#Analysis Of The Internet Routing Registry Assignment Help | Explore Tumblr posts and blogs

jennifersnyderca90 · 7 years ago

Text

Notorious ‘Hijack Factory’ Shunned from Web

Score one for the good guys: Bitcanal, a Portuguese Web hosting firm long accused of helping spammers hijack large swaths of dormant Internet address space over the years, was summarily kicked off the Internet this week after a half-dozen of the company’s bandwidth providers chose to sever ties with the company.

Spammers and Internet service providers (ISPs) that facilitate such activity often hijack Internet address ranges that have gone unused for periods of time. Dormant or “unannounced” address ranges are ripe for abuse partly because of the way the global routing system works: Miscreants can “announce” to the rest of the Internet that their hosting facilities are the authorized location for given Internet addresses. If nothing or nobody objects to the change, the Internet address ranges fall into the hands of the hijacker.

For years, security researchers have tracked the suspected theft of millions of IPv4 Internet addresses back to Bitcanal, which was also doing business under the name “Ebony Horizon.” Experts say shortly after obtaining a chunk of IP addresses, Bitcanal would apparently sell or lease the space to spammers, who would then begin sending junk email from those addresses — taking full advantage of the good or at least neutral Internet reputation of the previous owner to evade anti-spam blacklists.

Much of the hijacked address space routed by Bitcanal was once assigned to business entities that no longer exist. But some of the more brazen hijacks attributed to Bitcanal and its customers involved thousands of Internet addresses assigned to active organizations, such as the company’s well-documented acquisition of address space assigned to the Texas State Attorney General’s office, as well as addresses managed by the U.S. Department of Defense.

Bitcanal’s reputation finally caught up with the company late last month, when anti-spam activist and researcher Ron Guilmette documented yet another new major IP address hijack at the company and challenged Bitcanal’s upstream Internet providers to stop routing traffic for it (KrebsOnSecurity has published several stories about previous high-profile IP address hijacks involving spammers who were flagged by Guilmette).

Guilmette said Bitcanal and its proprietor — Portuguese businessman Joao Silveira — have a well-documented history of “behaving badly and coloring outside the lines for literally years.”

“His actions in absconding with other people’s IP address space, over the years, are those of either a spoiled child or else those of a sociopath, depending on one’s personal point of view,” Guilmette said. “In either case the Internet will, by and large, be glad to see his backside, and will be better off without him.”

Doug Madory, a researcher for Internet performance management firm Dyn (now owned by Oracle), published a blog post chronicling Bitcanal’s history as an address “hijack factory.” That post also documents the gradual ostracization of Bitcanal over the past week, as one major Internet exchange after another pulled the plug on the company.

Dyn’s depiction of Bitcanal’s final remaining upstream Internet provider pulling the plug on the company on July 10, effectively severing it from existence on the Web. Source: Dyn.

Reached for comment just days before Bitcanal was shunned by all of its peering providers, Mr. Silveira expressed shock and surprise over what he called unfair attacks against his company’s reputation. He blamed the besmirchment on one or two “bad” customers who abused his service over the years.

“My thought is that one or two customer in my network maybe [imitated] people acting like a client and force the errors or injecting bad network space,” Silveira said in an emailed response to KrebsOnSecurity. “I am not the problem and this public trial and conviction will not solve the prefix hijacking matter. If these questions remain without solution, those actors will keep doing it.”

Another business tied to Mr. Silveira suggests that Bitcanal/Ebony Horizon has long been actively involved in obtaining sizable chunks of Internet address space on behalf of its clients. The same contact phone number that once existed on the (now unreachable) home page of Bitcanal.com also appears on the homepage of ip4transfer.net, a company that advertises the ability to lease large chunks of Internet address space.

Bitcanal owner Joao Silveira.

The current WHOIS registration records for ip4transfer.net are mostly redacted by domain registrar GoDaddy, but the name Ebony Horizon appears as the current business name, and Mr. Silveira’s name is on the original domain registration records from 2016, according to historic WHOIS records maintained by DomainTools [full disclosure: DomainTools is an advertiser on this blog].

Much of the content on ipv4transfer.net seeks to answer questions about what customers should expect when leasing address space from the company, including the possibility that some leased address ranges could be flagged as malicious or spammy by Spamhaus.org, an anti-spam group whose spam blacklists are relied upon by many ISPs to block large-scale spam campaigns. Prior to Bitcanal’s final disconnection this week, Spamhaus had blacklisted virtually all of Bitcanal’s address ranges as sources of spam and/or malicious email.

