Contact Us!

16W361 S. Frontage Road
Suite 100
Burr Ridge, IL 60527
US
Phone: +1 312 924 4000
Fax: +1 630 887 8651
team-cymru@cymru.com

Team Cymru is a specialized Internet security research firm dedicated to making the Internet more secure. By researching the 'who' and 'why' of malicious Internet activity worldwide, Team Cymru helps organizations identify and eradicate problems in their networks.

IP to ASN Mapping

If you are planning on implenting the use of this service in any software, application, or device PLEASE let us know in advance. We would like to adequately plan for capacity and make sure that we can adequately handle the load. If at all possible, PLEASE use the DNS based service since it is faster and more efficient, particularly for larger deployments of individual IP based queries.

We have had instances where large deployments are put in place without informing us in advance, making it difficult to maintain a stable service for the rest of the community.

Introduction

Team Cymru is happy to announce the availability of various service options dedicated to mapping IP numbers to BGP prefixes and ASNs. These services come in various flavors, including:

• Whois (TCP 43)
• DNS (UDP 53)
• HTTP (TCP 80)
• HTTPS (TCP 443)

Each of the services is based on the same BGP feeds from 50+ BGP peers, and is updated at 4 hour intervals.

Using the above services one can obtain all of the following information:

• BGP Origin ASN
• BGP Peer ASN
• BGP Prefix
• Prefix Country Code (assigned)
• Prefix Registry (assigned)
• Prefix Allocation date
• ASN Country Code (assigned)
• ASN Registry (assigned)
• ASN Allocation date
• ASN Description

The country code, registry, and allocation date are all based off of data obtained directly from the regional registries including: ARIN, RIPE, AFRINIC, APNIC, LACNIC. The information returned relating to these categories will only be as accurate as the data present in the RIR databases. The exact links for each of the datasets are as follows:

• ftp.arin.net/pub/stats/arin/delegated-arin-latest
• ftp.ripe.net/ripe/stats/delegated-ripencc-latest
• ftp.afrinic.net/pub/stats/afrinic/delegated-afrinic-latest
• ftp.apnic.net/pub/stats/apnic/delegated-apnic-latest
• ftp.lacnic.net/pub/stats/lacnic/delegated-lacnic-latest

The ASN descriptions are based on data obtained from cidr-report.

Following is a brief summary on how to use each of the services.

Whois

The whois daemon acts like a standard whois server would, but with some added functionality. It accepts arguments on the command-line for single whois queries, and it also supports BULK IP submissions when combined with GNU's netcat for those who wish to optimize their queries. When issuing requests for two or more IPs we strongly suggest you use netcat for BULK IP submissions, or DNS since there is less overhead. As a measure of speed, queries of approximately 100,000 IPs should return in less than a minute given a moderately sized Internet link.

WARNING: IPs that are seen abusing the whois server with large numbers of individual queries instead of using the bulk netcat interface will be null routed. If at all possible you should consider using the DNS based query interface since it is much more efficient for individual queries. The netcat interface should be used for large groups of IP lists at a time in one single TCP query.

There are presently two whois servers available:

• whois.cymru.com (v4.whois.cymru.com)
• peer.whois.cymru.com (v4-peer.whois.cymru.com)

The v4.whois.cymru.com server is primarily designed to map an IP address to a BGP Origin ASN and prefix.

The v4-peer.whois.cymru.com server is designed to map an IP address to the possible BGP peer ASNs that are one AS hop away from the BGP Origin ASN's prefix. This can be useful at times when you're looking for a quick view into who an IP's upstreams might be. Note that this method of finding peers is FAR from perfect and not an exact science. When the Origin ASN is a Tier 1 any concept of 'upstream' tends to lose its meaning.

The syntax for whois and netcat whois IP queries is as follows:

 Whois   Netcat          Action
         begin           enable bulk input mode          (netcat only)
         end             exit the whois/netcat client    (netcat only)
 -p      prefix          include matching prefix
 -q      noprefix        disable matching prefix (default)
 -c      countrycode     include matching country code
 -d      nocountrycode   disable country codes (default)
 -n      asname          include asnames (default)
 -o      noasname        disable asnames
 -r      registry        display matching registry
 -s      noregistry      disable registry display (default)
 -a      allocdate       enable allocation date
 -b      noallocdate     disable allocation date (default)
 -t      truncate        truncate asnames (default)
 -u      notruncate      do not truncate asnames
 -v      verbose         enable all flags (-c -r -p -a -u -a)
 -e      header          enable column headings (default)
 -f      noheader        disable column headings 
 -w      asnumber        include asnumber column (default)
 -x      noasnumber      disable asnumber column (will not work for IP mappings)
 -h      help            this help message

To use the command-line arguments on a single IP query, be sure to enclose the request in quotes and to have a space before the first argument so that your whois client will not try to interpret the flags locally.

