What Criteria Does PeerGuardian Use?

I have been using PeerGuardian 2 for some weeks now. It purports to block
742,928,052 ip's as of todays updates. I asked their forum if it blocks incoming and outgoing packets to my PC and the answer was yes.

That is by way of background only for my fellow members. I also have a FW In/Out, a real time AV and ASW's the vendors don't matter here in this thread.

The question is "What Criteria Does PeerGuardian Use in selecting ip's to block?"

Or if you don't like that question replace "Does" with "Should" .

Or if you don't like PeerGuardian replace it with your vendor's name.


How can this project known as Blocklist.org know what rules to use for you or me or anybody?

I know that I can create my own block list and I have done that but again what does everybody think?

 

Well Bluetack/Peerguardian's IP lists are separated into categories based on affiliation or behavior.

The download section for bluetack's lists includes brief descriptions. Some lists like "Microsoft list" are more self explanatory than others.

 

Hi all

Good question indeed !

PeerGuardian blocked millions of IPs but who and how it's decided?

I understand that PG2 was for P2P users and they blocked some IP from RIAA
but why blocking "General electric", Pickaway county, Intel, Proskower Rose (), Canadian Broadcasting Corp., and many other ...

How it's related to confidentiality with P2P programs?

In the BLM list you'll find also may Tor exit nodes. Why ?

Second question: is it possible to used PG2 as security program in general not only for P2P ?

Hope somebody here have some hints about this.

Thank you.

 

Yes; there are many other lists (besides p2p) you can use. There are lists to block ads, govt sites, spyware, and you can also use any of teh bluetack lists.

 

I wouldnt be too suprised if the exit nodes contain govt, spyware...

 

Hi acknsyn

Yes ... possible after all.

But this include Tor nodes like:

Tor.moria1:18.244.0.188-18.244.0.188
Tor.moria2:18.244.0.114-18.244.0.114
of
moria.csail.mit.edu !!!

Ref.:
https://torstat.xenobite.eu/index.php?SearchText=moria&CC=&Directory=tor26

That's why I was very suprised to found these nodes in the BLM list...
How to rely on such lists ? That's my question.

If I'm using PG2 to block "bad guys" IPs I don't want to block the other...

I give you that tor nodes in BLM list here.

 

Yes, I'm using PG2 that way as well, you can turn off these lists and just use 1 off them. The less lists the quicker but I have to say I haven't seen any noticable slow downs with PG2.

Second question: is it possible to used PG2 as security program in general not only for P2P ? Yes, you could even use none of their lists and build your own.

But forgive me I get OT on my own thread!

The theme is what criteria do they use, so far it seems the criteria comes from others in the form of this list Blocklist.org. Maybe the question should be put to them?

Hey WSFuser, what is this Bluetack list group? Your post says they have categories and descriptions but do they to your knowledge reveal their criteria? If we think about it a bit, maybe they shouldn't reveal their criteria?

 

Bluetack - they have their own blocklists and they are teh developers of several programs including Blocklist Manager, Protowall (competitor to PeerGuardian), and Hosts Manager.

I dont really know about their specific criteria, but you could ask in their forum.

 

Hi WSFuser and fellow threaders!

Here is the reply from a guy over at Phoenixlabs!

Seems all roads lead to bluetack.co.uk. I'm in a lot of forums so IF you are a member there could you ask the criteria question? I'm getting keyboard seize up!

Dear Escalader,

You are subscribed to the thread "Selection Criteria" by Escalader,
there have been 2 post(s) to this thread, the last poster was fakhir.
http://forums.phoenixlabs.org/showthread.php?t=15052

These following posts were made to the thread:
************
Selection Criteria
http://forums.phoenixlabs.org/showthread.php?p=107510#post107510
Posted by: Escalader
On: 09-04-2007 04:29 PM

How do you guy's select which ip's to include in the block lists?

Is their a general criteria used?
************
Re: Selection Criteria
http://forums.phoenixlabs.org/showthread.php?p=107511#post107511
Posted by: fakhir
On: 09-04-2007 04:33 PM

we dont produce or have direct control over what is or is not included
in a particular IP list
the PG2 default lists are produced by a group called bluetack
http://bluetack.co.uk


All the best,
Phoenix Labs

 

And now I have this! Seems the potential for duplication is real!

What now guys? One simple question on selection criteria (still ?) has led to this duplication issue?

When in doubt (and I am) I will do nothing!

For the moment

Re: Selection Criteria
Quote:
Originally Posted by Escalader View Post
How do you guy's select which ip's to include in the block lists?

Is their a general criteria used?
Bluetack has many more lists available than just the Sourceforge default lists, P2P, EDU, SPY, and ADS, that come with PG2.

You can take a look at most of them on this page of their forums. This gives a description of each of them. Of course, we don't recommend adding lists without knowing what they are used for. Nor do we recommend adding lists that you don't have a need for.

And, remember that Bluetack also has duplicates of our Sourceforge default lists and shouldn't be used in addition to our lists. This just wastes bandwidth at BT.

http://www.bluetack.co.uk/forums/ind...ewcat&cat_id=4
__________________
Pepsi One

 

Hi Escalader and WSFuser

I search for a better list and I found this:

http://www.completewhois.com/bogons/

but

the last update of this site is October 18, 2003 ...

I guess the best way to used PG2 is to built our own list.

 

Do you mean how reliable is the list or how it was chosen? Maybe someone using these nodes did something fishy. Or if you mean how to use such a list? you can make your own exit nodes and excludes those on the list. But I dont really care as I dont use tor for anything of importance.

 

Hi acknsyn

I mean how the IPs are choosen... based on what ?

For many of them it's easy to know why (like music or film editor in the P2P list) but for many others I have some doubts...

1) I'm looking for a documented list but I found nothing now...

