Where does pfBlockerNG pull ASN data from



  • What source does pfBlockerNG use for AS Number data?

    Asking because my ASN data in pfBlockerNG -> Logs -> Original IP Files -> SpamAS_custom (Alias Native) only shows 4 CIDRs.
    There should be 23.

    For AS11282, my /var/db/pfblockerng/original/SpamAS_custom.orig file has

    ### AS11282: as11282 ###
    198.44.224.0/20
    198.44.240.0/21
    198.44.252.0/22
    23.234.56.0/22
    

    I'm pretty sure the data is wrong and I'd like to query the source directly.
    (ie: 23.234.56.0/22 isn't announced by anyone. Some old records list it, though)

    I've done my best to make sure deduplication isn't a factor (list is Alias Native).
    A grep showed some missing CIDRs in other lists but most aren't anywhere.

    Thanks for any info.

    For ref:
    AS11282 actually has

    104.251.224.0/21
    104.251.232.0/22
    104.251.236.0/23
    122.10.121.0/24
    122.10.123.0/24
    192.0.16.0/20
    192.249.80.0/22
    198.1.128.0/18
    198.1.189.0/24
    198.1.190.0/24
    198.1.191.0/24
    198.15.128.0/17
    198.44.224.0/20
    198.44.252.0/23
    198.105.160.0/19
    198.177.56.0/22
    198.177.56.0/23
    198.177.58.0/23
    198.177.60.0/22
    199.231.64.0/22
    199.231.64.0/23
    199.231.66.0/23
    199.231.68.0/22
    

    http://bgp.he.net/AS11282#_prefixes


  • Moderator

    The ASN information is taken from the Merit RADb public registry of network routing information:

    http://www.radb.net/

    The following command will simulate what IPs the RADb query reports:

    mwhois -h whois.radb.net \!gAS11282 | tail -n +2 | tr -d '\nC' | tr ' ' '\n'
    

    At one time, the pkg could download from the BGP site, but they have recently blocked access for non-browser requests…



  • @BBcan177:

    The ASN information is taken from the Merit RADb public registry of network routing information:

    http://www.radb.net/

    That's helpful.
    I'm able to confirm that RADb has wrong data.  I wonder if they accept req from peons to update their database.

    I'll start tracking ASN data from RADb against other ASN record providers.
    If I start seeing a lot of errors I'll post back here about it.

    Appreciate the prompt response.



  • As a workaround, you could create your own IPv4 Alias and put the CIDRs from bgp.he.net in the IPv4 Custom list section, or create a local file with the CIDRs on the FW.



  • Hello.

    A practical example for domain pfsense.org:

    [2.3.2-RELEASE][root@pfSense.mydomain]/root: host -4 pfsense.org
    pfsense.org has address 208.123.73.69
    pfsense.org has IPv6 address 2610:160:11:11::69
    pfsense.org mail is handled by 10 mail.pfsense.org.

    [2.3.2-RELEASE][root@pfSense.mydomain]/root: whois -h whois.cymru.com -- "-c 208.123.73.69"
    AS      | IP              | CC | AS Name
    30312  | 208.123.73.69    | US | NETGATE - Netgate, US

    [2.3.2-RELEASE][root@pfSense.mydomain]/root: mwhois -h whois.radb.net !gAS30312 | tail -n +2 | tr -d '\nC' | tr ' ' '\n'
    192.207.126.0/24

    Maybe … Is there anything wrong in database?

    Regards



  • @javcasta:

    Hello.

    A practical example for domain pfsense.org:

    [2.3.2-RELEASE][root@pfSense.mydomain]/root: host -4 pfsense.org
    pfsense.org has address 208.123.73.69
    pfsense.org has IPv6 address 2610:160:11:11::69
    pfsense.org mail is handled by 10 mail.pfsense.org.

    [2.3.2-RELEASE][root@pfSense.mydomain]/root: whois -h whois.cymru.com -- "-c 208.123.73.69"
    AS      | IP              | CC | AS Name
    30312  | 208.123.73.69    | US | NETGATE - Netgate, US

    [2.3.2-RELEASE][root@pfSense.mydomain]/root: mwhois -h whois.radb.net !gAS30312 | tail -n +2 | tr -d '\nC' | tr ' ' '\n'
    192.207.126.0/24

    Maybe … Is there anything wrong in database?

    Regards

    RADb is correct, but the last tr is cutting the IP; this works:

    mwhois -h whois.radb.net \!gAS30312 | tail -n +2 | tr -d '\nC' | tr '[:space:]' '\n'
    
    192.207.126.0/24
    208.123.73.0/24
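
The registry-versus-reference comparison this thread keeps doing by hand, as an added example that is not part of any post and is not pfBlockerNG code. The function names are hypothetical, the sample reply is constructed from the four CIDRs quoted in the first post, the reference list is a three-entry subset of the list in that post, and the reply framing (a header line first, a lone `C` line last) is assumed from the pipeline shown above.

```shell
#!/bin/sh
# Added example; names and sample data are constructed for illustration.

# Extract IPv4 CIDRs from a raw "!gASnnnn" reply on stdin, one per line.
# Splitting on any whitespace keeps every prefix, and matching on CIDR
# shape drops the header and trailing "C" line without deleting characters.
parse_radb() {
    tr -s '[:space:]' '\n' |
        grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$' |
        LC_ALL=C sort -u
}

# Compare two newline-separated CIDR lists: $1 = registry, $2 = reference.
# Prints prefixes present on only one side, labelled by side.
diff_prefixes() {
    a=$(mktemp); b=$(mktemp)
    printf '%s\n' "$1" | LC_ALL=C sort -u > "$a"
    printf '%s\n' "$2" | LC_ALL=C sort -u > "$b"
    LC_ALL=C comm -23 "$a" "$b" | sed 's/^/registry-only  /'
    LC_ALL=C comm -13 "$a" "$b" | sed 's/^/reference-only /'
    rm -f "$a" "$b"
}

# Constructed sample reply (assumed framing: header line, data, "C" line).
SAMPLE_REPLY='A63
198.44.224.0/20 198.44.240.0/21 198.44.252.0/22 23.234.56.0/22
C'

# Constructed reference: a subset of the announced list in the first post.
SAMPLE_REFERENCE='104.251.224.0/21
198.44.224.0/20
198.44.252.0/23'

# Live use would pipe the thread's query into the parser instead:
#   mwhois -h whois.radb.net \!gAS11282 | parse_radb
demo() {
    diff_prefixes "$(printf '%s\n' "$SAMPLE_REPLY" | parse_radb)" \
                  "$SAMPLE_REFERENCE"
}

demo
```

Lines marked `registry-only` are candidates for stale registrations, and lines marked `reference-only` are prefixes a block list built from the registry would miss.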
    
    


  • Hello

    Thanks, tonymorella :)  ( the last space was my mistake )

    Regards.

