who_is_using_this_ip_address
Differences
who_is_using_this_ip_address [2014/01/11 15:29] – [Using BGP Information] samer | who_is_using_this_ip_address [2014/02/09 13:14] – [Basic Steps] samer | ||
Line 1: | Line 1: | ||
====== Who is Using This IP Address? ===== | ====== Who is Using This IP Address? ===== | ||
+ | |||
A frequent question that faces network administrators or application developers consists in identifying //who is using a specific public IP address//. This information can be utilized for instance to perform user localization and enable location-based services or user access control. In this context, a main technical challenge is to associate the IP address or prefix with its corresponding Autonomous System (AS). | A frequent question that faces network administrators or application developers consists in identifying //who is using a specific public IP address//. This information can be utilized for instance to perform user localization and enable location-based services or user access control. In this context, a main technical challenge is to associate the IP address or prefix with its corresponding Autonomous System (AS). | ||
- | ====== Limitations of the whois Information ====== | + | ===== -- Limitations of the whois Information ===== |
- | A typical method to identify the AS that announces a specific IP prefix is to use the whois protocol. A whois command is available on main OSes and enables to query the databases of regional registries such as ARIN, RIPE, LACNINC, ... A very interesting [[http:// | + | |
+ | A typical method to identify the AS that announces a specific IP prefix is to use the whois protocol. A whois command is available on main OSes and enables to query the databases of regional registries such as ARIN, RIPE, LACNINC, ... A very interesting [[http:// | ||
$ whois -h whois.ripe.net 148.60.0.0/ | $ whois -h whois.ripe.net 148.60.0.0/ | ||
origin: | origin: | ||
- | However things get complicated very rapidly since the route object information is not always provided or may be outdated. Trying for example to identify the AS announcing 203.178.141.194 (corresponding to the famous www.kame.net), | + | However things get complicated very rapidly since the route object information is not always provided or may be outdated. Trying for example to identify the AS announcing |
$ whois -h whois.apnic.net 203.178.141.194 | grep origin | $ whois -h whois.apnic.net 203.178.141.194 | grep origin | ||
- | ====== Using BGP Information | + | ===== -- Using BGP Information ===== |
- | An alternative method for identifying the AS that announces a specific IP prefix consists in studying the BGP routing information. Typically, each BGP speaking router stores in a BGP table the routing announcements received for each prefix together with some protocol attributes such as the AS-PATH. This attribute contains the list of ASes traversed by the BGP announcement, | + | An alternative method for identifying the AS that announces a specific IP prefix consists in studying the BGP routing information. Typically, each BGP speaking router stores in a BGP table the routing announcements received for each prefix together with some protocol attributes such as the AS-PATH. This attribute contains the list of ASes traversed by the BGP announcement, |
[{{ : | [{{ : | ||
- | However, having access to a DFZ BGP router is not easy in practice. Alternatively, | + | However, having access to a DFZ BGP router is not easy in practice. Alternatively, |
- | Let us try for example to log on the Allstream route server in Canada and identify the origin AS of 148.60.0.0/ | + | Let us try for example to log on the Allstream route server in Canada and identify the origin AS of '' |
$ telnet route-server.east.bb.allstream.net | $ telnet route-server.east.bb.allstream.net | ||
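Review bot: the heading markup in this hunk is inconsistent. The page title (`====== Who is Using This IP Address? =====`) has six `=` on the left but only five on the right, and the new subsection headings prepend a literal `-- ` (`===== -- Limitations of the whois Information =====`, `===== -- Using BGP Information =====`) that will appear verbatim in the rendered heading and in the table of contents. Balance the `=` counts on the title and drop the dashes; demoting the subsections from `======` to `=====` is already the right fix on its own, since DokuWiki does not number headings and the TOC conveys the hierarchy.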
Line 43: | Line 45: | ||
Community: 15290:3356 15290:64995 15290:65050 15290:65506 | Community: 15290:3356 15290:64995 15290:65050 15290:65506 | ||
- | Despite its availability, | + | Despite its availability, |
+ | |||
+ | ==== -- Team Cymru whois Server ==== | ||
+ | |||
+ | Team Cymru implements the '' | ||
+ | |||
+ | < | ||
+ | $ whois -h whois.cymru.com 148.60.0.0/ | ||
+ | AS | IP | AS Name | ||
+ | 2200 | 148.60.0.0 | ||
+ | </ | ||
+ | |||
+ | and another example that demonstrates the possibility of sending multiple prefixes in the same query: | ||
+ | |||
+ | < | ||
+ | $ whois -h whois.cymru.com 148.60.0.0/ | ||
+ | AS | IP | AS Name | ||
+ | 2200 | 148.60.0.0 | ||
+ | AS | IP | AS Name | ||
+ | 2500 | 203.178.141.194 | ||
+ | </ | ||
+ | |||
+ | ==== -- Riswhois Server ==== | ||
+ | RIPE NCC implements a similar whois service named RISwhois by providing a higher level view over the most recently collected set of routing tables from the Remote Route Collectors (RRCs) at different [[http:// | ||
+ | |||
+ | <WRAP info> | ||
+ | As mentioned on the [[http:// | ||
+ | </ | ||
+ | |||
+ | In the following, a simple example shows the output of a Riswhois query: '' | ||
+ | |||
+ | < | ||
+ | $ whois -h riswhois.ripe.net 203.178.141.194 | ||
+ | route: | ||
+ | origin: | ||
+ | descr: | ||
+ | lastupd-frst: | ||
+ | lastupd-last: | ||
+ | seen-at: | ||
+ | num-rispeers: | ||
+ | source: | ||
+ | </ | ||
+ | |||
+ | <WRAP round important> | ||
+ | Due to BGP policies between ASes in the Internet, RRCs may receive different BGP information for the same IP prefix. Therefore, Riswhois provides multiple matchings for the IP prefix, as in the following example. In such cases, a longest prefix matching may help in choosing a single originating AS. | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | $ whois -h riswhois.ripe.net 217.70.184.1 | ||
+ | route: | ||
+ | origin: | ||
+ | descr: | ||
+ | lastupd-frst: | ||
+ | lastupd-last: | ||
+ | seen-at: | ||
+ | num-rispeers: | ||
+ | source: | ||
+ | |||
+ | route: | ||
+ | origin: | ||
+ | descr: | ||
+ | lastupd-frst: | ||
+ | lastupd-last: | ||
+ | seen-at: | ||
+ | num-rispeers: | ||
+ | source: | ||
+ | </ | ||
+ | ===== -- A Do-It-Yourself BGP Query Service ===== | ||
+ | |||
+ | When accessing the online servers (Riswhois, Cymru or legacy whois servers) is not possible or not recommended, | ||
+ | Here are some hints and recipes to implement a server that maps IP prefixes with AS numbers based on BGP information. | ||
- | 1- Team Cymru implements the `whois.cymru.com` server | + | ==== Basic Steps ==== |
- | has made a whois server available which provides the announcing AS number and name for any given IP address. The information in its database is based on 17 BGP feeds and is updated twice per hour. If your operating system has a command-line whois client, simply type `whois | + | Start by downloading raw BGP data collected by RIPE NCC servers from http:// |
- | 2- A similar service was announced by the RIPE RIS project. Their whois server can be queried using "whois -h riswhois.ripe.net", and returns results in RPSL like format (as used by the RIPE whois database itself). The data is gathered from route collector boxes in various locations. For more information about this service, see this web page. | + | < |
+ | $ wget http://data.ris.ripe.net/ | ||
+ | </ | ||
- | $ whois -h riswhois.ripe.net 217.70.180.132 | + | As raw data is written in MRT format, you need to install [[https://bitbucket.org/ripencc/bgpdump/wiki/Home | bgpdump]] in order to parse it easily. |
- | % This is RIPE NCC's Routing Information Service | + | |
- | % whois gateway | + | |
- | % IPv4 or IPv6 address to origin prefix match | + | |
- | % | + | |
- | % For more information visit http://www.ripe.net/ris/riswhois.html | + | |
- | + | ||
- | route: | + | |
- | origin: | + | |
- | descr: | + | |
- | lastupd-frst: | + | |
- | lastupd-last: | + | |
- | seen-at: | + | |
- | num-rispeers: | + | |
- | source: | + | |
- | + | ||
- | route: | + | |
- | origin: | + | |
- | descr: | + | |
- | lastupd-frst: | + | |
- | lastupd-last: | + | |
- | seen-at: | + | |
- | num-rispeers: | + | |
- | source: | + | |
- | + | ||
- | route: | + | |
- | origin: | + | |
- | descr: | + | |
- | lastupd-frst: | + | |
- | lastupd-last: | + | |
- | seen-at: | + | |
- | num-rispeers: | + | |
- | source: | + | |
+ | < | ||
+ | $ zcat latest-bview.gz | bgpdump -m - > latest-bview-parsed.txt | ||
+ | </ | ||
- | ===== A Do-It-Yourself BGP Query Service ===== | + | Here is a typical line in the dumped file, where you can see the prefix '' |
+ | < | ||
+ | TABLE_DUMP2|1389513606|B|85.132.60.10|29049|148.60.0.0/ | ||
+ | .132.60.10|0|0|1273: | ||
+ | </ | ||
- | Start by downloading multiple routing tables for routeviews or RIPE RIS servers. Transform these tables into parsable format bu using bgpdump. Use any scripting language to perform a best prefix match and output the origin AS of your desired IP prefix. | + | Now you can use your favorite |
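Review bot: the new Basic Steps section fetches a single `latest-bview.gz` from one RIPE RIS collector, yet the important box in this same hunk states that RRCs may receive different BGP information for the same prefix and that Riswhois therefore returns multiple matches; the removed text ("Start by downloading multiple routing tables for routeviews or RIPE RIS servers ... perform a best prefix match") covered this, so the new section should either say why one collector is enough or tell the reader to download several `bview` files and keep the longest matching prefix across them. The `bgpdump -m` sample (`TABLE_DUMP2|1389513606|B|85.132.60.10|29049|148.60.0.0/...`) is also left unexplained and is broken across two lines; document the `|`-separated columns (record type, timestamp, entry type, peer IP, peer AS, prefix, AS path, then next hop, local preference, MED and communities) and state that the origin AS is the last AS in the AS-path column, since that is the value the lookup service is meant to return.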
who_is_using_this_ip_address.txt · Last modified: 2014/02/15 23:31 by samer