Dec 19, 2016

Quickly grasp what an Autonomous System is up to

With some filtering, the solution to an issue was presented to me in an obvious way.

The ingredients: online databases publishing the IP blocks of an AS (Autonomous System); rgxg cidr, a tool that converts such a block into a greppable regex; a short bash loop to combine the regexes; and finally goaccess, an ncurses tool that aggregates information gathered from access logs. goaccess also takes its input from a pipe, so it integrates nicely with quick questions posed further up the filtering pipeline.

Copy-paste the list of IP blocks into a file (here called list, one CIDR block per line):

# rgxg cidr turns each block into a regex; the loop joins them with '|'
# and sed strips the trailing '|' left by the last iteration
for ipblock in $(cat list); do
    echo -n "($(rgxg cidr $ipblock))|";
done | sed 's/|$//g'

and then (the regex contains '|' and parentheses, so it must be quoted for the shell): zgrep -h -E '<insert generated regex>' accesslogs.*.gz | goaccess -r --log-format=COMBINED --date-format='%d/%b/%Y' --time-format='%H:%M:%S' -

Lazy extra, to get a valid IPv4 regex quickly: rgxg cidr 0.0.0.0/0:

(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3}

The same regex is also usable to egrep the blocks out of a curl to an online service listing them; add the notation for the block size (/24) to the pattern.

So what did it help me with? Most eBay auction tools apparently didn't follow 1-hop redirects for the image URLs to be uploaded when listing programmatically. Seeing the whole eBay AS on the image URL paths, with only one HTTP 200 for every three 301s, it seemed clear the links can't be handed over in a manner that would trigger a redirect (in path or scheme). You could have seen this behaviour from only a handful of requests, but the 1:3 distribution over a few thousand made it obvious.

Another possible explanation is that some eBay crawlers were based on Java 1.6 at that time and couldn't negotiate the SSL connection. But as far as I remember, the host didn't have a modern TLS config.

AS62955-eBayBackbone

Example

for ipblock in 209.140.188.0/22 216.113.188.0/22 74.120.181.0/24 8.42.112.0/20 8.42.112.0/24 8.42.113.0/24 8.42.114.0/24 8.42.115.0/24 8.42.116.0/24 8.42.117.0/24 8.42.123.0/24 8.45.64.0/20; do
  echo -n "($(rgxg cidr $ipblock))|";
done | sed 's/|$//g'
(209\.140\.(19[01]|18[89])\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))|(216\.113\.(19[01]|18[89])\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))|(74\.120\.181\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))|(8\.42\.(12[0-7]|11[2-9])\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))|(8\.42\.112\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))|(8\.42\.113\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))|(8\.42\.114\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))|(8\.42\.115\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))|(8\.42\.116\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))|(8\.42\.117\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))|(8\.42\.123\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))|(8\.45\.(7[0-9]|6[4-9])\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))
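The same question (which status codes does the eBay AS get on the image paths?) answered in Python instead of the rgxg/zgrep/goaccess pipeline. This is an added example, not code from the post; it parses COMBINED log lines, tests the client IP against the AS62955 blocks listed above with the ipaddress module rather than a regex, and tallies status codes. The log lines are constructed samples, and the user agents in them are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Distinct AS62955 blocks from the example above; the /24s listed there
# all fall inside 8.42.112.0/20, so they are not repeated here.
AS62955_BLOCKS = [ipaddress.ip_network(c) for c in (
    "209.140.188.0/22", "216.113.188.0/22", "74.120.181.0/24",
    "8.42.112.0/20", "8.45.64.0/20",
)]

# Minimal COMBINED-format parser: client IP, timestamp, request line, status.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)

def in_blocks(ip, blocks):
    """True when the IP string falls inside any of the given networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # malformed field, e.g. a garbled log line
        return False
    return any(addr in net for net in blocks)

def status_distribution(lines, blocks=AS62955_BLOCKS):
    """Count HTTP status codes of requests whose client IP is in blocks.

    Membership is tested on the parsed address, so unlike an unanchored
    regex grep, 18.42.112.5 is not mistaken for 8.42.112.5.
    """
    counts = Counter()
    for line in lines:
        m = COMBINED_RE.match(line)
        if m and in_blocks(m.group("ip"), blocks):
            counts[m.group("status")] += 1
    return counts

# Constructed sample log lines (not from the post) showing the 1:3 pattern.
SAMPLE_LOG = [
    '8.42.112.5 - - [19/Dec/2016:10:00:01 +0000] "GET /img/1.jpg HTTP/1.1" 301 178 "-" "Java/1.6.0"',
    '8.42.113.9 - - [19/Dec/2016:10:00:02 +0000] "GET /img/2.jpg HTTP/1.1" 301 178 "-" "Java/1.6.0"',
    '209.140.190.7 - - [19/Dec/2016:10:00:03 +0000] "GET /img/3.jpg HTTP/1.1" 301 178 "-" "Java/1.6.0"',
    '216.113.189.2 - - [19/Dec/2016:10:00:04 +0000] "GET /img/4.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '18.42.112.5 - - [19/Dec/2016:10:00:05 +0000] "GET /img/5.jpg HTTP/1.1" 200 5120 "-" "curl/7.50"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    print(status_distribution(SAMPLE_LOG))  # Counter({'301': 3, '200': 1})
```

To run it over real logs, feed the lines from zgrep (or any file iterator) to status_distribution instead of SAMPLE_LOG.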