feat(attackers): PTR record (reverse DNS) enrichment

Resolve each attacker IP's rDNS name once at first sighting, store on Attacker.ptr_record, render on AttackerDetail under ORIGIN. Many attackers run infrastructure with forgotten rDNS that instantly identifies them once surfaced: scan-node-42.shodan.io, shady-vps.leasecloud.net, etc. Resolver lives in decnet/geoip/ptr.py — colocated with enrich_ip because the shape matches (take an IP, return supplementary metadata, never raise). Uses the OS resolver via socket.gethostbyaddr offloaded to the default executor, wrapped with asyncio.wait_for timeout=2s so a slow authoritative NS can't stall the profiler tick. Profiler side: _WorkerState grows a ptr_attempted: set[str] bounding resolution to once per worker lifetime. Cold-start batches resolve concurrently (Semaphore(_PTR_CONCURRENCY=10)) so a backlog doesn't serialize 2s ceilings. _build_record gains a keyword-only ptr_record parameter that, when _UNSET, omits the key from the record dict — upsert_attacker's attribute-merge loop then preserves whatever's stored on the row. Explicit None is a "fresh failed attempt" signal and gets written through. Env kill-switch DECNET_PTR_ENABLED=false for locked-down deploys where egress DNS is forbidden. Private / loopback / link-local / multicast / reserved addresses short-circuit before any DNS call. IPv6 reverse DNS works transparently through the stdlib resolver. Schema change — run once on upgrade: ALTER TABLE attackers ADD COLUMN ptr_record VARCHAR(256) NULL DEFAULT NULL; Or drop-and-recreate on dev boxes (db-reset's SQLModel.metadata-driven table discovery now picks it up automatically since ba155b7). tests/conftest.py disables DECNET_PTR_ENABLED globally for the same reason it disables DECNET_GEOIP_ENABLED — unit tests must never hit the network. tests/geoip/test_ptr.py re-enables explicitly via an autouse fixture.
2026-04-24 17:26:40 -04:00
parent 351a8939c3
commit 5a34371009
7 changed files with 314 additions and 2 deletions
--- a/decnet_web/src/components/AttackerDetail.tsx
+++ b/decnet_web/src/components/AttackerDetail.tsx
@@ -61,6 +61,7 @@ interface AttackerData {
  commands: { service: string; decky: string; command: string; timestamp: string }[];
  country_code: string | null;
  country_source: string | null;
+  ptr_record: string | null;
  updated_at: string;
  behavior: AttackerBehavior | null;
  service_activity?: {
@@ -1012,6 +1013,20 @@ const AttackerDetail: React.FC = () => {
              <span className="dim">unknown</span>
            )}
          </div>
+          <div>
+            <span className="dim">REVERSE DNS: </span>
+            {attacker.ptr_record ? (
+              <span
+                className="matrix-text"
+                style={{ fontFamily: 'monospace' }}
+                title="One-shot PTR record resolved at first sighting."
+              >
+                {attacker.ptr_record}
+              </span>
+            ) : (
+              <span className="dim">—</span>
+            )}
+          </div>
        </div>
      </Section>