ASN-Blocklist

Discussion in 'Projects' started by Mun, Aug 23, 2014.

  1. Mun

    Mun Administrator

    Links:

    https://www.enjen.net/asn-blocklist/
    Example results

    Features:
    • API
    • Json Support
    • IP Text List
    • IPtables list (with IPv6 support)
    • Nginx deny lists
    • Htaccess deny list
    • IPset hash list
    • IP route blackhole list

    Goal:


    This applet was built to quickly provide an easy and effective way of blocking an AS(number) from your servers. We also wanted this to be dynamic and always up to date, requiring little on your part to get the latest and most up to date information.

    Suggestions:

    Make sure you read the README! I can't say it enough, as you are bound to make a screw-up and hurt yourself more than help.

    You can use our applet to quickly get a download of just the important info by adding &api=1 to the end of the URL.

    Help Us Improve:

    Do you have a suggestion on what we should add, or did we mess up with something? If so please make a post below and tell us exactly what you would like to see. This means give us examples and explanations, we will gladly work with you to get it accomplished.

    As always, if you have any questions please post them below!
     
  2. pisto

    pisto New Member

    Hi, I like your tool, and I have a couple of questions.

    I coded a tool to gather IPs, find the belonging range and classify them based on the whois information, https://github.com/pisto/kidban . The goal is to find ranges that belong not to home connections, on the assumption that the rest is servers, and probably VPNs. I decided not to use AS data, because it was not clear to me how to get all the IP ranges of a specific AS number, and also because the whois provides an actual description of what a specific range is used for. However, I would like now to include the AS method, to catch in one single action all the IPs of providers that only host servers (say, OVH or DigitalOcean). So first question is, is it ok if I scrape the web interface of the tool, or maybe I can have access to the source code?

    Second, while investigating the various formats that a whois query would return, I found something odd: many providers, especially non-American or non-European ones, return IP ranges that are not in the form of a CIDR (an aligned IP block sized a power of two); sometimes they are not aligned, or not even powers of two. My internal structures work only on a real CIDR (for performance reasons), so to maintain the correspondence between a whois message and these weird ranges I split them up into proper CIDR blocks, which increases the complexity of the problem greatly.
    Since you work on BGP data, which has to be in CIDR form, I don't think you meet these kinds of oddities. However, I would like to hear a confirmation on that.

    P.S.
    The email confirmation from this board was detected as spam by gmail.
     
  3. Mun

    Mun Administrator

    First, sorry for the late response. I have been quite busy the last few days.

    Would JSON be acceptable for you? If so: https://www.enjen.net/asn-blocklist/index.php?asn=1&type=json&api=1 It has already been added as an API.

    Can you show me a few examples of non-CIDR results? Most of the data on ASN-blocklist is already being scraped from he.net, until I write the new version using the better API from ARIN.

    I'm not sure on the spam detection, it is hit or miss.
     
  4. pisto

    pisto New Member

    Yes, sorry, didn't see that.
    Try for example to whois 223.64.0.0 (I use http://www.linux.it/~md/software/): you will get "inetnum: 223.64.0.0 - 223.117.255.255" which cannot be reduced to a CIDR form. I checked on he.net and they see proper (and smaller) CIDR announcements, so I think it's a non issue here. I'm not sure it's a gain to use ARIN data, I believe they don't and shouldn't track assignments to final AS numbers, so you lose in precision.
    I believe you don't have a correct MX record. Also the rDNS of munroenet.com points to dragon.munroenet.com, which is not exactly the original hostname and maybe google stumbles on that.
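
Added example (not part of the thread and not code from kidban or ASN-Blocklist): splitting a whois "inetnum" range such as the one quoted above into the smallest set of aligned CIDR blocks. The function names and the second line of the sample whois text are constructed for illustration.

```python
import ipaddress
import re

# Matches the "inetnum: A - B" line format quoted in the post.
INETNUM_RE = re.compile(r"^inetnum:\s*(\S+)\s*-\s*(\S+)\s*$", re.MULTILINE)

# Constructed sample: the inetnum line is the one from the post, the rest is filler.
SAMPLE_WHOIS = "inetnum:        223.64.0.0 - 223.117.255.255\nnetname:        EXAMPLE-NET\n"


def range_to_cidrs(first, last):
    """Split an inclusive IPv4 range into the minimal list of aligned CIDR blocks."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("range start is above range end")
    blocks = []
    while lo <= hi:
        # Largest block the alignment of lo permits (its lowest set bit).
        align = (lo & -lo) if lo else 1 << 32
        # Largest power of two that still fits in what is left of the range.
        fit = 1 << ((hi - lo + 1).bit_length() - 1)
        size = min(align, fit)
        prefix_len = 32 - (size.bit_length() - 1)
        blocks.append(ipaddress.IPv4Network((lo, prefix_len)))
        lo += size
    return blocks


def cidrs_from_whois(text):
    """Return CIDR strings for every inetnum range found in a whois reply."""
    out = []
    for match in INETNUM_RE.finditer(text):
        out.extend(str(n) for n in range_to_cidrs(match.group(1), match.group(2)))
    return out


if __name__ == "__main__":
    for cidr in cidrs_from_whois(SAMPLE_WHOIS):
        print(cidr)
```

The standard library's ipaddress.summarize_address_range() performs the same split; the loop is written out here to show why an unaligned range needs several blocks.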
     
  5. Mun

    Mun Administrator

    Let me know how it works.

    The spam issue shouldn't apply to that as we use third party email services which have been whitelisted. Google is probably unsure of it still.
     
  6. pisto

    pisto New Member

    Could you put the ipv4 and ipv6 prefixes in different fields of the json table?
     
  7. Mun

    Mun Administrator

    Let me add a secondary api for that. When do you need it by?
     
  8. Mun

    Mun Administrator

    Here is an example: https://www.enjen.net/asn-blocklist/index.php?asn=3&type=json_split&api=1

    Results:

    {
    "asn":"AS3",
    "time":1418747348,
    "ipv4s":["18.0.0.0\/8","18.3.46.0\/24","18.3.47.0\/24","18.3.49.0\/24","18.4.38.0\/24","18.4.70.0\/24","18.7.10.0\/24","18.7.21.0\/24","18.7.71.0\/24","18.9.0.0\/24","18.9.1.0\/24","18.9.21.0\/24","18.9.22.0\/24","18.9.25.0\/24","18.9.37.0\/24","18.9.46.0\/24","18.9.47.0\/24","18.9.49.0\/24","18.9.60.0\/24","18.9.62.0\/24","18.9.90.0\/24","18.72.0.0\/24","31.192.64.0\/19","91.233.204.0\/23","103.254.94.0\/24","103.254.167.0\/24","124.248.128.0\/22","124.248.132.0\/22","124.248.136.0\/22","124.248.140.0\/22","128.30.0.0\/15","128.52.0.0\/16","171.25.196.0\/22","176.103.160.0\/21","192.52.61.0\/24","192.52.62.0\/24","192.52.63.0\/24","192.52.64.0\/24","192.52.65.0\/24","192.54.222.0\/24","200.63.48.0\/22","202.27.83.0\/24","202.36.75.0\/24","202.36.154.0\/24","202.37.168.0\/24","212.69.8.0\/23","216.115.235.0\/24"],
    "ipv6s":["2001:4830:2446::\/48"]}
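
Added example (not part of the thread and not the project's own code): vetting a json_split response before loading it into a firewall, by rejecting malformed or special-use prefixes, collapsing overlaps such as the /24s already covered by 18.0.0.0/8, and rendering ipset restore lines. The sample is constructed from a few of the prefixes above plus two bad entries; the set name and the short special-use list are assumptions.

```python
import ipaddress
import json

# Constructed sample in the json_split layout from the post: a few AS3 prefixes,
# plus a private prefix and an entry with host bits set to exercise the checks.
SAMPLE = r'''{"asn":"AS3","time":1418747348,
"ipv4s":["18.0.0.0\/8","18.9.22.0\/24","128.30.0.0\/15","128.52.0.0\/16",
         "192.52.64.0\/24","192.52.65.0\/24","10.1.0.0\/16","18.9.22.1\/24"],
"ipv6s":["2001:4830:2446::\/48"]}'''

# Short constructed list of special-use space that a third-party feed should
# never cause you to block (not a complete bogon list).
SPECIAL_USE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
    "::/8", "fc00::/7", "fe80::/10", "ff00::/8")]


def vet(raw, key, version):
    """Return (collapsed_networks, rejected_strings) for one address family."""
    kept, rejected = [], []
    for item in json.loads(raw).get(key, []):
        try:
            if not isinstance(item, str):
                raise ValueError("prefix must be a string")
            net = ipaddress.ip_network(item, strict=True)  # host bits set -> error
        except ValueError:
            rejected.append(item)
            continue
        special = any(net.version == s.version and net.overlaps(s)
                      for s in SPECIAL_USE)
        if net.version != version or special:
            rejected.append(item)
        else:
            kept.append(net)
    # Drop prefixes covered by a larger one and merge adjacent siblings.
    return list(ipaddress.collapse_addresses(kept)), rejected


def ipset_restore(name, nets, family):
    """Render input for `ipset restore`; the set name is the caller's choice."""
    lines = [f"create {name} hash:net family {family}"]
    return lines + [f"add {name} {n}" for n in nets]


if __name__ == "__main__":
    v4, bad = vet(SAMPLE, "ipv4s", 4)
    print("\n".join(ipset_restore("asn3-v4", v4, "inet")))
    print("rejected:", bad)
```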

     
  9. pisto

    pisto New Member

    thanks, that will work.
     
  10. Mun

    Mun Administrator

    Anything you want me to change?
     
  11. pisto

    pisto New Member

    I wonder if the data you fetch is already filtered from what he.net regards as bogon?
     
  12. Mun

    Mun Administrator

    I do not think so.
     
  13. pisto

    pisto New Member

  14. Mun

    Mun Administrator

  15. Mark

    Mark New Member

    Many thanks Mun, it's a great project.

    Pisto, I'm watching your project with anticipation too. I've been looking for a solution for blocking all webhost addresses for a while, hopefully this is it.
    Do you know of any other scripts that offer the same (knowing the competitors etc)? :)
     
  16. pisto

    pisto New Member

    No, I don't know any. My needs are rather specific, so that's why I coded my own sorter and am building my own database. What is nice about it is that this thing is maneuverable by a single person.

    You are welcome to use my growing list, but beware that I'm probably being a bit too trigger happy as of now.
     
  17. Mark

    Mark New Member

    Thank you, I will be trying your script and database soon and definitely following along.

    How will the information from ARIN be better, and when do you plan on releasing it? :)
     
  18. Mun

    Mun Administrator

    ARIN's data is in an API and allows more queries than he.net. I am not totally sure when I will have it up, but I may make a hybrid system and use both.
     
  19. Mark

    Mark New Member

    This sounds great, and it's something I may plan to use myself if you make an API available for your service. I'll keep watching in a hope it materialises soon ;)

    Thanks.
     
  20. Mun

    Mun Administrator
