4 # This file contains Autonomous Systems and IP networks strongly believed or proofed to be hostile,
5 # posing a _technical_ threat against libloc users in general and/or IPFire users in particular.
7 # libloc neither was intended to be an "opinionated" database, nor should it become that way. Please
8 # refer to commit 69b3d894fbee6e94afc2a79593f7f6b300b88c10 for the rationale of implementing a special
9 # flag for hostile networks.
11 # Technical threats cover publicly routable network infrastructure solely dedicated or massively abused to
12 # host phishing, malware, C&C servers, non-benign vulnerability scanners, or being used as a "bulletproof"
13 # hosting space for cybercrime infrastructure.
15 # This file should not contain short-lived threats being hosted within legitimate infrastructures, as
16 # libloc it neither intended nor suitable to protect against such threats in a timely manner - by default,
17 # clients download a new database once a week.
19 # Networks posing non-technical threats - i. e. not covered by the definition above - must not be listed
22 # Improvement suggestions are appreciated, please submit them as patches to the location mailing
23 # list. Refer to https://lists.ipfire.org/mailman/listinfo/location and https://wiki.ipfire.org/devel/contact
24 # for further information.
26 # Please keep this file sorted.
31 remarks: part of the "Asline" IP hijacking gang
35 descr: Blue Diamond Network Co., Ltd.
36 remarks: Shady ISP hosting brute-force login attempt machines galore, claims GB or IR for it's prefixes, but they all end up near Vilnius, LT
42 remarks: IP hijacker, traces back to HK
48 remarks: IP hijacker operating out of AP area (HK or TW?)
59 descr: 1337TEAM LIMITED / eliteteam[.]to
60 remarks: Bulletproof ISP
64 descr: Trit Networks, LLC
65 remarks: all cybercrime hosting, all the time
70 descr: Orion Network Limited
71 remarks: shady uplink for a bunch of dirty ISPs, routing stolen AfriNIC networks
76 remarks: all cybercrime hosting, all the time
81 descr: Kirin Communication Limited
82 remarks: Hijacks IP space and tampers with RIR data, traces back to JP
87 descr: OOO SibirInvest
88 remarks: bulletproof ISP (related to AS202425 and AS57717) located in NL
93 descr: STARK INDUSTRIES SOLUTIONS LTD
94 remarks: Rogue ISP in multiple locations, some RIR data contain garbage
98 descr: HUSAM A. H. HIJAZI
99 remarks: Rogue ISP located in NL
104 descr: PPTECHNOLOGY LIMITED
105 remarks: bulletproof ISP (related to AS204655) located in NL
110 descr: GLOBAL COLOCATION LIMITED
111 remarks: Part of the "Fiber Grid" IP hijacking / dirty hosting operation, RIR data cannot be trusted
116 descr: Nice IT Services Group Inc.
122 remarks: Shady ISP (related to AS204655 et al., same postal address) located in NL, but some RIR data for announced prefixes contain garbage
128 remarks: part of the "Asline" IP hijacking gang, traces back to San Jose, CR
133 descr: IT Resheniya LLC
138 descr: 1337TEAM LIMITED / eliteteam[.]to
139 remarks: Bulletproof ISP
144 descr: Netsys Global Telecom Limited (?)
145 remarks: Hijacked AS announced out of some location in AP, possibly HK
151 remarks: ISP and IP hijacker located in US this time, tampers with RIR data
157 remarks: part of the "Asline" IP hijacking gang (?), tampers with RIR data, traces back to HK
162 descr: Eagle Sky Co., Lt[d ?]
163 remarks: Autonomous System registered to offshore company, abuse contact is a freemail address, address says "0 Market Square, P.O. Box 364, Belize", seems to trace to some location in AP vicinity
168 descr: Cloudie Limited
169 remarks: part of the "Asline" IP hijacking gang, tampers with RIR data, traces back to HK
174 descr: L&L Investment Ltd.
175 remarks: another shady customer of "Tamatiya EOOD / 4Vendeta"
180 descr: REBA Communications BV
181 remarks: bulletproof ISP (related to AS202425) located in NL
186 descr: 1337TEAM LIMITED / eliteteam[.]to
187 remarks: Bulletproof ISP
191 descr: LLC South Internet
192 remarks: Bulletproof ISP
196 descr: Chang Way Technologies Co. Limited
197 remarks: Bulletproof ISP
202 descr: FiberXpress BV
203 remarks: bulletproof ISP (related to AS202425) located in NL
208 descr: Inter Connects Inc.
209 remarks: part of a dirty ISP conglomerate operating most likely out of SE, hijacking stolen AfriNIC networks, massively tampers with RIR data
214 descr: Inter Connects Inc.
