I saw a LinkedIn post by Philippe Humeau, CEO of Crowdsec. Although I do not believe Crowdsec currently uses our data, they are an important institution working to keep the internet safe.
I was quite keen on trying out Ipdex today as I saw they provided IP to Country data:
I host a simple honeypot on my server using fail2ban, so I thought it would be nice to explore them using actual malicious IP addresses. To make my intentions clear, the country value in ipdex is what I want to check.
103.187.147.35
Crowdsec: Indonesia
IPinfo: Singapore
{
  "ip": "103.187.147.35",
  "asn": "AS138608",
  "as_name": "Cloud Host Pte Ltd",
  "as_domain": "cloudhost.asia",
  "country_code": "SG",
  "country": "Singapore",
  "continent_code": "AS",
  "continent": "Asia"
}
How do we know that this IP address is located in Singapore? Here are all the active measurement-based hints we have for this IP address. The recurring theme is routing data and traceroute.
193.221.201.95
Crowdsec: Russia
IPinfo: Germany
{
  "ip": "193.221.201.95",
  "asn": "AS215826",
  "as_name": "Partner Hosting LTD",
  "as_domain": "altawk.com",
  "country_code": "DE",
  "country": "Germany",
  "continent_code": "EU",
  "continent": "Europe"
}
From a probe server we have in Frankfurt, we can see the traceroute behavior that points to the IP address being in Germany:
3. AS??? 62255-fr7-ix.equinix.com (185.1.102.75) 0.0% 3 0.6 0.7 0.6 0.8 0.1
4. AS??? bimajlink.7060cx-1.eqx8.fra.as49418.net (109.206.242.35) 0.0% 3 0.6 0.6 0.6 0.6 0.0
5. AS??? po6.ar7280qr-1.tornado.fra.as49418.net (109.206.242.61) 0.0% 3 1.6 1.5 1.5 1.6 0.0
6. AS??? waicore-gw.trd-fra.netshield.de (109.206.242.59) 0.0% 3 2.3 2.2 1.9 2.3 0.2
7. AS215826 193.221.201.95 33.3% 3 6.6 7.6 6.6 8.6 1.
103.144.247.233
Crowdsec: Hong Kong
IPinfo: United States
{
  "ip": "103.144.247.233",
  "asn": "AS138152",
  "as_name": "YISU CLOUD LTD",
  "as_domain": "yisu.com",
  "country_code": "US",
  "country": "United States",
  "continent_code": "NA",
  "continent": "North America"
}
From a probe server traceroute we can see that the IP address is in Los Angeles.
14. AS174 be9322.agr61.b004747-3.lax05.atlas.cogentco.com (154.54.6.218) 0.0% 3 153.9 153.9 153.9 154.0 0.0
15. AS174 38.19.141.58 0.0% 3 155.3 155.8 155.3 156.0 0.4
16. AS??? 10.255.1.26 0.0% 3 151.2 151.1 151.0 151.2 0.1
17. AS??? ??? 100.0 3 0.0 0.0 0.0 0.0 0.0
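
The traceroute reasoning used for the last two addresses can be sketched in code. This is an added example, not part of the original post and not IPinfo's or Crowdsec's method: it parses mtr report rows, looks for a location token in the reverse-DNS name of the responding hop nearest the target, and reports the RTT gap to the target. The two-entry token table and all function names are assumptions made for illustration.

```python
import re

# Assumption: a tiny token table for this page's two traces; real router naming varies.
GEO_TOKENS = {"fra": ("Frankfurt", "DE"), "lax": ("Los Angeles", "US")}

# mtr report row: hop. ASN host [(ip)] loss% snt last avg ...
ROW = re.compile(
    r"^\s*(?P<hop>\d+)\.\s+(?P<asn>\S+)\s+(?P<host>\S+)(?:\s+\([\d.]+\))?"
    r"\s+(?P<loss>[\d.]+)%?\s+\d+\s+[\d.]+\s+(?P<avg>[\d.]+)"
)

def parse_mtr(text):
    """Return one dict per parsable hop row."""
    hops = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            hops.append({"hop": int(m["hop"]), "asn": m["asn"], "host": m["host"],
                         "loss": float(m["loss"]), "avg": float(m["avg"])})
    return hops

def geo_hint(host):
    """Find a known location token in a reverse-DNS name (lax05 -> lax)."""
    for label in re.split(r"[.\-]", host.lower()):
        token = re.sub(r"\d+$", "", label)
        if token in GEO_TOKENS:
            return GEO_TOKENS[token]
    return None

def locate(text):
    """Nearest-to-target responding hop with a location token, plus RTT gap to the target."""
    hops = parse_mtr(text)
    for hop in reversed(hops):
        hint = geo_hint(hop["host"]) if hop["loss"] < 100 else None
        if hint:
            last = hops[-1]
            # A small gap suggests the target sits close to the located hop.
            gap = round(last["avg"] - hop["avg"], 1) if last["loss"] < 100 else None
            return {"hop": hop["hop"], "city": hint[0], "country": hint[1], "rtt_gap_ms": gap}
    return None

# Trace rows copied from the post above.
FRANKFURT_TRACE = """\
6. AS??? waicore-gw.trd-fra.netshield.de (109.206.242.59) 0.0% 3 2.3 2.2 1.9 2.3 0.2
7. AS215826 193.221.201.95 33.3% 3 6.6 7.6 6.6 8.6 1."""
LA_TRACE = """\
14. AS174 be9322.agr61.b004747-3.lax05.atlas.cogentco.com (154.54.6.218) 0.0% 3 153.9 153.9 153.9 154.0 0.0
17. AS??? ??? 100.0 3 0.0 0.0 0.0 0.0 0.0"""

if __name__ == "__main__":
    print(locate(FRANKFURT_TRACE), locate(LA_TRACE))
```

A hostname token is only a hint: the final hop in the Los Angeles trace never answers, so no RTT gap is available there and the result rests on the last named router alone.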





