who_is_using_this_ip_address
who_is_using_this_ip_address [2014/01/11 05:29] – external edit 127.0.0.1 | who_is_using_this_ip_address [2014/01/11 15:24] – samer | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | A frequent question that faces network administrators or application developers consists in identifying //who is using a specific public IP address//. This information can be utilised | + | A frequent question that faces network administrators or application developers consists in identifying //who is using a specific public IP address//. This information can be utilized |
- | ==== Limitations of the whois Information ==== | + | ====== Limitations of the whois Information ====== |
+ | A typical method to identify the AS that announces a specific IP prefix is to use the whois protocol. A whois command is available on main OSes and enables to query the databases of regional registries such as ARIN, RIPE, LACNINC, ... A very interesting [[http:// | ||
- | A typical method to identify the AS that announces a specific IP address is to use the whois protocol. A whois command is available on main OSes and enables to query the databases of regional registries such as ARIN, RIPE, LACNINC, ... A very interesting [[http:// | + | $ whois -h whois.ripe.net 148.60.0.0/ |
+ | origin: | ||
- | <code shell>$ whois -h whois.ripe.net 148.60.0.0/16 | grep origin | + | However things get complicated very rapidly since the route object information is not always provided or may be outdated. Trying for example to identify the AS announcing 203.178.141.194 (corresponding to the famous www.kame.net), |
- | origin: | + | |
- | </ | + | |
- | However things get complicated very rapidly since the route object information is not always provided or may be outdated. | + | $ whois -h whois.apnic.net 203.178.141.194 | grep origin |
- | Another method is by looking at the actual | + | ====== Using BGP Information ====== |
- | ==== Using BGP Information ==== | + | An alternative method for identifying the AS that announces a specific IP prefix consists in studying the BGP routing information. Typically, each BGP speaking router stores in a BGP table the routing announcements received for each prefix together with some protocol attributes such as the AS-PATH. This attribute contains the list of ASes traversed by the BGP announcement, |
- | <code shell> | + | [{{ :bgp-table.png? |
- | % This is RIPE NCC's Routing Information Service | + | |
- | % whois gateway to collected | + | |
- | % IPv4 or IPv6 address to origin prefix match | + | |
- | % | + | |
- | % For more information visit http:// | + | |
- | route: 192.0.0.0/3 | + | However, having access to a DFZ BGP router is not easy in practice. Alternatively, |
- | origin: | + | Let us try for example to log on the Allstream route server in Canada and identify the origin AS of 148.60.0.0/16. The output of the '' |
- | descr: | + | |
- | lastupd-frst: | + | |
- | lastupd-last: | + | |
- | seen-at: | + | |
- | num-rispeers: | + | |
- | source: | + | |
- | route: 217.0.0.0/8 | + | $ telnet |
- | origin: AS3303 | + | route-server.east> |
- | descr: | + | BGP routing table entry for 148.60.0.0/16, version 270487514 |
- | lastupd-frst: 2013-09-24 09:23Z 217.29.66.120@rrc10 | + | Paths: (4 available, best #4, table default) |
- | lastupd-last: 2013-11-09 23:48Z 192.65.185.243@rrc04 | + | Not advertised to any peer |
- | seen-at: | + | 15290 3356 1273 2200 |
- | num-rispeers: 3 | + | 199.212.162.69 from 199.212.162.69 (199.212.162.69) |
- | source: RISWHOIS | + | |
+ | Community: 15290:3356 15290:64995 15290:65050 15290: | ||
+ | 15290 3356 1273 2200 | ||
+ | 199.212.162.68 from 199.212.162.68 | ||
+ | Origin IGP, localpref 100, valid, external | ||
+ | Community: 15290:3356 15290:64995 15290:65050 15290: | ||
+ | 15290 3356 1273 2200 | ||
+ | 199.212.162.66 from 199.212.162.66 (199.212.162.66) | ||
+ | Origin IGP, localpref 100, valid, external | ||
+ | Community: 15290:3356 15290:64995 15290:65050 15290: | ||
+ | 15290 3356 1273 2200 | ||
+ | 199.212.162.67 from 199.212.162.67 (199.212.162.67) | ||
+ | Origin IGP, localpref 100, valid, external, best | ||
+ | Community: 15290:3356 15290:64995 15290:65050 15290:65506 | ||
- | route: | + | Despite its availabitlity, |
- | origin: AS29169 | + | |
- | descr: | + | |
- | lastupd-frst: | + | |
- | lastupd-last: 2013-11-11 15: | + | |
- | seen-at: | + | |
- | num-rispeers: | + | |
- | source: RISWHOIS | + | |
- | </ | + | |
- | ==== A Do-It-Yourself BGP Query Service ==== | + | 1- Team Cymru implements the `whois.cymru.com` server |
+ | has made a whois server available which provides the announcing AS number and name for any given IP address. The information in its database is based on 17 BGP feeds and is updated twice per hour. If your operating system has a command-line whois client, simply type `whois -h whois.cymru.com` followed on the same line by the IP address you would like to look up. In addition to simple lookups as described above, the server also supports comments and multiple addresses per query. Both of these features are especially useful if you have a script to analyze a large number of IP addresses from a script. For more information about these features, see the server' | ||
+ | |||
+ | 2- A similar service was announced by the RIPE RIS project. Their whois server can be queried using "whois -h riswhois.ripe.net", | ||
+ | |||
+ | $ whois -h riswhois.ripe.net 217.70.180.132 | ||
+ | % This is RIPE NCC's Routing Information Service | ||
+ | % whois gateway to collected BGP Routing Tables | ||
+ | % IPv4 or IPv6 address to origin prefix match | ||
+ | % | ||
+ | % For more information visit http:// | ||
+ | |||
+ | route: | ||
+ | origin: | ||
+ | descr: | ||
+ | lastupd-frst: | ||
+ | lastupd-last: | ||
+ | seen-at: | ||
+ | num-rispeers: | ||
+ | source: | ||
+ | |||
+ | route: | ||
+ | origin: | ||
+ | descr: | ||
+ | lastupd-frst: | ||
+ | lastupd-last: | ||
+ | seen-at: | ||
+ | num-rispeers: | ||
+ | source: | ||
+ | |||
+ | route: | ||
+ | origin: | ||
+ | descr: | ||
+ | lastupd-frst: | ||
+ | lastupd-last: | ||
+ | seen-at: | ||
+ | num-rispeers: | ||
+ | source: | ||
+ | |||
+ | |||
+ | ### A Do-It-Yourself BGP Query Service | ||
+ | |||
+ | Start by downloading multiple routing tables for routeviews or RIPE RIS servers. Transform these tables into parsable format bu using bgpdump. Use any scripting language to perform a best prefix match and output the origin AS of your desired IP prefix. |
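Review bot: the new "A Do-It-Yourself BGP Query Service" heading is written with a markdown `###` while every other heading in this revision uses the DokuWiki `====== ... ======` form (and the old revision had it as `==== ... ====`); change it to `====== A Do-It-Yourself BGP Query Service ======` so it renders as a section. The same paragraph has two typos, "for routeviews" (should be "from RouteViews") and "bu using bgpdump" (should be "by using bgpdump"), and it would help the reader to state that "best prefix match" means longest-prefix match and that the origin AS is the last AS in the AS-PATH. In the Team Cymru item, "Team Cymru implements the `whois.cymru.com` server has made a whois server available" runs two sentences together; suggest "Team Cymru has made a whois server, ''whois.cymru.com'', available which provides ..." (using the page's own ''...'' monospace markup rather than markdown backticks, as the route-server paragraph already does). In the route-server output for 148.60.0.0/16 the text asks the reader to "identify the origin AS" but nothing points at which field answers it; add a sentence after the output saying that the origin AS is the rightmost entry of the path "15290 3356 1273 2200", i.e. AS2200. In the whois section, the www.kame.net example shows the `whois -h whois.apnic.net 203.178.141.194 | grep origin` command but no output in this view, so the claim that things "get complicated very rapidly" is not demonstrated; include the actual (empty or misleading) output so the reader sees why whois alone is insufficient. Finally, "availabitlity" in the paragraph after the route-server output should be "availability", and "LACNINC" in the whois paragraph (present in both revisions) should be "LACNIC".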
who_is_using_this_ip_address.txt · Last modified: 2014/02/15 23:31 by samer