Signed-off-by: Peter Müller peter.mueller@ipfire.org
---
overrides/override-a1.txt | 48 ----------------
overrides/override-other.txt | 104 ++++++++++++++++++++++-------------
overrides/override-xd.txt | 50 +++++++++++++++++
3 files changed, 117 insertions(+), 85 deletions(-)
diff --git a/overrides/override-a1.txt b/overrides/override-a1.txt index 5734c08..5fce4d9 100644 --- a/overrides/override-a1.txt +++ b/overrides/override-a1.txt @@ -82,11 +82,6 @@ descr: Asiamax Ltd. VPN remarks: VPN provider is-anonymous-proxy: yes
-aut-num: AS39770 -descr: 1337TEAM LIMITED / eliteteam[.]to -remarks: Owned by an offshore letterbox company, suspected rogue ISP -is-anonymous-proxy: yes - aut-num: AS43233 descr: VPS 404 Ltd. remarks: VPN provider [high confidence, but not proofed] located in ES @@ -114,12 +109,6 @@ descr: BeeVPN ApS remarks: VPN provider is-anonymous-proxy: yes
-aut-num: AS51381 -descr: 1337TEAM LIMITED / eliteteam[.]to -remarks: Owned by an offshore letterbox company, suspected rogue ISP -is-anonymous-proxy: yes -country: RU - aut-num: AS51446 descr: SP Argaev Artem Sergeyevich / Foundation Respect My Privacy remarks: VPN provider [high confidence, but not proofed] @@ -142,17 +131,6 @@ remarks: Tor relay and VPN provider, traces back to SE [high confidence, but n is-anonymous-proxy: yes country: SE
-aut-num: AS55303 -descr: Eagle Sky Co., Lt[d ?] -remarks: Autonomous System registered to offshore company, abuse contact is a freemail address, address says "0 Market Square, P.O. Box 364, Belize", seems to trace to some location in AP vicinity -is-anonymous-proxy: yes -country: AP - -aut-num: AS56873 -descr: 1337TEAM LIMITED / eliteteam[.]to -remarks: Owned by an offshore letterbox company, suspected rogue ISP -is-anonymous-proxy: yes - aut-num: AS58110 descr: IP Volume Ltd. / Epik remarks: Shady Autonomous System registered to letterbox company, possibly copycat operation of Epik registrar, many prefixes announced refer to "anonymize" infrastructure @@ -168,11 +146,6 @@ descr: Geotelco Limited remarks: VPN provider [high confidence, but not proofed] is-anonymous-proxy: yes
-aut-num: AS60424 -descr: 1337TEAM LIMITED / eliteteam[.]to -remarks: Owned by an offshore letterbox company, suspected rogue ISP -is-anonymous-proxy: yes - aut-num: AS60729 descr: Zwiebelfreunde e.V. remarks: Tor relay provider @@ -214,12 +187,6 @@ descr: HERN Labs AB remarks: VPN provider [high confidence, but not proofed] is-anonymous-proxy: yes
-aut-num: AS206819 -descr: ANSON NETWORK LIMITED -remarks: Autonomous System registered to UK letterbox company, traces back through shady ISPs to TW -is-anonymous-proxy: yes -country: TW - aut-num: AS207688 descr: DataHome S.A. remarks: VPN provider located in BR [high confidence, but not proofed] @@ -1430,11 +1397,6 @@ descr: Tredinvest LLC / bestwest[.]host remarks: VPN provider or offering similar services [high confidence, but not proofed] is-anonymous-proxy: yes
-net: 185.215.113.0/24 -descr: 1337TEAM LIMITED / eliteteam[.]to -remarks: Owned by an offshore letterbox company, suspected rogue ISP -is-anonymous-proxy: yes - net: 185.220.100.0/22 descr: Zwiebelfreunde e.V. / F3 Netze e.V. / The Calyx Institute remarks: Tor relay provider @@ -1692,11 +1654,6 @@ descr: LogicWeb Inc. / BGRVPN / Private Internet Access / VPNetworks / Cookie remarks: Hijacked AfriNIC IP chunk mostly used by VPN providers is-anonymous-proxy: yes
-net: 196.61.192.0/20 -descr: Inspiring Networks LTD -remarks: hijacked (?) IP network owned by an offshore company [high confidence, but not proofed] -is-anonymous-proxy: yes - net: 197.221.161.0/24 descr: VPNClientPublics remarks: VPN provider @@ -2031,8 +1988,3 @@ net: 2c0f:f930::/32 descr: Cyberdyne S.A. remarks: Tor relay provider is-anonymous-proxy: yes - -net: 2a10:9700::/29 -descr: 1337TEAM LIMITED / eliteteam[.]to -remarks: Owned by an offshore letterbox company, suspected rogue ISP -is-anonymous-proxy: yes diff --git a/overrides/override-other.txt b/overrides/override-other.txt index 7d76534..ca9dbad 100644 --- a/overrides/override-other.txt +++ b/overrides/override-other.txt @@ -85,6 +85,11 @@ descr: Tianhai InfoTech remarks: IP hijacker located somewhere in AP, massively tampers with RIR data country: AP
+aut-num: AS5408 +descr: Greek Research and Technology Network (GRNET) S.A. +remarks: ... located in GR +country: GR + aut-num: AS6134 descr: XNNET LLC remarks: traces back to an unknown oversea location (HK?), seems to tamper with RIR data @@ -363,6 +368,11 @@ descr: CNSERVERS LLC remarks: Shady ISP located in US, tampers with RIR data country: US
+aut-num: AS41047 +descr: MLAB Open Source Community +remarks: traces back to DE +country: DE + aut-num: AS41466 descr: Treidinvest LLC remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data @@ -408,6 +418,11 @@ descr: DGN TEKNOLOJI A.S. remarks: ISP located in TR, but many RIR data for announced prefixes contain garbage country: TR
+aut-num: AS43092 +descr: Kirin Communication Limited +remarks: tampers with RIR data, traces back to AP area +country: AP + aut-num: AS43310 descr: TOV "LVS" remarks: ISP located in UA, but some RIR data for announced prefixes contain garbage @@ -498,11 +513,6 @@ descr: LLC Baxet remarks: tampers with RIR data, traces back to RU country: RU
-aut-num: AS49447 -descr: Nice IT Services Group Inc. -remarks: Rogue ISP located in CH, but some RIR data for announced prefixes contain garbage -country: CH - aut-num: AS49466 descr: KLAYER LLC remarks: part of the "Asline" IP hijacking gang, traces back to AP region @@ -748,6 +758,11 @@ descr: NForce Entertainment BV remarks: currently hijacks a single stolen /20 AfriNIC IPv4 net, hosted in NL country: NL
+aut-num: AS131685 +descr: Sun Network (Hong Kong) Limited +remarks: ISP and/or IP hijacker located somewhere in AP +country: AP + aut-num: AS132369 descr: XIANGAO INTERNATIONAL TELECOMMUNICATION LIMITED remarks: ISP located in HK, tampers with RIR data @@ -758,9 +773,14 @@ descr: POWER LINE DATACENTER remarks: ISP and/or IP hijacker located in HK, tampers with RIR data country: HK
+aut-num: AS133201 +descr: ABCDE GROUP COMPANY LIMITED +remarks: ISP and/or IP hijacker located somewhere in AP +country: AP + aut-num: AS133441 descr: CloudITIDC Global -remarks: ISP and/or IP hijacker located somehwere in AP +remarks: ISP and/or IP hijacker located somewhere in AP country: AP
aut-num: AS133752 @@ -810,7 +830,7 @@ country: AP
aut-num: AS136800 descr: ICIDC NETWORK -remarks: IP hijacker located somehwere in AP, suspected to be part of the "Asline" IP hijacking gang, tampers with RIR data +remarks: IP hijacker located somewhere in AP, suspected to be part of the "Asline" IP hijacking gang, tampers with RIR data country: AP
aut-num: AS136933 @@ -923,6 +943,11 @@ descr: Incomparable(HK)Network Co., Limited remarks: ISP and/or IP hijacker located in AP area, tampers with RIR data country: AP
+aut-num: AS141746 +descr: Orenji Server +remarks: IP hijacker located somewhere in AP area (JP?) +country: AP + aut-num: AS196682 descr: FLP Kochenov Aleksej Vladislavovich remarks: ISP located in UA, but RIR data for announced prefixes all say EU @@ -933,11 +958,6 @@ descr: ALEXHOST SRL remarks: ISP located in MD, majority of RIR data for announced prefixes contain garbage, we cannot trust this network country: MD
-aut-num: AS200391 -descr: KREZ 999 EOOD -remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data -country: BG - aut-num: AS200699 descr: Datashield, Inc. remarks: fake offshore location (SC), traces back to NL @@ -1028,6 +1048,11 @@ descr: Genius Guard / Genius Security Ltd. remarks: another shady customer of "DDoS Guard Ltd.", probably located in RU country: RU
+aut-num: AS206819 +descr: ANSON NETWORK LIMITED +remarks: Autonomous System registered to UK letterbox company, traces back through shady ISPs to TW +country: TW + aut-num: AS206898 descr: Server Hosting Pty Ltd remarks: ISP located in NL, but some RIR data for announced prefixes contain garbage @@ -1063,11 +1088,6 @@ descr: Altrosky Technology Ltd. remarks: fake offshore location (SC), traces back to CZ and NL country: EU
-aut-num: AS207812 -descr: DM AUTO EOOD -remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data -country: BG - aut-num: AS208046 descr: Maximilian Kutzner trading as HostSlick remarks: traces back to NL, but some RIR data for announced prefixes contain garbage @@ -1248,6 +1268,11 @@ descr: Sun Network Company Limited remarks: IP hijacker, traces back to AP region country: AP
+aut-num: AS328608 +descr: Africa on Cloud +remarks: ... for some reason, I doubt a _real_ African ISP would announce solely hijacked prefixes +country: AP + aut-num: AS328703 descr: Seven Network Inc. remarks: traces back to ZA @@ -1313,25 +1338,25 @@ descr: Wolverine Trading, LLC remarks: IP hijacker located in US, tampers with RIR data country: US
-net: 5.1.68.0/24 -descr: GaiacomLC -remarks: routed to DE, inaccurate RIR data -country: DE +net: 5.1.68.0/24 +descr: GaiacomLC +remarks: routed to DE, inaccurate RIR data +country: DE
-net: 5.1.69.0/24 -descr: GaiacomLC -remarks: routed to DE, inaccurate RIR data -country: DE +net: 5.1.69.0/24 +descr: GaiacomLC +remarks: routed to DE, inaccurate RIR data +country: DE
-net: 5.1.83.0/24 -descr: GaiacomLC -remarks: routed to DE, inaccurate RIR data -country: DE +net: 5.1.83.0/24 +descr: GaiacomLC +remarks: routed to DE, inaccurate RIR data +country: DE
-net: 5.1.88.0/24 -descr: GaiacomLC -remarks: routed to DE, inaccurate RIR data -country: DE +net: 5.1.88.0/24 +descr: GaiacomLC +remarks: routed to DE, inaccurate RIR data +country: DE
net: 5.252.32.0/22 descr: StormWall s.r.o. @@ -1413,6 +1438,11 @@ descr: Golden Internet LLC remarks: fake location (KP), WHOIS contact points to RU country: RU
+net: 91.90.120.0/24 +descr: M247 LTD, Greenland Infrastructure +remarks: ... traces back to CA +country: CA + net: 91.149.194.0/24 descr: IP Volume Ltd. / Epik remarks: fake location (CH), traces back to SE @@ -1488,10 +1518,10 @@ descr: Intelcom Group Ltd remarks: fake offshore location (SC), traces back to RU country: RU
-net: 185.140.204.0/22 -descr: Hornetsecurity GmbH -remarks: all suballocations are used in DE, but are assigned to US -country: DE +net: 185.140.204.0/22 +descr: Hornetsecurity GmbH +remarks: all suballocations are used in DE, but are assigned to US +country: DE
net: 185.175.93.0/24 descr: Perfect Hosting Solutions diff --git a/overrides/override-xd.txt b/overrides/override-xd.txt index 7df6188..29057d9 100644 --- a/overrides/override-xd.txt +++ b/overrides/override-xd.txt @@ -26,24 +26,57 @@ # Please keep this file sorted. #
+aut-num: AS39770 +descr: 1337TEAM LIMITED / eliteteam[.]to +remarks: Owned by an offshore letterbox company, suspected rogue ISP +drop: yes + aut-num: AS48090 descr: PPTECHNOLOGY LIMITED remarks: bulletproof ISP (related to AS204655) located in NL country: NL drop: yes
+aut-num: AS49447 +descr: Nice IT Services Group Inc. +remarks: Rogue ISP located in CH, but some RIR data for announced prefixes contain garbage +country: CH +drop: yes + +aut-num: AS51381 +descr: 1337TEAM LIMITED / eliteteam[.]to +remarks: Owned by an offshore letterbox company, suspected rogue ISP +country: RU +drop: yes + +aut-num: AS55303 +descr: Eagle Sky Co., Lt[d ?] +remarks: Autonomous System registered to offshore company, abuse contact is a freemail address, address says "0 Market Square, P.O. Box 364, Belize", seems to trace to some location in AP vicinity +country: AP +drop: yes + aut-num: AS56611 descr: REBA Communications BV remarks: bulletproof ISP (related to AS202425) located in NL country: NL drop: yes
+aut-num: AS56873 +descr: 1337TEAM LIMITED / eliteteam[.]to +remarks: Owned by an offshore letterbox company, suspected rogue ISP +drop: yes + aut-num: AS57717 descr: FiberXpress BV remarks: bulletproof ISP (related to AS202425) located in NL country: NL drop: yes
+aut-num: AS60424 +descr: 1337TEAM LIMITED / eliteteam[.]to +remarks: Owned by an offshore letterbox company, suspected rogue ISP +drop: yes + aut-num: AS62068 descr: SpectraIP B.V. remarks: bulletproof ISP (linked to AS202425 et al.) located in NL @@ -62,6 +95,12 @@ remarks: bulletproof ISP (linked to AS202425 et al.) located in NL country: NL drop: yes
+aut-num: AS200391 +descr: KREZ 999 EOOD +remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data +country: BG +drop: yes + aut-num: AS202425 descr: IP Volume Inc. remarks: bulletproof ISP (aka: AS29073 / Ecatel Ltd. / Quasi Networks Ltd.) located in NL @@ -74,6 +113,12 @@ remarks: bulletproof ISP and IP hijacker, related to AS202425 and AS62355, trace country: NL drop: yes
+aut-num: AS207812 +descr: DM AUTO EOOD +remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data +country: BG +drop: yes + aut-num: AS204655 descr: Novogara Ltd. remarks: bulletproof ISP (strongly linked to AS202425) located in NL @@ -85,3 +130,8 @@ descr: Datapacket Maroc SARL remarks: bulletproof ISP (strongly linked to AS202425) located in NL country: NL drop: yes + +net: 2a10:9700::/29 +descr: 1337TEAM LIMITED / eliteteam[.]to +remarks: Owned by an offshore letterbox company, suspected rogue ISP +drop: yes
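Review bot: In overrides/override-xd.txt, hunk "@@ -74,6 +113,12 @@", the new AS207812 block is inserted ahead of the existing AS204655 block, which breaks the ordering the file header asks for ("# Please keep this file sorted."). Move the AS207812 entry below the last AS20xxxx entry it sorts after, so that later additions can be placed by simple numeric comparison and duplicates are easy to spot.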
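Review bot: In overrides/override-a1.txt, hunks "@@ -1430,11 +1397,6 @@" and "@@ -1692,11 +1654,6 @@" delete net 185.215.113.0/24 and net 196.61.192.0/20 without re-adding them in any of the three files, whereas the IPv6 net 2a10:9700::/29 with the same descr as 185.215.113.0/24 is carried over to override-xd.txt with "drop: yes". If the IPv4 prefixes are meant to be covered by one of the aut-num entries moved to override-xd.txt, say so in the commit message; otherwise add matching net entries, since the message currently gives no reason for the removals.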
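Review bot: In overrides/override-other.txt, the added entries for AS5408 (hunk "@@ -85,6 +85,11 @@") and net 91.90.120.0/24 (hunk "@@ -1413,6 +1438,11 @@") have remarks that start with "..." ("... located in GR", "... traces back to CA") and give no reason why the RIR data is being overridden. Every other entry in the surrounding context states the observation behind the override (for example "fake location (KP), WHOIS contact points to RU"), so please spell out the evidence here as well.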
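Review bot: In overrides/override-other.txt, hunk "@@ -1248,6 +1268,11 @@", the new AS328608 entry sets "country: AP" but its remark only argues that the network is not a real African ISP and never says where the announced prefixes trace to. State the observed location in the remark (as the neighbouring "IP hijacker, traces back to AP region" entry does) so the country value can be checked against it later.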
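Review bot: In overrides/override-other.txt, hunks "@@ -1313,25 +1338,25 @@" and "@@ -1488,10 +1518,10 @@" remove and re-add the blocks for 5.1.68.0/24, 5.1.69.0/24, 5.1.83.0/24, 5.1.88.0/24 and 185.140.204.0/22 with text that reads identically, so the change appears to be whitespace-only. Mention the whitespace normalisation in the commit message or split it into its own commit, so it is not mistaken for a change of classification when the override history is audited.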
Thank you. Merged.
All those networks that were removed, did they just cease to exist?
-Michael
On 10 Dec 2021, at 07:07, Peter Müller peter.mueller@ipfire.org wrote:
Signed-off-by: Peter Müller peter.mueller@ipfire.org
overrides/override-a1.txt | 48 ---------------- overrides/override-other.txt | 104 ++++++++++++++++++++++------------- overrides/override-xd.txt | 50 +++++++++++++++++ 3 files changed, 117 insertions(+), 85 deletions(-)
diff --git a/overrides/override-a1.txt b/overrides/override-a1.txt index 5734c08..5fce4d9 100644 --- a/overrides/override-a1.txt +++ b/overrides/override-a1.txt @@ -82,11 +82,6 @@ descr: Asiamax Ltd. VPN remarks: VPN provider is-anonymous-proxy: yes
-aut-num: AS39770 -descr: 1337TEAM LIMITED / eliteteam[.]to -remarks: Owned by an offshore letterbox company, suspected rogue ISP -is-anonymous-proxy: yes
aut-num: AS43233 descr: VPS 404 Ltd. remarks: VPN provider [high confidence, but not proofed] located in ES @@ -114,12 +109,6 @@ descr: BeeVPN ApS remarks: VPN provider is-anonymous-proxy: yes
-aut-num: AS51381 -descr: 1337TEAM LIMITED / eliteteam[.]to -remarks: Owned by an offshore letterbox company, suspected rogue ISP -is-anonymous-proxy: yes -country: RU
aut-num: AS51446 descr: SP Argaev Artem Sergeyevich / Foundation Respect My Privacy remarks: VPN provider [high confidence, but not proofed] @@ -142,17 +131,6 @@ remarks: Tor relay and VPN provider, traces back to SE [high confidence, but n is-anonymous-proxy: yes country: SE
-aut-num: AS55303 -descr: Eagle Sky Co., Lt[d ?] -remarks: Autonomous System registered to offshore company, abuse contact is a freemail address, address says "0 Market Square, P.O. Box 364, Belize", seems to trace to some location in AP vicinity -is-anonymous-proxy: yes -country: AP
-aut-num: AS56873 -descr: 1337TEAM LIMITED / eliteteam[.]to -remarks: Owned by an offshore letterbox company, suspected rogue ISP -is-anonymous-proxy: yes
aut-num: AS58110 descr: IP Volume Ltd. / Epik remarks: Shady Autonomous System registered to letterbox company, possibly copycat operation of Epik registrar, many prefixes announced refer to "anonymize" infrastructure @@ -168,11 +146,6 @@ descr: Geotelco Limited remarks: VPN provider [high confidence, but not proofed] is-anonymous-proxy: yes
-aut-num: AS60424 -descr: 1337TEAM LIMITED / eliteteam[.]to -remarks: Owned by an offshore letterbox company, suspected rogue ISP -is-anonymous-proxy: yes
aut-num: AS60729 descr: Zwiebelfreunde e.V. remarks: Tor relay provider @@ -214,12 +187,6 @@ descr: HERN Labs AB remarks: VPN provider [high confidence, but not proofed] is-anonymous-proxy: yes
-aut-num: AS206819 -descr: ANSON NETWORK LIMITED -remarks: Autonomous System registered to UK letterbox company, traces back through shady ISPs to TW -is-anonymous-proxy: yes -country: TW
aut-num: AS207688 descr: DataHome S.A. remarks: VPN provider located in BR [high confidence, but not proofed] @@ -1430,11 +1397,6 @@ descr: Tredinvest LLC / bestwest[.]host remarks: VPN provider or offering similar services [high confidence, but not proofed] is-anonymous-proxy: yes
-net: 185.215.113.0/24 -descr: 1337TEAM LIMITED / eliteteam[.]to -remarks: Owned by an offshore letterbox company, suspected rogue ISP -is-anonymous-proxy: yes
net: 185.220.100.0/22 descr: Zwiebelfreunde e.V. / F3 Netze e.V. / The Calyx Institute remarks: Tor relay provider @@ -1692,11 +1654,6 @@ descr: LogicWeb Inc. / BGRVPN / Private Internet Access / VPNetworks / Cookie remarks: Hijacked AfriNIC IP chunk mostly used by VPN providers is-anonymous-proxy: yes
-net: 196.61.192.0/20 -descr: Inspiring Networks LTD -remarks: hijacked (?) IP network owned by an offshore company [high confidence, but not proofed] -is-anonymous-proxy: yes
net: 197.221.161.0/24 descr: VPNClientPublics remarks: VPN provider @@ -2031,8 +1988,3 @@ net: 2c0f:f930::/32 descr: Cyberdyne S.A. remarks: Tor relay provider is-anonymous-proxy: yes
-net: 2a10:9700::/29 -descr: 1337TEAM LIMITED / eliteteam[.]to -remarks: Owned by an offshore letterbox company, suspected rogue ISP -is-anonymous-proxy: yes diff --git a/overrides/override-other.txt b/overrides/override-other.txt index 7d76534..ca9dbad 100644 --- a/overrides/override-other.txt +++ b/overrides/override-other.txt @@ -85,6 +85,11 @@ descr: Tianhai InfoTech remarks: IP hijacker located somewhere in AP, massively tampers with RIR data country: AP
+aut-num: AS5408 +descr: Greek Research and Technology Network (GRNET) S.A. +remarks: ... located in GR +country: GR
aut-num: AS6134 descr: XNNET LLC remarks: traces back to an unknown oversea location (HK?), seems to tamper with RIR data @@ -363,6 +368,11 @@ descr: CNSERVERS LLC remarks: Shady ISP located in US, tampers with RIR data country: US
+aut-num: AS41047 +descr: MLAB Open Source Community +remarks: traces back to DE +country: DE
aut-num: AS41466 descr: Treidinvest LLC remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data @@ -408,6 +418,11 @@ descr: DGN TEKNOLOJI A.S. remarks: ISP located in TR, but many RIR data for announced prefixes contain garbage country: TR
+aut-num: AS43092 +descr: Kirin Communication Limited +remarks: tampers with RIR data, traces back to AP area +country: AP
aut-num: AS43310 descr: TOV "LVS" remarks: ISP located in UA, but some RIR data for announced prefixes contain garbage @@ -498,11 +513,6 @@ descr: LLC Baxet remarks: tampers with RIR data, traces back to RU country: RU
-aut-num: AS49447 -descr: Nice IT Services Group Inc. -remarks: Rogue ISP located in CH, but some RIR data for announced prefixes contain garbage -country: CH
aut-num: AS49466 descr: KLAYER LLC remarks: part of the "Asline" IP hijacking gang, traces back to AP region @@ -748,6 +758,11 @@ descr: NForce Entertainment BV remarks: currently hijacks a single stolen /20 AfriNIC IPv4 net, hosted in NL country: NL
+aut-num: AS131685 +descr: Sun Network (Hong Kong) Limited +remarks: ISP and/or IP hijacker located somewhere in AP +country: AP
aut-num: AS132369 descr: XIANGAO INTERNATIONAL TELECOMMUNICATION LIMITED remarks: ISP located in HK, tampers with RIR data @@ -758,9 +773,14 @@ descr: POWER LINE DATACENTER remarks: ISP and/or IP hijacker located in HK, tampers with RIR data country: HK
+aut-num: AS133201 +descr: ABCDE GROUP COMPANY LIMITED +remarks: ISP and/or IP hijacker located somewhere in AP +country: AP
aut-num: AS133441 descr: CloudITIDC Global -remarks: ISP and/or IP hijacker located somehwere in AP +remarks: ISP and/or IP hijacker located somewhere in AP country: AP
aut-num: AS133752 @@ -810,7 +830,7 @@ country: AP
aut-num: AS136800 descr: ICIDC NETWORK -remarks: IP hijacker located somehwere in AP, suspected to be part of the "Asline" IP hijacking gang, tampers with RIR data +remarks: IP hijacker located somewhere in AP, suspected to be part of the "Asline" IP hijacking gang, tampers with RIR data country: AP
aut-num: AS136933 @@ -923,6 +943,11 @@ descr: Incomparable(HK)Network Co., Limited remarks: ISP and/or IP hijacker located in AP area, tampers with RIR data country: AP
+aut-num: AS141746 +descr: Orenji Server +remarks: IP hijacker located somewhere in AP area (JP?) +country: AP
aut-num: AS196682 descr: FLP Kochenov Aleksej Vladislavovich remarks: ISP located in UA, but RIR data for announced prefixes all say EU @@ -933,11 +958,6 @@ descr: ALEXHOST SRL remarks: ISP located in MD, majority of RIR data for announced prefixes contain garbage, we cannot trust this network country: MD
-aut-num: AS200391 -descr: KREZ 999 EOOD -remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data -country: BG
aut-num: AS200699 descr: Datashield, Inc. remarks: fake offshore location (SC), traces back to NL @@ -1028,6 +1048,11 @@ descr: Genius Guard / Genius Security Ltd. remarks: another shady customer of "DDoS Guard Ltd.", probably located in RU country: RU
+aut-num: AS206819 +descr: ANSON NETWORK LIMITED +remarks: Autonomous System registered to UK letterbox company, traces back through shady ISPs to TW +country: TW
aut-num: AS206898 descr: Server Hosting Pty Ltd remarks: ISP located in NL, but some RIR data for announced prefixes contain garbage @@ -1063,11 +1088,6 @@ descr: Altrosky Technology Ltd. remarks: fake offshore location (SC), traces back to CZ and NL country: EU
-aut-num: AS207812 -descr: DM AUTO EOOD -remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data -country: BG
aut-num: AS208046 descr: Maximilian Kutzner trading as HostSlick remarks: traces back to NL, but some RIR data for announced prefixes contain garbage @@ -1248,6 +1268,11 @@ descr: Sun Network Company Limited remarks: IP hijacker, traces back to AP region country: AP
+aut-num: AS328608 +descr: Africa on Cloud +remarks: ... for some reason, I doubt a _real_ African ISP would announce solely hijacked prefixes +country: AP
aut-num: AS328703 descr: Seven Network Inc. remarks: traces back to ZA @@ -1313,25 +1338,25 @@ descr: Wolverine Trading, LLC remarks: IP hijacker located in US, tampers with RIR data country: US
-net: 5.1.68.0/24 -descr: GaiacomLC -remarks: routed to DE, inaccurate RIR data -country: DE +net: 5.1.68.0/24 +descr: GaiacomLC +remarks: routed to DE, inaccurate RIR data +country: DE
-net: 5.1.69.0/24 -descr: GaiacomLC -remarks: routed to DE, inaccurate RIR data -country: DE +net: 5.1.69.0/24 +descr: GaiacomLC +remarks: routed to DE, inaccurate RIR data +country: DE
-net: 5.1.83.0/24 -descr: GaiacomLC -remarks: routed to DE, inaccurate RIR data -country: DE +net: 5.1.83.0/24 +descr: GaiacomLC +remarks: routed to DE, inaccurate RIR data +country: DE
-net: 5.1.88.0/24 -descr: GaiacomLC -remarks: routed to DE, inaccurate RIR data -country: DE +net: 5.1.88.0/24 +descr: GaiacomLC +remarks: routed to DE, inaccurate RIR data +country: DE
net: 5.252.32.0/22 descr: StormWall s.r.o. @@ -1413,6 +1438,11 @@ descr: Golden Internet LLC remarks: fake location (KP), WHOIS contact points to RU country: RU
+net: 91.90.120.0/24 +descr: M247 LTD, Greenland Infrastructure +remarks: ... traces back to CA +country: CA
net: 91.149.194.0/24 descr: IP Volume Ltd. / Epik remarks: fake location (CH), traces back to SE @@ -1488,10 +1518,10 @@ descr: Intelcom Group Ltd remarks: fake offshore location (SC), traces back to RU country: RU
-net: 185.140.204.0/22 -descr: Hornetsecurity GmbH -remarks: all suballocations are used in DE, but are assigned to US -country: DE +net: 185.140.204.0/22 +descr: Hornetsecurity GmbH +remarks: all suballocations are used in DE, but are assigned to US +country: DE
net: 185.175.93.0/24 descr: Perfect Hosting Solutions diff --git a/overrides/override-xd.txt b/overrides/override-xd.txt index 7df6188..29057d9 100644 --- a/overrides/override-xd.txt +++ b/overrides/override-xd.txt @@ -26,24 +26,57 @@ # Please keep this file sorted. #
+aut-num: AS39770 +descr: 1337TEAM LIMITED / eliteteam[.]to +remarks: Owned by an offshore letterbox company, suspected rogue ISP +drop: yes
aut-num: AS48090 descr: PPTECHNOLOGY LIMITED remarks: bulletproof ISP (related to AS204655) located in NL country: NL drop: yes
+aut-num: AS49447 +descr: Nice IT Services Group Inc. +remarks: Rogue ISP located in CH, but some RIR data for announced prefixes contain garbage +country: CH +drop: yes
+aut-num: AS51381 +descr: 1337TEAM LIMITED / eliteteam[.]to +remarks: Owned by an offshore letterbox company, suspected rogue ISP +country: RU +drop: yes
+aut-num: AS55303 +descr: Eagle Sky Co., Lt[d ?] +remarks: Autonomous System registered to offshore company, abuse contact is a freemail address, address says "0 Market Square, P.O. Box 364, Belize", seems to trace to some location in AP vicinity +country: AP +drop: yes
aut-num: AS56611 descr: REBA Communications BV remarks: bulletproof ISP (related to AS202425) located in NL country: NL drop: yes
+aut-num: AS56873 +descr: 1337TEAM LIMITED / eliteteam[.]to +remarks: Owned by an offshore letterbox company, suspected rogue ISP +drop: yes
aut-num: AS57717 descr: FiberXpress BV remarks: bulletproof ISP (related to AS202425) located in NL country: NL drop: yes
+aut-num: AS60424 +descr: 1337TEAM LIMITED / eliteteam[.]to +remarks: Owned by an offshore letterbox company, suspected rogue ISP +drop: yes
aut-num: AS62068 descr: SpectraIP B.V. remarks: bulletproof ISP (linked to AS202425 et al.) located in NL @@ -62,6 +95,12 @@ remarks: bulletproof ISP (linked to AS202425 et al.) located in NL country: NL drop: yes
+aut-num: AS200391 +descr: KREZ 999 EOOD +remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data +country: BG +drop: yes
aut-num: AS202425 descr: IP Volume Inc. remarks: bulletproof ISP (aka: AS29073 / Ecatel Ltd. / Quasi Networks Ltd.) located in NL @@ -74,6 +113,12 @@ remarks: bulletproof ISP and IP hijacker, related to AS202425 and AS62355, trace country: NL drop: yes
+aut-num: AS207812 +descr: DM AUTO EOOD +remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data +country: BG +drop: yes
aut-num: AS204655 descr: Novogara Ltd. remarks: bulletproof ISP (strongly linked to AS202425) located in NL @@ -85,3 +130,8 @@ descr: Datapacket Maroc SARL remarks: bulletproof ISP (strongly linked to AS202425) located in NL country: NL drop: yes
+net: 2a10:9700::/29 +descr: 1337TEAM LIMITED / eliteteam[.]to +remarks: Owned by an offshore letterbox company, suspected rogue ISP
+drop: yes
2.26.2
Hello Michael,
thanks for your reply.
No, they are all still alive and kicking, but fit the "XD" category better. Some of them, to the best of my knowledge, recently stopped using proxy/VPN services, so I removed them from the A1 override file for improved accuracy.
Thanks, and best regards, Peter Müller
Thank you. Merged.
All those networks that were removed, did they just cease to exist?
-Michael
On 10 Dec 2021, at 07:07, Peter Müller peter.mueller@ipfire.org wrote:
Signed-off-by: Peter Müller peter.mueller@ipfire.org
overrides/override-a1.txt | 48 ---------------- overrides/override-other.txt | 104 ++++++++++++++++++++++------------- overrides/override-xd.txt | 50 +++++++++++++++++ 3 files changed, 117 insertions(+), 85 deletions(-)
diff --git a/overrides/override-a1.txt b/overrides/override-a1.txt index 5734c08..5fce4d9 100644 --- a/overrides/override-a1.txt +++ b/overrides/override-a1.txt @@ -82,11 +82,6 @@ descr: Asiamax Ltd. VPN remarks: VPN provider is-anonymous-proxy: yes
-aut-num: AS39770 -descr: 1337TEAM LIMITED / eliteteam[.]to -remarks: Owned by an offshore letterbox company, suspected rogue ISP -is-anonymous-proxy: yes
aut-num: AS43233 descr: VPS 404 Ltd. remarks: VPN provider [high confidence, but not proofed] located in ES @@ -114,12 +109,6 @@ descr: BeeVPN ApS remarks: VPN provider is-anonymous-proxy: yes
-aut-num: AS51381 -descr: 1337TEAM LIMITED / eliteteam[.]to -remarks: Owned by an offshore letterbox company, suspected rogue ISP -is-anonymous-proxy: yes -country: RU
aut-num: AS51446 descr: SP Argaev Artem Sergeyevich / Foundation Respect My Privacy remarks: VPN provider [high confidence, but not proofed] @@ -142,17 +131,6 @@ remarks: Tor relay and VPN provider, traces back to SE [high confidence, but n is-anonymous-proxy: yes country: SE
-aut-num: AS55303 -descr: Eagle Sky Co., Lt[d ?] -remarks: Autonomous System registered to offshore company, abuse contact is a freemail address, address says "0 Market Square, P.O. Box 364, Belize", seems to trace to some location in AP vicinity -is-anonymous-proxy: yes -country: AP
-aut-num: AS56873 -descr: 1337TEAM LIMITED / eliteteam[.]to -remarks: Owned by an offshore letterbox company, suspected rogue ISP -is-anonymous-proxy: yes
aut-num: AS58110 descr: IP Volume Ltd. / Epik remarks: Shady Autonomous System registered to letterbox company, possibly copycat operation of Epik registrar, many prefixes announced refer to "anonymize" infrastructure @@ -168,11 +146,6 @@ descr: Geotelco Limited remarks: VPN provider [high confidence, but not proofed] is-anonymous-proxy: yes
-aut-num: AS60424 -descr: 1337TEAM LIMITED / eliteteam[.]to -remarks: Owned by an offshore letterbox company, suspected rogue ISP -is-anonymous-proxy: yes
aut-num: AS60729 descr: Zwiebelfreunde e.V. remarks: Tor relay provider @@ -214,12 +187,6 @@ descr: HERN Labs AB remarks: VPN provider [high confidence, but not proofed] is-anonymous-proxy: yes
-aut-num: AS206819 -descr: ANSON NETWORK LIMITED -remarks: Autonomous System registered to UK letterbox company, traces back through shady ISPs to TW -is-anonymous-proxy: yes -country: TW
aut-num: AS207688 descr: DataHome S.A. remarks: VPN provider located in BR [high confidence, but not proofed] @@ -1430,11 +1397,6 @@ descr: Tredinvest LLC / bestwest[.]host remarks: VPN provider or offering similar services [high confidence, but not proofed] is-anonymous-proxy: yes
-net: 185.215.113.0/24 -descr: 1337TEAM LIMITED / eliteteam[.]to -remarks: Owned by an offshore letterbox company, suspected rogue ISP -is-anonymous-proxy: yes
net: 185.220.100.0/22 descr: Zwiebelfreunde e.V. / F3 Netze e.V. / The Calyx Institute remarks: Tor relay provider @@ -1692,11 +1654,6 @@ descr: LogicWeb Inc. / BGRVPN / Private Internet Access / VPNetworks / Cookie remarks: Hijacked AfriNIC IP chunk mostly used by VPN providers is-anonymous-proxy: yes
-net: 196.61.192.0/20 -descr: Inspiring Networks LTD -remarks: hijacked (?) IP network owned by an offshore company [high confidence, but not proofed] -is-anonymous-proxy: yes
net: 197.221.161.0/24 descr: VPNClientPublics remarks: VPN provider @@ -2031,8 +1988,3 @@ net: 2c0f:f930::/32 descr: Cyberdyne S.A. remarks: Tor relay provider is-anonymous-proxy: yes
-net: 2a10:9700::/29 -descr: 1337TEAM LIMITED / eliteteam[.]to -remarks: Owned by an offshore letterbox company, suspected rogue ISP -is-anonymous-proxy: yes diff --git a/overrides/override-other.txt b/overrides/override-other.txt index 7d76534..ca9dbad 100644 --- a/overrides/override-other.txt +++ b/overrides/override-other.txt @@ -85,6 +85,11 @@ descr: Tianhai InfoTech remarks: IP hijacker located somewhere in AP, massively tampers with RIR data country: AP
+aut-num: AS5408 +descr: Greek Research and Technology Network (GRNET) S.A. +remarks: ... located in GR +country: GR
aut-num: AS6134 descr: XNNET LLC remarks: traces back to an unknown oversea location (HK?), seems to tamper with RIR data @@ -363,6 +368,11 @@ descr: CNSERVERS LLC remarks: Shady ISP located in US, tampers with RIR data country: US
+aut-num: AS41047 +descr: MLAB Open Source Community +remarks: traces back to DE +country: DE
aut-num: AS41466 descr: Treidinvest LLC remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data @@ -408,6 +418,11 @@ descr: DGN TEKNOLOJI A.S. remarks: ISP located in TR, but many RIR data for announced prefixes contain garbage country: TR
+aut-num: AS43092 +descr: Kirin Communication Limited +remarks: tampers with RIR data, traces back to AP area +country: AP
aut-num: AS43310 descr: TOV "LVS" remarks: ISP located in UA, but some RIR data for announced prefixes contain garbage @@ -498,11 +513,6 @@ descr: LLC Baxet remarks: tampers with RIR data, traces back to RU country: RU
-aut-num: AS49447 -descr: Nice IT Services Group Inc. -remarks: Rogue ISP located in CH, but some RIR data for announced prefixes contain garbage -country: CH
aut-num: AS49466 descr: KLAYER LLC remarks: part of the "Asline" IP hijacking gang, traces back to AP region @@ -748,6 +758,11 @@ descr: NForce Entertainment BV remarks: currently hijacks a single stolen /20 AfriNIC IPv4 net, hosted in NL country: NL
+aut-num: AS131685 +descr: Sun Network (Hong Kong) Limited +remarks: ISP and/or IP hijacker located somewhere in AP +country: AP
aut-num: AS132369 descr: XIANGAO INTERNATIONAL TELECOMMUNICATION LIMITED remarks: ISP located in HK, tampers with RIR data @@ -758,9 +773,14 @@ descr: POWER LINE DATACENTER remarks: ISP and/or IP hijacker located in HK, tampers with RIR data country: HK
+aut-num: AS133201 +descr: ABCDE GROUP COMPANY LIMITED +remarks: ISP and/or IP hijacker located somewhere in AP +country: AP
aut-num: AS133441 descr: CloudITIDC Global -remarks: ISP and/or IP hijacker located somehwere in AP +remarks: ISP and/or IP hijacker located somewhere in AP country: AP
aut-num: AS133752 @@ -810,7 +830,7 @@ country: AP
aut-num: AS136800 descr: ICIDC NETWORK -remarks: IP hijacker located somehwere in AP, suspected to be part of the "Asline" IP hijacking gang, tampers with RIR data +remarks: IP hijacker located somewhere in AP, suspected to be part of the "Asline" IP hijacking gang, tampers with RIR data country: AP
aut-num: AS136933 @@ -923,6 +943,11 @@ descr: Incomparable(HK)Network Co., Limited remarks: ISP and/or IP hijacker located in AP area, tampers with RIR data country: AP
+aut-num: AS141746 +descr: Orenji Server +remarks: IP hijacker located somewhere in AP area (JP?) +country: AP
aut-num: AS196682 descr: FLP Kochenov Aleksej Vladislavovich remarks: ISP located in UA, but RIR data for announced prefixes all say EU @@ -933,11 +958,6 @@ descr: ALEXHOST SRL remarks: ISP located in MD, majority of RIR data for announced prefixes contain garbage, we cannot trust this network country: MD
-aut-num: AS200391 -descr: KREZ 999 EOOD -remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data -country: BG
aut-num: AS200699 descr: Datashield, Inc. remarks: fake offshore location (SC), traces back to NL @@ -1028,6 +1048,11 @@ descr: Genius Guard / Genius Security Ltd. remarks: another shady customer of "DDoS Guard Ltd.", probably located in RU country: RU
+aut-num: AS206819 +descr: ANSON NETWORK LIMITED +remarks: Autonomous System registered to UK letterbox company, traces back through shady ISPs to TW +country: TW
aut-num: AS206898 descr: Server Hosting Pty Ltd remarks: ISP located in NL, but some RIR data for announced prefixes contain garbage @@ -1063,11 +1088,6 @@ descr: Altrosky Technology Ltd. remarks: fake offshore location (SC), traces back to CZ and NL country: EU
-aut-num: AS207812 -descr: DM AUTO EOOD -remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data -country: BG
aut-num: AS208046 descr: Maximilian Kutzner trading as HostSlick remarks: traces back to NL, but some RIR data for announced prefixes contain garbage @@ -1248,6 +1268,11 @@ descr: Sun Network Company Limited remarks: IP hijacker, traces back to AP region country: AP
+aut-num: AS328608 +descr: Africa on Cloud +remarks: ... for some reason, I doubt a _real_ African ISP would announce solely hijacked prefixes +country: AP
aut-num: AS328703 descr: Seven Network Inc. remarks: traces back to ZA @@ -1313,25 +1338,25 @@ descr: Wolverine Trading, LLC remarks: IP hijacker located in US, tampers with RIR data country: US
-net: 5.1.68.0/24 -descr: GaiacomLC -remarks: routed to DE, inaccurate RIR data -country: DE +net: 5.1.68.0/24 +descr: GaiacomLC +remarks: routed to DE, inaccurate RIR data +country: DE
-net: 5.1.69.0/24 -descr: GaiacomLC -remarks: routed to DE, inaccurate RIR data -country: DE +net: 5.1.69.0/24 +descr: GaiacomLC +remarks: routed to DE, inaccurate RIR data +country: DE
-net: 5.1.83.0/24 -descr: GaiacomLC -remarks: routed to DE, inaccurate RIR data -country: DE +net: 5.1.83.0/24 +descr: GaiacomLC +remarks: routed to DE, inaccurate RIR data +country: DE
-net: 5.1.88.0/24 -descr: GaiacomLC -remarks: routed to DE, inaccurate RIR data -country: DE +net: 5.1.88.0/24 +descr: GaiacomLC +remarks: routed to DE, inaccurate RIR data +country: DE
net: 5.252.32.0/22 descr: StormWall s.r.o. @@ -1413,6 +1438,11 @@ descr: Golden Internet LLC remarks: fake location (KP), WHOIS contact points to RU country: RU
+net: 91.90.120.0/24 +descr: M247 LTD, Greenland Infrastructure +remarks: ... traces back to CA +country: CA
net: 91.149.194.0/24 descr: IP Volume Ltd. / Epik remarks: fake location (CH), traces back to SE @@ -1488,10 +1518,10 @@ descr: Intelcom Group Ltd remarks: fake offshore location (SC), traces back to RU country: RU
-net: 185.140.204.0/22 -descr: Hornetsecurity GmbH -remarks: all suballocations are used in DE, but are assigned to US -country: DE +net: 185.140.204.0/22 +descr: Hornetsecurity GmbH +remarks: all suballocations are used in DE, but are assigned to US +country: DE
net: 185.175.93.0/24 descr: Perfect Hosting Solutions diff --git a/overrides/override-xd.txt b/overrides/override-xd.txt index 7df6188..29057d9 100644 --- a/overrides/override-xd.txt +++ b/overrides/override-xd.txt @@ -26,24 +26,57 @@ # Please keep this file sorted. #
+aut-num: AS39770 +descr: 1337TEAM LIMITED / eliteteam[.]to +remarks: Owned by an offshore letterbox company, suspected rogue ISP +drop: yes
aut-num: AS48090 descr: PPTECHNOLOGY LIMITED remarks: bulletproof ISP (related to AS204655) located in NL country: NL drop: yes
+aut-num: AS49447 +descr: Nice IT Services Group Inc. +remarks: Rogue ISP located in CH, but some RIR data for announced prefixes contain garbage +country: CH +drop: yes
+aut-num: AS51381 +descr: 1337TEAM LIMITED / eliteteam[.]to +remarks: Owned by an offshore letterbox company, suspected rogue ISP +country: RU +drop: yes
+aut-num: AS55303 +descr: Eagle Sky Co., Lt[d ?] +remarks: Autonomous System registered to offshore company, abuse contact is a freemail address, address says "0 Market Square, P.O. Box 364, Belize", seems to trace to some location in AP vicinity +country: AP +drop: yes
aut-num: AS56611 descr: REBA Communications BV remarks: bulletproof ISP (related to AS202425) located in NL country: NL drop: yes
+aut-num: AS56873 +descr: 1337TEAM LIMITED / eliteteam[.]to +remarks: Owned by an offshore letterbox company, suspected rogue ISP +drop: yes
aut-num: AS57717 descr: FiberXpress BV remarks: bulletproof ISP (related to AS202425) located in NL country: NL drop: yes
+aut-num: AS60424 +descr: 1337TEAM LIMITED / eliteteam[.]to +remarks: Owned by an offshore letterbox company, suspected rogue ISP +drop: yes
aut-num: AS62068 descr: SpectraIP B.V. remarks: bulletproof ISP (linked to AS202425 et al.) located in NL @@ -62,6 +95,12 @@ remarks: bulletproof ISP (linked to AS202425 et al.) located in NL country: NL drop: yes
+aut-num: AS200391 +descr: KREZ 999 EOOD +remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data +country: BG +drop: yes
aut-num: AS202425 descr: IP Volume Inc. remarks: bulletproof ISP (aka: AS29073 / Ecatel Ltd. / Quasi Networks Ltd.) located in NL @@ -74,6 +113,12 @@ remarks: bulletproof ISP and IP hijacker, related to AS202425 and AS62355, trace country: NL drop: yes
+aut-num: AS207812 +descr: DM AUTO EOOD +remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data +country: BG +drop: yes
aut-num: AS204655 descr: Novogara Ltd. remarks: bulletproof ISP (strongly linked to AS202425) located in NL @@ -85,3 +130,8 @@ descr: Datapacket Maroc SARL remarks: bulletproof ISP (strongly linked to AS202425) located in NL country: NL drop: yes
+net: 2a10:9700::/29 +descr: 1337TEAM LIMITED / eliteteam[.]to +remarks: Owned by an offshore letterbox company, suspected rogue ISP
+drop: yes
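Review bot: The final override-xd.txt hunk carries over only "net: 2a10:9700::/29" for 1337TEAM LIMITED, while the override-a1.txt side of this patch also removes "net: 185.215.113.0/24" with the same description, and none of the added lines put that prefix back. If the /24 is meant to be covered by the AS-level entries added here (AS39770, AS51381, AS56873, AS60424), say so in the commit message; otherwise add it to this file with "drop: yes".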
2.26.2
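Review bot: In the override-xd.txt hunk at "@@ -74,6 +113,12 @@", the new AS207812 block is inserted ahead of the existing AS204655 entry, which breaks the numeric order the file header asks for ("# Please keep this file sorted."). Move the AS207812 block below AS204655 so it sits at its numeric position.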
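Review bot: The override-a1.txt hunk at "@@ -1692,11 +1654,6 @@" deletes the "net: 196.61.192.0/20" (Inspiring Networks LTD) entry, and unlike the other removals from that file, no added line in override-other.txt or override-xd.txt re-creates it. If the entry is being retired because it is no longer valid, state that in the commit message; if it was meant to move, the destination block is missing.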
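Review bot: In the override-other.txt hunk at "@@ -1248,6 +1268,11 @@", the AS328608 entry sets "country: AP", but its remarks line only voices doubt that this is a real African ISP and says nothing about where the prefixes trace to. The neighbouring entry words this as "traces back to AP region"; add the equivalent observation to the remarks so the country code is justified by the entry itself.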
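Review bot: In the override-other.txt hunk at "@@ -1313,25 +1338,25 @@", the four GaiacomLC blocks (5.1.68.0/24 through 5.1.88.0/24) are removed and re-added with the same visible text, so this looks like a whitespace-only change, and the 185.140.204.0/22 block further down gets the same treatment. That cleanup is unrelated to moving entries into override-xd.txt; split it into its own commit or mention it in the commit message so the functional changes stay easy to audit.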
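Review bot: The new AS5408 entry in override-other.txt (hunk "@@ -85,6 +85,11 @@") has "remarks: ... located in GR", which leaves out why the RIR data needs an override at all; the added "net: 91.90.120.0/24" entry does the same with "... traces back to CA". Replace the leading "..." with the actual observation, as the surrounding entries do.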