My apologies to all. Certain of the blocks mentioned in my prior posting here have already been reclaimed, and are currently being routed by appropriate parties. In particular, these ones:

152.108.0.0/16
155.237.0.0/16
165.4.0.0/16
165.5.0.0/16

Also, I somehow managed to miss mentioning a few blocks that were also quite clearly stolen as part of this extensive and elaborate scheme, specifically these ones:

160.116.0.0/16
163.198.0.0/16
164.88.0.0/16
196.15.96.0/18

A full list of all of the stolen AFRINIC blocks that are still of ongoing concern at the present moment, taking into account the above adjustments, is available here:

https://pastebin.com/raw/71zNNriB

Note that many of the blocks listed at the link above have already been "reclaimed" as far as the AFRINIC WHOIS records are concerned. But because routing remains almost entirely decoupled from RIR WHOIS data bases, much of this "reclaimed" space is still being routed as I write this. The only difference is that now the space is being routed as bogons, rather than as "legitimately" allocated space.

A summary of all of the current routing for all of the stolen AFRINIC IPv4 address space that is still of concern, including routing for recently reclaimed address space that AFRINIC will eventually be returning to its free pool is provided below. This list is sorted by the number of constituent stolen /24 blocks being routed by each listed network, thus showing the most major offenders at the top. A few footnotes concerning specific ASNs in this list follow below the listing.

I urge everyone on this mailing list to share this data as widely as possible in and among the global networking community.

In all cases noted below, the networks in question are unambiguously routing IP blocks that were obtained, in the first instance, via thefts perpetrated by one or more AFRINIC insiders and then resold on the black market in secretive deals.

In many and perhaps most cases listed below, the relevant networks appear to have been more than happy to accept some cash in exchange for their services, while not looking all that carefully at the purported (but fraudulent) "LOA" documents they were handed. (Repeated use of blatantly fraudulent documents has been one of the consistent features of this entire ongoing criminal enterprise.)

All routing data is derived from current data published by RIPEstat.

======================================================================
3719       0  ??  UNROUTED IP SPACE
 629  132165  PK  Connect Communication
 512   18013  HK  Asline Limited
 504   19969  US  Joe's Datacenter, LLC
 500   62355  CO  Network Dedicated SAS
 423  202425  SC  IP Volume inc
 286   58895  PK  Ebone Network (PVT.) Limited
 250  136525  PK  Wancom (Pvt) Ltd.
 192   18530  US  Isomedia, Inc.
 186    9009  GB  M247 Ltd
 134  262287  BR  Maxihost LTDA
 132  204655  NL  Novogara LTD
  79  132116  IN  Ani Network Pvt Ltd
  75  136384  PK  Optix Pakistan (Pvt.) Limited
  68  132422  HK  Hong Kong Business Telecom Limited
  60  137443  HK  Anchnet Asia Limited
  48   63956  AU  Colocation Australia Pty Ltd
  26  132335  IN  LeapSwitch Networks Pvt Ltd
  21  131284  AF  Etisalat Afghan
  20  139043  PK  WellNetworks (Private) Limited
  19   43092  JP  OSOA Corporation., LTD
  17   36351  US  SoftLayer Technologies Inc.
  16   56611  NL  REBA Communications BV
  16  199267  IL  Netstyle A. Ltd
  16   23679  ID  Media Antar Nusa PT.
  14  137085  IN  Nixi
  10   63018  US  Dedicated.com
   9  136782  JP  Pingtan Hotline Co., Limited
   8   45671  AU  Servers Australia Pty. Ltd
   8   57717  NL  FiberXpress BV
   7   49335  RU  LLC "Server v arendy"
   7  134451  SG  NewMedia Express Pte Ltd
   6   49367  IT  Seflow S.N.C. Di Marco Brame' & C.
   6   26754  ??  {{unknown organization}}
   5  198504  AE  Star Satellite Communications Company - PJSC
   5  198381  AE  Star Satellite Communications Company - PJSC
   4   38001  SG  NewMedia Express Pte Ltd
   4  263812  AR  TL Group SRL ( IPXON Networks )
   4   30827  GB  Extraordinary Managed Services Ltd
   4   42831  GB  UK Dedicated Servers Limited
   4   37200  NG  SimbaNET Nigeria Limited
   4  133495  PK  Vision telecom Private limited
   4  198394  AE  Star Satellite Communications Company - PJSC
   2   44066  DE  First Colo GmbH
   2  198247  AE  Star Satellite Communications Company - PJSC
   2  133933  PK  NetSat Private Limited
   2  328096  UG  truIT Uganda Limited
   2   38713  PK  Satcomm (Pvt.) Ltd.
   2   31122  IE  Digiweb ltd
   2   46562  US  Total Server Solutions L.L.C.
   2   13737  US  Riverfront Internet Systems LLC
   2   11990  US  Unlimited Net, LLC
   2   20860  GB  Iomart Cloud Services Limited
   2   45382  KR  Ehostict
   2   17216  US  Dc74 Llc
   2   16637  ZA  Mtn Sa
   2   53999  CA  Priority Colo Inc
   1   23470  US  ReliableSite.Net LLC
   1   35074  NG  Cobranet Limited
   1   19832  ZA  Link Data Group
   1   43945  IL  Netstyle A. Ltd
   1  134917  IN  Ragsaa Communication pvt. ltd.
   1  203833  DE  First Colo GmbH
======================================================================

The actual current route announcements corresponding to all of the above are listed in the table given here, which is sorted by ASN:

https://pastebin.com/raw/XQyJ8EK2

Footnotes:

[1] AS62355 gives all indications of being a false front fraudulent network, possibly one that was set up by one or more of the black market dealers involved in this case. There is no actual web site associated with its contact domain (networkdedicated.com) at present, the alleged contact phone number in the associated AS WHOIS record was non-working when I tried it, and the street address given for this entity in Bogotá, Colombia, is one that Google maps cannot locate. Traceroutes to the one and only IPv4 block that is being routed by this AS and that is actually registered to the company itself (185.39.8.0/22) do not terminate in Colombia, South America, as one would expect, based on the WHOIS, but rather such traceroutes dead-end somewhere on the network of core-backbone.com (Core-Backbone GmbH, Germany) in the general vicinity of Amsterdam, Netherlands.

[2] The networks of AS202425 (IP volume, Inc. - Seychelles), AS204655 (Novogara, Ltd. - Netherlands), AS56611 (REBA Communications BV - Netherlands), and AS57717 (FiberXpress BV - Netherlands), are all believed by me to be owned and controlled by a certain pair of Dutch gentlemen who I have previously posted about. For more information on these characters, please google for "Ecatel" and/or "Quasi Networks". Both of those are, I believe, demonstrably the predecessors of what is now called "IP volume, Inc."

[3] AS199267 (Netstyle A. Ltd. - Israel) and AS43945 (Netstyle A. Ltd. - Israel) belong to one of the persons featured in Jan Vermeulen's detailed December 4th report on this whole AFRINIC caper, i.e. the particular fellow who has been going around passing out fraudulent LOAs of such shockingly low quality that one wonders why he even bothers.

[4] AS26754 was formerly an AFRINIC-assigned ASN which was assigned to the entirely fictitious business entity called "ITC". That entity appears to have just been an imaginary concoction of Mr. Ernest Byaruhanga, formerly of AFRINIC, and now the target of an ongoing criminal investigation in Africa, and/or other AFRINIC insiders who worked with or along side Mr. Byaruhanga to criminally strip assets from AFRINIC and its legacy block holders. The registration for this AS number has now been withdrawn by AFRINIC, thus rendering the ASN itself a bogon.

[5] AS19832 ("Link Data Group") is yet another fiction that was manufactured out of -nearly- whole cloth, either by Mr. Byaruhanga and/or by other AFRINIC insiders who were working with him. It is not immediately clear why this ASN is still registered, let alone why its route announcements are still being accepted or propagated anywhere.
On Wed, 29 Jan 2020 19:51:17 -0800 "Ronald F. Guilmette" <rfg@tristatelogic.com> wrote:
A full list of all of the stolen AFRINIC blocks that are still of ongoing concern at the present moment, taking into account the above adjustments, is available here:
https://pastebin.com/raw/71zNNriB
Note that many of the blocks listed at the link above have already been "reclaimed" as far as the AFRINIC WHOIS records are concerned. But because routing remains almost entirely decoupled from RIR WHOIS data bases, much of this "reclaimed" space is still being routed as I write this. The only difference is that now the space is being routed as bogons, rather than as "legitimately" allocated space.
Rightful owners should create RPKI ROAs, which can help, since some large networks have deployed origin validation and drop RPKI invalids.
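The origin-validation check this reply refers to, as an added example that is not part of the thread: a minimal RFC 6811 classifier showing that a ROA turns a wrong-origin announcement into an RPKI "invalid" that validating networks can drop, while space with no ROA stays "not-found" and is accepted. It goes beyond the post by also handling AS0 ROAs (RFC 6483); all prefixes (benchmarking and TEST-NET ranges) and ASNs (documentation range) are constructed sample values.

```python
import ipaddress
from typing import NamedTuple


class ROA(NamedTuple):
    prefix: ipaddress.IPv4Network
    max_length: int
    origin_as: int  # 0 means "no AS may originate this space" (RFC 6483)


def roa(prefix: str, max_length: int, origin_as: int) -> ROA:
    return ROA(ipaddress.ip_network(prefix), max_length, origin_as)


def validate(route_prefix: str, origin_as: int, roas: list) -> str:
    """Classify one announcement per RFC 6811: valid / invalid / not-found."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for r in roas:
        # A ROA covers the route if the route is equal to or inside its prefix.
        if route.version != r.prefix.version or not route.subnet_of(r.prefix):
            continue
        covered = True
        # Match needs the same origin (never AS0) and a length within maxLength.
        if (r.origin_as != 0 and r.origin_as == origin_as
                and route.prefixlen <= r.max_length):
            return "valid"
    # Covered but unmatched is invalid; no covering ROA at all is not-found.
    return "invalid" if covered else "not-found"


def drop_invalids(announcements: list, roas: list) -> list:
    """Policy of a validating network: reject invalids, keep everything else."""
    return [a for a in announcements if validate(a[0], a[1], roas) != "invalid"]


# Constructed sample data: the rightful holder (AS64496) has published a ROA
# for its /16; a reclaimed /16 carries an AS0 ROA; 203.0.113.0/24 has no ROA.
ROAS = [
    roa("198.18.0.0/16", 16, 64496),
    roa("198.19.0.0/16", 24, 0),
]
ANNOUNCEMENTS = [
    ("198.18.0.0/16", 64496),   # rightful origin
    ("198.18.5.0/24", 64511),   # third party routing part of the holder's block
    ("198.18.5.0/24", 64496),   # right origin, but longer than maxLength
    ("198.19.7.0/24", 64511),   # reclaimed space still being announced
    ("203.0.113.0/24", 64511),  # no ROA exists, so validation cannot help
]

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(f"{prefix:<18} AS{asn:<6} {validate(prefix, asn, ROAS)}")
    print("accepted:", drop_invalids(ANNOUNCEMENTS, ROAS))
```

The last sample route is the case the reply is addressing: until the holder publishes a ROA, a validating network has nothing to reject the announcement against.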
On Wed, 29 Jan 2020, Ronald F. Guilmette wrote:
In all cases noted below, the networks in question are unambiguously routing IP blocks that were obtained, in the first instance, via thefts perpetrated by one or more AFRINIC insiders and then resold on the black market in secretive deals.
What can or should be done when a registry goes rogue? -Dan
In message <Pine.LNX.4.64.2001301338580.909@yuri.anime.net>, Dan Hollis <goemon@sasami.anime.net> wrote:
What can or should be done when a registry goes rogue?
Answering that question is a task which is above my pay grade. I would be remiss however if I did not take this opportunity to make a few brief and relevant points.

*) There are other and additional shoes yet to drop with respect to AFRINIC. I am not free to go into more details regarding that assertion at this time.

*) It is implausible on the face of it that only one AFRINIC insider was stealing all of this stuff and spiriting it all out the backdoor at midnight while all other AFRINIC employees, management, and board were entirely clueless and totally in the dark about the fact that any of this was going on, right under their own roof and right under their noses. And I have some not-entirely-speculative reasons to believe that others were involved.

*) Throughout my investigation, AFRINIC officials and board members have, almost without exception, avoided answering many simple and relevant questions regarding this and other matters, even when the questions quite obviously do not have any relevance whatsoever to AFRINIC's contractual confidentiality commitments to its member organizations. If you ask AFRINIC what time of day it is, they will tell you that that is covered under an NDA, and that thus, they can't tell you. It really is almost that bad, and there appears to me to be a pervasive culture of secrecy within the organization which effectively thwarts reasonable inquiry and any and all outside accountability. This appeared to me to be the case even well before AFRINIC became fully aware of the activities of their rogue employee, and now, the existence of what is supposedly a serious police inquiry by the crack Mauritian police investigators is being used as a basis for AFRINIC to answer even fewer questions than before, since the whole matter is now said to be "under police investigation". (It is left as an exercise for the reader to deduce whether or not the high-tech crimes investigative unit of the Mauritian national police is at all likely to obtain or expose more answers in this case than I and journalist Jan Vermeulen already have done. In estimating the odds of that, it may be of value to keep in mind that the entire nation of Mauritius, known primarily for sunny beaches and tax avoidance schemes, has a total population of slightly less than the city of Dallas, Texas.)

*) Ever since the publication of Jan Vermeulen's first article on this matter on September 1, 2019, it has been alleged that AFRINIC has been conducting its own internal investigation. More recently Jan has learned that AFRINIC's internal investigation may have actually started much earlier, in April of 2019. In all this time, neither anyone from AFRINIC nor anyone from the Mauritian national police have made any effort to ask either Jan or myself what, if anything, we know about these matters that has not yet appeared in print. If they had asked, as part of their "internal investigation", we could have told them some things. They never asked.

*) Entirely separate from the matter of the looting of IPv4 resources from AFRINIC, it was announced some time ago that AFRINIC's auditor of many years, PriceWaterhouseCoopers (PwC), has effectively fired its client, AFRINIC, for reasons that have yet to be revealed, either to the AFRINIC membership or to the public at large. This is the same accounting firm that has been named in numerous recent press reports as having possibly played some role in the large scale looting of the state coffers of the southern African country of Angola:

https://www.nytimes.com/2020/01/19/world/africa/isabel-dos-santos-angola.htm...
https://www.theguardian.com/world/2020/jan/23/pwc-growing-scrutiny-isabel-do...
https://www.icij.org/investigations/luanda-leaks/pwc-head-shocked-and-disapp...

This raises the almost unavoidable question: How bad must AFRINIC's books be in order to cause even the likes of PriceWaterhouseCoopers to walk away from their client, AFRINIC, after so many years? And what is it in those books that AFRINIC and its board would prefer everyone not know about?

*) At the present time, and reportedly even well before Jan Vermeulen's September 1st article which suggested, unambiguously, that there was something rotten going on within AFRINIC, AFRINIC has been allegedly endeavoring to investigate itself. The problems with that are, I believe, self-evident to any unbiased observer. I personally have no faith that the full truth or the full facts relating either to the IPv4 pilfering or to the other and unrelated accounting issues, whatever they may be, are at all likely to emerge from AFRINIC's investigation of itself. Furthermore, I believe that this is itself considered by the AFRINIC board to be a feature rather than a bug.

If anyone were seriously motivated to get to the full truth of these matters then the solution is quite obvious. There should be an independent outside investigation. And to be clear, I am most definitely *not* talking about an investigation performed by what is effectively AFRINIC's parent company, ICANN. That organization also has more than a little vested interest in seeing to it that both of these matters, the IP thefts and the accounting irregularities, are all swept under the rug as quickly and as quietly as possible. For this reason, I have no doubt whatsoever that both AFRINIC and ICANN would vigorously oppose the notion of an independent outside investigation. And since ICANN calls the tune with respect to all Internet governance matters I also have no doubt at all that there will be no independent inquiry into any of this abundant funny business, and that the full facts will never be known to the public, and most likely not even to the few AFRINIC staff members who are, at present, and reportedly since last April, "investigating".

Regards,
rfg
Ronald,

Speaking only for myself…

As I’ve recently seen complaints about RIRs directed to ICANN (in a different context than the issues at AfriNIC), a bit of clarification may be in order:
What can or should be done when a registry goes rogue?
In my view, it is primarily the responsibility of the community served by the RIR to rein it in if it goes rogue.
And to be clear, I am most definitely *not* talking about an investigation performed by what is effectively AFRINIC's parent company, ICANN.
ICANN is not the parent company of AfriNIC (or any other RIR, some of which existed prior to ICANN being created). While ICANN recognizes new RIRs (according to https://www.icann.org/resources/pages/new-rirs-criteria-2012-02-25-en) and recognizes “global policies” that reach consensus across all RIRs, there are no policies, processes, or mechanisms by which ICANN can exert any form of control over the RIRs. ICANN performs a set of functions for the RIRs at their request via the IANA functions and can be seen in that light as a service provider to the RIRs. It is probably most accurate to view ICANN and the RIRs as peer organizations, connected operationally via the IANA functions, which primarily focus on different universes (domain names in ICANN’s case, IP addresses in the RIRs’ case).
That organization also has more than a little vested interest in seeing to it that both of these matters, the IP thefts and the accounting irregularities, are all swept under the rug as quickly and as quietly as possible.
I’ll admit some curiosity as to what this “more than a little vested interest” might be, however this is simply wrong. Like pretty much everybody else, we have an interest in an accurate and trustable registration database.
For this reason, I have no doubt whatsoever that both AFRINIC and ICANN would vigorously oppose the notion of an independent outside investigation.
As RIR operational matters are outside ICANN’s remit as defined by our Bylaws, at least by my reading, I am skeptical ICANN would even have an opinion.
And since ICANN calls the tune with respect to all Internet governance matters
I suspect the folks at the RIRs, Internet Society, IGF, ITU, W3C, ETSI, IETF, IAB, etc. may not agree with this assertion.

Regards,
-drc
ICANN CTO, but speaking only for myself.
On Jan 31, 2020, at 09:38 , David Conrad <drc@virtualized.org> wrote:
Ronald,
Speaking only for myself…
As I’ve recently seen complaints about RIRs directed to ICANN (in a different context than the issues at AfriNIC), a bit of clarification may be in order:
What can or should be done when a registry goes rogue?
In my view, it is primarily the responsibility of the community served by the RIR to rein it in if it goes rogue.
And to be clear, I am most definitely *not* talking about an investigation performed by what is effectively AFRINIC's parent company, ICANN.
ICANN is not the parent company of AfriNIC (or any other RIR, some of which existed prior to ICANN being created). While ICANN recognizes new RIRs (according to https://www.icann.org/resources/pages/new-rirs-criteria-2012-02-25-en) and recognizes “global policies” that reach consensus across all RIRs, there are no policies, processes, or mechanisms by which ICANN can exert any form of control over the RIRs. ICANN performs a set of functions for the RIRs at their request via the IANA functions and can be seen in that light as a service provider to the RIRs.
It is probably most accurate to view ICANN and the RIRs as peer organizations, connected operationally via the IANA functions, which primarily focus on different universes (domain names in ICANN’s case, IP addresses in the RIRs’ case).
It is sad to see this statement coming from someone so high up in ICANN… So often ICANN has focused strictly on that first N. I would say it is more accurate to refer to ICANN in the context of the RIRs as a vendor and little more. ICANN performs services (maintenance of the central registry and coordination of large blocks of number resources being delegated to the individual RIRs from that central registry). Technically, I believe this is done through PTI, though I admit that I still haven’t managed to gain 100% clarity on how the PTI<->ICANN relationship functions or whether the RIRs are contracted to ICANN or to PTI or to both.
And since ICANN calls the tune with respect to all Internet governance matters
I suspect the folks at the RIRs, Internet Society, IGF, ITU, W3C, ETSI, IETF, IAB, etc. may not agree with this assertion.
Speaking only for myself, I certainly don’t agree with this assertion.

Owen
participants (5)
- afpd@yandex.ru
- Dan Hollis
- David Conrad
- Owen DeLong
- Ronald F. Guilmette