From: Peter Müller
To: location@lists.ipfire.org
Subject: Re: [PATCH] override-{a1,other,xd}: Regular batch of various overrides
Date: Fri, 10 Dec 2021 10:36:29 +0100
Message-ID: <2c338278-0411-103c-5d0c-71abff2f42c8@ipfire.org>

Hello Michael,

thanks for your reply.

No, they are all still alive and kicking, but fit the "XD" category better. Some of them, to the best of my knowledge, recently stopped using proxy/VPN services, so I removed them from the A1 override file for improved accuracy.

Thanks, and best regards,
Peter Müller

> Thank you. Merged.
>
> All those networks that were removed, did they just cease to exist?
>
> -Michael
>
>> On 10 Dec 2021, at 07:07, Peter Müller wrote:
>>
>> Signed-off-by: Peter Müller
>> ---
>> overrides/override-a1.txt | 48 ----------------
>> overrides/override-other.txt | 104 ++++++++++++++++++++++-------------
>> overrides/override-xd.txt | 50 +++++++++++++++++
>> 3 files changed, 117 insertions(+), 85 deletions(-)
>>
>> diff --git a/overrides/override-a1.txt b/overrides/override-a1.txt >> index 5734c08..5fce4d9 100644 >> --- a/overrides/override-a1.txt >> +++ b/overrides/override-a1.txt >> @@ -82,11 +82,6 @@ descr: Asiamax Ltd. VPN >> remarks: VPN provider >> is-anonymous-proxy: yes >> >> -aut-num: AS39770 >> -descr: 1337TEAM LIMITED / eliteteam[.]to >> -remarks: Owned by an offshore letterbox company, suspected rogue ISP >> -is-anonymous-proxy: yes >> - >> aut-num: AS43233 >> descr: VPS 404 Ltd. >> remarks: VPN provider [high confidence, but not proofed] located in ES
>> @@ -114,12 +109,6 @@ descr: BeeVPN ApS >> remarks: VPN provider >> is-anonymous-proxy: yes >> >> -aut-num: AS51381 >> -descr: 1337TEAM LIMITED / eliteteam[.]to >> -remarks: Owned by an offshore letterbox company, suspected rogue ISP >> -is-anonymous-proxy: yes >> -country: RU >> - >> aut-num: AS51446 >> descr: SP Argaev Artem Sergeyevich / Foundation Respect My Privacy >> remarks: VPN provider [high confidence, but not proofed] >> @@ -142,17 +131,6 @@ remarks: Tor relay and VPN provider, traces back to= SE [high confidence, but n >> is-anonymous-proxy: yes >> country: SE >> >> -aut-num: AS55303 >> -descr: Eagle Sky Co., Lt[d ?] >> -remarks: Autonomous System registered to offshore company, abuse contac= t is a freemail address, address says "0 Market Square, P.O. Box 364, Belize"= , seems to trace to some location in AP vicinity >> -is-anonymous-proxy: yes >> -country: AP >> - >> -aut-num: AS56873 >> -descr: 1337TEAM LIMITED / eliteteam[.]to >> -remarks: Owned by an offshore letterbox company, suspected rogue ISP >> -is-anonymous-proxy: yes >> - >> aut-num: AS58110 >> descr: IP Volume Ltd. / Epik >> remarks: Shady Autonomous System registered to letterbox company, possib= ly copycat operation of Epik registrar, many prefixes announced refer to "ano= nymize" infrastructure >> @@ -168,11 +146,6 @@ descr: Geotelco Limited >> remarks: VPN provider [high confidence, but not proofed] >> is-anonymous-proxy: yes >> >> -aut-num: AS60424 >> -descr: 1337TEAM LIMITED / eliteteam[.]to >> -remarks: Owned by an offshore letterbox company, suspected rogue ISP >> -is-anonymous-proxy: yes >> - >> aut-num: AS60729 >> descr: Zwiebelfreunde e.V. >> remarks: Tor relay provider 
>> @@ -214,12 +187,6 @@ descr: HERN Labs AB >> remarks: VPN provider [high confidence, but not proofed] >> is-anonymous-proxy: yes >> >> -aut-num: AS206819 >> -descr: ANSON NETWORK LIMITED >> -remarks: Autonomous System registered to UK letterbox company, traces b= ack through shady ISPs to TW >> -is-anonymous-proxy: yes >> -country: TW >> - >> aut-num: AS207688 >> descr: DataHome S.A. >> remarks: VPN provider located in BR [high confidence, but not proofed] >> @@ -1430,11 +1397,6 @@ descr: Tredinvest LLC / bestwest[.]host >> remarks: VPN provider or offering similar services [high confidence, but= not proofed] >> is-anonymous-proxy: yes >> >> -net: 185.215.113.0/24 >> -descr: 1337TEAM LIMITED / eliteteam[.]to >> -remarks: Owned by an offshore letterbox company, suspected rogue ISP >> -is-anonymous-proxy: yes >> - >> net: 185.220.100.0/22 >> descr: Zwiebelfreunde e.V. / F3 Netze e.V. / The Calyx Institute >> remarks: Tor relay provider >> @@ -1692,11 +1654,6 @@ descr: LogicWeb Inc. / BGRVPN / Private Internet= Access / VPNetworks / Cookie >> remarks: Hijacked AfriNIC IP chunk mostly used by VPN providers >> is-anonymous-proxy: yes >> >> -net: 196.61.192.0/20 >> -descr: Inspiring Networks LTD >> -remarks: hijacked (?) IP network owned by an offshore company [high con= fidence, but not proofed] >> -is-anonymous-proxy: yes >> - >> net: 197.221.161.0/24 >> descr: VPNClientPublics >> remarks: VPN provider >> @@ -2031,8 +1988,3 @@ net: 2c0f:f930::/32 >> descr: Cyberdyne S.A. >> remarks: Tor relay provider >> is-anonymous-proxy: yes >> - >> -net: 2a10:9700::/29 >> -descr: 1337TEAM LIMITED / eliteteam[.]to >> -remarks: Owned by an offshore letterbox company, suspected rogue ISP >> -is-anonymous-proxy: yes >> diff --git a/overrides/override-other.txt b/overrides/override-other.txt >> index 7d76534..ca9dbad 100644 >> --- a/overrides/override-other.txt >> +++ b/overrides/override-other.txt 
>> @@ -85,6 +85,11 @@ descr: Tianhai InfoTech >> remarks: IP hijacker located somewhere in AP, massively tampers with RIR d= ata >> country: AP >> >> +aut-num: AS5408 >> +descr: Greek Research and Technology Network (GRNET) S.A. >> +remarks: ... located in GR >> +country: GR >> + >> aut-num: AS6134 >> descr: XNNET LLC >> remarks: traces back to an unknown oversea location (HK?), seems to tamper= with RIR data >> @@ -363,6 +368,11 @@ descr: CNSERVERS LLC >> remarks: Shady ISP located in US, tampers with RIR data >> country: US >> >> +aut-num: AS41047 >> +descr: MLAB Open Source Community >> +remarks: traces back to DE >> +country: DE >> + >> aut-num: AS41466 >> descr: Treidinvest LLC >> remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in = BG, tampers with RIR data >> @@ -408,6 +418,11 @@ descr: DGN TEKNOLOJI A.S. >> remarks: ISP located in TR, but many RIR data for announced prefixes conta= in garbage >> country: TR >> >> +aut-num: AS43092 >> +descr: Kirin Communication Limited >> +remarks: tampers with RIR data, traces back to AP area >> +country: AP >> + >> aut-num: AS43310 >> descr: TOV "LVS" >> remarks: ISP located in UA, but some RIR data for announced prefixes conta= in garbage >> @@ -498,11 +513,6 @@ descr: LLC Baxet >> remarks: tampers with RIR data, traces back to RU >> country: RU >> >> -aut-num: AS49447 >> -descr: Nice IT Services Group Inc. >> -remarks: Rogue ISP located in CH, but some RIR data for announced prefixe= s contain garbage >> -country: CH >> - >> aut-num: AS49466 >> descr: KLAYER LLC >> remarks: part of the "Asline" IP hijacking gang, traces back to AP region 
>> @@ -748,6 +758,11 @@ descr: NForce Entertainment BV >> remarks: currently hijacks a single stolen /20 AfriNIC IPv4 net, hosted in= NL >> country: NL >> >> +aut-num: AS131685 >> +descr: Sun Network (Hong Kong) Limited >> +remarks: ISP and/or IP hijacker located somewhere in AP >> +country: AP >> + >> aut-num: AS132369 >> descr: XIANGAO INTERNATIONAL TELECOMMUNICATION LIMITED >> remarks: ISP located in HK, tampers with RIR data >> @@ -758,9 +773,14 @@ descr: POWER LINE DATACENTER >> remarks: ISP and/or IP hijacker located in HK, tampers with RIR data >> country: HK >> >> +aut-num: AS133201 >> +descr: ABCDE GROUP COMPANY LIMITED >> +remarks: ISP and/or IP hijacker located somewhere in AP >> +country: AP >> + >> aut-num: AS133441 >> descr: CloudITIDC Global >> -remarks: ISP and/or IP hijacker located somehwere in AP >> +remarks: ISP and/or IP hijacker located somewhere in AP >> country: AP >> >> aut-num: AS133752 >> @@ -810,7 +830,7 @@ country: AP >> >> aut-num: AS136800 >> descr: ICIDC NETWORK >> -remarks: IP hijacker located somehwere in AP, suspected to be part of the= "Asline" IP hijacking gang, tampers with RIR data >> +remarks: IP hijacker located somewhere in AP, suspected to be part of the= "Asline" IP hijacking gang, tampers with RIR data >> country: AP >> >> aut-num: AS136933 >> @@ -923,6 +943,11 @@ descr: Incomparable(HK)Network Co., Limited >> remarks: ISP and/or IP hijacker located in AP area, tampers with RIR data >> country: AP >> >> +aut-num: AS141746 >> +descr: Orenji Server >> +remarks: IP hijacker located somewhere in AP area (JP?) >> +country: AP >> + >> aut-num: AS196682 >> descr: FLP Kochenov Aleksej Vladislavovich >> remarks: ISP located in UA, but RIR data for announced prefixes all say EU 
>> @@ -933,11 +958,6 @@ descr: ALEXHOST SRL >> remarks: ISP located in MD, majority of RIR data for announced prefixes co= ntain garbage, we cannot trust this network >> country: MD >> >> -aut-num: AS200391 >> -descr: KREZ 999 EOOD >> -remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in= BG, tampers with RIR data >> -country: BG >> - >> aut-num: AS200699 >> descr: Datashield, Inc. >> remarks: fake offshore location (SC), traces back to NL >> @@ -1028,6 +1048,11 @@ descr: Genius Guard / Genius Security Ltd. >> remarks: another shady customer of "DDoS Guard Ltd.", probably located in = RU >> country: RU >> >> +aut-num: AS206819 >> +descr: ANSON NETWORK LIMITED >> +remarks: Autonomous System registered to UK letterbox company, traces bac= k through shady ISPs to TW >> +country: TW >> + >> aut-num: AS206898 >> descr: Server Hosting Pty Ltd >> remarks: ISP located in NL, but some RIR data for announced prefixes conta= in garbage >> @@ -1063,11 +1088,6 @@ descr: Altrosky Technology Ltd. >> remarks: fake offshore location (SC), traces back to CZ and NL >> country: EU >> >> -aut-num: AS207812 >> -descr: DM AUTO EOOD >> -remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in= BG, tampers with RIR data >> -country: BG >> - >> aut-num: AS208046 >> descr: Maximilian Kutzner trading as HostSlick >> remarks: traces back to NL, but some RIR data for announced prefixes conta= in garbage >> @@ -1248,6 +1268,11 @@ descr: Sun Network Company Limited >> remarks: IP hijacker, traces back to AP region >> country: AP >> >> +aut-num: AS328608 >> +descr: Africa on Cloud >> +remarks: ... for some reason, I doubt a _real_ African ISP would announce= solely hijacked prefixes >> +country: AP >> + >> aut-num: AS328703 >> descr: Seven Network Inc. >> remarks: traces back to ZA 
>> @@ -1313,25 +1338,25 @@ descr: Wolverine Trading, LLC >> remarks: IP hijacker located in US, tampers with RIR data >> country: US >> >> -net: 5.1.68.0/24 >> -descr: GaiacomLC >> -remarks: routed to DE, inaccurate RIR data >> -country: DE >> +net: 5.1.68.0/24 >> +descr: GaiacomLC >> +remarks: routed to DE, inaccurate RIR data >> +country: DE >> >> -net: 5.1.69.0/24 >> -descr: GaiacomLC >> -remarks: routed to DE, inaccurate RIR data >> -country: DE >> +net: 5.1.69.0/24 >> +descr: GaiacomLC >> +remarks: routed to DE, inaccurate RIR data >> +country: DE >> >> -net: 5.1.83.0/24 >> -descr: GaiacomLC >> -remarks: routed to DE, inaccurate RIR data >> -country: DE >> +net: 5.1.83.0/24 >> +descr: GaiacomLC >> +remarks: routed to DE, inaccurate RIR data >> +country: DE >> >> -net: 5.1.88.0/24 >> -descr: GaiacomLC >> -remarks: routed to DE, inaccurate RIR data >> -country: DE >> +net: 5.1.88.0/24 >> +descr: GaiacomLC >> +remarks: routed to DE, inaccurate RIR data >> +country: DE >> >> net: 5.252.32.0/22 >> descr: StormWall s.r.o. >> @@ -1413,6 +1438,11 @@ descr: Golden Internet LLC >> remarks: fake location (KP), WHOIS contact points to RU >> country: RU >> >> +net: 91.90.120.0/24 >> +descr: M247 LTD, Greenland Infrastructure >> +remarks: ... traces back to CA >> +country: CA >> + >> net: 91.149.194.0/24 >> descr: IP Volume Ltd. / Epik >> remarks: fake location (CH), traces back to SE >> @@ -1488,10 +1518,10 @@ descr: Intelcom Group Ltd >> remarks: fake offshore location (SC), traces back to RU >> country: RU >> >> -net: 185.140.204.0/22 >> -descr: Hornetsecurity GmbH >> -remarks: all suballocations are used in DE, but are assigned to US >> -country: DE >> +net: 185.140.204.0/22 >> +descr: Hornetsecurity GmbH >> +remarks: all suballocations are used in DE, but are assigned to US >> +country: DE >> >> net: 185.175.93.0/24 >> descr: Perfect Hosting Solutions >> diff --git a/overrides/override-xd.txt b/overrides/override-xd.txt >> index 7df6188..29057d9 100644 
>> --- a/overrides/override-xd.txt >> +++ b/overrides/override-xd.txt >> @@ -26,24 +26,57 @@ >> # Please keep this file sorted. >> # >> >> +aut-num: AS39770 >> +descr: 1337TEAM LIMITED / eliteteam[.]to >> +remarks: Owned by an offshore letterbox company, suspected rogue ISP >> +drop: yes >> + >> aut-num: AS48090 >> descr: PPTECHNOLOGY LIMITED >> remarks: bulletproof ISP (related to AS204655) located in NL >> country: NL >> drop: yes >> >> +aut-num: AS49447 >> +descr: Nice IT Services Group Inc. >> +remarks: Rogue ISP located in CH, but some RIR data for announced prefixe= s contain garbage >> +country: CH >> +drop: yes >> + >> +aut-num: AS51381 >> +descr: 1337TEAM LIMITED / eliteteam[.]to >> +remarks: Owned by an offshore letterbox company, suspected rogue ISP >> +country: RU >> +drop: yes >> + >> +aut-num: AS55303 >> +descr: Eagle Sky Co., Lt[d ?] >> +remarks: Autonomous System registered to offshore company, abuse contact = is a freemail address, address says "0 Market Square, P.O. Box 364, Belize", = seems to trace to some location in AP vicinity >> +country: AP >> +drop: yes >> + >> aut-num: AS56611 >> descr: REBA Communications BV >> remarks: bulletproof ISP (related to AS202425) located in NL >> country: NL >> drop: yes >> >> +aut-num: AS56873 >> +descr: 1337TEAM LIMITED / eliteteam[.]to >> +remarks: Owned by an offshore letterbox company, suspected rogue ISP >> +drop: yes >> + >> aut-num: AS57717 >> descr: FiberXpress BV >> remarks: bulletproof ISP (related to AS202425) located in NL >> country: NL >> drop: yes >> >> +aut-num: AS60424 >> +descr: 1337TEAM LIMITED / eliteteam[.]to >> +remarks: Owned by an offshore letterbox company, suspected rogue ISP >> +drop: yes >> + >> aut-num: AS62068 >> descr: SpectraIP B.V. >> remarks: bulletproof ISP (linked to AS202425 et al.) located in NL 
>> @@ -62,6 +95,12 @@ remarks: bulletproof ISP (linked to AS202425 et al.) lo= cated in NL >> country: NL >> drop: yes >> >> +aut-num: AS200391 >> +descr: KREZ 999 EOOD >> +remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in= BG, tampers with RIR data >> +country: BG >> +drop: yes >> + >> aut-num: AS202425 >> descr: IP Volume Inc. >> remarks: bulletproof ISP (aka: AS29073 / Ecatel Ltd. / Quasi Networks Ltd.= ) located in NL >> @@ -74,6 +113,12 @@ remarks: bulletproof ISP and IP hijacker, related to A= S202425 and AS62355, trace >> country: NL >> drop: yes >> >> +aut-num: AS207812 >> +descr: DM AUTO EOOD >> +remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in= BG, tampers with RIR data >> +country: BG >> +drop: yes >> + >> aut-num: AS204655 >> descr: Novogara Ltd. >> remarks: bulletproof ISP (strongly linked to AS202425) located in NL >> @@ -85,3 +130,8 @@ descr: Datapacket Maroc SARL >> remarks: bulletproof ISP (strongly linked to AS202425) located in NL >> country: NL >> drop: yes >> + >> +net: 2a10:9700::/29 >> +descr: 1337TEAM LIMITED / eliteteam[.]to >> +remarks: Owned by an offshore letterbox company, suspected rogue ISP >> +drop: yes
>> -- 
>> 2.26.2
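
Review bot: In overrides/override-a1.txt, the removals of net 185.215.113.0/24 (hunk @@ -1430,11 +1397,6 @@) and net 196.61.192.0/20 (hunk @@ -1692,11 +1654,6 @@) have no counterpart in the visible hunks of override-xd.txt or override-other.txt, unlike the removed aut-num entries and 2a10:9700::/29, which reappear with "drop: yes". The commit message has no body, so a reader of the history cannot tell whether these two prefixes are meant to lose their override entirely or are considered covered by the AS-level entries. Please state that in the commit message, or re-add the prefixes in the file where they now belong.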
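
Review bot: The remarks added for AS5408 in overrides/override-other.txt (hunk @@ -85,6 +85,11 @@) begin with a literal "..." ("remarks: ... located in GR"), which reads like an unfinished placeholder; the same pattern appears in the added 91.90.120.0/24 entry ("remarks: ... traces back to CA", hunk @@ -1413,6 +1438,11 @@). Every neighbouring entry gives a complete reason for the override, so either spell out what the ellipsis stands for or drop it.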
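
Review bot: The new AS328608 entry in overrides/override-other.txt (hunk @@ -1248,6 +1268,11 @@) sets "country: AP", but its remarks only say why the registered location is doubted, not where the network traces to. Adjacent entries document the basis for the chosen country (for example "IP hijacker, traces back to AP region"). Please add the same kind of statement here so the AP assignment can be re-checked later.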
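
Review bot: In overrides/override-other.txt, hunk @@ -1313,25 +1338,25 @@ (5.1.68.0/24, 5.1.69.0/24, 5.1.83.0/24, 5.1.88.0/24) and hunk @@ -1488,10 +1518,10 @@ (185.140.204.0/22) remove and re-add entries whose visible text is identical, so these look like whitespace-only changes. Mixed into a batch that moves entries between categories, they make the functional changes harder to audit. Consider splitting them into a separate cleanup commit, or at least mention the whitespace normalisation in the commit message.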
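
Review bot: In overrides/override-xd.txt, hunk @@ -26,24 +26,57 @@, the added entries AS39770, AS56873 and AS60424 carry no "country:" line, while AS51381 with the same descr has "country: RU" and every context entry in this hunk has a country as well. If the omission is deliberate because the location is unknown, a short note in the remarks would make that explicit; otherwise add the country for consistency with the rest of the file.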
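
Review bot: In overrides/override-xd.txt, hunk @@ -74,6 +113,12 @@, the new AS207812 entry is inserted ahead of the existing AS204655 entry, which breaks the ascending AS order the file header asks for ("# Please keep this file sorted."). Move the AS207812 block after AS204655, at the position where it sorts numerically among the following entries.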