The African Network Information Centre (AFRINIC) has revealed the full extent of the theft of IP address blocks after conducting an audit of its WHOIS database.
Conservative estimates value the stolen IP address space at $80 million (USD), which is over R1.3 billion at an exchange rate of R16.50 per US dollar.
This follows a report from MyBroadband, published last year, which presented evidence that an AFRINIC insider had stolen large blocks of valuable IP addresses and sold them on the black market.
The report was made possible thanks to years of work by Internet investigator Ron Guilmette, followed by a months-long partnership between Guilmette and a MyBroadband investigative journalist.
After the publication of the report, AFRINIC took disciplinary action against the insider implicated in the alleged fraud and summarily fired him. The organisation also filed a police complaint against the person.
In addition to reporting on the IP address blocks stolen by the insider at AFRINIC, MyBroadband and Guilmette reported months before that swaths of South African legacy IP address space appeared to have been misappropriated.
AFRINIC audited its database of Internet resources
Following an internal audit, AFRINIC has issued a statement in which it confirms these reports.
“An internal AFRINIC investigation was conducted in consultation with APNIC, the Regional Internet Registry for the Asia Pacific Region. AFRINIC then initiated a police investigation which is ongoing and upon which we cannot comment at this time,” the organisation stated.
AFRINIC confirmed that it has reason to believe about 4 million IP addresses were misappropriated. These can be classified into two broad groups:
- Around 2.3 million IP addresses from AFRINIC’s “free pool” which appear to have been incorrectly reclassified in the AFRINIC WHOIS database as legacy address space, and misappropriated.
- Almost 1.7 million “legacy” IP addresses, which appear to have been misappropriated.
“Free pool” IP address blocks are Internet resources which had not yet been assigned to anyone. Individuals and organisations can apply to AFRINIC for IP address space. If you qualify under AFRINIC’s criteria, it will assign you a block of IP addresses from its free pool.
“Legacy” IP address blocks date back to the early days of the Internet, before Regional Internet Registries like AFRINIC existed. These are particularly valuable as they do not attract AFRINIC’s annual fees.
Africa’s deeds office for the Internet compromised
These IP address blocks were misappropriated by manipulating their records in the AFRINIC WHOIS database.
If you think of IP addresses as Internet property, then an IP address block’s WHOIS record is its title deed and the AFRINIC WHOIS database is the deeds office for the African region.
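The two kinds of manipulation the article describes (a free-pool block reclassified as legacy, and holder or contact details rewritten on an existing block) are exactly what a periodic comparison of WHOIS snapshots can surface. The script below is an added illustration, not code from MyBroadband or AFRINIC: it assumes records in the RPSL-style “key: value” layout that WHOIS databases use, keyed by the inetnum range, and the sample records, organisation handles and status strings (including the “LEGACY” marker) are constructed for the example on documentation address space rather than taken from the AFRINIC database.

```python
"""Diff two snapshots of WHOIS inetnum records and flag changes an auditor
would want to review: reclassification to legacy, changed holder or contact
handles, and records appearing for ranges that previously had none.

Added example; the record contents and status strings are constructed."""
from typing import Dict, List

Record = Dict[str, str]

# Fields whose change moves "ownership" of a block in the registry.
WATCHED_FIELDS = ("status", "org", "admin-c", "tech-c", "mnt-by")

# Constructed snapshot taken before the suspicious edits (not real data).
SNAPSHOT_BEFORE = """\
inetnum:  192.0.2.0 - 192.0.2.127
netname:  EXAMPLE-NET-A
status:   ALLOCATED PA
org:      ORG-EX1
admin-c:  AC1-EX
tech-c:   TC1-EX

inetnum:  198.51.100.0 - 198.51.100.255
netname:  EXAMPLE-LEGACY-B
status:   LEGACY
org:      ORG-LEGACY1
admin-c:  LC1-EX
tech-c:   LC1-EX

inetnum:  203.0.113.0 - 203.0.113.255
netname:  EXAMPLE-NET-C
status:   ASSIGNED PA
org:      ORG-EX3
admin-c:  AC3-EX
tech-c:   AC3-EX
"""

# Constructed snapshot taken afterwards: block A reclassified as legacy with a
# new org, block B's contacts swapped, and a record created for a range that
# was still in the free pool (192.0.2.128 - 192.0.2.255).
SNAPSHOT_AFTER = """\
inetnum:  192.0.2.0 - 192.0.2.127
netname:  EXAMPLE-NET-A
status:   LEGACY
org:      ORG-NEWCO
admin-c:  AC1-EX
tech-c:   TC1-EX

inetnum:  198.51.100.0 - 198.51.100.255
netname:  EXAMPLE-LEGACY-B
status:   LEGACY
org:      ORG-LEGACY1
admin-c:  XX1-EX
tech-c:   XX1-EX

inetnum:  203.0.113.0 - 203.0.113.255
netname:  EXAMPLE-NET-C
status:   ASSIGNED PA
org:      ORG-EX3
admin-c:  AC3-EX
tech-c:   AC3-EX

inetnum:  192.0.2.128 - 192.0.2.255
netname:  EXAMPLE-NET-D
status:   LEGACY
org:      ORG-NEWCO
admin-c:  XX1-EX
tech-c:   XX1-EX
"""


def parse_records(text: str) -> Dict[str, Record]:
    """Parse blank-line-separated 'key: value' blocks, keyed by inetnum."""
    records: Dict[str, Record] = {}
    current: Record = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            if current:
                records[current["inetnum"]] = current
                current = {}
            continue
        key, _, value = line.partition(":")  # first colon ends the key
        current[key.strip()] = value.strip()
    if current:
        records[current["inetnum"]] = current
    return records


def diff_snapshots(before_text: str, after_text: str) -> List[dict]:
    """Return one finding per suspicious difference between the snapshots."""
    before = parse_records(before_text)
    after = parse_records(after_text)
    findings: List[dict] = []
    for rng, new in after.items():
        old = before.get(rng)
        if old is None:
            # A range that had no record now has one: check it against the
            # registry's own allocation log before accepting it.
            findings.append({"inetnum": rng, "kind": "new-record",
                             "detail": f"status={new.get('status', '')}"})
            continue
        for field in WATCHED_FIELDS:
            if old.get(field) == new.get(field):
                continue
            new_value = new.get(field, "")
            kind = f"{field}-changed"
            if field == "status" and "LEGACY" in new_value.upper():
                kind = "reclassified-to-legacy"
            findings.append({"inetnum": rng, "kind": kind,
                             "detail": f"{old.get(field, '')} -> {new_value}"})
    for rng in before:
        if rng not in after:
            findings.append({"inetnum": rng, "kind": "record-removed", "detail": ""})
    return findings


if __name__ == "__main__":
    for f in diff_snapshots(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(f"{f['inetnum']:35} {f['kind']:24} {f['detail']}")
```

Run against real snapshots, every finding is a lead to reconcile against the registry’s allocation records and the documented holder, which is the check AFRINIC describes making when it asks labelled holders for proof of entitlement; the script only narrows the audit to the records that actually moved.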
AFRINIC said that it has undertaken a comprehensive and stringent audit of its WHOIS database.
“The detailed results from this audit will be available at the end of the year. The audit covers all existing allocations in the AFRINIC WHOIS database. We are investigating all the IPv4 space that has ever been allocated to or by AFRINIC right back to the beginning of AFRINIC’s operations in 2005,” it stated.
AFRINIC begins reclaiming stolen address space
Of the 2.3 million IP addresses which appear to have been taken from AFRINIC’s “free pool”, the organisation said it has reclaimed about 1 million addresses.
“We have contacted all the organisations labelled as holders of this address space to ask for proof that they are the rightful holders,” AFRINIC stated.
“The reclaimed space is under quarantine until such time that it can be made available for allocation to AFRINIC Resource Members. Investigation of the remaining 1.3 million IP addresses is ongoing with the organisations labelled as holding these resources.”
Of the 1.7 million “legacy” IP addresses, AFRINIC said it has reversed changes to the WHOIS records of about 300,000 so far.
“We have contacted all the legacy space holders concerned in order to ensure that the AFRINIC WHOIS database is updated with the information from the rightful holders of that address space.”
Questions regarding reclaiming “legacy” IP address blocks
When asked what will happen if the registered holder of one of the potentially compromised IP address blocks can’t prove to AFRINIC’s satisfaction that it is the legitimate owner of the resource, the organisation said that it looks at each claim of ownership on a case-by-case basis.
“There is a process in place that any legitimate legacy resource holder needs to comply with before any updates are reflected. A number of legacy resource holders have already followed the process,” AFRINIC stated.
MyBroadband also went through the WHOIS data of several legacy IP address blocks that Guilmette identified as stolen and found that AFRINIC had changed the contact information on several of them. AFRINIC had made itself the administrative and technical contacts for several of these blocks.
Questioned about this, AFRINIC said that the AFRINIC community currently does not have set policies that can provide it with any guidance on dealing with outdated or stale legacy resources.
Despite this, AFRINIC said that it will engage with legacy resource holders to improve the accuracy of the data in its WHOIS database.
AFRINIC said it changed the contact information on some legacy blocks, while keeping the original owner’s names in place, to lock down these resources after it reversed unauthorised changes.
“These resources will remain locked until the original holder contacts AFRINIC to claim them,” it stated.