
SANS ISC: Knowing where to look for the owner of an offending IP address - Internet Security | DShield SANS ISC InfoSec Forums


Knowing where to look for the owner of an offending IP address

We often see attackers trying to exploit our company's information assets, from inside and outside the company. When the offending address is internal, it is easy to locate the host if you have information security controls such as Network Access Control (NAC), Dynamic Host Configuration Protocol (DHCP) logs, firewalls and network IPS. The problem is: what should we do if the offending IP address is outside, on the Internet?

There are five Regional Internet Registry (RIR) entities in the world. Each assigns IPv4 address space, IPv6 address space and autonomous system numbers for its region:

(Figure: map of the IANA Regional Internet Registries. Source: IANA web site)

  • AfriNIC: Covers the Africa Region
  • APNIC: Covers the Asia Pacific Region
  • ARIN: Covers the North American Region
  • LACNIC: Covers Latin America and some Caribbean islands
  • RIPE NCC: Covers Europe, the Middle East and Central Asia

All RIRs provide a tool called whois. This tool tells you who the owner of an IP address or a netblock is. All contacts listed in an RIR are required to provide an abuse contact. This contact is meant to be the point of contact for any action required to stop an attacker, or for requesting evidence for a criminal investigation if you are a law enforcement agency.

Let's see an example. If we look for IP address 66.35.59.202, we can start by looking it up at ARIN. On the main ARIN website (http://www.arin.net) there is a text box next to the "Search Whois" string. After entering 66.35.59.202, you obtain the following:

(Screenshot: ARIN whois result for 66.35.59.202, showing the SANS Institute record)

The abuse contact information is a URL, following the contact ID, that points to the specific information needed to contact the SANS Institute regarding abuse from their IP address range.

Let's see another example. If we look for IP address 200.13.232.33, we find the following:

(Screenshot: ARIN whois result for 200.13.232.33, referring the query to LACNIC)

This information means that the IP address is not within ARIN's scope and must be looked up at the LACNIC RIR. After looking it up in the LACNIC whois, we obtain the following:

(Screenshot: LACNIC whois result for 200.13.232.33, showing the EPM record)
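The two lookups above (start at ARIN, get referred to LACNIC, read the abuse contact) can be automated over the raw whois protocol on TCP port 43. The script below is an added example, not code from the diary or from any RIR: it follows a referral line to the next registry, collects the abuse contact fields, and refuses to query for private or otherwise non-routable addresses, which have no RIR owner. The field names it matches (`ReferralServer:` and `refer:` for referrals, `OrgAbuseEmail:` and `abuse-mailbox:` for abuse contacts) are assumptions about common RIR output formats, and the sample replies used for the offline run are constructed stand-ins, not the real records for those addresses.

```python
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional

# Starting whois server; ARIN is where the diary begins its lookups.
DEFAULT_START = "whois.arin.net"


def query_whois(server: str, query: str, timeout: float = 10.0) -> str:
    """Send one RFC 3912 whois query to server:43 and return the text reply."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall((query + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


# Referral line formats (assumed): ARIN-style "ReferralServer: whois://host"
# and IANA/RIPE-style "refer: host". An optional ":port" suffix is ignored.
_REFERRAL = re.compile(
    r"^\s*(?:ReferralServer|refer):\s*(?:whois://)?([\w.-]+)(?::\d+)?\s*$",
    re.MULTILINE | re.IGNORECASE,
)
# Abuse contact fields (assumed): ARIN "OrgAbuseEmail:", RIPE/APNIC/AfriNIC/
# LACNIC "abuse-mailbox:". Extend this list if a registry uses other names.
_ABUSE = re.compile(
    r"^\s*(?:OrgAbuseEmail|abuse-mailbox):\s*(\S+@\S+)\s*$",
    re.MULTILINE | re.IGNORECASE,
)


def find_referral(response: str) -> Optional[str]:
    """Return the whois server another registry is pointing us to, if any."""
    m = _REFERRAL.search(response)
    return m.group(1).lower() if m else None


def extract_abuse_contacts(response: str) -> List[str]:
    """Return the distinct abuse mailboxes in a whois reply, in order of appearance."""
    seen, out = set(), []
    for addr in _ABUSE.findall(response):
        addr = addr.lower()
        if addr not in seen:
            seen.add(addr)
            out.append(addr)
    return out


def resolve_abuse_contacts(ip: str, fetch: Callable[[str, str], str] = query_whois,
                           start: str = DEFAULT_START, max_hops: int = 3) -> Dict:
    """Look an IP up starting at `start`, following RIR referrals up to max_hops times."""
    addr = ipaddress.ip_address(ip)
    # Private, loopback, link-local and documentation ranges are not delegated
    # by any RIR; querying for them only produces noise.
    if not addr.is_global:
        raise ValueError(f"{ip} is not a globally routable address; no RIR record exists")
    server, trail = start, []
    for _ in range(max_hops):
        trail.append(server)
        reply = fetch(server, str(addr))
        contacts = extract_abuse_contacts(reply)
        if contacts:
            return {"ip": str(addr), "server": server, "abuse": contacts, "trail": trail}
        nxt = find_referral(reply)
        if not nxt or nxt in trail:  # no referral, or a loop between registries
            break
        server = nxt
    return {"ip": str(addr), "server": server, "abuse": [], "trail": trail}


# Constructed sample replies keyed by (server, query), so the referral logic can
# be exercised offline. These are NOT the real records for the diary's addresses;
# the mailboxes are placeholders at example domains.
SAMPLE_REPLIES = {
    ("whois.arin.net", "200.13.232.33"):
        "# constructed stand-in for an ARIN referral reply\n"
        "NetRange:       200.13.232.0 - 200.13.232.255\n"
        "ReferralServer: whois://whois.lacnic.net\n",
    ("whois.lacnic.net", "200.13.232.33"):
        "inetnum:       200.13.232.0/24\n"
        "owner:         constructed example owner\n"
        "abuse-mailbox: abuse@example.net\n",
    ("whois.arin.net", "66.35.59.202"):
        "NetRange:       66.35.59.0 - 66.35.59.255\n"
        "OrgName:        constructed example org\n"
        "OrgAbuseEmail:  abuse@example.org\n"
        "OrgAbuseEmail:  ABUSE@example.org\n",
}


def sample_fetch(server: str, query: str) -> str:
    """Offline replacement for query_whois that serves the constructed replies."""
    return SAMPLE_REPLIES.get((server, query), "")


if __name__ == "__main__":
    # Offline demonstration; pass fetch=query_whois (the default) for live lookups.
    for ip in ("200.13.232.33", "66.35.59.202"):
        print(resolve_abuse_contacts(ip, fetch=sample_fetch))
```

Run it as-is to see the referral chain on the constructed replies; drop the `fetch=sample_fetch` argument to query the registries for real. Keep `max_hops` small: a registry reply that refers back to a server already visited is treated as a dead end rather than followed forever.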

Using Google to look up the ownership of a specific IP address is definitely not a good idea, as it searches for the IP address string inside all indexed web pages. The results will contain many false positives and will delay your incident response process and / or your criminal investigation.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter:@manuelsantander
Web:http://manuel.santander.name
e-mail: msantand at isc dot sans dot org

Manuel Humberto Santander Peláez

185 Posts
ISC Handler
A very useful combined whois service can be found at www.kloth.net - saves trying to work out which RIR to use.
Peter Bance

9 Posts
Another useful resource (and not just for whois) is www.dnsstuff.com
AlfredP

5 Posts
Another good site is http://whois.domaintools.com/; it does more than just whois lookups.
Or if you are looking for all kinds of tools try this site http://mxtoolbox.com/NetworkTools.aspx
PW

63 Posts
I have been reporting abuse to Fortatrust for a couple of weeks now and never heard anything back from any of the emails I have sent them.
So I went to their website and started a live chat.

Here is how that went...

--------
Me:
I have been reporting abuse for a couple of weeks now and haven't heard anything back from you guys....and the abuse continues.
I sent the abuse emails to 'ipadmin@fortatrust.com'; 'abuse@fortatrust.com'; 'postmaster@fortatrust.com'
The abuse is coming from 198.154.63.238

Them:
Sir, just because you haven’t heard anything back doesn’t mean that we aren’t working on it

Me:
Well that’s usually what it means, and it has been happening since the middle of May, but if you are working on it, then thanks

Them:
Sorry it has taken this long, but we are working on it.
--------

I’m very skeptical. Is there anywhere else I can report this?
Is it worth reporting it to their parent ISP?...(How can I find out who that is BTW?)
K-Dee

63 Posts
K-Dee, sometimes, you can use the RIR's whois to tell you the upstream provider. In many cases, it's listed as the "parent" network. In this case, though, this address is part of a directly assigned block. You can use traceroute to help find the upstream provider. But before you complain to the upstream, remember that the 3 addresses you used are general mailboxes that get loads of spam and other junk mixed with a large number of notices, complaints, etc. The admins there may well take a while to dig through it before they find your note. Attempting another means of contact, like the chat, can go far in making yourself heard, but it doesn't work all of the time.
AndrewB

24 Posts
Thanks AndrewB.

FYI, I haven't heard back from that bad IP address since the chat session. :-)

I am still a little put off by their first response to me, but at least it appears it is taken care of.
K-Dee

63 Posts
