Firewall-busting ASN-lookups – Part 1

[This article was first published on Data Driven Security, and kindly contributed to R-bloggers].

This is a short post on one way to bust through your corporate firewall when trying to use the Team CYMRU ASN lookup facility that we presented in our book. Part 2 will show how to create a vectorized version of this code.

Most corporate networks aren’t going to allow port 43 (WHOIS) access directly, which will make the bulk lookup routines that we presented in Data-Driven Security (the book) fail miserably. The Team CYMRU “API” also works via DNS, and I suspect that gets out in far more places than WHOIS does (just ask any C&C malware author).

The following is a small function that performs an IP to ASN mapping if given a character IP address (see the book for how to use the integer format in R):

#' Return ASN info in list format from a given IP address
#'
#' @param ip input character IP address (defaults to Team CYMRU example address)
#' @return list with "ip", "asn", "cidr", "cn", "registry"
ip2asn <- function(ip="216.90.108.31") {

  # only accept a single dotted-quad IPv4 address: the string is interpolated
  # into a shell command below, so anything else is rejected before system() runs
  if (length(ip) != 1 || !grepl("^([0-9]{1,3}\\.){3}[0-9]{1,3}$", ip)) {
    stop("ip must be a single IPv4 address in dotted-quad form")
  }

  orig <- ip

  # reverse the octets (216.90.108.31 -> 31.108.90.216)
  ip <- paste(rev(unlist(strsplit(ip, "\\."))), sep="", collapse=".")

  # create the 'dig' command string
  dig <- sprintf("dig +short %s.origin.asn.cymru.com TXT", ip)

  # call 'dig' and capture its output (one quoted TXT record per line)
  out <- system(dig, intern=TRUE)

  # no TXT record means the prefix is unknown to Team CYMRU (or the lookup failed)
  if (length(out) == 0) {
    return(list(ip=orig, asn=NA, cidr=NA, cn=NA, registry=NA))
  }

  # unwrap the first record: strip the quotes and split on " | "
  # (ignoring the fifth field, the allocation date, in this example)
  out <- unlist(strsplit(gsub("\"", "", out[1]), " *\\| *"))

  # return as a list
  return(list(ip=orig, asn=out[1], cidr=out[2], cn=out[3], registry=out[4]))

}

ip2asn()
$ip
[1] "216.90.108.31"

$asn
[1] "23028"

$cidr
[1] "216.90.108.0/24"

$cn
[1] "US"

$registry
[1] "arin"

Remember: you can use ?STRING at the R console to look up any routine that you might not be familiar with.

As the Team CYMRU site itself says: “The DNS daemon is designed for rapid reverse lookups, much in the same way as RBL lookups are done. DNS has the added advantage of being cacheable and based on UDP so there is much less overhead.” That means this could be a very robust way to perform these lookups, especially if you set up a wicked-cool DNS caching server.

This function relies on the dig command. Readers who are running Windows might need to install dig before using this function.

Stay tuned for Part 2!
