From patchwork Sun Jan 16 11:28:07 2022
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 4972
Date: Sun, 16 Jan 2022 11:28:07 +0000
To: "IPFire: Location"
From: Peter Müller
Subject: [PATCH v2] override-{a1, other, xd}: Regular batch of various overrides

The second version of this patch keeps a necessary override for AS207812, which was mistakenly deleted completely in the first version.

Signed-off-by: Peter Müller
--- overrides/override-a1.txt | 5 ++ overrides/override-other.txt | 97 +++++++++++++++++++----------------- overrides/override-xd.txt | 66 +++++++++++++++++++++--- 3 files changed, 116 insertions(+), 52 deletions(-) diff --git a/overrides/override-a1.txt b/overrides/override-a1.txt index 43e0174..a97e7ce 100644 --- a/overrides/override-a1.txt
+++ b/overrides/override-a1.txt @@ -639,6 +639,11 @@ descr: Gabor Marton remarks: Loaded with proxies, see also: https://krebsonsecurity.com/2019/08/the-rise-of-bulletproof-residential-networks/ is-anonymous-proxy: yes +net: 45.203.128.0/18 +descr: ProxyWow LLC +remarks: CloudInnovation space leased to "ProxyWow LLC" - not a safe area to accept traffic from anyways +is-anonymous-proxy: yes + net: 45.220.72.0/22 descr: Low budget VPN service remarks: VPN provider diff --git a/overrides/override-other.txt b/overrides/override-other.txt index 89ad8e0..a8faabf 100644 --- a/overrides/override-other.txt +++ b/overrides/override-other.txt @@ -63,6 +63,11 @@ aut-num: AS4134 name: Chinanet Backbone remarks: has no sane AS name set in APNIC DB +aut-num: AS4609 +descr: Companhia de Telecomunicacones de Macau SARL +remarks: ISP located in MO, but some RIR data needs manual correction due to ARIN DB situation +country: MO + aut-num: AS4754 name: Software Technology Park of India remarks: has no sane AS name set in APNIC DB @@ -90,6 +95,11 @@ descr: Greek Research and Technology Network (GRNET) S.A. remarks: ... located in GR country: GR +aut-num: AS6079 +descr: RCN +remarks: ISP located in US, but some RIR data for announced prefixes contain garbage +country: US + aut-num: AS6134 descr: XNNET LLC remarks: traces back to HK, seems to tamper with RIR data @@ -208,6 +218,11 @@ descr: Unicycle, LLC remarks: traces back to NL country: NL +aut-num: AS26548 +descr: PureVoltage Hosting Inc. +remarks: ISP and IP hijacker located in US, but some RIR data for announced prefixes contain garbage +country: US + aut-num: AS26636 descr: GBTCloud, Inc. remarks: ISP located in US, but some RIR data for announced prefixes contain garbage 
@@ -263,6 +278,11 @@ descr: Neterra Ltd. remarks: ISP located in BG, but some RIR data for announced prefixes contain garbage country: BG +aut-num: AS34549 +descr: meerfarbig GmbH & Co. KG +remarks: ISP located in DE, but some RIR data for announced prefixes contain garbage +country: DE + aut-num: AS34665 descr: Petersburg Internet Network Ltd. remarks: ISP located in RU, but some RIR data for announced prefixes contain garbage @@ -388,10 +408,10 @@ descr: MLAB Open Source Community remarks: traces back to DE country: DE -aut-num: AS41564 -descr: Orion Network Limited -remarks: shady uplink for a bunch of dirty ISPs in SE (and likely elsewhere in EU), routing stolen AfriNIC networks, RIR data of prefixes announced by this AS cannot be trusted -country: SE +aut-num: AS41378 +descr: Kirino LLC +remarks: traces back to AP vincinity, tampers with RIR data +country: AP aut-num: AS41608 descr: NextGenWebs, S.L. @@ -603,11 +623,6 @@ descr: Reliance Jio Infocomm Limited remarks: ISP located in IN, but some RIR data for announced prefixes contain garbage country: IN -aut-num: AS55933 -descr: Cloudie Limited -remarks: part of the "Asline" IP hijacking gang, tampers with RIR data, traces back to AP region -country: AP - aut-num: AS56322 descr: ServerAstra Kft. remarks: ISP located in HU, but some RIR data for announced prefixes contain garbage 
@@ -633,16 +648,6 @@ descr: Telefonica LLC remarks: ISP located in RU, but some RIR data for announced prefixes contain garbage country: RU -aut-num: AS57858 -descr: Inter Connects Inc. -remarks: part of a dirty ISP conglomerate operating most likely out of SE, hijacking stolen AfriNIC networks, massively tampers with RIR data -country: SE - -aut-num: AS57972 -descr: Inter Connects Inc. -remarks: part of a dirty ISP conglomerate operating most likely out of SE, hijacking stolen AfriNIC networks, massively tampers with RIR data -country: SE - aut-num: AS58061 descr: Scalaxy B.V. remarks: ISP located in NL, but some RIR data for announced prefixes contain garbage @@ -665,8 +670,8 @@ country: BG aut-num: AS58349 descr: INNETRA PC -remarks: another shady customer of "DDoS Guard Ltd.", jurisdiction is probably RU, but traceroutes dead-end somewhere else in EU -country: EU +remarks: ... traceroutes dead-end in NL +country: NL aut-num: AS58879 descr: Shanghai Anchang Network Security Technology Co.,Ltd. @@ -723,11 +728,6 @@ descr: DignusData LLC remarks: ISP located in PL, but _all_ RIR data for announced prefixes contain garbage country: PL -aut-num: AS60485 -descr: Inter Connects Inc. / Jing Yun -remarks: part of a dirty ISP conglomerate operating most likely out of SE, hijacking AfriNIC networks -country: SE - aut-num: AS60546 descr: EU Routing Ltd remarks: fake offshore location (CY), hosted in NL @@ -818,6 +818,11 @@ descr: CloudITIDC Global remarks: ISP and/or IP hijacker located somewhere in AP country: AP +aut-num: AS133613 +descr: MTel telecommunication company ltd. +remarks: ISP and located in MO, but some prefixes needs manual correction due to ARIN DB situation +country: MO + aut-num: AS133752 descr: Leaseweb Asia Pacific pte. ltd. remarks: ISP located in HK, some RIR data for announced prefixes contain garbage 
@@ -853,6 +858,11 @@ descr: LUOGELANG (FRANCE) LIMITED remarks: Shady ISP located in HK, RIR data for announced prefixes contain garbage country: HK +aut-num: AS136167 +descr: China Telecom (Macau) Company Limited +remarks: located in MO, yet some prefixes show CN or HK instead +country: MO + aut-num: AS136274 descr: Cloud Servers Pvt Ltd remarks: ISP located in NL, all RIR data for announced prefixes contain garbage @@ -918,11 +928,6 @@ descr: Cloudflare Sydney, LLC remarks: ... but CF failed to set the country for announced prefixes to AU as well :-/ country: AU -aut-num: AS139330 -descr: SANREN DATA LIMITED -remarks: IP hijacker located somewhere in AP region, tampers with RIR data -country: AP - aut-num: AS139471 descr: HWA CENT TELECOMMUNICATIONS LIMITED remarks: ISP and/or IP hijacker located in AP area, tampers with RIR data @@ -955,7 +960,7 @@ country: HK aut-num: AS139879 descr: Galaxy Broadband -remarks: ISP located in PK, but announces 204.137.128.0/18, which is ARIN space, assigned to "AGIS" / Cogent - odd... +remarks: ISP located in PK, but some RIR data need manual correction due to ARIN DB situation country: PK aut-num: AS140214 @@ -983,10 +988,10 @@ descr: Full Time Hosting remarks: ISP located in DE, tampers with RIR data country: DE -aut-num: AS141746 -descr: Orenji Server -remarks: IP hijacker located somewhere in AP area (JP?) -country: AP +aut-num: AS141677 +descr: Nathosts Limited +remarks: ... located in HK? +country: HK aut-num: AS196682 descr: FLP Kochenov Aleksej Vladislavovich @@ -1138,6 +1143,11 @@ descr: Inteldome Corporation remarks: ... whose location we are unable to determine precisely, but its definitely not MH :-/ country: EU +aut-num: AS207812 +descr: DM AUTO EOOD +remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data +country: BG + aut-num: AS207968 descr: Internetservice Hahn remarks: AQ != DE, you know 
@@ -1198,11 +1208,6 @@ descr: Des Capital B.V. remarks: Shady ISP located in NL, but RIR data for announced prefixes contain garbage country: NL -aut-num: AS210848 -descr: Telkom Internet LTD -remarks: shady ISP currently located in NL -country: NL - aut-num: AS211380 descr: PAYWISE HOLDING Sp. z.o.o. remarks: ISP located in NL, but RIR data for announced prefixes contain garbage @@ -1248,11 +1253,6 @@ descr: MILEGROUP LTD remarks: traceroutes dead-end somewhere in Central Europe country: EU -aut-num: AS212552 -descr: BitCommand LLC -remarks: Hides behind a CDN ISP, traceroutes dead-end somewhere in Central Europe -country: EU - aut-num: AS212667 descr: RECONN LLC remarks: ISP located in RU, but RIR data for announced prefixes contain garbage @@ -1533,6 +1533,11 @@ descr: SpaceX Canada Corp. remarks: Accurate country code missing due to ARIN DB situation, see also: #12746 country: CA +net: 103.126.4.0/23 +descr: Cyber Telecom ISP +remarks: Despite being allocated to AF, traceroutes end in NL +country: NL + net: 103.197.148.0/22 descr: I.C.S. Trabia-Network S.R.L. remarks: fake offshore location (HK), traces back to MD diff --git a/overrides/override-xd.txt b/overrides/override-xd.txt index 738a699..2b50406 100644 --- a/overrides/override-xd.txt +++ b/overrides/override-xd.txt @@ -67,6 +67,12 @@ descr: 1337TEAM LIMITED / eliteteam[.]to remarks: Owned by an offshore letterbox company, suspected rogue ISP drop: yes +aut-num: AS41564 +descr: Orion Network Limited +remarks: shady uplink for a bunch of dirty ISPs in SE (and likely elsewhere in EU), routing stolen AfriNIC networks, RIR data of prefixes announced by this AS cannot be trusted +country: EU +drop: yes + aut-num: AS43092 descr: Kirin Communication Limited remarks: Hijacks IP space and tampers with RIR data, traces back to JP 
@@ -79,6 +85,12 @@ remarks: bulletproof ISP with strong links to RU country: RU drop: yes +aut-num: AS44446 +descr: OOO SibirInvest +remarks: bulletproof ISP (related to AS202425 and AS57717) located in NL +country: NL +drop: yes + aut-num: AS48090 descr: PPTECHNOLOGY LIMITED remarks: bulletproof ISP (related to AS204655) located in NL @@ -109,6 +121,12 @@ remarks: Autonomous System registered to offshore company, abuse contact is a fr country: AP drop: yes +aut-num: AS55933 +descr: Cloudie Limited +remarks: part of the "Asline" IP hijacking gang, tampers with RIR data, traces back to AP region +country: AP +drop: yes + aut-num: AS56611 descr: REBA Communications BV remarks: bulletproof ISP (related to AS202425) located in NL @@ -126,6 +144,18 @@ remarks: bulletproof ISP (related to AS202425) located in NL country: NL drop: yes +aut-num: AS57858 +descr: Inter Connects Inc. +remarks: part of a dirty ISP conglomerate operating most likely out of SE, hijacking stolen AfriNIC networks, massively tampers with RIR data +country: SE +drop: yes + +aut-num: AS57972 +descr: Inter Connects Inc. +remarks: part of a dirty ISP conglomerate operating most likely out of SE, hijacking stolen AfriNIC networks, massively tampers with RIR data +country: SE +drop: yes + aut-num: AS58271 descr: FOP Gubina Lubov Petrivna remarks: bulletproof ISP operating from a war zone in eastern UA @@ -143,6 +173,12 @@ descr: 1337TEAM LIMITED / eliteteam[.]to remarks: Owned by an offshore letterbox company, suspected rogue ISP drop: yes +aut-num: AS60485 +descr: Inter Connects Inc. / Jing Yun +remarks: part of a dirty ISP conglomerate operating most likely out of SE, hijacking AfriNIC networks +country: SE +drop: yes + aut-num: AS61414 descr: EDGENAP LTD remarks: IP hijacking? Rogue ISP? 
@@ -190,6 +226,12 @@ remarks: IP hijacker located somewhere in AP area country: AP drop: yes +aut-num: AS139330 +descr: SANREN DATA LIMITED +remarks: IP hijacker located somewhere in AP region, tampers with RIR data +country: AP +drop: yes + aut-num: AS140107 descr: CITIS CLOUD GROUP LIMITED remarks: part of the "Asline" IP hijacking gang, tampers with RIR data, location unknown (AP? HK? US?) @@ -201,6 +243,12 @@ remarks: ISP and IP hijacker located in HK, tampers with RIR data country: HK drop: yes +aut-num: AS141746 +descr: Orenji Server +remarks: IP hijacker located somewhere in AP area (JP?) +country: AP +drop: yes + aut-num: AS200391 descr: KREZ 999 EOOD remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data @@ -231,24 +279,30 @@ remarks: bulletproof ISP (strongly linked to AS202425) located in NL country: NL drop: yes -aut-num: AS207812 -descr: DM AUTO EOOD -remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data -country: BG -drop: yes - aut-num: AS209272 descr: Alviva Holding Limited remarks: bulletproof ISP operating from a war zone in eastern UA country: UA drop: yes +aut-num: AS210848 +descr: Telkom Internet LTD +remarks: Rogue ISP (linked to AS202425) located in NL +country: NL +drop: yes + aut-num: AS211193 descr: ABDILAZIZ UULU ZHUSUP remarks: bulletproof ISP and IP hijacker, traces to RU country: RU drop: yes +aut-num: AS212552 +descr: BitCommand LLC +remarks: Dirty ISP located somewhere in EU, cannot trust RIR data of this network +country: EU +drop: yes + aut-num: AS213058 descr: Private Internet Hosting LTD remarks: bulletproof ISP located in RU
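Review bot: In overrides/override-a1.txt, the new 45.203.128.0/18 entry sets is-anonymous-proxy: yes, but its remarks line only names the lessee and adds an opinion ("not a safe area to accept traffic from anyways"); nothing in it shows that the range hosts proxies. The entry directly above links a source after "see also:". Suggest adding a comparable reference, or the observation the flag is based on, and dropping the opinion clause.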
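Review bot: In overrides/override-other.txt (hunk at -208,6), the new AS26548 entry calls the operator an "ISP and IP hijacker" yet only sets country: US. The same patch moves other ASes whose remarks say "IP hijacker" (AS139330, AS141746) into override-xd.txt with drop: yes. Either reword the remark or state why this AS stays out of the drop list.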
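Review bot: In overrides/override-other.txt (hunk at -388,10), the remark of the new AS41378 entry has a typo: "vincinity" should be "vicinity". The remark also says the AS "tampers with RIR data" without saying what the AP assignment is based on; a short note on the evidence (for example a traceroute result, as other entries give) would make the entry easier to re-check later.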
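Review bot: In overrides/override-other.txt (hunk at -983,10), the new AS141677 entry sets country: HK while its remark reads "... located in HK?", so the file records a guess as a fact. State what the HK assignment rests on, in the way other entries say "traces back to" or "traceroutes dead-end in", or leave the entry out until that is known.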
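Review bot: The AS207812 entry added to overrides/override-other.txt (hunk at -1138,6) carries the same descr and remarks that the override-xd.txt hunk at -231,24 removes, but without drop: yes. The net effect is that this AS leaves the drop list while still being described as a "shady customer" that "tampers with RIR data". The commit message only says the override is kept; it should say why the drop flag is withdrawn, or the entry should stay in override-xd.txt.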
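Review bot: In overrides/override-xd.txt (hunk at -67,6), AS41564 is re-added with country: EU, whereas the entry removed from override-other.txt had country: SE and the unchanged remark still speaks of "dirty ISPs in SE". If the change to EU is intended, adjust the remark or mention the reason in the commit message; otherwise keep SE, as the AS57858, AS57972 and AS60485 entries moved in the same patch do.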
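Review bot: In the last overrides/override-xd.txt hunk (at -231,24), the AS212552 remark loses the one concrete observation the removed override-other.txt entry had ("Hides behind a CDN ISP, traceroutes dead-end somewhere in Central Europe") and now reads "Dirty ISP located somewhere in EU, cannot trust RIR data of this network", while the entry gains drop: yes. Keep the traceroute observation in the remark and add what justifies the drop, as the AS210848 entry in the same hunk does by naming its link to AS202425.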