Security Incidents mailing list archives
Re: Finding out who owns particular IP addresses
From: "Hartmann, Seamus" <Seamus () LOGISOFT NET>
Date: Mon, 8 Jan 2001 16:28:45 -0500
As an addendum to this wonderful tract on using whois.... For those of us stuck in Wintel world, there's a great tool for doing all these steps in one fell swoop. With pretty pictures to boot!

http://www.visualroute.com

and, no, I don't earn any money for promoting the software. It's GREAT

Seamus Hartmann
Systems Administrator
Logisoft Interactive

-----Original Message-----
From: Russell Fulton [mailto:r.fulton () AUCKLAND AC NZ]
Sent: Monday, January 08, 2001 3:46 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Finding out who owns particular IP addresses

Moderator: Please use your discretion :)

Greetings All,
    I received this request for clarification about how one finds out who 'owns' particular IP addresses. After having spent some time composing a response I thought that there might be other neophytes on the list who will find this useful. To the old hands: hit delete now ;-)

On Mon, 8 Jan 2001 14:02:31 +0100 "Licher, Ansgar" <A.Licher () mbn de> wrote:
> Hi Russell,
>
> I read your contribution regarding that stuff about the probable port
> scanning on port 12345. Since I am not a security expert yet, I am
> seriously working to increase my knowledge to the max. What I just want
> to know is, where or how can I resolve what you were writing about:
>
> "Source IPs were all dialup or cable/dsl belonging to major ISPs with a
> lot in Korea (210.0.0.0/7) as you observed, but also with a sprinkling
> from big North American providers."
>
> How do you know that 210.0.0.0/7 is Korea??? Where do you know that
> several addresses came from major ISPs???
The IP address space is managed by a group of Network Information Centres (NICs) with ARIN (American -- I forget exactly what the rest of the acronym is) at the top. All the NICs maintain searchable databases which you access via whois (most now also have web interfaces too -- surprise). Unfortunately these databases are not as well coordinated as one might hope, and to find the owner of a particular address you have to search the various whois databases starting with ARIN.

So for 210.96.87.189:

bluebottle:~ >whois -h whois.arin.net 210.96.87.189
Asia Pacific Network Information Center (NETBLK-APNIC-CIDR-BLK)
   These addresses have been further assigned to Asia-Pacific users.
   Contact information can be found in the APNIC database,
   at WHOIS.APNIC.NET or http://www.apnic.net/
   Please do not send spam complaints to APNIC.

   Netname: APNIC-CIDR-BLK2
   Netblock: 210.0.0.0 - 211.255.255.255

   Coordinator:
      Administrator, System  (SA90-ARIN)  sysadm () APNIC NET
      +61-7-3367-0490

   Domain System inverse mapping provided by:

   NS.APNIC.NET        203.37.255.97
   SVC00.APNIC.NET     202.12.28.131
   NS.TELSTRA.NET      203.50.0.137
   NS.RIPE.NET         193.0.0.193

   Regional Internet Registry for the Asia-Pacific Region.

   *** Use whois -h whois.apnic.net <object> ***
   *** or see http://www.apnic.net/db/ for database assistance ***

   Record last updated on 03-May-2000.
   Database last updated on 8-Jan-2001 06:20:22 EDT.

and we see that 210/7 is allocated to APNIC (Asia Pacific), so we repeat the search at APNIC.

bluebottle:~ >whois -h whois.apnic.net 210.96.87.189
% Rights restricted by copyright. See http://www.apnic.net/db/dbcopyright.html

inetnum:      210.96.0.0 - 210.97.191.255
netname:      KRNIC-KR-14
descr:        National Computerization Agency
descr:        Korea Network Information Center
country:      KR
admin-c:      WK1-AP
tech-c:       SH3-KR
tech-c:       SL40-AP
remarks:      National NIC
remarks:      These addresses have been assigned to organisations in KoRea.
remarks:      Further information can be obtained from whois.krnic.net
mnt-by:       MAINT-APNIC-AP
changed:      hostmaster () apnic net 19980521
changed:      apnic-dbm () apnic net 20000216
source:       APNIC

person:       Weon Kim
address:      Korea Network Information Center (KRNIC)
address:      **************** Important Notice **********************
address:      KRNIC is the National Internet Registry.
address:      If you want to find detail assignment information
address:      about above IP address, please use "http://whois.nic.or.kr"
address:      *****************************************************
address:      Narajongkeum B/D 14F, 1328-3, Seocho-dong, Seocho-Ku
address:      Seoul, 137-070, Republic of Korea
phone:        +82-2-2186-4500
fax-no:       +82-2-2186-4496
country:      KR
e-mail:       hostmaster () nic or kr
nic-hdl:      WK1-AP
mnt-by:       MNT-KRNIC-AP
changed:      hostmaster () nic or kr 20000927
source:       APNIC

person:       Sangyong Ha
address:      Korea Network Information Center
address:      National Computerization Agency
address:      128, Jukjun-lee, Suji-myun, Yongin-gun, Kyonggi-do, Korea
address:      449-840
phone:        +82 331 289 1674
fax-no:       +82 331 284 2753
e-mail:       syha () rs krnic net
nic-hdl:      SH3-KR
notify:       hostmaster () rs krnic net
mnt-by:       MAINT-NULL
changed:      syha () rs krnic net 19960419
source:       APNIC

person:       Seungmin Lee
address:      Korea Network Information Center (KRNIC)
address:      **************** Important Notice **********************
address:      KRNIC is the National Internet Registry
address:      If you want to find detail assignment information
address:      about above IP address, please use "http://whois.nic.or.kr"
address:      *****************************************************
address:      Narajongkeum B/D 14F, 1328-3, Seocho-dong, Seocho-Ku
address:      Seoul, 137-070, Republic of Korea
phone:        +82-2-2186-4500
fax-no:       +82-2-2186-4496
country:      KR
e-mail:       hostmaster () nic or kr
nic-hdl:      SL40-AP
mnt-by:       MNT-KRNIC-AP
changed:      hostmaster () nic or kr 20000928
source:       APNIC

Which tells us that 210.96.0.0/15 is allocated to KRNIC.

bluebottle:~ >whois -h whois.nic.or.kr 210.96.87.189
Korea Internet Information Service V1.0 ( created by KRNIC, 1999.6 )
query: 210.96.87.189

# ENGLISH

IP Address          : 210.96.87.128-210.96.87.191
Connect ISP Name    : PUBNET
Connect Date        : 98804
Registration Date   : 19980808
Network Name        : CHANGSOO-E

[ Organization Information ]
Orgnization ID      : ORG30441
Name                : Chang-su Elementary School
State               : KYONGGI
Address             : 117-2 Choodong-li Changsu-myun Pochun-gun
Zip Code            : 487-920

[ Admin Contact Information]
Name                : Dongil Lim
Org Name            : Chang-su Elementary School
State               : KYONGGI
Address             : 117-2 Choodong-li Changsu-myun Pochun-gun
Zip Code            : 487-920
Phone               : 0357-33-0009
Fax                 : 0357-33-0120
E-Mail              : kgromc () soback kornet ne kr

[ Technical Contact Information ]
Name                : Dongil Lim
Org Name            : Chang-su Elementary School
Address             : 117-2 Choodong-li Changsu-myun Pochun-gun
Zip Code            : 487-920
Phone               : 0357-33-0009
Fax                 : 0357-33-0120
E-Mail              : kgromc () soback kornet ne kr

Now the good folk at geektools.com have automated this process so you can:

bluebottle:~ >whois -h whois.geektools.com 210.96.87.189
Query: 210.96.87.189
Registry: whois.nic.or.kr
Results:

Korea Internet Information Service V1.0 ( created by KRNIC, 1999.6 )
query: 210.96.87.189

# ENGLISH

IP Address          : 210.96.87.128-210.96.87.191
Connect ISP Name    : PUBNET
Connect Date        : 98804
Registration Date   : 19980808
Network Name        : CHANGSOO-E

[ Organization Information ]
Orgnization ID      : ORG30441
Name                : Chang-su Elementary School
State               : KYONGGI
Address             : 117-2 Choodong-li Changsu-myun Pochun-gun
Zip Code            : 487-920

[ Admin Contact Information]
Name                : Dongil Lim
Org Name            : Chang-su Elementary School
State               : KYONGGI
Address             : 117-2 Choodong-li Changsu-myun Pochun-gun
Zip Code            : 487-920
Phone               : 0357-33-0009
Fax                 : 0357-33-0120
E-Mail              : kgromc () soback kornet ne kr

which gets you the information in one go -- most of the time.
Sometimes it comes unstuck because various NICs are not entirely consistent in how they format the entries in their own databases, so automated tools like the geektools proxy sometimes hit dead ends. I know this because I wrote my own recursive whois lookup in perl before someone kindly pointed me to geektools. Anyway the point is that even with clever tools like those supplied by geektools you still need to know how to drill down through the whois databases by hand.

One can also use whois for finding out information about who owns domain names, but coverage is much more patchy (I don't think that there is a whois server for the .nz domain, for example). However if you give a domain name to whois.geektools.com it will try to find a database to search.

As you have no doubt noticed, my assertion that 210/7 is Korea was inaccurate; it is, in fact, Asia Pacific. I happen to know (from doing two or three lookups a day) that large chunks of 210/7 are allocated to Korea and that if we get an incident from this range then the odds are good that it is Korea. (In fact other parts of 210/7 are allocated to many other countries including Japan and China and possibly even New Zealand.)

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
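The drill-down Russell walks through above (ARIN, then APNIC, then KRNIC) as a small recursive whois client in Python. This is an added example, not code from the original post or from geektools: it reads each registry's reply for a pointer to the next server, follows it, and reports the narrowest allocation that covers the address. The referral patterns and the `fetch` hook are assumptions made here for illustration; the bundled replies are constructed, trimmed versions of the records quoted in the thread so the chain can be exercised offline, while `whois_query` does a live port-43 lookup when no fetcher is supplied.

```python
"""Recursive whois drill-down (added example, not from the original post).

Follows referrals ARIN -> APNIC -> KRNIC by scanning each reply for a pointer
to the next server.  The referral patterns are an assumption about how
registries phrase those pointers; SAMPLE_REPLIES are constructed from trimmed
records quoted in the thread so the walk runs offline.
"""
import ipaddress
import re
import socket

WHOIS_PORT = 43

# Ways a reply points at the next server, in the order we trust them.  The
# "ReferralServer:" form is a later ARIN convention (assumption); the other
# three match the 2001 replies quoted in the thread verbatim.
REFERRAL_PATTERNS = [
    re.compile(r"ReferralServer:\s*(?:r?whois://)?([\w.-]+)", re.I),
    re.compile(r"whois\s+-h\s+([\w.-]+)", re.I),        # *** Use whois -h whois.apnic.net <object> ***
    re.compile(r"https?://(whois\.[\w.-]+)", re.I),     # please use "http://whois.nic.or.kr"
    re.compile(r"obtained from\s+([\w.-]+)", re.I),     # can be obtained from whois.krnic.net
]

# Each registry labels the allocated range differently (the inconsistency the
# post complains about), and KRNIC drops the spaces around the dash.
RANGE_RE = re.compile(
    r"^\s*(?:inetnum|Netblock|IP Address)\s*:\s*([\d.]+)\s*-\s*([\d.]+)", re.I | re.M)

# Constructed, trimmed versions of the replies quoted in the thread.
SAMPLE_REPLIES = {
    "whois.arin.net": (
        "Asia Pacific Network Information Center (NETBLK-APNIC-CIDR-BLK)\n"
        "   Netname: APNIC-CIDR-BLK2\n"
        "   Netblock: 210.0.0.0 - 211.255.255.255\n"
        "   *** Use whois -h whois.apnic.net <object> ***\n"),
    "whois.apnic.net": (
        "inetnum:      210.96.0.0 - 210.97.191.255\n"
        "netname:      KRNIC-KR-14\n"
        "country:      KR\n"
        "remarks:      Further information can be obtained from whois.krnic.net\n"
        'address:      about above IP address, please use "http://whois.nic.or.kr"\n'),
    "whois.nic.or.kr": (
        "IP Address          : 210.96.87.128-210.96.87.191\n"
        "Network Name        : CHANGSOO-E\n"),
}


def whois_query(server, query, timeout=10):
    """Live port-43 lookup: send one line, read until the server closes."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def offline_fetch(server, query):
    """Stand-in for whois_query that answers from SAMPLE_REPLIES."""
    return SAMPLE_REPLIES.get(server, "")


def find_referral(reply, current):
    """Next server named in the reply, or None if it names nothing but itself."""
    for pattern in REFERRAL_PATTERNS:
        for match in pattern.finditer(reply):
            host = match.group(1).lower().rstrip(".")
            if "." in host and host != current:
                return host
    return None


def covering_range(reply, ip):
    """Smallest (start, end) range in the reply that contains ip, else None."""
    addr, best = ipaddress.ip_address(ip), None
    for match in RANGE_RE.finditer(reply):
        lo, hi = ipaddress.ip_address(match.group(1)), ipaddress.ip_address(match.group(2))
        if lo.version != addr.version or not lo <= addr <= hi:
            continue
        if best is None or int(hi) - int(lo) < int(best[1]) - int(best[0]):
            best = (lo, hi)
    return best


def to_cidrs(lo, hi):
    """A registry start-end range as CIDR blocks; it is not always one prefix."""
    lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def recursive_whois(ip, fetch=whois_query, start="whois.arin.net", max_hops=6):
    """Walk the referral chain from ``start``.

    Returns ([(server, range_or_None), ...], narrowest_range).  A reply with no
    recognisable pointer ends the walk (the "dead end" the post describes); the
    narrowest range seen so far is still returned so the caller keeps something.
    """
    ipaddress.ip_address(ip)  # refuse hostnames and junk before touching the network
    server, hops, narrowest, seen = start, [], None, set()
    while server and server not in seen and len(hops) < max_hops:
        seen.add(server)
        reply = fetch(server, ip)
        rng = covering_range(reply, ip)
        if rng and (narrowest is None or int(rng[1]) - int(rng[0]) < int(narrowest[1]) - int(narrowest[0])):
            narrowest = rng
        hops.append((server, rng))
        server = find_referral(reply, server)
    return hops, narrowest


if __name__ == "__main__":
    hops, narrowest = recursive_whois("210.96.87.189", fetch=offline_fetch)
    for server, rng in hops:
        print(server, "->", f"{rng[0]} - {rng[1]} = {', '.join(to_cidrs(*rng))}" if rng else "no range")
    print("narrowest:", to_cidrs(*narrowest))
```

Run it as-is and it walks the three constructed replies and prints the /26 assigned to the school; drop the `fetch=offline_fetch` argument to query the real servers (expect different answers today, since allocations and reply formats have changed since 2001). `to_cidrs` is there because registries hand back start-end ranges rather than prefixes: APNIC's 210.96.0.0 - 210.97.191.255 is three CIDR blocks, not the single /15 the post calls it, while ARIN's 210.0.0.0 - 211.255.255.255 really is 210/7.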