Created a script to get the connections every time a new node connected. Everything looked normal in the peer list until I saw many nodes from:
100.42.27.* (around 200 peers)
193.142.59.* (around 200 peers)
199.116.84.* (around 100 peers)
209.222.252.* (around 150 peers)
91.198.115.* (around 150 peers)
The 100.42.27., 199.116.84., 209.222.252., and 91.198.115. all belong to "Lionlink Networks".
These are around 600 nodes that are under that ISP and account for 20-30% of all nodes seen from a 3 day survey span.
This looks suspicious to me and the massive amounts of nodes raises many red flags and does not look natural at all.
~~If these were malicious, in concept, with the 13 default IN/OUT peers, if all connected are malicious, the innocent one would have no other data to compare it to~~.
(Edit: Updated Theory: having many nodes has the ability trace transactions and block miners easier based on timing attack)
yea and all above IP ranges are found at the top of https://github.com/Boog900/monero-ban-list/blob/main/ban_list.txt. The ban list is good but it is not enabled by default.