From: "Peter Müller" <peter.mueller@ipfire.org>
To: location@lists.ipfire.org
Subject: Re: [PATCH] override-{a1,other,xd}: Regular batch of various overrides
Date: Fri, 10 Dec 2021 10:36:29 +0100
Message-ID: <2c338278-0411-103c-5d0c-71abff2f42c8@ipfire.org>
In-Reply-To: <ABFF34C3-5456-4F14-9B0C-CD1F0A84A0DF@ipfire.org>
Hello Michael,
thanks for your reply.
No, they are all still alive and kicking, but fit the "XD" category better. Some of them,
to the best of my knowledge, recently stopped using proxy/VPN services, so I removed them
from the A1 override file for improved accuracy.
Thanks, and best regards,
Peter Müller
> Thank you. Merged.
>
> All those networks that were removed, did they just cease to exist?
>
> -Michael
>
>> On 10 Dec 2021, at 07:07, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>
>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>> ---
>> overrides/override-a1.txt | 48 ----------------
>> overrides/override-other.txt | 104 ++++++++++++++++++++++-------------
>> overrides/override-xd.txt | 50 +++++++++++++++++
>> 3 files changed, 117 insertions(+), 85 deletions(-)
>>
>> diff --git a/overrides/override-a1.txt b/overrides/override-a1.txt
>> index 5734c08..5fce4d9 100644
>> --- a/overrides/override-a1.txt
>> +++ b/overrides/override-a1.txt
>> @@ -82,11 +82,6 @@ descr: Asiamax Ltd. VPN
>> remarks: VPN provider
>> is-anonymous-proxy: yes
>>
>> -aut-num: AS39770
>> -descr: 1337TEAM LIMITED / eliteteam[.]to
>> -remarks: Owned by an offshore letterbox company, suspected rogue ISP
>> -is-anonymous-proxy: yes
>> -
>> aut-num: AS43233
>> descr: VPS 404 Ltd.
>> remarks: VPN provider [high confidence, but not proofed] located in ES
>> @@ -114,12 +109,6 @@ descr: BeeVPN ApS
>> remarks: VPN provider
>> is-anonymous-proxy: yes
>>
>> -aut-num: AS51381
>> -descr: 1337TEAM LIMITED / eliteteam[.]to
>> -remarks: Owned by an offshore letterbox company, suspected rogue ISP
>> -is-anonymous-proxy: yes
>> -country: RU
>> -
>> aut-num: AS51446
>> descr: SP Argaev Artem Sergeyevich / Foundation Respect My Privacy
>> remarks: VPN provider [high confidence, but not proofed]
>> @@ -142,17 +131,6 @@ remarks: Tor relay and VPN provider, traces back to SE [high confidence, but n
>> is-anonymous-proxy: yes
>> country: SE
>>
>> -aut-num: AS55303
>> -descr: Eagle Sky Co., Lt[d ?]
>> -remarks: Autonomous System registered to offshore company, abuse contact is a freemail address, address says "0 Market Square, P.O. Box 364, Belize", seems to trace to some location in AP vicinity
>> -is-anonymous-proxy: yes
>> -country: AP
>> -
>> -aut-num: AS56873
>> -descr: 1337TEAM LIMITED / eliteteam[.]to
>> -remarks: Owned by an offshore letterbox company, suspected rogue ISP
>> -is-anonymous-proxy: yes
>> -
>> aut-num: AS58110
>> descr: IP Volume Ltd. / Epik
>> remarks: Shady Autonomous System registered to letterbox company, possibly copycat operation of Epik registrar, many prefixes announced refer to "anonymize" infrastructure
>> @@ -168,11 +146,6 @@ descr: Geotelco Limited
>> remarks: VPN provider [high confidence, but not proofed]
>> is-anonymous-proxy: yes
>>
>> -aut-num: AS60424
>> -descr: 1337TEAM LIMITED / eliteteam[.]to
>> -remarks: Owned by an offshore letterbox company, suspected rogue ISP
>> -is-anonymous-proxy: yes
>> -
>> aut-num: AS60729
>> descr: Zwiebelfreunde e.V.
>> remarks: Tor relay provider
>> @@ -214,12 +187,6 @@ descr: HERN Labs AB
>> remarks: VPN provider [high confidence, but not proofed]
>> is-anonymous-proxy: yes
>>
>> -aut-num: AS206819
>> -descr: ANSON NETWORK LIMITED
>> -remarks: Autonomous System registered to UK letterbox company, traces back through shady ISPs to TW
>> -is-anonymous-proxy: yes
>> -country: TW
>> -
>> aut-num: AS207688
>> descr: DataHome S.A.
>> remarks: VPN provider located in BR [high confidence, but not proofed]
>> @@ -1430,11 +1397,6 @@ descr: Tredinvest LLC / bestwest[.]host
>> remarks: VPN provider or offering similar services [high confidence, but not proofed]
>> is-anonymous-proxy: yes
>>
>> -net: 185.215.113.0/24
>> -descr: 1337TEAM LIMITED / eliteteam[.]to
>> -remarks: Owned by an offshore letterbox company, suspected rogue ISP
>> -is-anonymous-proxy: yes
>> -
>> net: 185.220.100.0/22
>> descr: Zwiebelfreunde e.V. / F3 Netze e.V. / The Calyx Institute
>> remarks: Tor relay provider
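Review bot: The removed `net: 185.215.113.0/24` entry (1337TEAM LIMITED) in this hunk has no counterpart in override-xd.txt, where only the IPv6 prefix `2a10:9700::/29` of the same descr is re-added with `drop: yes`. If the IPv4 /24 is meant to be covered by one of the moved aut-num entries, say so in the commit message; otherwise re-add it to override-xd.txt so the prefix does not silently lose its override.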
>> @@ -1692,11 +1654,6 @@ descr: LogicWeb Inc. / BGRVPN / Private Internet Access / VPNetworks / Cookie
>> remarks: Hijacked AfriNIC IP chunk mostly used by VPN providers
>> is-anonymous-proxy: yes
>>
>> -net: 196.61.192.0/20
>> -descr: Inspiring Networks LTD
>> -remarks: hijacked (?) IP network owned by an offshore company [high confidence, but not proofed]
>> -is-anonymous-proxy: yes
>> -
>> net: 197.221.161.0/24
>> descr: VPNClientPublics
>> remarks: VPN provider
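Review bot: The `net: 196.61.192.0/20` entry (Inspiring Networks LTD) is deleted here and is not re-added in either of the other two files touched by this patch, unlike the other removals. The commit message consists only of the Signed-off-by line, so the reason for dropping the override is not recorded; please add a sentence to the commit message stating why this network no longer needs one.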
>> @@ -2031,8 +1988,3 @@ net: 2c0f:f930::/32
>> descr: Cyberdyne S.A.
>> remarks: Tor relay provider
>> is-anonymous-proxy: yes
>> -
>> -net: 2a10:9700::/29
>> -descr: 1337TEAM LIMITED / eliteteam[.]to
>> -remarks: Owned by an offshore letterbox company, suspected rogue ISP
>> -is-anonymous-proxy: yes
>> diff --git a/overrides/override-other.txt b/overrides/override-other.txt
>> index 7d76534..ca9dbad 100644
>> --- a/overrides/override-other.txt
>> +++ b/overrides/override-other.txt
>> @@ -85,6 +85,11 @@ descr: Tianhai InfoTech
>> remarks: IP hijacker located somewhere in AP, massively tampers with RIR data
>> country: AP
>>
>> +aut-num: AS5408
>> +descr: Greek Research and Technology Network (GRNET) S.A.
>> +remarks: ... located in GR
>> +country: GR
>> +
>> aut-num: AS6134
>> descr: XNNET LLC
>> remarks: traces back to an unknown oversea location (HK?), seems to tamper with RIR data
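Review bot: The new AS5408 entry has `remarks: ... located in GR`, where the leading "..." reads like a placeholder that was never filled in, so the remark does not say what was wrong with the RIR data for this AS. Please replace it with the actual reason for the override; the same pattern appears in the added `net: 91.90.120.0/24` entry further down in this file ("... traces back to CA").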
>> @@ -363,6 +368,11 @@ descr: CNSERVERS LLC
>> remarks: Shady ISP located in US, tampers with RIR data
>> country: US
>>
>> +aut-num: AS41047
>> +descr: MLAB Open Source Community
>> +remarks: traces back to DE
>> +country: DE
>> +
>> aut-num: AS41466
>> descr: Treidinvest LLC
>> remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data
>> @@ -408,6 +418,11 @@ descr: DGN TEKNOLOJI A.S.
>> remarks: ISP located in TR, but many RIR data for announced prefixes contain garbage
>> country: TR
>>
>> +aut-num: AS43092
>> +descr: Kirin Communication Limited
>> +remarks: tampers with RIR data, traces back to AP area
>> +country: AP
>> +
>> aut-num: AS43310
>> descr: TOV "LVS"
>> remarks: ISP located in UA, but some RIR data for announced prefixes contain garbage
>> @@ -498,11 +513,6 @@ descr: LLC Baxet
>> remarks: tampers with RIR data, traces back to RU
>> country: RU
>>
>> -aut-num: AS49447
>> -descr: Nice IT Services Group Inc.
>> -remarks: Rogue ISP located in CH, but some RIR data for announced prefixes contain garbage
>> -country: CH
>> -
>> aut-num: AS49466
>> descr: KLAYER LLC
>> remarks: part of the "Asline" IP hijacking gang, traces back to AP region
>> @@ -748,6 +758,11 @@ descr: NForce Entertainment BV
>> remarks: currently hijacks a single stolen /20 AfriNIC IPv4 net, hosted in NL
>> country: NL
>>
>> +aut-num: AS131685
>> +descr: Sun Network (Hong Kong) Limited
>> +remarks: ISP and/or IP hijacker located somewhere in AP
>> +country: AP
>> +
>> aut-num: AS132369
>> descr: XIANGAO INTERNATIONAL TELECOMMUNICATION LIMITED
>> remarks: ISP located in HK, tampers with RIR data
>> @@ -758,9 +773,14 @@ descr: POWER LINE DATACENTER
>> remarks: ISP and/or IP hijacker located in HK, tampers with RIR data
>> country: HK
>>
>> +aut-num: AS133201
>> +descr: ABCDE GROUP COMPANY LIMITED
>> +remarks: ISP and/or IP hijacker located somewhere in AP
>> +country: AP
>> +
>> aut-num: AS133441
>> descr: CloudITIDC Global
>> -remarks: ISP and/or IP hijacker located somehwere in AP
>> +remarks: ISP and/or IP hijacker located somewhere in AP
>> country: AP
>>
>> aut-num: AS133752
>> @@ -810,7 +830,7 @@ country: AP
>>
>> aut-num: AS136800
>> descr: ICIDC NETWORK
>> -remarks: IP hijacker located somehwere in AP, suspected to be part of the "Asline" IP hijacking gang, tampers with RIR data
>> +remarks: IP hijacker located somewhere in AP, suspected to be part of the "Asline" IP hijacking gang, tampers with RIR data
>> country: AP
>>
>> aut-num: AS136933
>> @@ -923,6 +943,11 @@ descr: Incomparable(HK)Network Co., Limited
>> remarks: ISP and/or IP hijacker located in AP area, tampers with RIR data
>> country: AP
>>
>> +aut-num: AS141746
>> +descr: Orenji Server
>> +remarks: IP hijacker located somewhere in AP area (JP?)
>> +country: AP
>> +
>> aut-num: AS196682
>> descr: FLP Kochenov Aleksej Vladislavovich
>> remarks: ISP located in UA, but RIR data for announced prefixes all say EU
>> @@ -933,11 +958,6 @@ descr: ALEXHOST SRL
>> remarks: ISP located in MD, majority of RIR data for announced prefixes contain garbage, we cannot trust this network
>> country: MD
>>
>> -aut-num: AS200391
>> -descr: KREZ 999 EOOD
>> -remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data
>> -country: BG
>> -
>> aut-num: AS200699
>> descr: Datashield, Inc.
>> remarks: fake offshore location (SC), traces back to NL
>> @@ -1028,6 +1048,11 @@ descr: Genius Guard / Genius Security Ltd.
>> remarks: another shady customer of "DDoS Guard Ltd.", probably located in RU
>> country: RU
>>
>> +aut-num: AS206819
>> +descr: ANSON NETWORK LIMITED
>> +remarks: Autonomous System registered to UK letterbox company, traces back through shady ISPs to TW
>> +country: TW
>> +
>> aut-num: AS206898
>> descr: Server Hosting Pty Ltd
>> remarks: ISP located in NL, but some RIR data for announced prefixes contain garbage
>> @@ -1063,11 +1088,6 @@ descr: Altrosky Technology Ltd.
>> remarks: fake offshore location (SC), traces back to CZ and NL
>> country: EU
>>
>> -aut-num: AS207812
>> -descr: DM AUTO EOOD
>> -remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data
>> -country: BG
>> -
>> aut-num: AS208046
>> descr: Maximilian Kutzner trading as HostSlick
>> remarks: traces back to NL, but some RIR data for announced prefixes contain garbage
>> @@ -1248,6 +1268,11 @@ descr: Sun Network Company Limited
>> remarks: IP hijacker, traces back to AP region
>> country: AP
>>
>> +aut-num: AS328608
>> +descr: Africa on Cloud
>> +remarks: ... for some reason, I doubt a _real_ African ISP would announce solely hijacked prefixes
>> +country: AP
>> +
>> aut-num: AS328703
>> descr: Seven Network Inc.
>> remarks: traces back to ZA
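Review bot: The added AS328608 entry sets `country: AP`, but its remarks line only voices doubt about the network ("... for some reason, I doubt a _real_ African ISP would announce solely hijacked prefixes") and gives no evidence for AP. Neighbouring entries state where the network traces back to; please reword the remark in that style so the country value can be checked later.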
>> @@ -1313,25 +1338,25 @@ descr: Wolverine Trading, LLC
>> remarks: IP hijacker located in US, tampers with RIR data
>> country: US
>>
>> -net: 5.1.68.0/24
>> -descr: GaiacomLC
>> -remarks: routed to DE, inaccurate RIR data
>> -country: DE
>> +net: 5.1.68.0/24
>> +descr: GaiacomLC
>> +remarks: routed to DE, inaccurate RIR data
>> +country: DE
>>
>> -net: 5.1.69.0/24
>> -descr: GaiacomLC
>> -remarks: routed to DE, inaccurate RIR data
>> -country: DE
>> +net: 5.1.69.0/24
>> +descr: GaiacomLC
>> +remarks: routed to DE, inaccurate RIR data
>> +country: DE
>>
>> -net: 5.1.83.0/24
>> -descr: GaiacomLC
>> -remarks: routed to DE, inaccurate RIR data
>> -country: DE
>> +net: 5.1.83.0/24
>> +descr: GaiacomLC
>> +remarks: routed to DE, inaccurate RIR data
>> +country: DE
>>
>> -net: 5.1.88.0/24
>> -descr: GaiacomLC
>> -remarks: routed to DE, inaccurate RIR data
>> -country: DE
>> +net: 5.1.88.0/24
>> +descr: GaiacomLC
>> +remarks: routed to DE, inaccurate RIR data
>> +country: DE
>>
>> net: 5.252.32.0/22
>> descr: StormWall s.r.o.
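Review bot: The four GaiacomLC entries in this hunk are removed and re-added with text that reads the same as shown here, so the change appears to be whitespace or alignment only. Mixing that churn into a batch of content changes makes the diff harder to audit; consider moving it, together with the similar Hornetsecurity GmbH re-add later in this file, into a separate formatting-only commit.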
>> @@ -1413,6 +1438,11 @@ descr: Golden Internet LLC
>> remarks: fake location (KP), WHOIS contact points to RU
>> country: RU
>>
>> +net: 91.90.120.0/24
>> +descr: M247 LTD, Greenland Infrastructure
>> +remarks: ... traces back to CA
>> +country: CA
>> +
>> net: 91.149.194.0/24
>> descr: IP Volume Ltd. / Epik
>> remarks: fake location (CH), traces back to SE
>> @@ -1488,10 +1518,10 @@ descr: Intelcom Group Ltd
>> remarks: fake offshore location (SC), traces back to RU
>> country: RU
>>
>> -net: 185.140.204.0/22
>> -descr: Hornetsecurity GmbH
>> -remarks: all suballocations are used in DE, but are assigned to US
>> -country: DE
>> +net: 185.140.204.0/22
>> +descr: Hornetsecurity GmbH
>> +remarks: all suballocations are used in DE, but are assigned to US
>> +country: DE
>>
>> net: 185.175.93.0/24
>> descr: Perfect Hosting Solutions
>> diff --git a/overrides/override-xd.txt b/overrides/override-xd.txt
>> index 7df6188..29057d9 100644
>> --- a/overrides/override-xd.txt
>> +++ b/overrides/override-xd.txt
>> @@ -26,24 +26,57 @@
>> # Please keep this file sorted.
>> #
>>
>> +aut-num: AS39770
>> +descr: 1337TEAM LIMITED / eliteteam[.]to
>> +remarks: Owned by an offshore letterbox company, suspected rogue ISP
>> +drop: yes
>> +
>> aut-num: AS48090
>> descr: PPTECHNOLOGY LIMITED
>> remarks: bulletproof ISP (related to AS204655) located in NL
>> country: NL
>> drop: yes
>>
>> +aut-num: AS49447
>> +descr: Nice IT Services Group Inc.
>> +remarks: Rogue ISP located in CH, but some RIR data for announced prefixes contain garbage
>> +country: CH
>> +drop: yes
>> +
>> +aut-num: AS51381
>> +descr: 1337TEAM LIMITED / eliteteam[.]to
>> +remarks: Owned by an offshore letterbox company, suspected rogue ISP
>> +country: RU
>> +drop: yes
>> +
>> +aut-num: AS55303
>> +descr: Eagle Sky Co., Lt[d ?]
>> +remarks: Autonomous System registered to offshore company, abuse contact is a freemail address, address says "0 Market Square, P.O. Box 364, Belize", seems to trace to some location in AP vicinity
>> +country: AP
>> +drop: yes
>> +
>> aut-num: AS56611
>> descr: REBA Communications BV
>> remarks: bulletproof ISP (related to AS202425) located in NL
>> country: NL
>> drop: yes
>>
>> +aut-num: AS56873
>> +descr: 1337TEAM LIMITED / eliteteam[.]to
>> +remarks: Owned by an offshore letterbox company, suspected rogue ISP
>> +drop: yes
>> +
>> aut-num: AS57717
>> descr: FiberXpress BV
>> remarks: bulletproof ISP (related to AS202425) located in NL
>> country: NL
>> drop: yes
>>
>> +aut-num: AS60424
>> +descr: 1337TEAM LIMITED / eliteteam[.]to
>> +remarks: Owned by an offshore letterbox company, suspected rogue ISP
>> +drop: yes
>> +
>> aut-num: AS62068
>> descr: SpectraIP B.V.
>> remarks: bulletproof ISP (linked to AS202425 et al.) located in NL
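Review bot: The 1337TEAM LIMITED entries added here (AS39770, AS51381, AS56873, AS60424) now carry `drop: yes` while their remarks still say only "suspected rogue ISP", which was carried over unchanged from override-a1.txt. Since a drop listing has a stronger effect than the previous `is-anonymous-proxy: yes`, the remarks should state what justifies it. Also note that three of the four have no `country:` line while AS51381 has `country: RU`; if that is intentional, a short note in the remarks would help.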
>> @@ -62,6 +95,12 @@ remarks: bulletproof ISP (linked to AS202425 et al.) located in NL
>> country: NL
>> drop: yes
>>
>> +aut-num: AS200391
>> +descr: KREZ 999 EOOD
>> +remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data
>> +country: BG
>> +drop: yes
>> +
>> aut-num: AS202425
>> descr: IP Volume Inc.
>> remarks: bulletproof ISP (aka: AS29073 / Ecatel Ltd. / Quasi Networks Ltd.) located in NL
>> @@ -74,6 +113,12 @@ remarks: bulletproof ISP and IP hijacker, related to AS202425 and AS62355, trace
>> country: NL
>> drop: yes
>>
>> +aut-num: AS207812
>> +descr: DM AUTO EOOD
>> +remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data
>> +country: BG
>> +drop: yes
>> +
>> aut-num: AS204655
>> descr: Novogara Ltd.
>> remarks: bulletproof ISP (strongly linked to AS202425) located in NL
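Review bot: AS207812 is inserted ahead of the existing AS204655 entry in this hunk, which breaks the ordering requested by the file header ("Please keep this file sorted."). Move the AS207812 block below AS204655 so the aut-num entries stay in ascending order.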
>> @@ -85,3 +130,8 @@ descr: Datapacket Maroc SARL
>> remarks: bulletproof ISP (strongly linked to AS202425) located in NL
>> country: NL
>> drop: yes
>> +
>> +net: 2a10:9700::/29
>> +descr: 1337TEAM LIMITED / eliteteam[.]to
>> +remarks: Owned by an offshore letterbox company, suspected rogue ISP
>> +drop: yes
>> --
>> 2.26.2
>