The African Network Information Centre (AFRINIC) is reclaiming blocks of IP addresses that were stolen through the manipulation of its WHOIS database.
This comes after MyBroadband reported about the theft together with Internet investigator Ron Guilmette.
Guilmette found that great swaths of African IP address space, estimated to be worth over $54 million (R800 million), had found themselves registered to suspicious entities in the AFRINIC WHOIS database.
These stolen blocks of IP addresses are so valuable because everyone online needs an IP address, whether you are just trying to browse the web or host a website.
Unfortunately, most of the Internet is still using an old addressing system, and these older type of IP addresses have become a relatively scarce resource.
If you think of IP addresses as Internet real estate, then the AFRINIC WHOIS database is like the deeds office.
Our investigation with Guilmette unearthed strong evidence which showed that an AFRINIC insider had manipulated the records of this “deeds office”.
Several of these records traced back to a man who helped establish AFRINIC, Ernest M. Byaruhanga. He was the second-ever employee hired at AFRINIC in 2004, after former CEO and Internet Hall of Famer Adiel Akplogan.
With the AFRINIC WHOIS records pointing back to Byaruhanga, this meant that he had control over the stolen IP address space.
Other evidence showed that Byaruhanga had received money for selling some of the stolen IP address space.
The money for a block of IP addresses was paid to a Ugandan company called Amiek Holdings. Byaruhanga, his wife, and three minors with the surname “Byaruhanga” are the registered shareholders of Amiek Holdings.
Taking back the stolen IP address blocks
Since we published our report in December, AFRINIC has begun to reclaim the stolen IP address space.
“We are also working at restoring the WHOIS accuracy and reinforcing existing controls to eliminate potential internal or external threats to our operations,” AFRINIC CEO Eddy Kayihura said in an update in January.
AFRINIC is purging allegedly fraudulent records from its WHOIS database and has decided to “quarantine” the affected IP address space.
Kayihura explained to MyBroadband that the quarantine period for the affected blocks of IP addresses is 12 months.
Kayihura previously told MyBroadband that data is only deleted from the WHOIS database in the case of deregistration.
“This is part of the normal lifecycle of resources,” Kayihura stated. “Any deregistration is fully documented as part of our internal procedures.”
Kayihura also said that the holder of the IP address block is notified before any records are removed from the AFRINIC WHOIS database.
The table below summarises which of the IP address blocks, which Guilmette identified as stolen, have been reclaimed by AFRINIC.
Values for the blocks are estimated according to a market value of $20 per IP address, and an exchange rate of R14.84 per USD.
These are the “non-legacy” IP address blocks identified in our previous report. We previously said the most likely source of these blocks is AFRINIC’s own inventory of available IP address space.
The fact that AFRINIC is reclaiming these blocks by deleting their registration history from its WHOIS database appears to confirm that this IP address space was stolen from AFRINIC itself.
In other words, an AFRINIC insider helped themselves to IP address blocks in AFRINIC’s free pool, then sold or leased that IP address space for their own profit.
|IP address block(s)||(Formerly) Registered to||Estimated value||Date of first suspicious activity||Status|
|184.108.40.206/14||CGHB (Previously: Cape of Good Hope Bank)||R136,157,594||2014-07-18||Reclaimed / history purged|
|220.127.116.11/16||Link Data Group (Previously: Link Data Solutions)||R70,510,182||2013-05-24||Reclaimed / history purged|
|18.104.22.168/20||ITC (Previously: Afriq*Access||R108,196,659||2010-11-04||Reclaimed / history purged|
|22.214.171.124/14||Infoplan / Network and Information Technology Limited||R78,564,147||2014-03-10||Active route squatters: IP Volume (RADb: Netstyle)|
|126.96.36.199/22||2015-03-05||Not reclaimed / Unchanged|
Disciplinary hearing and police charges
Kayihura filed the police report on 10 December for a case of Computer Misuse and Cybercrime Act against Byaruhanga.
Byaruhanga’s disciplinary hearing was held on 13 December, after which he was fired.
“Given the serious nature of the allegations, a disciplinary hearing was held on 13 December 2019 after which management decided to summarily dismiss Ernest Byaruhanga with immediate effect on grounds of very serious professional misconduct,” Kayihura said.