For the benefit of those of you who may have been living in caves for the past two months, I would like to share the following links regarding a massive fraud that appears to have been perpetrated by at least one AFRINIC insider. (It has still not been definitively determined if he had help or not.)
https://mybroadband.co.za/news/internet/330379-how-internet-resources-worth-...
https://krebsonsecurity.com/2019/12/the-great-50m-african-ip-address-heist/
https://www.theregister.co.uk/2019/12/17/another_afrinic_scandal/
https://mybroadband.co.za/news/security/335226-here-are-the-police-charges-f...
I hate to say that I told you so, but I told you so. I reported right here on the NANOG list, in both 2016 and 2017, that there was quite a lot of funny business going on down in Africa. Nobody listened and there was no meaningful investigation whatsoever by anybody until I took it upon myself, starting in July of last year, to finally get to the bottom of this colossal mess.
Here are links to my old public posts relating to this:
November, 2016:
https://mailman.nanog.org/pipermail/nanog/2016-November/089164.html
https://mailman.nanog.org/pipermail/nanog/2016-November/089232.html
https://lists.afrinic.net/pipermail/rpd/2016/006129.html
August, 2017:
https://mailman.nanog.org/pipermail/nanog/2017-August/091821.html
https://mailman.nanog.org/pipermail/nanog/2017-August/091954.html
https://mailman.nanog.org/pipermail/nanog/2017-August/092092.html
AFRINIC supposedly began an investigation of these matters as early as last April (2019), but here's the funny thing: Not a single person from AFRINIC, or from any other part of what passes for "Internet governance" ever contacted me or asked a single question of me about any of this. I can only infer from this that nobody involved in this so-called investigation had any real or burning interest in gathering all of the relevant facts.
In light of the facts that have now come out in the press, AFRINIC is still, allegedly, "investigating" and now, even nearly two months after the story broke in the press, AFRINIC has still not even reclaimed 100% of the valuable IPv4 space that was provably stolen from their own free pool. (Various online criminal enterprises are continuing to use that IPv4 space as we speak.) Worse yet, AFRINIC has done nothing whatsoever to address the problem of the large number of AFRINIC legacy /16 blocks that got stolen via some clever internal manipulation of AFRINIC's own WHOIS records. Those manipulations, and the benefits from them, have flowed to various parties who are now all too well known, including one who previously made a brief guest appearance right here on this mailing list.
In fact, that party has just recently found a brand new helpful and compliant small-time hosting provider in India to route for him the stolen 165.25.0.0/16 block, which is and has been "liberated" from its rightful owners, i.e. the City of Cape Town, South Africa.
https://bgp.he.net/AS393960#_prefixes
https://bgp.he.net/net/165.25.8.0/22#_whois
Note that whereas AS393960 claims to be located in my own state of California, it is not incorporated here. It -is- incorporated in the state of Wyoming, but the owner and CEO, by his own admission, is actually located in Pune, India:
https://in.linkedin.com/in/kushalraha
(That small detail did not, of course, prevent ARIN, in its infinite wisdom, from giving the proprietor of this place his own AS, two IPv4 /22 blocks and one IPv4 /24 block, all apparently on the basis of his tissue-thin Wyoming shell company. But I digress.)
Anyway, I just wanted you all to be aware of all of these fun facts.
Like I always say, just another day in paradise.
Regards,
rfg
Hi there,
Thank you Ronald, I also heard of governance issues in AFRINIC from some people during the last RIPE meeting, so the word is spreading. Now, is there any other /16 impacted to your knowledge? It would be worth pushing to have them in as many drop lists as possible, maybe :)
I took the liberty of forwarding your message to the FRnoG list (giving you credit, of course), as France does have access to AFRINIC via the French Indies isles. Hope you don't mind.
-- Thomas BRENAC https://www.brenac.eu +33686263575 Registered IPv4 Broker by RIPE NCC, ARIN, APNIC and LACNIC
On 28/01/2020 05:46, Ronald F. Guilmette wrote:
In message <ff4bd087-2a84-b9d9-6f5b-715826a35aa6@brenac.eu>, thomas brenac <thomas@brenac.eu> wrote:
Thank you Ronald, I also heard of governance issues in AFRINIC from some people during the last RIPE meeting, so the word is spreading. Now, is there any other /16 impacted to your knowledge? It would be worth pushing to have them in as many drop lists as possible, maybe :)
As reported in Jan Vermeulen's article on the web site mybroadband.co.za, published December 4, there has been, and continues to be, a large number of blocks, both "legacy" blocks and other blocks, that were stolen from the Afrinic free pool. These blocks are of varying sizes, generally /16 blocks but also some larger ones as well as a few smaller ones.
The list of affected legacy blocks from Jan's article is as follows:
196.10.64.0/19 196.10.61.0/24 196.10.62.0/23 160.121.0.0/16 155.235.0.0/16 152.108.0.0/16 155.237.0.0/16 169.129.0.0/16 165.25.0.0/16 160.122.0.0/16 168.80.0.0/15 165.3.0.0/16 165.4.0.0/16 165.5.0.0/16 160.115.0.0/16
In addition to all of the above, I have some reason to believe that the following additional legacy block WAS (past tense) stolen, but has now been reclaimed by, and reassigned to, its rightful modern owner:
152.108.0.0/16
It is highly probable that there are other and additional legacy blocks that have also been stolen. I have been prevented from fully completing my research work on this part of the problem by ongoing stonewalling by Afrinic. Specifically, despite Afrinic having a defined protocol whereby legitimate researchers may request confidential access to the unredacted Afrinic WHOIS data base for legitimate research purposes... a protocol and a process which is fully supported and operational at all of the other four global RIRs... Afrinic has, for reasons unknown, elected to only provide redacted versions of its WHOIS data base which are identical to what may be obtained at any time, and without any special protocol, directly from Afrinic's FTP server (via anonymous FTP). Because the accurate identification of stolen Afrinic legacy blocks involves the careful analysis of the *unredacted* contact person: records, access to only the redacted data base is of no value whatsoever in the task of identifying stolen Afrinic legacy blocks.
Here is the page on the Afrinic web site where they needlessly torment legitimate researchers into believing that they will be able to get the same kind of unredacted WHOIS data base access as is provided, upon vetting and approval, by all of the other RIRs:
https://www.afrinic.net/services/207-bulk-whois-access
The list of blocks that appear to have been stolen from the Afrinic free pool, as published in Jan's Dec 4 article, is as follows:
"Infoplan"/"Network and Information Technology Limited": 196.16.0.0/14 196.4.36.0/22 196.4.40.0/22 196.4.44.0/23
"Cape of Good Hope Bank"/"CGHB": 165.52.0.0/14 137.171.0.0/16 160.184.0.0/16 168.211.0.0/16 192.96.146.0/24 -- NOTE!! -- 100% legitimate legacy allocation!
The following additional blocks had also been stolen from the Afrinic free pool. I had informed Jan about these blocks also, but for some reason these were not mentioned in Jan's Dec 4th article. (I assume that this was simply a clerical oversight on Jan's part. I had given him quite a lot of material to sort through.)
"ITC": 196.194.0.0/15 196.246.0.0/16 196.45.112.0/20 196.42.128.0/17 196.193.0.0/16
"Link Data Group": 160.255.0.0/16 196.62.0.0/16 198.54.232.0/24 196.207.64.0/18 196.192.192.0/18 160.181.0.0/16 213.247.0.0/19
As of this moment, Afrinic has properly reclaimed all of the "ITC" and "Link Data Group" and "Cape of Good Hope Bank"/"CGHB" blocks. Those blocks are now officially unregistered. I am informed and believe that it is Afrinic's intent to place all of these blocks into a "quarantine" status for a minimum of 1 year, which I think is entirely proper and prudent, under the circumstances.
I have no explanation for why Afrinic has not yet reclaimed any of the "Infoplan"/"Network and Information Technology Limited" blocks, especially the 196.16.0.0/14 block. This is for me deeply troubling, as I have some reason to believe that these blocks were stolen by a party or parties who were also Afrinic insiders, but people other than the one "insider" perpetrator of these crimes who has already been identified by myself and Jan, and who is now the subject of a police investigation in Mauritius.
I am not personally aware of any action that Afrinic has taken to try to remediate the situation with regards to the stolen legacy blocks, as listed above. These blocks all quite provably had their associated person: contact records fiddled in the WHOIS data base in a manner so as to redirect both emails and phone calls to either the perpetrators or those others to whom the perpetrators had re-sold these stolen goods.
In fact, I am not even sure that Afrinic even has the capability to undo the damage in the case of these legacy blocks and their fiddled contact person: records. Quite obviously, proper remediation of the affected person: records would involve restoring those to what they were before they had been fraudulently fiddled. Completion of that task is quite obviously dependent upon Afrinic having access to historical backups of its own WHOIS data base from as much as ten years ago. It is not at this moment clear to me that Afrinic is even in possession of such historical backups, and the fact that they have, as yet, made no apparent efforts to remediate the fraudulently fiddled person: records suggests to me that they likely do not possess such backups.
Many of the legacy blocks and many parts of the blocks that were stolen from the Afrinic free pool, both those that have been reclaimed and those that haven't yet been reclaimed, continue to be routed by various parties on behalf of the thieves and black market buyers of these blocks even as we speak. I hope to be able to post a full list of those routes and the relevant ASNs that are providing the ongoing routing for various parts of this mass of stolen booty in the very near future.
Regards,
rfg
Hi All,
http://ftp.afrinic.net/stats/afrinic/delegated-afrinic-extended-20200129
Another thing that stuck its head out today. No ASN, nor any IP prefixes, allocated since 2019/05/15 are listed in the delegated text files. Our (and I am sure others') prefixes are now null-routed at Team Cymru (contacted them, waiting for a response).
Yesterday's file was incomplete (looks like there were errors with the script, perhaps), and today's file is missing an enormous amount of data (1 ASN, 163 IPv4 allocations, and 272 IPv6 allocations). This is comparing the data file from 2020/01/29 (today) to 2020/01/27 (two days ago).
We also have a ticket with AfriNIC (no response yet), and when we called them there was no one "available" to assist.
On Wed, Jan 29, 2020 at 1:20 AM Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
-- Regards, Chris Knipe
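As an added example (not code from this thread, from AfriNIC or from Team Cymru), here is a parser for the delegated-extended stats format Chris is comparing, used to diff two snapshots the way his message describes and to flag a prefix that the newer file no longer covers, which is the condition that would make a bogon feed derived from such a file treat the prefix as unallocated. The two snapshots are constructed from documentation ranges and are not real AfriNIC records.

```python
"""Diff two RIR delegated-extended snapshots and find prefixes that lost their delegation.

Record lines look like  registry|cc|type|start|value|date|status|opaque-id  where for ipv4
'value' is a host count (not always a power of two), for ipv6 a prefix length, and for asn
a count of consecutive ASNs. The first line is a version header; '|summary' lines are totals.
"""
import ipaddress
from dataclasses import dataclass

# Constructed snapshots (RFC 5737 / RFC 3849 / RFC 5398 documentation ranges), NOT real
# AfriNIC data. The "new" file simulates the symptom from the thread: every delegation
# dated after 2019-05-15 has silently disappeared.
OLD_SNAPSHOT = """\
2|afrinic|20200127|6|19990101|20200127|00000
afrinic|*|ipv4|*|3|summary
afrinic|ZA|asn|64496|1|20100101|allocated|A1
afrinic|ZA|asn|64500|1|20190601|allocated|A2
afrinic|ZA|ipv4|192.0.2.0|256|20100101|allocated|B1
afrinic|MU|ipv4|198.51.100.0|512|20191001|assigned|B2
afrinic|ZA|ipv4|203.0.113.0|768|20100101|allocated|B3
afrinic|ZA|ipv6|2001:db8::|32|20190701|allocated|C1
"""
NEW_SNAPSHOT = """\
2|afrinic|20200129|3|19990101|20200129|00000
afrinic|ZA|asn|64496|1|20100101|allocated|A1
afrinic|ZA|ipv4|192.0.2.0|256|20100101|allocated|B1
afrinic|ZA|ipv4|203.0.113.0|768|20100101|allocated|B3
"""


@dataclass(frozen=True)
class Delegation:
    registry: str
    cc: str
    rtype: str      # "asn", "ipv4" or "ipv6"
    start: str
    value: int
    date: str
    status: str

    def networks(self):
        """CIDR blocks covered by this record; an ipv4 host count may need several."""
        if self.rtype == "ipv4":
            first = ipaddress.IPv4Address(self.start)
            last = first + (self.value - 1)
            return list(ipaddress.summarize_address_range(first, last))
        if self.rtype == "ipv6":
            return [ipaddress.IPv6Network(f"{self.start}/{self.value}")]
        return []


def parse_delegated_extended(text):
    """Return {(type, start, value): Delegation} for every record line in the file."""
    records = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if fields[0].isdigit():                          # version header line
            continue
        if len(fields) >= 6 and fields[5] == "summary":  # per-type totals
            continue
        if len(fields) < 7:                              # malformed: skip, don't crash
            continue
        registry, cc, rtype, start, value, date, status = fields[:7]
        records[(rtype, start, int(value))] = Delegation(
            registry, cc, rtype, start, int(value), date, status)
    return records


def missing_records(old, new):
    """Delegations present in the older snapshot but absent from the newer one."""
    return [rec for key, rec in old.items() if key not in new]


def count_by_type(records):
    """Tally records per type, e.g. {'asn': 1, 'ipv4': 163, 'ipv6': 272}."""
    counts = {"asn": 0, "ipv4": 0, "ipv6": 0}
    for rec in records:
        counts[rec.rtype] = counts.get(rec.rtype, 0) + 1
    return counts


def covering_delegation(prefix, records):
    """Return the record whose range contains `prefix`, or None if nothing covers it."""
    net = ipaddress.ip_network(prefix, strict=False)
    for rec in records.values():
        for block in rec.networks():
            if block.version == net.version and net.subnet_of(block):
                return rec
    return None


if __name__ == "__main__":
    old = parse_delegated_extended(OLD_SNAPSHOT)
    new = parse_delegated_extended(NEW_SNAPSHOT)
    gone = missing_records(old, new)
    print("vanished since last snapshot:", count_by_type(gone))
    for rec in gone:
        print(f"  {rec.rtype:4} {rec.start}/{rec.value} (delegated {rec.date})")
    for pfx in ("198.51.100.128/25", "203.0.115.0/24"):
        print(pfx, "covered" if covering_delegation(pfx, new) else "NOT covered (bogon risk)")
```

Pointing the script at two consecutive real snapshots gives the same per-type counts Chris reports, and any of your own prefixes that come back "NOT covered" are the ones to raise with the RIR and the bogon-feed operator before the feed's consumers act on it.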
Hi all,
I am still looking into the history of this issue, but presently, the prefix Chris shared with us is not on our IPv4 BOGON list.
For those wanting to see the list, it is available in plain text here:
https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt
I welcome input on this as I look into the history a little more.
Cheers!
James
On 1/29/20 7:27 AM, Chris Knipe wrote:
-- James Shank Senior Security Evangelist; Chief Architect, Community Services Team Cymru, Inc. jshank@cymru.com; +1-847-378-3365; http://www.team-cymru.com/
Hi James,
Just want to make this clear to NANOG as well - there's no beef here. The priority was to get delisted. The beef is with AfriNIC in this case :) It's not CYMRU's fault. The datasets are incomplete.
-- C
On Wed, Jan 29, 2020 at 4:03 PM James Shank <jshank@cymru.com> wrote:
Hi all,
I am still looking into the history of this issue, but presently, the prefix Chris shared with us is not on our IPv4 BOGON list.
For those wanting to see the list, it is available in plain text here:
https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt
I welcome input on this as I look into the history a little more.
Cheers!
James
Hi All,
http://ftp.afrinic.net/stats/afrinic/delegated-afrinic-extended-20200129
Another thing that stuck it's head out today now. No ASN, nor IP
allocated since 2019/05/15 is listed in the delegated text files. Our (and I am sure others) prefixes is now null routed at team CYMRU (contacted them, waiting for response).
Yesterday's file was incomplete (looks like there were errors with the script perhaps), and today's file is missing an enormous amount of data (1 ASN, 163 IPv4 allocations, and 272 IPv6 allocations). This is comparing
data file from 2020/01/29 (today) to 2020/01/27 (two days ago).
We also have a ticket with AfriNIC (no response yet), and when we called them there was no one "available" to assist.
On Wed, Jan 29, 2020 at 1:20 AM Ronald F. Guilmette < rfg@tristatelogic.com> wrote:
In message <ff4bd087-2a84-b9d9-6f5b-715826a35aa6@brenac.eu>, thomas brenac <thomas@brenac.eu> wrote:
Thank you Ronald, I also heard of governance issue in AFRINIC by some people during the last RIPE meeting so the word is spreading. Now is there any other /16 impacted to your knowledge ? Would be worth pushing to have them in as many Drop list as possible maybe :)
As reported in Jan Vermeulen's article on the web site mybroadband.co.za published December 4, there has been, and continues to be, a large number of blocks, both "legacy" blocks and other blocks, that were stolen from the Afrinic free pool. These blocks are of varying sizes, generally /16 blocks, but also some larger ones as well as a few smaller ones.
The list of affected legacy blocks from Jan's article is as follows:
196.10.64.0/19
196.10.61.0/24
196.10.62.0/23
160.121.0.0/16
155.235.0.0/16
152.108.0.0/16
155.237.0.0/16
169.129.0.0/16
165.25.0.0/16
160.122.0.0/16
168.80.0.0/15
165.3.0.0/16
165.4.0.0/16
165.5.0.0/16
160.115.0.0/16
In addition to all of the above, I have some reason to believe that the following additional legacy block WAS (past tense) stolen, but has now been reclaimed by, and reassigned to, its rightful modern owner:
152.108.0.0/16
It is highly probable that there are other and additional legacy blocks that have also been stolen. I have been prevented from fully completing my research work on this part of the problem by ongoing stonewalling by Afrinic. Specifically, despite Afrinic having a defined protocol whereby legitimate researchers may request confidential access to the unredacted Afrinic WHOIS database for legitimate research purposes... a protocol and a process which is fully supported and operational at all of the other four global RIRs... Afrinic has, for reasons unknown, elected to only provide redacted versions of its WHOIS database which are identical to what may be obtained at any time, and without any special protocol, directly from Afrinic's FTP server (via anonymous FTP). Because the accurate identification of stolen Afrinic legacy blocks involves the careful analysis of the *unredacted* contact person: records, access to only the redacted database is of no value whatsoever in the task of identifying stolen Afrinic legacy blocks.
Here is the page on the Afrinic web site where they needlessly torment legitimate researchers into believing that they will be able to get the same kind of unredacted WHOIS data base access as is provided, upon vetting and approval, by all of the other RIRs:
https://www.afrinic.net/services/207-bulk-whois-access
The list of blocks that appear to have been stolen from the Afrinic free pool, as published in Jan's Dec 4 article are as follows:
"Infoplan"/"Network and Information Technology Limited":
196.16.0.0/14
196.4.36.0/22
196.4.40.0/22
196.4.44.0/23
"Cape of Good Hope Bank"/"CGHB":
165.52.0.0/14
137.171.0.0/16
160.184.0.0/16
168.211.0.0/16
192.96.146.0/24 -- NOTE!! -- 100% legitimate legacy allocation!
The following additional blocks had also been stolen from the Afrinic free pool. I had informed Jan about these blocks also, but for some reason these were not mentioned in Jan's Dec 4th article. (I assume that this was simply a clerical oversight on Jan's part. I had given him quite a lot of material to sort through.)
"ITC":
196.194.0.0/15
196.246.0.0/16
196.45.112.0/20
196.42.128.0/17
196.193.0.0/16
"Link Data Group":
160.255.0.0/16
196.62.0.0/16
198.54.232.0/24
196.207.64.0/18
196.192.192.0/18
160.181.0.0/16
213.247.0.0/19
As of this moment, Afrinic has properly reclaimed all of the "ITC" and "Link Data Group" and "Cape of Good Hope Bank"/"CGHB" blocks. Those blocks are now officially unregistered. I am informed and believe that it is Afrinic's intent to place all of these blocks into a "quarantine" status for a minimum of 1 year, which I think is entirely proper and prudent, under the circumstances.
I have no explanation for why Afrinic has not yet reclaimed any of the "Infoplan"/"Network and Information Technology Limited" blocks, especially the 196.16.0.0/14 block. This is for me deeply troubling, as I have some reason to believe that these blocks were stolen by a party or parties, who were also Afrinic insiders, but people other than the one "insider" perpetrator of these crimes who has already been identified by myself and Jan, and who is now the subject of a police investigation in Mauritius.
I am not personally aware of any action that Afrinic has taken to try to remediate the situation with regards to the stolen legacy blocks, as listed above. These blocks all quite provably had their associated person: contact records fiddled in the WHOIS database in a manner so as to redirect both emails and phone calls to either the perpetrators or those others to whom the perpetrators had re-sold these stolen goods.
In fact, I am not even sure that Afrinic even has the capability to undo the damage in the case of these legacy blocks and their fiddled contact person: records. Quite obviously, proper remediation of the affected person: records would involve restoring those to what they were before they had been fraudulently fiddled. Completion of that task is quite obviously dependent upon Afrinic having access to historical backups of its own WHOIS database from as much as ten years ago. It is not at this moment clear to me that Afrinic is even in possession of such historical backups, and the fact that they have, as yet, made no apparent efforts to remediate the fraudulently fiddled person: records suggests to me that they likely do not possess such backups.
Many of the legacy blocks and many parts of the blocks that were stolen from the Afrinic free pool, both those that have been reclaimed and those that haven't yet been reclaimed, continue to be routed by various parties on behalf of the thieves and black market buyers of these blocks even as we speak. I hope to be able to post a full list of those routes and the relevant ASNs that are providing the ongoing routing for various parts of this mass of stolen booty in the very near future.
Regards, rfg
-- James Shank Senior Security Evangelist; Chief Architect, Community Services Team Cymru, Inc. jshank@cymru.com; +1-847-378-3365; http://www.team-cymru.com/
-- Regards, Chris Knipe
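The comparison Chris describes (two snapshots of delegated-afrinic-extended, with allocations made after 2019/05/15 gone from the newer one) and James's pointer to the fullbogons text file suggest a check a network operator would want to script. The program below is an added example written for this page; it is not code from anyone in the thread, from Team Cymru or from AFRINIC. The two snapshot texts and the bogon list are constructed, not real data, and the link between them rests on an assumption the thread implies but never states: that a fullbogons-style feed is derived from the RIR delegated files, so an allocation that drops out of the file turns up as a bogon and gets null routed. The parser follows the published delegated-extended layout (registry|cc|type|start|value|date|status|opaque-id), and the address-count to CIDR conversion handles counts such as 3072 that do not fit a single prefix.

```python
"""Diff two RIR delegated-extended snapshots and test the dropped prefixes
against a bogon list.  Added example for this thread; the snapshot lines and
the bogon list are constructed, not real AFRINIC or Team Cymru data."""
import ipaddress
from typing import Dict, List, Tuple

# delegated-extended line: registry|cc|type|start|value|date|status|opaque-id
# ipv4 'value' is an address count (not always a power of two), ipv6 'value'
# is a prefix length, asn 'value' is a count of consecutive AS numbers.
SNAPSHOT_OLD = """\
2|afrinic|20200127|6|19000101|20200127|+0000
afrinic|*|asn|*|2|summary
afrinic|*|ipv4|*|3|summary
afrinic|*|ipv6|*|1|summary
afrinic|ZA|asn|37000|1|20180601|allocated|F000001
afrinic|ZA|asn|37001|2|20190701|allocated|F000002
afrinic|ZA|ipv4|196.10.64.0|8192|20000101|allocated|F000003
afrinic|ZA|ipv4|102.64.0.0|3072|20190620|allocated|F000004
afrinic|MU|ipv4|196.192.0.0|16384|20050101|allocated|F000005
afrinic|ZA|ipv6|2c0f:f000::|32|20190801|allocated|F000004
"""

# Constructed "day two": every record dated after 2019-05-15 has vanished.
SNAPSHOT_NEW = """\
2|afrinic|20200129|3|19000101|20200129|+0000
afrinic|*|asn|*|1|summary
afrinic|*|ipv4|*|2|summary
afrinic|ZA|asn|37000|1|20180601|allocated|F000001
afrinic|ZA|ipv4|196.10.64.0|8192|20000101|allocated|F000003
afrinic|MU|ipv4|196.192.0.0|16384|20050101|allocated|F000005
"""

# Constructed fullbogons-style feed (one prefix per line, '#' comments).
# Assumption, suggested by the thread but not stated in it: such a feed is
# built from the RIR delegated files, so space missing from the file is listed.
FULLBOGONS_SAMPLE = """\
# constructed bogon feed for this example
0.0.0.0/8
10.0.0.0/8
102.64.0.0/22
102.68.0.0/16
2c0f:f000::/32
"""

Record = Tuple[str, str, str]  # (type, start, value)


def parse_delegated(text: str) -> Dict[Record, str]:
    """Return {(type, start, value): status} for the allocation records,
    skipping the version header, the per-type summary lines and comments."""
    records: Dict[Record, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) < 7 or fields[1] == "*":
            continue  # summary line or truncated record
        rtype, start, value, status = fields[2], fields[3], fields[4], fields[6]
        if rtype not in ("asn", "ipv4", "ipv6"):
            continue  # version header has a date in this column
        records[(rtype, start, value)] = status
    return records


def to_networks(rtype: str, start: str, value: str) -> List:
    """Expand one record to CIDR blocks.  An ipv4 count such as 3072 does not
    fit one prefix, so the range is summarized instead of assuming a power of two."""
    if rtype == "ipv4":
        first = ipaddress.IPv4Address(start)
        last = first + (int(value) - 1)
        return list(ipaddress.summarize_address_range(first, last))
    if rtype == "ipv6":
        return [ipaddress.IPv6Network(f"{start}/{value}")]
    return []  # ASNs carry no address space


def diff_snapshots(old_text: str, new_text: str) -> Dict[str, List[Record]]:
    """Records present in the older snapshot but absent from the newer one,
    grouped by type: the comparison Chris describes in the thread."""
    old, new = parse_delegated(old_text), parse_delegated(new_text)
    missing: Dict[str, List[Record]] = {"asn": [], "ipv4": [], "ipv6": []}
    for rec in sorted(old.keys() - new.keys()):
        missing[rec[0]].append(rec)
    return missing


def load_bogons(text: str) -> List:
    return [ipaddress.ip_network(l.strip()) for l in text.splitlines()
            if l.strip() and not l.startswith("#")]


def bogon_hits(networks: List, bogons: List) -> List[Tuple[str, str]]:
    """Pairs (our prefix, bogon entry) where the two overlap.  A router that
    consumes the feed discards the bogon prefix, so partial overlap matters."""
    hits = []
    for net in networks:
        for bog in bogons:
            if net.version != bog.version:
                continue
            if net.subnet_of(bog) or bog.subnet_of(net):
                hits.append((str(net), str(bog)))
    return hits


def check_missing(old_text: str, new_text: str, bogon_text: str):
    """Diff the snapshots, then report which vanished prefixes a bogon feed
    built from the newer file would now null route."""
    missing = diff_snapshots(old_text, new_text)
    nets = [n for rec in missing["ipv4"] + missing["ipv6"] for n in to_networks(*rec)]
    return missing, bogon_hits(nets, load_bogons(bogon_text))


if __name__ == "__main__":
    missing, hits = check_missing(SNAPSHOT_OLD, SNAPSHOT_NEW, FULLBOGONS_SAMPLE)
    for rtype, recs in missing.items():
        print(f"{rtype}: {len(recs)} record(s) missing from the newer snapshot")
    for net, bog in hits:
        print(f"{net} overlaps bogon entry {bog}: expect a null route")
```

Against real data, feed it two consecutive downloads of the delegated-afrinic-extended file and the live fullbogons-ipv4.txt / fullbogons-ipv6.txt; the counts per type in `missing` are the figures Chris quotes (1 ASN, 163 IPv4, 272 IPv6 on his day), and `hits` is the list to raise with the feed provider. Note that the key is (type, start, value), so a record whose status or opaque-id changed but whose range stayed the same is not reported as missing.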
participants (4): Chris Knipe, James Shank, Ronald F. Guilmette, thomas brenac