2) I'm asking if it's a good idea to use such list with PG2 or protowall
in a layered security programs. Not for P2P...

Some Firewall have an option to add IP range from "bad guys web sites": that's correct.
But how we can rely on undocumented list...

Did I waist my time with this? That's my question...

 

Climenole:

Sorry been off fishing in other forums just saw your question.

IMHO I will keep using PG's 2 lists SPY's and P2P since they must contain "bad" ip's and some false positives no doubt to borrow a term from our AV friends. There is no way we can amass such lists on our own!

If I find it blocking an ip I feel is okay using my own judgment I just use the right click feature and allow the site either temporarily or permanently. It gets added to the permanent allow list! So over time one builds up your own white list.

On my own black list I can add all those I found over time to it using whois data to verify the ranges. Again over time it gets better and better!

So I think it does add a "layer" but one you have to maintain !

What do you guys think?

 

Hi Escalader

I agree with this. A such list must be build over the time by many poeple.
Be sure I'm too lazy to do it myself !!! But a more limited list may be an option...

Yes, may be that's the best way to do after all.

I keep PG2 in my security layer but I enable only my own list partially based on BLM list and the MVP hosts list...

Is it the best way to used it? I've no idea. The time will show...

 

Thank's, let's compare notes from time to time on this thread, I feel it is a work in progress.

How does the MVP hosts lists work? I heard it doesn't deal at the ip level?
If this is OT, send reply as PM, I see it as related since we are dealing with blocking via PG yes, but it's just one blocking tool.

 

Hi Escalader

The HOSTS file exist in all Operating System and easy to understand.
This is a sinmple text file (with no extension even under Windows) with the following syntax:

[Ip address] [at least one space] [URL of the site]

127.0.0.1 localhost <<== this is the minimal entry in this file
127.0.0.1 unwanted-site.com <<== this is an example of blocked site

When a user enter an URL in the address bar of a browser the system check in the HOSTS file. If the Ip address for the site is there a connection request is sended in TCP + flag Syn to the web site.

Like this entry:

65.175.38.194 www.wilderssecurity.com

Normally there is no lines like this and the browser makes a DNS request to obtain the IP addr. of the site then makes a connection request ...

When the entry is like this

127.0.0.1 www.bad-guys-web-site.com

The request loops locally and no connection is done.
This is the easiest way to block a connection to a bad web site.

More info at Safer Networking:
Hosts file definition


1) The MVPs HOSTS file

Some lines are documented like this:

"
127.0.0.1 aaa-livedoor .net #[Trojan-PSW.Win32.Maran.ei]
127.0.0.1 abcsearcher .com #[Spamdexing][Microsoft.Strider]
127.0.0.1 abc-search.info
127.0.0.1 abloga .info #[Spamdexing]
127.0.0.1 abx4[/url] .com #[Adware.ABXToolbar]
127.0.0.1 acezip[/url] .net #[Win32/Adware.180Solutions]
127.0.0.1 phpadsnew.abac .com
127.0.0.1 a.abnad.net
127.0.0.1 b.abnad.net
127.0.0.1 c.abnad.net #[IE-SpyAd]
"

This is better IMHO than a blocking list with no comments as usual...

2) How to contribute

3) Criteria for detection


The main problem with the HOSTS file is there is no possiblity to enter a range like in PG2 or used wildcards or regular expression like in Proxomitron.

 

Re: Updated OP: What Criteria Does PeerGuardian Use?

Updated OP to allow technical learnings to be posted on PG 2.

 

Please see link on how to prevent PG from blocking itself.

http://forums.phoenixlabs.org/showthread.php?t=15083

Update:

I upgraded to PeerGuardian 2.0 Beta 6c (01/30/2007) today and it seems to have repaired the blocking itself glitch!

 

There are many checks made, by many, using various tools. An IP is not blocked (added to list) easily, niether once added is it removed easily.
You mention "Hosts file". This can be good, but if we compare a "Host file" with a "block list", we will see ups and downs (good and bad) to both.

Host file will rely on DNS lookups, so if a redirect is by direct IP then this is bypassed. (bad point for hosts file), we also see many inbound (or redirected outbound) from/to IP`s with no URL.

Block lists: We will see ever changing IP`s, so this needs to be looked at, updated daily. This needs much work (I know from various sites this is done, but not everything is found)

There is a mentiom of: IP block lists are only for P2P, No, the block lists have seperate cats. These being for known malware/spyware sites etc ect. I do use these blocklists myself. I actually would prefer a possible problem where a site is blocked incorrectly, than a spyware/malware site is allowed (IMHO)

 

Here is a link to a thread of interest at PG 2. It points out the impact of a proxy server on PG 2! Like it makes it useless!

http://forums.phoenixlabs.org/showpost.php?p=110203&postcount=2

The other issue there is that BlueTak in the has UK requested funds to pay their servers! So IF that group stopped updating the block lists, PG 2 would have no list maintainers, no input

I'm assuming the existing ip block list would freeze in place and users could add ip's themselves but that is not the same service at all. THis is just a FUD attack I'm suffering today.

 

Re: forum.phoenix.org DNS expired

Yesterday, when I logged into the forum.phoenixlabs.org I got a DNS service expired message.

Can someone here please check for me to see if they have the same issue or if it's my isp or config so I can track this one down. See attached jpg.

It's something stupid I've done no doubt but I've never seen a DNS expired before! Maybe someone ran out of $!

 

Re: forum.phoenix.org DNS expired

Works fine here (Argentina)

 

Re: forum.phoenix.org DNS expired

Thanks, lucas1985!

I did nothing new and now it works again! Which is good.

What was going on with DNS expired at that forum we may never know or care!

 

Re: forum.phoenix.org DNS expired

Perhaps some small glitch on their end.