My longest-standing friend decided last year, at the end of the year, that he wanted to get me some books (thanks a great deal, by the way, Mark – it means a damn lot and I’m eternally grateful we’ve stayed in contact throughout the years). While he lives in England and I live in California, we’ve “known” each other for almost 18 years. There was a problem with Amazon.com, and he was also in New York as part of his job for part of this time, so the gifts did not arrive until yesterday. Now, of course I could not know every detail of the books, but one of them was a Linux networking book. It is more like a recipe book, and while there is some of it I know (and some I know very well), and some that is not useful to me, there is going to be some in which I find something of interest or use. Which brings me to this post. Obviously I know of the whois protocol, but what I did not know about is the utility ‘whatmask’. There is a similar utility called ‘ipcalc’, but on CentOS it is very different from what you would expect and I found many problems with it. So I was looking at the book (the name fails to come to mind at this time), briefly skimming sections, and I noticed they discussed this very thing and mentioned the alternative ‘whatmask’ on CentOS and Fedora Core.
I thought this would be very interesting to see. Sure, you can do it by hand, but this is much more time efficient and gives you a quick summary. Further, with whois, you can confirm your suspicions. Yes, I know that if whois shows a netblock as (this is of course a private block) 10.0.0.0 – 10.255.255.255, then the CIDR notation is /8. But that is beside the point, and if I were to consider that, then I would have nothing to write about (and it has been quite a while since I have written anything strictly technical – something I’ve been wanting to correct since my birthday last month but have been too busy working on a project that is pretty important to me).
Now, then, about dealing with abusive networks. Firstly, there are many ways to take care of a network. I am obviously not condoning nor suggesting anything malicious, nor am I condoning or suggesting anything at their end. The Linux kernel has netfilter, which is what iptables (the IPv4 firewall) and ip6tables (the IPv6 firewall) use. Yes, I could write out an iptables rule to stop all traffic from a certain network, but this is less efficient than simply adding a blackhole route for that address. The problem was, how do you determine the entire range of IPs that they own? I seem to remember that they had different blocks. Further, a whois on the domain won’t show the network block (forget for a moment that it does when you use an IP in the netblock). Either way, the procedure below can be done for any IP.
The network in question is hinet.net and is located in Taiwan. The abuse is not so much attack attempts, and it is not necessarily the owner’s fault (it is an ISP). What it is, though, is a lot of spam attempts (to accounts that don’t exist on my end, and relay attempts to other hosts, neither of which I allow, just like all responsible administrators; indeed, running an open relay – notwithstanding an administrator who unknowingly makes a mistake or has a flaw exploited on their server – is nothing but malicious, as far as I am concerned). Since this is an ISP (I know it is, in fact, because I remember seeing dynamic IPs in their block or blocks before), they don’t need anything from my network. And even if they have customers who are corporations, the fact of the matter is, I am not a customer of said corporation, I’ve never seen such a corporation, and I don’t actually care: abusive networks are not something anyone on the receiving end would tolerate (just like if someone walks up behind you and hits you in the back, you would not exactly tolerate it). So, let us take an IP in their network and see the ways to determine all IPs in the block that IP is in:
One of the IPs is ’126.96.36.199′. This is one that I specifically added a blackhole route for, and that means one thing and one thing only: I saw it attempt what I described above. So what do you do? Well, firstly, I run fail2ban (one option of many) and I’m fairly restrictive on how many failures I allow (like, 1) before they are blocked. But let’s assume you want to take care of ALL IPs in that block (because you’ve seen many over the years) and you don’t even want to give them a chance to connect to your services. Then what you do is the following. Note that I am limiting the output here.
$ whois 188.8.131.52 | grep -E 'NetRange|inetnum|CIDR'
inetnum: 184.108.40.206 - 220.127.116.11
Note that if you see CIDR in the output, then you have the network block right there. If, however, you see NetRange or inetnum (there may be others that I’ve not seen, so your mileage may vary, and it may be wise not to pipe the output to grep), then you don’t have the block, at least not in a notation that setting a blackhole route will accept.
Now, the inetnum output above would tell me that the CIDR notation is /16, so if I add a blackhole route for 18.104.22.168/16 then I am set. But assume for a moment that you don’t know that. Well, here is where whatmask comes in handy. Sort of. It does need a CIDR notation, with or without an address. Consider the facts that /32 is one single address (which whatmask will show as 0 usable addresses, because it is considering a network block, which therefore includes a network address and a broadcast address – it assumes the address you specified IS the network and broadcast address), that /0 is every single IPv4 address (which is 2 ^ 32, much like IPv6 has 2 ^ 128 IPs), that /31 is 1 address and, more generally, that the common network block sizes (in CIDR notation) are /8, /16 and /24 (/8 having the most addresses, /16 having fewer than /8 but more than /24, and /24 having the fewest of those). Then you know that the possible CIDR numbers you can specify are between /0 and /32. It won’t be /0 and it won’t be /32; it won’t even be /31 for a network block (at least not in this way; a network needs a broadcast address – in IPv4 – and a network address), so you can just play around with it if you don’t know. Over time you get used to recognising the proper CIDR notation, but understand this: the number after the slash is how many bits are reserved for the network portion of the address. So if it is /8, then 32 – 8 = 24 is how many bits are available to hosts, which is why the higher the number after the slash, the fewer IPs are available. When you find the right number, you can then do this:
$ whatmask 22.214.171.124/16
TCP/IP NETWORK INFORMATION
IP Entered = ..................: 126.96.36.199
CIDR = ........................: /16
Netmask = .....................: 255.255.0.0
Netmask (hex) = ...............: 0xffff0000
Wildcard Bits = ...............: 0.0.255.255
Network Address = .............: 188.8.131.52
Broadcast Address = ...........: 184.108.40.206
Usable IP Addresses = .........: 65,534
First Usable IP Address = .....: 220.127.116.11
Last Usable IP Address = ......: 18.104.22.168
Now observe the following things:
- The result of the filtered whois output shows:
22.214.171.124 - 126.96.36.199
- The Network Address line in the whatmask output is:
- The Broadcast Address line in the whatmask output is:
- The First Usable IP Address line in the whatmask output is:
- The Last Usable IP Address line in the whatmask output is:
- Add these together, and you know that the netblock IS
188.8.131.52 - 184.108.40.206 which means that the proper netblock in CIDR notation IS
Putting that together, you can add to your firewall script or some other script (one that runs when you boot your computer, so the route is still there after the next reboot) a command like so (note the # as the prompt – you need to be root to do this, so either add sudo in front of it or su to root, then do what you need to do, followed by logging out of root):
# ip route add blackhole 220.127.116.11/16
# ip route show
(Technically, yes, the ip route show command will show more output, but I am showing only the route we added, for the sake of brevity.)
After this, no IP in that range will EVER reach your box directly (I won’t get into what happens if they breach another box in your network and connect from that box to the box you blocked them from, nor will I discuss segregating networks, because those are other issues entirely).
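The whole procedure above – grep the whois output for a range or CIDR line, work out which prefix covers the range, check the network/broadcast/usable fields the way whatmask prints them, then build the blackhole route – can be done without guessing the prefix. The script below is an added example written for this post; it is not whatmask’s code nor anything from the original post, and it uses only Python’s standard library ipaddress module. The whois text it parses is constructed sample input using private ranges (172.16.0.0/16, 10.0.0.0/8), not real whois output. It goes one step beyond the post: when a “first - last” range is not an exact power-of-two block (an allocation spanning two /24s, say), it returns every CIDR block needed to cover it instead of one prefix that would under- or over-block.

```python
"""Turn a whois-style address range into CIDR blocks and a whatmask-like summary.

Added example (not from the original post, and not whatmask's own code).
Standard library only; the whois lines below are constructed sample input.
"""
import ipaddress
import re

# Constructed sample of the lines the post greps for: a RIPE/APNIC style
# "inetnum" range and an ARIN style "CIDR" line. Private ranges are used so
# nothing here refers to a real network.
SAMPLE_WHOIS = """\
inetnum:        172.16.0.0 - 172.16.255.255
netname:        EXAMPLE-NET
CIDR:           10.0.0.0/8
"""

RANGE_RE = re.compile(r"^(?:inetnum|NetRange):\s*(\S+)\s*-\s*(\S+)", re.I | re.M)
CIDR_RE = re.compile(r"^CIDR:\s*(\S+)", re.I | re.M)


def blocks_from_whois(text):
    """Return every IPv4 network named in the whois text as ip_network objects.

    A CIDR line is taken as-is. A "first - last" range is converted with
    summarize_address_range, which yields one network when the range is an
    exact block and several when it is not, so nothing outside the range is
    blocked and nothing inside it is missed.
    """
    nets = []
    for first, last in RANGE_RE.findall(text):
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    for cidr in CIDR_RE.findall(text):
        nets.append(ipaddress.ip_network(cidr, strict=False))
    return nets


def summarize(net):
    """Compute the fields whatmask prints, with the same convention the post
    describes: network and broadcast addresses are never counted as usable,
    so a /31 and a /32 both report 0 usable addresses."""
    host_bits = net.max_prefixlen - net.prefixlen      # 32 - prefix
    usable = max(net.num_addresses - 2, 0)
    return {
        "cidr": f"/{net.prefixlen}",
        "netmask": str(net.netmask),
        "netmask_hex": f"0x{int(net.netmask):08x}",
        "wildcard": str(net.hostmask),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "host_bits": host_bits,
        "usable": usable,
        "first_usable": str(net.network_address + 1) if usable else None,
        "last_usable": str(net.broadcast_address - 1) if usable else None,
    }


def blackhole_commands(nets):
    """The commands (run as root) to drop into a boot-time script."""
    return [f"ip route add blackhole {net.with_prefixlen}" for net in nets]


if __name__ == "__main__":
    found = blocks_from_whois(SAMPLE_WHOIS)
    for net in found:
        print(net.with_prefixlen, summarize(net))
    print("\n".join(blackhole_commands(found)))
```

Run it as-is to see the two sample blocks summarised; to use it on a real allocation, replace SAMPLE_WHOIS with the output of the whois command from the post. The commands it prints are only printed, not executed, so you can review them before putting them in a firewall script.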