who_is_using_this_ip_address
who_is_using_this_ip_address [2014/01/11 05:29] – external edit 127.0.0.1 | who_is_using_this_ip_address [2014/02/09 00:23] – [2.2- Riswhois Server] samer | ||
Line 1: | Line 1: | ||
- | A frequent question that faces network administrators or application developers consists in identifying //who is using a specific public IP address// | + | ====== Who is Using This IP Address? ===== |
- | ==== Limitations of the whois Information ==== | + | A frequent question that faces network administrators or application developers consists in identifying //who is using a specific public IP address//. This information can be utilized for instance to perform user localization and enable location-based services or user access control. In this context, a main technical challenge is to associate |
- | A typical method to identify the AS that announces a specific IP address is to use the whois protocol. A whois command is available on main OSes and enables to query the databases of regional registries such as ARIN, RIPE, LACNINC, ... A very interesting [[http:// | + | ===== -- Limitations of the whois Information ===== |
- | <code shell>$ whois -h whois.ripe.net 148.60.0.0/ | + | A typical method to identify the AS that announces a specific IP prefix is to use the whois protocol. A whois command is available on main OSes and enables to query the databases of regional registries such as ARIN, RIPE, LACNINC, ... A very interesting [[http:// |
- | origin: | + | |
+ | $ whois -h whois.ripe.net 148.60.0.0/ | ||
+ | origin: | ||
+ | |||
+ | However things get complicated very rapidly since the route object information is not always provided or may be outdated. Trying for example to identify the AS announcing '' | ||
+ | |||
+ | $ whois -h whois.apnic.net 203.178.141.194 | grep origin | ||
+ | |||
+ | ===== -- Using BGP Information ===== | ||
+ | |||
+ | An alternative method for identifying the AS that announces a specific IP prefix consists in studying the BGP routing information. Typically, each BGP speaking router stores in a BGP table the routing announcements received for each prefix together with some protocol attributes such as the AS-PATH. This attribute contains the list of ASes traversed by the BGP announcement, | ||
+ | |||
+ | [{{ : | ||
+ | |||
+ | However, having access to a DFZ BGP router is not easy in practice. Alternatively, | ||
+ | Let us try for example to log on the Allstream route server in Canada and identify the origin AS of '' | ||
+ | |||
+ | $ telnet route-server.east.bb.allstream.net | ||
+ | route-server.east> | ||
+ | BGP routing table entry for 148.60.0.0/ | ||
+ | Paths: (4 available, best #4, table default) | ||
+ | Not advertised to any peer | ||
+ | 15290 3356 1273 2200 | ||
+ | 199.212.162.69 from 199.212.162.69 (199.212.162.69) | ||
+ | Origin IGP, localpref 100, valid, external | ||
+ | Community: 15290:3356 15290:64995 15290:65050 15290: | ||
+ | 15290 3356 1273 2200 | ||
+ | 199.212.162.68 from 199.212.162.68 (199.212.162.68) | ||
+ | Origin IGP, localpref 100, valid, external | ||
+ | Community: 15290:3356 15290:64995 15290:65050 15290: | ||
+ | 15290 3356 1273 2200 | ||
+ | 199.212.162.66 from 199.212.162.66 (199.212.162.66) | ||
+ | Origin IGP, localpref 100, valid, external | ||
+ | Community: 15290:3356 15290:64995 15290:65050 15290: | ||
+ | 15290 3356 1273 2200 | ||
+ | 199.212.162.67 from 199.212.162.67 (199.212.162.67) | ||
+ | Origin IGP, localpref 100, valid, external, best | ||
+ | Community: 15290:3356 15290:64995 15290:65050 15290: | ||
+ | |||
+ | Despite its availability, | ||
+ | |||
+ | ==== -- Team Cymru whois Server ==== | ||
+ | |||
+ | Team Cymru implements the '' | ||
+ | |||
+ | < | ||
+ | $ whois -h whois.cymru.com 148.60.0.0/ | ||
+ | AS | IP | AS Name | ||
+ | 2200 | 148.60.0.0 | ||
</ | </ | ||
- | However things get complicated very rapidly since the route object information is not always provided or may be outdated. | + | and another example that demonstrates |
- | Another method is by looking at the actual BGP route table for the origin AS of a prefix. You could do this on your own BGP speaking routers or on a public route server with the "show ip bgp" command (or equivalent), | + | < |
+ | $ whois -h whois.cymru.com | ||
+ | AS | IP | AS Name | ||
+ | 2200 | 148.60.0.0 | FR-RENATER Reseau National de telecommunications pour la Technologie | ||
+ | AS | IP | AS Name | ||
+ | 2500 | 203.178.141.194 | WIDE-BB WIDE Project | ||
+ | </ | ||
- | ==== Using BGP Information | + | ==== -- Riswhois Server |
+ | RIPE NCC implements a similar whois service named RISwhois by providing a higher level view over the most recently collected set of routing tables from the Remote Route Collectors (RRCs) at different [[http:// | ||
- | <code shell>simurgh$ whois -h riswhois.ripe.net 217.70.180.132 | + | <WRAP info> |
- | % This is RIPE NCC's Routing Information Service | + | As mentioned on the [[http:// |
- | % whois gateway to collected BGP Routing Tables | + | </ |
- | % IPv4 or IPv6 address to origin prefix match | + | |
- | % | + | |
- | % For more information visit http:// | + | |
- | route: | + | In the following, a simple example shows the output of a Riswhois query: '' |
- | origin: | + | |
- | descr: | + | < |
- | lastupd-frst: | + | $ whois -h riswhois.ripe.net 203.178.141.194 |
- | lastupd-last: | + | route: |
- | seen-at: | + | origin: |
- | num-rispeers: | + | descr: |
+ | lastupd-frst: | ||
+ | lastupd-last: | ||
+ | seen-at: | ||
+ | num-rispeers: | ||
source: | source: | ||
+ | </ | ||
+ | |||
+ | <WRAP round important> | ||
+ | Note RRCs may receive different information for the same IP prefix. | ||
+ | that Riswhois may provide multiple matchings for IP addresses. In such case, RRCs | ||
+ | </ | ||
+ | < | ||
+ | $ whois -h riswhois.ripe.net 217.70.184.1 | ||
route: | route: | ||
origin: | origin: | ||
descr: | descr: | ||
- | lastupd-frst: | + | lastupd-frst: |
- | lastupd-last: | + | lastupd-last: |
seen-at: | seen-at: | ||
- | num-rispeers: | + | num-rispeers: |
source: | source: | ||
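Review bot: the new introduction in this hunk says the origin AS can be used for user access control, yet the same hunk shows that route objects are sometimes absent (the `whois -h whois.apnic.net 203.178.141.194 | grep origin` example prints no origin line) or outdated, and that RRCs may return several different matches for one prefix; the paragraph should say plainly that an origin AS obtained from whois, a route server or RISwhois is a best-effort lookup and not an authenticated attribute, so it can inform but must not be the sole basis for an access-control decision. Smaller points in the same hunk: "LACNINC" should read "LACNIC" (the typo is carried over from the old revision); the telnet example would be clearer if the text stated that the origin AS is the rightmost AS in each displayed path (`15290 3356 1273 2200`, so AS2200), since the output lists four equivalent paths without labelling it; and the sentence inside `<WRAP round important>` breaks off at "In such case, RRCs" and needs to be finished.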
Line 43: | Line 107: | ||
origin: | origin: | ||
descr: | descr: | ||
- | lastupd-frst: | + | lastupd-frst: |
- | lastupd-last: | + | lastupd-last: |
seen-at: | seen-at: | ||
- | num-rispeers: | + | num-rispeers: |
source: | source: | ||
</ | </ | ||
+ | ===== -- A Do-It-Yourself BGP Query Service ===== | ||
- | ==== A Do-It-Yourself BGP Query Service ==== | + | Start by downloading multiple routing tables for routeviews or RIPE RIS servers. Transform these tables into parsable format bu using bgpdump. Use any scripting language to perform a best prefix match and output the origin AS of your desired IP prefix. |
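Review bot: the rewritten Do-It-Yourself paragraph has two typos ("for routeviews" should be "from Routeviews" and "bu using bgpdump" should be "by using bgpdump"), and "best prefix match" should be stated as longest-prefix match, because the most specific announced prefix covering the address is the one whose origin AS applies. Since the RISwhois example immediately above shows that different collectors can return different answers for the same prefix, the paragraph should also say that the script is expected to report every origin AS it finds across the downloaded tables rather than a single one.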
who_is_using_this_ip_address.txt · Last modified: 2014/02/15 23:31 by samer