From patchwork Sun Dec 13 12:44:54 2020
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 3722
From: Peter Müller
To: location@lists.ipfire.org
Subject: [PATCH] override-{a[1, 3}, other}: add overrides for Akamai and some AP-based IP hijackers
Date: Sun, 13 Dec 2020 12:44:54 +0000
Message-Id: <20201213124454.26443-1-peter.mueller@ipfire.org>

Those came to my attention last night...

These two "Cloud Innovation Ltd." networks are especially interesting, since they strongly appear to have been hijacked or stolen from AFRINIC for the sole purpose of being routed by various dirty networks worldwide. Some of them host a decent amount of phishing and C&Cs, while others seem to be used as proxy infrastructure by miscreants, which is why an A1 flag seems to be justified from my point of view.

Signed-off-by: Peter Müller
---
 overrides/override-a1.txt    | 21 +++++++++++++++++++++
 overrides/override-a3.txt    | 10 ++++++++++
 overrides/override-other.txt | 35 +++++++++++++++++++++++++++++++++++
 3 files changed, 66 insertions(+)

diff --git a/overrides/override-a1.txt b/overrides/override-a1.txt
index 7aca339..6d9132a 100644
--- a/overrides/override-a1.txt
+++ b/overrides/override-a1.txt
@@ -406,6 +406,11 @@ descr: Express VPN International Ltd remarks: VPN provider is-anonymous-proxy: yes +net: 45.192.0.0/12 +descr: Cloud Innovation Ltd. +remarks: hijacked AFRINIC IP chunk owned by an offshore company, routed to several dirty networks worldwide, cannot tell what is going on here +is-anonymous-proxy: yes + net: 45.220.72.0/22 descr: Low budget VPN service remarks: VPN provider @@ -611,6 +616,11 @@ descr: CloudMine NET remarks: VPN provider [high confidence, but not proofed] is-anonymous-proxy: yes +net: 92.118.204.0/22 +descr: Mo's Operations GmbH +remarks: VPN provider [high confidence, but not proofed] +is-anonymous-proxy: yes + net: 94.199.160.0/23 descr: MIK Telecom VPN pool remarks: VPN provider @@ -801,6 +811,11 @@ descr: WIFI and PROXY NET / Atlantique Telecom remarks: VPN provider [high confidence, but not proofed] is-anonymous-proxy: yes +net: 154.192.0.0/11 +descr: Cloud Innovation Ltd. +remarks: hijacked AFRINIC IP chunk, owned by suspicous offshore company, scattered across dirty networks worldwide - not a safe place to go +is-anonymous-proxy: yes + net: 161.129.60.0/24 descr: 10VPN Hosting remarks: VPN provider @@ -1167,6 +1182,11 @@ descr: LogicWeb Inc. / BGRVPN / Private Internet Access / VPNetworks / Cookie remarks: large IP chunk mostly used by VPN providers is-anonymous-proxy: yes +net: 196.61.192.0/20 +descr: Inspiring Networks LTD +remarks: hijacked (?) IP network owned by an offshore company [high confidence, but not proofed] +is-anonymous-proxy: yes + net: 197.221.161.0/24 descr: VPNClientPublics remarks: VPN provider @@ -1195,6 +1215,7 @@ is-anonymous-proxy: yes net: 202.9.16.0/20 descr: VPNsolutions Pty Ltd remarks: VPN provider + is-anonymous-proxy: yes net: 202.152.146.0/24 diff --git a/overrides/override-a3.txt b/overrides/override-a3.txt index 07b2621..1112e6d 100644 --- a/overrides/override-a3.txt +++ b/overrides/override-a3.txt 
@@ -25,6 +25,16 @@ descr: DirectNIC, Ltd. remarks: Generic anycast network [high confidence, but not proofed] is-anycast: yes +aut-num: AS16625 +descr: Akamai Technologies, Inc. +remarks: Worldwide CDN, does not make sense to assign their networks to a specific country +is-anycast: yes + +aut-num: AS20940 +descr: Akamai International BV +remarks: Worldwide CDN, does not make sense to assign their networks to a specific country +is-anycast: yes + aut-num: AS31529 descr: DENIC eG remarks: TLD operator's anycast network diff --git a/overrides/override-other.txt b/overrides/override-other.txt index 98ea79b..5eb7796 100644 --- a/overrides/override-other.txt +++ b/overrides/override-other.txt @@ -28,6 +28,16 @@ descr: KLAYER LLC remarks: part of the "Asline" IP hijacking gang, traces back to AP region country: AP +aut-num: AS22769 +descr: DDOSING NETWORK +remarks: IP hijacker located somewhere in AP, massively tampers with RIR data +country: AP + +aut-num: AS24009 +descr: HK UNITE TELECOMMUNICATIONS DEVELOPMENT LIMITED +remarks: IP hijacker (?) located in HK, tampers with RIR data +country: HK + aut-num: AS24700 descr: Yes Networks Unlimited Ltd remarks: traces to UA, but some RIR entries seem to contain garbage (VG) @@ -43,6 +53,11 @@ descr: IP Interactive UG (haftungsbeschraenkt) remarks: ISP located in BG, but RIR data for announced prefixes contain garbage country: BG +aut-num: AS35251 +descr: NetLab +remarks: tampers with RIR data, most probabyl located in HK +country: HK + aut-num: AS35478 descr: Buena Telecom SRL remarks: ISP located in RO, but RIR data for announced prefixes contain garbage 
@@ -123,11 +138,21 @@ descr: Network Dedicated SAS remarks: bulletproof ISP, claims to be located in CH, but traces to NL country: NL +aut-num: AS62468 +descr: VpsQuan L.L.C. +remarks: claims to be located in US, but traces to HK +country: HK + aut-num: AS134548 descr: DXTL Tseung Kwan O Service remarks: tampers with RIR data, traces back to AP region country: AP +aut-num: AS137443 +descr: Anchnet Asia Limited +remarks: IP hijacker located in HK, tampers with RIR data +country: HK + aut-num: AS137951 descr: Clayer Limited remarks: part of the "Asline" IP hijacking gang, tampers with RIR data, traces back to AP region @@ -213,6 +238,16 @@ descr: FlokiNET Ltd. remarks: fake offshore location (SC), traces back to RO country: RO +net: 45.93.16.0/22 +descr: IPv4 Superhub Limited +remarks: network owned by an HK company, traces back to HK as well - but is assigned to DE. Nice try... +country: HK + +net: 45.134.144.0/22 +descr: IPv4 Superhub Limited +remarks: same as 45.93.16.0/22 +country: HK + net: 45.145.36.0/22 descr: GlobalCache Technology CO., Ltd. remarks: claims to be located in DE, but traces back to HK
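Review bot: The last override-a1.txt hunk (@@ -1195,6 +1215,7 @@) inserts a blank line between `remarks: VPN provider` and `is-anonymous-proxy: yes` in the 202.9.16.0/20 (VPNsolutions Pty Ltd) record. Every other record in these files is delimited by a blank line, so this would end the record before its flag and leave a dangling `is-anonymous-proxy: yes` with no `net:`, i.e. the prefix silently loses the A1 flag it is meant to carry. Unless the parser is known to tolerate this, drop the inserted blank line; it is not mentioned in the commit message and looks accidental.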
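Review bot: The Cloud Innovation Ltd. entries in override-a1.txt (45.192.0.0/12 and 154.192.0.0/11) set `is-anonymous-proxy: yes` on roughly 3 million addresses while their own remarks admit uncertainty (`cannot tell what is going on here`). Elsewhere in the file uncertain entries carry a `[high confidence, but not proofed]` tag; these two should either get a comparable confidence marker or state what was actually observed (the phishing and C&C hosting named in the commit message), so that whoever later triages a false positive from a legitimate customer inside such a large range can see why the block was flagged. Also `suspicous` in the 154.192.0.0/11 remark should be `suspicious`.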
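Review bot: For AS16625 and AS20940 in override-a3.txt the remark only argues that a country assignment makes no sense for a worldwide CDN, which is the rationale the `country:` overrides in override-other.txt use, not a statement that the networks are anycast. Since `is-anycast: yes` applies to every prefix these ASNs originate, including any unicast edge ranges, please confirm that is the intended effect and, if so, say so in the remark the way the DirectNIC entry above does ("Generic anycast network").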
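Review bot: In override-other.txt, the AS35251 NetLab remark has a typo (`probabyl` should be `probably`), and the 45.134.144.0/22 remark `same as 45.93.16.0/22` should repeat the reasoning instead of pointing at another record, since entries get edited or removed independently and a reader of this one alone cannot tell why it maps to HK. The trailing "Nice try..." in the 45.93.16.0/22 remark is editorial; the factual part (HK-owned, traces to HK, but assigned to DE) is what a later maintainer needs, so keep the remark to that.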