December 2021 - Location - lists.ipfire.org

ASNs without AS name information (LACNIC and JPNIC)
by nusenu 19 Jan '22

19 Jan '22

Hi, I'm currently evaluating whether I should use ipfire or RIPEstat for AS information. (low number of lookups, lookup latency is not an issue) For tor relay IPs I found 54 ASNs where ipfire's DB has no AS name information. These are likely related to LACNIC and JPNIC. Are there plans to add AS names for these regions as well or will this not improve in the near future (before 2022)? kind regards, nusenu +-----------+---------+ | as_number | country | +-----------+---------+ | AS61493 | ar | | AS7303 | ar | | AS18881 | br | | AS19182 | br | | AS262287 | br | | AS264381 | br | | AS267436 | br | | AS268207 | br | | AS269070 | br | | AS27699 | br | | AS27715 | br | | AS28126 | br | | AS28271 | br | | AS28573 | br | | AS28668 | br | | AS53024 | br | | AS53111 | br | | AS53187 | br | | AS7162 | br | | AS7738 | br | | AS8167 | br | | AS22047 | cl | | AS265831 | cl | | AS270013 | cl | | AS27651 | cl | | AS52368 | cl | | AS64111 | cl | | AS7418 | cl | | AS13489 | co | | AS11830 | cr | | AS3790 | cr | | AS52423 | cr | | AS28118 | do | | AS10010 | jp | | AS17676 | jp | | AS18126 | jp | | AS2510 | jp | | AS2514 | jp | | AS2516 | jp | | AS2527 | jp | | AS4685 | jp | | AS4694 | jp | | AS4713 | jp | | AS4725 | jp | | AS59103 | jp | | AS7506 | jp | | AS7684 | jp | | AS9370 | jp | | AS9371 | jp | | AS13999 | mx | | AS278 | mx | | AS6503 | mx | | AS8151 | mx | | AS27956 | pa | +-----------+---------+

3 11

[PATCH] overrides-{a1,other,xd}: Regular batch of various overrides
by Peter Müller 27 Dec '21

