RIPE NCC Responds to the Rove Digital/DNS Changer Re-allocations

(Last Updated On: February 7, 2018)

RIPE has publicly responded to the surprise felt by members of the DCWG and others involved with the Rove Digital/DNS Changer clean up community. The statement on their web page is as follows:

15 Aug 2012 — ripe ncc

As reported in previous announcements, the RIPE NCC will go to court in the Netherlands on 29 November 2012 to seek clarification on the procedure taken by the Dutch police on 8 November 2011 when it presented the RIPE NCC with a police order to “lock” registrations in the RIPE Database.

For background on this story, see: Summons of the RIPE NCC Against the State of the Netherlands.

After receiving independent legal advice that the police order had no sufficient legal grounds to force the RIPE NCC to execute the order, the RIPE NCC unlocked the blocks of IPv4 address space on 10 January 2012. We’d like to give you an update on the current situation.

Two of the four address blocks included in the police order ( and 85.255.112/20) were reallocated after the contractual relationship with the member holding the address space was terminated. The member’s account was closed and the space was deregistered according to ripe-541, “Closure of LIR and Deregistration of Internet Number Resources”. The address space was quarantined for six weeks before being returned to the RIPE NCC’s available pool of IPv4 address space. It was then randomly reallocated to a new resource holder according to normal allocation procedures.

As the RIPE NCC nears IPv4 exhaustion, it will reduce the quarantine period of returned address space accordingly to ensure that there is no more IPv4 address space available before the last /8 is reached. The  RIPE NCC recognises that this shortened quarantine could lead to routability problems and offers its members assistance to reduce this.

As mentioned in my previous blog, the general behind the scenes reaction is surprise. This statement by RIPE has not helped the situation. In fact, it might have made it worse given what RIPE has communicated in this statement.

First, we understand RIPE’s leadership has issues with the court order – a court order RIPE specifically requested from the law enforcement agencies involved with the Rove Digital/DNS Changer operation. RIPE needed a court order through the Dutch courts to take action. RIPE’s issue is reflected on this page: Summons of the RIPE NCC Against the State of the Netherlands. RIPE does have legitimate issues with the use of “seizure” and how the court order was phased. This is no surprise and expected. Legal dialog of this nature is how the world legal system progresses.

Second, everyone involved with the DNS Changer Working Group failed to read between the lines of RIPE’s announcement on 10 Jan 2012 where they would unlock the prefixed used for this criminal operation and then “reallocated the resources.” The people who missed this ranges from law enforcement in several countries, to some of the worlds best National CSIRT Teams (see for a list), to the top security vendors, to key security researchers, to network vendors, and to many of the largest service providers in the industry (most of whom are RIPE members).  The details of the “unlocking” is here: RIPE NCC Unlocks Registration in RIPE Registry.  This “miss” was bad news for everyone working to protect the people victimized by DNS Changer. The community “should have noticed” the RIPE announcement and then understand the dangers of reallocation (which includes myself – as one of the active DCWG members).

Finally, where is RIPE’s accountability? The fact that RIPE took NO ACTION to notify anyone in the DCWG community that “unlocking” really means RIPE is activating the “deregistration” policies in document RIPE-541, “Closure of LIR and Deregistration of Internet Number Resources.” RIPE’s leadership and staff knows many of the people in DCWG. Many of the DCWG participants are RIPE members. It would have been simple for RIPE to communicate officially or un-officially that they were moving beyond unlocking to using RIPE 541 to re-allocated.

Given the number of organizations within the RIPE community who participated in the DNS Changer clean up, it can only be assumed that RIPE intentionally decided to NOT communicate. There was on-going dialog between members of the DCWG and ARIN/RIPE leadership to find ways to responsibly mange all IPv4 blocked involved with the Rove Digital/DNS Changer activity. At no time was it communicated from RIPE to their membership who were part of DCWG that contractual relationship for and 85.255.112/20 ended and that these would then be put back into the allocation pool. RIPE could have clued in the community when the contract ended. RIPE could have clued in the community when the addresses went back into the allocation pool’s quarantine period. RIPE could have communicated when the addresses were live in the allocation pool.

The surprise expressed by the community was that RIPE’s actions indicate mindful intent to not communicate.

What should you do?

If you are a operator in the RIPE community, and LIR, or a National CSIRT in the RIPE Community, please ask RIPE why they mindfully choose the path of non-cooperation. This choice will have an impact on future work against cyber-crime. Many of the DCWG participants know about RIR policies and procedures. They understand checks, balances, and limitations crafted in those policies and procedures to protect the interest of the Internet and the RIR constituents. Everyone would understand if RIPE’s leadership communicated “hey, contract is over, our hands are tied, RIPE doc 541 says we need to reallocate.” This is not what happened. 🙁

The fact that RIPE’s leadership mindfully choose a path of non-cooperation with their peers and members is a worry all RIPE constituents should take note.

Individuals and RIPE members can contact RIPE at

Need Security Advice?

If you find your organization needs help and worry about the FUD from the industry, reach out and ask for help. You can reach me at Start with the Operator’s Security Toolkit. It is the no-nonsense security for all Operators. It provides details to help them build more security resilient networks. In the meantime, stay connected to the Senki Community to get updates on new empowerment and security insights.