In the Dan Brown novel The Lost Symbol, a character finds an IP address but is confounded trying to figure out whose IP address it is. She enlists the help of a hacker friend who is also confounded but claims to be able to hack it in no time. Once again Dan Brown fails at technology. Tracking down who holds an IP address is a very simple matter. IP address space is delegated hierarchically: IANA hands large blocks to the regional registries (ARIN, APNIC, RIPE NCC, LACNIC, AFRINIC), which allocate smaller blocks to network providers, who in turn assign pieces to their customers. Every step of that chain is recorded and can be traced with a simple whois
command. Let’s start with something simple. Let’s find out who owns the IP address for the CIA’s web site.
Note, all of these examples have been done on a Mac using Terminal.app. They should also work fine on any other UNIX system. If you’re still using Windows you are out of luck: cmd.exe does not ship the host or whois commands used here (nslookup is the closest built-in equivalent for the first step).
The first step is to resolve the host name cia.gov to an IP address. For this we use the host command. Simply type the command followed by the domain name you want to resolve. Also note that www.cia.gov and cia.gov are separate DNS names and are not necessarily the same thing. The www name has no MX record, because people typically do not send email there.
$ host cia.gov
cia.gov has address 220.127.116.11
cia.gov mail is handled by 10 mail1.ucia.gov.
$ host www.cia.gov
www.cia.gov has address 18.104.22.168
Now that we know the IP address of this server we can look up its ownership. For that we use the whois command followed by the IP address we want to research.
$ whois 22.214.171.124
ANS Communications, Inc BLK198-15-ANS (NET-198-80-0-0-1)
126.96.36.199 – 188.8.131.52
Central Intelligence Agency OIT-BLK1 (NET-198-81-128-0-1)
184.108.40.206 – 220.127.116.11
In this example the result is simple and immediate. The range of IP addresses 18.104.22.168 – 22.214.171.124 is registered to ANS Communications, Inc. A portion of this range, 126.96.36.199 – 188.8.131.52, has been delegated to the CIA. When whois returns several nested entries like this, the most specific (smallest) range is the one that tells you who actually uses the address.
Let’s try another example that’s a little more difficult. I can open up most any spam message and find the IP address of the server that sent it, which is very often a compromised machine. The first one I find is 61.129.51.17. The whois command on this IP does not give us a nice pretty answer. It instead gives us the name of a server that does have this information.
$ whois 184.108.40.206
OrgName: Asia Pacific Network Information Centre
Address: PO Box 2131
NetRange: 220.127.116.11 – 18.104.22.168
So now we know that the IP address we see is somewhere in the Asia Pacific region of the world. The Asia Pacific Network Information Centre (APNIC) is the regional registry for that region and manages the entire 61.0.0.0/8 range (every address starting with 61) out of Australia. So if you see any IP address beginning with 61, you know it was allocated somewhere in the Asia Pacific region. In order to find out more, we need to ask APNIC for their customer information. Fortunately, APNIC has graciously told us the name of their whois server: whois.apnic.net. (Notice that this is a .NET top-level domain name. The .NET used to mean something special to identify network providers.) Now all we need to do is repeat the whois command using APNIC as the authority instead of whois.arin.net. The way you do this is by adding the -h parameter followed by the name of the authoritative server. (Many newer whois clients read the ReferralServer line and make this second query for you automatically, but doing it by hand shows you exactly which registry answered.) The whole command looks like this…
$ whois -h whois.apnic.net 61.129.51.17
inetnum: 22.214.171.124 – 126.96.36.199
descr: Data Communication Division
descr: China Telecom
So now we know that this IP is registered to China Telecom. They hold the entire range 188.8.131.52 – 184.108.40.206. Also provided in the response but omitted above is a phone number and email address of the person responsible for that range of IP addresses. Keep in mind what this does and does not tell you: whois records who registered the block, not who is operating (or has broken into) the particular host, so the contact you find is the right place to report abuse rather than the culprit. Most network administrators are responsible and want to know if their network is being used for spam or worse.
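The two-step lookup above (ask the default registry, read its ReferralServer line, repeat the query against the server it names) is easy to script once you know that whois is just a plain-text exchange over TCP port 43. The following Python is an added example, not code from the original post: it speaks the raw whois protocol, parses the NetRange/inetnum, organisation and referral lines out of a reply, and follows referrals until a registry stops pointing elsewhere. The replies in SAMPLE_REPLIES are constructed to mimic the shape of ARIN and APNIC output so the script can run offline; the ranges and names in them are illustrative, not captured from the real servers, and whois_query is only used if you pass it in yourself.

```python
import ipaddress
import re
import socket

WHOIS_PORT = 43


def whois_query(server, query, timeout=10):
    """Raw WHOIS protocol (RFC 3912): open TCP/43, send the query plus CRLF,
    read until the server closes the connection. Everything is clear text."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


# ARIN uses "ReferralServer: whois://host", IANA uses "refer: host" or "whois: host".
# The optional scheme is captured so that rwhois:// referrals (a different
# protocol on a different port) can be skipped rather than queried on port 43.
REFERRAL_RE = re.compile(r"^(?:ReferralServer|refer|whois):\s*(?:(\w+)://)?([\w.-]+)", re.I | re.M)
RANGE_RE = re.compile(r"^(?:NetRange|inetnum):\s*(.+)$", re.I | re.M)
ORG_RE = re.compile(r"^(?:OrgName|org-name|descr|owner|netname):\s*(.+)$", re.I | re.M)


def parse_reply(text):
    """Pull the address range, organisation lines and next-hop referral out of a reply.
    When a reply lists several nested ranges the last (most specific) one is kept."""
    ranges = RANGE_RE.findall(text)
    orgs = [m.strip() for m in ORG_RE.findall(text)]
    referral = None
    ref = REFERRAL_RE.search(text)
    if ref and (ref.group(1) or "whois").lower() == "whois":
        referral = ref.group(2).lower()
    return {"range": ranges[-1].strip() if ranges else None, "org": orgs, "referral": referral}


def trace_ip(ip, query=whois_query, start="whois.arin.net", max_hops=5):
    """Query `start`, then follow referrals until a registry gives none.
    Returns one dict per hop. Loops and runaway chains are cut off."""
    ipaddress.ip_address(ip)  # raises ValueError on junk; never send unvalidated text down port 43
    server, hops, seen = start, [], set()
    while server and server not in seen and len(hops) < max_hops:
        seen.add(server)
        info = parse_reply(query(server, ip))
        hops.append({"server": server, **info})
        server = info["referral"]
    return hops


# Constructed sample replies shaped like ARIN and APNIC output (illustrative values).
SAMPLE_REPLIES = {
    ("whois.arin.net", "61.129.51.17"): (
        "NetRange:       61.0.0.0 - 61.255.255.255\n"
        "CIDR:           61.0.0.0/8\n"
        "NetName:        APNIC-61\n"
        "OrgName:        Asia Pacific Network Information Centre\n"
        "OrgId:          APNIC\n"
        "ReferralServer: whois://whois.apnic.net\n"
    ),
    ("whois.apnic.net", "61.129.51.17"): (
        "inetnum:        61.129.0.0 - 61.129.255.255\n"
        "descr:          Data Communication Division\n"
        "descr:          China Telecom\n"
        "country:        CN\n"
    ),
}


def fake_query(server, ip):
    """Offline stand-in for whois_query backed by the constructed replies above."""
    return SAMPLE_REPLIES[(server, ip)]


if __name__ == "__main__":
    for hop in trace_ip("61.129.51.17", query=fake_query):
        print(hop["server"], hop["range"], hop["org"], hop["referral"])
    # Against live registries: trace_ip("61.129.51.17")
```

The query function is injected rather than hard-wired so the referral logic can be tested without touching the network, and ipaddress.ip_address rejects anything that is not an address before it goes on the wire. The same loop works for ARIN's other referrals (RIPE, LACNIC, AFRINIC); only the constructed sample data is specific to this post's example.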