From: Peter Müller
To: location@lists.ipfire.org
Subject: [PATCH] add overrides for dirty ISP conglomerate "Inter Connects Inc. & friends"
Date: Sat, 20 Mar 2021 20:17:12 +0000
Message-Id: <20210320201712.10402-1-peter.mueller@ipfire.org>

AS owned by a couple of letterbox companies in London (most notably
Inter Connects Inc. and Packet Exchange Ltd.) were found to tamper
massively with RIR data of prefixes they own or announce. Aside from
that, these AS are currently hijacking AfriNIC chunks widely believed as
being stolen - plus hosting some cybercrime stuff for good measure.

Except for AS63119, all of these networks show strong links to Sweden,
while some traceroutes dead-end at other places in Europe. As a
consequence, we cannot trust the country information published by this
actor, generously overriding them to limit damage to IPFire location
database users.

The author strongly recommends against accepting any traffic from or to
these networks (some of them have ASN-DROP listings at Spamhaus indeed),
but this aspect is out of scope for the IPFire location database. Just
mentioning it here for the sake of completeness. :-)

In addition, this patch features some IPv4 networks apparently operated
by VPN providers in the US - being shady as well, just saying.

Signed-off-by: Peter Müller
---
 overrides/override-a1.txt    | 20 ++++++++++++++++++++
 overrides/override-other.txt | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 55 insertions(+)
diff --git a/overrides/override-a1.txt b/overrides/override-a1.txt index 1ccfa0a..76a5a52 100644 --- a/overrides/override-a1.txt +++ b/overrides/override-a1.txt @@ -297,6 +297,11 @@ descr: CloudVPN Inc. remarks: VPN provider is-anonymous-proxy: yes +net: 23.230.23.0/24 +descr: Colorberry VPN Services +remarks: VPN provider +is-anonymous-proxy: yes + net: 23.239.176.0/22 descr: CloudVPN Inc. remarks: VPN provider @@ -798,6 +803,11 @@ descr: PureVPN remarks: VPN provider is-anonymous-proxy: yes +net: 107.186.38.0/24 +descr: Colorberry VPN services +remarks: VPN provider +is-anonymous-proxy: yes + net: 109.70.100.0/24 descr: Foundation for Applied Privacy remarks: Tor relay provider @@ -853,6 +863,11 @@ descr: GZ Systems Limited / PureVPN remarks: VPN provider is-anonymous-proxy: yes +net: 142.252.111.0/24 +descr: Hurricane VPN +remarks: VPN provider +is-anonymous-proxy: yes + net: 145.249.104.0/22 descr: Liberty Services / IP Volume Inc. remarks: VPN provider [high confidence, but not proofed] @@ -1344,6 +1359,11 @@ descr: VPN Consumer Network Services remarks: VPN provider is-anonymous-proxy: yes +net: 205.164.4.0/24 +descr: OpenVPN Technologies, Inc. +remarks: VPN provider +is-anonymous-proxy: yes + net: 205.185.193.0/24 descr: SecuredConnectivity remarks: VPN provider diff --git a/overrides/override-other.txt b/overrides/override-other.txt index bec4d80..b428d9f 100644 --- a/overrides/override-other.txt +++ b/overrides/override-other.txt @@ -103,6 +103,11 @@ descr: Treidinvest LLC remarks: ISP located in RU, but some RIR data for announced prefixes contain garbage country: RU +aut-num: AS41564 +descr: Packet Exchange Limited +remarks: shady uplink for a bunch of dirty ISPs in SE (and likely elsewhere in EU), routing stolen AfriNIC networks, RIR data of prefixes announced by this AS cannot be trusted +country: EU + aut-num: AS42397 descr: Bunea TELECOM SRL remarks: ISP located in RO, but some RIR data for announced prefixes contain garbage 
@@ -133,6 +138,11 @@ descr: PPTECHNOLOGY LIMITED remarks: bulletproof ISP (related to AS204655) located in NL country: NL +aut-num: AS41564 +descr: Global Colocation Limited +remarks: part of a dirty ISP conglomerate most likely operating out of SE +country: SE + aut-num: AS49466 descr: KLAYER LLC remarks: part of the "Asline" IP hijacking gang, traces back to AP region @@ -168,6 +178,11 @@ descr: FiberXpress BV remarks: bulletproof ISP (related to AS202425) located in NL country: NL +aut-num: AS57858 +descr: Inter Connects Inc. +remarks: part of a dirty ISP conglomerate operating most likely out of SE, hijacking stolen AfriNIC networks, massively tampers with RIR data +country: SE + aut-num: AS58073 descr: YISP BV remarks: ISP located in NL, but some RIR data for announced prefixes contain garbage @@ -183,6 +198,11 @@ descr: Batterflyai Media Ltd. remarks: ISP located in RU, but some RIR data for announced prefixes contain garbage country: RU +aut-num: AS60485 +descr: Inter Connects Inc. / Jing Yun +remarks: part of a dirty ISP conglomerate operating most likely out of SE, hijacking AfriNIC networks +country: SE + aut-num: AS62355 descr: Network Dedicated SAS remarks: bulletproof ISP and IP hijacker, claims to be located in CH, but traces to NL @@ -193,6 +213,11 @@ descr: VpsQuan L.L.C. remarks: claims to be located in US, but traces to HK country: HK +aut-num: AS63119 +descr: Inter Connects Inc. +remarks: part of a dirty ISP conglomerate, traces back to US this time +country: US + aut-num: AS64437 descr: NForce Entertainment BV remarks: currently hijacks a single stolen /20 AfriNIC IPv4 net, hosted in NL 
@@ -268,6 +293,11 @@ descr: Kevin Holly trading as Silent Ghost e.U. remarks: AS run by someone who thinks allocating IP networks to AQ is funny (it is not, kid) :-/ country: NL +aut-num: AS204353 +descr: Global Offshore Limited +remarks: part of a dirty ISP conglomerate with links to SE, RIR data of prefixes announced by this AS cannot be trusted +country: EU + aut-num: AS204655 descr: Novogara Ltd. remarks: bulletproof ISP (strongly linked to AS202425) located in NL @@ -343,6 +373,11 @@ descr: PEG TECH INC remarks: ISP located in HK, tampers with RIR data country: HK +aut-num: AS398826 +descr: OLink Cloud LLC +remarks: shady ISP located in US, but some RIR data for announced prefixes contain garbage +country: US + net: 5.1.68.0/24 descr: GaiacomLC remarks: routed to DE, inaccurate RIR data
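Review bot: The four new is-anonymous-proxy entries in overrides/override-a1.txt carry no indication of how the VPN attribution was established, while the commit message itself only says the networks are "apparently operated by VPN providers". The neighbouring 145.249.104.0/22 entry qualifies its remark with "[high confidence, but not proofed]"; the same kind of qualifier on 23.230.23.0/24, 107.186.38.0/24, 142.252.111.0/24 and 205.164.4.0/24 would let users of the database judge how much weight the flag deserves. Minor: the descr for 23.230.23.0/24 reads "Colorberry VPN Services" and the one for 107.186.38.0/24 reads "Colorberry VPN services"; please pick one spelling so the two blocks can be matched by descr.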
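Review bot: AS41564 is added a second time in the hunk at @@ -133 of overrides/override-other.txt, as "Global Colocation Limited" with country: SE, although the hunk at @@ -103 already adds AS41564 as "Packet Exchange Limited" with country: EU. That leaves two contradictory overrides for one AS. The second block sits directly before AS49466, while the first sits before AS42397, so the file's ascending AS order suggests a different aut-num was meant for Global Colocation Limited. Please verify the number for that entry and resend, rather than relying on whichever block a consumer happens to read last.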
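Review bot: country: EU on AS204353 in the hunk at @@ -268 (and on AS41564 in the hunk at @@ -103) does not match the commit message, which states that all of these networks except AS63119 show strong links to Sweden, and the other conglomerate entries (AS57858, AS60485) are set to SE. If EU is a deliberate fallback because the traceroutes dead-end in several European places, say so in the remarks line of these two entries; otherwise use SE for consistency. Separately, AS398826 (OLink Cloud LLC, @@ -343) is not mentioned in the commit message and its remark does not tie it to the conglomerate, so a sentence explaining why it is part of this patch would help.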