[thelist] Fwd: Finding out who owns particular IP addresses

Anthony Baratta Anthony at Baratta.com
Mon Jan 8 16:54:26 CST 2001


This is some good info, for those so inclined to track down these things.

>Greetings All,
>               I received this request for clarification about how one
>finds out who 'owns' particular IP addresses.  After having spent some
>time composing a response I thought that there might be other neophytes
>on the list who will find this useful.
>
>To the old hands Hit delete now ;-)
>
>
>On Mon, 8 Jan 2001 14:02:31 +0100  "Licher, Ansgar" <A.Licher at mbn.de>
>wrote:
>
> > Hi Russell,
> >
> > I read your contribution regarding that stuff about the probable port
> > scanning on port 12345.
> >
> > Since I am not a security expert yet, I am seriously working to increase my
> > knowledge to the max. What I just want to know is, where or how can I
> > resolve, what you were writing about:
> >
> > "Source IPs were all dialup or cable/dsl belonging to major ISPs with a lot
> > in Korea (210.0.0.0/7) as you observed, but also with a sprinkling from
> > big North American providers. "
> >
> > How do you know, that 210.0.0.0/7 is Korea??? Where do you know that
> > several addresses came from major ISPs???
>
>The IP address space is managed by a group of Network Information
>Centres (NICs) with ARIN (American -- I forget exactly what the rest of
>the acronym is) at the top.  All the NICs maintain searchable databases
>which you access via whois (most now also have web interfaces too --
>surprise).  Unfortunately these databases are not as well coordinated as
>one might hope and to find the owner of a particular address you have
>to search the various whois databases starting with ARIN.
>
>So for 210.96.87.189
>
>bluebottle:~ >whois -h whois.arin.net 210.96.87.189
>Asia Pacific Network Information Center (NETBLK-APNIC-CIDR-BLK)
>    These addresses have been further assigned to Asia-Pacific users.
>    Contact information can be found in the APNIC database,
>    at WHOIS.APNIC.NET or http://www.apnic.net/
>    Please do not send spam complaints to APNIC.
>
>    Netname: APNIC-CIDR-BLK2
>    Netblock: 210.0.0.0 - 211.255.255.255
>
>    Coordinator:
>       Administrator, System  (SA90-ARIN)  sysadm at APNIC.NET
>       +61-7-3367-0490
>
>    Domain System inverse mapping provided by:
>
>    NS.APNIC.NET                 203.37.255.97
>    SVC00.APNIC.NET              202.12.28.131
>    NS.TELSTRA.NET               203.50.0.137
>    NS.RIPE.NET                  193.0.0.193
>
>    Regional Internet Registry for the Asia-Pacific Region.
>
>    *** Use whois -h whois.apnic.net <object>                     ***
>
>    *** or see http://www.apnic.net/db/ for database assistance   ***
>
>
>    Record last updated on 03-May-2000.
>    Database last updated on 8-Jan-2001 06:20:22 EDT.
>
>and we see that 210/7 is allocated to APNIC (Asia Pacific) so we repeat
>the search at apnic.
>
>bluebottle:~ >whois -h whois.apnic.net 210.96.87.189
>
>% Rights restricted by copyright. See
>http://www.apnic.net/db/dbcopyright.html
>
>inetnum:     210.96.0.0 - 210.97.191.255
>netname:     KRNIC-KR-14
>descr:       National Computerization Agency
>descr:       Korea Network Information Center
>country:     KR
>admin-c:     WK1-AP
>tech-c:      SH3-KR
>tech-c:      SL40-AP
>remarks:     National NIC
>remarks:     These addresses have been assigned to organisations in
>KoRea.
>remarks:     Further information can be obtained from whois.krnic.net
>mnt-by:      MAINT-APNIC-AP
>changed:     hostmaster at apnic.net 19980521
>changed:     apnic-dbm at apnic.net 20000216
>source:      APNIC
>
>person:      Weon Kim
>address:     Korea Network Information Center (KRNIC)
>address:     **************** Important Notice **********************
>address:     KRNIC is the National Internet Registry.
>address:     If you want to find detail assignment information
>address:     about above IP address, please use "http://whois.nic.or.kr"
>address:     *****************************************************
>address:     Narajongkeum B/D 14F, 1328-3, Seocho-dong, Seocho-Ku
>address:     Seoul, 137-070, Republic of Korea
>phone:       +82-2-2186-4500
>fax-no:      +82-2-2186-4496
>country:     KR
>e-mail:      hostmaster at nic.or.kr
>nic-hdl:     WK1-AP
>mnt-by:      MNT-KRNIC-AP
>changed:     hostmaster at nic.or.kr 20000927
>source:      APNIC
>
>person:      Sangyong Ha
>address:     Korea Network Information Center
>address:     National Computerization Agency
>address:     128, Jukjun-lee, Suji-myun, Yongin-gun, Kyonggi-do, Korea
>address:     449-840
>phone:       +82 331 289 1674
>fax-no:      +82 331 284 2753
>e-mail:      syha at rs.krnic.net
>nic-hdl:     SH3-KR
>notify:      hostmaster at rs.krnic.net
>mnt-by:      MAINT-NULL
>changed:     syha at rs.krnic.net 19960419
>source:      APNIC
>
>person:      Seungmin Lee
>address:     Korea Network Information Center (KRNIC)
>address:     **************** Important Notice **********************
>address:     KRNIC is the National Internet Registry
>address:     If you want to find detail assignment information
>address:     about above IP address, please use ?http://whois.nic.or.kr"
>address:     *****************************************************
>address:     Narajongkeum B/D 14F, 1328-3, Seocho-dong, Seocho-Ku
>address:     Seoul, 137-070, Republic of Korea
>phone:       +82-2-2186-4500
>fax-no:      +82-2-2186-4496
>country:     KR
>e-mail:      hostmaster at nic.or.kr
>nic-hdl:     SL40-AP
>mnt-by:      MNT-KRNIC-AP
>changed:     hostmaster at nic.or.kr 20000928
>source:      APNIC
>
>Which tells us that 210.96.0.0/15 is allocated to KRNIC
>
>bluebottle:~ >whois -h whois.nic.or.kr 210.96.87.189
>
>Korea Internet Information Service V1.0 ( created by KRNIC, 1999.6 )
>
>query: 210.96.87.189
>
># ENGLISH
>
>IP Address         : 210.96.87.128-210.96.87.191
>Connect ISP Name   : PUBNET
>Connect Date       : 98804
>Registration Date  : 19980808
>Network Name       : CHANGSOO-E
>
>[ Organization Information ]
>Orgnization ID     : ORG30441
>Name               : Chang-su Elementary School
>State              : KYONGGI
>Address            : 117-2 Choodong-li Changsu-myun Pochun-gun
>Zip Code           : 487-920
>
>[ Admin Contact Information]
>Name               : Dongil Lim
>Org Name           : Chang-su Elementary School
>State              : KYONGGI
>Address            : 117-2 Choodong-li Changsu-myun Pochun-gun
>Zip Code           : 487-920
>Phone              : 0357-33-0009
>Fax                : 0357-33-0120
>E-Mail             : kgromc at soback.kornet.ne.kr
>
>[ Technical Contact Information ]
>Name               : Dongil Lim
>Org Name           : Chang-su Elementary School
>Address            : 117-2 Choodong-li Changsu-myun Pochun-gun
>Zip Code           : 487-920
>Phone              : 0357-33-0009
>Fax                : 0357-33-0120
>E-Mail             : kgromc at soback.kornet.ne.kr
>
>Now the good folk at geektools.com have automated this process so you
>can:
>
>bluebottle:~ >whois -h whois.geektools.com 210.96.87.189
>Query:     210.96.87.189
>Registry:  whois.nic.or.kr
>Results:
>
>Korea Internet Information Service V1.0 ( created by KRNIC, 1999.6 )
>
>query: 210.96.87.189
>
>
># ENGLISH
>
>IP Address         : 210.96.87.128-210.96.87.191
>Connect ISP Name   : PUBNET
>Connect Date       : 98804
>Registration Date  : 19980808
>Network Name       : CHANGSOO-E
>
>[ Organization Information ]
>Orgnization ID     : ORG30441
>Name               : Chang-su Elementary School
>State              : KYONGGI
>Address            : 117-2 Choodong-li Changsu-myun Pochun-gun
>Zip Code           : 487-920
>
>[ Admin Contact Information]
>Name               : Dongil Lim
>Org Name           : Chang-su Elementary School
>State              : KYONGGI
>Address            : 117-2 Choodong-li Changsu-myun Pochun-gun
>Zip Code           : 487-920
>Phone              : 0357-33-0009
>Fax                : 0357-33-0120
>E-Mail             : kgromc at soback.kornet.ne.kr
>
>
>which gets you the information in one go -- most of the time.
>Sometimes it comes unstuck because various NICs are not entirely
>consistent in how they format the entries in their own databases, so
>automated tools like the geektools proxy sometimes hit dead ends.
>I know this because I wrote my own recursive whois lookup in perl
>before someone kindly pointed me to geektools.  Anyway the point is
>that even with clever tools like those supplied by geektools you still
>need to know how to drill down through the whois databases by hand.
>
>One can also use whois for finding out information about who owns
>domain names, but coverage is much more patchy (I don't think that
>there is a whois server for .nz domain for example).  However if you
>give a domain name to whois.geektools.com it will try to find a
>database to search.
>
>As you have no doubt noticed my assertion that 210/7 is Korea was
>inaccurate; it is, in fact, Asia Pacific.  I happen to know (from doing
>two or three lookups a day) that large chunks of 210/7 are allocated to
>Korea and that if we get an incident from this range then the odds are
>good that it is Korea.  (In fact other parts of 210/7 are allocated to
>many other countries including Japan and China and possibly even New
>Zealand.)
>
>
>Russell Fulton, Computer and Network Security Officer
>The University of Auckland,  New Zealand
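The drill-down Russell walks through by hand (ask ARIN, follow the registry it names, follow the national registry that one names, stop when no further referral appears) is mechanical enough to script, which is exactly what his Perl tool and the geektools proxy do. The Python below is an added example written for this archive page; it is not Russell's script nor anything from geektools. The referral and range patterns are assumptions fitted to the reply formats quoted in the message (the "Use whois -h <server>" banner, "Netblock:" / "inetnum:" / "IP Address :" ranges, "country:" lines) plus ARIN's later "ReferralServer:" and IANA's "refer:" keys; the canned replies are condensed from the output quoted above so the script runs offline, and the whois_query function does the live TCP/43 lookup when you pass it in instead.

```python
"""Recursive whois drill-down: ARIN -> regional registry -> national registry.

Added example, not code from the original post. Parsing patterns are
assumptions matched to the reply formats quoted in the thread.
"""
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional, Set, Tuple

WHOIS_PORT = 43

# Referral patterns, tried in order; the first hit not yet visited wins.
REFERRAL_PATTERNS = [
    re.compile(r"ReferralServer:\s*(?:whois://)?([\w.-]+)", re.I),   # ARIN (later format)
    re.compile(r"^refer:\s*([\w.-]+)", re.I | re.M),                 # IANA
    re.compile(r"whois\s+-h\s+([\w.-]+)", re.I),                     # "Use whois -h ..." banner
    re.compile(r"\b(whois\.[\w-]+(?:\.[\w-]+)+)\b", re.I),           # any whois.* hostname in remarks
]

# Range line formats seen in the thread: ARIN, APNIC/RIPE-style, KRNIC.
RANGE_PATTERN = re.compile(
    r"^\s*(?:Netblock|inetnum|NetRange|IP Address)\s*:\s*"
    r"(\d+\.\d+\.\d+\.\d+)\s*-\s*(\d+\.\d+\.\d+\.\d+)",
    re.I | re.M,
)
COUNTRY_PATTERN = re.compile(r"^country:\s*([A-Za-z]{2})", re.I | re.M)


def find_referral(text: str, visited: Set[str]) -> Optional[str]:
    """Return the next whois server named in a reply, skipping servers already queried."""
    for pat in REFERRAL_PATTERNS:
        for m in pat.finditer(text):
            host = m.group(1).lower().rstrip(".")
            if host not in visited:
                return host
    return None


def find_range(text: str) -> Optional[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]]:
    m = RANGE_PATTERN.search(text)
    if not m:
        return None
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))


def range_to_cidrs(start, end) -> List[str]:
    """Exact CIDR cover of a start-end range (e.g. 210.0.0.0-211.255.255.255 -> 210.0.0.0/7)."""
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]


def find_country(text: str) -> Optional[str]:
    m = COUNTRY_PATTERN.search(text)
    return m.group(1).upper() if m else None


def whois_query(server: str, query: str, timeout: float = 10.0) -> str:
    """Raw whois over TCP/43 (RFC 3912): send the query plus CRLF, read until EOF."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as s:
        s.sendall((query + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def drill_down(ip: str, query: Callable[[str, str], str] = whois_query,
               start: str = "whois.arin.net", max_hops: int = 6) -> List[Dict]:
    """Follow whois referrals from `start`; return one record per server visited."""
    ipaddress.ip_address(ip)          # reject anything that is not an address before sending it
    hops: List[Dict] = []
    visited: Set[str] = set()
    server: Optional[str] = start
    while server and len(hops) < max_hops:   # max_hops guards against referral loops
        visited.add(server)
        text = query(server, ip)
        rng = find_range(text)
        hops.append({
            "server": server,
            "range": f"{rng[0]}-{rng[1]}" if rng else None,
            "cidrs": range_to_cidrs(*rng) if rng else [],
            "country": find_country(text),
        })
        server = find_referral(text, visited)
    return hops


# Constructed, condensed versions of the replies quoted in the thread, for offline runs.
CANNED = {
    "whois.arin.net": (
        "Asia Pacific Network Information Center (NETBLK-APNIC-CIDR-BLK)\n"
        "    Netname: APNIC-CIDR-BLK2\n"
        "    Netblock: 210.0.0.0 - 211.255.255.255\n"
        "    *** Use whois -h whois.apnic.net <object>  ***\n"
    ),
    "whois.apnic.net": (
        "inetnum:     210.96.0.0 - 210.97.191.255\n"
        "netname:     KRNIC-KR-14\n"
        "country:     KR\n"
        "remarks:     Further information can be obtained from whois.krnic.net\n"
    ),
    "whois.krnic.net": (
        "query: 210.96.87.189\n"
        "IP Address         : 210.96.87.128-210.96.87.191\n"
        "Connect ISP Name   : PUBNET\n"
        "Network Name       : CHANGSOO-E\n"
    ),
}


def canned_query(server: str, query: str) -> str:
    return CANNED[server]


if __name__ == "__main__":
    # Replace query=canned_query with query=whois_query for a live lookup.
    for hop in drill_down("210.96.87.189", query=canned_query):
        print(hop)
```

Two things the run makes visible that the hand-walk glosses over: summarising the APNIC inetnum gives 210.96.0.0/16, 210.97.0.0/17 and 210.97.128.0/18, narrower than a clean /15, and the KRNIC reply carries no "country:" line at all, so a tool that insists on one field layout dead-ends there, which is the inconsistency Russell warns about. The visited set and hop limit stop a registry that names itself, or two that name each other, from looping the script.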