“Legitimate IP address space brokers don’t need to spend a lot of ink telling their customers how to avoid getting their shiny new IP address blocks listed by Spamhaus, or how to get them unlisted by Spamhaus, or what to do about it if the shiny new block they just purchased is already listed by Spamhaus,” Guilmette said.

Because the global routing of Internet address space is largely based on trust relationships between and among network operators, those operators have an obligation to ensure they’re not inadvertently facilitating the hijacking of Internet address space.

Perhaps coincidentally to the disconnection of Bitcanal, the RIPE Network Coordination Centre — one of the five global Regional Internet Registries (RIRs) providing Internet address allocations — on July 10 published an analysis of route hijacking activity across the Internet. The analysis includes a set of tips for network operators to help avoid contributing to the overall problem.

from https://krebsonsecurity.com/2018/07/notorious-hijack-factory-shunned-from-web/

0 notes

okal · 7 years ago

Text

Adventures in Python static analysis

I had an opportunity, in mid-2017, to work on tooling to weed out dead code from one of the codebases I work on at Jumo¹. We use an in-house framework for building USSD² applications, the main mode of interaction users have with our lending platform.

There isn’t much of a FOSS USSD ecosystem, so the framework had to solve a lot of basic problems in novel ways. Some of the most interesting aspects of it have to do with session management - USSD being a stateless protocol without any widely adopted session management standards, and a metaclass³ based routing model. We experienced some growing pains around this, as both the team, and the product pipeline expanded. Debugging, for instance, often proved difficult as we had entire user journeys left behind by feature development. The routing registry uses string based keys, rather than actual references, making it difficult for automated tools to tell apart dead from “living” code. You could rely on grep to an extent to naively check which handler classes - somewhat analogous to a view/controller hybrid in a typical MVC model - are linked to by others, but that didn’t reveal end-to-end flow information.

This set of problems proved to be a headache for feature development, as modules grew to unmanageable sizes, slowing down delivery.

Having had some prior experience building parsers in Python, this seemed as good a chance as any to exercise what little knowledge I had lingering from Compilers 101.

Tool survey

During an internship with Wezatele, one of the predecessor companies to Jumo, I had a chance to work on a pseudo-natural language driven SMS-based ordering system. I don’t know if it ever went into production, but it was some of the most technically fulfilling work I had done (and have done) up until now. The “pseudo” is important. It was actually just a constrained DSL allowing customers to place orders without access to an Internet connected device. This was a time before wide smartphone penetration in Kenya, so it was essential to target low tech devices.⁴ I still remember my prized Nokia N97, then, to my young mind, the pinnacle of technical refinement, before the infamous burning platform memo that presaged the downfall of Nokia. But I digress…

For that particular problem, the CTO suggested PyParsing⁵, a library for - you guessed it - building parsers in Python. With that background, my first thought was to build a parser that understood the intricacies of the USSD framework routing protocol. I quickly realised that it would have been a fool’s errand to attempt to write a full blown Python parser, as several already existed, but whatever solution there was had to have high-level semantics for me to work with it comfortably. That’s when I stumbled upon the Python ast⁶ module. It ships with the standard library, and is essentially a wrapper around the lower level _ast module. (Note the underscore).

Static analysis enables you to inspect code without actually running it, which helps keep build times short.

The approach I took boiled down, in essence, to

1. Reading source files into strings. 2. Parsing the source into a high level Abstract Syntax Tree representation using ast.parse. 3. Filtering to only subclasses of the base handler class, which were the most affected by the dead code scourge. 4. Flattening the AST nodes nested within each class to pull out the routing information. There were multiple different ways, each suited to different contexts, for doing this. These were, thankfully, widely understood within the team. As a precursor to this line of work, I worked on a document detailing the internals of the framework. One did not exist yet, as development had been driven organically by product needs up until that point. 5. The code would then construct all possible routes from each handler, and use that to build a tree detailing, from start to finish, all possible user journeys supported by the handlers in question. 6. Given these possible paths, the correct one would be determined by filtering out those that didn’t start from the known correct starting point. These would then be returned as a list of “dead handlers”. 7. I then wrote a Django⁷ management command that would accept as parameters, the file path to a module containing handlers, and the starting point. This led to a great reduction in dead code, though some of the checks resulted in false positives. Our CI⁸ tool would flag any dead code with a broken build, allowing reviewers to add false positives to a whitelist to reduce noise.

