From patchwork Sun Jan 9 12:48:09 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 4959
Message-ID: <9a04b48b-ae17-2af4-8076-3fe738983710@ipfire.org>
Date: Sun, 9 Jan 2022 13:48:09 +0100
To: "IPFire: Location"
From: Peter Müller
Subject: [PATCH] override-{a1,other,xd}: Regular batch of various overrides
X-BeenThere: location@lists.ipfire.org

Signed-off-by: Peter Müller --- overrides/override-a1.txt | 37 +------------- overrides/override-other.txt | 95 ++++++++++++++++++++++++++++-------- overrides/override-xd.txt | 34 ++++++++++++- 3 files changed, 108 insertions(+), 58 deletions(-) diff --git a/overrides/override-a1.txt b/overrides/override-a1.txt index 5b620fe..43e0174 100644 --- a/overrides/override-a1.txt +++ b/overrides/override-a1.txt
@@ -729,21 +729,6 @@ descr: GZ Systems Limited / PureVPN remarks: VPN provider is-anonymous-proxy: yes -net: 62.73.7.0/24 -descr: Privax LTD / AVAST s.r.o. -remarks: VPN provider -is-anonymous-proxy: yes - -net: 62.73.8.0/23 -descr: Privax LTD / AVAST s.r.o. -remarks: VPN provider -is-anonymous-proxy: yes - -net: 62.73.10.0/24 -descr: Privax LTD / AVAST s.r.o. -remarks: VPN provider -is-anonymous-proxy: yes - net: 62.149.160.0/20 descr: Aruba VPN remarks: VPN provider @@ -835,7 +820,7 @@ is-anonymous-proxy: yes net: 80.254.74.0/20 descr: Monzoon / SwissVPN -remarks: VPN provider [high confidence, but not proofed] +remarks: VPN provider is-anonymous-proxy: yes net: 82.199.130.0/24 @@ -1135,11 +1120,6 @@ remarks: VPN provider [high confidence, but not proofed] is-anonymous-proxy: yes country: FR -net: 156.0.200.0/22 -descr: xTom Limited -remarks: ... network operator thinks messing with countries and having an offshore company for it is funny :-/ -is-anonymous-proxy: yes - net: 159.197.128.0/17 descr: Nationwide Computer Systems, Inc. trading as IPTrading.com remarks: Hijacked and loaded with proxies, see also: https://krebsonsecurity.com/2019/08/the-rise-of-bulletproof-residential-networks/ @@ -1236,16 +1216,6 @@ descr: Private Internet Access remarks: VPN provider is-anonymous-proxy: yes -net: 173.239.252.0/24 -descr: OculusProxies -remarks: VPN provider [high confidence, but not proofed] -is-anonymous-proxy: yes - -net: 173.239.252.0/24 -descr: BGRVPN -remarks: VPN provider -is-anonymous-proxy: yes - net: 173.244.32.0/19 descr: LogicWeb Inc. / BGRVPN / Private Internet Access / VPNetworks / CookieProxy / etc. pp. remarks: large IP chunk mostly used by VPN providers 
@@ -1505,11 +1475,6 @@ descr: GZ Systems Limited / PureVPN remarks: VPN provider is-anonymous-proxy: yes -net: 190.115.16.0/20 -descr: DDOS-GUARD CORP. -remarks: IP chunk owned by an offshore company, abuse contact is a freemail address, address says "1/2 Miles Northern Highway, Belize" -is-anonymous-proxy: yes - net: 191.96.1.0/23 descr: GZ Systems Limited / PureVPN remarks: VPN provider diff --git a/overrides/override-other.txt b/overrides/override-other.txt index 56bb12e..89ad8e0 100644 --- a/overrides/override-other.txt +++ b/overrides/override-other.txt @@ -92,8 +92,8 @@ country: GR aut-num: AS6134 descr: XNNET LLC -remarks: traces back to an unknown oversea location (HK?), seems to tamper with RIR data -country: AP +remarks: traces back to HK, seems to tamper with RIR data +country: HK aut-num: AS6412 name: Zajil International Telecom Company @@ -144,6 +144,11 @@ descr: Nexril remarks: ISP located in US, but some RIR data for announced prefixes contain garbage country: US +aut-num: AS15611 +descr: Iranian Research Organization for Science & Technology +remarks: ISP located in IR, but some RIR data for announced prefixes contain garbage +country: IR + aut-num: AS15828 descr: Blue Diamond Network Co., Ltd. remarks: Shady ISP located somewhere in AP @@ -268,6 +273,11 @@ descr: ASLINE LIMITED remarks: ... located in HK country: HK +aut-num: AS34837 +descr: Institute for Research in Fundamental Sciences +remarks: ISP located in IR, but some RIR data for announced prefixes contain garbage +country: IR + aut-num: AS34985 descr: Kirin Communication Limited remarks: ISP located in JP, but some RIR data for announced prefixes contain garbage 
@@ -468,6 +478,11 @@ descr: KeonWoo PARK remarks: claims US for its prefixes announced, but traces back to KR country: KR +aut-num: AS45250 +descr: Vocom International Telecommunications AP Area +remarks: ISP located in AP area, some RIR data for announced prefixes contain garbage +country: AP + aut-num: AS45671 descr: Servers Australia Pty. Ltd. remarks: ISP located in AU, but some RIR data for announced prefixes contain garbage @@ -578,11 +593,6 @@ descr: WhiteHat Inc. remarks: tampers with RIR data country: EU -aut-num: AS54600 -descr: PEG TECH INC -remarks: ISP and/or IP hijacker located in US this time, tampers with RIR data -country: US - aut-num: AS55330 descr: AFGHANTELECOM GOVERNMENT COMMUNICATION NETWORK remarks: For some reason, some "Airbus Defence and Space AS" prefixes are announced by this one... @@ -658,6 +668,21 @@ descr: INNETRA PC remarks: another shady customer of "DDoS Guard Ltd.", jurisdiction is probably RU, but traceroutes dead-end somewhere else in EU country: EU +aut-num: AS58879 +descr: Shanghai Anchang Network Security Technology Co.,Ltd. +remarks: ... network infrastructure is believed to be located in HK, has some links to ASLINE hijacking gang +country: HK + +aut-num: AS59043 +descr: Guangzhou LanDong Information technology co., LTD +remarks: ... network infrastructure is believed to be located in HK +country: HK + +aut-num: AS59117 +descr: DREAM CLOUD INNOVATION PTE. LTD. +remarks: Claims to be located in JP or SG, but is likely located in HK +country: HK + aut-num: AS59253 descr: Leaseweb Asia Pacific pte. ltd. remarks: ISP located in SG, but some RIR data for announced prefixes contain garbage 
@@ -773,6 +798,11 @@ descr: XIANGAO INTERNATIONAL TELECOMMUNICATION LIMITED remarks: ISP located in HK, tampers with RIR data country: HK +aut-num: AS132813 +descr: HK AISI CLOUD COMPUTING LIMITED +remarks: ISP and/or IP hijacker located in HK, tampers with RIR data +country: HK + aut-num: AS132839 descr: POWER LINE DATACENTER remarks: ISP and/or IP hijacker located in HK, tampers with RIR data @@ -799,7 +829,7 @@ remarks: IP hijacker located somewhere in AP area, suspected to be part of the " country: AP aut-num: AS134196 -descr: Cloudie Limited +descr: ANYUN INTERNET TECHNOLOGY (HK) CO.,LIMITED remarks: part of the "Asline" IP hijacking gang, tampers with RIR data, traces back to AP region (HK? CN?) country: AP @@ -818,6 +848,11 @@ descr: Sky Digital Co., Ltd. remarks: IP hijacker located in TW, suspected to be part of the "Asline" IP hijacking gang, tampers with RIR data country: TW +aut-num: AS135097 +descr: LUOGELANG (FRANCE) LIMITED +remarks: Shady ISP located in HK, RIR data for announced prefixes contain garbage +country: HK + aut-num: AS136274 descr: Cloud Servers Pvt Ltd remarks: ISP located in NL, all RIR data for announced prefixes contain garbage 
@@ -828,11 +863,26 @@ descr: Optix Pakistan (Pvt.) Limited remarks: ISP located in PK, some RIR data for announced prefixes (bogons?) contain garbage country: PK +aut-num: AS136744 +descr: DREAM POWER TECHNOLOGY LIMITED +remarks: Located somewhere in AP (HK? KR?), tampers with RIR data a lot +country: AP + +aut-num: AS136746 +descr: XRCLOUD.NET INC. +remarks: ... located in HK +country: HK + aut-num: AS136933 descr: Gigabitbank Global / Anchnet Asia Limited (?) remarks: IP hijacker located somewhere in AP area, suspected to be part of the "Asline" IP hijacking gang, tampers with RIR data country: AP +aut-num: AS136950 +descr: Hong Kong FireLine Network LTD +remarks: ... located in HK (surprise!), but thinks allocating things to random countries worldwide is funny +country: HK + aut-num: AS136988 descr: Leaseweb Australia Pty. Ltd. remarks: ISP located in AU, some RIR data for announced prefixes contain garbage @@ -843,11 +893,6 @@ descr: Anchnet Asia Limited remarks: IP hijacker located in HK, tampers with RIR data country: HK -aut-num: AS137523 -descr: HONGKONG CLOUD NETWORK TECHNOLOGY CO., LIMITED -remarks: ISP and IP hijacker located in HK, tampers with RIR data -country: HK - aut-num: AS138195 descr: MOACK.Co.LTD remarks: ISP located in KR, some RIR data for announced prefixes contain garbage @@ -878,6 +923,11 @@ descr: SANREN DATA LIMITED remarks: IP hijacker located somewhere in AP region, tampers with RIR data country: AP +aut-num: AS139471 +descr: HWA CENT TELECOMMUNICATIONS LIMITED +remarks: ISP and/or IP hijacker located in AP area, tampers with RIR data +country: AP + aut-num: AS139640 descr: HK NEW CLOUD TECHNOLOGY LIMITED remarks: ISP and/or IP hijacker located in AP area, tampers with RIR data 
@@ -908,6 +958,11 @@ descr: Galaxy Broadband remarks: ISP located in PK, but announces 204.137.128.0/18, which is ARIN space, assigned to "AGIS" / Cogent - odd... country: PK +aut-num: AS140214 +descr: Create Prominent Information Limited +remarks: Shady ISP located in HK +country: HK + aut-num: AS140224 descr: White-Sand Cloud Computing(HK) Co., LIMITED remarks: part of the "Asline" IP hijacking gang, tampers with RIR data, traces back to AP region @@ -938,6 +993,11 @@ descr: FLP Kochenov Aleksej Vladislavovich remarks: ISP located in UA, but RIR data for announced prefixes all say EU country: UA +aut-num: AS197540 +descr: netcup GmbH +remarks: ISP located in DE, some RIR data for announced prefixes contain garbage +country: DE + aut-num: AS200019 descr: ALEXHOST SRL remarks: ISP located in MD, majority of RIR data for announced prefixes contain garbage, we cannot trust this network @@ -1260,8 +1320,8 @@ country: ZA aut-num: AS328608 descr: Africa on Cloud -remarks: ... for some reason, I doubt a _real_ African ISP would announce solely hijacked prefixes -country: AP +remarks: ... for some reason, I doubt a _real_ African ISP would announce solely hijacked prefixes - anyway, traces back to ZA :-/ +country: ZA aut-num: AS328703 descr: Seven Network Inc. @@ -1678,11 +1738,6 @@ descr: 4b42 UG (haftungsbeschränkt) remarks: ... who thinks assigning networks to unpopulated Bouvet Island (BV) is funny :-/ country: DE -net: 2a0f:7a80::/29 -descr: ASLINE Limited -remarks: APNIC chunk owned by a HK-based company, but assigned to DE -country: AP - net: 2a0f:e400:3000::/40 descr: Kevin Buehl remarks: ... who thinks assigning networks to unpopulated Bouvet Island (BV) is funny :-/ diff --git a/overrides/override-xd.txt b/overrides/override-xd.txt index 76ceab3..738a699 100644 --- a/overrides/override-xd.txt +++ b/overrides/override-xd.txt 
@@ -40,8 +40,8 @@ drop: yes aut-num: AS211849 descr: Kakharov Orinbassar Maratuly -remarks: ISP and IP hijacker located in RU, many RIR data for announced prefixes contain garbage -country: RU +remarks: ISP and IP hijacker located in KZ, many RIR data for announced prefixes contain garbage +country: KZ drop: yes aut-num: AS24009 @@ -97,6 +97,12 @@ remarks: Owned by an offshore letterbox company, suspected rogue ISP country: RU drop: yes +aut-num: AS54600 +descr: PEG TECH INC +remarks: ISP and IP hijacker located in US this time, tampers with RIR data +country: US +drop: yes + aut-num: AS55303 descr: Eagle Sky Co., Lt[d ?] remarks: Autonomous System registered to offshore company, abuse contact is a freemail address, address says "0 Market Square, P.O. Box 364, Belize", seems to trace to some location in AP vicinity @@ -166,6 +172,12 @@ remarks: IP hijacker located in HK, suspected to be part of the "Asline" IP hija country: HK drop: yes +aut-num: AS137523 +descr: HONGKONG CLOUD NETWORK TECHNOLOGY CO., LIMITED +remarks: ISP and IP hijacker located in HK, tampers with RIR data +country: HK +drop: yes + aut-num: AS137951 descr: Clayer Limited remarks: part of the "Asline" IP hijacking gang, tampers with RIR data, traces back to HK @@ -261,6 +273,18 @@ remarks: ISP located in HK, tampers with RIR data country: HK drop: yes +aut-num: AS398993 +descr: PEG TECH INC +remarks: ISP located in JP, tampers with RIR data +country: JP +drop: yes + +aut-num: AS399195 +descr: PEG TECH INC +remarks: ISP located in KR, tampers with RIR data +country: KR +drop: yes + net: 196.11.32.0/20 descr: Sanlam Life Insurance Limited remarks: Stolen AfriNIC IPv4 space announced from NL 
@@ -272,6 +296,12 @@ descr: NZB.si Enterprises remarks: Tampers with RIR data, not a safe place to route traffic to drop: yes +net: 2a0f:7a80::/29 +descr: ASLINE Limited +remarks: APNIC chunk owned by a HK-based IP hijacker, but assigned to DE +country: HK +drop: yes + net: 2a10:9700::/29 descr: 1337TEAM LIMITED / eliteteam[.]to remarks: Owned by an offshore letterbox company, suspected rogue ISP
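
Review bot: In override-a1.txt, hunk @@ -835,7 +820,7 @@, the context line `net: 80.254.74.0/20` has host bits set: the /20 that contains 80.254.74.0 starts at 80.254.64.0. Depending on how the importer treats non-canonical prefixes, the entry is either rejected or silently applied to the wider 80.254.64.0/20. Since this hunk raises the entry's confidence by dropping "[high confidence, but not proofed]", the prefix should be corrected in the same change, either to 80.254.64.0/20 or to a longer prefix that really starts at 80.254.74.0, and the commit message should say what confirmed the VPN classification.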
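
Review bot: In override-a1.txt, hunk @@ -1236,16 +1216,6 @@, both entries for 173.239.252.0/24 are removed instead of being collapsed into one, and nothing in the patch says why. The following context entry (173.244.32.0/19) does not cover that /24, so the prefix loses `is-anonymous-proxy: yes` entirely. The same applies to the other removals in this file (62.73.7.0/24, 62.73.8.0/23, 62.73.10.0/24, 156.0.200.0/22, 190.115.16.0/20): the commit message is only the subject line and a Signed-off-by. Please state per removal whether the network was reassigned, is now covered by another source, or was a false positive, so a later batch does not re-add it.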
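
Review bot: In override-other.txt, hunk @@ -799,7 +829,7 @@, only the `descr:` of AS134196 changes (Cloudie Limited to ANYUN INTERNET TECHNOLOGY (HK) CO.,LIMITED) while the remark `part of the "Asline" IP hijacking gang, tampers with RIR data, traces back to AP region (HK? CN?)` and `country: AP` stay as written for the previous holder. If the AS number changed hands, the attribution needs to be re-checked against the new holder rather than inherited; if it is only a rename, say so in the remark. The new name also carries "(HK)", which sits oddly next to the still-hedged "(HK? CN?)".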
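
Review bot: In override-xd.txt, hunk @@ -97,6 +97,12 @@, the AS54600 entry is not moved verbatim from override-other.txt: the remark hardens from "ISP and/or IP hijacker" to "ISP and IP hijacker" at the same time `drop: yes` is added. The final hunk does the same for 2a0f:7a80::/29 ("HK-based company" becomes "HK-based IP hijacker", `country: AP` becomes `country: HK`). Escalating an entry from a country override to a drop changes what downstream consumers do with the traffic, so the evidence for the stronger claim should be recorded in the remark or the commit message, and the moves would be easier to audit as their own commit, separate from the routine country fixes.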
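
Review bot: In override-xd.txt, hunk @@ -261,6 +273,18 @@, the new AS398993 and AS399195 entries get `drop: yes` on the strength of `remarks: ISP located in JP, tampers with RIR data` and `remarks: ISP located in KR, tampers with RIR data`. The same patch adds entries to override-other.txt with equal or stronger wording (for example AS132813, "ISP and/or IP hijacker located in HK, tampers with RIR data") that receive only a country override. The remark should state what distinguishes a drop from a country correction here, for instance the relation to AS54600 beyond the shared `descr: PEG TECH INC`, so the criterion for the drop list stays reviewable.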