> On Nov 17, 2020, at 12:20 PM, Jan Engelhardt <jengelh@xxxxxxx> wrote: > > On Tuesday 2020-11-17 19:08, Philip Prindeville wrote: >>>> Many known blocks owned by Chinanet for instance, don’t show up as /11 or /13 >>>> networks, but as dozens of /23 networks instead in China, the US, Japan, and >>>> Canada. Clearly not correct. >> >> 183.128.0.0/11 is supposedly a single block of Chinanet, but the database >> shows it as being 329 subnets (164 supposedly in the US), again mostly /23’s >> and /22’s: >> 183.136.192.0,183.136.193.99,CN >> 183.136.193.100,183.136.193.255,US > > 100 is not "nicely divisible" along a bit boundary, that's already a giveaway > that something is atypical. > Maybe it's a set of VPN endpoints (into China) for external > companies registered with MIIT/PSB or something. So, what to do? How to move forward? I sent them a question about this over the weekend and I’m still waiting to hear back. Given that people might use this data to block APT’s, I think the data should be something that doesn’t raise more questions than it answers... > >> 212.174.0.0/15 supposedly is a single block of TurkTelecom, but the database >> shows it as being 296 subnets, mostly /23’s. > > and to add icing, WHOIS has four entries for it. > 212.174.0.0/17 212.174.128.0/17 212.175.0.0/17 212.175.128.0/17 Yeah, I don’t get that either.