From 45c894f2dd4f3875af4d3e80e3810d8436265e64 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Peter=20M=C3=BCller?= Date: Sat, 9 Jul 2022 19:19:37 +0000 Subject: [PATCH] override-{a1,a3,other,xd}: Regular batch of various overrides MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Signed-off-by: Peter Müller --- overrides/override-a1.txt | 15 ++-- overrides/override-a3.txt | 5 ++ overrides/override-other.txt | 136 +++++++++++++++++++++++++++-------- overrides/override-xd.txt | 100 ++++++++++++++++++++++---- 4 files changed, 208 insertions(+), 48 deletions(-) diff --git a/overrides/override-a1.txt b/overrides/override-a1.txt index 1ebf645..f56d3b6 100644 --- a/overrides/override-a1.txt +++ b/overrides/override-a1.txt @@ -25,7 +25,7 @@ # aut-num: AS4224 -descr: The Calyx Institue +name: The Calyx Institue remarks: Tor relay provider is-anonymous-proxy: yes @@ -152,7 +152,7 @@ remarks: Tor relay provider is-anonymous-proxy: yes aut-num: AS62744 -descr: Quintex Alliance Consulting +name: Quintex Alliance Consulting remarks: Tor relay provider is-anonymous-proxy: yes @@ -690,11 +690,6 @@ descr: Secure Internet Limited remarks: VPN provider is-anonymous-proxy: yes -net: 45.231.206.0/23 -descr: SENTRIGLOBAL LTD -remarks: VPN provider [high confidence, but not proofed] -is-anonymous-proxy: yes - net: 46.36.200.0/22 descr: IAPS Security Services, L.L.C. remarks: VPN provider, see also: https://krebsonsecurity.com/2019/08/the-rise-of-bulletproof-residential-networks/ @@ -1332,6 +1327,12 @@ descr: NordVPN remarks: VPN provider is-anonymous-proxy: yes +net: 179.60.147.0/24 +descr: Cloud Solutions S.A. +remarks: Attack network, rogue VPN operator? +is-anonymous-proxy: yes +drop: yes + net: 179.61.220.0/24 descr: GZ Systems Limited / PureVPN remarks: VPN provider diff --git a/overrides/override-a3.txt b/overrides/override-a3.txt index 2d607c8..b36fbfe 100644 --- a/overrides/override-a3.txt +++ b/overrides/override-a3.txt 
@@ -1259,6 +1259,11 @@ descr: HOSTERION SRL remarks: Generic anycast network is-anycast: yes +net: 185.130.46.0/24 +descr: Privex Inc. +remarks: Generic anycast network +is-anycast: yes + net: 185.130.160.0/22 descr: mono solutions ApS remarks: Generic anycast network diff --git a/overrides/override-other.txt b/overrides/override-other.txt index b0cef90..0d6abcc 100644 --- a/overrides/override-other.txt +++ b/overrides/override-other.txt @@ -164,6 +164,11 @@ descr: ZeXoTeK IT-Services GmbH remarks: ISP located in DE, but some RIR data for announced prefixes contain garbage country: DE +aut-num: AS8708 +name: RCS & RDS SA +remarks: ISP located in RO, but some RIR data for announced prefixes contain garbage +country: RO + aut-num: AS9304 descr: HGC Global Communications Limited remarks: Jurisdiction is HK, pinning the location there @@ -239,11 +244,6 @@ descr: Iranian Research Organization for Science & Technology remarks: ISP located in IR, but some RIR data for announced prefixes contain garbage country: IR -aut-num: AS15828 -descr: Blue Diamond Network Co., Ltd. -remarks: Shady ISP, claims GB or IR for it's prefixes, but they all end up near Vilnius, LT -country: LT - aut-num: AS16262 descr: Datacheap Ltd. remarks: ISP located in RU, but some RIR data for announced prefixes contain garbage @@ -398,6 +398,11 @@ descr: Virtual Systems LLC remarks: ISP located in UA, but some RIR data for announced prefixes contain garbage country: UA +aut-num: AS30938 +descr: ahbr company limited +remarks: ... trackes back to GB +country: GB + aut-num: AS30982 descr: CAFE Informatique et telecommunications (defunct) remarks: spamming bogon located in TG - formerly allocated to CAFE Informatique et telecommunications 
@@ -608,6 +613,11 @@ descr: Bunea TELECOM SRL remarks: ISP located in RO, but some RIR data for announced prefixes contain garbage country: RO +aut-num: AS42675 +descr: Obehosting AB +remarks: ISP located in SE, but some RIR data for announced prefixes contain garbage +country: SE + aut-num: AS42745 descr: Safe Value Limited remarks: tampers with RIR data, traces back to somewhere in central Europe @@ -683,6 +693,11 @@ descr: xTom GmbH remarks: ISP located in JP, but some RIR data for announced prefixes contain garbage country: JP +aut-num: AS43993 +descr: IronTelecom OU +remarks: ISP located in RU, but some RIR data for announced prefixes contain garbage +country: RU + aut-num: AS44066 descr: diva-e Datacenters GmbH remarks: ISP located in DE, but some RIR data for announced prefixes contain garbage @@ -708,6 +723,11 @@ descr: UAProstir Ltd. remarks: ISP located in UA, but some RIR data for announced prefixes contain garbage country: UA +aut-num: AS44676 +descr: Perviy TSOD LLC +remarks: ISP located in RU, but some RIR data for announced prefixes contain garbage +country: RU + aut-num: AS44735 descr: Nova hf remarks: ISP located in IS, but some RIR data for announced prefixes contain garbage @@ -753,6 +773,11 @@ descr: Quick Packet, LLC remarks: ISP located in US, but some RIR data for announced prefixes contain garbage country: US +aut-num: AS46573 +descr: LayerHost +remarks: According to its website, this ISP hosts in US datacenters, pinning location +country: US + aut-num: AS46841 descr: Fork Networking, LLC remarks: ISP located in US, but some RIR data for announced prefixes contain garbage 
@@ -773,6 +798,11 @@ descr: TOSE'EH ERTEBATAT NOVIN ARIA CO PJS remarks: ISP located in IR, but some RIR data for announced prefixes contain garbage country: IR +aut-num: AS47890 +descr: UNMANAGED LTD +remarks: ISP located in RO, but some RIR data for announced prefixes contain garbage +country: RO + aut-num: AS48024 descr: NEROCLOUD Ltd. remarks: RIR data faked/incorrect, cannot trust this network @@ -808,11 +838,6 @@ descr: LLC Baxet remarks: tampers with RIR data, traces back to RU country: RU -aut-num: AS49466 -descr: KLAYER LLC -remarks: part of the "Asline" IP hijacking gang, traces back to AP region -country: AP - aut-num: AS49453 descr: Global Layer BV remarks: ISP located in NL, but some RIR data for announced prefixes contain garbage @@ -825,7 +850,7 @@ country: RU aut-num: AS49581 descr: Ferdinand Zink trading as Tube-Hosting -remarks: hosted at the Skylink DC in NL +remarks: According to https://tube-hosting.com/datacenter, this ISP hosts out of the SkyLink DC in NL country: NL aut-num: AS49612 @@ -833,11 +858,6 @@ descr: DDoS Guard Ltd. / Cognitive Cloud LLP remarks: another shady customer or branch of "DDoS Guard Ltd.", jurisdiction is probably RU, but traceroutes dead-end somewhere else in EU country: EU -aut-num: AS49870 -descr: Alsycon BV -remarks: Shady ISP located in NL, but some RIR data for announced prefixes contain garbage -country: NL - aut-num: AS49921 descr: F.I.H. FORMULA INVESTMENT HOUSE CLEARING LIMITED remarks: claims GR for announced prefixes, but traceroutes dead-end somewhere else in EU 
@@ -963,11 +983,21 @@ descr: Cloud 9 Ltd. remarks: ISP located in GE, but many RIR data for announced prefixes contain garbage country: GE +aut-num: AS57818 +descr: SKTV Ltd. +remarks: ISP located in RU, but many RIR data for announced prefixes contain garbage +country: RU + aut-num: AS57844 descr: SPDNet Telekomunikasyon Hizmetleri Bilgi Teknolojileri Taahhut Sanayi Ve Ticaret A.S. remarks: ISP located in TR, but some RIR data for announced prefixes contain garbage country: TR +aut-num: AS57866 +descr: Fusix Network BV +remarks: ISP located in NL, but some RIR data for announced prefixes contain garbage +country: NL + aut-num: AS58057 descr: Securebit AG remarks: ... who thinks messing with country codes galore is fun. We can do that, too, and pin their location to CH, since this at least is their accurate jurisdiction. @@ -1037,6 +1067,11 @@ descr: Leaseweb Asia Pacific pte. ltd. remarks: ISP located in SG, but some RIR data for announced prefixes contain garbage country: SG +aut-num: AS59432 +descr: GINERNET S.L. +remarks: ISP located in ES, but some RIR data for announced prefixes contain garbage +country: ES + aut-num: AS59580 descr: Batterflyai Media Ltd. remarks: ISP located in RU, but some RIR data for announced prefixes contain garbage @@ -1197,6 +1232,11 @@ descr: Leaseweb Asia Pacific pte. ltd. remarks: ISP located in HK, some RIR data for announced prefixes contain garbage country: HK +aut-num: AS133948 +descr: DONGFONG INC LIMITED +remarks: ISP located in HK, some RIR data for announced prefixes contain default APNIC data +country: HK + aut-num: AS134121 descr: rainbow network limited remarks: Shady ISP located somewhere in AP area (HK? TW? ???), RIR data contain garbage 
@@ -1287,11 +1327,6 @@ descr: Leaseweb Australia Pty. Ltd. remarks: ISP located in AU, some RIR data for announced prefixes contain garbage country: AU -aut-num: AS137443 -descr: Anchnet Asia Limited -remarks: IP hijacker located in HK, tampers with RIR data -country: HK - aut-num: AS138195 descr: MOACK.Co.LTD remarks: ISP located in KR, some RIR data for announced prefixes contain garbage @@ -1363,9 +1398,9 @@ remarks: Shady ISP located in HK country: HK aut-num: AS140224 -descr: White-Sand Cloud Computing(HK) Co., LIMITED -remarks: part of the "Asline" IP hijacking gang, tampers with RIR data, traces back to AP region -country: AP +descr: STARCLOUD GLOBAL PTE., LTD. +remarks: part of the "Asline" IP hijacking gang, tampers with RIR data, hosted in HK according to its website +country: HK aut-num: AS140641 descr: YOTTA NETWORK SERVICES PRIVATE LIMITED @@ -1402,6 +1437,11 @@ descr: YISU CLOUD LTD remarks: ... located in HK country: HK +aut-num: AS142430 +descr: DIGI VPS +remarks: ISP located in IN, but some RIR data for announced prefixes contain garbage +country: IN + aut-num: AS142578 descr: E-Large (HongKong) remarks: traceroutes dead-end in US, and measurements could not proof that this AS is being located elsewhere @@ -1482,6 +1522,11 @@ descr: Luxoft Professional Romania S.R.L. remarks: serivces hosted in RU country: RU +aut-num: AS201814 +descr: Meverywhere sp. z o.o. +remarks: According to its website, all datacenters of this ISP are located in PL +country: PL + aut-num: AS201912 descr: FutureNow Incorporated remarks: ISP located in BG, but RIR data for announced prefixes contain garbage 
@@ -1492,11 +1537,21 @@ descr: SILVERHILL GROUP HOLDING LTD / SAKIS POLUNIGIS remarks: fake offshore location (SC), traces back to RU country: RU +aut-num: AS202914 +descr: Adeo Datacenter ApS +remarks: According to its website, all datacenters used by this ISP are in DK +country: DK + aut-num: AS202505 descr: NETBUDUR TELEKOMUNIKASYON LIMITED SIRKETI remarks: ISP located in TR, but some RIR data for announced prefixes contain garbage country: TR +aut-num: AS203020 +descr: HostRoyale Technologies Pvt Ltd +remarks: Pin the location of this AS to its jurisdiction (IN) due to massive tampering with RIR data +country: IN + aut-num: AS203038 descr: QuxLabs UG remarks: traces back to SE @@ -1532,6 +1587,11 @@ descr: Rishikeshan Lavakumar remarks: Network operator thinks messing with RIR data is funny... :-/ country: EU +aut-num: AS204687 +descr: A2 Networks Inc. +remarks: ISP located in NL, but some RIR data for announced prefixes contain garbage +country: NL + aut-num: AS205026 descr: Hauer Hosting Services Limited remarks: ISP located in ES, but some RIR data for announced prefixes contain garbage @@ -1683,7 +1743,7 @@ remarks: ISP located in RU, but some RIR data for announced prefixes contain gar country: RU aut-num: AS210644 -descr: Des Capital B.V. +descr: AEZA GROUP Ltd remarks: ISP located in RU, but some RIR data for announced prefixes contain garbage country: RU @@ -1692,6 +1752,11 @@ descr: Des Capital B.V. remarks: Shady ISP located in NL, but RIR data for announced prefixes contain garbage country: NL +aut-num: AS210718 +descr: FIVE CYBER HOST SECURITY S.R.L. +remarks: ISP located in RO, but RIR data for announced prefixes contain garbage +country: RO + aut-num: AS211237 descr: FORTR TELEKOMUNIKASYON SANAYI VE TICARET LIMITED SIRKETI remarks: ISP located in TR, but some RIR data for announced prefixes contain garbage 
@@ -1842,14 +1907,19 @@ descr: Wirels Connect (PTY) Ltd remarks: AS being announced out of PT country: PT +aut-num: AS328227 +descr: Xhostserver LLC +remarks: ISP located in ZA, many RIR data for announced prefixes contain garbage +country: ZA + aut-num: AS328383 descr: xTom Limited remarks: ISP located in ZA, RIR data for announced prefixes contain garbage country: ZA -aut-num: AS328227 -descr: Xhostserver LLC -remarks: ISP located in ZA, many RIR data for announced prefixes contain garbage +aut-num: AS328703 +descr: Seven Network Inc. +remarks: ISP located in ZA, RIR data for announced prefixes contain garbage country: ZA aut-num: AS328608 @@ -1932,6 +2002,11 @@ descr: Tcloudnet remarks: Part of the "ASLINE" IP hijacking gang, HK vicinity seems to be part of US too for them :-/ country: AP +aut-num: AS399641 +descr: Wolverine Trading, LLC +remarks: ISP located in US, many RIR data for announced prefixes contain garbage +country: US + aut-num: AS400039 descr: Wolverine Trading, LLC remarks: IP hijacker located in US, tampers with RIR data @@ -2252,6 +2327,11 @@ descr: Intelcom Group Ltd remarks: fake offshore location (SC), traces back to RU country: RU +net: 185.105.0.0/22 +descr: G-Core Innovations S.a r.l. +remarks: this network does not appear to have any relations to IN whatsoever, it is rather used out of central Europe (LU?) +country: LU + net: 185.140.204.0/22 descr: Hornetsecurity GmbH remarks: all suballocations are used in DE, but are assigned to US diff --git a/overrides/override-xd.txt b/overrides/override-xd.txt index 4c3312a..3f3c46f 100644 --- a/overrides/override-xd.txt +++ b/overrides/override-xd.txt 
@@ -26,10 +26,15 @@ # Please keep this file sorted. # +aut-num: AS15828 +descr: Blue Diamond Network Co., Ltd. +remarks: Shady ISP hosting brute-force login attempt machines galore, claims GB or IR for it's prefixes, but they all end up near Vilnius, LT +country: LT +drop: yes + aut-num: AS18254 descr: KLAYER LLC -remarks: part of the "Asline" IP hijacking gang, traces back to AP region -country: AP +remarks: part of the "Asline" IP hijacking gang drop: yes aut-num: AS18013 @@ -38,12 +43,6 @@ remarks: IP hijacker, traces back to HK country: HK drop: yes -aut-num: AS22769 -descr: DDOSING NETWORK -remarks: IP hijacker located in US, massively tampers with RIR data -country: US -drop: yes - aut-num: AS24567 descr: QT Inc. remarks: IP hijacker operating out of AP area (HK or TW?) @@ -55,10 +54,15 @@ descr: 1337TEAM LIMITED / eliteteam[.]to remarks: Bulletproof ISP drop: yes +aut-num: AS40193 +descr: Trit Networks, LLC +remarks: all cybercrime hosting, all the time +country: US +drop: yes + aut-num: AS41564 descr: Orion Network Limited -remarks: shady uplink for a bunch of dirty ISPs in SE (and likely elsewhere in EU), routing stolen AfriNIC networks, RIR data of prefixes announced by this AS cannot be trusted -country: EU +remarks: shady uplink for a bunch of dirty ISPs, routing stolen AfriNIC networks drop: yes aut-num: AS41909 @@ -99,8 +103,19 @@ drop: yes aut-num: AS49447 descr: Nice IT Services Group Inc. -remarks: Rogue ISP located in CH, but some RIR data for announced prefixes contain garbage -country: CH +remarks: Rogue ISP +drop: yes + +aut-num: AS49870 +descr: Alsycon BV +remarks: Shady ISP (related to AS204655 et al., same postal address) located in NL, but some RIR data for announced prefixes contain garbage +country: NL +drop: yes + +aut-num: AS49466 +descr: KLAYER LLC +remarks: part of the "Asline" IP hijacking gang, traces back to San Jose, CR +country: CR drop: yes aut-num: AS49943 
@@ -138,6 +153,12 @@ remarks: part of the "Asline" IP hijacking gang, tampers with RIR data, traces b country: HK drop: yes +aut-num: AS57509 +descr: L&L Investment Ltd. +remarks: another shady customer of "Tamatiya EOOD / 4Vendeta" +country: BG +drop: yes + aut-num: AS56447 descr: 511 Far East Limited remarks: IP hijacker, tampers with RIR data @@ -215,11 +236,13 @@ drop: yes aut-num: AS60930 descr: Intem LLC remarks: leaf AS with upstream to other dirty hosters, brute-force attacks galore +country: RU drop: yes aut-num: AS61414 descr: EDGENAP LTD -remarks: IP hijacking? Rogue ISP? +remarks: part of the "Asline" IP hijacking gang, the majority of announced prefixes trace back to JP +country: JP drop: yes aut-num: AS61432 @@ -263,6 +286,12 @@ remarks: IP hijacker located in HK, suspected to be part of the "Asline" IP hija country: HK drop: yes +aut-num: AS137443 +descr: Anchnet Asia Limited +remarks: IP hijacker located in HK, tampers with RIR data +country: HK +drop: yes + aut-num: AS137523 descr: HONGKONG CLOUD NETWORK TECHNOLOGY CO., LIMITED remarks: ISP and IP hijacker located in HK, tampers with RIR data @@ -358,6 +387,11 @@ remarks: bulletproof ISP and IP hijacker, related to AS202425 and AS62355, trace country: NL drop: yes +aut-num: AS203680 +descr: Southern Production and Technical Enterprise Ltd. +remarks: Hijacked? +drop: yes + aut-num: AS204341 descr: Purple Raccoon Ltd. remarks: Bulletproof ISP in an extremely dirty neighborhood full of IP hijackers @@ -394,6 +428,12 @@ remarks: bulletproof ISP, see: https://krebsonsecurity.com/2019/07/meet-the-worl country: RU drop: yes +aut-num: AS207566 +descr: Chang Way Technologies Co. Limited +remarks: Rogue ISP +country: RU +drop: yes + aut-num: AS209160 descr: Miti 2000 EOOD remarks: another shady customer of "Tamatiya EOOD / 4Vendeta", located in BG, tampers with RIR data 
@@ -418,6 +458,11 @@ remarks: Shary Serverion customer and IP hijacker in NL, many RIR data for annou country: NL drop: yes +aut-num: AS210352 +descr: Partner LLC +remarks: All cybercrime hosting, all the time +drop: yes + aut-num: AS210644 descr: AEZA GROUP Ltd remarks: In all networks currently propagated by this AS, one is unable to find anything that has even a patina of legitimacy @@ -454,6 +499,12 @@ remarks: Dirty ISP located somewhere in EU, cannot trust RIR data of this networ country: EU drop: yes +aut-num: AS213010 +descr: GigaHostingServices OU +remarks: Does not appear to host any legitimate infrastructure whatsoever, just mass brute-force login attempts +country: PL +drop: yes + aut-num: AS213058 descr: Private Internet Hosting LTD remarks: bulletproof ISP located in RU @@ -519,11 +570,34 @@ descr: Black Apple remarks: Solely announces hijacked prefixes, no legitimate infrastructure drop: yes +net: 45.143.203.0/24 +descr: TOV VAIZ PARTNER +remarks: Attack network tracing back to NL +country: NL +drop: yes + net: 46.161.27.0/24 descr: MEGA HOLDINGS LIMITED remarks: Based on domains ending up there, this network is entirely malicious drop: yes +net: 91.240.243.0/24 +descr: Media Land LLC +remarks: bulletproof ISP, see: https://krebsonsecurity.com/2019/07/meet-the-worlds-biggest-bulletproof-hoster/ +drop: yes + +net: 92.63.196.0/24 +descr: TOV VAIZ PARTNER / Perfect Hosting Solutions +remarks: Attack network tracing back to NL +country: NL +drop: yes + +net: 185.156.72.0/24 +descr: TOV VAIZ PARTNER / InterHost +remarks: Attack network tracing back to UA +country: UA +drop: yes + net: 185.196.220.0/24 descr: Makut Investments remarks: Long-running brute-force attack network -- 2.39.5
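Review bot: In overrides/override-a1.txt (hunks @@ -25,7 +25,7 @@ and @@ -152,7 +152,7 @@) the AS4224 and AS62744 blocks switch from `descr:` to `name:`, but nearly every other aut-num block added in this patch still uses `descr:`; only the new AS8708 block in override-other.txt uses `name:`. Pick one key for aut-num blocks and apply it consistently, or state the intended convention in the commit message. The AS4224 line also carries over the spelling "The Calyx Institue"; since the line is being rewritten anyway, "Institute" could be fixed in the same change.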
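Review bot: The new 179.60.147.0/24 block in overrides/override-a1.txt (hunk @@ -1332,6 +1327,12 @@) sets `drop: yes` while its remark ends in a question mark ("Attack network, rogue VPN operator?"). The other blocks visible in this file's hunks carry only `is-anonymous-proxy: yes`, and the remaining drop entries in this patch go to override-xd.txt. Suggest either moving the block to override-xd.txt with a remark that states what was observed, or leaving out `drop: yes` until the classification is confirmed.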
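Review bot: The AS30938 remark in overrides/override-other.txt (hunk @@ -398,6 +398,11 @@) reads "... trackes back to GB", which has a typo ("trackes") and gives no reason for the pin. The neighbouring entries say why the country is overridden (for example "some RIR data for announced prefixes contain garbage"); the same kind of statement here would let a later reviewer re-check the entry.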
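Review bot: In overrides/override-other.txt (hunk @@ -1683,7 +1743,7 @@) AS210644 only gets its `descr:` updated to "AEZA GROUP Ltd", yet the same AS already appears in overrides/override-xd.txt with `drop: yes` (context of hunk @@ -418,6 +458,11 @@). The other ASes that this patch lists in override-xd.txt (AS15828, AS49466, AS49870, AS137443) are removed from override-other.txt in the same change. Suggest removing the AS210644 block here as well, or noting why it has to exist in both files.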
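Review bot: The new AS399641 block in overrides/override-other.txt (hunk @@ -1932,6 +2002,11 @@) has the same `descr:` as the AS400039 block directly below it ("Wolverine Trading, LLC"), while the remarks differ: AS399641 is described as an ISP with garbage RIR data, AS400039 as an IP hijacker. Please confirm the `descr:` was not copied from the neighbouring entry, and if both ASes do belong to the same organisation, say so in the remark and explain why only one is treated as a hijacker.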
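Review bot: AS22769 ("DDOSING NETWORK") is deleted outright from overrides/override-xd.txt (hunk @@ -38,12 +43,6 @@) and is not re-added anywhere else in this patch, so its `drop: yes` simply disappears. The commit message ("Regular batch of various overrides") gives no reason. The same applies to the removal of 45.231.206.0/23 in override-a1.txt. A line in the commit message stating why each entry no longer applies would make the removals auditable.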
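Review bot: In overrides/override-xd.txt (hunk @@ -55,10 +54,15 @@) AS41564 loses both `country: EU` and the part of its remark saying that RIR data of its prefixes cannot be trusted, with no replacement pin. AS18254 and AS49447 lose their `country:` lines in the same way in the neighbouring hunks. If the intent is that location is irrelevant for dropped networks, the new AS15828, AS40193 and AS49870 blocks contradict that by setting both `country:` and `drop: yes`. Please make the rule explicit and apply it uniformly.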
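Review bot: The additions in overrides/override-xd.txt (hunk @@ -99,8 +103,19 @@) are not in numeric order: AS49870 is inserted ahead of AS49466, although the file header in the first hunk's context says "Please keep this file sorted." The same happens with AS57509, which lands directly before AS56447, and in override-other.txt with AS328703 before AS328608 and AS202914 before AS202505. Suggest placing each new block at its sorted position so later diffs stay small and duplicates are easier to spot.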
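Review bot: The new AS203680 block in overrides/override-xd.txt (hunk @@ -358,6 +387,11 @@) sets `drop: yes` with the single-word remark "Hijacked?". Other drop entries in this file state an observation or cite a source (for example the krebsonsecurity.com links on the Media Land entries). Since a drop entry affects every prefix announced by the AS, the remark should say what was observed, or the entry should wait until the question mark can be removed.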