27 Dec '21

Swiss company Securebit AG continues to think messing with country codes is funny... :-/ Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> --- overrides/override-a1.txt | 5 -- overrides/override-other.txt | 140 ++++++++++++++++++++--------------- overrides/override-xd.txt | 74 +++++++++++++++--- 3 files changed, 144 insertions(+), 75 deletions(-) diff --git a/overrides/override-a1.txt b/overrides/override-a1.txt index 5fce4d9..7365738 100644 --- a/overrides/override-a1.txt +++ b/overrides/override-a1.txt @@ -285,11 +285,6 @@ remarks: VPN provider located in ES is-anonymous-proxy: yes country: ES -aut-num: AS213224 -descr: Blue Black Squared Limited -remarks: Owned by an offshore letterbox company, claims NL, but dead-ends in DE - hard to tell what is going on here -is-anonymous-proxy: yes - aut-num: AS394087 descr: Secure Internet LLC / PureVPN remarks: VPN provider diff --git a/overrides/override-other.txt b/overrides/override-other.txt index 05901f6..8b228af 100644 --- a/overrides/override-other.txt +++ b/overrides/override-other.txt @@ -149,11 +149,6 @@ descr: Blue Diamond Network Co., Ltd. remarks: Hiding behind fake ISP Navitgo LLC (AS59721), tampers with RIR data country: NL -aut-num: AS18013 -descr: ASLINE LIMITED -remarks: IP hijacker, traces back to AP region -country: AP - aut-num: AS18185 name: Northern Taiwan Community University remarks: has no sane AS name set in APNIC DB @@ -173,31 +168,16 @@ descr: EGIHosting remarks: ISP located in US, but some RIR data for announced prefixes contain garbage country: US -aut-num: AS207711 -descr: Inteldome Corporation -remarks: ... whose location we are unable to determine precisely, but its definitely not MH :-/ -country: EU - aut-num: AS21100 descr: ITL LLC remarks: ISP headquatered in BG and/or UA, physically located in NL, some RIR data for announced prefixes contain inaccurate data country: NL -aut-num: AS22769 -descr: DDOSING NETWORK -remarks: IP hijacker located somewhere in AP, massively tampers with RIR data -country: AP - aut-num: AS23858 descr: xTom Pty. Ltd. remarks: ISP located in AU, RIR data for announced prefixes contain garbage country: AU -aut-num: AS24009 -descr: HK UNITE TELECOMMUNICATIONS DEVELOPMENT LIMITED -remarks: IP hijacker (?) located in HK, tampers with RIR data -country: HK - aut-num: AS24700 descr: Yes Networks Unlimited Ltd remarks: traces to UA, but some RIR entries seem to contain garbage (VG) @@ -218,6 +198,11 @@ descr: Unicycle, LLC remarks: traces back to NL country: NL +aut-num: AS26636 +descr: GBTCloud, Inc. +remarks: ISP located in US, but some RIR data for announced prefixes contain garbage +country: US + aut-num: AS27411 descr: Leaseweb USA, Inc. remarks: ISP located in US, but some RIR data for announced prefixes contain garbage @@ -358,6 +343,11 @@ descr: Rack Sphere Hosting S.A. remarks: claims PA for some prefixes, but they are all hosted in CH country: CH +aut-num: AS40021 +descr: Contabo Inc. +remarks: ISP located in US, but some RIR data for announced prefixes contain garbage +country: US + aut-num: AS40034 descr: Confluence Networks Inc. remarks: fake offshore location (VG), traces back to Austin, TX, US @@ -373,13 +363,8 @@ descr: MLAB Open Source Community remarks: traces back to DE country: DE -aut-num: AS41466 -descr: Treidinvest LLC -remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data -country: BG - aut-num: AS41564 -descr: Packet Exchange Limited +descr: Orion Network Limited remarks: shady uplink for a bunch of dirty ISPs in SE (and likely elsewhere in EU), routing stolen AfriNIC networks, RIR data of prefixes announced by this AS cannot be trusted country: SE @@ -409,7 +394,7 @@ remarks: ISP located in GB, but some RIR data for announced prefixes contain gar country: GB aut-num: AS42960 -descr: Cloud Management LLC +descr: VH Global Limited remarks: tampers with RIR data, traces back to AP area country: AP @@ -418,11 +403,6 @@ descr: DGN TEKNOLOJI A.S. remarks: ISP located in TR, but many RIR data for announced prefixes contain garbage country: TR -aut-num: AS43092 -descr: Kirin Communication Limited -remarks: tampers with RIR data, traces back to AP area -country: AP - aut-num: AS43310 descr: TOV "LVS" remarks: ISP located in UA, but some RIR data for announced prefixes contain garbage @@ -453,11 +433,6 @@ descr: NbIServ remarks: ISP located in DE, but some RIR data for announced prefixes contain garbage country: DE -aut-num: AS44015 -descr: Landgard Management Inc. -remarks: bulletproof ISP with strong links to RU -country: RU - aut-num: AS44477 descr: IP Oleinichenko Denis remarks: ISP located in RU, but some RIR data for announced prefixes contain garbage @@ -468,6 +443,11 @@ descr: Skylink Data Center BV remarks: ISP located in NL, but some RIR data for announced prefixes contain garbage country: NL +aut-num: AS44901 +descr: Belcloud LTD +remarks: ISP located in BG, but some RIR data for announced prefixes contain garbage +country: BG + aut-num: AS44992 descr: KeonWoo PARK remarks: claims US for its prefixes announced, but traces back to KR @@ -493,6 +473,11 @@ descr: Spectre Operations BV remarks: ISP located in NL, but some RIR data for suballocations of announced prefixes contain garbage country: NL +aut-num: AS48024 +descr: NEROCLOUD Ltd. +remarks: RIR data faked/incorrect, cannot trust this network +country: EU + aut-num: AS48158 descr: DigitalOne AG remarks: Services appear to be hosted in RU, RIR data faked/incorrect @@ -545,7 +530,7 @@ country: NL aut-num: AS50360 descr: Tamatiya EOOD / 4Vendeta -remarks: Questionable (at best) ISP located in BG, clients massively tamper with RIR data +remarks: Questionable ISP located in BG, clients massively tamper with RIR data country: BG aut-num: AS50673 @@ -553,6 +538,11 @@ descr: Serverius Holding B.V. remarks: ISP located in NL, but some RIR data for announced prefixes contain garbage country: NL +aut-num: AS51167 +descr: Contabo GmbH +remarks: ISP located in DE, but some RIR data for announced prefixes contain garbage +country: DE + aut-num: AS51089 descr: SALTYFISH TECH LTD remarks: traceroutes dead-end somewhere near HK @@ -638,11 +628,6 @@ descr: ULTRANEX LTD remarks: fake offshore location (CY), hosted in NL country: NL -aut-num: AS58271 -descr: FOP Gubina Lubov Petrivna -remarks: bulletproof ISP operating from a war zone in eastern UA -country: UA - aut-num: AS58294 descr: CloudWall Ltd. remarks: RIR data neither contain a postal address nor a phone number, traceroutes end in Sofia, BG @@ -1080,14 +1065,24 @@ country: US aut-num: AS207569 descr: Network Management Ltd. -remarks: traceroutes dead-end somewhere in or near RU -country: RU +remarks: traceroutes dead-end somewhere in or near CZ +country: CZ aut-num: AS207616 descr: Altrosky Technology Ltd. remarks: fake offshore location (SC), traces back to CZ and NL country: EU +aut-num: AS207711 +descr: Inteldome Corporation +remarks: ... whose location we are unable to determine precisely, but its definitely not MH :-/ +country: EU + +aut-num: AS207968 +descr: Internetservice Hahn +remarks: AQ != DE, you know +country: DE + aut-num: AS208046 descr: Maximilian Kutzner