who_is_using_this_ip_address
Differences
This shows you the differences between two versions of the page.
who_is_using_this_ip_address [2013/12/01 11:02] – created samer | who_is_using_this_ip_address [2014/02/15 23:31] (current) – samer | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | A frequent question that faces network administrators or application developers consists in identifying //who is using a specific public IP address// | + | ====== Who is Using This IP Address? ===== |
- | == Limitations of the whois information | + | A frequent question that faces network administrators or application developers consists in identifying //who is using a specific public IP address//. This information |
- | A typical method to identify the AS that announces a specific IP address is to use the whois protocol. A whois command is available on main OSes and enables to query the databases | + | ===== -- Limitations |
- | <pre class=" | + | A typical method to identify the AS that announces a specific IP prefix is to use the whois protocol. A whois command is available on main OSes and enables to query the databases of regional registries such as ARIN, RIPE, LACNINC, ... A very interesting [[http:// |
- | origin: | + | |
- | </ | + | |
- | One way to do this is by querying the whois server of a routing registry such as RADB or RIPE, and looking for the origin attribute of a route object. However, not all networks properly register their route objects, so the information might not be available or may be outdated. Another method is by looking at the actual BGP route table for the origin AS of a prefix. You could do this on your own BGP speaking routers or on a public route server with the "show ip bgp" command (or equivalent), | + | $ whois -h whois.ripe.net |
+ | origin: | ||
- | == Using BGP information | + | However things get complicated very rapidly since the route object |
- | <pre class=" | + | $ whois -h whois.apnic.net 203.178.141.194 | grep origin |
- | % This is RIPE NCC's Routing Information Service | + | |
- | % whois gateway to collected BGP Routing Tables | + | |
- | % IPv4 or IPv6 address to origin | + | |
- | % | + | |
- | % For more information visit http:// | + | |
- | route: | + | ===== -- Using BGP Information ===== |
- | origin: | + | |
- | descr: | + | An alternative method for identifying the AS that announces a specific IP prefix consists in studying the BGP routing information. Typically, each BGP speaking router stores in a BGP table the routing announcements received for each prefix together with some protocol attributes such as the AS-PATH. This attribute contains the list of ASes traversed by the BGP announcement, |
- | lastupd-frst: | + | |
- | lastupd-last: | + | [{{ : |
- | seen-at: | + | |
- | num-rispeers: | + | However, having access to a DFZ BGP router is not easy in practice. Alternatively, |
+ | Let us try for example to log on the Allstream route server in Canada and identify the origin AS of '' | ||
+ | |||
+ | $ telnet route-server.east.bb.allstream.net | ||
+ | route-server.east> | ||
+ | BGP routing table entry for 148.60.0.0/ | ||
+ | Paths: (4 available, best #4, table default) | ||
+ | Not advertised to any peer | ||
+ | 15290 3356 1273 2200 | ||
+ | 199.212.162.69 from 199.212.162.69 (199.212.162.69) | ||
+ | Origin IGP, localpref 100, valid, external | ||
+ | Community: 15290:3356 15290:64995 15290:65050 15290: | ||
+ | 15290 3356 1273 2200 | ||
+ | 199.212.162.68 from 199.212.162.68 (199.212.162.68) | ||
+ | Origin IGP, localpref 100, valid, external | ||
+ | Community: 15290:3356 15290:64995 15290:65050 15290: | ||
+ | 15290 3356 1273 2200 | ||
+ | 199.212.162.66 from 199.212.162.66 (199.212.162.66) | ||
+ | Origin IGP, localpref 100, valid, external | ||
+ | Community: 15290:3356 15290:64995 15290:65050 15290: | ||
+ | 15290 3356 1273 2200 | ||
+ | 199.212.162.67 from 199.212.162.67 (199.212.162.67) | ||
+ | Origin IGP, localpref 100, valid, external, best | ||
+ | Community: 15290:3356 15290:64995 15290:65050 15290: | ||
+ | |||
+ | Despite its availability, | ||
+ | |||
+ | ==== -- Team Cymru whois Server ==== | ||
+ | |||
+ | Team Cymru implements the '' | ||
+ | |||
+ | < | ||
+ | $ whois -h whois.cymru.com 148.60.0.0/16 | ||
+ | AS | IP | AS Name | ||
+ | 2200 | 148.60.0.0 | ||
+ | </ | ||
+ | |||
+ | and another example that demonstrates the possibility of sending multiple prefixes in the same query: | ||
+ | |||
+ | < | ||
+ | $ whois -h whois.cymru.com 148.60.0.0/ | ||
+ | AS | IP | AS Name | ||
+ | 2200 | 148.60.0.0 | ||
+ | AS | IP | AS Name | ||
+ | 2500 | 203.178.141.194 | ||
+ | </ | ||
+ | |||
+ | ==== -- Riswhois Server ==== | ||
+ | RIPE NCC implements a similar whois service named RISwhois. This service provides a higher level view over the most recently collected set of routing tables from the Remote Route Collectors (RRCs) at different [[http:// | ||
+ | |||
+ | <WRAP info> | ||
+ | As mentioned on the [[http:// | ||
+ | </ | ||
+ | |||
+ | In the following, a simple example shows the output of a Riswhois query: as seen by 16 RRCs, the IP address '' | ||
+ | |||
+ | < | ||
+ | $ whois -h riswhois.ripe.net 203.178.141.194 | ||
+ | route: | ||
+ | origin: | ||
+ | descr: | ||
+ | lastupd-frst: | ||
+ | lastupd-last: | ||
+ | seen-at: | ||
+ | num-rispeers: | ||
source: | source: | ||
+ | </ | ||
+ | <WRAP round important> | ||
+ | Due to BGP policies between ASes in the Internet, RRCs may receive different BGP information for the same IP prefix. Therefore, Riswhois provides multiple matchings for the IP prefix, as in the following example. In such cases, a longest prefix matching may help in choosing a single originating AS. | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | $ whois -h riswhois.ripe.net 217.70.184.1 | ||
route: | route: | ||
origin: | origin: | ||
descr: | descr: | ||
- | lastupd-frst: | + | lastupd-frst: |
- | lastupd-last: | + | lastupd-last: |
seen-at: | seen-at: | ||
- | num-rispeers: | + | num-rispeers: |
source: | source: | ||
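Review bot: the Limitations paragraph misspells the Latin American registry as "LACNINC"; it should read "LACNIC". The new top-level heading is also unbalanced ("====== Who is Using This IP Address? =====" opens with six "=" and closes with five), unlike the sub-headings ("===== -- Using BGP Information =====", "==== -- Team Cymru whois Server ===="), which are balanced; make both sides six. Finally, the important box says longest-prefix matching may help pick a single originating AS when Riswhois returns several route objects, but the example that follows lists the route objects without saying which prefix the rule selects; add one sentence naming the more specific prefix and its origin so the reader can check the rule against the output.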
Line 41: | Line 106: | ||
origin: | origin: | ||
descr: | descr: | ||
- | lastupd-frst: | + | lastupd-frst: |
- | lastupd-last: | + | lastupd-last: |
seen-at: | seen-at: | ||
- | num-rispeers: | + | num-rispeers: |
source: | source: | ||
- | </pre> | + | </code> |
+ | ===== -- A Do-It-Yourself BGP Query Service ===== | ||
+ | |||
+ | When accessing the online servers (Riswhois, Cymru or legacy whois servers) is not possible or not recommended, | ||
+ | Here are some hints and recipes to implement a server that maps IP prefixes with AS numbers based on BGP information. | ||
+ | |||
+ | ==== -- Basic Steps ==== | ||
+ | |||
+ | Start by downloading raw BGP data collected by RIPE NCC servers from http:// | ||
+ | |||
+ | < | ||
+ | $ wget http:// | ||
+ | </ | ||
+ | |||
+ | As raw data is written in MRT format, you need to install [[https:// | ||
+ | |||
+ | < | ||
+ | $ zcat latest-bview.gz | bgpdump -m - > latest-bview-parsed.txt | ||
+ | </ | ||
+ | |||
+ | Here is a typical line in the dumped file, where you can see the prefix '' | ||
+ | < | ||
+ | TABLE_DUMP2|1389513606|B|85.132.60.10|29049|148.60.0.0/ | ||
+ | .132.60.10|0|0|1273: | ||
+ | </ | ||
+ | |||
+ | Now you can use your favorite scripting language to extract IP to AS mappings and perform a best prefix match. | ||
- | ## A Do-It-Yourself BGP query service | + | ==== -- Software Tools ==== |
- | [1]: http://answers.oreilly.com/topic/408-how-to-use-and-understand-whois-in-its-many-forms/ | + | Fortunately, |
+ | - [[http://cpansearch.perl.org/src/TPODER/Net-NfDump-0.12/ | ||
+ | | ||
+ | - [[http:// |
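Review bot: the sample line in the Basic Steps code block is broken across two lines (the second line starts with ".132.60.10", the tail of an IP address), so it no longer shows the one-record-per-line layout that "bgpdump -m" produces and that a script would split on "|"; join it back into a single line. The closing sentence ("extract IP to AS mappings and perform a best prefix match") also glosses over a point the Riswhois section already makes: the dump records what each peer announced (the sample line carries the peer address 85.132.60.10 and peer AS 29049), so the same prefix can appear with different origin ASes, and the text should say how the do-it-yourself service resolves conflicting origins (keep all of them, or count occurrences per origin) rather than implying one mapping per prefix. Minor: use the same term as the earlier section ("longest prefix matching") instead of "best prefix match".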
who_is_using_this_ip_address.txt · Last modified: 2014/02/15 23:31 by samer