Re: [NSE] New script dns-blacklist

[Patrik Karlsson <patrik () cqure net>]

On Sun, Jan 8, 2012 at 2:43 PM, Duarte Silva <duarte.silva () serializing me>wrote:

> On Sunday 08 January 2012 10:24:37 Patrik Karlsson wrote:
> > On Sun, Jan 8, 2012 at 4:05 AM, David Fifield <david () bamsoftware com>
> wrote:
> > > On Mon, Jan 02, 2012 at 11:31:09AM +0000, Duarte Silva wrote:
> > > > Hi Patrik,
> > > >
> > > > I added two new DNSBL providers, one for TOR nodes [1]
> > > >
> > > > [1] https://www.dan.me.uk/dnsbl
> > >
> > > For Tor, let's see if we can use the Tor Project's exit list directly,
> > > rather than some third party that is just querying them anyway.
> > >
> > > https://www.torproject.org/projects/tordnsel.html
>
> I don't think they are only querying TorDNSEL. I'm pretty sure they're
> using
> the servers descriptors directory directly [1][2] (that's what I would).
>
> > > The main difference is whether an address can be considered an exit
> node
> > > depends on the address and port you are relaying to, so those are part
> > > of the query. Apparently TorDNSEL also does active probing to find out
> > > if relays' behaviour actually matches their stated exit policy.
>
> From the documentation of the service:
>
> "Previous DNSELs scraped Tor's network directory for exit node IP
> addresses,
> but this method fails to list nodes that don't advertise their exit
> address in
> the directory. TorDNSEL actively tests through these nodes to provide a
> more
> accurate list."
>
> I think it's quite uninformative service compared to the third party one,
> even
> though, it does actually check if the relay is a exit node and it may be
> able
> to find nodes that aren't listed.
>
> > As far as I can tell the first service also allows us to query for entry
> > nodes. I'm not sure what we want/need and leave that up to the Tor
> experts.
> > If we only want exit nodes, the official Tor Project service is
> obviously a
> > better source.
>
> It depends on what you want. If you want to know, "my corporate <insert
> resource name here> was attacked, should I have blocked that IP address?",
> then the exit nodes, is in part only what you want to know. If you want to
> perform deeper investigations, then it might also be interesting to check
> for
> relays.
>
> > > Another possibly more efficient way is to download the whole relay list
> > > once, and then compare each target address against the list. This also
> > > has the advantage of not needing to disclose the target's address to
> the
> > > exit list operator.
> https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=74.207.254.18
>
> You are disclosing the target IP address in all the DNSBL's. If one cares
> about it, then he really shouldn't be using the script =P
>
> > > David FIfield
> >
> > While I agree with it being more efficient it should probably go into
> it's
> > own script as it's not DNSBL?
>
> I agree.
>
> > Cheers,
> > Patrik
>
> In the attachments follows a patch with some minor changes/fixes and the
> added
> TorDNSEL provider has specified in [3].
>
> [1] https://www.torproject.org/docs/tor-doc-relay.html.en#check
> [2] http://194.109.206.212/tor/status-vote/current/consensus
> [3] https://www.torproject.org/projects/tordnsel.html.en
>
> Regards,
> Duarte Silva


I've applied this patch and another one that I was working on. Thanks for
the contribution!
The change I made was to change the library to use a worker thread for each
provider which increased speed a lot.

Cheers,
Patrik
-- 
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/