trading as HostSlick remarks: traces back to NL, but some RIR data for announced prefixes contain garbage @@ -1098,11 +1093,6 @@ descr: Access2.IT Group B.V. remarks: ISP located in NL, but some RIR data for announced prefixes contain garbage country: NL -aut-num: AS208410 -descr: Internet Hosting Ltd. -remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data -country: BG - aut-num: AS208485 descr: Nese Mala / Moon DC remarks: shady ISP located in TR, but many RIR data for announced prefixes contain garbage @@ -1118,11 +1108,6 @@ descr: Miti 2000 EOOD remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data country: BG -aut-num: AS209272 -descr: Alviva Holding Limited -remarks: bulletproof ISP operating from a war zone in eastern UA -country: UA - aut-num: AS209366 descr: SEMrush CY LTD remarks: claims CY for announced prefixes, but they are all hosted in NL @@ -1148,6 +1133,11 @@ descr: VPSSC Networks LTD remarks: ISP located in UA, but RIR data for announced prefixes contain garbage country: UA +aut-num: AS210654 +descr: Des Capital B.V. +remarks: Shady ISP located in NL, but RIR data for announced prefixes contain garbage +country: NL + aut-num: AS210848 descr: Telkom Internet LTD remarks: shady ISP currently located in NL @@ -1203,6 +1193,11 @@ descr: MILEGROUP LTD remarks: traceroutes dead-end somewhere in Central Europe country: EU +aut-num: AS212552 +descr: BitCommand LLC +remarks: Hides behind a CDN ISP, traceroutes dead-end somewhere in Central Europe +country: EU + aut-num: AS212667 descr: RECONN LLC remarks: ISP located in RU, but RIR data for announced prefixes contain garbage @@ -1218,11 +1213,6 @@ descr: Serverion BV remarks: ISP located in NL, but RIR data for most announced prefixes contain garbage country: NL -aut-num: AS213058 -descr: Private Internet Hosting LTD -remarks: bulletproof ISP located in RU -country: RU - aut-num: AS213194 descr: Alfa Web Solutions Ltd. remarks: shady ISP located in NL @@ -1263,6 +1253,11 @@ descr: xTom Limited remarks: ISP located in ZA, RIR data for announced prefixes contain garbage country: ZA +aut-num: AS328227 +descr: Xhostserver LLC +remarks: ISP located in ZA, many RIR data for announced prefixes contain garbage +country: ZA + aut-num: AS328543 descr: Sun Network Company Limited remarks: IP hijacker, traces back to AP region @@ -1398,6 +1393,11 @@ descr: IPv4 Superhub Limited remarks: network owned by an HK company, traces back to HK as well - but is assigned to DE. Nice try... country: HK +net: 45.129.136.0/24 +descr: Flyservers S.A. +remarks: fake offshore location (PA), traces back to NL +country: NL + net: 45.134.12.0/24 descr: MS Network LTD remarks: fake offshore location (SC), traces back to NL @@ -1493,6 +1493,21 @@ descr: PSINet, Inc. (PSI) / Cogent Communications remarks: Cogent IP range used in Europe, according to ARIN whois ("COGENT-EUROPEAN-OPERATIONS-001") country: EU +net: 141.98.82.0/24 +descr: Flyservers S.A. +remarks: fake offshore location (PA), traces back to RO +country: RO + +net: 141.98.83.0/24 +descr: Flyservers S.A. +remarks: fake offshore location (PA), traces back to RO +country: RO + +net: 146.19.102.0/24 +descr: Norbert Miczuga +remarks: ... who thinks messing with country codes is funny :-/ +country: CH + net: 149.22.96.0/19 descr: Manx Telecom Limited remarks: Suballocation of Cogent, country code missing due to ARIN DB situation (https://community.ipfire.org/t/location-database-update-error-country-code/…) @@ -1608,6 +1623,11 @@ descr: Openfactory GmbH remarks: ... who thinks assigning networks to AQ is funny :-/ country: EU +net: 2a10:ccc0::/29 +descr: Securebit AG +remarks: ... who thinks assigning networks to AQ is funny :-/ +country: CH + net: 2402:e940:f00::/48 descr: Wind Cloud Network Technology Co Ltd. remarks: appears to be used out of Tokyo, JP diff --git a/overrides/override-xd.txt b/overrides/override-xd.txt index 29057d9..b669621 100644 --- a/overrides/override-xd.txt +++ b/overrides/override-xd.txt @@ -26,11 +26,41 @@ # Please keep this file sorted. # +aut-num: AS18013 +descr: ASLINE LIMITED +remarks: IP hijacker, traces back to AP region +country: AP +drop: yes + +aut-num: AS22769 +descr: DDOSING NETWORK +remarks: IP hijacker located somewhere in AP, massively tampers with RIR data +country: AP +drop: yes + +aut-num: AS24009 +descr: LANLIAN INTERNATIONAL HOLDING GROUP LIMITED +remarks: IP hijacker located in HK, tampers with RIR data +country: HK +drop: yes + aut-num: AS39770 descr: 1337TEAM LIMITED / eliteteam[.]to remarks: Owned by an offshore letterbox company, suspected rogue ISP drop: yes +aut-num: AS43092 +descr: Kirin Communication Limited +remarks: Hijacks IP space and tampers with RIR data, traces back to JP +country: JP +drop: yes + +aut-num: AS44015 +descr: Landgard Management Inc. +remarks: bulletproof ISP with strong links to RU +country: RU +drop: yes + aut-num: AS48090 descr: PPTECHNOLOGY LIMITED remarks: bulletproof ISP (related to AS204655) located in NL @@ -72,6 +102,18 @@ remarks: bulletproof ISP (related to AS202425) located in NL country: NL drop: yes +aut-num: AS58271 +descr: FOP Gubina Lubov Petrivna +remarks: bulletproof ISP operating from a war zone in eastern UA +country: UA +drop: yes + +aut-num: AS58810 +descr: iZus Co., Ltd +remarks: Autonomous System registered to offshore company, abuse contact is a freemail address, seems to trace to some location in AP vicinity +country: AP +drop: yes + aut-num: AS60424 descr: 1337TEAM LIMITED / eliteteam[.]to remarks: Owned by an offshore letterbox company, suspected rogue ISP @@ -83,12 +125,6 @@ remarks: bulletproof ISP (linked to AS202425 et al.) located in NL country: NL drop: yes -aut-num: AS62355 -descr: Network Dedicated SAS -remarks: bulletproof ISP and IP hijacker, claims to be located in CH, but traces to NL -country: NL -drop: yes - aut-num: AS64425 descr: SKB Enterprise B.V. remarks: bulletproof ISP (linked to AS202425 et al.) located in NL @@ -113,16 +149,28 @@ remarks: bulletproof ISP and IP hijacker, related to AS202425 and AS62355, trace country: NL drop: yes +aut-num: AS204655 +descr: Novogara Ltd. +remarks: bulletproof ISP (strongly linked to AS202425) located in NL +country: NL +drop: yes + aut-num: AS207812 descr: DM AUTO EOOD remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data country: BG drop: yes -aut-num: AS204655 -descr: Novogara Ltd. -remarks: bulletproof ISP (strongly linked to AS202425) located in NL -country: NL +aut-num: AS209272 +descr: Alviva Holding Limited +remarks: bulletproof ISP operating from a war zone in eastern UA +country: UA +drop: yes + +aut-num: AS213058 +descr: Private Internet Hosting LTD +remarks: bulletproof ISP located in RU +country: RU drop: yes aut-num: AS328671 @@ -131,7 +179,13 @@ remarks: bulletproof ISP (strongly linked to AS202425) located in NL country: NL drop: yes +net: 2a0e:b107:d10::/44 +descr: NZB.si Enterprises +remarks: Tampers with RIR data, not a safe place to route traffic to +drop: yes + net: 2a10:9700::/29 descr: 1337TEAM LIMITED / eliteteam[.]to remarks: Owned by an offshore letterbox company, suspected rogue ISP +country: RU drop: yes -- 2.26.2

