A friend of mine asked me a very basic but fundamental question that I had not addressed until now: "What is netsecdb all about?" Here is my understanding:


[UPDATE]: finished
This will lead to a performance decrease of the firewall-generating scripts.
Dear Sirs,
Dear Madams,
The IPv4 database is nearly complete. Only BRNIC bulk whois access is missing.
netsecdb only imported data from offending networks.
Current stats:
2010-08-31 23:17:39
known nets: 7667564
bgp-routes: 7074043
Networks from DE, CH, AT, BE, NL, FR, GB, LU, LI, IE, IT, CZ, SE, GR, PT, NO, PL, IS, FI, ES, DK, SK, HU, RO, BG, LT, LV, EE, US, CA, IL, RU and defined customer nets don't get blocked but get tickets instead. If a netrange's abuse e-mail address is invalid/non-functional, the range gets blocked.
Today, we opened Turkish networks.
This affected 1329 locked netranges - 145 remain blocked.
They will be handled like DE, CH, AT, BE, NL, FR, GB, LU, LI, IE, IT, CZ, SE, GR, PT, NO, PL, IS, FI, ES, DK, SK, HU, RO, BG, LT, LV, EE, US, CA, IL and RU now.
After importing millions of records from different whois registries, it's time to validate the content.
This affects approx. 7.7 million records, but runs silently in the background.
Had a request from a German ISP to give a full report about the status of all his registered network segments.
Because netsecdb does not contain any AS records (no AS, no POC, no ORG - see documentation), the routines work on the basis of netname and org_id and report any security-related information for all networks in ascending order.
Structure:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ RESULT START
IP : starting IP of segment
ID : id in database
NAME : network name
PARENT :
SIZE : how many ips in segment
Range : startip - endip
CIDR : net in CIDR notation
regdate: explains itself
Org-ID : Organization Name
blocked: is blocked?
Worm-Hosts :
List of Conficker worm destinations
Bot Hosts :
List of IPs hacking/portscanning
Mailer-Bot Hosts :
List of spamming IPs
Open Proxies:
List of IPs with publicly usable proxies
...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ RESULT END
[UPDATE]: is finished.
This will lead to a performance decrease of the firewall-generating scripts.
Due to a complete backup job of the moved content, we took the complete server off the net and synced. This was planned for only a few hours ... but finally ended at approx. 9:00 MEST this morning.
Successfully synced with AUNIC whois db today.
[Update]: finished.
This will lead to a performance decrease of the firewall-generating scripts.
Successfully synced with JPNIC last night.
netsecdb moved to a new server, i.e. the statistics crons will lack information from the past hours.
Today, we successfully synced with AFRINIC whois database.
Thanks for their support.
[Update] finished.
This will lead to a performance decrease of the firewall-generating scripts.
done.
[UPDATE] successfully finished.
[UPDATE] truncated POC and ORG tables, now parsing nethandles ...
[UPDATE] successfully tested parser in devunits - going productive.
This will lead to a performance decrease of the firewall-generating scripts.
There was enough time to implement protection schemes into proxies like tor and jad.
We'd stopped protection of known tor exit nodes.

Copyright © 2008-2010 Claus Marxmeier EDV-Service
