# Domain Analysis

In [1]:
%load_ext autoreload
%autoreload 2
%matplotlib notebook

import sys
sys.path.append("../..")

In [2]:
from collections import defaultdict
import ipaddress
import os.path

import matplotlib
import networkx as nx

matplotlib.rcParams['figure.figsize'] = (9.5, 8)

## Load Full DNS Graph

In [3]:
from netanalysis.analysis.analysis_app import AnalysisApp

app = AnalysisApp(os.path.join(os.getcwd(), "..", "..", "ooni_data"))

## Create Domain Graph

In [4]:
domain_app = app.domain_app("www.youtube.com")
print("Graph nodes: %s" % ", ".join(sorted(domain_app.domain_graph.nodes)))
print("Parent domains: %s" % (set(nx.dfs_preorder_nodes(app.dns_graph.reverse(copy=False), domain_app.domain)) - set([domain_app.domain])))

Graph nodes: 10.10.34.0/24, 108.177.14.0/24, 108.177.15.0/24, 172.217.0.0/24, 172.217.1.0/24, 172.217.10.0/24, 172.217.11.0/24, 172.217.12.0/24, 172.217.13.0/24, 172.217.14.0/24, 172.217.15.0/24, 172.217.16.0/24, 172.217.160.0/24, 172.217.161.0/24, 172.217.164.0/24, 172.217.166.0/24, 172.217.17.0/24, 172.217.18.0/24, 172.217.19.0/24, 172.217.2.0/24, 172.217.20.0/24, 172.217.21.0/24, 172.217.22.0/24, 172.217.23.0/24, 172.217.24.0/24, 172.217.25.0/24, 172.217.26.0/24, 172.217.27.0/24, 172.217.28.0/24, 172.217.29.0/24, 172.217.3.0/24, 172.217.30.0/24, 172.217.31.0/24, 172.217.4.0/24, 172.217.5.0/24, 172.217.6.0/24, 172.217.7.0/24, 172.217.8.0/24, 172.217.9.0/24, 173.194.220.0/24, 173.194.221.0/24, 173.194.73.0/24, 173.194.76.0/24, 209.85.144.0/24, 209.85.202.0/24, 209.85.203.0/24, 209.85.233.0/24, 216.58.192.0/24, 216.58.193.0/24, 216.58.194.0/24, 216.58.195.0/24, 216.58.196.0/24, 216.58.197.0/24, 216.58.198.0/24, 216.58.199.0/24, 216.58.200.0/24, 216.58.201.0/24, 216.58.202.0/24, 216.58.

## Classify Edges

In [5]:
domain_app.display_graph()

<IPython.core.display.Javascript object>

## Use TLS to verify UNKNOWNs

At this stage we use TLS validation of certificates to check if an IP is valid for a domain

In [6]:
domain_app.tls_verify_unknowns()
domain_app.display_graph()

Checking IPs for www.youtube.com - 108.177.15.0/24
    Validating 108.177.15.91: VALID
Checking IPs for www.youtube.com - 172.217.0.0/24
    Validating 172.217.0.46: VALID
Checking IPs for www.youtube.com - 172.217.1.0/24
    Validating 172.217.1.238: VALID
Checking IPs for www.youtube.com - 172.217.10.0/24
    Validating 172.217.10.14: VALID
Checking IPs for www.youtube.com - 172.217.11.0/24
    Validating 172.217.11.238: VALID
Checking IPs for www.youtube.com - 172.217.14.0/24
    Validating 172.217.14.174: VALID
Checking IPs for www.youtube.com - 172.217.16.0/24
    Validating 172.217.16.14: VALID
Checking IPs for www.youtube.com - 172.217.160.0/24
    Validating 172.217.160.174: VALID
Checking IPs for www.youtube.com - 172.217.161.0/24
    Validating 172.217.161.142: VALID
Checking IPs for www.youtube.com - 172.217.164.0/24
    Validating 172.217.164.110: VALID
Checking IPs for www.youtube.com - 172.217.166.0/24
    Validating 172.217.166.78: VALID
Checking IPs for www.youtube.com 

