wikiroute

networking recipes


who_is_using_this_ip_address

Differences

This shows you the differences between two versions of the page.

who_is_using_this_ip_address [2014/02/08 22:38] samerwho_is_using_this_ip_address [2014/02/09 00:31] – [2.2- Riswhois Server] samer
Line 45: Line 45:
        Community: 15290:3356 15290:64995 15290:65050 15290:65506        Community: 15290:3356 15290:64995 15290:65050 15290:65506
  
-Despite its availability, this method remains cumbersome, especially if you want to quickly look up something or if you have a large number of addresses that you want to analyze with a script. Fortunately, RIPE NCC and Team Cymru have already answered these questions: they provide solutions that combine the versatility of the whois protocol with the accuracy of the BGP information. In other words, you keep on using the legacy whois command but you get BGP-based results. Let us examine these solutions: +Despite its availability, this method remains cumbersome, especially if you want to quickly look up something or if you have a large number of prefixes that you want to analyse with a script. Fortunately, RIPE NCC and Team Cymru have already answered these questions: they provide solutions that combine the versatility of the whois protocol with the accuracy of the BGP information. In other words, you keep on using the legacy whois command but you get BGP-based results. Let us examine these solutions: 
  
 ==== -- Team Cymru whois Server ==== ==== -- Team Cymru whois Server ====
  
-Team Cymru implements the ''whois.cymru.com'' server which provides the announcing AS number and name for any given IP address. The information in its database is based on the BGP feeds from 50+ BGP peers, and is updated at 4 hour intervals. Here is a simple example for using the cymru service:+Team Cymru implements the ''whois.cymru.com'' server which provides the announcing AS number and name for any given IP prefix. The information in its database is based on the BGP feeds from 50+ BGP peers, and is updated at 4 hour intervals. Here is a simple example for using the cymru service:
  
 <code> <code>
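Review bot: "for any given IP prefix" in the Team Cymru sentence, and "a large number of prefixes" in the paragraph above it, blur what the reader actually types. The page is named who_is_using_this_ip_address and the whois queries visible in this comparison pass a single address; the prefix is what the server returns. Consider keeping "IP address" for the input and reserving "prefix" for the matched route. The same edit also changes "analyze" to "analyse", so check which spelling the rest of the wiki uses, and "4 hour intervals" would read better as "4-hour intervals".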
Line 57: Line 57:
 </code> </code>
  
-and another example that demonstrates the possibility of sending multiple addresses in the same query:+and another example that demonstrates the possibility of sending multiple prefixes in the same query:
  
 <code> <code>
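Review bot: The changed line is a lowercase fragment ("and another example that demonstrates the possibility of sending multiple prefixes in the same query:") that follows a closed code block, so it reads as a dangling continuation. A standalone sentence such as "Another example sends multiple prefixes in the same query:" would be clearer. If the query in the code block that follows lists individual addresses rather than prefixes, "addresses" was the more accurate word.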
Line 68: Line 68:
  
 ==== -- Riswhois Server ==== ==== -- Riswhois Server ====
-RIPE NCC implements a similar whois service named RISwhois by providing a higher level view over the most recently collected set of routing tables from the Remote Route Collectors (RRCs). Given an IPv4 or IPv6 address, RISwhois will tell which prefixes and origin ASes on which RRCs match that particular IP.+RIPE NCC implements a similar whois service named RISwhois by providing a higher level view over the most recently collected set of routing tables from the Remote Route Collectors (RRCs) at different [[http://www.ripe.net/data-tools/stats/ris/ris-peering-policy | locations]] in the world. Given an IPv4 or IPv6 prefix, RISwhois will tell which prefixes and origin ASes on which RRCs match that particular IP.
  
 <WRAP info> <WRAP info>
-As mentioned on the [[http://www.ripe.net/data-tools/stats/ris/riswhois | Riswhois]] website, BGP information is more accurate than that contained in the databases of the regional registries: 21% of a set of unique IPs unmatched when using the routing registry vs. only 1% unmatched when using RIS data.+As mentioned on the [[http://www.ripe.net/data-tools/stats/ris/riswhois | Riswhois]] website, BGP information is more accurate than that contained in the databases of the regional registries: 21% of a set of unique IPs were unmatched when using the routing registry vs. only 1% unmatched when using RIS data.
 </WRAP> </WRAP>
  
-In the following, a simple example that shows the output of a riswhois query.+In the following, a simple example shows the output of a Riswhois query: ''203.178.141.194'' is originated by AS ''2500'' as seen by 16 RRCs.
  
- $ whois -h riswhois.ripe.net 217.70.180.132 +<code> 
- % This is RIPE NCC's Routing Information Service +$ whois -h riswhois.ripe.net 203.178.141.194 
- % whois gateway to collected BGP Routing Tables +route:        203.178.128.0/17 
- % IPv4 or IPv6 address to origin prefix match +origin:       AS2500 
-+descr:        WIDE-BB WIDE Project 
- % For more information visit http://www.ripe.net/ris/riswhois.html +lastupd-frst: 2014-01-23 12:42Z  202.249.2.185@rrc06 
-  +lastupd-last: 2014-02-08 13:26Z  187.16.218.21@rrc15 
- route:        192.0.0.0/3 +seen-at:      rrc00,rrc01,rrc03,rrc04,rrc05,rrc06,rrc07,rrc10,rrc11,rrc12,rrc13,rrc14,rrc15 
- origin:       AS3303 +num-rispeers: 105 
- descr:        SWISSCOM Swisscom (Switzerland) Ltd +source:       RISWHOIS 
- lastupd-frst: 2013-11-09 23:48Z  192.65.185.140@rrc04 +</code>
- lastupd-last: 2013-11-09 23:48Z  192.65.185.243@rrc04 +
- seen-at:      rrc04 +
- num-rispeers:+
- source:       RISWHOIS +
-  +
- route:        217.0.0.0/+
- origin:       AS3303 +
- descr:        SWISSCOM Swisscom (Switzerland) Ltd +
- lastupd-frst: 2013-09-24 09:23Z  217.29.66.120@rrc10 +
- lastupd-last: 2013-11-09 23:48Z  192.65.185.243@rrc04 +
- seen-at:      rrc04,rrc10 +
- num-rispeers:+
- source:       RISWHOIS +
-  +
- route:        217.70.176.0/20 +
- origin:       AS29169 +
- descr:        GANDI-AS Gandi SAS +
- lastupd-frst: 2013-07-04 02:06Z  198.32.176.24@rrc14 +
- lastupd-last2013-11-11 15:53Z  195.69.146.99@rrc03 +
- seen-at:      rrc00,rrc01,rrc03,rrc04,rrc05,rrc06,rrc07,rrc10,rrc11,rrc12,rrc13,rrc14,rrc15 +
- num-rispeers: 114 +
- source:       RISWHOIS+
  
 +<WRAP round important>
 +Due to BGP policies between ASes in the Internet, RRCs may receive different BGP information for the same IP prefix. Therefore, Riswhois provides multiple matchings for the IP prefix, as in the following example. In such cases, a longest prefix matching may help in choosing a single originating AS.    
 +</WRAP>
 +
 +<code>
 +$ whois -h riswhois.ripe.net 217.70.184.1
 +route:        217.0.0.0/8
 +origin:       AS3303
 +descr:        SWISSCOM Swisscom (Switzerland) Ltd
 +lastupd-frst: 2014-01-30 00:20Z  217.29.66.120@rrc10
 +lastupd-last: 2014-02-04 14:36Z  192.65.185.243@rrc04
 +seen-at:      rrc04,rrc10
 +num-rispeers: 2
 +source:       RISWHOIS
 +
 +route:        217.70.176.0/20
 +origin:       AS29169
 +descr:        GANDI-AS Gandi SAS
 +lastupd-frst: 2013-10-21 08:55Z  202.249.2.185@rrc06
 +lastupd-last: 2014-02-08 13:28Z  187.16.218.21@rrc15
 +seen-at:      rrc00,rrc01,rrc03,rrc04,rrc05,rrc06,rrc07,rrc10,rrc11,rrc12,rrc13,rrc14,rrc15
 +num-rispeers: 111
 +source:       RISWHOIS
 +</code>
 ===== -- A Do-It-Yourself BGP Query Service ===== ===== -- A Do-It-Yourself BGP Query Service =====
  
 Start by downloading multiple routing tables for routeviews or RIPE RIS servers. Transform these tables into parsable format bu using bgpdump. Use any scripting language to perform a best prefix match and output the origin AS of your desired IP prefix. Start by downloading multiple routing tables for routeviews or RIPE RIS servers. Transform these tables into parsable format bu using bgpdump. Use any scripting language to perform a best prefix match and output the origin AS of your desired IP prefix.
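Review bot: The new lead-in to the first example says 203.178.141.194 is originated by AS 2500 "as seen by 16 RRCs", but the seen-at line in the output below it lists 13 collectors (rrc00 to rrc15 with rrc02, rrc08 and rrc09 absent). Either state 13 or drop the count and point the reader at seen-at and num-rispeers. In the Riswhois paragraph, "Given an IPv4 or IPv6 prefix ... match that particular IP" mixes prefix and IP in one sentence, and the service name is spelled both "RISwhois" and "Riswhois" within this hunk; pick one of each. The important box could say explicitly that in its example the /20 from AS29169 is the longest match over the /8 from AS3303, since that is the conclusion the reader is meant to draw. The unchanged last paragraph still has "bu using bgpdump" and "for routeviews", which could be fixed in the same revision.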
who_is_using_this_ip_address.txt · Last modified: 2014/02/15 23:31 by samer