Including location pinning for various LeaseWeb AS, as their customers seem to tamper with RIR data a lot. Fortunately for us, they use one AS per PoP, so we can trace back locations quite easily. :-)
AS209242 is especially - um - interesting. Given Cloudflare's nature, it is impossible to tell where these shady prefixes announced by it are located. Most of them point to letterbox companies, hosting questionable services at best.
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- overrides/override-a1.txt | 32 +++++++++- overrides/override-a3.txt | 30 ++++++++++ overrides/override-other.txt | 112 ++++++++++++++++++++++++++++++++++- 3 files changed, 172 insertions(+), 2 deletions(-)
diff --git a/overrides/override-a1.txt b/overrides/override-a1.txt index 3a65232..b884c5d 100644 --- a/overrides/override-a1.txt +++ b/overrides/override-a1.txt @@ -44,6 +44,11 @@ descr: VPN de Mexico, S.A. de C.V. remarks: VPN provider is-anonymous-proxy: yes
+aut-num: AS32781 +descr: Defender cloud international LLC +remarks: VPN provider [high confidence, but not proofed] +is-anonymous-proxy: yes + aut-num: AS34962 descr: Epik Network remarks: Shady ISP and registrar, many prefixes announced refer to "anonymize" infrastructure @@ -236,6 +241,11 @@ descr: Business VPN LLC remarks: VPN provider is-anonymous-proxy: yes
+aut-num: AS398271 +descr: HardenedVPN[.]com LLC +remarks: VPN provider +is-anonymous-proxy: yes + net: 2.57.171.0/24 descr: VPN Consumer Network remarks: VPN provider @@ -476,6 +486,11 @@ descr: Shtrauh Andrey remarks: VPN provider [high confidence, but not proofed] is-anonymous-proxy: yes
+net: 45.147.56.0/23 +descr: OLMERA GROUP LTD +remarks: VPN provider [high confidence, but not proofed] +is-anonymous-proxy: yes + net: 45.151.115.0/24 descr: ikoProxies [high confidence, but not proofed] remarks: VPN provider located in NL @@ -489,7 +504,7 @@ is-anonymous-proxy: yes
net: 45.192.0.0/12 descr: Cloud Innovation Ltd. -remarks: hijacked AFRINIC IP chunk owned by an offshore company, routed to several dirty networks worldwide, cannot tell what is going on here +remarks: hijacked (?) AFRINIC IP chunk owned by an offshore company, routed to several dirty networks worldwide, cannot tell what is going on here is-anonymous-proxy: yes
net: 45.220.72.0/22 @@ -1131,6 +1146,11 @@ remarks: (Rogue) VPN provider is-anonymous-proxy: yes country: EU
+net: 185.164.59.0/24 +descr: Buyproxies / Yuli Azarch +remarks: VPN provider [high confidence, but not proofed] +is-anonymous-proxy: yes + net: 185.165.153.0/24 descr: Privacy Matters VPN service / nVPN / David Craig remarks: (Rogue) VPN provider @@ -1384,6 +1404,11 @@ descr: VPNClientPublics remarks: VPN provider is-anonymous-proxy: yes
+net: 198.44.224.0/19 +descr: Defender cloud international LLC +remarks: VPN provider [high confidence, but not proofed] +is-anonymous-proxy: yes + net: 199.249.223.0/24 descr: Quintex Alliance Consulting remarks: Tor relay provider @@ -1454,6 +1479,11 @@ descr: SecuredConnectivity remarks: VPN provider is-anonymous-proxy: yes
+net: 206.123.128.0/19 +descr: Secure Internet LLC +remarks: VPN provider +is-anonymous-proxy: yes + net: 209.107.176.0/20 descr: Google VPN remarks: VPN provider diff --git a/overrides/override-a3.txt b/overrides/override-a3.txt index ec246c1..daacc95 100644 --- a/overrides/override-a3.txt +++ b/overrides/override-a3.txt @@ -30,11 +30,21 @@ descr: Akamai Technologies, Inc. remarks: Worldwide CDN, does not make sense to assign their networks to a specific country is-anycast: yes
+aut-num: AS20577 +descr: TRADEWEB EUROPE LIMITED +remarks: Generic anycast network [high confidence, but not proofed] +is-anycast: yes + aut-num: AS20940 descr: Akamai International BV remarks: Worldwide CDN, does not make sense to assign their networks to a specific country is-anycast: yes
+aut-num: AS28064 +descr: Smart Data Center S.A. +remarks: Generic anycast network [high confidence, but not proofed] +is-anycast: yes + aut-num: AS31529 descr: DENIC eG remarks: TLD operator's anycast network @@ -45,6 +55,11 @@ descr: Citigroup remarks: Public anycast DNS resolver network [high confidence, but not proofed] is-anycast: yes
+aut-num: AS34738 +descr: WEBHOST LIMITED +remarks: Generic anycast network [high confidence, but not proofed] +is-anycast: yes + aut-num: AS34868 descr: wasted.io Ltd. remarks: Generic anycast network @@ -80,6 +95,11 @@ descr: coreIT.pl remarks: Generic anycast network is-anycast: yes
+aut-num: AS60626 +descr: Leaseweb CDN B.V. +remarks: Generic anycast network +is-anycast: yes + aut-num: AS60890 descr: CentralNic Ltd remarks: Generic anycast network @@ -95,6 +115,11 @@ descr: OpenTLD BV remarks: TLD operator's anycast network is-anycast: yes
+aut-num: AS61072 +descr: EZNet LIMITED +remarks: Generic anycast network +is-anycast: yes + aut-num: AS62766 descr: SJB Communications remarks: Generic anycast network @@ -160,6 +185,11 @@ descr: ipcom GmbH remarks: Generic anycast network is-anycast: yes
+aut-num: AS209242 +descr: Cloudflare London, LLC / Cloudflare Spectrum +remarks: CFs' "bring your own IP networks and we will announce it" AS, lots of shady announcements originated from there, clients are located worldwide as single peer is CF's main AS +is-anycast: yes + aut-num: AS209813 descr: Fast Content Delivery Ltd. remarks: Generic anycast network diff --git a/overrides/override-other.txt b/overrides/override-other.txt index 0b521d1..e387dbd 100644 --- a/overrides/override-other.txt +++ b/overrides/override-other.txt @@ -13,6 +13,11 @@ # Please keep this file sorted. #
+aut-num: AS1820 +descr: WNET TELECOM USA Corp. +remarks: traces back to various locations in UA, seems to tamper with RIR data +country: UA + aut-num: AS3216 descr: PJSC "Vimpelcom" remarks: ISP located in RU, but some RIR data for announced prefixes contain garbage @@ -23,6 +28,11 @@ descr: XNNET LLC remarks: traces back to an unknown oversea location (HK?), seems to tamper with RIR data country: HK
+aut-num: AS7203 +descr: Leaseweb USA, Inc. +remarks: ISP located in US, but some RIR data for announced prefixes contain garbage +country: US + aut-num: AS8359 descr: MTS PJSC remarks: ISP located in RU, but some RIR data for announced prefixes contain garbage @@ -58,16 +68,36 @@ descr: Yes Networks Unlimited Ltd remarks: traces to UA, but some RIR entries seem to contain garbage (VG) country: UA
+aut-num: AS24961 +descr: myLoc managed IT AG +remarks: ISP located in DE, but some RIR data for announced prefixes contain garbage +country: DE + aut-num: AS25098 descr: Netcalibre Ltd. -remarks: ISP located in GB, but some RIR data for announced prefixes contain garbage/ +remarks: ISP located in GB, but some RIR data for announced prefixes contain garbage country: GB
+aut-num: AS27411 +descr: Leaseweb USA, Inc. +remarks: ISP located in US, but some RIR data for announced prefixes contain garbage +country: US + aut-num: AS28098 descr: ABGON Comunicaciones remarks: ISP located in CL, but some RIR data for announced prefixes contain garbage (BZ) country: CL
+aut-num: AS28753 +descr: Leaseweb Deutschland GmbH +remarks: ISP located in Frankfurt/Main, DE, but many RIR data for announced prefixes contain garbage +country: DE + +aut-num: AS30633 +descr: Leaseweb USA, Inc. +remarks: ISP located in US, but some RIR data for announced prefixes contain garbage (BZ) +country: US + aut-num: AS35042 descr: IP Interactive UG (haftungsbeschraenkt) remarks: ISP located in BG, but RIR data for announced prefixes contain garbage @@ -163,6 +193,11 @@ descr: Global Colocation Limited remarks: part of a dirty ISP conglomerate most likely operating out of SE country: SE
+aut-num: AS48721 +descr: ADM Service Ltd. +remarks: traces back to Vilnius, LT +country: LT + aut-num: AS49466 descr: KLAYER LLC remarks: part of the "Asline" IP hijacking gang, traces back to AP region @@ -233,6 +268,11 @@ descr: INNETRA PC remarks: another shady customer of "DDoS Guard Ltd.", jurisdiction is probably RU, but traceroutes dead-end somewhere else in EU country: EU
+aut-num: AS59253 +descr: Leaseweb Asia Pacific pte. ltd. +remarks: ISP located in SG, but some RIR data for announced prefixes contain garbage +country: SG + aut-num: AS59580 descr: Batterflyai Media Ltd. remarks: ISP located in RU, but some RIR data for announced prefixes contain garbage @@ -248,6 +288,11 @@ descr: Inter Connects Inc. / Jing Yun remarks: part of a dirty ISP conglomerate operating most likely out of SE, hijacking AfriNIC networks country: SE
+aut-num: AS60781 +descr: LeaseWeb Netherlands B.V. +remarks: ISP located in Amsterdam, NL, but many RIR data for announced prefixes contain garbage +country: NL + aut-num: AS61977 descr: Vivo Trade L.P. remarks: another shady customer of "DDoS Guard Ltd." @@ -283,11 +328,31 @@ descr: NForce Entertainment BV remarks: currently hijacks a single stolen /20 AfriNIC IPv4 net, hosted in NL country: NL
+aut-num: AS132369 +descr: XIANGAO INTERNATIONAL TELECOMMUNICATION LIMITED +remarks: ISP located in HK, tampers with RIR data +country: HK + +aut-num: AS133752 +descr: Leaseweb Asia Pacific pte. ltd. +remarks: ISP located in HK, some RIR data for announced prefixes contain garbage +country: HK + +aut-num: AS134351 +descr: Leaseweb Japan K.K. +remarks: ISP located in JP, some RIR data for announced prefixes contain garbage +country: JP + aut-num: AS134548 descr: DXTL Tseung Kwan O Service remarks: tampers with RIR data, traces back to AP region country: AP
+aut-num: AS136988 +descr: Leaseweb Australia Pty. Ltd. +remarks: ISP located in AU, some RIR data for announced prefixes contain garbage +country: AU + aut-num: AS137443 descr: Anchnet Asia Limited remarks: IP hijacker located in HK, tampers with RIR data @@ -298,11 +363,26 @@ descr: Clayer Limited remarks: part of the "Asline" IP hijacking gang, tampers with RIR data, traces back to AP region country: AP
+aut-num: AS138571 +descr: SUPERCLOUDS LIMITED +remarks: ISP located in HK, tampers with RIR data +country: HK + +aut-num: AS139242 +descr: Cloudflare Sydney, LLC +remarks: ... but CF failed to set the country for announced prefixes to AU as well :-/ +country: AU + aut-num: AS139330 descr: SANREN DATA LIMITED remarks: IP hijacker located somewhere in AP region, tampers with RIR data country: AP
+aut-num: AS139811 +descr: ANLIAN NETWORK TECHNOLOGY CO., LIMITED +remarks: ISP located in HK, tampers with RIR data +country: HK + aut-num: AS140733 descr: Wujidun Network Limited remarks: part of the "Asline" IP hijacking gang, tampers with RIR data, traces back to AP region @@ -323,6 +403,11 @@ descr: Datashield, Inc. remarks: fake offshore location (SC), traces back to NL country: NL
+aut-num: AS200740 +descr: Network Management Ltd. +remarks: traceroutes dead-end somewhere in or near RU +country: RU + aut-num: AS200845 descr: AVATEL TELECOM remarks: ISP located in ES, but some RIR data for announced prefixes contain garbage @@ -388,6 +473,11 @@ descr: Hauer Hosting Services Limited remarks: ISP located in ES, but some RIR data for announced prefixes contain garbage country: ES
+aut-num: AS205544 +descr: LEASEWEB UK LIMITED +remarks: ISP located in London, GB, but many RIR data for announced prefixes contain garbage +country: GB + aut-num: AS206397 descr: Genius Guard / Genius Security Ltd. remarks: another shady customer of "DDoS Guard Ltd.", probably located in RU @@ -403,6 +493,11 @@ descr: Xtudio Networks S.L.U. remarks: ISP located in ES, but some RIR data for announced prefixes contain garbage country: ES
+aut-num: AS207569 +descr: Network Management Ltd. +remarks: traceroutes dead-end somewhere in or near RU +country: RU + aut-num: AS207616 descr: Altrosky Technology Ltd. remarks: fake offshore location (SC), traces back to CZ and NL @@ -458,6 +553,11 @@ descr: Harry Dowd remarks: ISP located in GB, but RIR data for announced prefixes contain garbage country: GB
+aut-num: AS212962 +descr: Quality Area Ltd. +remarks: traceroutes dead-end somewhere near Crimera, UA +country: UA + aut-num: AS213035 descr: Serverion BV remarks: ISP located in NL, but RIR data for most announced prefixes contain garbage @@ -488,6 +588,16 @@ descr: Datapacket Maroc SARL remarks: bulletproof ISP (strongly linked to AS202425) located in NL country: NL
+aut-num: AS394380 +descr: Leaseweb USA, Inc. +remarks: ISP located in Dallas, TX, US, but some RIR data for announced prefixes contain garbage +country: US + +aut-num: AS395954 +descr: Leaseweb USA, Inc. +remarks: ISP located in US, but some RIR data for announced prefixes contain garbage +country: US + aut-num: AS398478 descr: PEG TECH INC remarks: ISP located in HK, tampers with RIR data
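Review bot: In overrides/override-a1.txt, hunk @@ -489,7 +504,7, the remark for 45.192.0.0/12 is softened to "hijacked (?)" and still ends with "cannot tell what is going on here", yet the entry keeps is-anonymous-proxy: yes. If the hijack is now in doubt, the remark should state what supports the anonymous-proxy flag. The commit message should also mention this change and the new VPN entries, since it only covers LeaseWeb and AS209242.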
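Review bot: overrides/override-a1.txt gains both "aut-num: AS32781" (hunk @@ -44,6 +44,11) and "net: 198.44.224.0/19" (hunk @@ -1384,6 +1404,11) with the same descr "Defender cloud international LLC" and the same remark. If that /19 is originated by AS32781, the net entry repeats the AS-level flag and can be dropped. If it is announced from a different AS, please say so in the remarks so the next reader knows why both entries are needed.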
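Review bot: In overrides/override-a3.txt, hunk @@ -160,6 +185,11, the remarks line for AS209242 spells the possessive two ways ("CFs'" and "CF's") and leads with an opinion about the customers rather than the reason for the flag. Suggest writing "Cloudflare" out and putting the justification for is-anycast first (customer-supplied prefixes announced through Cloudflare's main AS, clients worldwide), with the "shady announcements" observation after it.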
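Review bot: In overrides/override-other.txt, hunk @@ -298,11 +363,26, the remark for AS139242 starts with "..." ("... but CF failed to set the country for announced prefixes to AU as well :-/"), so it only makes sense to someone who knows the sentence it continues. Entries in this file are read on their own; please make it self-contained, following the pattern used elsewhere in the file, e.g. "ISP located in AU, but RIR data for announced prefixes lack the country".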
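Review bot: Typo in overrides/override-other.txt, hunk @@ -458,6 +553,11: the remark for AS212962 says "Crimera", which should be "Crimea".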
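Review bot: The Leaseweb entries added across overrides/override-other.txt do not document the PoP consistently, although the commit message bases the pinning on "one AS per PoP". Only AS28753 (Frankfurt/Main), AS60781 (Amsterdam), AS205544 (London) and AS394380 (Dallas) name a location; AS7203, AS27411, AS30633 and AS395954 all read just "ISP located in US". Please name the PoP in each remark so the pinning can be re-checked later. The wording also varies between "but some RIR data", "some RIR data" without "but" (AS133752, AS134351, AS136988) and "many RIR data"; one phrasing for all of them would keep the file easy to grep.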