From: "Peter Müller" <peter.mueller@ipfire.org>
To: location@lists.ipfire.org
Subject: [PATCH 1/3] override-other: mitigate tampered RIR data from customers of Tamatiya EOOD / 4Vendeta
Date: Thu, 29 Apr 2021 22:05:53 +0200
Message-ID: <0d4f7143-439c-29fe-d15f-76f28371c2f2@ipfire.org>
AS50360 has an impressive history of providing IP transit services to
shady Autonomous Systems, and continues to do so. While the amount of
prefixes with tampered RIR data announced by AS50360 itself has ceased
within the past years, its customers continue to propagate IP space
with faked country information.
We cannot trust these networks, which is why we pin them on BG
altogether, as they are all hosted in Sofia, Bulgaria:
1. X
2. X
3. AS9002 ae5-10.RT.TLP.SOF.BG.retn.net (87.245.232.164) <= RETN infrastructure in Telehouse Sofia, BG
4. AS9002 GW-Tamatiya.retn.net (87.245.240.159) <= Gateway to Tamatiya / 4Vendeta
5. AS50360 ip-25-22.4vendeta.com (195.230.25.22) <= And BOOM goes the dynamite...
6. (waiting for reply)

1. X
2. X
3. AS??? ge0-3.ams.OTEglobe.net (80.249.208.179)
4. AS??? 62.75.27.82 (62.75.27.82)
5. AS12713 62.75.3.2 (62.75.3.2)
6. AS57344 185.148.160.77 (185.148.160.77)
7. AS50360 ip-25-22.4vendeta.com (195.230.25.22)
8. (waiting for reply)
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
overrides/override-other.txt | 42 ++++++++++++++++++++++++++++++------
1 file changed, 36 insertions(+), 6 deletions(-)
diff --git a/overrides/override-other.txt b/overrides/override-other.txt
index 0ec8fa2..f750da0 100644
--- a/overrides/override-other.txt
+++ b/overrides/override-other.txt
@@ -105,8 +105,8 @@ country: US
aut-num: AS41466
descr: Treidinvest LLC
-remarks: ISP located in RU, but some RIR data for announced prefixes contain garbage
-country: RU
+remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data
+country: BG
aut-num: AS41564
descr: Packet Exchange Limited
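Review bot: The AS41466 entry changes from "ISP located in RU" to "located in BG" without saying whether the old statement was wrong or the network has since moved, and neither traceroute in the commit message targets a Treidinvest prefix (both end at 195.230.25.22 in AS50360). The rewritten remarks line also drops the earlier detail that only some RIR data for the announced prefixes contain garbage. Please state the basis for the RU to BG change in the commit message and keep the scope of the tampering in the remark.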
@@ -173,6 +173,11 @@ descr: F.I.H. FORMULA INVESTMENT HOUSE CLEARING LIMITED
remarks: claims GR for announced prefixes, but traceroutes dead-end somewhere else in EU
country: EU
+aut-num: AS50360
+descr: Tamatiya EOOD / 4Vendeta
+remarks: Questionable (at best) ISP located in BG, clients massively tamper with RIR data
+country: BG
+
aut-num: AS51558
descr: Smart Telecom S.A.R.L
remarks: tampers with RIR data, traces back to RU
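Review bot: The new AS50360 remark blames "clients" for the tampering, while the commit message says the tampered prefixes announced by AS50360 itself have ceased, so the reason for pinning the upstream's own prefixes to BG is not recorded in the file. Suggest saying in the remark why the AS itself is overridden (for example, that its own announcements trace to Sofia as in the traceroutes). Minor style point: this remark starts with a capital "Questionable", whereas the neighbouring remarks start lower case ("tampers with ...", "claims GR ...").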
@@ -288,6 +293,11 @@ descr: ALEXHOST SRL
remarks: ISP located in MD, majority of RIR data for announced prefixes contain garbage, we cannot trust this network
country: MD
+aut-num: AS200391
+descr: KREZ 999 EOOD
+remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data
+country: BG
+
aut-num: AS200699
descr: Datashield, Inc.
remarks: fake offshore location (SC), traces back to NL
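Review bot: The AS200391 remark names the upstream only by its quoted company string, "Tamatiya EOOD / 4Vendeta", and the same sentence is repeated verbatim for every customer entry in this patch. Referring to the upstream by number, as the existing remark "related to AS202425 and AS62355" does, would make the relationship greppable and would survive a rename of the descr line of AS50360. Suggested wording: another shady customer of AS50360 (Tamatiya EOOD / 4Vendeta), located in BG, tampers with RIR data.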
@@ -313,10 +323,10 @@ descr: FutureNow Incorporated
remarks: ISP located in BG, but RIR data for announced prefixes contain garbage
country: BG
-aut-num: AS202920
-descr: DataClub S.A.
-remarks: another shady customer of "DDoS Guard Ltd."
-country: RU
+aut-num: AS202325
+descr: 4Media Ltd.
+remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data
+country: BG
aut-num: AS202425
descr: IP Volume Inc.
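Review bot: The removal of AS202920 (DataClub S.A.) here is a reordering rather than a deletion, since the same four lines come back unchanged in the next hunk, but the commit message does not mention it. Read on its own, this hunk looks as if the DDoS Guard customer override was replaced by the 4Media one. Please either note the sort-order fix in the commit message or split it into its own patch so the functional change (eight BG entries) is easy to audit.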
@@ -333,6 +343,11 @@ descr: Cooperative Investments LLC
remarks: bulletproof ISP and IP hijacker, related to AS202425 and AS62355, traces to NL
country: NL
+aut-num: AS202920
+descr: DataClub S.A.
+remarks: another shady customer of "DDoS Guard Ltd."
+country: RU
+
aut-num: AS204136
descr: Kevin Holly trading as Silent Ghost e.U.
remarks: AS run by someone who thinks allocating IP networks to AQ is funny (it is not, kid) :-/
@@ -368,16 +383,31 @@ descr: Altrosky Technology Ltd.
remarks: fake offshore location (SC), traces back to CZ and NL
country: EU
+aut-num: AS207812
+descr: DM AUTO EOOD
+remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data
+country: BG
+
aut-num: AS208046
descr: Maximilian Kutzner trading as HostSlick
remarks: traces back to NL, but some RIR data for announced prefixes contain garbage
country: NL
+aut-num: AS208410
+descr: Internet Hosting Ltd.
+remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data
+country: BG
+
aut-num: AS209132
descr: Alviva Holding Limited
remarks: ISP located in BG, but RIR data for announced prefixes contain garbage
country: BG
+aut-num: AS209160
+descr: Miti 2000 EOOD
+remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data
+country: BG
+
aut-num: AS209272
descr: Alviva Holding Limited
remarks: bulletproof ISP operating from a war zone in eastern UA
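Review bot: None of the three ASes added in this hunk (AS207812, AS208410, AS209160) appears in the traceroutes in the commit message; both traces end at 195.230.25.22 inside AS50360, so the claim that the customers are "all hosted in Sofia" is documented for the upstream only. For an override that forces the country of every prefix these ASes announce, please add at least one sample prefix or trace per customer AS to the commit message, so a later reader can re-check the entry if the network changes upstream.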
--
2.26.2