AFRINIC has completed a comprehensive audit of its WHOIS Database following the misappropriation of IPv4 resources that came to light in 2019. A full report on the outcomes of their audit is now available.
In 2019, news emerged that a significant number of IPv4 addresses had been stolen from AFRINIC's pool. This triggered an investigation into exactly which addresses had been compromised and left the RIR with the task of making sure all those addresses were properly reclaimed.
AFRINIC has now completed a comprehensive audit of all its IPv4 number resources, to establish rightful holdership and verify the processes by which the resources were allocated. The findings were made public in a full report published earlier this month, along with recommendations on how to prevent this from happening again.
As one of the five RIRs, we at the RIPE NCC believe transparency is essential to the proper functioning of the global Internet registry system. That being the case, we strongly support the steps AFRINIC has taken here in carrying out this audit and making the results public.
We also want to acknowledge the work of Ronald Guilmette and Jan Vermeulen in discovering and bringing awareness to this issue.
To help make sure the report reaches as many of you as possible, we wanted to provide a link to the report itself as well as an overview of its findings that was recently released by AFRINIC.
Read the full AFRINIC WHOIS Audit Report
The following overview was originally published on the AFRINIC website on 21 January 2021:
The misappropriation of IP number resources in AFRINIC’s WHOIS Database was brought to light around mid-2019. Following an internal investigation, a former employee was found to have misappropriated IP number resources forming part of AFRINIC’s pool of resources. This matter was reported to the Mauritian Central Criminal Investigation Division, and an enquiry is presently ongoing.
What we found
The audit reveals that 2,371,584 IPv4 addresses were misappropriated from AFRINIC’s pool of resources and attributed to organisations without justification.
A total of 1,060,864 IPv4 resources have been reclaimed, i.e. deregistered from the AFRINIC WHOIS Database, and are presently in ‘quarantine’ for a period of 12 months. Following the ‘quarantine’ period, the resources may be added to AFRINIC’s pool of resources available for new allocations.
A total of 1,310,720 IPv4 resources, related to two distinct organisations, are yet to be reclaimed due to ongoing due diligence.
With regard to misappropriation of IPv4 legacy space, 1,799,168 IPv4 addresses deemed to be legacy address space appeared to have been compromised, and actions have been taken to contact the source-holders:
- 394,496 legacy IPv4 addresses have subsequently been consolidated at the request of the holding company of the organisations to which the resources were registered;
- Unsubstantiated changes to 467,968 legacy IPv4 addresses have been reversed;
- 936,704 legacy IPv4 addresses are currently under dispute and pending determination of rightful custodianship.
What is being done to keep this from happening again?
Following the findings of the audit, AFRINIC took several remedial actions such as reinforcing internal and external processes and adding multiple layers of verification to our IP allocation and database update processes. Here is what has been done so far by AFRINIC.
- We communicated regularly through email updates and blog articles to keep our stakeholders informed about the situation. All concerned organisations were informed to take appropriate measures to protect the custodianship of the resources they hold.
- AFRINIC undertook a review of its current processes relating to its core function and made various improvements in the control mechanisms for the management of Internet number resources. These included the adoption of a fraud and corruption policy, the introduction of a whistleblowing mechanism, and many more.
- Our current business rules now provide better support to legacy resource holders, such that proper verification of legacy resource holders will be conducted before any updates are made to the records on the AFRINIC WHOIS database.
- Resource members have to meet new checks to comply with AFRINIC’s internal business process and policies: only registered contacts are allowed to request service support, verify domain name registration information, and cross-verify company registration information where those services are available.
- AFRINIC has been reinforcing its internal capacity and has embarked on a training program for staff members in the registration services. This is ongoing to ensure that all team members are capable of diligently evaluating the requests and also able to identify any risks involved.
- The WHOIS Database has been upgraded with authentication mechanisms with additional safety features. Staff authorised to perform changes to records on MyAfrinic and WHOIS databases authenticate such changes using their PGP key. Power maintainers only use PGP authentication. All Resource Holders have also been instructed to adopt secure password mechanisms.
- Additional layers of control for systems privileges for the staff in the Registration Services department have been implemented.
- AFRINIC has a mechanism in place that ensures all objects in its WHOIS Database are protected by a maintainer (auto-generated for person and role objects).
- AFRINIC also regularly monitors inconsistencies in its databases through reports which are generated daily. Registration Services Team are informed when inconsistencies are detected between the resource file entries and the registry database.
How can we contribute to making things better?
As a result of the audit that was carried out on the accuracy of the AFRINIC WHOIS Database, the following recommendations were made:
- The report recommends that all Resource Members keep their contact information updated.
- The report recommends that organisations ensure that their details appearing on AFRINIC’s WHOIS Database are kept up to date at all times.
- The report recommends that AFRINIC devote resources to ensure that Legacy Resource Holders’ requests are attended to within the service timelines.
- The report recommends that the AFRINIC community critically assess how best the accuracy of the information pertaining to Legacy Resource Holders can be improved and considers whether unused legacy resources should be left idle while AFRINIC exhausts its remaining pool of IPv4 addresses.
- The report also recommends that policies which may assist AFRINIC in ensuring at all times an accurate WHOIS Database are developed.
AFRINIC is committed to effectively executing the recommendations highlighted in the report. As the Regional Internet Registry (RIR) for Africa and the Indian Ocean region, AFRINIC relies on the support and input of its community to implement those recommendations and improve the accuracy and security of the WHOIS Database.
As we move forward, AFRINIC will keep its community informed about any improvements it makes to the WHOIS Database.
Wessel Sandkuijl •
The link to the full AFRINIC whois audit report is not working.
Alun Davies •
Thanks Wessel! Should be working for everyone now.
Ron Guilmette •
When I and my journalistic colleague, Jan Vermeulen of MyBroadband.co.za, began our investigations into this colossal and truly epic malfeasance and theft of valuable IPv4 resources in mid-2019, the notion of either of us becoming famous or of receiving any credit for unraveling and publicly documenting this gigantic scandal was not what motivated us, nor has it been, since the beginning. Rather, we merely wished to right some wrongs and return to the people of Africa some IP resources critically needed for the ongoing development of the Internet in Africa. Nonetheless, it would have been, I think, at least minimally respectful if either AFRINIC or (now) RIPE had taken a moment to at least mention our names and our very evident, abundant, and key contributions towards exposing this whole huge mess. Neither organization, it seems, has thus far elected to do so publicly. Such is the reward, or lack thereof, of a job well done.
Alun Davies •
Sorry for the oversight. I've updated the article with some additional information and a link so readers can find out more about how the news emerged.