nanog mailing list archives

Re: Specific Network Querying


From: John Adams <jna () retina net>
Date: Wed, 29 Dec 2010 11:01:15 -0800

On Wed, Dec 29, 2010 at 6:01 AM, J. Oquendo <sil () infiltrated net> wrote:

Good morning and happy holidays all. I'm in the process of creating an
automated filtering application and would like to know if anyone can
point me to the right place. I'd like to be able to query a
site/db/etc., and pull out specific netblocks to create fw rules.
[...]
But this just gives me entire blocks, not who is behind them. Is there
any site I could use to query specifics? E.g., for a gov client: wget
-qO - this.site.org | grep "\.gov" | parse_with_awk '{print "fw_rule"}'


Given the current IPv4 climate, this sounds like a terrible idea. The
landscape has changed dramatically from what it once was. Large
volumes of mobile carriers use NAT, many IPv6 to IPv4 gateways are out
there routing traffic, and we'll soon see a time in which entire
countries are transiting over small chunks of IPv4 space.  Never mind
the fact that applications on services like Google App Engine have a
different IP nearly every time they connect because of outbound proxy
pools.

I think you're going to have a very difficult time resolving an IP to
the appropriate owner. Coarse calculation of who might be in charge of
a block is possible but fine-grained discovery and classification of
an owner is a difficult task.

That being said, the tools that I'm using on a daily basis to figure
out who actually owns an IP block (or is sending traffic over it) are:

- Senderbase (Cisco)
- cymru whois (whois.cymru.com - good for fast bgp lookups and geo)
- http://multirbl.valli.org/dnsbl-lookup (multi-rbl lookup, good for
finding abusers and other issues)
- SmartViper (Website ownership) http://www.markosweb.com/

-John
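
An added example, not part of the original message: a parser for verbose bulk output in the style of the whois.cymru.com lookup listed above, showing the coarse origin-AS grouping the reply describes as possible. The sample rows, AS names and function names are constructed, and the column layout is an assumption.

```python
import ipaddress
from collections import defaultdict

# Constructed sample (documentation address ranges, reserved ASNs, made-up
# AS names). Column layout is assumed to match verbose bulk output:
# AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
SAMPLE = """\
Bulk mode; whois.cymru.com [constructed sample]
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
64496   | 192.0.2.10       | 192.0.2.0/24        | US | arin     | 2001-01-01 | EXAMPLE-AGENCY, US
64496   | 192.0.2.77       | 192.0.2.0/24        | US | arin     | 2001-01-01 | EXAMPLE-AGENCY, US
64497   | 198.51.100.5     | 198.51.100.0/24     | US | arin     | 2002-02-02 | EXAMPLE-MOBILE-NAT, US
NA      | 203.0.113.9      | NA                  |    |          |            | NA
"""


def parse_rows(text):
    """Yield (asns, ip, prefix, name) per data row; prefix is None if unrouted."""
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) != 7 or cols[0] == "AS":
            continue  # banner, header or malformed line
        try:
            ip = ipaddress.ip_address(cols[1])
            prefix = None if cols[2] == "NA" else ipaddress.ip_network(cols[2])
        except ValueError:
            continue
        # A prefix can have several origin ASNs, so keep them as a tuple.
        yield tuple(cols[0].split()), ip, prefix, cols[6]


def coarse_owners(text):
    """Group queried IPs by (origin ASNs, announced prefix, AS name).

    This names whoever announces the prefix in BGP and nothing finer: hosts
    behind a carrier NAT or proxy pool in that prefix are indistinguishable.
    """
    groups, unrouted = defaultdict(list), []
    for asns, ip, prefix, name in parse_rows(text):
        if prefix is None:
            unrouted.append(str(ip))
        elif ip in prefix:  # reject rows whose IP is outside the stated prefix
            groups[(asns, str(prefix), name)].append(str(ip))
    return dict(groups), unrouted


if __name__ == "__main__":
    owners, unrouted = coarse_owners(SAMPLE)
    for (asns, prefix, name), ips in owners.items():
        print(f"AS{'/'.join(asns)} {prefix} {name}: {ips}")
    print("no covering route:", unrouted)
```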

