Fighting Network Abuse

Team Cymru

Example

$ dig +short 98.146.1.85.origin.asn.cymru.com TXT
"3303 | 85.0.0.0/15 | CH | ripencc | 2005-01-25"
"3303 | 85.0.0.0/13 | CH | ripencc | 2005-01-25"
"3303 | 85.0.0.0/14 | CH | ripencc | 2005-01-25"

General Usage Hints

  • Use a local DNS cache to cache lookup results.
  • Caching is much more efficient if you only do /24 (IPv4) or /64 (IPv6) lookups instead of full IP address lookups.

Network::Abuse::Utils

Bugs fixed, but fixes not released

  • Can’t handle AS results without a date (mostly affects old ASes with small numbers). (Fixed in the Debian package, though.) Example:
$ dig +short 17.origin.asn.cymru.com TXT
"714 | 17.0.0.0/8 | US | arin |"
$ dig +short 0.18.origin.asn.cymru.com TXT
"3 | 18.0.0.0/16 | US | arin |"
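
The two points above (per-/24 lookups for better caching, and answers whose date field is empty) can be handled together when parsing the TXT records. The following Perl sketch is an added example, not code from Network::Abuse::Utils or NetObj; the function names are hypothetical, and the three-label /24 query name is an assumption based on the shortened lookups shown above.

```perl
#!/usr/bin/perl
use warnings;
use 5.014;    # enables strict, say, and the s///r modifier

# Query name for the /24 containing an IPv4 address: drop the last octet and
# reverse the rest (assumed form, following the shortened lookups on this page).
sub origin_qname_24 {
    my ($ip) = @_;
    my @o = split /\./, $ip, -1;
    die "not an IPv4 address: $ip\n"
        unless @o == 4 && !grep { !/\A\d{1,3}\z/ || $_ > 255 } @o;
    return join('.', reverse @o[0 .. 2]) . '.origin.asn.cymru.com';
}

# Parse one IPv4 TXT answer of the form "ASN | prefix | CC | registry | date".
# An empty date becomes undef instead of causing a parse failure.
sub parse_origin_txt {
    my ($txt) = @_;
    $txt =~ s/\A\s*"|"\s*\z//g;                       # strip dig's quotes
    my @f = map { s/\A\s+|\s+\z//gr } split /\|/, $txt, -1;
    return unless @f == 5;                            # -1 keeps the empty date
    my ($len) = $f[1] =~ m{\A[0-9.]+/(\d+)\z} or return;
    return {
        asn      => $f[0], prefix => $f[1], len => $len, cc => $f[2],
        registry => $f[3], date   => (length($f[4]) ? $f[4] : undef),
    };
}

# Several answers can cover one address; keep the longest (most specific) prefix.
sub most_specific {
    my ($best) = sort { $b->{len} <=> $a->{len} } map { parse_origin_txt($_) } @_;
    return $best;
}

# Answers copied from the dig output on this page.
my @for_85 = (
    '"3303 | 85.0.0.0/15 | CH | ripencc | 2005-01-25"',
    '"3303 | 85.0.0.0/13 | CH | ripencc | 2005-01-25"',
    '"3303 | 85.0.0.0/14 | CH | ripencc | 2005-01-25"',
);
say origin_qname_24('85.1.146.98');
for my $r (most_specific(@for_85), parse_origin_txt('"714 | 17.0.0.0/8 | US | arin |"')) {
    say join ' ', "AS$r->{asn}", $r->{prefix}, $r->{cc}, $r->{date} // '(no date)';
}
```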

Our Vision — IP Addresses as Object

Our Vision — Lean, but Moo-compatible

Example

  • First a local module checks my own IP range and my own local DB
  • If that plugin returns DUNNO, the next plugin checks for RFC 1918 IP addresses (192.168.0.0/16, 10.0.0.0/8, etc.)
  • If that plugin returns DUNNO, the next plugin e.g. uses Team-Cymru DNS lookups.
  • etc.

NetObj:: Hierarchy

Already Existing

(deprecated; will likely become obsolete)

  • NetObj::IPv4Address
  • NetObj::MacAddress

Current Idea

Transition to four new second-level module hierarchies:

  • NetObj::IPv4::
  • NetObj::IPv6::
  • NetObj::MAC::
  • NetObj::ASN::

NetObj::IPv4:: + NetObj::IPv6::

NetObj::MAC:: + NetObj::ASN::

Links

Slides

Thanks for listening!