Hi James,

Just want to make this clear to NANOG as well - there's no beef here. The priority was to get delisted.
The beef is with AfriNIC in this case :) It's not CYMRU's fault. The datasets are incomplete.

--
C

On Wed, Jan 29, 2020 at 4:03 PM James Shank <jsh...@cymru.com> wrote:

> Hi all,
>
> I am still looking into the history of this issue, but presently, the
> prefix Chris shared with us is not on our IPv4 BOGON list.
>
> For those wanting to see the list, it is available in plain text here:
>
> https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt
>
> I welcome input on this as I look into the history a little more.
>
> Cheers!
>
> James
>
> On 1/29/20 7:27 AM, Chris Knipe wrote:
> > Hi All,
> >
> > http://ftp.afrinic.net/stats/afrinic/delegated-afrinic-extended-20200129
> >
> > Another thing that stuck its head out today now. No ASN, nor IP prefixes
> > allocated since 2019/05/15 is listed in the delegated text files. Our (and
> > I am sure others) prefixes are now null routed at team CYMRU (contacted
> > them, waiting for response).
> >
> > Yesterday's file was incomplete (looks like there were errors with the
> > script perhaps), and today's file is missing an enormous amount of data (1
> > ASN, 163 IPv4 allocations, and 272 IPv6 allocations). This is comparing the
> > data file from 2020/01/29 (today) to 2020/01/27 (two days ago).
> >
> > We also have a ticket with AfriNIC (no response yet), and when we called
> > them there was no one "available" to assist.
> >
> >
> > On Wed, Jan 29, 2020 at 1:20 AM Ronald F. Guilmette <r...@tristatelogic.com>
> > wrote:
> >
> >> In message <ff4bd087-2a84-b9d9-6f5b-715826a35...@brenac.eu>,
> >> thomas brenac <tho...@brenac.eu> wrote:
> >>
> >>> Thank you Ronald, I also heard of governance issue in AFRINIC by some
> >>> people during the last RIPE meeting so the word is spreading. Now is
> >>> there any other /16 impacted to your knowledge? Would be worth pushing
> >>> to have them in as many Drop list as possible maybe :)
> >>
> >> As reported in Jan Vermeulen's article on the web site mybroadband.co.za
> >> published December 4, there has been, and continues to be a large number
> >> of blocks, both "legacy" blocks and other blocks, that were stolen from
> >> the Afrinic free pool. These blocks are of varying sizes, generally /16
> >> blocks but also some larger ones as well as a few smaller ones.
> >>
> >> The list of affected legacy blocks from Jan's article are as follows:
> >>
> >> 196.10.64.0/19
> >> 196.10.61.0/24
> >> 196.10.62.0/23
> >> 160.121.0.0/16
> >> 155.235.0.0/16
> >> 152.108.0.0/16
> >> 155.237.0.0/16
> >> 169.129.0.0/16
> >> 165.25.0.0/16
> >> 160.122.0.0/16
> >> 168.80.0.0/15
> >> 165.3.0.0/16
> >> 165.4.0.0/16
> >> 165.5.0.0/16
> >> 160.115.0.0/16
> >>
> >> In addition to all of the above, I have some reason to believe that the
> >> following additional legacy block WAS (past tense) stolen, but has now
> >> been reclaimed by, and reassigned to its rightful modern owner:
> >>
> >> 152.108.0.0/16
> >>
> >> It is highly probable that there are other and additional legacy blocks
> >> that have also been stolen. I have been prevented from fully completing
> >> my research work on this part of the problem by ongoing stonewalling by
> >> Afrinic. Specifically, despite Afrinic having a defined protocol whereby
> >> legitimate researchers may request confidential access to the unredacted
> >> Afrinic WHOIS data base for legitimate research purposes... a protocol
> >> and a process which is fully supported and operational at all of the other
> >> four global RIRs... Afrinic has, for reasons unknown, elected to only
> >> provide redacted versions of its WHOIS data base which are identical
> >> to what may be obtained at any time, and without any special protocol,
> >> directly from Afrinic's FTP server (via anonymous FTP). Because the
> >> accurate identification of stolen Afrinic legacy blocks involves the
> >> careful analysis of the *unredacted* contact person: records, access to
> >> only the redacted data base is of no value whatsoever in the task of
> >> identifying stolen Afrinic legacy blocks.
> >>
> >> Here is the page on the Afrinic web site where they needlessly torment
> >> legitimate researchers into believing that they will be able to get the
> >> same kind of unredacted WHOIS data base access as is provided, upon
> >> vetting and approval, by all of the other RIRs:
> >>
> >> https://www.afrinic.net/services/207-bulk-whois-access
> >>
> >> The list of blocks that appear to have been stolen from the Afrinic free
> >> pool, as published in Jan's Dec 4 article are as follows:
> >>
> >> "Infoplan"/"Network and Information Technology Limited":
> >> 196.16.0.0/14
> >> 196.4.36.0/22
> >> 196.4.40.0/22
> >> 196.4.44.0/23
> >>
> >> "Cape of Good Hope Bank"/"CGHB":
> >> 165.52.0.0/14
> >> 137.171.0.0/16
> >> 160.184.0.0/16
> >> 168.211.0.0/16
> >> 192.96.146.0/24 -- NOTE!! -- 100% legitimate legacy allocation!
> >>
> >> The following additional blocks had also been stolen from the Afrinic free
> >> pool. I had informed Jan about these blocks also, but for some reason
> >> these were not mentioned in Jan's Dec 4th article. (I assume that this
> >> was simply a clerical oversight on Jan's part. I had given him quite
> >> a lot of material to sort through.)
> >>
> >> "ITC":
> >> 196.194.0.0/15
> >> 196.246.0.0/16
> >> 196.45.112.0/20
> >> 196.42.128.0/17
> >> 196.193.0.0/16
> >>
> >> "Link Data Group":
> >> 160.255.0.0/16
> >> 196.62.0.0/16
> >> 198.54.232.0/24
> >> 196.207.64.0/18
> >> 196.192.192.0/18
> >> 160.181.0.0/16
> >> 213.247.0.0/19
> >>
> >> As of this moment, Afrinic has properly reclaimed all of the "ITC" and
> >> "Link Data Group" and "Cape of Good Hope Bank"/"CGHB" blocks. Those
> >> blocks are now officially unregistered. I am informed and believe that
> >> it is Afrinic's intent to place all of these blocks into a "quarantine"
> >> status for a minimum of 1 year, which I think is entirely proper and
> >> prudent, under the circumstances.
> >>
> >> I have no explanation for why Afrinic has not yet reclaimed any of the
> >> "Infoplan"/"Network and Information Technology Limited" blocks, especially
> >> the 196.16.0.0/14 block. This is for me deeply troubling, as I have some
> >> reason to believe that these blocks were stolen by a party or parties,
> >> who were also Afrinic insiders, but people other than the one "insider"
> >> perpetrator of these crimes who has already been identified by myself and
> >> Jan, and who is now the subject of a police investigation in Mauritius.
> >>
> >> I am not personally aware of any action that Afrinic has taken to try to
> >> remediate the situation with regards to the stolen legacy blocks, as
> >> listed above. These blocks all quite provably had their associated
> >> person: contact records fiddled in the WHOIS data base in a manner so
> >> as to redirect both emails and phone calls to either the perpetrators
> >> or those others to whom the perpetrators had re-sold these stolen goods.
> >>
> >> In fact, I am not even sure that Afrinic even has the capability to undo
> >> the damage in the case of these legacy blocks and their fiddled contact
> >> person: records. Quite obviously, proper remediation of the affected
> >> person: records would involve restoring those to what they were before
> >> they had been fraudulently fiddled. Completion of that task is quite
> >> obviously dependent upon Afrinic having access to historical backups of
> >> its own WHOIS data base from as much as ten years ago. It is not at this
> >> moment clear to me that Afrinic is even in possession of such historical
> >> backups, and the fact that they have, as yet, made no apparent efforts to
> >> remediate the fraudulently fiddled person: records suggests to me that they
> >> likely do not possess such backups.
> >>
> >> Many of the legacy blocks and many parts of the blocks that were stolen
> >> from the Afrinic free pool, both those that have been reclaimed and those
> >> that haven't yet been reclaimed, continue to be routed by various parties
> >> on behalf of the thieves and black market buyers of these blocks even as
> >> we speak. I hope to be able to post a full list of those routes and the
> >> relevant ASNs that are providing the ongoing routing for various parts of
> >> this mass of stolen booty in the very near future.
> >>
> >>
> >> Regards,
> >> rfg
> >>
> >
> >
>
> --
> James Shank
> Senior Security Evangelist; Chief Architect, Community Services
> Team Cymru, Inc.
> jsh...@cymru.com; +1-847-378-3365; http://www.team-cymru.com/
>

--
Regards,
Chris Knipe
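
The snapshot comparison described in the quoted 7:27 AM message (an older delegated file against a newer one, counting what disappeared), as an added example that is not part of the original thread. It assumes the pipe-separated delegated-extended record layout shown in the comment; the sample data is constructed and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed snapshots (registry|cc|type|start|value|date|status|opaque-id);
# documentation prefixes and private-use ASNs, not real AfriNIC data.
OLD = """\
2|afrinic|20200127|5|00000000|20200127|+0000
afrinic|*|asn|*|2|summary
afrinic|ZA|asn|64512|1|20100101|allocated|A1
afrinic|ZA|asn|64513|1|20190601|allocated|A2
afrinic|ZA|ipv4|192.0.2.0|256|20100101|allocated|A1
afrinic|ZA|ipv4|198.51.100.0|256|20190701|allocated|A2
afrinic|ZA|ipv6|2001:db8::|32|20190801|allocated|A2
"""
NEW = """\
2|afrinic|20200129|2|00000000|20200129|+0000
afrinic|ZA|asn|64512|1|20100101|allocated|A1
afrinic|ZA|ipv4|192.0.2.0|256|20100101|allocated|A1
"""

def parse(text):
    """Map (type, start, value) -> date; skips header, summary, comments."""
    recs = {}
    for line in text.splitlines():
        f = line.strip().split("|")
        if line.startswith("#") or len(f) < 7 or f[2] not in ("asn", "ipv4", "ipv6"):
            continue
        recs[(f[2], f[3], f[4])] = f[5]
    return recs

def networks(rec):
    """CIDR blocks for a record: ipv4 value is a count, ipv6 a prefix length."""
    kind, start, value = rec
    if kind == "ipv4":
        first = ipaddress.IPv4Address(start)
        return list(ipaddress.summarize_address_range(first, first + int(value) - 1))
    if kind == "ipv6":
        return [ipaddress.ip_network(f"{start}/{value}")]
    return []  # ASN records carry no address space

def dropped(old_text, new_text):
    """Records in the older snapshot that the newer one no longer lists."""
    old, new = parse(old_text), parse(new_text)
    gone = sorted(k for k in old if k not in new)
    earliest = min((old[k] for k in gone), default=None)
    return gone, Counter(k[0] for k in gone), earliest

if __name__ == "__main__":
    gone, counts, earliest = dropped(OLD, NEW)
    print(dict(counts), "earliest dropped allocation date:", earliest)
```

The earliest allocation date among the dropped records shows whether the loss is a clean cut-off after some date or scattered across the file, which helps when reporting the problem to the registry.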