Specific Network Querying

Christopher Morrow morrowc.lists at gmail.com
Thu Dec 30 02:16:07 UTC 2010


On Wed, Dec 29, 2010 at 2:01 PM, John Adams <jna at retina.net> wrote:
> On Wed, Dec 29, 2010 at 6:01 AM, J. Oquendo <sil at infiltrated.net> wrote:
>>
>> Good morning and happy holidays all. I'm in the process of creating an
>> automated filtering application and would like to know if anyone can
>> point me to the right place. I'd like to be able to query a
>> site/db/etc., and pull out specific netblocks to create fw rules.
> [...]
>> But this just gives me entire blocks, not who is behind them. Is there
>> any site I could use to query specifics? E.g., for a gov client: wget
>> -qO - this.site.org | grep "\.gov" | parse_with_awk '{print "fw_rule"}'
>>

given an ASN you can query their announcements from RouteViews DNS no?
(or rsync that and do the lookup locally in whatever form you feel is
helpful)

That probably has some whois data easily tied to it as well...

>
> Given the current IPv4 climate, this sounds like a terrible idea. The
> landscape has changed dramatically from what it once was. Large

if you are updating filters 'quickly' it shouldn't matter, right?
you'll catch things (presuming whois is updated and/or BGP is and you
can tie things back through asn/netblock  relationships, oh...
RPKI...) pretty quickly as they move.

> volumes of mobile carriers use NAT, many IPv6 to IPv4 gateways are out
> there routing traffic, and we'll soon see a time in which entire
> countries are transiting over small chunks of IPv4 space.  Never mind

I don't recall the OP saying 'ipv4' only?

> the fact that applications on services like Google App Engine have a
> different IP nearly every time they connect because of outbound proxy
> pools.

it's probably not 'every time they connect' there's probably some
sensible reasoning behind the decision process.. like your query that
triggers it comes into "METRO-X" and thus outbound queries come from a
netblock for NAT things inside "METRO-X", my query goes to "METRO-Y"
so ... diff netblock.

Inside a set of queries (10-100?) you'll see a repeated set of ips, I suspect.

-chris
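
Added example, not part of the original message or written by anyone in the thread: a sketch of the "do the lookup locally" option, selecting the prefixes originated by chosen ASNs from a local prefix-to-origin table and emitting only the rule changes between two snapshots, for IPv4 and IPv6 alike. The "prefix origin_asn" line format, the `fw_rule add/del` syntax, and the documentation prefixes and ASNs are all assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample snapshots of a locally mirrored prefix-to-origin table.
# The "prefix origin_asn" layout is an assumption, not a real feed format.
SNAPSHOT_OLD = """\
192.0.2.0/25 64500
192.0.2.128/25 64500
198.51.100.0/24 64501
2001:db8:1::/48 64500
"""
SNAPSHOT_NEW = """\
192.0.2.0/25 64500
192.0.2.128/25 64500
203.0.113.0/24 64500
198.51.100.0/24 64501
2001:db8:1::/48 64500
2001:db8:2::/48 64501
"""

def prefixes_for(table, asns):
    """Return collapsed IPv4 then IPv6 networks originated by any ASN in asns."""
    by_version = {4: [], 6: []}
    for line in table.splitlines():
        fields = line.split()
        if len(fields) != 2 or line.startswith("#"):
            continue  # skip blanks, comments and malformed rows
        try:
            net = ipaddress.ip_network(fields[0], strict=True)
            asn = int(fields[1])
        except ValueError:
            continue  # bad prefix (e.g. host bits set) or non-numeric ASN
        if asn in asns:
            by_version[net.version].append(net)
    # collapse_addresses needs one address family per call
    return [n for v in (4, 6) for n in ipaddress.collapse_addresses(by_version[v])]

def rule_delta(old_table, new_table, asns):
    """Rules to add and to remove when moving from the old snapshot to the new."""
    old = set(prefixes_for(old_table, asns))
    new = set(prefixes_for(new_table, asns))
    key = lambda n: (n.version, n)  # networks of different families don't compare
    add = [f"fw_rule add {n}" for n in sorted(new - old, key=key)]  # hypothetical syntax
    remove = [f"fw_rule del {n}" for n in sorted(old - new, key=key)]
    return add, remove

if __name__ == "__main__":
    print(rule_delta(SNAPSHOT_OLD, SNAPSHOT_NEW, {64500}))
```

Run against successive snapshots, the delta stays small and a prefix that changes origin shows up as a removal for the old ASN's rule set.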



