From patchwork Thu Aug 19 09:36:25 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 4633
To: "IPFire: Location"
From: Peter Müller
Subject: [PATCH] override-{a1,other}: regular batch of various overrides
Message-ID: <7c5604a2-a37c-cf53-9f2b-b06f5fa0fdd1@ipfire.org>
Date: Thu, 19 Aug 2021 11:36:25 +0200

This one removes networks owned by Cloud Innovation Ltd. from the "anonymous proxy" category, since the majority of them do not appear to host anonymous proxies after all. Same goes for 145.249.104.0/22; all of these are shady areas, however. They might go into an "XD" category one day, since we do not consider routing traffic from and to these a good idea. At the time of writing, there are still some technical and political (Should libloc become an opinionated database? Where would we cut the line?) issues to be solved.

Apart from that, this patch adds some more ASNs hijacking IPv4 space out of Hong Kong in particular and the Asia/Pacific area in general. Given the current situation at AfriNIC (whose IPv4 networks are most affected) and the political environment in this area, cleaning up this dump would be a tricky and tedious task to do.

Signed-off-by: Peter Müller
--- overrides/override-a1.txt | 15 ----- overrides/override-other.txt | 105 +++++++++++++++++++++++++++++++++++ 2 files changed, 105 insertions(+), 15 deletions(-) diff --git a/overrides/override-a1.txt b/overrides/override-a1.txt index 7cd0359..b4940b2 100644 --- a/overrides/override-a1.txt +++ b/overrides/override-a1.txt 
@@ -573,11 +573,6 @@ descr: Express VPN International Ltd remarks: VPN provider is-anonymous-proxy: yes -net: 45.192.0.0/12 -descr: Cloud Innovation Ltd. -remarks: hijacked (?) AFRINIC IP chunk owned by an offshore company, routed to several dirty networks worldwide, cannot tell what is going on here -is-anonymous-proxy: yes - net: 45.220.72.0/22 descr: Low budget VPN service remarks: VPN provider @@ -1053,11 +1048,6 @@ descr: Hurricane VPN remarks: VPN provider is-anonymous-proxy: yes -net: 145.249.104.0/22 -descr: Liberty Services / IP Volume Inc. -remarks: VPN provider [high confidence, but not proofed] -is-anonymous-proxy: yes - net: 154.0.24.0/24 descr: WIFI and PROXY NET / Atlantique Telecom remarks: VPN provider [high confidence, but not proofed] @@ -1069,11 +1059,6 @@ remarks: VPN provider [high confidence, but not proofed] is-anonymous-proxy: yes country: FR -net: 154.192.0.0/11 -descr: Cloud Innovation Ltd. -remarks: hijacked AFRINIC IP chunk, owned by suspicous offshore company, scattered across dirty networks worldwide - not a safe place to go -is-anonymous-proxy: yes - net: 156.0.200.0/22 descr: xTom Limited remarks: ... network operator thinks messing with countries and having an offshore company for it is funny :-/ diff --git a/overrides/override-other.txt b/overrides/override-other.txt index b0ee0ca..2c7caaa 100644 --- a/overrides/override-other.txt +++ b/overrides/override-other.txt @@ -110,6 +110,11 @@ descr: PJSC Rostelecom remarks: ISP located in RU, but some RIR data for announced prefixes contain garbage country: RU +aut-num: AS12679 +descr: Sokolov Dmitry Nikolaevich +remarks: ISP located in RU, but many RIR data for announced prefixes contain garbage +country: RU + aut-num: AS12722 descr: RECONN LLC remarks: ISP located in RU, but some RIR data for announced prefixes contain garbage 
@@ -134,11 +139,21 @@ descr: KLAYER LLC remarks: part of the "Asline" IP hijacking gang, traces back to AP region country: AP +aut-num: AS18530 +descr: Isomedia, Inc. +remarks: ISP located in US, but some RIR data for announced prefixes contain garbage +country: US + aut-num: AS18779 descr: EGIHosting remarks: ISP located in US, but some RIR data for announced prefixes contain garbage country: US +aut-num: AS207711 +descr: Inteldome Corporation +remarks: ... whose location we are unable to determine precisely, but its definitely not MH :-/ +country: EU + aut-num: AS21100 descr: ITL LLC remarks: ISP headquatered in BG and/or UA, physically located in NL, some RIR data for announced prefixes contain inaccurate data @@ -204,6 +219,11 @@ descr: combahton GmbH remarks: ISP located in DE, but some RIR data for announced prefixes contain garbage country: DE +aut-num: AS30860 +descr: Virtual Systems LLC +remarks: ISP located in UA, but some RIR data for announced prefixes contain garbage +country: UA + aut-num: AS30982 descr: CAFE Informatique et telecommunications (defunct) remarks: spamming bogon located in TG - formerly allocated to CAFE Informatique et telecommunications @@ -234,6 +254,11 @@ descr: IP Interactive UG (haftungsbeschraenkt) remarks: ISP located in BG, but RIR data for announced prefixes contain garbage country: BG +aut-num: AS35196 +descr: Ihor Hosting LLC +remarks: ISP located in RU, but some RIR data for announced prefixes contain garbage +country: RU + aut-num: AS35251 descr: NetLab remarks: tampers with RIR data, most probably located in HK 
@@ -264,6 +289,11 @@ descr: Silverstar Invest Limited remarks: ISP located in RU, but some RIR data for announced prefixes contain garbage country: RU +aut-num: AS35913 +descr: DediPath LLC +remarks: ISP located in US, but some RIR data for announced prefixes contain garbage +country: US + aut-num: AS37155 descr: NetOne Telecomunicacoes (defunct) remarks: spamming bogon located in or near Luanda, AO - formerly allocated to NetOne Telecomunicacoes @@ -579,6 +609,11 @@ descr: Vault Dweller OU remarks: traceroutes dead-end somewhere in or near RU country: RU +aut-num: AS59796 +descr: Stormwall s.r.o +remarks: appears to scatter across EU at least, RIR data contain garbage, might be an A3 candidate +country: EU + aut-num: AS60144 descr: 3W Infra B.V. remarks: ISP located in NL, but some RIR data for announced prefixes contain garbage @@ -624,6 +659,11 @@ descr: SpectraIP B.V. remarks: bulletproof ISP (linked to AS202425 et al.) located in NL country: NL +aut-num: AS62079 +descr: Ibernap Management S.L. +remarks: traces back to various locations in US +country: US + aut-num: AS62355 descr: Network Dedicated SAS remarks: bulletproof ISP and IP hijacker, claims to be located in CH, but traces to NL 
@@ -714,11 +754,21 @@ descr: Optix Pakistan (Pvt.) Limited remarks: ISP located in PK, some RIR data for announced prefixes (bogons?) contain garbage country: PK +aut-num: AS136545 +descr: Blue Data Center +remarks: IP hijacker located somewhere in AP area, tampers with RIR data +country: AP + aut-num: AS136800 descr: ICIDC NETWORK remarks: IP hijacker located somehwere in AP, suspected to be part of the "Asline" IP hijacking gang, tampers with RIR data country: AP +aut-num: AS136933 +descr: Gigabitbank Global / Anchnet Asia Limited (?) +remarks: IP hijacker located somewhere in AP area, suspected to be part of the "Asline" IP hijacking gang, tampers with RIR data +country: AP + aut-num: AS136988 descr: Leaseweb Australia Pty. Ltd. remarks: ISP located in AU, some RIR data for announced prefixes contain garbage @@ -729,6 +779,11 @@ descr: Anchnet Asia Limited remarks: IP hijacker located in HK, tampers with RIR data country: HK +aut-num: AS137523 +descr: HONGKONG CLOUD NETWORK TECHNOLOGY CO., LIMITED +remarks: IP hijacker located in AP area, tampers with RIR data +country: AP + aut-num: AS137951 descr: Clayer Limited remarks: part of the "Asline" IP hijacking gang, tampers with RIR data, traces back to AP region @@ -739,6 +794,11 @@ descr: MOACK.Co.LTD remarks: ISP located in KR, some RIR data for announced prefixes contain garbage country: KR +aut-num: AS138303 +descr: Asquare International +remarks: ... which appears to host their stuff solely in US +country: US + aut-num: AS138571 descr: SUPERCLOUDS LIMITED remarks: ISP located in HK, tampers with RIR data @@ -759,6 +819,11 @@ descr: SANREN DATA LIMITED remarks: IP hijacker located somewhere in AP region, tampers with RIR data country: AP +aut-num: AS139646 +descr: HONG KONG Megalayer Technology Co.,Limited +remarks: ISP and/or IP hijacker located in HK, tampers with RIR data +country: HK + aut-num: AS139659 descr: LUCIDACLOUD LIMITED remarks: ISP and/or IP hijacker located in HK, tampers with RIR data 
@@ -774,6 +839,11 @@ descr: Galaxy Broadband remarks: ISP located in PK, but announces 204.137.128.0/18, which is ARIN space, assigned to "AGIS" / Cogent - odd... country: PK +aut-num: AS140227 +descr: Hong Kong Communications International Co., Limited +remarks: part of the "Asline" IP hijacking gang, tampers with RIR data, traces back to AP region +country: AP + aut-num: AS140733 descr: Wujidun Network Limited remarks: part of the "Asline" IP hijacking gang, tampers with RIR data, traces back to AP region @@ -784,6 +854,11 @@ descr: Full Time Hosting remarks: ISP located in DE, tampers with RIR data country: DE +aut-num: AS141159 +descr: Incomparable(HK)Network Co., Limited +remarks: ISP and/or IP hijacker located in AP area, tampers with RIR data +country: AP + aut-num: AS196682 descr: FLP Kochenov Aleksej Vladislavovich remarks: ISP located in UA, but RIR data for announced prefixes all say EU @@ -914,6 +989,11 @@ descr: AAEX NETWORK TECHNOLOGY LTD remarks: IP hijacker located in HK country: HK +aut-num: AS207461 +descr: Liquid IO +remarks: ISP located in US, but many RIR data for announced prefixes contain garbage +country: US + aut-num: AS207569 descr: Network Management Ltd. remarks: traceroutes dead-end somewhere in or near RU @@ -1004,6 +1084,11 @@ descr: Harry Dowd remarks: ISP located in GB, but RIR data for announced prefixes contain garbage country: GB +aut-num: AS212913 +descr: FOP Hornostay Mykhaylo Ivanovych +remarks: ISP located in RU, but some RIR data are inaccurate (UA) +country: RU + aut-num: AS212477 descr: RoyaleHosting B.V. remarks: ISP located in NL, but RIR data for announced prefixes contain garbage 
@@ -1054,6 +1139,11 @@ descr: DDOS-GUARD CORP. remarks: fake offshore location (BZ), traces back to RU country: RU +aut-num: AS263744 +descr: Udasha S.A. +remarks: traceroutes dead-end somewhere near NYC, US +country: US + aut-num: AS267784 descr: Flyservers S.A. remarks: ISP located in NL, but RIR data for most announced prefixes contain garbage @@ -1084,6 +1174,11 @@ descr: Leaseweb USA, Inc. remarks: ISP located in Dallas, TX, US, but some RIR data for announced prefixes contain garbage country: US +aut-num: AS395886 +descr: KURUN CLOUD INC +remarks: ISP and/or IP hijacker located in US, some RIR data for announced prefixes contain garbage +country: US + aut-num: AS395954 descr: Leaseweb USA, Inc. remarks: ISP located in US, but some RIR data for announced prefixes contain garbage @@ -1204,6 +1299,11 @@ descr: Vodafone US Inc. remarks: large Vodafone IP chunk used in ES, but assigned by ARIN (inaccurate data) country: ES +net: 80.240.96.0/24 +descr: LLC RusTel +remarks: fake location (RU), traces back to HK +country: HK + net: 85.202.80.0/24 descr: Amarutu Technology Ltd. / KoDDoS / ESecurity remarks: fake offshore location (BZ), traces back to US @@ -1234,6 +1334,11 @@ descr: Petersburg Internet Network Ltd. remarks: RIR data for suballocations contain garbage, they are all located in RU country: RU +net: 92.223.90.0/24 +descr: G-Core Labs S.A. +remarks: fake location (CY), traces back to HK +country: HK + net: 95.181.152.0/21 descr: QWARTA LLC remarks: fake location (US), WHOIS contact and traceroutes point to RU
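
Review bot: In overrides/override-a1.txt, the three removed blocks (45.192.0.0/12, 145.249.104.0/22 and 154.192.0.0/11) are deleted outright, so the remarks recording the hijacked AFRINIC space and the "not a safe place to go" assessment disappear from the override files, even though the commit message still calls these ranges shady and mentions a possible future "XD" category. Consider keeping those findings somewhere reviewable until that category exists, for example in a tracking note referenced from the commit message, so they do not have to be researched again.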
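
Review bot: The AS207711 block in overrides/override-other.txt (hunk @@ -134,11 +139,21 @@) is inserted between AS18779 and AS21100, which breaks the numeric ordering the rest of the file follows; AS207461 is correctly placed before AS207569 further down, and AS207711 belongs after those. In the same block, "its definitely not MH" should read "it's definitely not MH", and since the remark says the location cannot be determined precisely, it would help to state what points to EU.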
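
Review bot: The AS59796 remark (hunk @@ -579,6 +609,11 @@) leaves an open decision in the data: it says "might be an A3 candidate" while the entry sets country: EU. Either settle the classification before merging or drop the speculation from the remark and track it separately, so that consumers of the override can tell whether EU is a considered answer or a placeholder.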
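
Review bot: Remark wording for the new AP entries in hunk @@ -714,11 +754,21 @@ and the following hunks is inconsistent: AS136545, AS136933, AS137523 and AS141159 say "AP area", while AS140227 and the surrounding context lines say "AP region". Pick one form for the added blocks so the remarks stay easy to grep.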
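
Review bot: In hunk @@ -1004,6 +1084,11 @@ of overrides/override-other.txt, AS212913 is added directly before AS212477, so the two are out of numeric order. Move the new block to the position where it sorts after AS212477.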
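
Review bot: The two new net: entries in overrides/override-other.txt (80.240.96.0/24 and 92.223.90.0/24) say only "traces back to HK" without naming the basis, whereas the neighbouring 95.181.152.0/21 entry records "WHOIS contact and traceroutes point to RU". Naming the evidence in the remark in the same way makes these country overrides easier to re-verify later.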