Track down network contacts using WHOIS databases.
Looking through your IDS logs, you’ve seen some strange traffic coming from another network across the Internet. When you look up the IP address in DNS, it resolves as something like dhcp-103.badguydomain.com. Whom do you contact to help track down the person who sent this traffic?
You’re probably already aware that you can use the whois command to find out contact information for owners of Internet domain names. If you haven’t used whois, it’s as simple as typing, well, “whois”:
$ whois badguydomain.com
Registrant:
Dewey Cheatum
Registered through: GoDaddy.com
Domain Name: BADGUYDOMAIN.COM
Domain servers in listed order:
PARK13.SECURESERVER.NET
PARK14.SECURESERVER.NET
For complete domain details go to:
http://whois.godaddy.com
Unfortunately, this whois entry isn’t as helpful as it might be. Normally, administrative and technical contacts are listed, complete with a phone number and email and snail mail addresses. Evidently, godaddy.com has a policy of releasing this information only through its web interface, apparently to cut down on spam harvesters. But if the registrant’s name is listed as “Dewey Cheatum,” how accurate do you think the rest of this domain record is likely to be? Although domain registrants are “required” to give legitimate information when setting up domains, I can tell you from experience that using whois in this way is actually only a great way to track down honest people.
Since this approach doesn’t get you anywhere, what other options do you have? Well, you can use the whois command again, this time using it to query the number registry for the IP address block containing the offending address.
Number registries are entities with which owners of large blocks of IP addresses must register, and they are split up according to geographic region. The main difficulty is picking the correct registry to query. The WHOIS server for the American Registry for Internet Numbers (ARIN) is generally the best bet; it tells you the correct registry to query if the IP address is not found in its own database.
With that in mind, let’s try out a query using the offending IP address:
# whois -h whois.arin.net 208.201.239.103
[Querying whois.arin.net]
[whois.arin.net]
Final results obtained from whois.arin.net.
Results:
UUNET Technologies, Inc. UUNET1996B (NET-208-192-0-0-1)
208.192.0.0 - 208.255.255.255
SONIC.NET, INC. UU-208-201-224 (NET-208-201-224-0-1)
208.201.224.0 - 208.201.255.255
# ARIN WHOIS database, last updated 2004-01-18 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
Our query returned multiple results, which will happen sometimes when an owner of a larger IP block has delegated a sub-block to another party. In this case, UUNET has delegated a sub-block to Sonic.net.
Now we’ll run a query with Sonic.net’s handle:
# whois -h whois.arin.net NET-208-201-224-0-1
Checking server [whois.arin.net]
Results:
OrgName: SONIC.NET, INC.
OrgID: SNIC
Address: 2260 Apollo Way
City: Santa Rosa
StateProv: CA
PostalCode: 95407
Country: US
ReferralServer: rwhois://whois.sonic.net:43
NetRange: 208.201.224.0 - 208.201.255.255
CIDR: 208.201.224.0/19
NetName: UU-208-201-224
NetHandle: NET-208-201-224-0-1
Parent: NET-208-192-0-0-1
NetType: Reallocated
Comment:
RegDate: 1996-09-12
Updated: 2002-08-23
OrgTechHandle: NETWO144-ARIN
OrgTechName: Network Operations
OrgTechPhone: +1-707-522-1000
OrgTechEmail: noc@sonic.net
# ARIN WHOIS database, last updated 2004-01-18 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
From the output, you can see that we have a contact listed with a phone number and email address. This information is most likely for the ISP that serves the miscreant who is causing the trouble. Now, you have a solid contact who should know exactly who is behind badguydomain.com. You can let them know about the suspicious traffic you’re seeing and get the situation resolved.
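The two steps above (pick the most specific block from ARIN’s summary list, then pull the abuse contact out of that block’s record) are easy to script. The following is an added example, not code from the book or from ARIN: it speaks the raw WHOIS protocol on TCP port 43 and parses the plain “Key: value” record format shown above. The two sample responses embedded in it are constructed from the output on this page so the parsing runs offline; only the whois_query function touches the network, and it is not called unless you run the script directly.

```python
import ipaddress
import re
import socket

# Constructed sample: the summary list ARIN returns when nested blocks match,
# modelled on the page's output for 208.201.239.103 (not a live query).
SAMPLE_SUMMARY = """\
UUNET Technologies, Inc. UUNET1996B (NET-208-192-0-0-1)
208.192.0.0 - 208.255.255.255
SONIC.NET, INC. UU-208-201-224 (NET-208-201-224-0-1)
208.201.224.0 - 208.201.255.255
"""

# Constructed sample: the record for the delegated sub-block's handle,
# modelled on the page's second query (not a live query).
SAMPLE_NET_RECORD = """\
OrgName: SONIC.NET, INC.
OrgID: SNIC
ReferralServer: rwhois://whois.sonic.net:43
NetRange: 208.201.224.0 - 208.201.255.255
CIDR: 208.201.224.0/19
NetName: UU-208-201-224
NetHandle: NET-208-201-224-0-1
Parent: NET-208-192-0-0-1
NetType: Reallocated
Comment:
OrgTechHandle: NETWO144-ARIN
OrgTechName: Network Operations
OrgTechPhone: +1-707-522-1000
OrgTechEmail: noc@sonic.net
# ARIN WHOIS database, last updated 2004-01-18 19:15
"""


def whois_query(server, query, port=43, timeout=10):
    """Raw WHOIS exchange: send one query line, read until the server closes."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall((query + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_record(text):
    """Turn 'Key: value' lines into a dict; '#' comment lines are skipped."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            record[key.strip()] = value.strip()
    return record


HANDLE_RE = re.compile(r"\((NET-[\w-]+)\)\s*$")
RANGE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s*-\s*(\d+\.\d+\.\d+\.\d+)$")


def parse_summary(text):
    """Pair each '(NET-...)' line with the address range on the line after it."""
    blocks, handle = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HANDLE_RE.search(line)
        if m:
            handle = m.group(1)
            continue
        m = RANGE_RE.match(line)
        if m and handle:
            lo, hi = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
            blocks.append((handle, lo, hi))
            handle = None
    return blocks


def most_specific_handle(summary_text, ip):
    """Return the handle of the smallest block containing ip, or None.

    The smallest block is the delegated sub-block, i.e. the ISP that actually
    serves the address rather than the upstream that delegated it."""
    addr = ipaddress.ip_address(ip)
    candidates = [(int(hi) - int(lo), h)
                  for h, lo, hi in parse_summary(summary_text) if lo <= addr <= hi]
    return min(candidates)[1] if candidates else None


def contact_for(record_text, ip):
    """Extract the technical contact from a block record, after checking that
    the record's CIDR really covers the address we are investigating."""
    rec = parse_record(record_text)
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(rec["CIDR"], strict=False):
        raise ValueError(f"{ip} is not inside {rec['CIDR']}")
    return {"org": rec.get("OrgName"), "email": rec.get("OrgTechEmail"),
            "phone": rec.get("OrgTechPhone"), "referral": rec.get("ReferralServer")}


if __name__ == "__main__":
    ip = "208.201.239.103"
    handle = most_specific_handle(SAMPLE_SUMMARY, ip)
    print(handle, contact_for(SAMPLE_NET_RECORD, ip))
```

To run it against the live registry, replace the two samples with whois_query("whois.arin.net", ip) and whois_query("whois.arin.net", handle). A ReferralServer value in the result means the ISP runs its own rwhois server with finer-grained records, which is worth a follow-up query before you send your complaint.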
Incidentally, you might have trouble using whois if you are querying some of the new top-level domains (TLDs), such as .us, .biz, .info, and so on. One great shortcut for automatically finding the proper WHOIS server is to use the GeekTools Whois Proxy (http://geektools.com/tools.php). It automatically forwards your request to the proper WHOIS server, based on the TLD you are requesting. I specify an alias such as this in my .profile to always use the GeekTools proxy:
alias whois='whois -h whois.geektools.com'
Now, when I run whois from the command line, I don’t need to remember the address of a single WHOIS server. The folks at GeekTools have a bunch of other nifty tools to make sysadmin tasks easier, too. Check them out at http://geektools.com.
Rob Flickenger