From patchwork Thu Jan 6 11:25:39 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 4955
Date: Thu, 6 Jan 2022 12:25:39 +0100
To: "IPFire: Location"
From: Peter Müller
Subject: [PATCH] overrides-{a1,other,xd}: Regular batch of various overrides
X-BeenThere: location@lists.ipfire.org

Signed-off-by: Peter Müller --- overrides/override-a1.txt | 26 +++----- overrides/override-other.txt | 125 +++++++++++++++++------------------ overrides/override-xd.txt | 96 +++++++++++++++++++++++++-- 3 files changed, 163 insertions(+), 84 deletions(-) diff --git a/overrides/override-a1.txt b/overrides/override-a1.txt index 7365738..5b620fe 100644 --- a/overrides/override-a1.txt +++ b/overrides/override-a1.txt 
@@ -34,11 +34,6 @@ descr: Maginfo remarks: VPN provider is-anonymous-proxy: yes -aut-num: AS13487 -descr: ULTRA PACKET LLC -remarks: Loaded with proxies, see also: https://krebsonsecurity.com/2019/08/the-rise-of-bulletproof-residential-networks/ -is-anonymous-proxy: yes - aut-num: AS16255 descr: IRIDIUM PROVIDER LTD remarks: VPN provider [high confidence, but not proofed] located in RU @@ -300,21 +295,11 @@ descr: Castle VPN remarks: VPN provider is-anonymous-proxy: yes -aut-num: AS397539 -descr: LAKSH CYBERSECURITY AND DEFENSE LLC -remarks: Loaded with proxies, see also: https://krebsonsecurity.com/2019/08/the-rise-of-bulletproof-residential-networks/ -is-anonymous-proxy: yes - aut-num: AS397685 descr: Business VPN LLC remarks: VPN provider is-anonymous-proxy: yes -aut-num: AS397770 -descr: LAKSH CYBERSECURITY AND DEFENSE LLC -remarks: Loaded with proxies, see also: https://krebsonsecurity.com/2019/08/the-rise-of-bulletproof-residential-networks/ -is-anonymous-proxy: yes - aut-num: AS397881 descr: Stingers, Inc. remarks: Loaded with proxies, see also: https://krebsonsecurity.com/2019/08/the-rise-of-bulletproof-residential-networks/ @@ -341,6 +326,12 @@ descr: Tunbroker LLC remarks: Loaded with proxies, see also: https://krebsonsecurity.com/2019/08/the-rise-of-bulletproof-residential-networks/ is-anonymous-proxy: yes +aut-num: AS399587 +descr: UT +remarks: Loaded with proxies, see also: https://krebsonsecurity.com/2019/08/the-rise-of-bulletproof-residential-networks/ +is-anonymous-proxy: yes +country: US + aut-num: AS399928 descr: STELLAR PROXIES remarks: VPN or open proxy provider 
@@ -1174,6 +1165,11 @@ descr: IPNET-VPNS remarks: VPN provider [high confidence, but not proofed] is-anonymous-proxy: yes +net: 166.137.0.0/16 +descr: Service Provider Corporation +remarks: Loaded with proxies, see also: https://krebsonsecurity.com/2019/08/the-rise-of-bulletproof-residential-networks/ +is-anonymous-proxy: yes + net: 169.239.152.0/22 descr: AfriVPN Ltd remarks: VPN provider, traces back to ZA diff --git a/overrides/override-other.txt b/overrides/override-other.txt index 8b228af..56bb12e 100644 --- a/overrides/override-other.txt +++ b/overrides/override-other.txt @@ -82,7 +82,7 @@ remarks: has no sane AS name set in APNIC DB aut-num: AS4842 descr: Tianhai InfoTech -remarks: IP hijacker located somewhere in AP, massively tampers with RIR data +remarks: IP hijacker located somewhere in AP, tampers with RIR data country: AP aut-num: AS5408 @@ -146,18 +146,18 @@ country: US aut-num: AS15828 descr: Blue Diamond Network Co., Ltd. -remarks: Hiding behind fake ISP Navitgo LLC (AS59721), tampers with RIR data -country: NL +remarks: Shady ISP located somewhere in AP +country: AP + +aut-num: AS16262 +descr: Datacheap Ltd. +remarks: ISP located in RU, but some RIR data for announced prefixes contain garbage +country: RU aut-num: AS18185 name: Northern Taiwan Community University remarks: has no sane AS name set in APNIC DB -aut-num: AS18254 -descr: KLAYER LLC -remarks: part of the "Asline" IP hijacking gang, traces back to AP region -country: AP - aut-num: AS18530 descr: Isomedia, Inc. remarks: ISP located in US, but some RIR data for announced prefixes contain garbage @@ -178,6 +178,11 @@ descr: xTom Pty. Ltd. remarks: ISP located in AU, RIR data for announced prefixes contain garbage country: AU +aut-num: AS24413 +descr: Sunrise +remarks: ISP located in somewhere in AP +country: AP + aut-num: AS24700 descr: Yes Networks Unlimited Ltd remarks: traces to UA, but some RIR entries seem to contain garbage (VG) 
@@ -258,6 +263,16 @@ descr: Petersburg Internet Network Ltd. remarks: ISP located in RU, but some RIR data for announced prefixes contain garbage country: RU +aut-num: AS34806 +descr: ASLINE LIMITED +remarks: ... located in HK +country: HK + +aut-num: AS34985 +descr: Kirin Communication Limited +remarks: ISP located in JP, but some RIR data for announced prefixes contain garbage +country: JP + aut-num: AS35042 descr: IP Interactive UG (haftungsbeschraenkt) remarks: ISP located in BG, but RIR data for announced prefixes contain garbage @@ -568,6 +583,11 @@ descr: PEG TECH INC remarks: ISP and/or IP hijacker located in US this time, tampers with RIR data country: US +aut-num: AS55330 +descr: AFGHANTELECOM GOVERNMENT COMMUNICATION NETWORK +remarks: For some reason, some "Airbus Defence and Space AS" prefixes are announced by this one... +country: AF + aut-num: AS55836 descr: Reliance Jio Infocomm Limited remarks: ISP located in IN, but some RIR data for announced prefixes contain garbage @@ -703,6 +723,11 @@ descr: 4b42 UG (haftungsbeschränkt) remarks: ... who thinks messing with countries is funny :-/ country: LI +aut-num: AS61635 +descr: GOPLEX TELECOMUNICACOES E INTERNET LTDA - ME +remarks: ... traces back to NL +country: NL + aut-num: AS61977 descr: Vivo Trade L.P. remarks: another shady customer of "DDoS Guard Ltd." @@ -738,11 +763,6 @@ descr: SWISS GLOBAL SERVICES S.A.S. remarks: ... surprisingly, all of their prefixes are hosted in CH, yet they claim CO or PA for them country: CH -aut-num: AS64437 -descr: NForce Entertainment BV -remarks: currently hijacks a single stolen /20 AfriNIC IPv4 net, hosted in NL -country: NL - aut-num: AS131685 descr: Sun Network (Hong Kong) Limited remarks: ISP and/or IP hijacker located somewhere in AP 
@@ -760,8 +780,8 @@ country: HK aut-num: AS133201 descr: ABCDE GROUP COMPANY LIMITED -remarks: ISP and/or IP hijacker located somewhere in AP -country: AP +remarks: ISP and/or IP hijacker located in HK +country: HK aut-num: AS133441 descr: CloudITIDC Global @@ -779,8 +799,8 @@ remarks: IP hijacker located somewhere in AP area, suspected to be part of the " country: AP aut-num: AS134196 -descr: ULan Network Limited -remarks: part of the "Asline" IP hijacking gang, tampers with RIR data, traces back to AP region +descr: Cloudie Limited +remarks: part of the "Asline" IP hijacking gang, tampers with RIR data, traces back to AP region (HK? CN?) country: AP aut-num: AS134351 @@ -808,16 +828,6 @@ descr: Optix Pakistan (Pvt.) Limited remarks: ISP located in PK, some RIR data for announced prefixes (bogons?) contain garbage country: PK -aut-num: AS136545 -descr: Blue Data Center -remarks: IP hijacker located somewhere in AP area, tampers with RIR data -country: AP - -aut-num: AS136800 -descr: ICIDC NETWORK -remarks: IP hijacker located somewhere in AP, suspected to be part of the "Asline" IP hijacking gang, tampers with RIR data -country: AP - aut-num: AS136933 descr: Gigabitbank Global / Anchnet Asia Limited (?) remarks: IP hijacker located somewhere in AP area, suspected to be part of the "Asline" IP hijacking gang, tampers with RIR data @@ -835,13 +845,8 @@ country: HK aut-num: AS137523 descr: HONGKONG CLOUD NETWORK TECHNOLOGY CO., LIMITED -remarks: IP hijacker located in AP area, tampers with RIR data -country: AP - -aut-num: AS137951 -descr: Clayer Limited -remarks: part of the "Asline" IP hijacking gang, tampers with RIR data, traces back to AP region -country: AP +remarks: ISP and IP hijacker located in HK, tampers with RIR data +country: HK aut-num: AS138195 descr: MOACK.Co.LTD 
@@ -923,11 +928,6 @@ descr: Full Time Hosting remarks: ISP located in DE, tampers with RIR data country: DE -aut-num: AS141159 -descr: Incomparable(HK)Network Co., Limited -remarks: ISP and/or IP hijacker located in AP area, tampers with RIR data -country: AP - aut-num: AS141746 descr: Orenji Server remarks: IP hijacker located somewhere in AP area (JP?) @@ -1153,11 +1153,6 @@ descr: JMT Paso Limited remarks: ISP located in NL, but RIR data for announced prefixes contain garbage country: NL -aut-num: AS211849 -descr: Kakharov Orinbassar Maratuly -remarks: ISP and/or IP hijacker located in RU, but RIR data for announced prefixes contain garbage -country: RU - aut-num: AS211992 descr: WFD SERVICE LTD remarks: ISP located in NL, but RIR data for announced prefixes contain garbage @@ -1238,6 +1233,11 @@ descr: Udasha S.A. remarks: traceroutes dead-end somewhere near NYC, US country: US +aut-num: AS264097 +descr: WIID Telecomunicai¿½i¿½es do Brasil +remarks: ... traces back to NL +country: NL + aut-num: AS267784 descr: Flyservers S.A. remarks: ISP located in NL, but RIR data for most announced prefixes contain garbage @@ -1258,11 +1258,6 @@ descr: Xhostserver LLC remarks: ISP located in ZA, many RIR data for announced prefixes contain garbage country: ZA -aut-num: AS328543 -descr: Sun Network Company Limited -remarks: IP hijacker, traces back to AP region -country: AP - aut-num: AS328608 descr: Africa on Cloud remarks: ... for some reason, I doubt a _real_ African ISP would announce solely hijacked prefixes 
@@ -1293,16 +1288,16 @@ descr: Leaseweb USA, Inc. remarks: ISP located in US, but some RIR data for announced prefixes contain garbage country: US +aut-num: AS397423 +descr: Tier.Net Technologies LLC +remarks: ISP located in US, but some RIR data for announced prefixes contain garbage +country: US + aut-num: AS398343 descr: Baxet Group Inc. remarks: traceroutes dead-end near Moscow, RU country: RU -aut-num: AS398478 -descr: PEG TECH INC -remarks: ISP located in HK, tampers with RIR data -country: HK - aut-num: AS398823 descr: PEG TECH INC remarks: ISP and/or IP hijacker located in HK, tampers with RIR data @@ -1320,7 +1315,7 @@ country: HK aut-num: AS399471 descr: Serverion LLC -remarks: ISP located in NL, RIR data contain garbage +remarks: ISP located in NL, some RIR data contain garbage country: NL aut-num: AS399077 @@ -1418,26 +1413,21 @@ descr: US AFG 20200130 remarks: claims to be located in US, but traces back to SK country: SK +net: 45.155.121.0/24 +descr: Itace International Limited +remarks: claims to be located in HK, but traces back to RO +country: RO + net: 47.60.0.0/14 descr: Vodafone US Inc. remarks: large Vodafone IP chunk used in ES, but assigned by ARIN (inaccurate data) country: ES -net: 80.240.96.0/24 -descr: LLC RusTel -remarks: fake location (RU), traces back to HK -country: HK - net: 85.202.80.0/24 descr: Amarutu Technology Ltd. / KoDDoS / ESecurity remarks: fake offshore location (BZ), traces back to US country: US -net: 88.151.117.0/24 -descr: Golden Internet LLC -remarks: fake location (KP), WHOIS contact points to RU -country: RU - net: 91.90.120.0/24 descr: M247 LTD, Greenland Infrastructure remarks: ... traces back to CA 
@@ -1588,6 +1578,11 @@ descr: NetConn Services Ltd remarks: APNIC chunk owned by a HK-based company, routed to AP region, but assigned to SC country: AP +net: 193.176.24.0/22 +descr: REACOM GmbH +remarks: The entire network is used out of RU +country: RU + net: 193.186.196.0/22 descr: QUIKA LTD remarks: claims to be located in DE, traces back to GB diff --git a/overrides/override-xd.txt b/overrides/override-xd.txt index b669621..76ceab3 100644 --- a/overrides/override-xd.txt +++ b/overrides/override-xd.txt @@ -26,16 +26,34 @@ # Please keep this file sorted. # +aut-num: AS18254 +descr: KLAYER LLC +remarks: part of the "Asline" IP hijacking gang, traces back to AP region +country: AP +drop: yes + aut-num: AS18013 descr: ASLINE LIMITED -remarks: IP hijacker, traces back to AP region -country: AP +remarks: IP hijacker, traces back to HK +country: HK +drop: yes + +aut-num: AS211849 +descr: Kakharov Orinbassar Maratuly +remarks: ISP and IP hijacker located in RU, many RIR data for announced prefixes contain garbage +country: RU +drop: yes + +aut-num: AS24009 +descr: LANLIAN INTERNATIONAL HOLDING GROUP LIMITED +remarks: IP hijacker and bulletproof ISP, possibly located near Los Angeles, US +country: US drop: yes aut-num: AS22769 descr: DDOSING NETWORK -remarks: IP hijacker located somewhere in AP, massively tampers with RIR data -country: AP +remarks: IP hijacker located in US, massively tampers with RIR data +country: US drop: yes aut-num: AS24009 @@ -119,6 +137,11 @@ descr: 1337TEAM LIMITED / eliteteam[.]to remarks: Owned by an offshore letterbox company, suspected rogue ISP drop: yes +aut-num: AS61414 +descr: EDGENAP LTD +remarks: IP hijacking? Rogue ISP? +drop: yes + aut-num: AS62068 descr: SpectraIP B.V. remarks: bulletproof ISP (linked to AS202425 et al.) located in NL 
@@ -131,6 +154,41 @@ remarks: bulletproof ISP (linked to AS202425 et al.) located in NL country: NL drop: yes +aut-num: AS136545 +descr: Blue Data Center +remarks: IP hijacker located somewhere in AP area, tampers with RIR data +country: AP +drop: yes + +aut-num: AS136800 +descr: ICIDC NETWORK +remarks: IP hijacker located in HK, suspected to be part of the "Asline" IP hijacking gang, tampers with RIR data +country: HK +drop: yes + +aut-num: AS137951 +descr: Clayer Limited +remarks: part of the "Asline" IP hijacking gang, tampers with RIR data, traces back to HK +country: HK +drop: yes + +aut-num: AS138648 +descr: ASLINE Global Exchange +remarks: IP hijacker located somewhere in AP area +country: AP +drop: yes + +aut-num: AS140107 +descr: CITIS CLOUD GROUP LIMITED +remarks: part of the "Asline" IP hijacking gang, tampers with RIR data, location unknown (AP? HK? US?) +drop: yes + +aut-num: AS141159 +descr: Incomparable(HK)Network Co., Limited +remarks: ISP and IP hijacker located in HK, tampers with RIR data +country: HK +drop: yes + aut-num: AS200391 descr: KREZ 999 EOOD remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data @@ -149,6 +207,12 @@ remarks: bulletproof ISP and IP hijacker, related to AS202425 and AS62355, trace country: NL drop: yes +aut-num: AS204428 +descr: SS-Net +remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data +country: BG +drop: yes + aut-num: AS204655 descr: Novogara Ltd. remarks: bulletproof ISP (strongly linked to AS202425) located in NL 
@@ -167,18 +231,42 @@ remarks: bulletproof ISP operating from a war zone in eastern UA country: UA drop: yes +aut-num: AS211193 +descr: ABDILAZIZ UULU ZHUSUP +remarks: bulletproof ISP and IP hijacker, traces to RU +country: RU +drop: yes + aut-num: AS213058 descr: Private Internet Hosting LTD remarks: bulletproof ISP located in RU country: RU drop: yes +aut-num: AS328543 +descr: Sun Network Company Limited +remarks: IP hijacker, traces back to AP region +country: AP +drop: yes + aut-num: AS328671 descr: Datapacket Maroc SARL remarks: bulletproof ISP (strongly linked to AS202425) located in NL country: NL drop: yes +aut-num: AS398478 +descr: PEG TECH INC +remarks: ISP located in HK, tampers with RIR data +country: HK +drop: yes + +net: 196.11.32.0/20 +descr: Sanlam Life Insurance Limited +remarks: Stolen AfriNIC IPv4 space announced from NL +country: NL +drop: yes + net: 2a0e:b107:d10::/44 descr: NZB.si Enterprises remarks: Tampers with RIR data, not a safe place to route traffic to
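Review bot: The commit message has no body, so the removal of AS13487, AS397539 and AS397770 in the @@ -34,11 +34,6 @@ and @@ -300,21 +295,11 @@ hunks of override-a1.txt is unexplained. None of the three reappears in override-other.txt or override-xd.txt in this patch, so they lose `is-anonymous-proxy: yes` outright, while AS397881 stays listed with the identical remark. Please add a sentence to the commit message saying why these three were delisted, so the decision can be audited later.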
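Review bot: `descr: UT` on the new AS399587 block in the @@ -341,6 +326,12 @@ hunk of override-a1.txt is too short to identify the network to anyone reading the file later; please use the full name as registered. The block also sets `country: US`, which no other override-a1.txt entry visible in this patch does, and the remark gives no basis for it. If the country override is intended, say in `remarks:` what it is based on.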
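Review bot: `net: 166.137.0.0/16` in the @@ -1174,6 +1165,11 @@ hunk of override-a1.txt marks 65,536 addresses as anonymous proxy, and the only justification is the generic article link reused from the AS-level entries. The neighbouring net entry in the same hunk is a /22. Either narrow this to the prefixes actually observed hosting proxies or record in `remarks:` why the whole /16 qualifies, since consumers of this flag will treat every address in the range as a proxy.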
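Review bot: Two of the added lines in override-other.txt carry text defects. In the @@ -178,6 +178,11 @@ hunk, `remarks: ISP located in somewhere in AP` for AS24413 should read "ISP located somewhere in AP". In the @@ -1238,6 +1233,11 @@ hunk, the `descr:` for AS264097 contains a broken byte sequence (`Telecomunicai¿½i¿½es`); the file holds UTF-8 elsewhere (`haftungsbeschränkt`), so please re-enter the name with the correct characters.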
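Review bot: AS34806 (ASLINE LIMITED) is added to override-other.txt in the @@ -258,6 +263,16 @@ hunk with only `remarks: ... located in HK` and no drop flag, while the same patch keeps AS18013 (ASLINE LIMITED) and adds AS138648 (ASLINE Global Exchange) in override-xd.txt with `drop: yes`. If AS34806 belongs to the same operator, it is treated inconsistently; if it is considered benign, the remark should say so, because the leading "..." gives no reason for the entry at all.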
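Review bot: The added AS24009 block (LANLIAN INTERNATIONAL HOLDING GROUP LIMITED) in the @@ -26,16 +26,34 @@ hunk of override-xd.txt duplicates an existing entry: the trailing context of that same hunk ends on an unchanged `aut-num: AS24009` line. Drop the new block or merge its remark into the existing one. The hunk also breaks the "Please keep this file sorted." rule from the header comment directly above it: AS18254 is inserted ahead of AS18013, and AS211849 sits between AS18013 and AS22769 although AS211193 and AS213058 are placed much further down in the @@ -167,18 +231,42 @@ hunk.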
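Review bot: `drop: yes` for AS61414 (EDGENAP LTD) in the @@ -119,6 +137,11 @@ hunk of override-xd.txt rests on a remark that consists of two questions, `remarks: IP hijacking? Rogue ISP?`, and the block has no `country:` line. Since drop is the strongest action these files can express, the remark should state what was observed (for example, which prefixes or which RIR data), or the entry should wait until that is known. AS140107 in the following hunk has the same gap: `location unknown (AP? HK? US?)` and no country.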
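Review bot: AS398478 (PEG TECH INC) is moved into override-xd.txt in the @@ -167,18 +231,42 @@ hunk with `drop: yes`, but its remark is carried over unchanged as `ISP located in HK, tampers with RIR data` and names no hijacking or abuse. Other entries promoted in this patch had their remarks updated to match (AS141159 became "ISP and IP hijacker located in HK"), and AS398823, also PEG TECH INC and described as "ISP and/or IP hijacker", stays in override-other.txt without a drop flag. Please update the AS398478 remark to give the reason for dropping it, and confirm whether AS398823 should be handled the same way.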