1 0

[PATCH] location-importer.in: Do not make things more complicated than they are
by Peter Müller 20 Dec '21

20 Dec '21

Suggested-by: Michael Tremer <michael.tremer(a)ipfire.org> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> --- src/python/location-importer.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/python/location-importer.in b/src/python/location-importer.in index 118b0de..f39a42b 100644 --- a/src/python/location-importer.in +++ b/src/python/location-importer.in @@ -687,7 +687,7 @@ class CLI(object): start_address = ipaddress.ip_network(start_address, strict=False) except ValueError: start_address = start_address.split("/") - ldigits = len(start_address[0].split(".")) + ldigits = start_address[0].count(".") # How many octets do we need to add? # (LACNIC does not seem to have a /8 or greater assigned, so the following should suffice.) -- 2.26.2

2 1

[PATCH] override-other: 98.97.128.0/21 is located in CA
by Peter Müller 18 Dec '21

18 Dec '21

Fixes: #12746 Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> --- overrides/override-other.txt | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/overrides/override-other.txt b/overrides/override-other.txt index ca9dbad..05901f6 100644 --- a/overrides/override-other.txt +++ b/overrides/override-other.txt @@ -1478,6 +1478,11 @@ descr: QWARTA LLC remarks: fake location (US), WHOIS contact and traceroutes point to RU country: RU +net: 98.97.128.0/21 +descr: SpaceX Canada Corp. +remarks: Accurate country code missing due to ARIN DB situation, see also: #12746 +country: CA + net: 103.197.148.0/22 descr: I.C.S. Trabia-Network S.R.L. remarks: fake offshore location (HK), traces back to MD -- 2.26.2

1 0

[PATCH] Process LACNIC geofeed as well
by Peter Müller 13 Dec '21

13 Dec '21

This improves country code accurarcy for suballocations within IP space managed by LACNIC, as the delegated-extended-latest file only provides country code information at the top level of an allocated network. Sadly, lacnic.db.gz does not contain descriptions or names of Autonomous Systems within the space maintained by LACNIC. Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> --- src/python/importer.py | 4 ++- src/python/location-importer.in | 43 +++++++++++++++++++++++++++------ 2 files changed, 39 insertions(+), 8 deletions(-) diff --git a/src/python/importer.py b/src/python/importer.py index de340b4..dee36ed 100644 --- a/src/python/importer.py +++ b/src/python/importer.py @@ -53,7 +53,9 @@ WHOIS_SOURCES = { ], # Latin America and Caribbean Network Information Centre - # XXX ??? + "LACNIC": [ + "https://ftp.lacnic.net/lacnic/dbase/lacnic.db.gz" + ], # Réseaux IP Européens "RIPE": [ diff --git a/src/python/location-importer.in b/src/python/location-importer.in index b791b4d..78bb846 100644 --- a/src/python/location-importer.in +++ b/src/python/location-importer.in @@ -681,13 +681,42 @@ class CLI(object): # Strip any excess space start_address, end_address = start_address.rstrip(), end_address.strip() - # Convert to IP address - try: - start_address = ipaddress.ip_address(start_address) - end_address = ipaddress.ip_address(end_address) - except ValueError: - log.warning("Could not parse line: %s" % line) - return + # Handle "inetnum" formatting in LACNIC DB (e.g. "24.152.8/22" instead of "24.152.8.0/22") + if start_address and not (delim or end_address): + try: + start_address = ipaddress.ip_network(start_address, strict=False) + except ValueError: + start_address = start_address.split("/") + ldigits = len(start_address[0].split(".")) + + # How many octets do we need to add? + # (LACNIC does not seem to have a /8 or greater assigned, so the following should suffice.) + if ldigits == 2: + start_address = start_address[0] + ".0.0/" + start_address[1] + elif ldigits == 3: + start_address = start_address[0] + ".0/" + start_address[1] + else: + log.warning("Could not recover IPv4 address from line in LACNIC DB format: %s" % line) + return + + try: + start_address = ipaddress.ip_network(start_address, strict=False) + except ValueError: + log.warning("Could not parse line in LACNIC DB format: %s" % line) + return + + # Enumerate first and last IP address of this network + end_address = start_address[-1] + start_address = start_address[0] + + else: + # Convert to IP address + try: + start_address = ipaddress.ip_address(start_address) + end_address = ipaddress.ip_address(end_address) + except ValueError: + log.warning("Could not parse line: %s" % line) + return inetnum["inetnum"] = list(ipaddress.summarize_address_range(start_address, end_address)) -- 2.26.2