For example, to enable the verbose mode (all flags) one would use:

 $ whois -h whois.cymru.com " -v 216.90.108.31 2005-12-25 13:23:01 GMT"

 AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | Info                    | AS Name
 23028   | 216.90.108.31    | 216.90.108.0/24     | US | arin     | 1998-09-25 | 2005-12-25 13:23:01 GMT | TEAMCYMRU - SAUNET

You may also query for some basic AS information directly:

 $ whois -h whois.cymru.com " -v AS23028"

 AS      | CC | Registry | Allocated  | AS Name
 23028   | US | arin     | 2002-01-04 | TEAMCYMRU - SAUNET

We recommend the use GNU's version of netcat, not nc. (nc has been known to cause buffering problems with our server and will not always return the full output for larger IP lists). GNU netcat can be downloaded from http://netcat.sourceforge.net. This is the same as gnetcat in FreeBSD ports.

To issue bulk queries, follow these steps:

1. Create a file with a list of IPs, one per line. Add the word begin at the top of the file and the word end at the bottom.

Example of list01:

 begin
 68.22.187.5
 207.229.165.18
 ...
 198.6.1.65
 end

Remember: you can add comments and other flags per the table above if you'd like.

 begin
 verbose
 68.22.187.5 2005-06-30 05:05:05 GMT
 207.229.165.18 2005-06-30 05:05:05 GMT
 ...
 198.6.1.65 2005-06-30 05:05:05 GMT
 end

2. Run the list through GNU netcat (NOT the venerable nc).

 $ netcat whois.cymru.com 43 < list01 | sort -n > list02

The file list02 will be sorted by origin AS, and should appear as:

 Bulk mode; one IP per line. [2005-06-30 15:37:07 GMT]
 701     | 198.6.1.65       | UU UUNET Technologies, Inc.
 6079    | 207.229.165.18   | RCN RCN Corporation
 23028   | 68.22.187.5      | SAUNET SAUNET

Additional help can be obtained by issuing the help command.

 $ whois -h whois.cymru.com help

DNS

The DNS daemon is designed for rapid reverse lookups, much in the same way as RBL lookups are done. DNS has the added advantage of being cacheable and based on UDP so there is much less overhead. Similar to the whois TCP based daemon, there are three primary zones available:

• origin.asn.cymru.com
• peer.asn.cymru.com
• asn.cymru.com

The origin.asn.cymru.com zone is used to map an IP address or prefix to a corresponding BGP Origin ASN.

The peer.asn.cymru.com zone is used to map an IP address or prefix to the possible BGP peer ASNs that are one AS hop away from the BGP Origin ASN's prefix.

The asn.cymru.com zone is used to determine the AS description of a given BGP ASN.

The format for DNS based queries is as follows:

 $ dig +short 31.108.90.216.origin.asn.cymru.com TXT
 "23028 | 216.90.108.0/24 | US | arin | 1998-09-25"

The same query could be expressed as:

 $ dig +short 108.90.216.origin.asn.cymru.com TXT
 "23028 | 216.90.108.0/24 | US | arin | 1998-09-25"

To query for a given IP/prefix peer ASNs, one would use the peer.asn.cymru.com zone as follows:

 $ dig +short 31.108.90.216.peer.asn.cymru.com TXT
 "701 1239 3549 3561 7132 | 216.90.108.0/24 | US | arin | 1998-09-25"

When there are multiple Origin ASNs or Peer ASNs, they will all be included in the same TXT record such as in the example above.

Notice that the format is very similar to the data returned in the verbose whois based query. The major difference is that the AS Description information has been omitted. In order to return the ASN Description and additional info, one use:

 $ dig +short AS23028.asn.cymru.com TXT
 "23028 | US | arin | 2002-01-04 | TEAMCYMRU - SAUNET"

If a given prefix does not exist in the table, the daemon will return a standard NXDOMAIN response (domain does not exist).

HTTP/HTTPS

The HTTP and HTTPS daemons act as a web based proxy to the whois based service. You can reach the service directly by browsing to:

http://asn.cymru.com or https://asn.cymru.com

Simply click on one of the above links and follow the onscreen instructions on how translate IPs to their corresponding BGP ASNs.

References

Following is a collection of public projects and sites that have incorporated these tools:

• Net::Abuse::Utils
• CyberAbuse Whois
• Scam-Grey
• Azureus
• Paris Traceroute
• ourmon
• xoozoo.com DNS reporting tool

Copyright © 2008 Team Cymru, Inc. Site design by SavvyByte LLC.