
From: Russell Fulton (r.fultonAUCKLAND.AC.NZ)
Date: Mon Jan 08 2001 - 14:45:39 CST


    Moderator: Please use your discretion :)

    Greetings All,
    I received this request for clarification about how one finds out who
    'owns' particular IP addresses. After having spent some time composing a
    response I thought that there might be other neophytes on the list who
    will find this useful.

    To the old hands: hit delete now ;-)

    On Mon, 8 Jan 2001 14:02:31 +0100 "Licher, Ansgar" <A.Lichermbn.de>
    wrote:

    > Hi Russell,
    >
    > I read your contribution regarding that stuff about the probable port
    > scanning on port 12345.
    >
    > Since I am not a security expert yet, I am seriously working to increase my
    > knowledge to the max. What I just want to know is, where or how can I
    > resolve what you were writing about:
    >
    > "Source IPs were all dialup or cable/dsl belonging to major ISPs with a lot
    > in Korea (210.0.0.0/7) as you observed, but also with a sprinkling from
    > big North American providers. "
    >
    > How do you know, that 210.0.0.0/7 is Korea??? Where do you know that several
    > addresses came from major ISPs???

    The IP address space is managed by a group of Network Information
    Centres (NICs) with ARIN (American -- I forget exactly what the rest of
    the acronym is) at the top. All the NICs maintain searchable databases
    which you access via whois (most now also have web interfaces too --
    surprise). Unfortunately these databases are not as well coordinated as
    one might hope, and to find the owner of a particular address you have
    to search the various whois databases, starting with ARIN.

    So for 210.96.87.189

    bluebottle:~ >whois -h whois.arin.net 210.96.87.189
    Asia Pacific Network Information Center (NETBLK-APNIC-CIDR-BLK)
       These addresses have been further assigned to Asia-Pacific users.
       Contact information can be found in the APNIC database,
       at WHOIS.APNIC.NET or http://www.apnic.net/
       Please do not send spam complaints to APNIC.

       Netname: APNIC-CIDR-BLK2
       Netblock: 210.0.0.0 - 211.255.255.255

       Coordinator:
          Administrator, System (SA90-ARIN) sysadmAPNIC.NET
          +61-7-3367-0490

       Domain System inverse mapping provided by:

       NS.APNIC.NET 203.37.255.97
       SVC00.APNIC.NET 202.12.28.131
       NS.TELSTRA.NET 203.50.0.137
       NS.RIPE.NET 193.0.0.193

       Regional Internet Registry for the Asia-Pacific Region.

       *** Use whois -h whois.apnic.net <object> ***

       *** or see http://www.apnic.net/db/ for database assistance ***

       Record last updated on 03-May-2000.
       Database last updated on 8-Jan-2001 06:20:22 EDT.

    and we see that 210/7 is allocated to APNIC (Asia Pacific), so we repeat
    the search at APNIC.

    bluebottle:~ >whois -h whois.apnic.net 210.96.87.189

    % Rights restricted by copyright. See
    http://www.apnic.net/db/dbcopyright.html

    inetnum: 210.96.0.0 - 210.97.191.255
    netname: KRNIC-KR-14
    descr: National Computerization Agency
    descr: Korea Network Information Center
    country: KR
    admin-c: WK1-AP
    tech-c: SH3-KR
    tech-c: SL40-AP
    remarks: National NIC
    remarks: These addresses have been assigned to organisations in
    KoRea.
    remarks: Further information can be obtained from whois.krnic.net
    mnt-by: MAINT-APNIC-AP
    changed: hostmasterapnic.net 19980521
    changed: apnic-dbmapnic.net 20000216
    source: APNIC

    person: Weon Kim
    address: Korea Network Information Center (KRNIC)
    address: **************** Important Notice **********************
    address: KRNIC is the National Internet Registry.
    address: If you want to find detail assignment information
    address: about above IP address, please use "http://whois.nic.or.kr"
    address: *****************************************************
    address: Narajongkeum B/D 14F, 1328-3, Seocho-dong, Seocho-Ku
    address: Seoul, 137-070, Republic of Korea
    phone: +82-2-2186-4500
    fax-no: +82-2-2186-4496
    country: KR
    e-mail: hostmasternic.or.kr
    nic-hdl: WK1-AP
    mnt-by: MNT-KRNIC-AP
    changed: hostmasternic.or.kr 20000927
    source: APNIC

    person: Sangyong Ha
    address: Korea Network Information Center
    address: National Computerization Agency
    address: 128, Jukjun-lee, Suji-myun, Yongin-gun, Kyonggi-do, Korea
    address: 449-840
    phone: +82 331 289 1674
    fax-no: +82 331 284 2753
    e-mail: syhars.krnic.net
    nic-hdl: SH3-KR
    notify: hostmasterrs.krnic.net
    mnt-by: MAINT-NULL
    changed: syhars.krnic.net 19960419
    source: APNIC

    person: Seungmin Lee
    address: Korea Network Information Center (KRNIC)
    address: **************** Important Notice **********************
    address: KRNIC is the National Internet Registry
    address: If you want to find detail assignment information
    address: about above IP address, please use ?http://whois.nic.or.kr"
    address: *****************************************************
    address: Narajongkeum B/D 14F, 1328-3, Seocho-dong, Seocho-Ku
    address: Seoul, 137-070, Republic of Korea
    phone: +82-2-2186-4500
    fax-no: +82-2-2186-4496
    country: KR
    e-mail: hostmasternic.or.kr
    nic-hdl: SL40-AP
    mnt-by: MNT-KRNIC-AP
    changed: hostmasternic.or.kr 20000928
    source: APNIC

    Which tells us that 210.96.0.0/15 is allocated to KRNIC.

    bluebottle:~ >whois -h whois.nic.or.kr 210.96.87.189

    Korea Internet Information Service V1.0 ( created by KRNIC, 1999.6 )

    query: 210.96.87.189

    # ENGLISH

    IP Address : 210.96.87.128-210.96.87.191
    Connect ISP Name : PUBNET
    Connect Date : 98804
    Registration Date : 19980808
    Network Name : CHANGSOO-E

    [ Organization Information ]
    Orgnization ID : ORG30441
    Name : Chang-su Elementary School
    State : KYONGGI
    Address : 117-2 Choodong-li Changsu-myun Pochun-gun
    Zip Code : 487-920

    [ Admin Contact Information]
    Name : Dongil Lim
    Org Name : Chang-su Elementary School
    State : KYONGGI
    Address : 117-2 Choodong-li Changsu-myun Pochun-gun
    Zip Code : 487-920
    Phone : 0357-33-0009
    Fax : 0357-33-0120
    E-Mail : kgromcsoback.kornet.ne.kr

    [ Technical Contact Information ]
    Name : Dongil Lim
    Org Name : Chang-su Elementary School
    Address : 117-2 Choodong-li Changsu-myun Pochun-gun
    Zip Code : 487-920
    Phone : 0357-33-0009
    Fax : 0357-33-0120
    E-Mail : kgromcsoback.kornet.ne.kr

    Now the good folk at geektools.com have automated this process so you
    can:

    bluebottle:~ >whois -h whois.geektools.com 210.96.87.189
    Query: 210.96.87.189
    Registry: whois.nic.or.kr
    Results:

    Korea Internet Information Service V1.0 ( created by KRNIC, 1999.6 )

    query: 210.96.87.189

    # ENGLISH

    IP Address : 210.96.87.128-210.96.87.191
    Connect ISP Name : PUBNET
    Connect Date : 98804
    Registration Date : 19980808
    Network Name : CHANGSOO-E

    [ Organization Information ]
    Orgnization ID : ORG30441
    Name : Chang-su Elementary School
    State : KYONGGI
    Address : 117-2 Choodong-li Changsu-myun Pochun-gun
    Zip Code : 487-920

    [ Admin Contact Information]
    Name : Dongil Lim
    Org Name : Chang-su Elementary School
    State : KYONGGI
    Address : 117-2 Choodong-li Changsu-myun Pochun-gun
    Zip Code : 487-920
    Phone : 0357-33-0009
    Fax : 0357-33-0120
    E-Mail : kgromcsoback.kornet.ne.kr

    which gets you the information in one go -- most of the time.
    Sometimes it comes unstuck because various NICs are not entirely
    consistent in how they format the entries in their own databases, so
    automated tools like the geektools proxy sometimes hit dead ends.
    I know this because I wrote my own recursive whois lookup in perl
    before someone kindly pointed me to geektools. Anyway, the point is
    that even with clever tools like those supplied by geektools you still
    need to know how to drill down through the whois databases by hand.

    One can also use whois for finding out information about who owns
    domain names, but coverage is much more patchy (I don't think that
    there is a whois server for .nz domains, for example). However, if you
    give a domain name to whois.geektools.com it will try to find a
    database to search.

    As you have no doubt noticed, my assertion that 210/7 is Korea was
    inaccurate; it is, in fact, Asia Pacific. I happen to know (from doing
    two or three lookups a day) that large chunks of 210/7 are allocated to
    Korea and that if we get an incident from this range then the odds are
    good that it is Korea. (In fact other parts of 210/7 are allocated to
    many other countries including Japan and China and possibly even New
    Zealand.)

    Russell Fulton, Computer and Network Security Officer
    The University of Auckland, New Zealand
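The drill-down Russell walks through by hand (ARIN -> APNIC -> KRNIC) is the kind of referral-following his perl script and the geektools proxy automate. Below is an added Python example, not Russell's script or geektools' code: it queries a registry, takes the first "whois.*" host named in the reply as the referral to follow, and stops at a leaf, at an unreachable server (the dead ends he mentions) or after a hop limit so inconsistent registry data can never loop it. The default transport runs offline over constructed, abbreviated copies of the three replies quoted above; `whois_query` is the live TCP/43 transport.

```python
import re
import socket

# Constructed, abbreviated versions of the three replies quoted in the post, so the walk runs offline.
SAMPLE_RESPONSES = {
    "whois.arin.net": (
        "Asia Pacific Network Information Center (NETBLK-APNIC-CIDR-BLK)\n"
        "   Netblock: 210.0.0.0 - 211.255.255.255\n"
        "   *** Use whois -h whois.apnic.net <object> ***\n"),
    "whois.apnic.net": (
        "inetnum: 210.96.0.0 - 210.97.191.255\n"
        "remarks: Further information can be obtained from whois.krnic.net\n"
        "address: please use \"http://whois.nic.or.kr\"\n"),
    "whois.krnic.net": (
        "IP Address : 210.96.87.128-210.96.87.191\n"
        "Name : Chang-su Elementary School\n"),
}
SAMPLE_RESPONSES["whois.nic.or.kr"] = SAMPLE_RESPONSES["whois.krnic.net"]
# Any "whois.*" host name a registry mentions in its reply is taken as a referral hint.
HOST_RE = re.compile(r"\b(whois\.[a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.IGNORECASE)

def whois_query(server, query, timeout=10.0):
    """Live transport: plain whois over TCP port 43 (RFC 3912)."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall((query + "\r\n").encode())
        return sock.makefile("rb").read().decode("utf-8", "replace")

def sample_query(server, query):
    """Offline transport over the table above; an unknown host is a dead end."""
    if server not in SAMPLE_RESPONSES:
        raise OSError(f"no route to {server}")
    return SAMPLE_RESPONSES[server]

def next_referral(reply, visited):
    """First whois server named in the reply that has not been queried yet."""
    for host in HOST_RE.findall(reply):
        if host.lower() not in visited:
            return host.lower()
    return None

def recursive_whois(query, start="whois.arin.net", transport=sample_query, max_hops=5):
    """Follow referrals from start; stop at a leaf, a dead end (unreachable server) or max_hops."""
    visited, chain, server = set(), [], start
    while server and len(chain) < max_hops:
        visited.add(server)
        try:
            reply = transport(server, query)
        except OSError:
            break
        chain.append((server, reply))
        server = next_referral(reply, visited)
    return chain
```

Pass `transport=whois_query` to walk the real registries; the chain returned keeps every intermediate reply, which is what you want in an incident record when the last hop turns out to be a dead end.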