2 1

[PATCH] location-importer: Replace "UK" with "GB"
by Peter Müller 12 Dec '21

12 Dec '21

Apparently, LACNIC does not to proper input validation on supplied country codes, so people can use "UK", while they probably mean "GB" instead. Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> --- src/python/location-importer.in | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/python/location-importer.in b/src/python/location-importer.in index b791b4d..099af55 100644 --- a/src/python/location-importer.in +++ b/src/python/location-importer.in @@ -705,6 +705,10 @@ class CLI(object): # ... but keep this list distinct... continue + # When people set country codes to "UK", they actually mean "GB" + if val == "UK": + val = "GB" + inetnum[key].append(val) # Skip empty objects -- 2.26.2

1 0

[PATCH] location-importer: Improve regex for catching historic/orphaned data
by Peter Müller 12 Dec '21

12 Dec '21

This silences a bunch of warnings due to allocations at APNIC having country code set to "ZZ", which are completely irrelevant to us. Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> --- src/python/location-importer.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/python/location-importer.in b/src/python/location-importer.in index b791b4d..b066ac6 100644 --- a/src/python/location-importer.in +++ b/src/python/location-importer.in @@ -671,7 +671,7 @@ class CLI(object): # Filter any inetnum records which are only referring to IP space # not managed by that specific RIR... if key == "netname": - if re.match(r"(ERX-NETBLOCK|(AFRINIC|ARIN|LACNIC|RIPE)-CIDR-BLOCK|IANA-NETBLOCK-\d{1,3}|NON-RIPE-NCC-MANAGED-ADDRESS-BLOCK)", val.strip()): + if re.match(r"^(ERX-NETBLOCK|(AFRINIC|ARIN|LACNIC|RIPE)-CIDR-BLOCK|IANA-NETBLOCK-\d{1,3}|NON-RIPE-NCC-MANAGED-ADDRESS-BLOCK|STUB-[\d-]{3,}SLASH\d{1,2})", val.strip()): log.debug("Skipping record indicating historic/orphaned data: %s" % val.strip()) return -- 2.26.2

1 0

[PATCH] location-importer: Set "is_drop" to "True" even in case of conflicts
by Peter Müller 11 Dec '21

11 Dec '21

Previously, any present override for a given network or ASN would have caused the SQL statement not to conduct anything at all. Since "is_drop" is the only flag being actually set here, it makes sense to do so in case of already present overrides as well. The effect of this is limited: Our own override files are always considered at last, so in case of conflicts they will be the ultima ratio. This is an intended behaviour, but slipped my mind when I filed bug #12728, so this patch can only be seen as a partial solution - the rest is not a bug, but a feature. :-) Partially fixes: #12728 Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> --- src/python/location-importer.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/python/location-importer.in b/src/python/location-importer.in index b791b4d..b3e3658 100644 --- a/src/python/location-importer.in +++ b/src/python/location-importer.in @@ -1320,7 +1320,7 @@ class CLI(object): source, is_drop ) VALUES (%s, %s, %s) - ON CONFLICT (network) DO NOTHING""", + ON CONFLICT (network) DO UPDATE SET is_drop = True""", "%s" % network, "Spamhaus DROP lists", True @@ -1368,7 +1368,7 @@ class CLI(object): source, is_drop ) VALUES (%s, %s, %s) - ON CONFLICT (number) DO NOTHING""", + ON CONFLICT (number) DO UPDATE SET is_drop = True""", "%s" % asn, "Spamhaus ASN-DROP list", True -- 2.26.2

1 0

[PATCH] override-{a1,other,xd}: Regular batch of various overrides
by Peter Müller 10 Dec '21

