Project

General

Profile

Actions

Bug #13360

open

Not All AS Prefixes are returned by WHOIS

Added by Alex Knop 2 months ago. Updated 2 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
pfBlockerNG
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
2.6.0
Affected Plus Version:
Affected Architecture:

Description

If you set up a rule to do WHOIS on AS4917, these are the prefixes returned by pfBlockerNG:

•    12.187.160.0/24
• 12.187.160.0/21
• 12.187.161.0/24
• 12.187.162.0/24
• 12.187.163.0/24
• 12.187.164.0/24
• 12.187.165.0/24
• 12.187.166.0/24
• 12.187.167.0/24
• 66.138.158.0/24
• 69.150.24.0/24
• 69.150.24.0/21
• 69.150.25.0/24
• 69.150.26.0/24
• 69.150.27.0/24
• 69.150.28.0/24
• 160.19.24.0/24
• 160.19.24.0/22
• 160.19.25.0/24
• 160.19.26.0/23
• 160.19.27.0/24

However if you visit https://asn.cymru.com/cgi-bin/whois.cgi and query 12.232.86.1, you'll see that also belongs to AS4917. It looks like 12.232.86.0/24 (and possibly some others) are missing from the pfBlockerNG results.

Actions #1

Updated by Kris Phillips 2 months ago

I can confirm that subnet should be part of that ASN. However, I cannot recreate this in pfBlockerNG. Are you running the stable or -devel branch?

Actions #2

Updated by Alex Knop 2 months ago

Kris Phillips wrote in #note-1:

I can confirm that subnet should be part of that ASN. However, I cannot recreate this in pfBlockerNG. Are you running the stable or -devel branch?

I am running the stable branch. 2.6.0

Actions #3

Updated by Danilo Zrenjanin 2 months ago

I recommend trying with the pfBlockerNG-devel. Here is the list I got on the devel version:

PfB_AS4917_v4 Table
IP Address     
12.18.187.0/24     
12.187.160.0/21     
12.200.76.0/24     
12.232.86.0/24     
66.138.158.0/24     
69.150.24.0/21     
146.88.30.0/24     
160.19.24.0/24     
160.19.24.0/23     
160.19.25.0/24     
160.19.26.0/24     
160.19.26.0/23     
160.19.27.0/24     
209.37.217.0/24     
216.99.194.0/24 
Actions #4

Updated by Alex Knop 2 months ago

Danilo Zrenjanin wrote in #note-3:

I recommend trying with the pfBlockerNG-devel. Here is the list I got on the devel version:

[...]

Hi,

That worked for AS4917 however the problem exists for an IP in AS16509.
AS | IP | AS Name
16509 | 108.139.38.181 | AMAZON-02, US

However 108.139.38.181 is not one that is returned by a whois on AS16509.......

Actions

Also available in: Atom PDF