R1.3-billion worth of African IP addresses stolen

Jamie McKane

MyBroadband Journalist
The African Network Information Centre (AFRINIC) has released its long-awaited report of the internal audit it conducted after the discovery that the co-founder of the organisation had abused his position to steal large swaths of African Internet resources.

It confirmed an earlier statement from AFRINIC that a total of over 4.1 million Internet Protocol (IP) addresses had been misappropriated and provided a detailed account of the resources that were compromised.
 
R1.3-billion worth of African IP addresses stolen

The African Network Information Centre (AFRINIC) has released its long-awaited report of the internal audit it conducted after the discovery that the co-founder of the organisation had abused his position to steal large swaths of African Internet resources.

It confirmed an earlier statement from AFRINIC that a total of over 4.1 million Internet Protocol (IP) addresses had been misappropriated and provided a detailed account of the resources that were compromised.
wow...
 
Nothing to see here folks, our previous president said corruption doesn't affect Africans, it's just something Westerners worry about.
 
Props to AFRINIC that it has tackled this issue and appears to be committed to fixing its WHOIS database.

That said, it has taken them extremely long to get to this point and to my mind they remain responsible for the WHOIS records being compromised in the first place.
 
On the bigger scale, no, but on the smaller scale, the previous report showed the State IT agency to be involved.
Some of their address space was stolen. So was City of Cape Town's, and many others'.
 
Props to AFRINIC that it has tackled this issue and appears to be committed to fixing its WHOIS database.

That said, it has taken them extremely long to get to this point and to my mind they remain responsible for the WHOIS records being compromised in the first place.
Whilst it's great that these IPs have been returned, how about a follow-up article on how many of these corporates actually need the /16s allocated to them to run their two or three websites, and how many could be returned to ISPs that actually need to allocate IPs to end users, instead of two or three websites.

NBS, Syfrets, SASOL, Tredcor, Woolworths certainly don't need 327 680 to run their websites and a few branch connections....

I can't even get 2048 IPs without proving full usage, including audits and proven usability of each IP.

Yet these companies sit on IP assets worth R1.3 billion doing nothing with it?


@Jan
 
In order to "steal" an IP address you actually need the ability to publish BGP routes, otherwise you'll never be able to use the IP addresses. No mention is made in the article of how this was accomplished or even done.
 
Whilst it's great that these IPs have been returned, how about a follow-up article on how many of these corporates actually need the /16s allocated to them to run their two or three websites, and how many could be returned to ISPs that actually need to allocate IPs to end users, instead of two or three websites.

NBS, Syfrets, SASOL, Tredcor, Woolworths certainly don't need 327 680 to run their websites and a few branch connections....

I can't even get 2048 IPs without proving full usage, including audits and proven usability of each IP.

Yet these companies sit on IP assets worth R1.3 billion doing nothing with it?


@Jan
Absolutely. A few years ago I looked at the governance, policies and process docs for IANA, and they are pretty rigid and frugal in handing these out; one has to sacrifice virgins, plus there were annual submissions that needed to be made with respect to planned vs actual usage, and justifications in the event that they were not used.

I guess that this is also what @Jan refers to when he states that Afrinic is responsible.
 
NBS & Syfrets? - they haven't existed for decades - how old is this IP-heist?
Well the point is that they were acquired by Nedbank. The heists happened because of "moribund" / "unused" blocks and because these blocks were never utilised it was easy to steal them, since nobody would ever know.

But now that they have been re-acquired, and are basically owned by bigger entities that do absolutely nothing with the IPs -- why shouldn't they be returned?

How many IPs does Nedbank really need? Are they using several /16s?

If not...

It seems ridiculous that ISPs that hand out IPs to customers have to beg for 2048 IPs at a time, when big corporates sit on IPs that they will never utilise.
 
The picture in the article is private IPs. RFC1918. I steal those all the time.

Just stolen another range one minute ago.
*Adjusts glasses* Well ACKTUELLY...

There are several private ranges that start with 192. Some of them were even part of the heist:

192.96.146.0/24
192.96.148.0/24
192.96.150.0/24

;)

(I do wash my hands of our headline images, though. Unless it's a simple logo 'shoop, far more skilled people than I make them.)

Whilst it's great that these IPs have been returned, how about a follow-up article on how many of these corporates actually need the /16s allocated to them to run their two or three websites, and how many could be returned to ISPs that actually need to allocate IPs to end users, instead of two or three websites.

NBS, Syfrets, SASOL, Tredcor, Woolworths certainly don't need 327 680 to run their websites and a few branch connections....

I can't even get 2048 IPs without proving full usage, including audits and proven usability of each IP.

Yet these companies sit on IP assets worth R1.3 billion doing nothing with it?

I'm sure they would be happy to lease you some ;)

In order to "steal" an IP address you actually need the ability to publish BGP routes, otherwise you'll never be able to use the IP addresses. No mention is made in the article of how this was accomplished or even done.
This is covered at length in previous articles.

The gentlemen who are/were in control of these IP address blocks have their own ASNs and also convinced other Internet companies to announce routes for them.

When we first reported on this in September 2019, they had managed to convince Cogent Communications (AS174) to do a bunch of routing for them. You can see some of the documents used to convince these networks that were leaked to me in that original article: https://mybroadband.co.za/news/inte...how-millions-are-made-on-the-grey-market.html

A lot of these addresses also appear to be leased. If you do a lookup on the BGP routing of that SITA block, for example, you'll see a host of legit ASNs and shady bulletproof networks doing some routing: https://bgpview.io/prefix/196.16.0.0/14 (IP Volume inc. does the vast majority of the routing for this block)

Courtesy of Ron Guilmette, here is a list of the ASNs routing prefixes in the 196.16.0.0/14 block:

Code:
#blocks  ASN    CC  Name
   538  202425  SC  IP Volume inc
   360  19969   US  Joe's Datacenter, LLC
    47  63956   AU  Colocation Australia Pty Ltd
    12  56611   NL  REBA Communications BV
     6  134451  SG  NewMedia Express Pte Ltd
     6  43092   JP  OSOA Corporation., LTD
     5  38001   SG  NewMedia Express Pte Ltd
     5  57717   NL  FiberXpress BV
     4  49335   RU  LLC "Server v arendy"
     4  42831   GB  UK Dedicated Servers Limited
     4  204655  GB  Novogara LTD
     4  49367   IT  Seflow S.N.C. Di Marco Brame' & C.
     4  263812  AR  TL Group SRL ( IPXON Networks )
     4  20860   GB  Iomart Cloud Services Limited
     2  31122   IE  Digiweb ltd
     2  262287  BR  Maxihost LTDA
     2  63018   US  Dedicated.com
     2  44066   DE  diva-e Datacenters GmbH
     2  45382   KR  Ehostict
     2  136782  JP  Pingtan Hotline Co., Limited
     2  53999   CA  Priority Colo Inc
     2  17216   US  Dc74 Llc
     1  23470   US  ReliableSite.Net LLC
     1  203833  DE  diva-e Datacenters GmbH
     1  9009    GB  M247 Ltd
     1  328671  MA  Datapacket Maroc SARL
     1  202769  US  Cooperative Investments LLC
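A small checker in the spirit of the two points made above (that 192.96.x.x is public space rather than RFC 1918, and that a block such as 196.16.0.0/14 ends up announced piecemeal by many origin ASNs); this is an added example, not code from the thread or from bgpview. The route entries are constructed for illustration: the ASNs and names are the ones quoted above, while the prefix split and AS64496 are made up.

```python
import ipaddress
from collections import Counter

# RFC 1918 private ranges. Note 192.96.0.0/16 is public, unlike 192.168.0.0/16.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of (prefix, origin ASN, AS name), as a BGP lookup might return.
# ASNs/names are from the thread; the prefix split and AS64496 are made up.
SAMPLE_ROUTES = [
    ("196.16.0.0/24", 202425, "IP Volume inc"),
    ("196.16.1.0/24", 202425, "IP Volume inc"),
    ("196.17.40.0/22", 19969, "Joe's Datacenter, LLC"),
    ("196.18.200.0/24", 202425, "IP Volume inc"),
    ("196.19.8.0/24", 63956, "Colocation Australia Pty Ltd"),
    ("192.96.146.0/24", 19969, "Joe's Datacenter, LLC"),   # starts with 192 but is public
    ("192.168.1.0/24", 64512, "private AS (constructed)"),  # RFC 1918, not globally routable
    ("196.20.0.0/16", 64496, "unrelated block (constructed)"),  # just outside 196.16.0.0/14
]


def is_rfc1918(prefix: str) -> bool:
    """True if the prefix lies entirely inside one of the RFC 1918 private ranges."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.subnet_of(private) for private in RFC1918)


def announcements_within(block: str, routes):
    """Return the route entries whose prefix is a sub-prefix of (or equal to) block."""
    parent = ipaddress.ip_network(block)
    return [r for r in routes
            if ipaddress.ip_network(r[0], strict=False).subnet_of(parent)]


def count_by_origin(routes):
    """Count announced blocks per origin ASN, most first, like the table in the post above."""
    counts = Counter((asn, name) for _, asn, name in routes)
    return [(n, asn, name) for (asn, name), n in counts.most_common()]


if __name__ == "__main__":
    inside = announcements_within("196.16.0.0/14", SAMPLE_ROUTES)
    print("#blocks  ASN     Name")
    for n, asn, name in count_by_origin(inside):
        print(f"{n:>7}  {asn:<6}  {name}")
    for prefix in ("192.96.146.0/24", "192.168.1.0/24"):
        print(prefix, "RFC1918" if is_rfc1918(prefix) else "public")
```

Feeding real output from a BGP lookup into `SAMPLE_ROUTES` instead of the constructed rows reproduces the per-ASN table for any block you are responsible for.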
 
Well the point is that they were acquired by Nedbank. The heists happened because of "moribund" / "unused" blocks and because these blocks were never utilised it was easy to steal them, since nobody would ever know.

But now that they have been re-acquired, and are basically owned by bigger entities that do absolutely nothing with the IPs -- why shouldn't they be returned?

How many IPs does Nedbank really need? Are they using several /16s?

If not...

It seems ridiculous that ISPs that hand out IPs to customers have to beg for 2048 IPs at a time, when big corporates sit on IPs that they will never utilise.
They probably don't have a frikken clue.

ISP: Nedbank, please give back the IPs you are not using.
Nedbank: Urrr, what's an IP?
 