Internet | 7.09.2023

Internet addresses that Africa’s registry tried to seize used in cyberattack on African journalists

Controversial blocks of African Internet addresses were recently used in a distributed denial-of-service (DDoS) attack that knocked offline a news outlet focused on the human rights of journalists in Somalia.

According to a report released today by the Qurium Media Foundation, a Swedish non-profit that helps independent media weather such attacks, the DDoS targeted the Somali Journalists Syndicate (SJS). This independent trade union covers issues relating to journalists’ human rights in the country.

Qurium’s analysis of the attack traffic found that the attackers used infrastructure supplied by US-based proxy provider Rayobyte, which had leased Internet Protocol (IP) addresses from several players.

It highlighted that a substantial proportion of these IPs — 71 out of 262 prefixes, each representing roughly 254 usable addresses — were leased from controversial IP provider Cloud Innovation.

“The attack resulted in the suspension of the hosting service agreement with HostGator (Endurance International Group) and then later with A2 Hosting,” Qurium stated.

“In both cases, the large volume of malicious traffic affected the services of other hosted customers and the hosting providers therefore brought the website down to minimise the collateral damage.”

The attack against the SJS began on Friday, 11 August.

On Thursday, 17 August, the Committee to Protect Journalists introduced SJS to Qurium, and the website was migrated to its hosting infrastructure.

“A couple of hours after the migration was completed, the denial of service attacks started again,” Qurium said.

Qurium said it saw 120,000 requests per second at the height of the attack.

The graph below shows the attack traffic on 19 August and the morning of 20 August, plotting requests received in 5-second intervals.

Cloud Innovation and its affiliate, Larus Limited, are controversial figures among those who follow Internet governance issues in Africa.

The controversy stems from Africa’s regional Internet registry, Afrinic, awarding Cloud Innovation control over nearly 6.3 million addresses between 2013 and 2016.

These allocations have become incredibly valuable thanks to the global depletion of IP version 4 addresses.

Industry insiders say an IP address can be bought for around $50 on the open market. At an exchange rate of R19 per dollar, Cloud Innovation’s IP addresses are worth close to R6 billion.

Addresses are leased for around $0.40 (R7.60) per month per address.

Some take issue with Cloud Innovation’s substantial allocation because the addresses are not primarily used in Africa or to provide services to Africans.

Others would argue that IP addresses don’t work that way. For example, Google’s IP addresses allocated by the North American regional registry work from anywhere in the world — including Africa.

In truth, many opponents to Cloud Innovation’s massive allocation take issue because the company is owned by a Chinese national who gets to operate a high-margin business and amass significant wealth by leasing out a relatively inexpensive asset given to him by an African regulator.

A new Afrinic administration tried to take back some of Cloud Innovation’s IP address space in 2021, triggering an immediate legal backlash.

Afrinic maintains a list of pending and completed court cases on its website, which stood at 55 proceedings as of September 2023. The page was last updated in July, and the latest pending case was dated April.

Although not all of the cases relate to Cloud Innovation, a substantial proportion of them do.

Cloud Innovation and its associates have also achieved significant success in their legal campaign, effectively paralysing Afrinic.

While the registry is able to continue with its day-to-day operations, it has no CEO and can’t appoint one because it is stuck with an inquorate board.

The only way to elect a board is to approach the courts of Mauritius, where Afrinic is headquartered, and obtain an order to that effect.

Reporting the abuse

When Qurium attempted to report the DDoS attack to Cloud Innovation’s designated abuse email, it was met with silence.

Only after MyBroadband contacted the company for comment did Qurium receive a response.

Cloud Innovation founder Lu Heng explained it was standard practice for super-allocation owners like themselves to handle abuse requests to monitor for any possible malfeasance in their ranges.

He said their system automatically forwards the abuse report to the relevant customer and automatically replies to the original abuse report.

If a customer gets too many abuse reports against their sub-allocated IP addresses, Heng said they will end the lease agreement with them, much like a landlord dealing with a problem tenant.

“Since it’s a fully automated system, it is very strange you did not receive a reply,” Heng stated.

MyBroadband tested Cloud Innovation’s abuse contact again on Thursday, 7 September, and received no response.

Sample of attacking prefixes announced by AS-BLAZINGSEO, the former name of Rayobyte

IP Mambo #5

Another issue Qurium encountered during its analysis was that the country-level location data for the IP addresses used in the attack was inconsistent across databases.

Afrinic’s database showed the IP addresses were being used for services in the US, while geographic information provider Maxmind had them located all over the world — including London, Paris, Bangkok, Berlin, Los Angeles, and Madrid.

Qurium alleged that Rayobyte, or its infrastructure or IP providers, had used fake geolocation data to fool Maxmind and similar services into believing its infrastructure is globally distributed.

“Evidence suggests it is mainly US based,” Qurium stated.

Cloud Innovation affiliate Larus confirmed this, saying that according to the data it provides to the Afrinic WHOIS database, the IPs are registered for US-based services.

Heng also explained that they maintain a “geofeed” file on the Larus website containing this information for providers like Maxmind to consume.
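The kind of cross-check Qurium's analysis implies is easy to automate: read a geofeed file (the CSV format providers publish for Maxmind and others, with prefix, country, region, city and postal columns), then compare the country it declares for each address against what another database returns. The following is an added illustration, not code from Qurium, Larus or MyBroadband; the geofeed contents, the addresses and the "other database" answers are all constructed placeholders.

```python
import csv
import io
import ipaddress

# Constructed sample geofeed (prefix,country,region,city,postal), as a provider
# might publish for geolocation services to consume. Hypothetical values only.
GEOFEED = """\
# hypothetical geofeed, not Larus's real file
203.0.113.0/24,US,US-CA,Los Angeles,
198.51.100.0/24,US,,,
"""

# Constructed stand-in for a second geolocation database, keyed by IP (hypothetical).
OTHER_DB = {
    "203.0.113.10": "US",   # agrees with the geofeed
    "203.0.113.77": "GB",   # disagrees: the geofeed says US
    "198.51.100.5": "FR",   # disagrees: the geofeed says US
    "192.0.2.9": "DE",      # not covered by the geofeed at all
}

def parse_geofeed(text):
    """Return (network, country) pairs from geofeed CSV, skipping comments and blanks."""
    entries = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        prefix = row[0].strip()
        country = row[1].strip().upper() if len(row) > 1 else ""
        entries.append((ipaddress.ip_network(prefix, strict=False), country))
    # Longest prefix first, so the most specific entry wins on lookup.
    entries.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return entries

def geofeed_country(entries, ip):
    """Country the geofeed declares for ip, or None if no prefix covers it."""
    addr = ipaddress.ip_address(ip)
    for net, country in entries:
        if addr in net:
            return country or None
    return None

def find_discrepancies(geofeed_text, other_db):
    """Map each IP whose country differs (or is uncovered) to (geofeed, other) countries."""
    entries = parse_geofeed(geofeed_text)
    report = {}
    for ip, other in other_db.items():
        feed = geofeed_country(entries, ip)
        if feed is None:
            report[ip] = ("uncovered", other)
        elif feed != other:
            report[ip] = (feed, other)
    return report
```

Running `find_discrepancies(GEOFEED, OTHER_DB)` flags the two mismatched addresses and the uncovered one, which is the pattern of inconsistency the article describes between the WHOIS-backed data and Maxmind.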

MyBroadband contacted Maxmind for comment, and the company did not answer questions about how it had obtained the location information for the IP addresses used in the attack on Somali Journalists Syndicate.

Spokesperson Shannon Wyatt confirmed to MyBroadband that they allow manual correction requests, which are usually reviewed within 1–2 business days.

“The goal of our service is to list the locations where IPs are actually in use, and not only where they might be registered, so we do expect discrepancies with other geolocation providers from time to time,” Wyatt stated.

“We use a variety of sources, both public and private, to update our database twice a week.”

These updates usually happen on Tuesdays and Fridays.

Wyatt did not respond to further questions asking whether someone had submitted a manual correction request for the IP addresses in question.

Interestingly, Maxmind’s database shows that the service provider linked to several of the IPs was a South African company called Africa on Cloud — not Cloud Innovation.

Africa on Cloud is run by Paul Wollner, a business partner of Larus and Lu Heng.

Since Africa on Cloud is not listed on any official Afrinic records for these IPs (Cloud Innovation is), MyBroadband asked Wollner about their association to the address space.

“Africa on Cloud[…] originate[s] many prefixes for our customers,” Wollner said.

“Looking at our routing table we originate a supernet which encompasses the IP addresses you pointed out. I unfortunately have no knowledge of where and how these subnets are being used.”

Wollner said he has no relationship with the actual user of the address space — in this case, Sprious / Emeigh / Rayobyte.

He also denied submitting location corrections to the Maxmind database.

MyBroadband asked Wollner for further clarity about their role, but he did not respond by publication.

MyBroadband also contacted Rayobyte for comment.

Rayobyte bills itself as an ethical residential proxy seller, but Qurium found it advertising its services in an online forum called BlackHatWorld. It did not respond to questions about the advertising listing by the time of publication.

Update: Wollner responded after publication and stated that he advertises the prefixes on the Internet with Africa on Cloud’s Autonomous System Number.

“If a subset of the blocks I originate are used elsewhere, I would not know who the user is,” Wollner stated.

He did not elaborate on who the customer is for whom he is advertising the IP address space in his Autonomous System.
