A Comprehensive Audit of the AFRINIC WHOIS Database

By AFRINIC

AFRINIC has taken actions and kept its stakeholders informed about the situation. Infrastructural improvements on its database have been implemented, and the operational business rules and procedures have been reviewed, including, but not limited to, a review of infrastructural user access.

Introduction

AFRINIC undertook an audit of all IPv4 number resources, which consisted of verifying the rightful custodianship of those resources. The audit verified the processes adopted for the allocation of IPv4 number resources, covering both legacy and non-legacy resources that fall under AFRINIC’s service region.

AFRINIC has taken actions and kept its stakeholders informed about the situation, brought about infrastructural improvements on its database, and reviewed its operational business rules and procedures, including, but not limited to, a review of infrastructural user access.

Finally, the report provided some recommendations which will assist AFRINIC in ensuring an accurate WHOIS Database.

Read the report.

What Happened?

The misappropriation of IP number resources in AFRINIC’s WHOIS Database was brought to light around mid-2019. Following an internal investigation, a former employee was found to have misappropriated IP number resources forming part of AFRINIC’s pool of resources. This matter was reported to the Mauritian Central Criminal Investigation Division, and an enquiry is presently ongoing.

What we found

The audit reveals that 2,371,584 IPv4 addresses were misappropriated from AFRINIC’s pool of resources and attributed to organisations without justification.

A total of 1,060,864 IPv4 resources have been reclaimed, i.e. deregistered from the AFRINIC WHOIS Database and are presently in ‘quarantine’ for a period of 12 months. Following the ‘quarantine’ period, the resources may be added to AFRINIC’s pool of resources available for new allocations.

A total of 1,310,720 IPv4 resources, related to two distinct organisations, are yet to be reclaimed due to ongoing due diligence.

With regard to misappropriation of IPv4 legacy space, 1,799,168 IPv4 addresses deemed to be legacy address space appeared to have been compromised, and actions have been taken to contact the source-holders:

  1. 394,496 legacy IPv4 addresses have subsequently been consolidated at the request of the holding company of the organisations to which the resources were registered;
  2. Unsubstantiated changes to 467,968 legacy IPv4 addresses have been reversed;
  3. 936,704 legacy IPv4 addresses are currently under dispute and pending determination of rightful custodianship.

What is being done to keep this from happening again?

Following the findings of the audit, AFRINIC took several remedial actions such as reinforcing internal and external processes and adding multiple layers of verification to our IP allocation and database update processes. Here is what has been done so far by AFRINIC.

  • We communicated regularly through email updates and blog articles to keep our stakeholders informed about the situation. All concerned organisations were informed to take appropriate measures to protect the custodianship of the resources they hold.
  • AFRINIC undertook a review of its current processes relating to its core function and made various improvements in the control mechanisms for the management of Internet number resources. These covered the adoption of a fraud and corruption policy and the introduction of a whistleblowing mechanism, among others.
  • Our current business rules now provide better support to legacy resource holders, such that proper verification of legacy resource holders will be conducted before any updates are made to the records on the AFRINIC WHOIS database.
  • Resource members have to meet new checks to comply with AFRINIC’s internal business processes and policies: only registered contacts are allowed to request service support, verify domain name registration information, and cross-verify company registration information where those services are available.
  • AFRINIC has been reinforcing its internal capacity and has embarked on a training program for staff members in the registration services. This is ongoing to ensure that all team members are capable of diligently evaluating the requests and also able to identify any risks involved.
  • The WHOIS Database has been upgraded with authentication mechanisms with additional safety features. Staff authorised to perform changes to records on MyAfrinic and WHOIS databases authenticate such changes using their PGP key. Power maintainers only use PGP authentication. All Resource Holders have also been instructed to adopt secure password mechanisms.
  • Additional layers of control for systems privileges for the staff in the Registration Services department have been implemented.
  • AFRINIC has a mechanism in place that ensures all objects in its WHOIS Database are protected by a maintainer (auto-generated for person and role objects).
  • AFRINIC also regularly monitors inconsistencies in its databases through reports which are generated daily. The Registration Services team is informed when inconsistencies are detected between the resource file entries and the registry database.

How can we contribute to making things better?

As a result of the audit that was carried out on the accuracy of the AFRINIC WHOIS Database, the following recommendations were made:

  • The report recommends that all Resource Members keep their contact information updated.
  • The report recommends that organisations ensure that their details appearing on AFRINIC’s WHOIS Database are kept up to date at all times.
  • The report recommends that AFRINIC devote resources to ensure that Legacy Resource Holders’ requests are attended to within the service timelines.
  • The report recommends that the AFRINIC community critically assess how best the accuracy of the information pertaining to Legacy Resource Holders can be improved and consider whether unused legacy resources should be left idle while AFRINIC exhausts its remaining pool of IPv4 addresses.
  • The report also recommends that policies which may assist AFRINIC in ensuring, at all times, an accurate WHOIS Database are developed.

What’s Next?

AFRINIC is committed to effectively executing the recommendations highlighted in the report. As the Regional Internet Registry (RIR) for Africa and the Indian Ocean region, AFRINIC relies on the support and inputs of its community to implement those recommendations and improve the accuracy and security of the WHOIS Database.

As we move forward, AFRINIC will keep its community informed about any improvements it brings along on the WHOIS Database.

This article was originally published on the AFRINIC website.

Any views, positions, statements or opinions of a guest blog post are those of the author alone and do not represent those of ARIN. ARIN does not guarantee the accuracy, completeness or validity of any claims or statements, nor shall ARIN be liable for any representations, omissions or errors contained in a guest blog post.