215 remarks: part of a dirty ISP conglomerate operating most likely out of SE, hijacking stolen AfriNIC networks, massively tampers with RIR data
220 descr: FOP Gubina Lubov Petrivna
221 remarks: bulletproof ISP operating from a war zone in eastern UA
227 remarks: Autonomous System registered to offshore company, abuse contact is a freemail address, seems to trace to some location in AP vicinity
232 descr: 24.hk global BGP
233 remarks: Part of the "ASLINE" IP hijacking operation
243 descr: Vault Dweller OU
244 remarks: bulletproof ISP (related to AS57717) located in NL
254 descr: 1337TEAM LIMITED / eliteteam[.]to
255 remarks: Owned by an offshore letterbox company, suspected rogue ISP
259 descr: Inter Connects Inc. / Jing Yun
260 remarks: part of a dirty ISP conglomerate operating most likely out of SE, hijacking AfriNIC networks
266 remarks: leaf AS with upstream to other dirty hosters, brute-force attacks galore
271 descr: TOV VAIZ PARTNER
276 descr: SpectraIP B.V.
277 remarks: bulletproof ISP (linked to AS202425 et al.) located in NL
282 descr: SKB Enterprise B.V.
283 remarks: bulletproof ISP (linked to AS202425 et al.) located in NL
288 descr: ABCDE GROUP COMPANY LIMITED
289 remarks: ISP and/or IP hijacker located in HK
294 descr: LUOGELANG (FRANCE) LIMITED
295 remarks: Shady ISP located in HK, RIR data for announced prefixes contain garbage, solely announcing "Cloud Innovation Ltd." space - no one will miss it
300 descr: Blue Data Center
301 remarks: IP hijacker located somewhere in AP area, tampers with RIR data
307 remarks: IP hijacker located in HK, suspected to be part of the "Asline" IP hijacking gang, tampers with RIR data
312 descr: Anchnet Asia Limited
313 remarks: IP hijacker located in HK, tampers with RIR data
318 descr: HONGKONG CLOUD NETWORK TECHNOLOGY CO., LIMITED
319 remarks: ISP and IP hijacker located in HK, tampers with RIR data
324 descr: Clayer Limited
325 remarks: part of the "Asline" IP hijacking gang, tampers with RIR data, traces back to HK
330 descr: ASLINE Global Exchange
331 remarks: IP hijacker located in HK
336 descr: SANREN DATA LIMITED
337 remarks: IP hijacker located somewhere in AP region, tampers with RIR data
342 descr: CITIS CLOUD GROUP LIMITED
343 remarks: part of the "Asline" IP hijacking gang, tampers with RIR data
348 descr: Hong Kong Communications International Co., Limited
349 remarks: part of the "Asline" IP hijacking gang, tampers with RIR data, traces back to AP region
354 descr: Incomparable(HK)Network Co., Limited
355 remarks: ISP and IP hijacker located in HK, tampers with RIR data
361 remarks: IP hijacker located somewhere in AP area (JP?)
366 descr: HONGKONG XING TONG HUI TECHNOLOGY CO.,LIMITED
367 remarks: Dirty ISP located in NL
373 remarks: All bulletproof/cybercrime hosting, all the time, not a safe AS to connect to
378 remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data
384 remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data
389 descr: IP Volume Inc.
390 remarks: bulletproof ISP (aka: AS29073 / Ecatel Ltd. / Quasi Networks Ltd.) located in NL
395 descr: NETSTYLE A. LTD
396 remarks: bulletproof ISP and IP hijacker, related to AS202425 and AS62355, traces to NL
401 descr: Global Offshore Limited
402 remarks: part of a dirty ISP conglomerate with links to SE, RIR data of prefixes announced by this AS cannot be trusted
408 remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data
413 descr: Partner LLC / LetHost LLC
414 remarks: Bulletproof ISP
419 remarks: bulletproof ISP (strongly linked to AS202425) located in NL
424 descr: Media Land LLC
425 remarks: bulletproof ISP, see: https://krebsonsecurity.com/2019/07/meet-the-worlds-biggest-bulletproof-hoster/
430 descr: Chang Way Technologies Co. Limited
436 descr: Miti 2000 EOOD
437 remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data
442 descr: Alviva Holding Limited
443 remarks: bulletproof ISP operating from a war zone in eastern UA
448 descr: XHOST INTERNET SOLUTIONS LP
449 remarks: Rogue ISP (linked to AS202425) located in NL
455 remarks: All cybercrime hosting, all the time
460 descr: AEZA GROUP Ltd
461 remarks: In all networks currently propagated by this AS, one is unable to find anything that has even a patina of legitimacy
466 descr: Telkom Internet LTD
467 remarks: Rogue ISP (linked to AS202425) located in NL
472 descr: Tribeka Web Advisors S.A.