A quick primer

Given the following code, loosely mimicking the USSD framework handler model, your task is to determine which handlers are no longer part of the user journey.

handlers.py

class Welcome(Handler): def handle(self, request): if request.user.is_logged_in: return request.redirect('Feed') else: return request.redirect('SignIn') class SignIn(Handler): next_handler = 'Feed' class Feed(Handler): next_handler = 'Quit' def handle(self, request): return self.display("What's happening") class LegacySignIn(Handler): previous_handler = 'LegacyWelcome' def handle(self, request): if request.user.has_active_subscription: return request.redirect('LegacyFeed') else: return self.display('Please supply your credentials') class LegacyFeed(Handler): next_handler = 'Quit' def handle(self, request): return self.display("What happened back then") class SomeUtilityClass: def do_useful_stuff(self): return self.done() class Quit(Handler): def handle(self, request): return self.display('Adios!') def some_utility_function(params): return do_stuff_with_the_params(params)

detectors.py

from ast import parse from _ast import ClassDef, FunctionDef, Assign, If, Expr, Call, Return from operator import concat def is_class(node): return isinstance(node, ClassDef) def is_handler(node): type_ids = map(lambda base: base.id, node.bases) return reduce( lambda type_id, id_is_Handler: type_id is 'Handler' or id_is_Handler, type_ids, None ) def get_ast(module_path): with open(module_path) as module_file: source = module_file.read() tree = parse(source).body return tree def get_handler_nodes(tree): classes = filter(lambda node: isinstance(node, ClassDef), tree) handlers = filter(is_handler, classes) return handlers def deconstruct_body(node): accumulator = [] if hasattr(node, 'body'): accumulator.extend(map(deconstruct_body, node.body)) if hasattr(node, 'orelse'): accumulator.extend(map(deconstruct_body, node.orelse)) else: accumulator.append(node) return accumulator def flatten_nodes(deconstructed_handler_body): accumulator = [] for item in deconstructed_handler_body: if isinstance(item, list): accumulator.extend(flatten_nodes(item)) else: accumulator.append(item) return accumulator def is_assignment_exit_path(node): return isinstance(node, Assign) and node.targets[0].id in ['next_handler', 'previous_handler'] def extract_exit_path(node): if isinstance(node, Assign) and node.targets[0].id in ['next_handler', 'previous_handler']: return node.value.s elif isinstance(node, Return) and isinstance(node.value, Call) and node.value.func.attr == 'redirect' and node.value.func.value.id == 'request': return node.value.args[0].s def get_handler_exit_paths(handler_class_ast): deconstructed_body = deconstruct_body(handler_class_ast) flat_node_list = flatten_nodes(deconstructed_body) return ( handler_class_ast.name, filter( lambda exit_path: exit_path is not None, reduce( lambda exit_path_list, node: [extract_exit_path(node)] + exit_path_list, flat_node_list, [] ) ) ) def is_handler_in_journey(test_handler, initial_handler, exit_path_registry): if test_handler == initial_handler: return True exit_paths = exit_path_registry[initial_handler] if len(exit_paths) == 0: return False for handler in exit_paths: if test_handler == handler: return True else: return is_handler_in_journey(test_handler, handler, exit_path_registry)

To Test

def test_handler_is_in_journey(handler_to_test, initial_handler, module_path): module_ast = get_ast(module_path) handler_nodes = get_handler_nodes(module_ast) exit_path_registry = dict( map( get_handler_exit_paths, handler_nodes ) ) assert is_handler_in_journey(handler_to_test, initial_handler, exit_path_registry)

The below code passes silently

test_handler_is_in_journey('SignIn', 'Welcome', 'handlers.py')

The below code throws an AssertionError

test_handler_is_in_journey('LegacySignIn', 'Welcome', 'handlers.py')

Last words

While this particular illustration is quite specific to the Jumo context, these same tools and approaches can be used to reduce manual effort in your development workflow. An example would be detecting unused views in a web application that uses string-based routing.

¹ https://jumo.world ² Unstructured Supplementary Service Data: https://en.wikipedia.org/wiki/Unstructured_Supplementary_Service_Data ³ http://python-3-patterns-idioms-test.readthedocs.io/en/latest/Metaprogramming.html ⁴ As a side note, it’s only now struck me that most of my career has been around targeting low tech delivery media. ⁵ PyParsing: http://pyparsing.wikispaces.com/ ⁶ https://docs.python.org/2/library/ast.html ⁷ Django: https://www.djangoproject.com/ ⁸ Continuous Integration: https://www.thoughtworks.com/continuous-integration

#python #static-analysis

1 note · View note