10 Dec '21

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> --- overrides/override-a1.txt | 48 ---------------- overrides/override-other.txt | 104 ++++++++++++++++++++++------------- overrides/override-xd.txt | 50 +++++++++++++++++ 3 files changed, 117 insertions(+), 85 deletions(-) diff --git a/overrides/override-a1.txt b/overrides/override-a1.txt index 5734c08..5fce4d9 100644 --- a/overrides/override-a1.txt +++ b/overrides/override-a1.txt @@ -82,11 +82,6 @@ descr: Asiamax Ltd. VPN remarks: VPN provider is-anonymous-proxy: yes -aut-num: AS39770 -descr: 1337TEAM LIMITED / eliteteam[.]to -remarks: Owned by an offshore letterbox company, suspected rogue ISP -is-anonymous-proxy: yes - aut-num: AS43233 descr: VPS 404 Ltd. remarks: VPN provider [high confidence, but not proofed] located in ES @@ -114,12 +109,6 @@ descr: BeeVPN ApS remarks: VPN provider is-anonymous-proxy: yes -aut-num: AS51381 -descr: 1337TEAM LIMITED / eliteteam[.]to -remarks: Owned by an offshore letterbox company, suspected rogue ISP -is-anonymous-proxy: yes -country: RU - aut-num: AS51446 descr: SP Argaev Artem Sergeyevich / Foundation Respect My Privacy remarks: VPN provider [high confidence, but not proofed] @@ -142,17 +131,6 @@ remarks: Tor relay and VPN provider, traces back to SE [high confidence, but n is-anonymous-proxy: yes country: SE -aut-num: AS55303 -descr: Eagle Sky Co., Lt[d ?] -remarks: Autonomous System registered to offshore company, abuse contact is a freemail address, address says "0 Market Square, P.O. Box 364, Belize", seems to trace to some location in AP vicinity -is-anonymous-proxy: yes -country: AP - -aut-num: AS56873 -descr: 1337TEAM LIMITED / eliteteam[.]to -remarks: Owned by an offshore letterbox company, suspected rogue ISP -is-anonymous-proxy: yes - aut-num: AS58110 descr: IP Volume Ltd. / Epik remarks: Shady Autonomous System registered to letterbox company, possibly copycat operation of Epik registrar, many prefixes announced refer to "anonymize" infrastructure @@ -168,11 +146,6 @@ descr: Geotelco Limited remarks: VPN provider [high confidence, but not proofed] is-anonymous-proxy: yes -aut-num: AS60424 -descr: 1337TEAM LIMITED / eliteteam[.]to -remarks: Owned by an offshore letterbox company, suspected rogue ISP -is-anonymous-proxy: yes - aut-num: AS60729 descr: Zwiebelfreunde e.V. remarks: Tor relay provider @@ -214,12 +187,6 @@ descr: HERN Labs AB remarks: VPN provider [high confidence, but not proofed] is-anonymous-proxy: yes -aut-num: AS206819 -descr: ANSON NETWORK LIMITED -remarks: Autonomous System registered to UK letterbox company, traces back through shady ISPs to TW -is-anonymous-proxy: yes -country: TW - aut-num: AS207688 descr: DataHome S.A. remarks: VPN provider located in BR [high confidence, but not proofed] @@ -1430,11 +1397,6 @@ descr: Tredinvest LLC / bestwest[.]host remarks: VPN provider or offering similar services [high confidence, but not proofed] is-anonymous-proxy: yes -net: 185.215.113.0/24 -descr: 1337TEAM LIMITED / eliteteam[.]to -remarks: Owned by an offshore letterbox company, suspected rogue ISP -is-anonymous-proxy: yes - net: 185.220.100.0/22 descr: Zwiebelfreunde e.V. / F3 Netze e.V. / The Calyx Institute remarks: Tor relay provider @@ -1692,11 +1654,6 @@ descr: LogicWeb Inc. / BGRVPN / Private Internet Access / VPNetworks / Cookie remarks: Hijacked AfriNIC IP chunk mostly used by VPN providers is-anonymous-proxy: yes -net: 196.61.192.0/20 -descr: Inspiring Networks LTD -remarks: hijacked (?) IP network owned by an offshore company [high confidence, but not proofed] -is-anonymous-proxy: yes - net: 197.221.161.0/24 descr: VPNClientPublics remarks: VPN provider @@ -2031,8 +1988,3 @@ net: 2c0f:f930::/32 descr: Cyberdyne S.A. remarks: Tor relay provider is-anonymous-proxy: yes - -net: 2a10:9700::/29 -descr: 1337TEAM LIMITED / eliteteam[.]to -remarks: Owned by an offshore letterbox company, suspected rogue ISP -is-anonymous-proxy: yes diff --git a/overrides/override-other.txt b/overrides/override-other.txt index 7d76534..ca9dbad 100644 --- a/overrides/override-other.txt +++ b/overrides/override-other.txt @@ -85,6 +85,11 @@ descr: Tianhai InfoTech remarks: IP hijacker located somewhere in AP, massively tampers with RIR data country: AP +aut-num: AS5408 +descr: Greek Research and Technology Network (GRNET) S.A. +remarks: ... located in GR +country: GR + aut-num: AS6134 descr: XNNET LLC remarks: traces back to an unknown oversea location (HK?), seems to tamper with RIR data @@ -363,6 +368,11 @@ descr: CNSERVERS LLC remarks: Shady ISP located in US, tampers with RIR data country: US +aut-num: AS41047 +descr: MLAB Open Source Community +remarks: traces back to DE +country: DE + aut-num: AS41466 descr: Treidinvest LLC remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data @@ -408,6 +418,11 @@ descr: DGN TEKNOLOJI A.S. remarks: ISP located in TR, but many RIR data for announced prefixes contain garbage country: TR +aut-num: AS43092 +descr: Kirin Communication Limited +remarks: tampers with RIR data, traces back to AP area +country: AP + aut-num: AS43310 descr: TOV "LVS" remarks: ISP located in UA, but some RIR data for announced prefixes contain garbage @@ -498,11 +513,6 @@ descr: LLC Baxet remarks: tampers with RIR data, traces back to RU country: RU -aut-num: AS49447 -descr: Nice IT Services Group Inc. -remarks: Rogue ISP located in CH, but some RIR data for announced prefixes contain garbage -country: CH - aut-num: AS49466 descr: KLAYER LLC remarks: part of the "Asline" IP hijacking gang, traces back to AP region @@ -748,6 +758,11 @@ descr: NForce Entertainment BV remarks: currently hijacks a single stolen /20 AfriNIC IPv4 net, hosted in NL country: NL +aut-num: AS131685 +descr: Sun Network (Hong Kong) Limited +remarks: ISP and/or IP hijacker located somewhere in AP +country: AP + aut-num: AS132369 descr: XIANGAO INTERNATIONAL TELECOMMUNICATION LIMITED remarks: ISP located in HK, tampers with RIR data @@ -758,9 +773,14 @@ descr: POWER LINE DATACENTER remarks: ISP and/or IP hijacker located in HK, tampers with RIR data country: HK +aut-num: AS133201 +descr: ABCDE GROUP COMPANY LIMITED +remarks: ISP and/or IP hijacker located somewhere in AP +country: AP + aut-num: AS133441 descr: CloudITIDC Global -remarks: ISP and/or IP hijacker located somehwere in AP +remarks: ISP and/or IP hijacker located somewhere in AP country: AP aut-num: AS133752 @@ -810,7 +830,7 @@ country: AP aut-num: AS136800 descr: ICIDC NETWORK -remarks: IP hijacker located somehwere in AP, suspected to be part of the "Asline" IP hijacking gang, tampers