1. Home
  2. Networking
  3. Network security hacks

Hack 100 Find the Owner of a Network

figs/moderate.gif figs/hack100.gif

Track down network contacts using WHOIS databases.

Looking through your IDS logs, you've seen some strange traffic coming from another network across the Internet. When you look up the IP address in DNS, it resolves as something like dhcp-103.badguydomain.com. Who do you contact to help track down the person who sent this traffic? You're probably already aware that you can use the whois command to find out contact information for owners of Internet domain names. If you haven't used whois, it's as simple as typing, well, "whois":

$ whois badguydomain.com

Registrant:

   Dewey Cheatum



   Registered through: GoDaddy.com

   Domain Name: BADGUYDOMAIN.COM



   Domain servers in listed order:

      PARK13.SECURESERVER.NET

      PARK14.SECURESERVER.NET

   For complete domain details go to:

   http://whois.godaddy.com

Unfortunately, this whois entry isn't as helpful as it might be. Normally, administrative and technical contacts are listed, complete with a phone number and email and snail mail addresses. Evidently, godaddy.com has a policy of releasing this information only through their web interface, apparently to cut down on spam harvesters. But if the registrant's name is listed as "Dewey Cheatum," how accurate do you think the rest of this domain record is likely to be? Although domain registrants are "required" to give legitimate information when setting up a domain, I can tell you from experience that using whois in this way is a great tool for tracking down honest people.

Since this approach doesn't get you anywhere, what other options do you have? You can use the whois command again, this time using it to query the number registry for the IP address block of the offending address.

Number registries are entities that owners of large blocks of IP addresses must register with, and are split up according to geographic region. The main difficulty is picking the correct registry to query, but the WHOIS server for ARIN (American Registry for Internet Numbers) is generally the best bet?it will tell you the correct registry to query if the IP address is not found in its own database.

With that in mind, let's try out a query using the offending IP address:

# whois -h whois.arin.net 208.201.239.103

[Querying whois.arin.net]

[whois.arin.net]

Final results obtained from whois.arin.net.

Results:

UUNET Technologies, Inc. UUNET1996B (NET-208-192-0-0-1)

                                  208.192.0.0 - 208.255.255.255

SONIC.NET, INC. UU-208-201-224 (NET-208-201-224-0-1)

                                  208.201.224.0 - 208.201.255.255



# ARIN WHOIS database, last updated 2004-01-18 19:15

# Enter ? for additional hints on searching ARIN's WHOIS database.

Our query returned multiple results, which will happen sometimes when an owner of a larger IP block has delegated a subblock to another party. In this case, UUNET has delegated a subblock to Sonic.net.

Now we'll run a query with Sonic.net's handle:

# whois -h whois.arin.net NET-208-201-224-0-1

Checking server [whois.arin.net]

Results:



OrgName:    SONIC.NET, INC.

OrgID:      SNIC

Address:    2260 Apollo Way

City:       Santa Rosa

StateProv:  CA

PostalCode: 95407

Country:    US



ReferralServer: rwhois://whois.sonic.net:43



NetRange:   208.201.224.0 - 208.201.255.255

CIDR:       208.201.224.0/19

NetName:    UU-208-201-224

NetHandle:  NET-208-201-224-0-1

Parent:     NET-208-192-0-0-1

NetType:    Reallocated

Comment:

RegDate:    1996-09-12

Updated:    2002-08-23



OrgTechHandle: NETWO144-ARIN

OrgTechName:   Network Operations

OrgTechPhone:  +1-707-522-1000

OrgTechEmail:  noc@sonic.net



# ARIN WHOIS database, last updated 2004-01-18 19:15

# Enter ? for additional hints on searching ARIN's WHOIS database.

From the output, you can see that we have a contact listed with a phone number and email. This is most likely the ISP who serves the miscreant who is causing the trouble. Now you have a solid contact who should know exactly who is behind badguydomain.com. You can let them know about the suspicious traffic you're seeing, and get the situation resolved.

Incidentally, you may have trouble using whois if you are querying some of the new TLDs (such as .us, .biz, .info, etc.). One great shortcut for automatically finding the proper whois server is to use the whois proxy at geektools.com . It automatically forwards your request to the proper whois server, based on the TLD you are requesting. I specify an alias such as this in my .profile to always use the geektools proxy:

alias whois='whois -h whois.geektools.com'

Now when I run whois from the command line, I don't need to remember the address of a single whois server. The folks at geektools have a bunch of other nifty tools to make sysadmin tasks easier. Check them out at http://geektools.com .

?Rob Flickenger



    		Network Security Hacks
    		Credits
    		Preface
    		Chapter 1. Unix Host Security
    		Chapter 2. Windows Host Security
    		Chapter 3. Network Security
    		Chapter 4. Logging
    		Chapter 5. Monitoring and Trending
    		Chapter 6. Secure Tunnels
    		Chapter 7. Network Intrusion Detection
    		Chapter 8. Recovery and Response
    		Hacks #96-100
    		Hack 96 Image Mounted Filesystems
    		Hack 97 Verify File Integrity and Find Compromised Files
    		Hack 98 Find Compromised Packages with RPM
    		Hack 99 Scan for Root Kits
    		Hack 100 Find the Owner of a Network
    		Colophon