473 remarks: Dirty ISP, see individual network entries below
477 descr: ABDILAZIZ UULU ZHUSUP
478 remarks: bulletproof ISP and IP hijacker, traces to RU
484 remarks: Bulletproof Serverion customer in NL, many RIR data for announced prefixes contain garbage
489 descr: Private-Hosting di Cipriano Oscar
490 remarks: Bulletproof combahton GmbH customer in DE
495 descr: Media Land LLC
496 remarks: bulletproof ISP, see: https://krebsonsecurity.com/2019/07/meet-the-worlds-biggest-bulletproof-hoster/
501 descr: Kakharov Orinbassar Maratuly
502 remarks: ISP and IP hijacker located in KZ, many RIR data for announced prefixes contain garbage
507 descr: ROZA HOLIDAYS EOOD
508 remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG
513 descr: BitCommand LLC
514 remarks: Dirty ISP located somewhere in EU, cannot trust RIR data of this network
519 descr: GigaHostingServices OU
520 remarks: Does not appear to host any legitimate infrastructure whatsoever, just mass brute-force login attempts
525 descr: Private Internet Hosting LTD
526 remarks: bulletproof ISP located in RU
531 descr: Alfa Web Solutions Ltd
532 remarks: Rogue ISP (linked to AS57717) located in NL
537 descr: OOO RAIT TELECOM
538 remarks: Bulletproof connectivity procurer for AS51381
543 descr: Sun Network Company Limited
544 remarks: IP hijacker, traces back to AP region
549 descr: Datapacket Maroc SARL
550 remarks: bulletproof ISP (strongly linked to AS202425) located in NL
555 descr: EightJoy Network LLC
556 remarks: Most likely hijacked or criminal AS
562 remarks: ISP located in HK, part of the ASLINE IP hijacking gang (?), tampers with RIR data
568 remarks: ISP located in JP, tampers with RIR data
574 remarks: ISP located in KR, tampers with RIR data
579 descr: INTERNET HOSTSPACE GLOBAL INC
580 remarks: Shady ISP located in US, solely announcing "Cloud Innovation Ltd." space - no one will miss it
585 descr: Academy of Internet Research Limited Liability Company
586 remarks: Mass-scanning, apparently without legitimate intention
591 remarks: Solely announces hijacked prefixes out of JP, no legitimate infrastructure
596 descr: TOV VAIZ PARTNER
597 remarks: Attack network tracing back to NL
602 descr: CHINANET jiangsu province network
603 remarks: Since July 27, 2022, this network conducts mass brute-force attacks galore
607 descr: Media Land LLC / abuse-server[.]su
608 remarks: bulletproof ISP, see: https://krebsonsecurity.com/2019/07/meet-the-worlds-biggest-bulletproof-hoster/
612 descr: Media Land LLC
613 remarks: bulletproof ISP, see: https://krebsonsecurity.com/2019/07/meet-the-worlds-biggest-bulletproof-hoster/
617 descr: TOV VAIZ PARTNER / Perfect Hosting Solutions
618 remarks: Attack network tracing back to NL
623 descr: GIAP BICH NGOC COMMUNICATION COMPANY LIMITED
624 remarks: Brute-force attack network
627 net: 109.206.241.0/24
628 descr: Serverion B.V.
629 remarks: Leased to Neterra, all cybercrime, all the time
633 descr: China Mobile Communications Corporation
634 remarks: Brute-force attack network
638 descr: China Unicom Beijing province network
639 remarks: Brute-force attack network
643 descr: CHINANET Guangdong province network
644 remarks: Brute-force attack network
648 descr: China Education and Research Network
649 remarks: Brute-force attack network
652 net: 123.160.220.0/22
653 descr: CHINANET henan province network
654 remarks: Brute-force attack network
658 descr: Agotoz HK Limited
659 remarks: Brute-force attack network
663 descr: TOV VAIZ PARTNER / InterHost
664 remarks: Attack network tracing back to UA
668 net: 185.196.220.0/24
669 descr: Makut Investments
670 remarks: Brute-force attack network
675 remarks: Based on domains ending up there, this network is entirely malicious
679 descr: Tribeka Web Advisors S.A.
680 remarks: Tampers with RIR data, traces back to NL, not a safe place to route traffic to
685 descr: Tribeka Web Advisors S.A.
686 remarks: Tampers with RIR data, traces back to US, not a safe place to route traffic to
691 descr: Sanlam Life Insurance Limited
692 remarks: Stolen AfriNIC IPv4 space announced from NL?
696 net: 2a0e:b107:17fe::/47
697 descr: Amarai-Network - Location Test @ Antarctic
698 remarks: Tampers with RIR data, not a safe place to route traffic to
701 net: 2a0e:b107:d10::/44
702 descr: NZB.si Enterprises
703 remarks: Tampers with RIR data, not a safe place to route traffic to
707 descr: ASLINE Limited
708 remarks: APNIC chunk owned by a HK-based IP hijacker, but assigned to DE
713 descr: 1337TEAM LIMITED / eliteteam[.]to
714 remarks: Owned by an offshore letterbox company, suspected rogue ISP