with RIR data +remarks: IP hijacker located somewhere in AP, suspected to be part of the "Asline" IP hijacking gang, tampers with RIR data country: AP aut-num: AS136933 @@ -923,6 +943,11 @@ descr: Incomparable(HK)Network Co., Limited remarks: ISP and/or IP hijacker located in AP area, tampers with RIR data country: AP +aut-num: AS141746 +descr: Orenji Server +remarks: IP hijacker located somewhere in AP area (JP?) +country: AP + aut-num: AS196682 descr: FLP Kochenov Aleksej Vladislavovich remarks: ISP located in UA, but RIR data for announced prefixes all say EU @@ -933,11 +958,6 @@ descr: ALEXHOST SRL remarks: ISP located in MD, majority of RIR data for announced prefixes contain garbage, we cannot trust this network country: MD -aut-num: AS200391 -descr: KREZ 999 EOOD -remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data -country: BG - aut-num: AS200699 descr: Datashield, Inc. remarks: fake offshore location (SC), traces back to NL @@ -1028,6 +1048,11 @@ descr: Genius Guard / Genius Security Ltd. remarks: another shady customer of "DDoS Guard Ltd.", probably located in RU country: RU +aut-num: AS206819 +descr: ANSON NETWORK LIMITED +remarks: Autonomous System registered to UK letterbox company, traces back through shady ISPs to TW +country: TW + aut-num: AS206898 descr: Server Hosting Pty Ltd remarks: ISP located in NL, but some RIR data for announced prefixes contain garbage @@ -1063,11 +1088,6 @@ descr: Altrosky Technology Ltd. remarks: fake offshore location (SC), traces back to CZ and NL country: EU -aut-num: AS207812 -descr: DM AUTO EOOD -remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data -country: BG - aut-num: AS208046 descr: Maximilian Kutzner trading as HostSlick remarks: traces back to NL, but some RIR data for announced prefixes contain garbage @@ -1248,6 +1268,11 @@ descr: Sun Network Company Limited remarks: IP hijacker, traces back to AP region country: AP +aut-num: AS328608 +descr: Africa on Cloud +remarks: ... for some reason, I doubt a _real_ African ISP would announce solely hijacked prefixes +country: AP + aut-num: AS328703 descr: Seven Network Inc. remarks: traces back to ZA @@ -1313,25 +1338,25 @@ descr: Wolverine Trading, LLC remarks: IP hijacker located in US, tampers with RIR data country: US -net: 5.1.68.0/24 -descr: GaiacomLC -remarks: routed to DE, inaccurate RIR data -country: DE +net: 5.1.68.0/24 +descr: GaiacomLC +remarks: routed to DE, inaccurate RIR data +country: DE -net: 5.1.69.0/24 -descr: GaiacomLC -remarks: routed to DE, inaccurate RIR data -country: DE +net: 5.1.69.0/24 +descr: GaiacomLC +remarks: routed to DE, inaccurate RIR data +country: DE -net: 5.1.83.0/24 -descr: GaiacomLC -remarks: routed to DE, inaccurate RIR data -country: DE +net: 5.1.83.0/24 +descr: GaiacomLC +remarks: routed to DE, inaccurate RIR data +country: DE -net: 5.1.88.0/24 -descr: GaiacomLC -remarks: routed to DE, inaccurate RIR data -country: DE +net: 5.1.88.0/24 +descr: GaiacomLC +remarks: routed to DE, inaccurate RIR data +country: DE net: 5.252.32.0/22 descr: StormWall s.r.o. @@ -1413,6 +1438,11 @@ descr: Golden Internet LLC remarks: fake location (KP), WHOIS contact points to RU country: RU +net: 91.90.120.0/24 +descr: M247 LTD, Greenland Infrastructure +remarks: ... traces back to CA +country: CA + net: 91.149.194.0/24 descr: IP Volume Ltd. / Epik remarks: fake location (CH), traces back to SE @@ -1488,10 +1518,10 @@ descr: Intelcom Group Ltd remarks: fake offshore location (SC), traces back to RU country: RU -net: 185.140.204.0/22 -descr: Hornetsecurity GmbH -remarks: all suballocations are used in DE, but are assigned to US -country: DE +net: 185.140.204.0/22 +descr: Hornetsecurity GmbH +remarks: all suballocations are used in DE, but are assigned to US +country: DE net: 185.175.93.0/24 descr: Perfect Hosting Solutions diff --git a/overrides/override-xd.txt b/overrides/override-xd.txt index 7df6188..29057d9 100644 --- a/overrides/override-xd.txt +++ b/overrides/override-xd.txt @@ -26,24 +26,57 @@ # Please keep this file sorted. # +aut-num: AS39770 +descr: 1337TEAM LIMITED / eliteteam[.]to +remarks: Owned by an offshore letterbox company, suspected rogue ISP +drop: yes + aut-num: AS48090 descr: PPTECHNOLOGY LIMITED remarks: bulletproof ISP (related to AS204655) located in NL country: NL drop: yes +aut-num: AS49447 +descr: Nice IT Services Group Inc. +remarks: Rogue ISP located in CH, but some RIR data for announced prefixes contain garbage +country: CH +drop: yes + +aut-num: AS51381 +descr: 1337TEAM LIMITED / eliteteam[.]to +remarks: Owned by an offshore letterbox company, suspected rogue ISP +country: RU +drop: yes + +aut-num: AS55303 +descr: Eagle Sky Co., Lt[d ?] +remarks: Autonomous System registered to offshore company, abuse contact is a freemail address, address says "0 Market Square, P.O. Box 364, Belize", seems to trace to some location in AP vicinity +country: AP +drop: yes + aut-num: AS56611 descr: REBA Communications BV remarks: bulletproof ISP (related to AS202425) located in NL country: NL drop: yes +aut-num: AS56873 +descr: 1337TEAM LIMITED / eliteteam[.]to +remarks: Owned by an offshore letterbox company, suspected rogue ISP +drop: yes + aut-num: AS57717 descr: FiberXpress BV remarks: bulletproof ISP (related to AS202425) located in NL country: NL drop: yes +aut-num: AS60424 +descr: 1337TEAM LIMITED / eliteteam[.]to +remarks: Owned by an offshore letterbox company, suspected rogue ISP +drop: yes + aut-num: AS62068 descr: SpectraIP B.V. remarks: bulletproof ISP (linked to AS202425 et al.) located in NL @@ -62,6 +95,12 @@ remarks: bulletproof ISP (linked to AS202425 et al.) located in NL country: NL drop: yes +aut-num: AS200391 +descr: KREZ 999 EOOD +remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data +country: BG +drop: yes + aut-num: AS202425 descr: IP Volume Inc. remarks: bulletproof ISP (aka: AS29073 / Ecatel Ltd. / Quasi Networks Ltd.) located in NL @@ -74,6 +113,12 @@ remarks: bulletproof ISP and IP hijacker, related to AS202425 and AS62355, trace country: NL drop: yes +aut-num: AS207812 +descr: DM AUTO EOOD +remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data +country: BG +drop: yes + aut-num: AS204655 descr: Novogara Ltd. remarks: bulletproof ISP (strongly linked to AS202425) located in NL @@ -85,3 +130,8 @@ descr: Datapacket Maroc SARL remarks: bulletproof ISP (strongly linked to AS202425) located in NL country: NL drop: yes + +net: 2a10:9700::/29 +descr: 1337TEAM LIMITED / eliteteam[.]to +remarks: Owned by an offshore letterbox company, suspected rogue ISP +drop: yes -- 2.26.2

