From patchwork Thu Apr 29 20:05:53 2021
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 4231
To: "IPFire: Location"
From: Peter Müller
Subject: [PATCH 1/3] override-other: mitigate tampered RIR data from customers of Tamatiya EOOD / 4Vendeta
Message-ID: <0d4f7143-439c-29fe-d15f-76f28371c2f2@ipfire.org>
Date: Thu, 29 Apr 2021 22:05:53 +0200

AS50360 has an impressive history of providing IP transit services to shady Autonomous Systems, and continues to do so. While the announcement of prefixes with tampered RIR data by AS50360 itself has ceased within the past years, its customers continue to propagate IP space with faked country information.

We cannot trust these networks, which is why we pin them on BG altogether, as they are all hosted in Sofia, Bulgaria:

 1. X
 2. X
 3. AS9002 ae5-10.RT.TLP.SOF.BG.retn.net (87.245.232.164) <= RETN infrastructure in Telehouse Sofia, BG
 4. AS9002 GW-Tamatiya.retn.net (87.245.240.159) <= Gateway to Tamatiya / 4Vendeta
 5. AS50360 ip-25-22.4vendeta.com (195.230.25.22) <= And BOOM goes the dynamite...
 6. (waiting for reply)

 1. X
 2. X
 3. AS??? ge0-3.ams.OTEglobe.net (80.249.208.179)
 4. AS??? 62.75.27.82 (62.75.27.82)
 5. AS12713 62.75.3.2 (62.75.3.2)
 6. AS57344 185.148.160.77 (185.148.160.77)
 7. AS50360 ip-25-22.4vendeta.com (195.230.25.22)
 8. (waiting for reply)

Signed-off-by: Peter Müller
---
 overrides/override-other.txt | 42 ++++++++++++++++++++++++++++++------
 1 file changed, 36 insertions(+), 6 deletions(-)

diff --git a/overrides/override-other.txt b/overrides/override-other.txt
index 0ec8fa2..f750da0 100644
--- a/overrides/override-other.txt
+++ b/overrides/override-other.txt
@@ -105,8 +105,8 @@ country: US aut-num: AS41466 descr: Treidinvest LLC -remarks: ISP located in RU, but some RIR data for announced prefixes contain garbage -country: RU +remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data +country: BG aut-num: AS41564 descr: Packet Exchange Limited @@ -173,6 +173,11 @@ descr: F.I.H. FORMULA INVESTMENT HOUSE CLEARING LIMITED remarks: claims GR for announced prefixes, but traceroutes dead-end somewhere else in EU country: EU +aut-num: AS50360 +descr: Tamatiya EOOD / 4Vendeta +remarks: Questionable (at best) ISP located in BG, clients massively tamper with RIR data +country: BG + aut-num: AS51558 descr: Smart Telecom S.A.R.L remarks: tampers with RIR data, traces back to RU @@ -288,6 +293,11 @@ descr: ALEXHOST SRL remarks: ISP located in MD, majority of RIR data for announced prefixes contain garbage, we cannot trust this network country: MD +aut-num: AS200391 +descr: KREZ 999 EOOD +remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data +country: BG + aut-num: AS200699 descr: Datashield, Inc. remarks: fake offshore location (SC), traces back to NL @@ -313,10 +323,10 @@ descr: FutureNow Incorporated remarks: ISP located in BG, but RIR data for announced prefixes contain garbage country: BG -aut-num: AS202920 -descr: DataClub S.A. -remarks: another shady customer of "DDoS Guard Ltd." -country: RU +aut-num: AS202325 +descr: 4Media Ltd. +remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data +country: BG aut-num: AS202425 descr: IP Volume Inc. 
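Review bot: the AS41466 hunk drops the earlier RU determination without recording what invalidated it. The removed line read "remarks: ISP located in RU, but some RIR data for announced prefixes contain garbage"; the replacement pins the AS to BG purely as a customer of "Tamatiya EOOD / 4Vendeta", and the traceroutes in the message stop at AS50360's own router (ip-25-22.4vendeta.com, followed by "waiting for reply"), so they do not show an AS41466 prefix answering from Sofia. Keep both determinations in the entry, for example "remarks: customer of AS50360 (Tamatiya EOOD / 4Vendeta), previously listed as RU; traces end in Sofia, BG", so whoever revises this entry next can see why the country flipped.

Review bot: the remarks line added for AS200391 (the same text is used for AS41466 and AS202325 in this patch) names the upstream only by company name, "Tamatiya EOOD / 4Vendeta". Since the upstream gets its own entry as AS50360 in this very patch, put the ASN into the shared text, e.g. "remarks: customer of AS50360 (Tamatiya EOOD / 4Vendeta), located in BG, tampers with RIR data", so that a grep for AS50360 finds every dependent override when that entry is revised or removed.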
@@ -333,6 +343,11 @@ descr: Cooperative Investments LLC remarks: bulletproof ISP and IP hijacker, related to AS202425 and AS62355, traces to NL country: NL +aut-num: AS202920 +descr: DataClub S.A. +remarks: another shady customer of "DDoS Guard Ltd." +country: RU + aut-num: AS204136 descr: Kevin Holly trading as Silent Ghost e.U. remarks: AS run by someone who thinks allocating IP networks to AQ is funny (it is not, kid) :-/ 
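Review bot: this hunk re-adds the AS202920 DataClub S.A. entry that the previous hunk removed, with identical descr, remarks and country lines, so the net effect is a move to the numerically sorted position between AS202425 and AS204136, not a removal. The commit message does not mention AS202920 or "DDoS Guard Ltd." at all; add a sentence ("also moves AS202920 to keep the file sorted by ASN") or split the move into its own commit, so that a later "git log -S AS202920" does not read as if the entry had been dropped and restored.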
@@ -368,16 +383,31 @@ descr: Altrosky Technology Ltd. remarks: fake offshore location (SC), traces back to CZ and NL country: EU +aut-num: AS207812 +descr: DM AUTO EOOD +remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data +country: BG + aut-num: AS208046 descr: Maximilian Kutzner trading as HostSlick remarks: traces back to NL, but some RIR data for announced prefixes contain garbage country: NL +aut-num: AS208410 +descr: Internet Hosting Ltd. +remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data +country: BG + aut-num: AS209132 descr: Alviva Holding Limited remarks: ISP located in BG, but RIR data for announced prefixes contain garbage country: BG +aut-num: AS209160 +descr: Miti 2000 EOOD +remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data +country: BG + aut-num: AS209272 descr: Alviva Holding Limited remarks: bulletproof ISP operating from a war zone in eastern UA

From patchwork Thu Apr 29 20:06:33 2021
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 4232
Subject: [PATCH 2/3] override-other: DignusData LLC thinks messing with countries is funny
To: location@lists.ipfire.org
References: <0d4f7143-439c-29fe-d15f-76f28371c2f2@ipfire.org>
From: Peter Müller
Date: Thu, 29 Apr 2021 22:06:33 +0200
In-Reply-To: <0d4f7143-439c-29fe-d15f-76f28371c2f2@ipfire.org>

According to the RIPE database, IP networks announced by AS60412 are located in Argentina, Belgium, USA, Estonia, United Arab Emirates, and Serbia. None of that is true. These all trace back to PL:

 1. X
 2. X
 3. X
 4. X
 5. AS3320 80.156.160.126 (80.156.160.126)
 6. AS9002 ae5-9.RT.LIM.WAW.PL.retn.net (87.245.233.46)
 7. AS9002 GW-SkyTech.retn.net (87.245.249.83)
 8. AS201814 r2w.skynode.pl (185.16.37.12)
 9. (no route to host)

 1. X
 2. X
 3. AS??? amsix-200gbps.core1.ams1.he.net (80.249.209.150)
 4. AS6939 100ge0-33.core2.ber1.he.net (184.105.65.18)
 5. AS6939 100ge10-2.core1.waw1.he.net (184.105.65.25)
 6. AS6939 meverywhere-sp-z-o-o.e0-2.switch1.waw1.he.net (216.66.87.22)
 7. AS201814 r2w.skynode.pl (185.16.37.12)
 8. (no route to host)

Signed-off-by: Peter Müller
---
 overrides/override-other.txt | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/overrides/override-other.txt b/overrides/override-other.txt
index f750da0..e56a208 100644
--- a/overrides/override-other.txt
+++ b/overrides/override-other.txt
@@ -233,6 +233,11 @@ descr: Batterflyai Media Ltd. remarks: ISP located in RU, but some RIR data for announced prefixes contain garbage country: RU +aut-num: AS60412 +descr: DignusData LLC +remarks: ISP located in PL, but _all_ RIR data for announced prefixes contain garbage +country: PL + aut-num: AS60485 descr: Inter Connects Inc. / Jing Yun remarks: part of a dirty ISP conglomerate operating most likely out of SE, hijacking AfriNIC networks

From patchwork Thu Apr 29 20:06:52 2021
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 4233
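Review bot: "remarks: ISP located in PL, but _all_ RIR data for announced prefixes contain garbage" claims more than the commit message shows. Both traceroutes end at AS201814 r2w.skynode.pl (185.16.37.12) with "no route to host" and never reach an AS60412 hop, so PL is inferred from the last responding upstream rather than from an AS60412 prefix. Neighbouring entries phrase exactly this situation as "traces back to ..."; suggest "remarks: RIR data for all announced prefixes contain garbage (AR, BE, US, EE, AE, RS claimed), traces dead-end at AS201814 in PL" so the basis for the country pin is on record in the file itself.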
Subject: [PATCH 3/3] override-a1: weekly batch of various overrides
To: location@lists.ipfire.org
References: <0d4f7143-439c-29fe-d15f-76f28371c2f2@ipfire.org>
From: Peter Müller
Date: Thu, 29 Apr 2021 22:06:52 +0200

Signed-off-by: Peter Müller
---
 overrides/override-a1.txt | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/overrides/override-a1.txt b/overrides/override-a1.txt
index bfe480e..06d2d20 100644
--- a/overrides/override-a1.txt
+++ b/overrides/override-a1.txt
@@ -28,6 +28,12 @@ descr: Maginfo remarks: VPN provider is-anonymous-proxy: yes +aut-num: AS16255 +descr: IRIDIUM PROVIDER LTD +remarks: VPN provider [high confidence, but not proofed] located in RU +is-anonymous-proxy: yes +country: RU + aut-num: AS23762 descr: VPNsolutions Pty Ltd remarks: VPN provider @@ -1136,6 +1142,11 @@ descr: Wicked Technology Limited remarks: VPN provider [high confidence, but not proofed] is-anonymous-proxy: yes +net: 185.214.164.0/22 +descr: Tredinvest LLC / bestwest[.]host +remarks: VPN provider or offering similar services [high confidence, but not proofed] +is-anonymous-proxy: yes + net: 185.220.100.0/22 descr: Zwiebelfreunde e.V. / F3 Netze e.V. / The Calyx Institute remarks: Tor relay provider
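Review bot: the AS16255 entry sets "country: RU" inside override-a1.txt, but neither of the neighbouring entries visible in this hunk (Maginfo, VPNsolutions Pty Ltd) carries a country attribute, and every other country pin in this series goes into override-other.txt. Please confirm that a country line is honoured in the anonymous-proxy override file; if it is not, the RU pin does nothing and belongs in override-other.txt alongside the is-anonymous-proxy entry here. The message body is also empty apart from the Signed-off-by, unlike patches 1/3 and 2/3; one line per entry saying what the "high confidence" rests on would let the next person re-verify it.

Review bot: "descr: Tredinvest LLC / bestwest[.]host" spells the company differently from patch 1/3, where AS41466 is entered as "descr: Treidinvest LLC". One of the two is a typo; check the registered name and, if it is the same organisation, cross-reference the AS41466 entry in the remarks so the prefix override and the ASN override stay in step when either is revised. "remarks: VPN provider or offering similar services" is also vaguer than the surrounding entries; say which it is, or what was actually observed on the prefix.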