<IPython.core.display.Javascript object>

## Classify Measurements

In [7]:
from netanalysis.dns import classifier as dc

def analyze_measurements(domain: str, domain_graph, class_graph, results=None):
    measurements = dict()  # type: Dict[str, dns.DnsMeasurement]
    for u, v, data in domain_graph.edges(data=True):
        measurement = data.get("measurement")
        if not measurement:
            continue
        if measurement.trust_reason:
            continue
        if measurement.records[0].name.lower() != domain:
            continue
        measurements[measurement.measurement_id] = measurement


    for measurement in sorted(measurements.values(), key=lambda m: m.time):
        measurement_eval = dc.Evaluation(dc.EdgeClass.UNKNOWN, None)
        ips = []
        for record in measurement.records:
            try:
                ip = record.data.ip
                ips.append(ip)
            except AttributeError:
                continue
            
        for ip in ips:
            net = str(ipaddress.ip_network(ip).supernet(new_prefix=24))
            evaluation = class_graph[domain][net]["eval"]
            if evaluation.classification != dc.EdgeClass.UNKNOWN:
                measurement_eval = evaluation
                break
        if not results or measurement_eval.classification in results:
            print("{} {} {}, IPs: [{}] (DNS: {})".format(
                measurement.time,
                measurement.client_country,
                measurement_eval.classification.name,
                ", ".join(str(ip) for ip in ips),
                measurement.resolver_ip
            ))

analyze_measurements(domain_app.domain,
                     domain_app.domain_graph,
                     domain_app.classifier.class_graph,
                     results=[dc.EdgeClass.UNKNOWN, dc.EdgeClass.BAD])

2018-02-26 01:02:42 RU UNKNOWN, IPs: [64.233.162.198] (DNS: 74.125.46.5)
2018-02-26 01:17:10 RU UNKNOWN, IPs: [64.233.162.198] (DNS: 74.125.46.6)
2018-02-26 01:35:20 RU UNKNOWN, IPs: [64.233.162.198] (DNS: 74.125.46.4)
2018-02-26 01:35:27 RU UNKNOWN, IPs: [64.233.162.198] (DNS: 74.125.46.4)
2018-02-26 03:46:26 RU UNKNOWN, IPs: [64.233.162.198] (DNS: 173.194.98.14)
2018-02-26 04:00:09 RU UNKNOWN, IPs: [64.233.162.198] (DNS: 173.194.98.10)
2018-02-26 04:00:16 RU UNKNOWN, IPs: [64.233.162.198] (DNS: 173.194.98.10)
2018-02-26 04:19:55 IR BAD, IPs: [10.10.34.35] (DNS: 74.125.47.136)
2018-02-26 05:03:38 RU UNKNOWN, IPs: [64.233.162.198] (DNS: 173.194.98.10)
2018-02-26 05:21:35 RU UNKNOWN, IPs: [64.233.162.198] (DNS: 173.194.98.13)
2018-02-26 05:21:41 RU UNKNOWN, IPs: [64.233.162.198] (DNS: 173.194.98.13)
2018-02-26 05:33:13 RU UNKNOWN, IPs: [64.233.162.198] (DNS: 188.43.29.2)
2018-02-26 05:57:20 RU UNKNOWN, IPs: [64.233.162.198] (DNS: 173.194.98.15)
2018-02-26 05:57:22 RU UNKNOWN, IPs: [64.2

## Analyze a country

In [8]:
domain_app.display_graph(country="RU")

<IPython.core.display.Javascript object>

## Investigate an IP Address

In [9]:
from IPython.display import display
import ipywidgets as widgets
from netanalysis.analysis import ip_info_widget
import netanalysis.analysis.simple_autonomous_system as sas

as_repo = sas.create_default_as_repo()
ip_tab = ip_info_widget.create_ip_info_widget(as_repo)
tabs = widgets.Tab()
tabs.set_title(0, "IP Info")
tabs.children = [ip_tab]
tabs