who_is_using_this_ip_address
Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
who_is_using_this_ip_address [2014/02/08 22:36] – [2- Using BGP Information] samer | who_is_using_this_ip_address [2014/02/15 23:31] (current) – samer | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Who is Using This IP Address? ===== | ====== Who is Using This IP Address? ===== | ||
- | A frequent question that faces network administrators or application developers consists in identifying //who is using a specific public IP address//. This information can be utilized for instance to perform user localization and enable location-based services or user access control. In this context, a main technical challenge is to associate | + | A frequent question that faces network administrators or application developers consists in identifying //who is using a specific public IP address//. This information can be utilized for instance to perform user localization and enable location-based services or user access control. In this context, a main technical challenge is to associate |
===== -- Limitations of the whois Information ===== | ===== -- Limitations of the whois Information ===== | ||
Line 18: | Line 18: | ||
An alternative method for identifying the AS that announces a specific IP prefix consists in studying the BGP routing information. Typically, each BGP speaking router stores in a BGP table the routing announcements received for each prefix together with some protocol attributes such as the AS-PATH. This attribute contains the list of ASes traversed by the BGP announcement, | An alternative method for identifying the AS that announces a specific IP prefix consists in studying the BGP routing information. Typically, each BGP speaking router stores in a BGP table the routing announcements received for each prefix together with some protocol attributes such as the AS-PATH. This attribute contains the list of ASes traversed by the BGP announcement, | ||
- | [{{ : | + | [{{ : |
However, having access to a DFZ BGP router is not easy in practice. Alternatively, | However, having access to a DFZ BGP router is not easy in practice. Alternatively, | ||
Line 45: | Line 45: | ||
Community: 15290:3356 15290:64995 15290:65050 15290:65506 | Community: 15290:3356 15290:64995 15290:65050 15290:65506 | ||
- | Despite its availability, | + | Despite its availability, |
- | ==== Team Cymru whois Server ==== | + | ==== -- Team Cymru whois Server ==== |
- | Team Cymru implements the '' | + | Team Cymru implements the '' |
< | < | ||
Line 57: | Line 57: | ||
</ | </ | ||
- | and another example that demonstrates the possibility of sending multiple | + | and another example that demonstrates the possibility of sending multiple |
< | < | ||
Line 67: | Line 67: | ||
</ | </ | ||
- | ==== Riswhois Server ==== | + | ==== -- Riswhois Server ==== |
- | RIPE NCC implements a similar whois service named RISwhois | + | RIPE NCC implements a similar whois service named RISwhois. This service provides |
<WRAP info> | <WRAP info> | ||
- | As mentioned on the [[http:// | + | As mentioned on the [[http:// |
</ | </ | ||
- | $ whois -h riswhois.ripe.net 217.70.180.132 | + | In the following, a simple example shows the output of a Riswhois query: as seen by 16 RRCs, the IP address '' |
- | % This is RIPE NCC's Routing Information Service | + | |
- | % whois gateway to collected BGP Routing Tables | + | < |
- | % IPv4 or IPv6 address to origin prefix match | + | $ whois -h riswhois.ripe.net |
- | % | + | route: |
- | % For more information visit http://www.ripe.net/ | + | origin: |
- | + | descr: | |
- | route: | + | lastupd-frst: |
- | origin: | + | lastupd-last: |
- | descr: | + | seen-at: |
- | lastupd-frst: | + | num-rispeers: |
- | lastupd-last: | + | source: |
- | seen-at: | + | </ |
- | num-rispeers: | + | |
- | source: | + | <WRAP round important> |
- | + | Due to BGP policies between ASes in the Internet, RRCs may receive different BGP information for the same IP prefix. Therefore, Riswhois provides multiple matchings for the IP prefix, as in the following example. In such cases, a longest prefix matching may help in choosing a single originating AS. | |
- | route: | + | </ |
- | origin: | + | |
- | descr: | + | < |
- | lastupd-frst: | + | $ whois -h riswhois.ripe.net 217.70.184.1 |
- | lastupd-last: | + | route: |
- | seen-at: | + | origin: |
- | num-rispeers: | + | descr: |
- | source: | + | lastupd-frst: |
- | + | lastupd-last: | |
- | route: | + | seen-at: |
- | origin: | + | num-rispeers: |
- | descr: | + | source: |
- | lastupd-frst: | + | |
- | lastupd-last: | + | route: |
- | seen-at: | + | origin: |
- | num-rispeers: | + | descr: |
- | source: | + | lastupd-frst: |
+ | lastupd-last: | ||
+ | seen-at: | ||
+ | num-rispeers: | ||
+ | source: | ||
+ | </ | ||
===== -- A Do-It-Yourself BGP Query Service ===== | ===== -- A Do-It-Yourself BGP Query Service ===== | ||
+ | |||
+ | When accessing the online servers (Riswhois, Cymru or legacy whois servers) is not possible or not recommended, | ||
+ | Here are some hints and recipes to implement a server that maps IP prefixes with AS numbers based on BGP information. | ||
+ | |||
+ | ==== -- Basic Steps ==== | ||
+ | |||
+ | Start by downloading raw BGP data collected by RIPE NCC servers from http:// | ||
+ | |||
+ | < | ||
+ | $ wget http:// | ||
+ | </ | ||
+ | |||
+ | As raw data is written in MRT format, you need to install [[https:// | ||
+ | |||
+ | < | ||
+ | $ zcat latest-bview.gz | bgpdump -m - > latest-bview-parsed.txt | ||
+ | </ | ||
+ | |||
+ | Here is a typical line in the dumped file, where you can see the prefix '' | ||
+ | < | ||
+ | TABLE_DUMP2|1389513606|B|85.132.60.10|29049|148.60.0.0/ | ||
+ | .132.60.10|0|0|1273: | ||
+ | </ | ||
+ | |||
+ | Now you can use your favorite scripting language to extract IP to AS mappings and perform a best prefix match. | ||
+ | |||
+ | ==== -- Software Tools ==== | ||
- | Start by downloading multiple routing tables for routeviews or RIPE RIS servers. Transform these tables into parsable format bu using bgpdump. Use any scripting language to perform | + | Fortunately, |
+ | - [[http:// | ||
+ | - [[https:// | ||
+ | - [[http:// |
who_is_using_this_ip_address.txt · Last modified: 2014/02/15 23:31 by samer