What Criteria Does PeerGuardian Use?

Discussion in 'other security issues & news' started by Escalader, Sep 4, 2007.

Thread Status:
Not open for further replies.
  1. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    I have been using PeerGuardian 2 for some weeks now. It purports to block 742,928,052 IPs as of today's updates. I asked their forum if it blocks incoming and outgoing packets to my PC and the answer was yes.

    That is by way of background only for my fellow members. I also have a FW In/Out, a real-time AV and ASWs; the vendors don't matter here in this thread.

    The question is "What Criteria Does PeerGuardian Use in selecting ip's to block?"

    Or if you don't like that question, replace "Does" with "Should".

    Or if you don't like PeerGuardian replace it with your vendor's name.


    How can this project known as Blocklist.org know what rules to use for you or me or anybody?

    I know that I can create my own block list and I have done that but again what does everybody think?
     
  2. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
  3. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi all :)

    Good question indeed !

    PeerGuardian blocked millions of IPs, but who decided that, and how?

    I understand that PG2 was for P2P users and they blocked some IPs from the RIAA,
    but why block "General Electric", Pickaway County, Intel, Proskower Rose (o_O), Canadian Broadcasting Corp., and many others...

    How is that related to confidentiality with P2P programs?

    In the BLM list you'll also find many Tor exit nodes. Why?

    Second question: is it possible to use PG2 as a security program in general, not only for P2P?

    Hope somebody here has some hints about this.

    Thank you.

    :)
     
  4. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    Yes; there are many other lists (besides P2P) you can use. There are lists to block ads, govt sites, spyware, and you can also use any of the Bluetack lists.
     
  5. acknsyn

    acknsyn Registered Member

    Joined:
    Aug 10, 2007
    Posts:
    27
    I wouldn't be too surprised if the exit nodes contain govt, spyware...
     
  6. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi acknsyn :)


    Yes ... possible after all.

    But this includes Tor nodes like:

    Tor.moria1:18.244.0.188-18.244.0.188
    Tor.moria2:18.244.0.114-18.244.0.114
    of
    moria.csail.mit.edu !!!

    Ref.:
    https://torstat.xenobite.eu/index.php?SearchText=moria&CC=&Directory=tor26

    That's why I was very surprised to find these nodes in the BLM list...
    How can one rely on such lists? That's my question.

    If I'm using PG2 to block "bad guys" IPs I don't want to block the others...

    I give you the Tor nodes in the BLM list here.

    :)
     


  7. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Yes, I'm using PG2 that way as well; you can turn off these lists and just use one of them. The fewer lists the quicker, but I have to say I haven't seen any noticeable slowdowns with PG2.

    Second question: is it possible to use PG2 as a security program in general, not only for P2P? Yes, you could even use none of their lists and build your own.

    But forgive me, I get OT on my own thread!

    The theme is what criteria they use; so far it seems the criteria come from others in the form of this list, Blocklist.org. Maybe the question should be put to them?

    Hey WSFuser, what is this Bluetack list group? Your post says they have categories and descriptions, but do they, to your knowledge, reveal their criteria? If we think about it a bit, maybe they shouldn't reveal their criteria? :doubt:
     
  8. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    Bluetack - they have their own blocklists and they are the developers of several programs including Blocklist Manager, Protowall (competitor to PeerGuardian), and Hosts Manager.

    I don't really know about their specific criteria, but you could ask in their forum.
     
  9. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi WSFuser and fellow threaders!

    Here is the reply from a guy over at Phoenixlabs!

    Seems all roads lead to bluetack.co.uk. I'm in a lot of forums, so IF you are a member there could you ask the criteria question? I'm getting keyboard seize-up! :D

    Dear Escalader,

    You are subscribed to the thread "Selection Criteria" by Escalader,
    there have been 2 post(s) to this thread, the last poster was fakhir.
    http://forums.phoenixlabs.org/showthread.php?t=15052

    These following posts were made to the thread:
    ************
    Selection Criteria
    http://forums.phoenixlabs.org/showthread.php?p=107510#post107510
    Posted by: Escalader
    On: 09-04-2007 04:29 PM

    How do you guys select which IPs to include in the block lists?

    Are there general criteria used?
    ************
    Re: Selection Criteria
    http://forums.phoenixlabs.org/showthread.php?p=107511#post107511
    Posted by: fakhir
    On: 09-04-2007 04:33 PM

    we don't produce or have direct control over what is or is not included
    in a particular IP list
    the PG2 default lists are produced by a group called bluetack
    http://bluetack.co.uk


    All the best,
    Phoenix Labs
     
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    And now I have this! Seems the potential for duplication is real!

    What now guys? One simple question on selection criteria (still ?) has led to this duplication issue? :doubt:

    When in doubt (and I am) I will do nothing! :D

    For the moment

    Re: Selection Criteria
    Quote:
    Originally Posted by Escalader
    How do you guys select which IPs to include in the block lists?

    Are there general criteria used?
    Bluetack has many more lists available than just the Sourceforge default lists, P2P, EDU, SPY, and ADS, that come with PG2.

    You can take a look at most of them on this page of their forums. This gives a description of each of them. Of course, we don't recommend adding lists without knowing what they are used for. Nor do we recommend adding lists that you don't have a need for.

    And, remember that Bluetack also has duplicates of our Sourceforge default lists and shouldn't be used in addition to our lists. This just wastes bandwidth at BT.

    http://www.bluetack.co.uk/forums/ind...ewcat&cat_id=4
    __________________
    Pepsi One
     
  11. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi Escalader and WSFuser :)

    I searched for a better list and I found this:

    http://www.completewhois.com/bogons/

    but

    the last update of this site is October 18, 2003 ... :rolleyes:

    I guess the best way to use PG2 is to build our own list. :doubt:

    :)
     
  12. acknsyn

    acknsyn Registered Member

    Joined:
    Aug 10, 2007
    Posts:
    27
    Do you mean how reliable the list is, or how it was chosen? Maybe someone using these nodes did something fishy. Or if you mean how to use such a list: you can make your own exit nodes and exclude those on the list. But I don't really care, as I don't use Tor for anything of importance.
     
  13. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi acknsyn :)

    I mean how the IPs are chosen... based on what?

    For many of them it's easy to know why (like music or film editors in the P2P list) but for many others I have some doubts...

    1) I'm looking for a documented list but I have found nothing so far...

    2) I'm asking if it's a good idea to use such a list with PG2 or Protowall
    in a layered set of security programs. Not for P2P...

    Some firewalls have an option to add IP ranges from "bad guys' web sites": that's correct.
    But how can we rely on an undocumented list...

    Did I waste my time with this? That's my question... :doubt:

    o_O
     
  14. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Climenole:

    Sorry been off fishing in other forums just saw your question.

    IMHO I will keep using PG's 2 lists, SPY and P2P, since they must contain "bad" IPs and no doubt some false positives, to borrow a term from our AV friends. There is no way we can amass such lists on our own!

    If I find it blocking an IP I feel is okay, using my own judgment I just use the right-click feature and allow the site either temporarily or permanently. It gets added to the permanent allow list! So over time one builds up one's own white list.

    On my own black list I can add all those I found over time, using whois data to verify the ranges. Again, over time it gets better and better!

    So I think it does add a "layer", but one you have to maintain!

    What do you guys think?
     
  15. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi Escalader :)

    I agree with this. Such a list must be built over time by many people.
    Be sure I'm too lazy to do it myself!!! :D But a more limited list may be an option...

    Yes, maybe that's the best way to do it after all.

    I keep PG2 in my security layer but I enable only my own list, partially based on the BLM list and the MVP hosts list...

    Is it the best way to use it? I've no idea. Time will tell...

    :)
     
  16. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Thanks, let's compare notes from time to time on this thread; I feel it is a work in progress.

    How do the MVP hosts lists work? I heard they don't deal at the IP level?
    If this is OT, send the reply as a PM. I see it as related, since we are dealing with blocking via PG, yes, but it's just one blocking tool.
     
  17. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi Escalader :)

    The HOSTS file exists in all operating systems and is easy to understand.
    It is a simple text file (with no extension, even under Windows) with the following syntax:

    [IP address] [at least one space] [URL of the site]

    127.0.0.1 localhost <<== this is the minimal entry in this file
    127.0.0.1 unwanted-site.com <<== this is an example of a blocked site

    When a user enters a URL in the address bar of a browser, the system checks the HOSTS file. If the IP address for the site is there, a connection request is sent in TCP with the SYN flag to the web site.

    Like this entry:

    65.175.38.194 www.wilderssecurity.com

    Normally there are no lines like this, and the browser makes a DNS request to obtain the IP address of the site, then makes a connection request...

    When the entry is like this

    127.0.0.1 www.bad-guys-web-site.com

    the request loops locally and no connection is made.
    This is the easiest way to block a connection to a bad web site.

    More info at Safer Networking:
    Hosts file definition


    1) The MVPs HOSTS file

    Some lines are documented like this:

    "
    127.0.0.1 aaa-livedoor .net #[Trojan-PSW.Win32.Maran.ei]
    127.0.0.1 abcsearcher .com #[Spamdexing][Microsoft.Strider]
    127.0.0.1 abc-search.info
    127.0.0.1 abloga .info #[Spamdexing]
    127.0.0.1 abx4 .com #[Adware.ABXToolbar]
    127.0.0.1 acezip .net #[Win32/Adware.180Solutions]
    127.0.0.1 phpadsnew.abac .com
    127.0.0.1 a.abnad.net
    127.0.0.1 b.abnad.net
    127.0.0.1 c.abnad.net #[IE-SpyAd]
    "

    This is better IMHO than a blocking list with no comments, as usual...

    2) How to contribute

    3) Criteria for detection


    The main problem with the HOSTS file is that there is no possibility to enter a range like in PG2, or to use wildcards or regular expressions like in Proxomitron.

    :)
     
  18. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: Updated OP: What Criteria Does PeerGuardian Use?

    Updated OP to allow technical learnings to be posted on PG 2.

     
  19. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Last edited: Sep 11, 2007
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    There are many checks made, by many, using various tools. An IP is not blocked (added to the list) easily; neither, once added, is it removed easily.
    You mention the "Hosts file". This can be good, but if we compare a "Hosts file" with a "block list", we will see ups and downs (good and bad) to both.

    Hosts file will rely on DNS lookups, so if a redirect is by direct IP then this is bypassed (bad point for hosts file). We also see many inbound (or redirected outbound) from/to IPs with no URL.

    Block lists: we will see ever-changing IPs, so this needs to be looked at and updated daily. This needs much work (I know from various sites this is done, but not everything is found).

    There is a mention of: IP block lists are only for P2P. No, the block lists have separate categories, these being for known malware/spyware sites etc. I do use these blocklists myself. I actually would prefer a possible problem where a site is blocked incorrectly than a spyware/malware site being allowed (IMHO).
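The two blocking layers the thread compares, PG2's IP range list and the HOSTS file, as an added Python example that is not from this thread nor from PeerGuardian or the MVPS project; the list and HOSTS contents are constructed (the "Example Adserver" range is a documentation address block), and the parsers follow the line formats quoted in the posts above. It shows the point Stem makes: a name in the HOSTS file is caught at resolution time, but a connection to a bare IP never consults the HOSTS file and only the range list can match it.

```python
import ipaddress

# Constructed sample in the P2P plaintext list format that PeerGuardian 2
# loads, as quoted in the thread: one "label:first_ip-last_ip" per line.
P2P_LIST = """\
Tor.moria1:18.244.0.188-18.244.0.188
Example Adserver:198.51.100.0-198.51.100.255
"""

# Constructed sample in MVPS-style HOSTS syntax ("ip name #[annotation]").
HOSTS_FILE = """\
127.0.0.1 localhost
127.0.0.1 ads.example.net #[Adware.Example]
"""

def parse_p2p(text):
    """Parse 'label:first-last' lines into (label, lo, hi) integer ranges."""
    ranges = []
    for line in filter(None, map(str.strip, text.splitlines())):
        label, _, span = line.rpartition(":")  # label itself may contain ':'
        first, _, last = span.partition("-")
        lo = int(ipaddress.IPv4Address(first))
        hi = int(ipaddress.IPv4Address(last or first))
        ranges.append((label, lo, hi))
    return ranges

def parse_hosts(text):
    """Map sinkholed names to their '#[...]' tag; 'localhost' is not a block."""
    blocked = {}
    for line in text.splitlines():
        body, _, comment = line.partition("#")
        parts = body.split()
        if len(parts) >= 2 and parts[0] in ("127.0.0.1", "0.0.0.0"):
            for name in parts[1:]:
                if name.lower() != "localhost":
                    blocked[name.lower()] = comment.strip()
    return blocked

def which_layer_blocks(target, ranges, blocked):
    """Name of the layer that stops a connection to `target`, or None."""
    try:
        n = int(ipaddress.IPv4Address(target))
    except ValueError:
        # A hostname goes through name resolution, where the HOSTS file applies.
        return "hosts" if target.lower() in blocked else None
    # An IP literal never consults the HOSTS file; only the range list can hit.
    for label, lo, hi in ranges:
        if lo <= n <= hi:
            return "p2p:" + label
    return None
```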
     
  21. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Here is a link to a thread of interest at PG 2. It points out the impact of a proxy server on PG 2! Like it makes it useless!

    http://forums.phoenixlabs.org/showpost.php?p=110203&postcount=2

    The other issue there is that BlueTack in the UK has requested funds to pay for their servers! So IF that group stopped updating the block lists, PG 2 would have no list maintainers, no input :(

    I'm assuming the existing IP block list would freeze in place and users could add IPs themselves, but that is not the same service at all. This is just a FUD attack I'm suffering today.
     
  22. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: forum.phoenix.org DNS expired


    Yesterday, when I logged into the forum.phoenixlabs.org I got a DNS service expired message.

    Can someone here please check for me to see if they have the same issue or if it's my isp or config so I can track this one down. See attached jpg.

    It's something stupid I've done no doubt but I've never seen a DNS expired before! Maybe someone ran out of $!
     
  23. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Re: forum.phoenix.org DNS expired

    Works fine here (Argentina)
     
  24. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: forum.phoenix.org DNS expired

    Thanks, lucas1985!

    I did nothing new and now it works again! Which is good.

    What was going on with DNS expired at that forum we may never know or care!
     
  25. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Re: forum.phoenix.org DNS expired

    Perhaps some small glitch on their end.
     