AFRINIC: The Saga Continues
savage at savage.za.org
Wed Jan 29 15:13:46 UTC 2020
Just want to make this clear to NANOG as well - there's no beef here. The
priority was to get delisted.
The beef is with AfriNIC in this case :) It's not CYMRU's fault. The
datasets are incomplete.
On Wed, Jan 29, 2020 at 4:03 PM James Shank <jshank at cymru.com> wrote:
> Hi all,
> I am still looking into the history of this issue, but presently, the
> prefix Chris shared with us is not on our IPv4 BOGON list.
> For those wanting to see the list, it is available in plain text here:
> I welcome input on this as I look into the history a little more.
> On 1/29/20 7:27 AM, Chris Knipe wrote:
> > Hi All,
> > http://ftp.afrinic.net/stats/afrinic/delegated-afrinic-extended-20200129
> > Another thing that stuck its head out today. No ASN, nor IP,
> > allocated since 2019/05/15 is listed in the delegated text files. Our
> > (and I am sure others') prefixes are now null routed at Team CYMRU (contacted
> > them, waiting for response).
> > Yesterday's file was incomplete (looks like there were errors with the
> > script perhaps), and today's file is missing an enormous amount of data
> > ASN, 163 IPv4 allocations, and 272 IPv6 allocations). This is comparing
> > data file from 2020/01/29 (today) to 2020/01/27 (two days ago).
> > We also have a ticket with AfriNIC (no response yet), and when we called
> > them there was no one "available" to assist.
> > On Wed, Jan 29, 2020 at 1:20 AM Ronald F. Guilmette <rfg at tristatelogic.com> wrote:
> >> In message <ff4bd087-2a84-b9d9-6f5b-715826a35aa6 at brenac.eu>,
> >> thomas brenac <thomas at brenac.eu> wrote:
> >>> Thank you Ronald, I also heard of governance issue in AFRINIC by some
> >>> people during the last RIPE meeting so the word is spreading. Now is
> >>> there any other /16 impacted to your knowledge ? Would be worth pushing
> >>> to have them in as many Drop list as possible maybe :)
> >> As reported in Jan Vermeulen's article on the web site
> >> published December 4, there has been, and continues to be a large number
> >> of blocks, both "legacy" blocks and other blocks, that were stolen from
> >> the Afrinic free pool. These blocks are of varying sizes, generally /16
> >> blocks but also some larger ones as well as a few smaller ones.
> >> The list of affected legacy blocks from Jan's article are as follows:
> >> In addition to all of the above, I have some reason to believe that the
> >> following additional legacy block WAS (past tense) stolen, but has now
> >> been reclaimed by, and reassigned to, its rightful modern owner:
> >> 18.104.22.168/16
> >> It is highly probable that there are other and additional legacy blocks
> >> that have also been stolen. I have been prevented from fully completing
> >> my research work on this part of the problem by ongoing stonewalling by
> >> Afrinic. Specifically, despite Afrinic having a defined protocol whereby
> >> legitimate researchers may request confidential access to the unredacted
> >> Afrinic WHOIS data base for legitimate research purposes... a protocol
> >> and a process which is fully supported and operational at all of the
> >> four global RIRs... Afrinic has, for reasons unknown, elected to only
> >> provide redacted versions of its WHOIS data base which are identical
> >> to what may be obtained at any time, and without any special protocol,
> >> directly from Afrinic's FTP server (via anonymous FTP). Because the
> >> accurate identification of stolen Afrinic legacy blocks involves the
> >> careful analysis of the *unredacted* contact person: records, access to
> >> only the redacted data base is of no value whatsoever in the task of
> >> identifying stolen Afrinic legacy blocks.
> >> Here is the page on the Afrinic web site where they needlessly torment
> >> legitimate researchers into believing that they will be able to get the
> >> same kind of unredacted WHOIS data base access as is provided, upon
> >> vetting and approval, by all of the other RIRs:
> >> https://www.afrinic.net/services/207-bulk-whois-access
> >> The list of blocks that appear to have been stolen from the Afrinic free
> >> pool, as published in Jan's Dec 4 article are as follows:
> >> "Infoplan"/"Network and Information Technology Limited":
> >> 22.214.171.124/14
> >> 126.96.36.199/22
> >> 188.8.131.52/22
> >> 184.108.40.206/23
> >> "Cape of Good Hope Bank"/"CGHB":
> >> 220.127.116.11/14
> >> 18.104.22.168/16
> >> 22.214.171.124/16
> >> 126.96.36.199/16
> >> 188.8.131.52/24 -- NOTE!! -- 100% legitimate legacy allocation!
> >> The following additional blocks had also been stolen from the Afrinic
> >> pool. I had informed Jan about these blocks also, but for some reason
> >> these were not mentioned in Jan's Dec 4th article. (I assume that this
> >> was simply a clerical oversight on Jan's part. I had given him quite
> >> a lot of material to sort through.)
> >> "ITC":
> >> "Link Data Group":
> >> As of this moment, Afrinic has properly reclaimed all of the "ITC" and
> >> "Link Data Group" and "Cape of Good Hope Bank"/"CGHB" blocks. Those
> >> blocks are now officially unregistered. I am informed and believe that
> >> it is Afrinic's intent to place all of these blocks into a "quarantine"
> >> status for a minimum of 1 year, which I think is entirely proper and
> >> prudent, under the circumstances.
> >> I have no explanation for why Afrinic has not yet reclaimed any of the
> >> "Infoplan"/"Network and Information Technology Limited" blocks,
> >> the 184.108.40.206/14 block. This is for me deeply troubling, as I have
> >> reason to believe that these blocks were stolen by a party or parties,
> >> who were also Afrinic insiders, but people other than the one "insider"
> >> perpetrator of these crimes who has already been identified by myself and
> >> Jan, and who is now the subject of a police investigation in Mauritius.
> >> I am not personally aware of any action that Afrinic has taken to try to
> >> remediate the situation with regards to the stolen legacy blocks, as
> >> listed above. These blocks all quite provably had their associated
> >> person: contact records fiddled in the WHOIS data base in a manner so
> >> as to redirect both emails and phone calls to either the perpetrators
> >> or those others to whom the perpetrators had re-sold these stolen goods.
> >> In fact, I am not even sure that Afrinic even has the capability to undo
> >> the damage in the case of these legacy blocks and their fiddled contact
> >> person: records. Quite obviously, proper remediation of the affected
> >> person: records would involve restoring those to what they were before
> >> they had been fraudulently fiddled. Completion of that task is quite
> >> obviously dependent upon Afrinic having access to historical backups of
> >> its own WHOIS data base from as much as ten years ago. It is not at the
> >> moment clear to me that Afrinic is even in possession of such historical
> >> backups, and the fact that they have, as yet, made no apparent efforts to
> >> remediate the fraudulently fiddled person: records suggests to me that they
> >> likely do not possess such backups.
> >> Many of the legacy blocks and many parts of the blocks that were stolen
> >> from the Afrinic free pool, both those that have been reclaimed and those
> >> that haven't yet been reclaimed, continue to be routed by various
> >> on behalf of the thieves and black market buyers of these blocks even as
> >> we speak. I hope to be able to post a full list of those routes and the
> >> relevant ASNs that are providing the ongoing routing for various parts of
> >> this mass of stolen booty in the very near future.
> >> Regards,
> >> rfg
> James Shank
> Senior Security Evangelist; Chief Architect, Community Services
> Team Cymru, Inc.
> jshank at cymru.com; +1-847-378-3365; http://www.team-cymru.com/
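The two-day comparison of delegated files that Chris describes, written out as an added example (not code from the thread, AFRINIC or Team Cymru): it parses two snapshots in the standard RIR delegated-extended format (registry|cc|type|start|value|date|status|opaque-id) and reports the records that were present in the earlier file but are gone from the later one. Both snapshot contents below are constructed, with made-up addresses and opaque ids.

```python
"""Diff two RIR delegated-extended snapshots to find allocations that vanished."""
from typing import Dict, List, Tuple

# Constructed sample snapshots (not real AFRINIC data). Line 1 is the version
# header, "summary" lines are totals, the rest are resource records.
OLDER = """\
2|afrinic|20200127|4|00000000|20200127|00:00:00
afrinic|*|asn|*|2|summary
afrinic|*|ipv4|*|2|summary
afrinic|ZA|asn|65550|1|20190601|allocated|F36C1A2B
afrinic|ZA|asn|65551|1|20180301|allocated|A1B2C3D4
afrinic|ZA|ipv4|203.0.113.0|256|20190520|allocated|F36C1A2B
afrinic|MU|ipv4|198.51.100.0|512|20170101|assigned|A1B2C3D4
"""
NEWER = """\
2|afrinic|20200129|2|00000000|20200129|00:00:00
afrinic|ZA|asn|65551|1|20180301|allocated|A1B2C3D4
afrinic|MU|ipv4|198.51.100.0|512|20170101|assigned|A1B2C3D4
"""

Key = Tuple[str, str, str]  # (type, start, value) identifies one resource record
RESOURCE_TYPES = ("asn", "ipv4", "ipv6")


def parse_delegated(text: str) -> Dict[Key, dict]:
    """Return resource records keyed by (type, start, value); header, summary
    and comment lines are skipped, so only real delegations are compared."""
    records: Dict[Key, dict] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("|")
        if len(f) < 7 or f[2] not in RESOURCE_TYPES or f[1] == "*":
            continue  # version line or summary line
        records[(f[2], f[3], f[4])] = {"cc": f[1], "date": f[5], "status": f[6]}
    return records


def missing_records(older: str, newer: str) -> List[Tuple[Key, dict]]:
    """Records in the older snapshot that no longer appear in the newer one."""
    old, new = parse_delegated(older), parse_delegated(newer)
    return sorted((k, v) for k, v in old.items() if k not in new)


def missing_counts(older: str, newer: str) -> Dict[str, int]:
    """Per-type tally of vanished records, the figure the thread quotes."""
    counts = {t: 0 for t in RESOURCE_TYPES}
    for (rtype, _, _), _ in missing_records(older, newer):
        counts[rtype] += 1
    return counts
```

Run against two real delegated-afrinic-extended downloads, the dates in the returned records show whether the gap starts at a particular allocation date, as the thread reports.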