Re: Finding out who owns particular IP addresses |  |
- To: [EMAIL PROTECTED]
- Subject: Re: Finding out who owns particular IP addresses
- From: Bob Hillery <[EMAIL PROTECTED]>
- Date: Tue, 09 Jan 2001 02:55:20 +0100
- In-reply-to: <[EMAIL PROTECTED]>
Seamus,
Careful with VR (and NeoTrace) -- they're susceptible to GIGO
(garbage in...). They're based on the POC input of the various
ISP/NSP routers (from ARIN, etc., dB) along the way and while the geo
stuff looks cool, it may not be where the box really is sitting in a
rack...conversely, just because an "owner" is in San Mateo doesn't
preclude the web-host, for example, from being in Paramus...
The "one stop shop" I really like is http://combat.uxn.com which is
basically a front-end linking several registration bureaus & search
options on one page. Includes ARIN, European RIPE, GEEKTOOLS whois
front end, & some other tools all on a single webpage. Very handy.
BTW, it's sometimes useful to check more than one registry...I
recently detected either a 1. "in process" change-over of ISP/NSP
number assignments or 2. a DNS zone-transfer hack in progress. (See
SANS http://www.sans.org/y2k/010201.htm )
Prof. Bob Hillery
Chair, Info Systems Dept.
NHCTC Pease
Portsmouth NH
> -----Original Message-----
> From: Incidents Mailing List [mailto:[EMAIL PROTECTED]
> Behalf Of Hartmann, Seamus
> Sent: Monday, 08 January, 2001 16:29 PM
> To:
> Subject: Re: Finding out who owns particular IP addresses
>
>
> as an addendum to this wonderful tract on using whois....
>
> For those of us stuck in Wintel world, there's a great tool
> for doing all
> these steps in one fell swoop. With pretty pictures to boot!
>
> http://www.visualroute.com
>
> and, no, i don't earn any money for promoting the software. It's GREAT
>
> Seamus Hartmann
> Systems Administrator
> Logisoft Interactive
>
> -----Original Message-----
> From: Russell Fulton [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 08, 2001 3:46 PM
> To: [EMAIL PROTECTED]
> Subject: Finding out who owns particular IP addresses
>
>
> Moderator: Please use your discretion :)
>
> Greetings All,
> I received this request for clarification about how one
> finds out who 'owns' particular IP addresses. After having spent some
> time composing a response I thought that there might be other neophytes
> on the list who will find this useful.
>
> To the old hands Hit delete now ;-)
>
>
> On Mon, 8 Jan 2001 14:02:31 +0100 "Licher, Ansgar" <[EMAIL PROTECTED]>
> wrote:
>
> > Hi Russell,
> >
> > I read your contribution regarding that stuff about the
> probable port
> > scanning on port 12345.
> >
> > Since I am not a security expert yet, I am seriously working to increase my
> > knowledge to the max. What I just want to know is, where or how can I
> > resolve, what you were writing about:
> >
> > "Source IPs were all dialup or cable/dsl belonging to major ISPs with a lot
> > in Korea (210.0.0.0/7) as you observed, but also with a sprinkling from
> > big North American providers. "
> >
> > How do you know, that 210.0.0.0/7 is Korea??? Where do you know that several
> > addresses came from major ISPs???
>
> The IP address space is managed by a group of Network Information
> Centres (NICs) with ARIN (American -- I forget exactly what the rest of
> the acronym is) at the top. All the NICs maintain searchable databases
> which you access via whois (most now also have web interfaces too --
> surprise). Unfortunately these databases are not as well coordinated as
> one might hope and to find the owner of a particular address you have
> to search the various whois databases starting with ARIN.
>
> So for 210.96.87.189
>
> bluebottle:~ >whois -h whois.arin.net 210.96.87.189
> Asia Pacific Network Information Center (NETBLK-APNIC-CIDR-BLK)
> These addresses have been further assigned to Asia-Pacific users.
> Contact information can be found in the APNIC database,
> at WHOIS.APNIC.NET or http://www.apnic.net/
> Please do not send spam complaints to APNIC.
>
> Netname: APNIC-CIDR-BLK2
> Netblock: 210.0.0.0 - 211.255.255.255
>
> Coordinator:
> Administrator, System (SA90-ARIN) [EMAIL PROTECTED]
> +61-7-3367-0490
>
> Domain System inverse mapping provided by:
>
> NS.APNIC.NET 203.37.255.97
> SVC00.APNIC.NET 202.12.28.131
> NS.TELSTRA.NET 203.50.0.137
> NS.RIPE.NET 193.0.0.193
>
> Regional Internet Registry for the Asia-Pacific Region.
>
> *** Use whois -h whois.apnic.net <object> ***
>
> *** or see http://www.apnic.net/db/ for database assistance ***
>
>
> Record last updated on 03-May-2000.
> Database last updated on 8-Jan-2001 06:20:22 EDT.
>
> and we see that 210/7 is allocated to APNIC (Asia Pacific) so
> we repeat
> the search at apnic.
>
> bluebottle:~ >whois -h whois.apnic.net 210.96.87.189
>
> % Rights restricted by copyright. See
> http://www.apnic.net/db/dbcopyright.html
>
> inetnum: 210.96.0.0 - 210.97.191.255
> netname: KRNIC-KR-14
> descr: National Computerization Agency
> descr: Korea Network Information Center
> country: KR
> admin-c: WK1-AP
> tech-c: SH3-KR
> tech-c: SL40-AP
> remarks: National NIC
> remarks: These addresses have been assigned to organisations in KoRea.
> remarks: Further information can be obtained from whois.krnic.net
> mnt-by: MAINT-APNIC-AP
> changed: [EMAIL PROTECTED] 19980521
> changed: [EMAIL PROTECTED] 20000216
> source: APNIC
>
> person: Weon Kim
> address: Korea Network Information Center (KRNIC)
> address: **************** Important Notice **********************
> address: KRNIC is the National Internet Registry.
> address: If you want to find detail assignment information
> address: about above IP address, please use
> "http://whois.nic.or.kr"
> address: *****************************************************
> address: Narajongkeum B/D 14F, 1328-3, Seocho-dong, Seocho-Ku
> address: Seoul, 137-070, Republic of Korea
> phone: +82-2-2186-4500
> fax-no: +82-2-2186-4496
> country: KR
> e-mail: [EMAIL PROTECTED]
> nic-hdl: WK1-AP
> mnt-by: MNT-KRNIC-AP
> changed: [EMAIL PROTECTED] 20000927
> source: APNIC
>
> person: Sangyong Ha
> address: Korea Network Information Center
> address: National Computerization Agency
> address: 128, Jukjun-lee, Suji-myun, Yongin-gun, Kyonggi-do, Korea
> address: 449-840
> phone: +82 331 289 1674
> fax-no: +82 331 284 2753
> e-mail: [EMAIL PROTECTED]
> nic-hdl: SH3-KR
> notify: [EMAIL PROTECTED]
> mnt-by: MAINT-NULL
> changed: [EMAIL PROTECTED] 19960419
> source: APNIC
>
> person: Seungmin Lee
> address: Korea Network Information Center (KRNIC)
> address: **************** Important Notice **********************
> address: KRNIC is the National Internet Registry
> address: If you want to find detail assignment information
> address: about above IP address, please use
> "http://whois.nic.or.kr"
> address: *****************************************************
> address: Narajongkeum B/D 14F, 1328-3, Seocho-dong, Seocho-Ku
> address: Seoul, 137-070, Republic of Korea
> phone: +82-2-2186-4500
> fax-no: +82-2-2186-4496
> country: KR
> e-mail: [EMAIL PROTECTED]
> nic-hdl: SL40-AP
> mnt-by: MNT-KRNIC-AP
> changed: [EMAIL PROTECTED] 20000928
> source: APNIC
>
> Which tells us that 210.96.0.0/15 is allocated to KRNIC
>
> bluebottle:~ >whois -h whois.nic.or.kr 210.96.87.189
>
> Korea Internet Information Service V1.0 ( created by KRNIC, 1999.6 )
>
> query: 210.96.87.189
>
> # ENGLISH
>
> IP Address : 210.96.87.128-210.96.87.191
> Connect ISP Name : PUBNET
> Connect Date : 98804
> Registration Date : 19980808
> Network Name : CHANGSOO-E
>
> [ Organization Information ]
> Orgnization ID : ORG30441
> Name : Chang-su Elementary School
> State : KYONGGI
> Address : 117-2 Choodong-li Changsu-myun Pochun-gun
> Zip Code : 487-920
>
> [ Admin Contact Information]
> Name : Dongil Lim
> Org Name : Chang-su Elementary School
> State : KYONGGI
> Address : 117-2 Choodong-li Changsu-myun Pochun-gun
> Zip Code : 487-920
> Phone : 0357-33-0009
> Fax : 0357-33-0120
> E-Mail : [EMAIL PROTECTED]
>
> [ Technical Contact Information ]
> Name : Dongil Lim
> Org Name : Chang-su Elementary School
> Address : 117-2 Choodong-li Changsu-myun Pochun-gun
> Zip Code : 487-920
> Phone : 0357-33-0009
> Fax : 0357-33-0120
> E-Mail : [EMAIL PROTECTED]
>
> Now the good folk at geektools.com have automated this process so you
> can:
>
> bluebottle:~ >whois -h whois.geektools.com 210.96.87.189
> Query: 210.96.87.189
> Registry: whois.nic.or.kr
> Results:
>
> Korea Internet Information Service V1.0 ( created by KRNIC, 1999.6 )
>
> query: 210.96.87.189
>
>
> # ENGLISH
>
> IP Address : 210.96.87.128-210.96.87.191
> Connect ISP Name : PUBNET
> Connect Date : 98804
> Registration Date : 19980808
> Network Name : CHANGSOO-E
>
> [ Organization Information ]
> Orgnization ID : ORG30441
> Name : Chang-su Elementary School
> State : KYONGGI
> Address : 117-2 Choodong-li Changsu-myun Pochun-gun
> Zip Code : 487-920
>
> [ Admin Contact Information]
> Name : Dongil Lim
> Org Name : Chang-su Elementary School
> State : KYONGGI
> Address : 117-2 Choodong-li Changsu-myun Pochun-gun
> Zip Code : 487-920
> Phone : 0357-33-0009
> Fax : 0357-33-0120
> E-Mail : [EMAIL PROTECTED]
>
>
> which gets you the information in one go -- most of the time.
> Sometimes it comes unstuck because various NICs are not entirely
> consistent in how they format the entries in their own databases so
> automated tools like the geektools proxy sometimes hit dead ends.
> I know this because I wrote my own recursive whois lookup in perl
> before someone kindly pointed me to geektools. Anyway the point is
> that even with clever tools like those supplied by geektools you still
> need to know how to drill down through the whois databases by hand.
>
> One can also use whois for finding out information about who owns
> domain names, but coverage is much more patchy (I don't think that
> there is a whois server for .nz domain for example). However if you
> give a domain name to whois.geektools.com it will try to find a
> database to search.
>
> As you have no doubt noticed my assertion that 210/7 is Korea was
> inaccurate, it is, in fact, Asia Pacific. I happen to know (from doing
> two or three lookups a day) that large chunks of 210/7 are allocated to
> Korea and that if we get an incident from this range then the odds are
> good that it is Korea. (In fact other parts of 210/7 are allocated to
> many other countries including Japan and China and possibly even New
> Zealand.)
>
>
> Russell Fulton, Computer and Network Security Officer
> The University of Auckland, New Zealand
>
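The drill-down Russell walks through above (ARIN referring to APNIC, APNIC referring on to KRNIC), as an added example that is neither his Perl script nor geektools' code: a referral-following whois client in Python. The referral phrasings and the "start - end" range check are heuristics built only from the registry output quoted in this thread; `network_whois` does a plain port-43 query, and `recursive_whois` takes any query function so the same logic can be run offline against saved responses.

```python
import ipaddress
import re
import socket

# Referral phrasings seen in the registry output quoted in the thread, ordered by
# preference: the first matching pattern decides the next hop (constructed heuristics).
REFERRAL_PATTERNS = [
    re.compile(r"whois -h\s+(\S+)"),                                          # ARIN -> APNIC
    re.compile(r"please use\s+(?:address:\s*)?\W*https?://(whois\.[\w.-]+)"),  # APNIC person record -> KRNIC
    re.compile(r"obtained from\s+(whois\.[\w.-]+)"),                          # APNIC inetnum remark -> KRNIC
]
# "Netblock:", "inetnum:" and "IP Address :" lines all carry a "start - end" range.
RANGE_RE = re.compile(r"^\s*(?:Netblock|inetnum|IP Address)\s*:\s*([\d.]+)\s*-\s*([\d.]+)", re.M | re.I)

def find_referral(text):
    """Next whois server named in a response, or None when the record is the final assignment."""
    for pat in REFERRAL_PATTERNS:
        m = pat.search(text)
        if m:
            return m.group(1).lower().rstrip('/"')
    return None

def covering_range(text, ip):
    """Smallest 'start - end' block in the response that contains ip, or None if none does."""
    addr, best = ipaddress.ip_address(ip), None
    for lo, hi in RANGE_RE.findall(text):
        lo_a, hi_a = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if lo_a <= addr <= hi_a and (best is None or int(hi_a) - int(lo_a) < int(best[1]) - int(best[0])):
            best = (lo_a, hi_a)
    return best

def network_whois(server, query, port=43, timeout=10):
    """Plain whois over TCP (RFC 3912): send one query line, read until the server closes."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall((query + "\r\n").encode())
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")

def recursive_whois(ip, start="whois.arin.net", query=network_whois, max_hops=5):
    """Drill down from ARIN, following each registry's referral; returns [(server, response), ...]."""
    hops, server, seen = [], start, set()
    while server and server not in seen and len(hops) < max_hops:  # stops on referral loops
        seen.add(server)
        response = query(server, ip)
        hops.append((server, response))
        server = find_referral(response)
    return hops

if __name__ == "__main__":
    for server, response in recursive_whois("210.96.87.189"):
        print(server, covering_range(response, "210.96.87.189"))
```

If the final hop's range does not contain the address, or is no smaller than the previous hop's, the registries disagree and the answer deserves the manual cross-check Bob recommends.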