Firewall-busting ASN-lookups – Part 1
Want to share your content on R-bloggers? click here if you have a blog, or here if you don't.
This is a short post on one way to bust through your corporate firewall when trying to use the Team CYMRU ASN lookup facility that we presented in our book. Part 2 will show how to create a vectorized version of this code.
Most corporate networks aren’t going to allow port 43
(WHOIS
) access directly, which will make the bulk lookup routines that we presented in Data-Driven Security (the book) fail miserably. The Team CYMRU “API” also works via DNS
, and I suspect that gets out in far more places than WHOIS
does (just ask any C&C malware author).
The following is a small function that performs an IP→ASN mapping if given a character IP address (see the book for how to use the integer format in R):
#' Return ASN info in list format from a given IP address #' #' @param string input character vector for IP address (defaults to Team CYMRU example address) #' @return list with "ip", "asn", "cidr", "cn", "registry" ip2asn <- function(ip="216.90.108.31") { orig <- ip # reverse the octets ip <- paste(rev(unlist(strsplit(ip, "\\."))), sep="", collapse=".") # create the 'dig' command string dig <- sprintf("dig +short %s.origin.asn.cymru.com TXT", ip) # call 'dig' out <- system(dig, intern=TRUE) # unwrap the results (ignoring date in this example) out <- unlist(strsplit(gsub("\"", "", out), "\ *\\|\ *")) # return as a list return(list(ip=orig, asn=out[1], cidr=out[2], cn=out[3], registry=out[4])) } ip2asn() $ip [1] "216.90.108.31" $asn [1] "23028" $cidr [1] "216.90.108.0/24" $cn [1] "US" $registry [1] "arin"
Remember: you can use
?STRING
at theR
console to lookup any routine that you might not be familiar with.
As the Team CYMRU site itself says: “The DNS daemon is designed for rapid reverse lookups, much in the same way as RBL lookups are done. DNS has the added advantage of being cacheable and based on UDP so there is much less overhead.” That means this could be a very robust way to perform these lookups, especially if you setup a wicked-cool DNS caching server.
This function relies on the dig command. Readers who are running Windows might need to install dig
before using this function.
Stay tuned for Part 2!
R-bloggers.com offers daily e-mail updates about R news and tutorials about learning R and many other topics. Click here if you're looking to post or find an R/data-science job.
Want to share your content on R-bloggers? click here if you have a blog, or here if you don't.