> On Nov 17, 2020, at 1:32 PM, Philip Prindeville <philipp_subx@xxxxxxxxxxxxxxxxxxxxx> wrote:
>
>
>> On Nov 17, 2020, at 12:20 PM, Jan Engelhardt <jengelh@xxxxxxx> wrote:
>>
>> On Tuesday 2020-11-17 19:08, Philip Prindeville wrote:
>>>>> Many known blocks owned by Chinanet for instance, don’t show up as /11 or /13
>>>>> networks, but as dozens of /23 networks instead in China, the US, Japan, and
>>>>> Canada. Clearly not correct.
>>>
>>> 183.128.0.0/11 is supposedly a single block of Chinanet, but the database
>>> shows it as being 329 subnets (164 supposedly in the US), again mostly /23’s
>>> and /22’s:
>>> 183.136.192.0,183.136.193.99,CN
>>> 183.136.193.100,183.136.193.255,US
>>
>> 100 is not "nicely divisible" along a bit boundary, that's already a giveaway
>> that something is atypical.
>> Maybe it's a set of VPN endpoints (into China) for external
>> companies registered with MIIT/PSB or something.
>
>
> So, what to do? How to move forward?
>
> I sent them a question about this over the weekend and I’m still waiting to hear back.
>
> Given that people might use this data to block APT’s, I think the data should be something that doesn’t raise more questions than it answers...
>
>
>>
>>> 212.174.0.0/15 supposedly is a single block of TurkTelecom, but the database
>>> shows it as being 296 subnets, mostly /23’s.
>>
>> and to add icing, WHOIS has four entries for it.
>> 212.174.0.0/17 212.174.128.0/17 212.175.0.0/17 212.175.128.0/17
>
>
> Yeah, I don’t get that either.
>

If anyone else is feeling uneasy about the reliability of the dbip-country-lite data, I’ve branched master of xtables-addons (on SF.net) and reverted the changes that made it use that database:

https://sourceforge.net/u/pprindeville/xtables-addons/ci/revert-to-maxmind/tree/

So you can use that until the dust settles and we figure out the discrepancies.

Thanks.

-Philip
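The check discussed in this thread (rows that do not fall on a prefix boundary, and one allocation split across several countries) can be run over a `start,end,country` file. The following is an added example, not part of the original messages or of xtables-addons; the function names are hypothetical, and the sample holds the two rows quoted above plus one constructed row for contrast.

```python
import csv
import io
import ipaddress
from collections import Counter

# Sample in start,end,country form. Rows 1-2 are the ones quoted in the
# thread; row 3 is constructed to show a range that is a clean /23.
SAMPLE_CSV = """\
183.136.192.0,183.136.193.99,CN
183.136.193.100,183.136.193.255,US
183.136.194.0,183.136.195.255,CN
"""

def cidrs_for(start, end):
    """Minimal list of CIDR blocks covering the inclusive range start..end."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)))

def audit(csv_text, supernet):
    """For rows wholly inside `supernet`, return (rows per country,
    ranges that cannot be expressed as a single prefix)."""
    net = ipaddress.ip_network(supernet)
    countries = Counter()
    unaligned = []
    for start, end, cc in csv.reader(io.StringIO(csv_text)):
        first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
        # Membership is False for an address of the other IP version,
        # so IPv6 rows are skipped when auditing an IPv4 allocation.
        if first not in net or last not in net:
            continue
        countries[cc] += 1
        blocks = cidrs_for(start, end)
        if len(blocks) > 1:  # range does not sit on one prefix boundary
            unaligned.append((start, end, cc, [str(b) for b in blocks]))
    return countries, unaligned

if __name__ == "__main__":
    countries, unaligned = audit(SAMPLE_CSV, "183.128.0.0/11")
    print("rows per country:", dict(countries))
    for start, end, cc, blocks in unaligned:
        print(f"{start}-{end} {cc}: needs {len(blocks)} prefixes:",
              " ".join(blocks))
```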