Peter Müller [Thu, 3 Jun 2021 14:02:26 +0000 (16:02 +0200)]
overrides-{a{1,3},other}: regular batch of various overrides
Including location pinning for various LeaseWeb AS, as their customers
seem to tamper with RIR data a lot. Fortunately for us, they use one AS
per PoP, so we can trace back locations quite easily. :-)
AS209242 is especially - um - interesting. Given Cloudflare's nature, it
is impossible to tell where these shady prefixes announced by it are
located. Most of them point to letterbox companies, hosting questionable
services at best.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Thu, 29 Apr 2021 20:06:33 +0000 (22:06 +0200)]
override-other: DignusData LLC thinks messing with countries is funny
According to the RIPE database, IP networks announced by AS60412 are located
in Argentina, Belgium, USA, Estonia, United Arab Emirates, and Serbia.
Nothing of that is true. These all trace back to PL:
1. X
2. X
3. X
4. X
5. AS3320 80.156.160.126 (80.156.160.126)
6. AS9002 ae5-9.RT.LIM.WAW.PL.retn.net (87.245.233.46)
7. AS9002 GW-SkyTech.retn.net (87.245.249.83)
8. AS201814 r2w.skynode.pl (185.16.37.12)
9. (no route to host)

1. X
2. X
3. AS??? amsix-200gbps.core1.ams1.he.net (80.249.209.150)
4. AS6939 100ge0-33.core2.ber1.he.net (184.105.65.18)
5. AS6939 100ge10-2.core1.waw1.he.net (184.105.65.25)
6. AS6939 meverywhere-sp-z-o-o.e0-2.switch1.waw1.he.net (216.66.87.22)
7. AS201814 r2w.skynode.pl (185.16.37.12)
8. (no route to host)
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Thu, 29 Apr 2021 20:05:53 +0000 (22:05 +0200)]
override-other: mitigate tampered RIR data from customers of Tamatiya EOOD / 4Vendeta
AS50360 has an impressive history on providing IP transit services to
shady Autonomous Systems, and continues to do so. While the amount of
prefixes with tampered RIR data announced by AS50360 itself has ceased
within the past years, its customers continue to propagate IP space
with faked country information.
We cannot trust these networks, which is why we pin them on BG
altogether, as they are all hosted in Sofia, Bulgaria:
1. X
2. X
3. AS9002 ae5-10.RT.TLP.SOF.BG.retn.net (87.245.232.164) <= RETN infrastructure in Telehouse Sofia, BG
4. AS9002 GW-Tamatiya.retn.net (87.245.240.159) <= Gateway to Tamatiya / 4Vendeta
5. AS50360 ip-25-22.4vendeta.com (195.230.25.22) <= And BOOM goes the dynamite...
6. (waiting for reply)

1. X
2. X
3. AS??? ge0-3.ams.OTEglobe.net (80.249.208.179)
4. AS??? 62.75.27.82 (62.75.27.82)
5. AS12713 62.75.3.2 (62.75.3.2)
6. AS57344 185.148.160.77 (185.148.160.77)
7. AS50360 ip-25-22.4vendeta.com (195.230.25.22)
8. (waiting for reply)
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
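
The hop listings quoted in the two override-other commit messages above share one line format. The following is an added example, not code from the IPFire repository or from the commit authors: it parses such a listing and compares the country label in RETN-style router names with the countries the registry lists. The function names, the label-position rule and the ISO code mapping of the country names are assumptions.

```python
import re

# Hop lines copied from the first AS60412 trace quoted above ("X" = hop not shown).
TRACE = """\
1. X
2. X
3. X
4. X
5. AS3320 80.156.160.126 (80.156.160.126)
6. AS9002 ae5-9.RT.LIM.WAW.PL.retn.net (87.245.233.46)
7. AS9002 GW-SkyTech.retn.net (87.245.249.83)
8. AS201814 r2w.skynode.pl (185.16.37.12)
9. (no route to host)
"""
# Countries the commit message says RIPE lists for these networks, as ISO codes.
CLAIMED = {"AR", "BE", "US", "EE", "AE", "RS"}

HOP = re.compile(r"^\s*(\d+)\.\s+AS(\d+|\?+)\s+(\S+)\s+\(([\d.]+)\)")

def country_hint(host):
    """Assumption: an upper-case two-letter label directly left of the operator
    domain (RETN style, e.g. WAW.PL.retn.net) names the router's country."""
    labels = host.split(".")
    if len(labels) >= 4 and re.fullmatch(r"[A-Z]{2}", labels[-3]):
        return labels[-3]
    return None

def parse_hops(text):
    """Return responding hops; 'X' and '(no route to host)' lines are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP.match(line)
        if m:
            ttl, asn, host, ip = m.groups()
            hops.append({"ttl": int(ttl), "asn": int(asn) if asn.isdigit() else None,
                         "host": host, "ip": ip, "cc": country_hint(host)})
    return hops

def audit(text, claimed):
    """Compare the last country hint on the path with the registry's claims."""
    hops = parse_hops(text)
    hinted = [h for h in hops if h["cc"]]
    last = hinted[-1] if hinted else None
    return {
        "last_asn": hops[-1]["asn"] if hops else None,   # last AS that answered
        "path_cc": last["cc"] if last else None,         # country of last labelled router
        "hops_after_hint": len([h for h in hops if last and h["ttl"] > last["ttl"]]),
        "mismatch": bool(last) and last["cc"] not in claimed,
    }
```

A non-zero `hops_after_hint` means the labelled router is a transit hop in front of the destination, so the result is supporting evidence for an override rather than proof of the final location.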
Peter Müller [Sat, 20 Mar 2021 20:17:12 +0000 (20:17 +0000)]
add overrides for dirty ISP conglomerate "Inter Connects Inc. & friends"
AS owned by a couple of letterbox companies in London (most notably
Inter Connects Inc. and Packet Exchange Ltd.) were found to tamper
massively with RIR data of prefixes they own or announce. Aside from
that, these AS are currently hijacking AfriNIC chunks widely believed as
being stolen - plus hosting some cybercrime stuff for good measure.
Except for AS63119, all of these networks show strong links to Sweden,
while some traceroutes dead-end at other places in Europe. As a
consequence, we cannot trust the country information published by this
actor, generously overriding them to limit damage to IPFire location
database users.
The author strongly recommends against accepting any traffic from or to
these networks (some of them have ASN-DROP listings at Spamhaus indeed),
but this aspect is out of scope for the IPFire location database. Just
mentioning it here for the sake of completeness. :-)
In addition, this patch features some IPv4 networks apparently operated
by VPN providers in US - being shady as well, just saying.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>