Nmap Development mailing list archives

Re: Google SoC Ideas - Feature Creep?


From: doug () hcsw org
Date: Tue, 23 May 2006 01:26:21 -0700

Hi kx,

I really like your idea of ASN lookups! Although it hadn't occurred to me
to gather this information with Nmap, after thinking about it I now believe
this information would complement Nmap's rDNS information extremely well!

I definitely think we should integrate ASN into Nmap one way or another.
Using the many available whois servers is definitely an option. As it turns out,
it might even be possible to integrate this ASN lookup into the rDNS system. The company
you mentioned, Cymru, seems to also offer this same information through a DNS
TXT record. The resolution system is even designed similar to the in-addr.arpa domain!

Here's a proof of concept:

perl -ne 'chomp; $ip=join(".", reverse(split(/\./, $_))); print `host -t TXT $ip.origin.asn.cymru.com`;'

It reads IPs from stdin, resolves them using cymru.com's service, and
prints out their BGP Origin ASNs and even a "country" code:

196.2.1.6 (ns.jm) gives

6.1.2.196.origin.asn.cymru.com text "3586 | 196.2.1.0/24 | JM | arin | 1993-02-11"

213.200.94.13 (tradesports.com - Irish book) gives

13.94.200.213.origin.asn.cymru.com text "3257 | 213.200.64.0/18 | EU | ripencc | 2000-11-14"


Dsylexic hackers might prefer to use host directly:

$ host -t TXT 13.94.200.213.origin.asn.cymru.com
13.94.200.213.origin.asn.cymru.com text "3257 | 213.200.64.0/18 | EU | ripencc | 2000-11-14"


I don't know if other providers offer this service or if we'd be comfortable
relying on a single provider. If not, whois might still be a better bet since
it looks as though there are many companies offering that. Whois querying should
then NOT be done by the rDNS framework but rather by the upcoming "NASL" framework.

Using Cymru's DNS system would be very much ideal performance-wise because we
could combine the queries with the rDNS framework and do both at the same time.
Especially when dealing with super-high rtt queries like our recursive DNS requests,
we do well to exploit parallelism as much as we can! 

If we're going to look for information on an IP outside of the DNS system, we
might even want to consider things like more specific geo-location, RBL entries,
maybe even deeper BGP information. It would be really cool if we could determine
if the target is multi-homed and has many paths into its network. This information
could be immediately useful for things like, well, messing with IDS fragment reassembly.

Doug
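The same reversed-octet query name and the "ASN | prefix | CC | registry | date" answer layout that Doug's one-liner relies on, as an added Python example (not code from the thread or from Nmap). It assumes the record layout shown in the two sample answers above; the sample TXT strings are constructed from those, and the resolver is injectable so a real DNS TXT query can be plugged in.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample answers in the "ASN | prefix | CC | registry | date" layout
# quoted in the thread; these stand in for live DNS so the example runs offline.
SAMPLE_TXT = {
    "6.1.2.196.origin.asn.cymru.com": ['"3586 | 196.2.1.0/24 | JM | arin | 1993-02-11"'],
    "13.94.200.213.origin.asn.cymru.com": ['"3257 | 213.200.64.0/18 | EU | ripencc | 2000-11-14"'],
}


@dataclass(frozen=True)
class OriginRecord:  # field names are this example's own, not Cymru's
    asn: int
    prefix: str
    country: str
    registry: str
    allocated: str


def origin_query_name(ip: str) -> str:
    """Build the in-addr.arpa-style name: octets reversed under origin.asn.cymru.com."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input before it reaches DNS
    return ".".join(reversed(str(addr).split("."))) + ".origin.asn.cymru.com"


def parse_origin_txt(txt: str) -> OriginRecord:
    """Parse one TXT answer string into its five '|'-separated fields."""
    fields = [f.strip() for f in txt.strip().strip('"').split("|")]
    if len(fields) != 5 or not fields[0].isdigit():
        raise ValueError(f"unexpected origin TXT record: {txt!r}")
    asn, prefix, cc, registry, allocated = fields
    ipaddress.ip_network(prefix)  # sanity-check that the prefix field is a real CIDR
    return OriginRecord(int(asn), prefix, cc, registry, allocated)


def lookup(ip: str, resolver=lambda name: SAMPLE_TXT.get(name, [])) -> list[OriginRecord]:
    """Map an IP to its origin records. The resolver takes a query name and returns
    the TXT strings for it; the default answers from the constructed samples only."""
    return [parse_origin_txt(t) for t in resolver(origin_query_name(ip))]


if __name__ == "__main__":
    import sys
    # Same contract as the perl one-liner: one IP per line on stdin.
    for line in sys.stdin:
        for rec in lookup(line.strip()):
            print(f"{line.strip()} AS{rec.asn} {rec.prefix} {rec.country} {rec.registry}")
```

An IP outside the sample table yields an empty list rather than an error, which is also the right handling for an address with no announced origin.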




On Mon, May 22, 2006 at 09:32:07PM -0400 or thereabouts, kx wrote:
All of the whois servers I listed are well-respected sources.

More info on the cymru service is here:

http://www.cymru.com/BGP/asnlookup.html

That page also lists their preferred method for bulk lookups.

Cheers,
  kx

On 5/22/06, Fyodor <fyodor () insecure org> wrote:
On Sat, May 20, 2006 at 12:56:41AM -0400, kx wrote:
Just some ideas, not sure what the user base thinks.

AS lookup modeled on the rDNS architecture - asynchronous, parallel,
with caching.  Option to hit whois databases like whois.cymru.com,
whois.radb.net , riswhois.ripe.net, etc... for ASN to IP mapping.
Might consider registration and geo data as well.

That is a good idea.  And I can see how the AS number might be useful
for the Nmap diagram project.  Perhaps there could be circles
containing all of the hosts in a single AS to represent organization
boundaries.  I will add this to the list of possible tasks.  Does
anyone have suggestions as to the best way to obtain this data?

Also, you could probably do this with a simple Nmap Scripting Engine
script.  If such an infrastructure existed yet :).  See my next email.

Cheers,
-F



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev

