public inbox for location@lists.ipfire.org
* [PATCH 1/4] override-other: Clarify file description and fix typos
@ 2021-12-03 11:28 Peter Müller
  2021-12-03 11:28 ` [PATCH 2/4] override-xd: Initial commit Peter Müller
  0 siblings, 1 reply; 4+ messages in thread
From: Peter Müller @ 2021-12-03 11:28 UTC (permalink / raw)
  To: location


Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 overrides/override-other.txt | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/overrides/override-other.txt b/overrides/override-other.txt
index dab86a0..1d8d1d1 100644
--- a/overrides/override-other.txt
+++ b/overrides/override-other.txt
@@ -1,5 +1,5 @@
 #
-# override-a3 [.txt]
+# override-other [.txt]
 #
 # This file contains Autonomous Systems and IP networks whose RIR data are believed to be inaccurate,
 # incomplete, or bogus on purpose and by chance. A small subset of its entries applies to AS descriptions,
@@ -9,13 +9,17 @@
 # therefore pose a security threat to these users, especially if being set intentionally to circumvent such
 # filters.
 #
-# The term "Location" may refer to the actual, physical location of a network (usually hard to enumerate
+# The term "location" may refer to the actual, physical location of a network (usually hard to enumerate
 # beyond a country-level), or its jurisdiction. To the best of our knowledge, the contents of "country"-fields
-# in RIR databases were never clarified in this conext.
+# in RIR databases were never clarified in this context.
 #
 # When in doubt, the physical location of a network will be used below, especially if the jurisdiction of a
 # network appears to be not helpful at all, such as offshore letterbox companies on the other end of the world.
 #
+# In case an AS or IP network is also flagged (A[1-3], XD), the necessary directives should not go into
+# this file, but rather into overrides-{a[1-3],xd}.txt - overrides-other.txt should always be the last
+# preference, to keep things tidy.
+#
 # Improvement suggestions are appreciated, please submit them as patches to the location mailing
 # list. Refer to https://lists.ipfire.org/mailman/listinfo/location and https://wiki.ipfire.org/devel/contact
 # for further information.
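Review bot: The added paragraph in this hunk names the files "overrides-{a[1-3],xd}.txt" and "overrides-other.txt" (plural), but the file being patched is overrides/override-other.txt and the header line corrected in the first hunk reads "override-other [.txt]". Suggest "override-{a[1-3],xd}.txt" and "override-other.txt" so the comment points at names a contributor can actually open. "Should always be the last preference" would also read more clearly as "should only be used when none of the flag-specific files applies".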
-- 
2.26.2


* [PATCH 2/4] override-xd: Initial commit
  2021-12-03 11:28 [PATCH 1/4] override-other: Clarify file description and fix typos Peter Müller
@ 2021-12-03 11:28 ` Peter Müller
  2021-12-03 11:28   ` [PATCH 3/4] override-other: Regular batch of various overrides Peter Müller
  0 siblings, 1 reply; 4+ messages in thread
From: Peter Müller @ 2021-12-03 11:28 UTC (permalink / raw)
  To: location


Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 overrides/override-xd.txt | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 overrides/override-xd.txt

diff --git a/overrides/override-xd.txt b/overrides/override-xd.txt
new file mode 100644
index 0000000..8318b49
--- /dev/null
+++ b/overrides/override-xd.txt
@@ -0,0 +1,27 @@
+#
+# override-xd [.txt]
+#
+# This file contains Autonomous Systems and IP networks strongly believed or proofed to be hostile,
+# posing a _technical_ threat against libloc users in general and/or IPFire users in particular.
+#
+# libloc neither was intended to be an "opinionated" database, nor should it become that way. Please
+# refer to commit 69b3d894fbee6e94afc2a79593f7f6b300b88c10 for the rationale of implementing a special
+# flag for hostile networks.
+#
+# Technical threats cover publicly routable network infrastructure solely dedicated or massively abused to
+# host phishing, malware, C&C servers, non-benign vulnerability scanners, or being used as a "bulletproof"
+# hosting space for cybercrime infrastructure.
+#
+# This file should not contain short-lived threats being hosted within legitimate infrastructures, as
+# libloc it neither intended nor suitable to protect against such threats in a timely manner - by default,
+# clients download a new database once a week.
+#
+# Networks posing non-technical threats - i. e. not covered by the definition above - must not be listed
+# here.
+#
+# Improvement suggestions are appreciated, please submit them as patches to the location mailing
+# list. Refer to https://lists.ipfire.org/mailman/listinfo/location and https://wiki.ipfire.org/devel/contact
+# for further information.
+#
+# Please keep this file sorted.
+#
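Review bot: Two wording slips in the new header: "strongly believed or proofed to be hostile" should be "proven", and "libloc it neither intended nor suitable" should be "libloc is neither intended nor suitable". The closing "Please keep this file sorted" does not say by which key; naming it (for example, ascending AS number) would make the rule checkable in review. The header defines what counts as a technical threat but not how an entry expresses it: patch 4/4 adds "drop: yes" to every entry in this file, so a sentence describing that directive belongs here.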
-- 
2.26.2


* [PATCH 3/4] override-other: Regular batch of various overrides
  2021-12-03 11:28 ` [PATCH 2/4] override-xd: Initial commit Peter Müller
@ 2021-12-03 11:28   ` Peter Müller
  2021-12-03 11:28     ` [PATCH 4/4] overrides-xd: Add ASNs of Dutch bulletproof ISP conglomerate "Ecatel" Peter Müller
  0 siblings, 1 reply; 4+ messages in thread
From: Peter Müller @ 2021-12-03 11:28 UTC (permalink / raw)
  To: location


Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 overrides/override-other.txt | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/overrides/override-other.txt b/overrides/override-other.txt
index 1d8d1d1..6d2aa52 100644
--- a/overrides/override-other.txt
+++ b/overrides/override-other.txt
@@ -433,6 +433,11 @@ descr:		Digital Energy LLC
 remarks:	ISP located in RU, but some RIR data for announced prefixes contain garbage
 country:	RU
 
+aut-num:	AS43847
+descr:		NbIServ
+remarks:	ISP located in DE, but some RIR data for announced prefixes contain garbage
+country:	DE
+
 aut-num:	AS44015
 descr:		Landgard Management Inc.
 remarks:	bulletproof ISP with strong links to RU
@@ -488,6 +493,11 @@ descr:		ADM Service Ltd.
 remarks:	traces back to Vilnius, LT
 country:	LT
 
+aut-num:	AS49017
+descr:		GAIJIN NETWORK LTD
+remarks:	fake offshore location (CY), traces back to RU
+country:	RU
+
 aut-num:	AS49392
 descr:		LLC Baxet
 remarks:	tampers with RIR data, traces back to RU
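Review bot: The AS49017 entry overrides the country to RU on the strength of "fake offshore location (CY), traces back to RU", but neither the remarks nor the commit message says how that was established. Patch 4/4 carries a "See:" reference; a similar pointer here (or a short note on the method, such as traceroutes or upstream analysis) would let a later reviewer re-check the entry when the network changes.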
@@ -628,6 +638,11 @@ descr:		YISP BV
 remarks:	ISP located in NL, but some RIR data for announced prefixes contain garbage
 country:	NL
 
+aut-num:	AS58181
+descr:		ULTRANEX LTD
+remarks:	fake offshore location (CY), hosted in NL
+country:   	NL
+
 aut-num:	AS58271
 descr:		FOP Gubina Lubov Petrivna
 remarks:	bulletproof ISP operating from a war zone in eastern UA
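Review bot: The added country line for AS58181 separates key and value with spaces followed by a tab, while the other added entries in this patch (for example "country: DE" for AS43847) use a single tab. Suggest normalising it to a single tab so the file stays uniform and anything that splits fields on the separator sees one form.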
@@ -688,6 +703,11 @@ descr:		Inter Connects Inc. / Jing Yun
 remarks:	part of a dirty ISP conglomerate operating most likely out of SE, hijacking AfriNIC networks
 country:	SE
 
+aut-num:	AS60546
+descr:		EU Routing Ltd
+remarks:	fake offshore location (CY), hosted in NL
+country:   	NL
+
 aut-num:	AS60721
 descr:		Bursabil Teknoloji A.S.
 remarks:	ISP located in TR, but many RIR data for announced prefixes contain garbage
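Review bot: Same separator inconsistency on the added country line for AS60546: spaces plus a tab instead of the single tab used elsewhere in the patch. Worth fixing together with the AS58181 entry.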
@@ -908,6 +928,11 @@ descr:		Galaxy Broadband
 remarks:	ISP located in PK, but announces 204.137.128.0/18, which is ARIN space, assigned to "AGIS" / Cogent - odd...
 country:	PK
 
+aut-num:	AS140224
+descr:		White-Sand Cloud Computing(HK) Co., LIMITED
+remarks:	part of the "Asline" IP hijacking gang, tampers with RIR data, traces back to AP region
+country:	AP
+
 aut-num:	AS140227
 descr:		Hong Kong Communications International Co., Limited
 remarks:	part of the "Asline" IP hijacking gang, tampers with RIR data, traces back to AP region
-- 
2.26.2


* [PATCH 4/4] overrides-xd: Add ASNs of Dutch bulletproof ISP conglomerate "Ecatel"
  2021-12-03 11:28   ` [PATCH 3/4] override-other: Regular batch of various overrides Peter Müller
@ 2021-12-03 11:28     ` Peter Müller
  0 siblings, 0 replies; 4+ messages in thread
From: Peter Müller @ 2021-12-03 11:28 UTC (permalink / raw)
  To: location


See: https://www.nrc.nl/nieuws/2021/04/02/the-cesspool-of-the-internet-is-to-be-found-in-a-village-in-north-holland-a4038369

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 overrides/override-other.txt | 50 ------------------------------
 overrides/override-xd.txt    | 60 ++++++++++++++++++++++++++++++++++++
 2 files changed, 60 insertions(+), 50 deletions(-)

diff --git a/overrides/override-other.txt b/overrides/override-other.txt
index 6d2aa52..7d76534 100644
--- a/overrides/override-other.txt
+++ b/overrides/override-other.txt
@@ -478,11 +478,6 @@ descr:		Spectre Operations BV
 remarks:	ISP located in NL, but some RIR data for suballocations of announced prefixes contain garbage
 country:	NL
 
-aut-num:	AS48090
-descr:		PPTECHNOLOGY LIMITED
-remarks:	bulletproof ISP (related to AS204655) located in NL
-country:	NL
-
 aut-num:	AS48158
 descr:		DigitalOne AG
 remarks:	Services appear to be hosted in RU, RIR data faked/incorrect
@@ -593,11 +588,6 @@ descr:		vServer.site LTD
 remarks:	ISP located in DE, but some RIR data for announced prefixes contain garbage
 country:	DE
 
-aut-num:	AS56611
-descr:		REBA Communications BV
-remarks:	bulletproof ISP (related to AS202425) located in NL
-country:	NL
-
 aut-num:	AS56851
 descr:		PE Skurykhin Mukola Volodumurovuch
 remarks:	tampers with RIR data, traces back to UA
@@ -608,11 +598,6 @@ descr:		Hostkey B.V.
 remarks:	ISP located in NL, but some RIR data for announced prefixes contain garbage
 country:	NL
 
-aut-num:	AS57717
-descr:		FiberXpress BV
-remarks:	bulletproof ISP (related to AS202425) located in NL
-country:	NL
-
 aut-num:	AS57756
 descr:		Telefonica LLC
 remarks:	ISP located in RU, but some RIR data for announced prefixes contain garbage
@@ -728,21 +713,11 @@ descr:		Vivo Trade L.P.
 remarks:	another shady customer of "DDoS Guard Ltd."
 country:	RU
 
-aut-num:	AS62068
-descr:		SpectraIP B.V.
-remarks:	bulletproof ISP (linked to AS202425 et al.) located in NL
-country:	NL
-
 aut-num:	AS62079
 descr:		Ibernap Management S.L.
 remarks:	traces back to various locations in US
 country:   	US
 
-aut-num:	AS62355
-descr:		Network Dedicated SAS
-remarks:	bulletproof ISP and IP hijacker, claims to be located in CH, but traces to NL
-country:	NL
-
 aut-num:	AS62468
 descr:		VpsQuan L.L.C.
 remarks:	claims to be located in US, but traces to HK
@@ -768,11 +743,6 @@ descr:		SWISS GLOBAL SERVICES S.A.S.
 remarks:	... surprisingly, all of their prefixes are hosted in CH, yet they claim CO or PA for them
 country:	CH
 
-aut-num:	AS64425
-descr:		SKB Enterprise B.V.
-remarks:	bulletproof ISP (linked to AS202425 et al.) located in NL
-country:	NL
-
 aut-num:	AS64437
 descr:		NForce Entertainment BV
 remarks:	currently hijacks a single stolen /20 AfriNIC IPv4 net, hosted in NL
@@ -1008,21 +978,11 @@ descr:		4Media Ltd.
 remarks:	another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data
 country:	BG
 
-aut-num:	AS202425
-descr:		IP Volume Inc.
-remarks:	bulletproof ISP (aka: AS29073 / Ecatel Ltd. / Quasi Networks Ltd.) located in NL
-country:	NL
-
 aut-num:	AS202492
 descr:		SILVERHILL GROUP HOLDING LTD / SAKIS POLUNIGIS
 remarks:	fake offshore location (SC), traces back to RU
 country:	RU
 
-aut-num:	AS202769
-descr:		Cooperative Investments LLC
-remarks:	bulletproof ISP and IP hijacker, related to AS202425 and AS62355, traces to NL
-country:	NL
-
 aut-num:	AS202920
 descr:		DataClub S.A.
 remarks:	another shady customer of "DDoS Guard Ltd."
@@ -1053,11 +1013,6 @@ descr:		Global Offshore Limited
 remarks:	part of a dirty ISP conglomerate with links to SE, RIR data of prefixes announced by this AS cannot be trusted
 country:	EU
 
-aut-num:	AS204655
-descr:		Novogara Ltd.
-remarks:	bulletproof ISP (strongly linked to AS202425) located in NL
-country:	NL
-
 aut-num:	AS205026
 descr:		Hauer Hosting Services Limited
 remarks:	ISP located in ES, but some RIR data for announced prefixes contain garbage
@@ -1293,11 +1248,6 @@ descr:		Sun Network Company Limited
 remarks:	IP hijacker, traces back to AP region
 country:	AP
 
-aut-num:	AS328671
-descr:		Datapacket Maroc SARL
-remarks:	bulletproof ISP (strongly linked to AS202425) located in NL
-country:	NL
-
 aut-num:	AS328703
 descr:		Seven Network Inc.
 remarks:	traces back to ZA
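Review bot: The removal of AS328671 here, like the nine other entries deleted from override-other.txt in the hunks above, is half of a move, yet the subject says "Add ASNs" and the message body only carries a link. Stating in the commit message that the ten entries are moved to override-xd.txt with their country overrides unchanged would make it clear that nothing is lost from this file. The subject prefix "overrides-xd:" also differs from the "override-xd:" used in 2/4 and from the file name.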
diff --git a/overrides/override-xd.txt b/overrides/override-xd.txt
index 8318b49..7df6188 100644
--- a/overrides/override-xd.txt
+++ b/overrides/override-xd.txt
@@ -25,3 +25,63 @@
 #
 # Please keep this file sorted.
 #
+
+aut-num:	AS48090
+descr:		PPTECHNOLOGY LIMITED
+remarks:	bulletproof ISP (related to AS204655) located in NL
+country:	NL
+drop:		yes
+
+aut-num:	AS56611
+descr:		REBA Communications BV
+remarks:	bulletproof ISP (related to AS202425) located in NL
+country:	NL
+drop:		yes
+
+aut-num:	AS57717
+descr:		FiberXpress BV
+remarks:	bulletproof ISP (related to AS202425) located in NL
+country:	NL
+drop:		yes
+
+aut-num:	AS62068
+descr:		SpectraIP B.V.
+remarks:	bulletproof ISP (linked to AS202425 et al.) located in NL
+country:	NL
+drop:		yes
+
+aut-num:	AS62355
+descr:		Network Dedicated SAS
+remarks:	bulletproof ISP and IP hijacker, claims to be located in CH, but traces to NL
+country:	NL
+drop:		yes
+
+aut-num:	AS64425
+descr:		SKB Enterprise B.V.
+remarks:	bulletproof ISP (linked to AS202425 et al.) located in NL
+country:	NL
+drop:		yes
+
+aut-num:	AS202425
+descr:		IP Volume Inc.
+remarks:	bulletproof ISP (aka: AS29073 / Ecatel Ltd. / Quasi Networks Ltd.) located in NL
+country:	NL
+drop:		yes
+
+aut-num:	AS202769
+descr:		Cooperative Investments LLC
+remarks:	bulletproof ISP and IP hijacker, related to AS202425 and AS62355, traces to NL
+country:	NL
+drop:		yes
+
+aut-num:	AS204655
+descr:		Novogara Ltd.
+remarks:	bulletproof ISP (strongly linked to AS202425) located in NL
+country:	NL
+drop:		yes
+
+aut-num:	AS328671
+descr:		Datapacket Maroc SARL
+remarks:	bulletproof ISP (strongly linked to AS202425) located in NL
+country:	NL
+drop:		yes
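Review bot: The remarks for AS202425 list AS29073 as an alias ("aka: AS29073 / Ecatel Ltd. / Quasi Networks Ltd."), but this hunk adds no AS29073 entry, so that AS number would not be covered by "drop: yes" if it is still in use. Either add an entry for it or say in the remarks that it is no longer announced. The "drop:" directive introduced on every entry here is also not explained in the file header from 2/4; one line there on what it does would help downstream users decide how to act on it.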
-- 
2.26.2
