Track down network contacts using WHOIS databases.
Looking through your IDS logs, you've seen some strange traffic coming from another network across the Internet. When you look up the IP address in DNS, it resolves as something like dhcp-103.badguydomain.com. Who do you contact to help track down the person who sent this traffic? You're probably already aware that you can use the whois command to find out contact information for owners of Internet domain names. If you haven't used whois, it's as simple as typing, well, "whois":
$ whois badguydomain.com
Registrant:
    Dewey Cheatum
Registered through: GoDaddy.com
Domain Name: BADGUYDOMAIN.COM
Domain servers in listed order:
    PARK13.SECURESERVER.NET
    PARK14.SECURESERVER.NET
For complete domain details go to: http://whois.godaddy.com
Unfortunately, this whois entry isn't as helpful as it might be. Normally, administrative and technical contacts are listed, complete with a phone number and email and snail mail addresses. Evidently, godaddy.com has a policy of releasing this information only through their web interface, apparently to cut down on spam harvesters. But if the registrant's name is listed as "Dewey Cheatum," how accurate do you think the rest of this domain record is likely to be? Although domain registrants are "required" to give legitimate information when setting up a domain, I can tell you from experience that using whois in this way is a great tool for tracking down honest people. (It has only gotten less useful since: most registrars now hide registrant details behind a privacy proxy or redact them outright, so the domain record usually tells you little more than the registrar's own abuse address.)
Since this approach doesn't get you anywhere, what other options do you have? You can use the whois command again, this time using it to query the number registry for the IP address block of the offending address.
Number registries are the entities that owners of large blocks of IP addresses must register with, and they are split up by geographic region: ARIN (North America), RIPE NCC (Europe and the Middle East), APNIC (Asia-Pacific), LACNIC (Latin America) and AfriNIC (Africa). The main difficulty is picking the correct registry to query, but the WHOIS server for ARIN (American Registry for Internet Numbers) is generally the best bet; if the IP address is not in its own database, it will tell you which registry to ask instead. (whois.iana.org will also hand you the responsible registry for any address block, if you would rather start at the top.)
With that in mind, let's try out a query using the offending IP address (the host portion of the address is masked in the output below; it falls inside the Sonic.net block that comes back):
# whois -h whois.arin.net 208.201.xxx.xxx
[Querying whois.arin.net]
[whois.arin.net]
Final results obtained from whois.arin.net.
Results:
UUNET Technologies, Inc. UUNET1996B (NET-208-192-0-0-1)
                                    208.192.0.0 - 208.255.255.255
SONIC.NET, INC. UU-208-201-224 (NET-208-201-224-0-1)
                                    208.201.224.0 - 208.201.255.255
# ARIN WHOIS database, last updated 2004-01-18 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
Our query returned multiple results, which will happen when the owner of a larger IP block has delegated a subblock to another party: ARIN lists every block that contains the address, from the largest down. In this case, UUNET has delegated a subblock to Sonic.net. The most specific (smallest) block is the one you want, since its owner is closest to the actual host; the handle in parentheses is what you query next.
Now we'll run a query with Sonic.net's handle:
# whois -h whois.arin.net NET-208-201-224-0-1
Checking server [whois.arin.net]
Results:
OrgName:    SONIC.NET, INC.
OrgID:      SNIC
Address:    2260 Apollo Way
City:       Santa Rosa
StateProv:  CA
PostalCode: 95407
Country:    US

ReferralServer: rwhois://whois.sonic.net:43

NetRange:   208.201.224.0 - 208.201.255.255
CIDR:       208.201.224.0/19
NetName:    UU-208-201-224
NetHandle:  NET-208-201-224-0-1
Parent:     NET-208-192-0-0-1
NetType:    Reallocated
Comment:
RegDate:    1996-09-12
Updated:    2002-08-23

OrgTechHandle: NETWO144-ARIN
OrgTechName:   Network Operations
OrgTechPhone:  +1-707-522-1000
OrgTechEmail:  email@example.com

# ARIN WHOIS database, last updated 2004-01-18 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
From the output, you can see that we have a contact listed with a phone number and email. This is most likely the ISP who serves the miscreant who is causing the trouble. The ReferralServer line says Sonic.net also runs its own rwhois server, which may carry a finer-grained record for the individual customer. Now you have a solid contact who can work out who was behind that address: a hostname like dhcp-103 suggests a dynamically assigned address, so the ISP can only map it to a customer if you give them the exact timestamps (with time zone) from your IDS logs along with the IP. Send that, plus a short excerpt of the traffic, to the abuse contact if one is listed (ARIN records usually carry an OrgAbuseEmail) and otherwise to the technical contact shown here, and get the situation resolved.
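The whole chain above (query ARIN, pick the most specific block, fetch its record, pull out the contacts, notice the rwhois referral) is easy to script once you know that WHOIS is just a line of text sent to TCP port 43. The following is an added example written for this page, not the whois(1) program used above and not anything published by ARIN or Sonic.net. It assumes ARIN's "Key: value" record format and multi-record summary format as they appear in the output above; the sample responses embedded in it are constructed from those records (with a placeholder e-mail address), so the parsing functions can be exercised without touching the network. The same whois_query function works for registrar lookups, e.g. whois_query("whois.verisign-grs.com", "badguydomain.com").

```python
import ipaddress
import json
import re
import socket
import sys

# Constructed samples modelled on the ARIN output on this page (placeholder e-mail).
SAMPLE_SUMMARY = """\
Results:
UUNET Technologies, Inc. UUNET1996B (NET-208-192-0-0-1)
                                    208.192.0.0 - 208.255.255.255
SONIC.NET, INC. UU-208-201-224 (NET-208-201-224-0-1)
                                    208.201.224.0 - 208.201.255.255
# ARIN WHOIS database, last updated 2004-01-18 19:15
"""
SAMPLE_RECORD = """\
OrgName:    SONIC.NET, INC.
ReferralServer: rwhois://whois.sonic.net:43
NetRange:   208.201.224.0 - 208.201.255.255
CIDR:       208.201.224.0/19
NetHandle:  NET-208-201-224-0-1
OrgTechPhone:  +1-707-522-1000
OrgTechEmail:  noc@example.net
# ARIN WHOIS database, last updated 2004-01-18 19:15
"""


def whois_query(server, query, port=43, timeout=10):
    """RFC 3912: send the query plus CRLF, read until the server closes the socket."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text):
    """Collect 'Key: value' lines into {key: [values]}; '#' and '%' lines are comments."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#%":
            continue
        match = re.match(r"^([A-Za-z][A-Za-z0-9_-]*):\s*(.*)$", line)
        if match:
            fields.setdefault(match.group(1), []).append(match.group(2).strip())
    return fields


# A summary line: "... (NET-handle) start - end", possibly wrapped onto the next line.
SUMMARY_RE = re.compile(r"\((NET-[\w-]+)\)\s+(\d+\.\d+\.\d+\.\d+)\s*-\s*(\d+\.\d+\.\d+\.\d+)")


def most_specific_handle(text, ip):
    """From a multi-record summary, return the handle of the smallest block containing ip."""
    addr, best = ipaddress.ip_address(ip), None
    for handle, lo, hi in SUMMARY_RE.findall(text):
        lo_a, hi_a = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        size = int(hi_a) - int(lo_a)
        if lo_a <= addr <= hi_a and (best is None or size < best[1]):
            best = (handle, size)
    return best[0] if best else None


def parse_referral(url):
    """Split 'rwhois://host[:port]' or 'whois://host[:port]' into (host, port)."""
    match = re.match(r"^(r?whois)://([^:/]+)(?::(\d+))?/?$", url)
    if not match:
        return None
    scheme, host, port = match.groups()
    return host, int(port) if port else (4321 if scheme == "rwhois" else 43)  # rwhois default is 4321


def ip_in_netrange(ip, netrange):
    """Sanity check: does the record we fetched actually cover the address we asked about?"""
    lo, hi = (ipaddress.ip_address(p.strip()) for p in netrange.split("-"))
    return lo <= ipaddress.ip_address(ip) <= hi


CONTACT_KEYS = ("OrgName", "NetRange", "CIDR", "ReferralServer",
                "OrgAbuseEmail", "OrgAbusePhone", "OrgTechEmail", "OrgTechPhone")


def extract_contacts(fields):
    """Keep only the fields you need when writing to the ISP (abuse contact first)."""
    return {k: fields[k][0] for k in CONTACT_KEYS if k in fields}


def lookup_ip(ip, server="whois.arin.net"):
    """Live lookup: summary -> most specific block -> its record -> contacts -> referral."""
    text = whois_query(server, ip)
    fields = parse_whois(text)
    if "NetRange" not in fields:                      # got a summary list, not one record
        handle = most_specific_handle(text, ip)
        if handle:
            fields = parse_whois(whois_query(server, handle))
    result = extract_contacts(fields)
    if "NetRange" in result and not ip_in_netrange(ip, result["NetRange"]):
        result["warning"] = "record's NetRange does not cover %s" % ip
    ref = parse_referral(result.get("ReferralServer", ""))
    if ref:
        try:
            result["referral"] = extract_contacts(parse_whois(whois_query(ref[0], ip, port=ref[1])))
        except OSError as exc:                        # rwhois servers are often dead or firewalled
            result["referral_error"] = str(exc)
    return result


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: whois_contacts.py <ip-address>")
    print(json.dumps(lookup_ip(sys.argv[1]), indent=2))
```

Run it as `python whois_contacts.py <ip>` to get a small JSON record of who to contact. The NetRange check matters more than it looks: when a handle query comes back with a record for a different block (a typo in the handle, or a registry that answers with the parent), you want to notice before you e-mail the wrong ISP.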
Incidentally, you may have trouble using whois if you are querying some of the new TLDs (such as .us, .biz, .info, etc.), because each has its own whois server and an older whois client doesn't know where to send the query. One great shortcut for automatically finding the proper whois server is to use the whois proxy at geektools.com. It automatically forwards your request to the proper whois server, based on the TLD you are requesting. I specify an alias such as this in my .profile to always use the geektools proxy:
alias whois='whois -h whois.geektools.com'
Now when I run whois from the command line, I don't need to remember the address of a single whois server. (Newer whois clients, such as the one shipped with most Linux distributions, pick the right server for a domain or IP address on their own, so check whether yours already does before adding the alias.) The folks at geektools have a bunch of other nifty tools to make sysadmin tasks easier. Check them out at http://geektools.com.