From patchwork Thu Jun 3 14:02:26 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 4397
To: "IPFire: Location"
From: Peter Müller
Subject: [PATCH] overrides-{a{1,3},other}: regular batch of various overrides
Message-ID: <377bff96-f1e1-74ac-60c9-fb16e6e13a3f@ipfire.org>
Date: Thu, 3 Jun 2021 16:02:26 +0200

Including location pinning for various LeaseWeb AS, as their customers seem to tamper with RIR data a lot. Fortunately for us, they use one AS per PoP, so we can trace back locations quite easily. :-)

AS209242 is especially - um - interesting. Given Cloudflare's nature, it is impossible to tell where these shady prefixes announced by it are located. Most of them point to letterbox companies, hosting questionable services at best.

Signed-off-by: Peter Müller --- overrides/override-a1.txt | 32 +++++++++- overrides/override-a3.txt | 30 ++++++++++ overrides/override-other.txt | 112 ++++++++++++++++++++++++++++++++++- 3 files changed, 172 insertions(+), 2 deletions(-) diff --git a/overrides/override-a1.txt b/overrides/override-a1.txt index 3a65232..b884c5d 100644 --- a/overrides/override-a1.txt +++ b/overrides/override-a1.txt @@ -44,6 +44,11 @@ descr: VPN de Mexico, S.A. de C.V. remarks: VPN provider is-anonymous-proxy: yes +aut-num: AS32781 +descr: Defender cloud international LLC +remarks: VPN provider [high confidence, but not proofed] +is-anonymous-proxy: yes + aut-num: AS34962 descr: Epik Network remarks: Shady ISP and registrar, many prefixes announced refer to "anonymize" infrastructure @@ -236,6 +241,11 @@ descr: Business VPN LLC remarks: VPN provider is-anonymous-proxy: yes +aut-num: AS398271 +descr: HardenedVPN[.]com LLC +remarks: VPN provider +is-anonymous-proxy: yes + net: 2.57.171.0/24 descr: VPN Consumer Network remarks: VPN provider @@ -476,6 +486,11 @@ descr: Shtrauh Andrey remarks: VPN provider [high confidence, but not proofed] is-anonymous-proxy: yes +net: 45.147.56.0/23 +descr: OLMERA GROUP LTD +remarks: VPN provider [high confidence, but not proofed] +is-anonymous-proxy: yes + net: 45.151.115.0/24 descr: ikoProxies [high confidence, but not proofed] remarks: VPN provider located in NL @@ -489,7 +504,7 @@ is-anonymous-proxy: yes net: 45.192.0.0/12 descr: Cloud Innovation Ltd. -remarks: hijacked AFRINIC IP chunk owned by an offshore company, routed to several dirty networks worldwide, cannot tell what is going on here +remarks: hijacked (?) AFRINIC IP chunk owned by an offshore company, routed to several dirty networks worldwide, cannot tell what is going on here is-anonymous-proxy: yes net: 45.220.72.0/22 
@@ -1131,6 +1146,11 @@ remarks: (Rogue) VPN provider is-anonymous-proxy: yes country: EU +net: 185.164.59.0/24 +descr: Buyproxies / Yuli Azarch +remarks: VPN provider [high confidence, but not proofed] +is-anonymous-proxy: yes + net: 185.165.153.0/24 descr: Privacy Matters VPN service / nVPN / David Craig remarks: (Rogue) VPN provider @@ -1384,6 +1404,11 @@ descr: VPNClientPublics remarks: VPN provider is-anonymous-proxy: yes +net: 198.44.224.0/19 +descr: Defender cloud international LLC +remarks: VPN provider [high confidence, but not proofed] +is-anonymous-proxy: yes + net: 199.249.223.0/24 descr: Quintex Alliance Consulting remarks: Tor relay provider @@ -1454,6 +1479,11 @@ descr: SecuredConnectivity remarks: VPN provider is-anonymous-proxy: yes +net: 206.123.128.0/19 +descr: Secure Internet LLC +remarks: VPN provider +is-anonymous-proxy: yes + net: 209.107.176.0/20 descr: Google VPN remarks: VPN provider diff --git a/overrides/override-a3.txt b/overrides/override-a3.txt index ec246c1..daacc95 100644 --- a/overrides/override-a3.txt +++ b/overrides/override-a3.txt @@ -30,11 +30,21 @@ descr: Akamai Technologies, Inc. remarks: Worldwide CDN, does not make sense to assign their networks to a specific country is-anycast: yes +aut-num: AS20577 +descr: TRADEWEB EUROPE LIMITED +remarks: Generic anycast network [high confidence, but not proofed] +is-anycast: yes + aut-num: AS20940 descr: Akamai International BV remarks: Worldwide CDN, does not make sense to assign their networks to a specific country is-anycast: yes +aut-num: AS28064 +descr: Smart Data Center S.A. +remarks: Generic anycast network [high confidence, but not proofed] +is-anycast: yes + aut-num: AS31529 descr: DENIC eG remarks: TLD operator's anycast network 
@@ -45,6 +55,11 @@ descr: Citigroup remarks: Public anycast DNS resolver network [high confidence, but not proofed] is-anycast: yes +aut-num: AS34738 +descr: WEBHOST LIMITED +remarks: Generic anycast network [high confidence, but not proofed] +is-anycast: yes + aut-num: AS34868 descr: wasted.io Ltd. remarks: Generic anycast network @@ -80,6 +95,11 @@ descr: coreIT.pl remarks: Generic anycast network is-anycast: yes +aut-num: AS60626 +descr: Leaseweb CDN B.V. +remarks: Generic anycast network +is-anycast: yes + aut-num: AS60890 descr: CentralNic Ltd remarks: Generic anycast network @@ -95,6 +115,11 @@ descr: OpenTLD BV remarks: TLD operator's anycast network is-anycast: yes +aut-num: AS61072 +descr: EZNet LIMITED +remarks: Generic anycast network +is-anycast: yes + aut-num: AS62766 descr: SJB Communications remarks: Generic anycast network @@ -160,6 +185,11 @@ descr: ipcom GmbH remarks: Generic anycast network is-anycast: yes +aut-num: AS209242 +descr: Cloudflare London, LLC / Cloudflare Spectrum +remarks: CFs' "bring your own IP networks and we will announce it" AS, lots of shady announcements originated from there, clients are located worldwide as single peer is CF's main AS +is-anycast: yes + aut-num: AS209813 descr: Fast Content Delivery Ltd. remarks: Generic anycast network diff --git a/overrides/override-other.txt b/overrides/override-other.txt index 0b521d1..e387dbd 100644 --- a/overrides/override-other.txt +++ b/overrides/override-other.txt @@ -13,6 +13,11 @@ # Please keep this file sorted. # +aut-num: AS1820 +descr: WNET TELECOM USA Corp. +remarks: traces back to various locations in UA, seems to tamper with RIR data +country: UA + aut-num: AS3216 descr: PJSC "Vimpelcom" remarks: ISP located in RU, but some RIR data for announced prefixes contain garbage 
@@ -23,6 +28,11 @@ descr: XNNET LLC remarks: traces back to an unknown oversea location (HK?), seems to tamper with RIR data country: HK +aut-num: AS7203 +descr: Leaseweb USA, Inc. +remarks: ISP located in US, but some RIR data for announced prefixes contain garbage +country: US + aut-num: AS8359 descr: MTS PJSC remarks: ISP located in RU, but some RIR data for announced prefixes contain garbage @@ -58,16 +68,36 @@ descr: Yes Networks Unlimited Ltd remarks: traces to UA, but some RIR entries seem to contain garbage (VG) country: UA +aut-num: AS24961 +descr: myLoc managed IT AG +remarks: ISP located in DE, but some RIR data for announced prefixes contain garbage +country: DE + aut-num: AS25098 descr: Netcalibre Ltd. -remarks: ISP located in GB, but some RIR data for announced prefixes contain garbage/ +remarks: ISP located in GB, but some RIR data for announced prefixes contain garbage country: GB +aut-num: AS27411 +descr: Leaseweb USA, Inc. +remarks: ISP located in US, but some RIR data for announced prefixes contain garbage +country: US + aut-num: AS28098 descr: ABGON Comunicaciones remarks: ISP located in CL, but some RIR data for announced prefixes contain garbage (BZ) country: CL +aut-num: AS28753 +descr: Leaseweb Deutschland GmbH +remarks: ISP located in Frankfurt/Main, DE, but many RIR data for announced prefixes contain garbage +country: DE + +aut-num: AS30633 +descr: Leaseweb USA, Inc. +remarks: ISP located in US, but some RIR data for announced prefixes contain garbage (BZ) +country: US + aut-num: AS35042 descr: IP Interactive UG (haftungsbeschraenkt) remarks: ISP located in BG, but RIR data for announced prefixes contain garbage 
@@ -163,6 +193,11 @@ descr: Global Colocation Limited remarks: part of a dirty ISP conglomerate most likely operating out of SE country: SE +aut-num: AS48721 +descr: ADM Service Ltd. +remarks: traces back to Vilnius, LT +country: LT + aut-num: AS49466 descr: KLAYER LLC remarks: part of the "Asline" IP hijacking gang, traces back to AP region @@ -233,6 +268,11 @@ descr: INNETRA PC remarks: another shady customer of "DDoS Guard Ltd.", jurisdiction is probably RU, but traceroutes dead-end somewhere else in EU country: EU +aut-num: AS59253 +descr: Leaseweb Asia Pacific pte. ltd. +remarks: ISP located in SG, but some RIR data for announced prefixes contain garbage +country: SG + aut-num: AS59580 descr: Batterflyai Media Ltd. remarks: ISP located in RU, but some RIR data for announced prefixes contain garbage @@ -248,6 +288,11 @@ descr: Inter Connects Inc. / Jing Yun remarks: part of a dirty ISP conglomerate operating most likely out of SE, hijacking AfriNIC networks country: SE +aut-num: AS60781 +descr: LeaseWeb Netherlands B.V. +remarks: ISP located in Amsterdam, NL, but many RIR data for announced prefixes contain garbage +country: NL + aut-num: AS61977 descr: Vivo Trade L.P. remarks: another shady customer of "DDoS Guard Ltd." 
@@ -283,11 +328,31 @@ descr: NForce Entertainment BV remarks: currently hijacks a single stolen /20 AfriNIC IPv4 net, hosted in NL country: NL +aut-num: AS132369 +descr: XIANGAO INTERNATIONAL TELECOMMUNICATION LIMITED +remarks: ISP located in HK, tampers with RIR data +country: HK + +aut-num: AS133752 +descr: Leaseweb Asia Pacific pte. ltd. +remarks: ISP located in HK, some RIR data for announced prefixes contain garbage +country: HK + +aut-num: AS134351 +descr: Leaseweb Japan K.K. +remarks: ISP located in JP, some RIR data for announced prefixes contain garbage +country: JP + aut-num: AS134548 descr: DXTL Tseung Kwan O Service remarks: tampers with RIR data, traces back to AP region country: AP +aut-num: AS136988 +descr: Leaseweb Australia Pty. Ltd. +remarks: ISP located in AU, some RIR data for announced prefixes contain garbage +country: AU + aut-num: AS137443 descr: Anchnet Asia Limited remarks: IP hijacker located in HK, tampers with RIR data @@ -298,11 +363,26 @@ descr: Clayer Limited remarks: part of the "Asline" IP hijacking gang, tampers with RIR data, traces back to AP region country: AP +aut-num: AS138571 +descr: SUPERCLOUDS LIMITED +remarks: ISP located in HK, tampers with RIR data +country: HK + +aut-num: AS139242 +descr: Cloudflare Sydney, LLC +remarks: ... but CF failed to set the country for announced prefixes to AU as well :-/ +country: AU + aut-num: AS139330 descr: SANREN DATA LIMITED remarks: IP hijacker located somewhere in AP region, tampers with RIR data country: AP +aut-num: AS139811 +descr: ANLIAN NETWORK TECHNOLOGY CO., LIMITED +remarks: ISP located in HK, tampers with RIR data +country: HK + aut-num: AS140733 descr: Wujidun Network Limited remarks: part of the "Asline" IP hijacking gang, tampers with RIR data, traces back to AP region 
@@ -323,6 +403,11 @@ descr: Datashield, Inc. remarks: fake offshore location (SC), traces back to NL country: NL +aut-num: AS200740 +descr: Network Management Ltd. +remarks: traceroutes dead-end somewhere in or near RU +country: RU + aut-num: AS200845 descr: AVATEL TELECOM remarks: ISP located in ES, but some RIR data for announced prefixes contain garbage @@ -388,6 +473,11 @@ descr: Hauer Hosting Services Limited remarks: ISP located in ES, but some RIR data for announced prefixes contain garbage country: ES +aut-num: AS205544 +descr: LEASEWEB UK LIMITED +remarks: ISP located in London, GB, but many RIR data for announced prefixes contain garbage +country: GB + aut-num: AS206397 descr: Genius Guard / Genius Security Ltd. remarks: another shady customer of "DDoS Guard Ltd.", probably located in RU @@ -403,6 +493,11 @@ descr: Xtudio Networks S.L.U. remarks: ISP located in ES, but some RIR data for announced prefixes contain garbage country: ES +aut-num: AS207569 +descr: Network Management Ltd. +remarks: traceroutes dead-end somewhere in or near RU +country: RU + aut-num: AS207616 descr: Altrosky Technology Ltd. remarks: fake offshore location (SC), traces back to CZ and NL @@ -458,6 +553,11 @@ descr: Harry Dowd remarks: ISP located in GB, but RIR data for announced prefixes contain garbage country: GB +aut-num: AS212962 +descr: Quality Area Ltd. +remarks: traceroutes dead-end somewhere near Crimera, UA +country: UA + aut-num: AS213035 descr: Serverion BV remarks: ISP located in NL, but RIR data for most announced prefixes contain garbage 
@@ -488,6 +588,16 @@ descr: Datapacket Maroc SARL remarks: bulletproof ISP (strongly linked to AS202425) located in NL country: NL +aut-num: AS394380 +descr: Leaseweb USA, Inc. +remarks: ISP located in Dallas, TX, US, but some RIR data for announced prefixes contain garbage +country: US + +aut-num: AS395954 +descr: Leaseweb USA, Inc. +remarks: ISP located in US, but some RIR data for announced prefixes contain garbage +country: US + aut-num: AS398478 descr: PEG TECH INC remarks: ISP located in HK, tampers with RIR data
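
Review bot: In overrides/override-a1.txt, hunk @@ -489,7 +504,7 @@, the remark for 45.192.0.0/12 is softened to "hijacked (?)" and still ends with "cannot tell what is going on here", yet the entry keeps is-anonymous-proxy: yes for the whole /12. Nothing in the remark mentions VPN, proxy or Tor use, so a consumer of the database cannot tell why the flag is set. Please state the evidence for the proxy classification in remarks, or limit the flag to the sub-prefixes where it has been observed.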
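
Review bot: In overrides/override-a1.txt, hunk @@ -1384,6 +1404,11 @@, the new net: 198.44.224.0/19 entry has the same descr, remarks and flag as the aut-num: AS32781 entry added in hunk @@ -44,6 +44,11 @@ ("Defender cloud international LLC"). If this /19 is originated by AS32781, the net entry duplicates what the AS override already covers and can be dropped. If it is announced from a different AS, name that AS in remarks so the reason for the second entry is documented.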
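
Review bot: In overrides/override-a3.txt, hunk @@ -160,6 +185,11 @@, the remark for AS209242 does not claim the prefixes are anycast; it says the customers are "located worldwide" and the commit message says their location cannot be determined. That makes is-anycast: yes read as a "location unknown" marker here rather than a statement about routing. Please say so explicitly in remarks so the flag is not later mistaken for a verified anycast deployment. The same line also mixes "CFs'" and "CF's"; use one form.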
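
Review bot: In overrides/override-other.txt, hunk @@ -58,16 +68,36 @@, the new AS30633 (Leaseweb USA, Inc.) remark ends in "(BZ)", the same suffix as the unchanged AS28098 entry two blocks above it, while the other Leaseweb USA entries in this patch (AS7203, AS27411, AS395954) carry no country hint. Is BZ really the bogus country seen in RIR data for AS30633 prefixes, or was it carried over when the block was copied? If it was observed, fine; otherwise drop the suffix.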
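
Review bot: In overrides/override-other.txt, hunk @@ -298,11 +363,26 @@, the AS139242 remark starts mid-sentence: "... but CF failed to set the country for announced prefixes to AU as well :-/". The file is sorted by AS number, so the preceding entry is AS138571 (SUPERCLOUDS LIMITED) and the remark has nothing to continue from. Each entry should explain itself; something in the style of the neighbouring entries, such as "ISP located in AU, but RIR data for announced prefixes lack the country", would do.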
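
Review bot: In overrides/override-other.txt, hunk @@ -458,6 +553,11 @@, the AS212962 remark has a typo: "Crimera" should be "Crimea". Across this file the new remarks also vary between "but some RIR data", ", some RIR data" (AS133752, AS134351, AS136988) and "but many RIR data"; picking one wording would keep the file easy to grep.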