Yes, traceroute is something that gives a rough estimate of where the IP perhaps could be, up to the level of the ISP hosting it, but traceroute isn't usually allowed to pass firewalls and seldom reaches the target IP on networks where clients really are.
One possibility is that BGP-advertised and known information like https://www.cidr-report.org provides could be used. But like I wrote, commercial GeoIP data providers are not allowed to use WHOIS information from RIR registries. Their ToS generally prevent it from being collected and resold, which is why MaxMind told me that they don't use it.
Thus the LOC information I had updated in the RIPE DB for our records, or any other information there, was not used by MaxMind. Or at least that's what they claim. True or not, I don't know, but that's what they tell you if you ask them.
Also, apparently they did not use the DNS LOC records from the organization domain I maintained either. And I got no answer as to why, nor what they use as their sources of information, as it's more likely some kind of trade secret of theirs.
Agreed. I feel that a lookup table can probably map all emojis possible to a uint32 (maybe optimistically uint16, [1] says there's about 4k emojis, does that include skin variations?). And you can add new ones sequentially after so IDs remain stable.
Someone mentioned this as well in another comment. Turns out most of this could’ve been done as an extension after all :-)
edit: actually, wouldn’t you still need to override the global you’d like to instrument? At that point, the toString of the modified function would leak your hook.
Of course. But if I had to care about things on that level, and I was willing to sit through the C++ compilation process (and everything else that goes along with that), I wouldn't be using Python in the first place.
Probably some sort of command and control for a botnet.
They calculate a random domain name based on the timestamp (so it’s constantly changing every X days in case it gets seized), and have some validation to make sure commands are signed (to prevent someone name squatting to control their botnet).
Wow, that's smart. I was wondering whether there is a way for the bots to generate "unpredictable" domains such that security researchers could not predict them efficiently (even with source code), but the botnet controller can.
Time-lock puzzles come close, but they require that the bots have computing power comparable to the security researchers.
> Wow, that's smart. I was wondering whether there is a way for the bots to generate "unpredictable" domains such that security researchers could not predict them efficiently (even with source code), but the botnet controller can.
There is a fairly simple method which achieves the same advantage for a botnet controller.
1. Use a hash of the current day to derive, for that day, an infinite stream of domain names. This could be something as simple as `to_human_readable_domain(sha256(daily_hash + i))`.
2. A botnet slave attempts to access servers in a diagonal order over (days, domains), starting at the first domain for today and working backwards in days and forwards in domains. An image best describes what I mean by this: https://i.imgur.com/lcEbHwz.png
3. So long as one of those domains is controlled by the botnet operator (which can be verified using a signed response from the server), they can control the botnet.
This means that the botnet operator only needs to purchase one domain every couple of days to keep controlling their botnet, while someone trying to stop them will have to buy thousands and thousands every day.
And when you successfully purchase a domain you can publish the new domain to any connected slaves, so this scheme is only necessary for recruitment into the network, not continued control.
Imgur has been inaccessible for me for months, they're one of those organizations that consider it proper to block whole countries to counter bot abuse.
I've definitely heard of C&C using a plural of domains for this reason. The bots have a list of domains they reach out to, searching for one that is valid.
I believe one issue with this strategy is many corporate VPNs block fresh domains. I guess if the software was pinned to use encrypted DNS instead of whatever the OS recommends, then the DNS blocking could be avoided...
My employer uses Zscaler. I don't know exactly how they implement this, but my educated guess is the corporate DNS server doesn't resolve domains that were created recently.
In technical terms, the device asks the private corporate DNS server for the IP address of the hostname. The private DNS server checks the requested domain against a threat intelligence feed that tracks domain registration dates (and security risks). If the domain is deemed a threat, it either returns an IP address which points at a server that shows a warning message (if HTTP traffic) or returns an invalid IP (0.0.0.0).
There are tools pretty good at detecting DGAs these days, but they are not often implemented.
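As an added example (not code from any comment in this thread), here is a toy policy resolver that combines the two defensive checks described above: the newly-registered-domain feed check from the Zscaler comment (returning 0.0.0.0 for fresh domains) and a lexical DGA heuristic (entropy and vowel ratio of the leftmost label). The feed, the fixed date, the thresholds and the domains are all constructed; treating a domain missing from the feed as fresh is an assumption, not something the thread states.

```python
import math
from collections import Counter
from datetime import date

# Constructed stand-in for a threat-intel feed of registration dates.
REGISTRATION_DATES = {
    "example.com": date(1995, 8, 14),
    "fileserver.example": date(2012, 3, 1),
    "xk3q9vz2mlt.net": date(2024, 5, 30),   # registered three days ago
    "qzv7kx2wpl9m.org": date(2020, 1, 15),  # old, but looks machine-generated
}
TODAY = date(2024, 6, 2)   # fixed so the example is deterministic
MIN_AGE_DAYS = 30          # assumed policy: block anything younger than this
SINKHOLE = "0.0.0.0"       # the "invalid IP" answer described in the thread


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; random-looking labels score high."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_generated(domain: str) -> bool:
    """Lexical DGA heuristic: long, high-entropy, vowel-poor leftmost label.
    Thresholds are assumptions chosen for the constructed sample data."""
    label = domain.split(".")[0]
    if len(label) < 8:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) > 3.0 and vowel_ratio < 0.3


def is_too_new(domain: str) -> bool:
    """Newly-registered-domain check against the (constructed) feed."""
    registered = REGISTRATION_DATES.get(domain)
    if registered is None:
        return True  # assumption: unknown to the feed counts as fresh
    return (TODAY - registered).days < MIN_AGE_DAYS


def resolve(domain: str, real_answer: str) -> str:
    """Return the real answer, or the sinkhole address if either check fires."""
    if is_too_new(domain) or looks_generated(domain):
        return SINKHOLE
    return real_answer
```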
The best thing to do AFAIK is to use services normal users have access to, and communicate via those. It's hard to tell for anyone who's extracting the data from the third party, so the server is hidden (e.g. the bot posts images to Twitter, and the server scrapes the images from Twitter; this is also already old news, but easier and more likely to sail through that next-gen firewall -_-).
I'd say having your 'own' servers and domains is maybe even a bit dated (though sadly still very effective!).
It's one of many possible strategies. Any one strategy can be blocked if it's used by enough malicious actors (e.g. Twitter can be forced to block base64 tweets); if they all use different strategies, it becomes harder to justify blocking each individual one.
If I’m remembering correctly, Conficker was the first major use of this technique. They used a relatively small domain pool (250) so the registries were able to lock them up preemptively.
I remember a couple of legitimate sites getting slammed by an accidental DDoS because the algorithm happened to generate their domain, but I'm having a hard time finding a reference to that.
That might work for the current generation of bots, but it will become infeasible when the domain names are generated in such a way that they overlap with spellable and existing domain names.
You could do that, actually. I brought up AI because it could result in slightly cleaner output than just the naive de-tagging, and because you can use it for general purpose text tasks - not just HTML to plaintext but also semantic message labelling/search, suggestion of task items in a to-do list, maybe some other things too.
For some cases, they might just look up who owns that IP range and put their address as the IP location.