2 2

[PATCH 1/4] override-other: Clarify file description and fix typos
by Peter Müller 03 Dec '21

03 Dec '21

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> --- overrides/override-other.txt | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/overrides/override-other.txt b/overrides/override-other.txt index dab86a0..1d8d1d1 100644 --- a/overrides/override-other.txt +++ b/overrides/override-other.txt @@ -1,5 +1,5 @@ # -# override-a3 [.txt] +# override-other [.txt] # # This file contains Autonomous Systems and IP networks whose RIR data are believed to be inaccurate, # incomplete, or bogus on purpose and by chance. A small subset of its entries applies to AS descriptions, @@ -9,13 +9,17 @@ # therefore pose a security threat to these users, especially if being set intentionally to circumvent such # filters. # -# The term "Location" may refer to the actual, physical location of a network (usually hard to enumerate +# The term "location" may refer to the actual, physical location of a network (usually hard to enumerate # beyond a country-level), or its jurisdiction. To the best of our knowledge, the contents of "country"-fields -# in RIR databases were never clarified in this conext. +# in RIR databases were never clarified in this context. # # When in doubt, the physical location of a network will be used below, especially if the jurisdiction of a # network appears to be not helpful at all, such as offshore letterbox companies on the other end of the world. # +# In case an AS or IP network is also flagged (A[1-3], XD), the necessary directives should not go into +# this file, but rather into overrides-{a[1-3],xd}.txt - overrides-other.txt should always be the last +# preference, to keep things tidy. +# # Improvement suggestions are appreciated, please submit them as patches to the location mailing # list. Refer to https://lists.ipfire.org/mailman/listinfo/location and https://wiki.ipfire.org/devel/contact # for further information. -- 2.26.2

1 3

2024

2023

2022

2021

2020

2019

2018

2017

Location December 2021