.194.0.0/15
> >> 196.246.0.0/16
> >> 196.45.112.0/20
> >> 196.42.128.0/17
> >> 196.193.0.0/16
> >>
> >> "Link Data Group":
> >> 160.255.0.0/16
> >> 196.62.0.0/16
> >> 198.54.232.0/24
> >> 196.207.64.0/18
> >> 196.192.192.0/18
> >> 160.181.0.0/16
> >> 213.247.0.0/19
> >>
> >> As of this moment, Afrinic has properly reclaimed all of the "ITC" and
> >> "Link Data Group" and "Cape of Good Hope Bank"/"CGHB" blocks.  Those
> >> blocks are now officially unregistered.  I am informed and believe that
> >> it is Afrinic's intent to place all of these blocks into a "quarantine"
> >> status for a minimum of 1 year, which I think is entirely proper and
> >> prudent, under the circumstances.
> >>
> >> I have no explanation for why Afrinic has not yet reclaimed any of the
> >> "Infoplan"/"Network and Information Technology Limited" blocks, especially
> >> the 196.16.0.0/14 block.  This is for me deeply troubling, as I have some
> >> reason to believe that these blocks were stolen by a party or parties,
> >> who were also Afrinic insiders, but people other than the one "insider"
> >> perpetrator of these crimes who has already been identified by myself and
> >> Jan, and who is now the subject of a police investigation in Mauritius.
> >>
> >> I am not personally aware of any action that Afrinic has taken to try to
> >> remediate the situation with regards to the stolen legacy blocks, as
> >> listed above.  These blocks all quite provably had their associated
> >> person: contact records fiddled in the WHOIS data base in a manner so
> >> as to redirect both emails and phone calls to either the perpetrators
> >> or those others to whom the perpetrators had re-sold these stolen goods.
> >>
> >> In fact, I am not even sure that Afrinic even has the capability to undo
> >> the damage in the case of these legacy blocks and their fiddled contact
> >> person: records.  Quite obviously, proper remediation of the affected
> >> person: records would involve restoring those to what they were before
> >> they had been fraudulently fiddled.  Completion of that task is quite
> >> obviously dependent upon Afrinic having access to historical backups of
> >> its own WHOIS data base from as much as ten years ago.  It is not at this
> >> moment clear to me that Afrinic is even in possession of such historical
> >> backups, and the fact that they have, as yet, made no apparent efforts to
> >> remediate the fraudulently fiddled person: records suggests to me that they
> >> likely do not possess such backups.
> >>
> >> Many of the legacy blocks and many parts of the blocks that were stolen
> >> from the Afrinic free pool, both those that have been reclaimed and those
> >> that haven't yet been reclaimed, continue to be routed by various parties
> >> on behalf of the thieves and black market buyers of these blocks even as
> >> we speak.  I hope to be able to post a full list of those routes and the
> >> relevant ASNs that are providing the ongoing routing for various parts of
> >> this mass of stolen booty in the very near future.
> >>
> >>
> >> Regards,
> >> rfg
> >>
> >
> >
>
> --
> James Shank
> Senior Security Evangelist; Chief Architect, Community Services
> Team Cymru, Inc.
> jshank at cymru.com; +1-847-378-3365; http://www.team-cymru.com/
>


-- 

Regards,
Chris Knipe
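The comparison Chris describes above (two dated delegated-extended files diffed for allocations that vanished) as an added Python example, not code from anyone in this thread; it assumes the standard RIR delegated-extended record layout, the two snapshots are constructed samples rather than real AFRINIC data, and all function names are mine.

```python
"""Diff two RIR delegated-extended snapshots for allocations that vanished.
Records: registry|cc|type|start|value|date|status|opaque-id ('value' is a
host count for ipv4, a prefix length for ipv6, an AS count for asn)."""
import ipaddress
from collections import Counter
# Constructed sample snapshots (not real AFRINIC data): the newer file lacks
# one ASN, one IPv4 and one IPv6 record that the older file still carried.
OLD_SNAPSHOT = """\
2|afrinic|20200127|5|19850101|20200127|+0000
afrinic|*|ipv4|*|2|summary
afrinic|ZA|asn|37100|1|20190601|allocated|F001
afrinic|ZA|asn|37101|1|20191001|allocated|F002
afrinic|ZA|ipv4|196.0.0.0|1536|20190701|allocated|F003
afrinic|KE|ipv4|197.0.0.0|256|20180101|assigned|F004
afrinic|ZA|ipv6|2c0f:f000::|32|20190801|allocated|F003
"""
NEW_SNAPSHOT = """\
2|afrinic|20200129|2|19850101|20200129|+0000
afrinic|ZA|asn|37100|1|20190601|allocated|F001
afrinic|KE|ipv4|197.0.0.0|256|20180101|assigned|F004
"""

def parse(text):
    """Return {(type, start, value): fields} for every allocation record.
    Version header, summary and comment lines have fewer than 8 fields."""
    records = {}
    for line in text.splitlines():
        f = line.split("|")
        if len(f) >= 8 and f[2] in ("asn", "ipv4", "ipv6"):
            records[(f[2], f[3], f[4])] = f
    return records

def to_cidrs(rtype, start, value):
    """Render a record as CIDR strings (an ASN range as 'ASnnnn' entries)."""
    if rtype == "asn":
        return ["AS%d" % n for n in range(int(start), int(start) + int(value))]
    if rtype == "ipv6":
        return [str(ipaddress.ip_network("%s/%s" % (start, value)))]
    first = ipaddress.ip_address(start)  # ipv4: start address plus host count
    last = first + int(value) - 1
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]

def missing_from(old_text, new_text):
    """Records the older snapshot lists that the newer one no longer does."""
    old, new = parse(old_text), parse(new_text)
    return {k: v for k, v in old.items() if k not in new}

def missing_counts(old_text, new_text):
    """Per-type tally of vanished records, e.g. {'asn': 1, 'ipv4': 1, 'ipv6': 1}."""
    return dict(Counter(k[0] for k in missing_from(old_text, new_text)))
```

Running `missing_from` over two real daily files from the ftp.afrinic.net stats directory gives the per-record list behind the "1 ASN, 163 IPv4, 272 IPv6" style totals, with `to_cidrs` turning each ipv4 start/count pair into the prefixes to check against a bogon feed.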