The Lost Symbol IP Address Mystery

In the Dan Brown novel The Lost Symbol a character finds an IP address but is confounded trying to figure out whose IP address it is. She enlists the help of a hacker friend who is also confounded but claims to be able to hack it in no time. Once again Dan Brown fails at technology. Tracking down who owns an IP address is a very simple matter. The IP address system is built on a hierarchy of delegated ownership: large blocks are assigned to regional registries and providers, which delegate smaller ranges to their customers. The ownership of any IP address can be traced with a simple whois command. Let’s start with something simple. Let’s find out who owns the IP address for the CIA’s web site.

Note, all of these examples have been done on a Mac using Terminal.app. They should also work fine on any other UNIX distribution. If you’re still using Windows then you are out of luck. Some of the basic networking commands are not supported by Windows’ cmd.

The first step is to resolve the host name from cia.gov to an IP address. For this we use the host command. Simply type the command followed by the domain name you want to resolve. Also note that www.cia.gov and cia.gov are not necessarily the same thing. The www version does not have a mail server because people typically do not send email there.

$ host cia.gov
cia.gov has address 198.81.129.125
cia.gov mail is handled by 10 mail1.ucia.gov.

$ host www.cia.gov
www.cia.gov has address 198.81.129.125

Now that we know the IP address of this server we can look up its ownership. For that we use the whois command followed by the IP address we want to research.

$ whois 198.81.129.125
ANS Communications, Inc BLK198-15-ANS (NET-198-80-0-0-1)
198.80.0.0 - 198.81.255.255
Central Intelligence Agency OIT-BLK1 (NET-198-81-128-0-1)
198.81.128.0 - 198.81.191.255

In this example the result is simple and immediate. The range of IP addresses 198.80.0.0 - 198.81.255.255 is owned by ANS Communications, Inc. A portion of this range, 198.81.128.0 - 198.81.191.255, has been delegated to the CIA.

Let’s try another example that’s a little more difficult. I can open up almost any spam message and find the IP address of a server that has been compromised. The first one I find is 61.129.51.17. The whois command on this IP does not give us a nice pretty answer. It instead gives us the name of a server that does have this information.

$ whois 61.129.51.17

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

ReferralServer: whois://whois.apnic.net

NetRange: 61.0.0.0 - 61.255.255.255
[…omitted…]

So now we know that the IP address we see is somewhere in the Asia Pacific region of the world. The Asia Pacific Network Information Centre (APNIC) manages the entire 61.x.x.x range out of Australia. So you know that if you see any IP address in that range it is going to be somewhere in Asia. In order to find out more, we need to ask APNIC for their customer information. Fortunately, APNIC has graciously told us the name of their whois server: whois.apnic.net. (Notice that this is a .NET top-level domain name. The .NET used to mean something special to identify network providers.) Now all we need to do is repeat the whois command using APNIC as the authority instead of whois.arin.net. The way you do this is by adding the -h parameter followed by the name of the authoritative server. The whole command looks like this…

$ whois -h whois.apnic.net 61.129.51.17
inetnum: 61.128.0.0 - 61.129.255.255
netname: CHINANET-CN
descr: Data Communication Division
descr: China Telecom
country: CN
[…omitted…]

So now we know that this IP is owned by China Telecom. They own the entire range 61.128.0.0 - 61.129.255.255. Also provided in the response but omitted above is a phone number and email address of the person responsible for that range of IP addresses. Most network administrators are responsible and want to know if their network is being used for spam or worse.
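The referral walk done by hand above (ask the first registry, read its ReferralServer line, ask that server instead) is what the whois client automates for you. The script below is an added example, not from the original post; it speaks the whois protocol directly (a query plus CRLF on TCP port 43), follows referral lines the way the two lookups above do, and assumes whois.arin.net as the starting registry.

```python
import re
import socket

# Starting registry for the first lookup (assumed; it is the server the
# un-parameterised `whois` command above consults for these addresses).
DEFAULT_SERVER = "whois.arin.net"
WHOIS_PORT = 43  # whois is a plain text TCP protocol (RFC 3912)

def query_whois(server, query, timeout=10):
    """Send one whois request (query text plus CRLF on TCP/43) and return the reply."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def find_referral(reply):
    """Return the host named in a referral line, or None.
    ARIN writes 'ReferralServer: whois://whois.apnic.net'; IANA-style replies
    use 'refer: whois.example.net'. Only the host part is returned."""
    pattern = r"^\s*(?:ReferralServer|refer):\s*(?:whois://)?([A-Za-z0-9.-]+)"
    m = re.search(pattern, reply, re.M | re.I)
    return m.group(1).lower() if m else None

def netname_of(reply):
    """Pull the first 'netname:' value out of a reply (e.g. CHINANET-CN), if present."""
    m = re.search(r"^\s*netname:\s*(\S+)", reply, re.M | re.I)
    return m.group(1) if m else None

def follow_referrals(ip, start=DEFAULT_SERVER, max_hops=4, fetch=query_whois):
    """Ask the starting registry and, while the reply names another server, ask
    that one instead. Returns the list of (server, reply) pairs visited.
    `fetch` is swappable so the walk can be exercised on canned replies offline."""
    seen, server, trail = set(), start, []
    for _ in range(max_hops):
        if server in seen:  # guard against referral loops
            break
        seen.add(server)
        reply = fetch(server, ip)
        trail.append((server, reply))
        nxt = find_referral(reply)
        if not nxt:
            break
        server = nxt
    return trail
```

Run `follow_referrals("61.129.51.17")` with network access and the trail ends at whois.apnic.net with the China Telecom record shown above.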