public inbox for location@lists.ipfire.org
* [PATCH 1/3] override-other: mitigate tampered RIR data from customers of Tamatiya EOOD / 4Vendeta
@ 2021-04-29 20:05 Peter Müller
From: Peter Müller @ 2021-04-29 20:05 UTC
  To: location

AS50360 has an impressive history of providing IP transit services to
shady Autonomous Systems, and continues to do so. While the number of
prefixes with tampered RIR data announced by AS50360 itself has ceased
within the past years, its customers continue to propagate IP space
with faked country information.

We cannot trust these networks, which is why we pin them on BG
altogether, as they are all hosted in Sofia, Bulgaria:

 1. X
 2. X
 3. AS9002   ae5-10.RT.TLP.SOF.BG.retn.net (87.245.232.164)	<= RETN infrastructure in Telehouse Sofia, BG
 4. AS9002   GW-Tamatiya.retn.net (87.245.240.159)		<= Gateway to Tamatiya / 4Vendeta
 5. AS50360  ip-25-22.4vendeta.com (195.230.25.22)		<= And BOOM goes the dynamite...
 6. (waiting for reply)

 1. X
 2. X
 3. AS???    ge0-3.ams.OTEglobe.net (80.249.208.179)
 4. AS???    62.75.27.82 (62.75.27.82)
 5. AS12713  62.75.3.2 (62.75.3.2)
 6. AS57344  185.148.160.77 (185.148.160.77)
 7. AS50360  ip-25-22.4vendeta.com (195.230.25.22)
 8. (waiting for reply)

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 overrides/override-other.txt | 42 ++++++++++++++++++++++++++++++------
 1 file changed, 36 insertions(+), 6 deletions(-)

diff --git a/overrides/override-other.txt b/overrides/override-other.txt
index 0ec8fa2..f750da0 100644
--- a/overrides/override-other.txt
+++ b/overrides/override-other.txt
@@ -105,8 +105,8 @@ country:	US
 
 aut-num:	AS41466
 descr:		Treidinvest LLC
-remarks:	ISP located in RU, but some RIR data for announced prefixes contain garbage
-country:	RU
+remarks:	another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data
+country:	BG
 
 aut-num:	AS41564
 descr:		Packet Exchange Limited
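
Review bot: the AS41466 entry moves from RU to BG, but the commit message gives no evidence for this AS in particular; both traceroutes end at 195.230.25.22 inside AS50360. The old remark stated the ISP is located in RU, so the message should say what showed that to be wrong, ideally with a trace to a prefix announced by AS41466.
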
@@ -173,6 +173,11 @@ descr:		F.I.H. FORMULA INVESTMENT HOUSE CLEARING LIMITED
 remarks:	claims GR for announced prefixes, but traceroutes dead-end somewhere else in EU
 country:	EU
 
+aut-num:	AS50360
+descr:		Tamatiya EOOD / 4Vendeta
+remarks:	Questionable (at best) ISP located in BG, clients massively tamper with RIR data
+country:	BG
+
 aut-num:	AS51558
 descr:		Smart Telecom S.A.R.L
 remarks:	tampers with RIR data, traces back to RU
@@ -288,6 +293,11 @@ descr:		ALEXHOST SRL
 remarks:	ISP located in MD, majority of RIR data for announced prefixes contain garbage, we cannot trust this network
 country:	MD
 
+aut-num:	AS200391
+descr:		KREZ 999 EOOD
+remarks:	another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data
+country:	BG
+
 aut-num:	AS200699
 descr:		Datashield, Inc.
 remarks:	fake offshore location (SC), traces back to NL
@@ -313,10 +323,10 @@ descr:		FutureNow Incorporated
 remarks:	ISP located in BG, but RIR data for announced prefixes contain garbage
 country:	BG
 
-aut-num:	AS202920
-descr:		DataClub S.A.
-remarks:	another shady customer of "DDoS Guard Ltd."
-country:	RU
+aut-num:	AS202325
+descr:		4Media Ltd.
+remarks:	another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data
+country:	BG
 
 aut-num:	AS202425
 descr:		IP Volume Inc.
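
Review bot: the AS202920 (DataClub S.A.) block removed here reappears unchanged in the next hunk, after Cooperative Investments LLC, so this is a re-sort into numerical order bundled with the new AS202325 entry. The commit message does not mention it; a line saying that AS202920 is only moved would keep a reader from taking the deletion as a dropped override.
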
@@ -333,6 +343,11 @@ descr:		Cooperative Investments LLC
 remarks:	bulletproof ISP and IP hijacker, related to AS202425 and AS62355, traces to NL
 country:	NL
 
+aut-num:	AS202920
+descr:		DataClub S.A.
+remarks:	another shady customer of "DDoS Guard Ltd."
+country:	RU
+
 aut-num:	AS204136
 descr:		Kevin Holly trading as Silent Ghost e.U.
 remarks:	AS run by someone who thinks allocating IP networks to AQ is funny (it is not, kid) :-/
@@ -368,16 +383,31 @@ descr:		Altrosky Technology Ltd.
 remarks:	fake offshore location (SC), traces back to CZ and NL
 country:	EU
 
+aut-num:	AS207812
+descr:		DM AUTO EOOD
+remarks:	another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data
+country:	BG
+
 aut-num:	AS208046
 descr:		Maximilian Kutzner trading as HostSlick
 remarks:	traces back to NL, but some RIR data for announced prefixes contain garbage
 country:	NL
 
+aut-num:	AS208410
+descr:		Internet Hosting Ltd.
+remarks:	another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data
+country:	BG
+
 aut-num:	AS209132
 descr:		Alviva Holding Limited
 remarks:	ISP located in BG, but RIR data for announced prefixes contain garbage
 country:	BG
 
+aut-num:	AS209160
+descr:		Miti 2000 EOOD
+remarks:	another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data
+country:	BG
+
 aut-num:	AS209272
 descr:		Alviva Holding Limited
 remarks:	bulletproof ISP operating from a war zone in eastern UA
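
Review bot: AS207812, AS208410 and AS209160 are added with the same remark as the other Tamatiya customers, yet nothing visible in the patch ties them to AS50360; the two traceroutes in the commit message show AS50360 as the last responding hop, not as transit for any of these ASNs. Suggest adding to the commit message how the customer relationship was established (for example one trace per AS that passes through AS50360), so the BG pin can be re-checked later.
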
-- 
2.26.2

* [PATCH 2/3] override-other: DignusData LLC thinks messing with countries is funny
@ 2021-04-29 20:06 ` Peter Müller
From: Peter Müller @ 2021-04-29 20:06 UTC
  To: location

According to the RIPE database, IP networks announced by AS60412 are located
in Argentina, Belgium, USA, Estonia, United Arab Emirates, and Serbia.

Nothing of that is true. These all trace back to PL:

 1. X
 2. X
 3. X
 4. X
 5. AS3320   80.156.160.126 (80.156.160.126)
 6. AS9002   ae5-9.RT.LIM.WAW.PL.retn.net (87.245.233.46)
 7. AS9002   GW-SkyTech.retn.net (87.245.249.83)
 8. AS201814 r2w.skynode.pl (185.16.37.12)
 9. (no route to host)

 1. X
 2. X
 3. AS???    amsix-200gbps.core1.ams1.he.net (80.249.209.150)
 4. AS6939   100ge0-33.core2.ber1.he.net (184.105.65.18)
 5. AS6939   100ge10-2.core1.waw1.he.net (184.105.65.25)
 6. AS6939   meverywhere-sp-z-o-o.e0-2.switch1.waw1.he.net (216.66.87.22)
 7. AS201814 r2w.skynode.pl (185.16.37.12)
 8. (no route to host)

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 overrides/override-other.txt | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/overrides/override-other.txt b/overrides/override-other.txt
index f750da0..e56a208 100644
--- a/overrides/override-other.txt
+++ b/overrides/override-other.txt
@@ -233,6 +233,11 @@ descr:		Batterflyai Media Ltd.
 remarks:	ISP located in RU, but some RIR data for announced prefixes contain garbage
 country:	RU
 
+aut-num:	AS60412
+descr:		DignusData LLC
+remarks:	ISP located in PL, but _all_ RIR data for announced prefixes contain garbage
+country:	PL
+
 aut-num:	AS60485
 descr:		Inter Connects Inc. / Jing Yun
 remarks:	part of a dirty ISP conglomerate operating most likely out of SE, hijacking AfriNIC networks
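
Review bot: the remark says the ISP is located in PL, but both traceroutes in the commit message stop at AS201814 (r2w.skynode.pl) with "no route to host" and never show a hop inside AS60412. That supports "traces back to PL", the wording other entries in this file use (e.g. "tampers with RIR data, traces back to RU"), more than "located in PL"; consider rewording the remark, or add a trace that reaches AS60412.
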
-- 
2.26.2

* [PATCH 3/3] override-a1: weekly batch of various overrides
@ 2021-04-29 20:06   ` Peter Müller
From: Peter Müller @ 2021-04-29 20:06 UTC
  To: location

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 overrides/override-a1.txt | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/overrides/override-a1.txt b/overrides/override-a1.txt
index bfe480e..06d2d20 100644
--- a/overrides/override-a1.txt
+++ b/overrides/override-a1.txt
@@ -28,6 +28,12 @@ descr:				Maginfo
 remarks:			VPN provider
 is-anonymous-proxy:	yes
 
+aut-num:			AS16255
+descr:				IRIDIUM PROVIDER LTD
+remarks:			VPN provider [high confidence, but not proofed] located in RU
+is-anonymous-proxy:	yes
+country:			RU
+
 aut-num:			AS23762
 descr:				VPNsolutions Pty Ltd
 remarks:			VPN provider
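
Review bot: the AS16255 entry sets country: RU in addition to is-anonymous-proxy, while the neighbouring entries visible in this hunk carry only the proxy flag, and this commit has no message body. Please state what the RU location is based on, as patches 1/3 and 2/3 do with traceroutes, and confirm override-a1.txt is the intended place for a country override rather than override-other.txt.
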
@@ -1136,6 +1142,11 @@ descr:				Wicked Technology Limited
 remarks:			VPN provider [high confidence, but not proofed]
 is-anonymous-proxy:	yes
 
+net:				185.214.164.0/22
+descr:				Tredinvest LLC / bestwest[.]host
+remarks:			VPN provider or offering similar services [high confidence, but not proofed]
+is-anonymous-proxy:	yes
+
 net:				185.220.100.0/22
 descr:				Zwiebelfreunde e.V. / F3 Netze e.V. / The Calyx Institute
 remarks:			Tor relay provider
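
Review bot: the descr for 185.214.164.0/22 spells the company "Tredinvest LLC", whereas the AS41466 entry in override-other.txt touched by patch 1/3 has "Treidinvest LLC". If both refer to the same organisation, use one spelling so the two overrides can be found with a single search; if they are different entities, a word in the remark would help.
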
-- 
2.26.2
