From patchwork Fri Dec 10 07:07:09 2021
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 4914
To: "IPFire: Location"
From: Peter Müller
Subject: [PATCH] override-{a1,other,xd}: Regular batch of various overrides
Message-ID: <87e75b89-d6b2-3fcc-4181-dd760347348c@ipfire.org>
Date: Fri, 10 Dec 2021 08:07:09 +0100

Signed-off-by: Peter Müller
---
 overrides/override-a1.txt | 48 ----------------
 overrides/override-other.txt | 104 ++++++++++++++++++++++-------------
 overrides/override-xd.txt | 50 +++++++++++++++++
 3 files changed, 117 insertions(+), 85 deletions(-)

diff --git a/overrides/override-a1.txt b/overrides/override-a1.txt
index 5734c08..5fce4d9 100644
--- a/overrides/override-a1.txt +++ b/overrides/override-a1.txt @@ -82,11 +82,6 @@ descr: Asiamax Ltd. VPN remarks: VPN provider is-anonymous-proxy: yes -aut-num: AS39770 -descr: 1337TEAM LIMITED / eliteteam[.]to -remarks: Owned by an offshore letterbox company, suspected rogue ISP -is-anonymous-proxy: yes - aut-num: AS43233 descr: VPS 404 Ltd. remarks: VPN provider [high confidence, but not proofed] located in ES @@ -114,12 +109,6 @@ descr: BeeVPN ApS remarks: VPN provider is-anonymous-proxy: yes -aut-num: AS51381 -descr: 1337TEAM LIMITED / eliteteam[.]to -remarks: Owned by an offshore letterbox company, suspected rogue ISP -is-anonymous-proxy: yes -country: RU - aut-num: AS51446 descr: SP Argaev Artem Sergeyevich / Foundation Respect My Privacy remarks: VPN provider [high confidence, but not proofed] @@ -142,17 +131,6 @@ remarks: Tor relay and VPN provider, traces back to SE [high confidence, but n is-anonymous-proxy: yes country: SE -aut-num: AS55303 -descr: Eagle Sky Co., Lt[d ?] -remarks: Autonomous System registered to offshore company, abuse contact is a freemail address, address says "0 Market Square, P.O. Box 364, Belize", seems to trace to some location in AP vicinity -is-anonymous-proxy: yes -country: AP - -aut-num: AS56873 -descr: 1337TEAM LIMITED / eliteteam[.]to -remarks: Owned by an offshore letterbox company, suspected rogue ISP -is-anonymous-proxy: yes - aut-num: AS58110 descr: IP Volume Ltd. / Epik remarks: Shady Autonomous System registered to letterbox company, possibly copycat operation of Epik registrar, many prefixes announced refer to "anonymize" infrastructure @@ -168,11 +146,6 @@ descr: Geotelco Limited remarks: VPN provider [high confidence, but not proofed] is-anonymous-proxy: yes -aut-num: AS60424 -descr: 1337TEAM LIMITED / eliteteam[.]to -remarks: Owned by an offshore letterbox company, suspected rogue ISP -is-anonymous-proxy: yes - aut-num: AS60729 descr: Zwiebelfreunde e.V. remarks: Tor relay provider 
@@ -214,12 +187,6 @@ descr: HERN Labs AB remarks: VPN provider [high confidence, but not proofed] is-anonymous-proxy: yes -aut-num: AS206819 -descr: ANSON NETWORK LIMITED -remarks: Autonomous System registered to UK letterbox company, traces back through shady ISPs to TW -is-anonymous-proxy: yes -country: TW - aut-num: AS207688 descr: DataHome S.A. remarks: VPN provider located in BR [high confidence, but not proofed] @@ -1430,11 +1397,6 @@ descr: Tredinvest LLC / bestwest[.]host remarks: VPN provider or offering similar services [high confidence, but not proofed] is-anonymous-proxy: yes -net: 185.215.113.0/24 -descr: 1337TEAM LIMITED / eliteteam[.]to -remarks: Owned by an offshore letterbox company, suspected rogue ISP -is-anonymous-proxy: yes - net: 185.220.100.0/22 descr: Zwiebelfreunde e.V. / F3 Netze e.V. / The Calyx Institute remarks: Tor relay provider @@ -1692,11 +1654,6 @@ descr: LogicWeb Inc. / BGRVPN / Private Internet Access / VPNetworks / Cookie remarks: Hijacked AfriNIC IP chunk mostly used by VPN providers is-anonymous-proxy: yes -net: 196.61.192.0/20 -descr: Inspiring Networks LTD -remarks: hijacked (?) IP network owned by an offshore company [high confidence, but not proofed] -is-anonymous-proxy: yes - net: 197.221.161.0/24 descr: VPNClientPublics remarks: VPN provider @@ -2031,8 +1988,3 @@ net: 2c0f:f930::/32 descr: Cyberdyne S.A. remarks: Tor relay provider is-anonymous-proxy: yes - -net: 2a10:9700::/29 -descr: 1337TEAM LIMITED / eliteteam[.]to -remarks: Owned by an offshore letterbox company, suspected rogue ISP -is-anonymous-proxy: yes diff --git a/overrides/override-other.txt b/overrides/override-other.txt index 7d76534..ca9dbad 100644 --- a/overrides/override-other.txt +++ b/overrides/override-other.txt 
@@ -85,6 +85,11 @@ descr: Tianhai InfoTech remarks: IP hijacker located somewhere in AP, massively tampers with RIR data country: AP +aut-num: AS5408 +descr: Greek Research and Technology Network (GRNET) S.A. +remarks: ... located in GR +country: GR + aut-num: AS6134 descr: XNNET LLC remarks: traces back to an unknown oversea location (HK?), seems to tamper with RIR data @@ -363,6 +368,11 @@ descr: CNSERVERS LLC remarks: Shady ISP located in US, tampers with RIR data country: US +aut-num: AS41047 +descr: MLAB Open Source Community +remarks: traces back to DE +country: DE + aut-num: AS41466 descr: Treidinvest LLC remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data @@ -408,6 +418,11 @@ descr: DGN TEKNOLOJI A.S. remarks: ISP located in TR, but many RIR data for announced prefixes contain garbage country: TR +aut-num: AS43092 +descr: Kirin Communication Limited +remarks: tampers with RIR data, traces back to AP area +country: AP + aut-num: AS43310 descr: TOV "LVS" remarks: ISP located in UA, but some RIR data for announced prefixes contain garbage @@ -498,11 +513,6 @@ descr: LLC Baxet remarks: tampers with RIR data, traces back to RU country: RU -aut-num: AS49447 -descr: Nice IT Services Group Inc. -remarks: Rogue ISP located in CH, but some RIR data for announced prefixes contain garbage -country: CH - aut-num: AS49466 descr: KLAYER LLC remarks: part of the "Asline" IP hijacking gang, traces back to AP region @@ -748,6 +758,11 @@ descr: NForce Entertainment BV remarks: currently hijacks a single stolen /20 AfriNIC IPv4 net, hosted in NL country: NL +aut-num: AS131685 +descr: Sun Network (Hong Kong) Limited +remarks: ISP and/or IP hijacker located somewhere in AP +country: AP + aut-num: AS132369 descr: XIANGAO INTERNATIONAL TELECOMMUNICATION LIMITED remarks: ISP located in HK, tampers with RIR data 
@@ -758,9 +773,14 @@ descr: POWER LINE DATACENTER remarks: ISP and/or IP hijacker located in HK, tampers with RIR data country: HK +aut-num: AS133201 +descr: ABCDE GROUP COMPANY LIMITED +remarks: ISP and/or IP hijacker located somewhere in AP +country: AP + aut-num: AS133441 descr: CloudITIDC Global -remarks: ISP and/or IP hijacker located somehwere in AP +remarks: ISP and/or IP hijacker located somewhere in AP country: AP aut-num: AS133752 @@ -810,7 +830,7 @@ country: AP aut-num: AS136800 descr: ICIDC NETWORK -remarks: IP hijacker located somehwere in AP, suspected to be part of the "Asline" IP hijacking gang, tampers with RIR data +remarks: IP hijacker located somewhere in AP, suspected to be part of the "Asline" IP hijacking gang, tampers with RIR data country: AP aut-num: AS136933 @@ -923,6 +943,11 @@ descr: Incomparable(HK)Network Co., Limited remarks: ISP and/or IP hijacker located in AP area, tampers with RIR data country: AP +aut-num: AS141746 +descr: Orenji Server +remarks: IP hijacker located somewhere in AP area (JP?) +country: AP + aut-num: AS196682 descr: FLP Kochenov Aleksej Vladislavovich remarks: ISP located in UA, but RIR data for announced prefixes all say EU @@ -933,11 +958,6 @@ descr: ALEXHOST SRL remarks: ISP located in MD, majority of RIR data for announced prefixes contain garbage, we cannot trust this network country: MD -aut-num: AS200391 -descr: KREZ 999 EOOD -remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data -country: BG - aut-num: AS200699 descr: Datashield, Inc. remarks: fake offshore location (SC), traces back to NL 
@@ -1028,6 +1048,11 @@ descr: Genius Guard / Genius Security Ltd. remarks: another shady customer of "DDoS Guard Ltd.", probably located in RU country: RU +aut-num: AS206819 +descr: ANSON NETWORK LIMITED +remarks: Autonomous System registered to UK letterbox company, traces back through shady ISPs to TW +country: TW + aut-num: AS206898 descr: Server Hosting Pty Ltd remarks: ISP located in NL, but some RIR data for announced prefixes contain garbage @@ -1063,11 +1088,6 @@ descr: Altrosky Technology Ltd. remarks: fake offshore location (SC), traces back to CZ and NL country: EU -aut-num: AS207812 -descr: DM AUTO EOOD -remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data -country: BG - aut-num: AS208046 descr: Maximilian Kutzner trading as HostSlick remarks: traces back to NL, but some RIR data for announced prefixes contain garbage @@ -1248,6 +1268,11 @@ descr: Sun Network Company Limited remarks: IP hijacker, traces back to AP region country: AP +aut-num: AS328608 +descr: Africa on Cloud +remarks: ... for some reason, I doubt a _real_ African ISP would announce solely hijacked prefixes +country: AP + aut-num: AS328703 descr: Seven Network Inc. remarks: traces back to ZA 
@@ -1313,25 +1338,25 @@ descr: Wolverine Trading, LLC remarks: IP hijacker located in US, tampers with RIR data country: US -net: 5.1.68.0/24 -descr: GaiacomLC -remarks: routed to DE, inaccurate RIR data -country: DE +net: 5.1.68.0/24 +descr: GaiacomLC +remarks: routed to DE, inaccurate RIR data +country: DE -net: 5.1.69.0/24 -descr: GaiacomLC -remarks: routed to DE, inaccurate RIR data -country: DE +net: 5.1.69.0/24 +descr: GaiacomLC +remarks: routed to DE, inaccurate RIR data +country: DE -net: 5.1.83.0/24 -descr: GaiacomLC -remarks: routed to DE, inaccurate RIR data -country: DE +net: 5.1.83.0/24 +descr: GaiacomLC +remarks: routed to DE, inaccurate RIR data +country: DE -net: 5.1.88.0/24 -descr: GaiacomLC -remarks: routed to DE, inaccurate RIR data -country: DE +net: 5.1.88.0/24 +descr: GaiacomLC +remarks: routed to DE, inaccurate RIR data +country: DE net: 5.252.32.0/22 descr: StormWall s.r.o. @@ -1413,6 +1438,11 @@ descr: Golden Internet LLC remarks: fake location (KP), WHOIS contact points to RU country: RU +net: 91.90.120.0/24 +descr: M247 LTD, Greenland Infrastructure +remarks: ... traces back to CA +country: CA + net: 91.149.194.0/24 descr: IP Volume Ltd. / Epik remarks: fake location (CH), traces back to SE @@ -1488,10 +1518,10 @@ descr: Intelcom Group Ltd remarks: fake offshore location (SC), traces back to RU country: RU -net: 185.140.204.0/22 -descr: Hornetsecurity GmbH -remarks: all suballocations are used in DE, but are assigned to US -country: DE +net: 185.140.204.0/22 +descr: Hornetsecurity GmbH +remarks: all suballocations are used in DE, but are assigned to US +country: DE net: 185.175.93.0/24 descr: Perfect Hosting Solutions diff --git a/overrides/override-xd.txt b/overrides/override-xd.txt index 7df6188..29057d9 100644 --- a/overrides/override-xd.txt +++ b/overrides/override-xd.txt 
@@ -26,24 +26,57 @@ # Please keep this file sorted. # +aut-num: AS39770 +descr: 1337TEAM LIMITED / eliteteam[.]to +remarks: Owned by an offshore letterbox company, suspected rogue ISP +drop: yes + aut-num: AS48090 descr: PPTECHNOLOGY LIMITED remarks: bulletproof ISP (related to AS204655) located in NL country: NL drop: yes +aut-num: AS49447 +descr: Nice IT Services Group Inc. +remarks: Rogue ISP located in CH, but some RIR data for announced prefixes contain garbage +country: CH +drop: yes + +aut-num: AS51381 +descr: 1337TEAM LIMITED / eliteteam[.]to +remarks: Owned by an offshore letterbox company, suspected rogue ISP +country: RU +drop: yes + +aut-num: AS55303 +descr: Eagle Sky Co., Lt[d ?] +remarks: Autonomous System registered to offshore company, abuse contact is a freemail address, address says "0 Market Square, P.O. Box 364, Belize", seems to trace to some location in AP vicinity +country: AP +drop: yes + aut-num: AS56611 descr: REBA Communications BV remarks: bulletproof ISP (related to AS202425) located in NL country: NL drop: yes +aut-num: AS56873 +descr: 1337TEAM LIMITED / eliteteam[.]to +remarks: Owned by an offshore letterbox company, suspected rogue ISP +drop: yes + aut-num: AS57717 descr: FiberXpress BV remarks: bulletproof ISP (related to AS202425) located in NL country: NL drop: yes +aut-num: AS60424 +descr: 1337TEAM LIMITED / eliteteam[.]to +remarks: Owned by an offshore letterbox company, suspected rogue ISP +drop: yes + aut-num: AS62068 descr: SpectraIP B.V. remarks: bulletproof ISP (linked to AS202425 et al.) located in NL @@ -62,6 +95,12 @@ remarks: bulletproof ISP (linked to AS202425 et al.) located in NL country: NL drop: yes +aut-num: AS200391 +descr: KREZ 999 EOOD +remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data +country: BG +drop: yes + aut-num: AS202425 descr: IP Volume Inc. remarks: bulletproof ISP (aka: AS29073 / Ecatel Ltd. / Quasi Networks Ltd.) located in NL 
@@ -74,6 +113,12 @@ remarks: bulletproof ISP and IP hijacker, related to AS202425 and AS62355, trace country: NL drop: yes +aut-num: AS207812 +descr: DM AUTO EOOD +remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data +country: BG +drop: yes + aut-num: AS204655 descr: Novogara Ltd. remarks: bulletproof ISP (strongly linked to AS202425) located in NL @@ -85,3 +130,8 @@ descr: Datapacket Maroc SARL remarks: bulletproof ISP (strongly linked to AS202425) located in NL country: NL drop: yes + +net: 2a10:9700::/29 +descr: 1337TEAM LIMITED / eliteteam[.]to +remarks: Owned by an offshore letterbox company, suspected rogue ISP +drop: yes
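Review bot: net 185.215.113.0/24 (override-a1.txt, hunk at -1430) and net 196.61.192.0/20 (override-a1.txt, hunk at -1692) are deleted but never re-added in override-other.txt or override-xd.txt, unlike the AS entries and 2a10:9700::/29 that this patch moves. If the IPv4 /24 is meant to be covered by the 1337TEAM AS entries that now carry "drop: yes", and the /20 is being retired on purpose, please say so in the commit message; otherwise re-add them in the file where they belong so the classification is not silently lost.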
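Review bot: AS206819 is re-added in override-other.txt (hunk at -1028) with "country: TW" only, so it loses the "is-anonymous-proxy: yes" flag it had in override-a1.txt, and nothing in the commit message explains why. Consumers that act on the anonymous-proxy flag will treat this AS differently after the change; please state the reason for the downgrade in the commit message or keep the flag.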
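Review bot: the new AS328608 entry in override-other.txt (hunk at -1248) sets "country: AP", but its remarks line starts with "..." and gives no evidence for AP, only a doubt that the operator is a real African ISP. The new remarks for AS5408 (hunk at -85) and 91.90.120.0/24 (hunk at -1413) start with the same "..." placeholder. Suggest replacing the placeholder with the actual observation (for example where traces end), in the style of the neighbouring entries, so the override can be re-checked later.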
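Review bot: in override-other.txt the hunks at -1313 and -1488 remove and re-add 5.1.68.0/24, 5.1.69.0/24, 5.1.83.0/24, 5.1.88.0/24 and 185.140.204.0/22 with the same field values, which reads as a whitespace or alignment-only change mixed into a content patch. Please mention the cleanup in the commit message, or move it into its own commit together with the "somehwere" spelling fixes, so the functional changes are easier to audit.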
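Review bot: in override-xd.txt (hunk at -74) the new AS207812 block is inserted before AS204655, which breaks the "Please keep this file sorted." rule stated at the top of the file. Move the AS207812 entry after AS204655, and check it against the AS number of the "Datapacket Maroc SARL" entry that follows, which is not visible in this hunk.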