public inbox for location@lists.ipfire.org
From: "Peter Müller" <peter.mueller@ipfire.org>
To: location@lists.ipfire.org
Subject: Re: [PATCH] override-{a[1, 3}, other}: add overrides for Akamai and some AP-based IP hijackers
Date: Mon, 14 Dec 2020 18:58:14 +0000
Message-ID: <99383a69-e54a-d352-2e85-a25c54ed76ce@ipfire.org>
In-Reply-To: <c90d4140-2264-224f-d2c6-2dc04dfe73a0@gmail.com>

Hi Gisle,

>> +net:                45.192.0.0/12
>> +descr:                Cloud Innovation Ltd.
>> +remarks:            hijacked AFRINIC IP chunk owned by an offshore 
>> company,
>> routed to several dirty networks worldwide, cannot tell what is going 
>> on here
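Review bot: The `remarks:` text calls the block "hijacked" and then ends with "cannot tell what is going on here", so the entry records a conclusion that the same line says is unverified. Consider wording the remark around what was actually observed (the block being routed to several unrelated networks) and adding a reference for the AFRINIC status, since `net:` covers a whole /12 and a later maintainer will need a way to re-check whether the override still applies to all of it.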
> 
> Would it be possible to make 'py -3 location lookup' etc.
> return these important 'remarks'? Maybe a '--verbose' lookup
> flag could return this?
> 

While it would certainly be possible to do so in technical terms 
(although it requires some changes to the libloc database format, as 
Michael pointed out), I prefer to not do so:

libloc is not intended to be a reputation database for IP addresses. 
There are more sources available for this purpose than I can list, each 
of them satisfying a different need. One needs to fight spam at the SMTP 
level, another worries about login attempts from infected PCs, and so 
on. One size never fits all.

In retrospect, my remark regarding this network is therefore 
misguiding. Personally, I strongly recommend against accepting any 
traffic from or to (!) IP space owned by "Cloud Innovation Ltd." et al., 
but libloc should not reflect that.

Our override policies - if I may put it that way - are explained at the 
beginning of each override file. While it is impossible to assign 
45.192.0.0/12 a different and more meaningful country code than SC 
(Seychelles) due to the fact that some chunks _are_ correctly flagged, 
flagging it as a source for anonymous traffic seems to be justified.

Needless to say, there are good reasons to let an offshore letterbox 
company run a business, especially when it comes to hosting high-risk 
content (positive examples are investigative journalism and 
whistle-blowing, while we are all aware of the negative ones). "Cloud 
Innovation Ltd." strongly reminds me of an ongoing AFRINIC IP hijacking 
operation similar to these:

- https://mybroadband.co.za/news/internet/330379-how-internet-resources-worth-r800-million-were-stolen-and-sold-on-the-black-market.html
- https://mybroadband.co.za/news/internet/318205-the-big-south-african-ip-address-heist-how-millions-are-made-on-the-grey-market.html

IP address space owned by them is a virtual no man's land. Do not 
process any traffic related to it, but please do not rely on libloc to 
provide you with a list of such IP networks or Autonomous Systems.

Something like Spamhaus DROP (https://www.spamhaus.org/drop/) might be a 
better choice - these lists are explicitly compiled and provided for a 
"drop all traffic" purpose.

Thanks, and best regards,
Peter Müller
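
Added example, not part of the original message and not libloc or Spamhaus code: a check of both endpoints of a connection against a DROP-style list, matching the "from or to" advice above. It assumes the classic DROP text layout (one `CIDR ; reference` entry per line, `;` starting a comment); the list contents and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in DROP text layout. These entries are illustrative
# placeholders, not real Spamhaus data.
SAMPLE_DROP = """\
; Constructed sample, not real Spamhaus data
192.0.2.0/24 ; SBL-PLACEHOLDER-1
198.51.100.0/24 ; SBL-PLACEHOLDER-2
45.192.0.0/12 ; local addition: network named in this thread
not-a-network ; malformed line
"""

def parse_drop(text):
    """Return (networks, rejected_entries) from a DROP-style text list."""
    networks, rejected = [], []
    for line in text.splitlines():
        entry = line.split(";", 1)[0].strip()
        if not entry:
            continue  # comment-only or blank line
        try:
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError:
            # Report malformed entries so a truncated or corrupted
            # download is noticed instead of silently shrinking the list.
            rejected.append(entry)
    return networks, rejected

def matching_network(addr, networks):
    """Most specific listed network containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    hits = [n for n in networks if n.version == ip.version and ip in n]
    return max(hits, key=lambda n: n.prefixlen, default=None)

def verdict(src, dst, networks):
    """Drop when either endpoint is listed, not only the source."""
    for role, addr in (("src", src), ("dst", dst)):
        net = matching_network(addr, networks)
        if net is not None:
            return ("drop", role, str(net))
    return ("accept", None, None)
```
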

Thread overview: 4+ messages
2020-12-13 12:44 Peter Müller
2020-12-13 17:37 ` Gisle Vanem
2020-12-14  8:58   ` Michael Tremer
2020-12-14 18:58   ` Peter Müller [this message]