amihacked: Omit strange IP addresses

Omit addresses that shouldn't be on the wide internet. This is things like local-network addresses, multicasts, etc. These just make little sense as sources of attacks and it usually means something else than attacks.

amihacked: Omit strange IP addresses
Omit addresses that shouldn't be on the wide internet. This is things like local-network addresses, multicasts, etc. These just make little sense as sources of attacks and it usually means something else than attacks.
5b5bfeb5 · Michal 'vorner' Vaner · 9b75ddfc · 5b5bfeb5
Verified Commit 5b5bfeb5 authored Nov 25, 2016 by Michal 'vorner' Vaner
--- a/src/master/amihacked/jsonize.pl
+++ b/src/master/amihacked/jsonize.pl
@@ -32,10 +32,19 @@ sub flush() {
 	undef $object;
 }

+my $ip6_strange = NetAddr::IP->new("f000::/8");
+my $ip4_strange = NetAddr::IP->new("224.0.0.0/4");
+
 while (<>) {
 	chomp;
 	my ($ip, $date, $cnt, $kind) = split /,/;
 	$ip = NetAddr::IP->new($ip) or die "Bad IP: $ip\n";
+	# Skip addresses that are not interesting:
+	# • Localhost
+	# • Private IPv4 ranges (RFC 1918)
+	# • Multicast IPv4 ranges
+	# • f* IPv6 addresses (there are several kinds of strange addresses, like fe* local ones, ff*multicast ones, etc.
+	next if $ip->is_local() or $ip->is_rfc1918() or $ip->within($ip4_strange) or $ip->within($ip6_strange);
 	if ($last_ip ne $ip) {
 		flush;
 		$last_ip = $ip;