The Lost Symbol IP Address Mystery

In the Dan Brown novel The Lost Symbol a character finds an IP address but is confounded trying to figure out whose IP address it is. She enlists the help of a hacker friend who is also confounded but claims to be able to hack it in no time. Once again Dan Brown fails at technology. Finding out who an IP address is registered to is a very simple matter. IP addresses are handed out hierarchically: IANA delegates large blocks to the regional Internet registries, the registries delegate smaller blocks to ISPs and organizations, and every delegation is recorded in a public database. The registered holder of any IP address can therefore be traced with a simple whois command. (What whois will not tell you is which machine or which person behind that organization is using the address; for that you have to ask the holder of the block.) Let’s start with something simple. Let’s find out who owns the IP address for the CIA’s web site.

Note: all of these examples were done on a Mac. They should also work fine on any other UNIX system. If you’re still using Windows you are mostly out of luck: cmd.exe does not ship the host or whois commands (nslookup covers the name resolution step, but a whois client has to be installed separately).

The first step is to resolve the host name to an IP address. For this we use the host command. Simply type the command followed by the domain name you want to resolve. Also note that the bare domain and its www host are not necessarily the same thing. The www host has no mail server (MX record) listed because people typically do not send email there.

$ host has address mail is handled by 10

$ host has address

Now that we know the IP address of this server we can look up its ownership. For that we use the whois command followed by the IP address we want to research.

$ whois
ANS Communications, Inc BLK198-15-ANS (NET-198-80-0-0-1) –
Central Intelligence Agency OIT-BLK1 (NET-198-81-128-0-1) –

In this example the result is simple and immediate. The range of IP addresses – is registered to ANS Communications, Inc. A portion of this range, –, has been delegated to the CIA.

Let’s try another example that’s a little more difficult. I can open up almost any spam message and find the IP address of the server that sent it, often a compromised machine. The first one I find is 61•129•51•17. The whois command on this IP does not give us a nice pretty answer. Instead it gives us the name of a server that does have this information.

$ whois

OrgName: Asia Pacific Network Information Centre
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

ReferralServer: whois://

NetRange: –

So now we know that the IP address we are looking at is somewhere in the Asia Pacific region. The Asia Pacific Network Information Centre (APNIC) manages the entire 61.x.x.x range out of Australia, so any address that begins with 61 is going to be registered somewhere in the Asia Pacific region. In order to find out more, we need to ask APNIC for their customer information. Fortunately, the ReferralServer line in the response has graciously told us the name of APNIC’s whois server: (Notice that this is a .NET top-level domain name. .NET used to mean something special, identifying network providers.) Now all we need to do is repeat the whois command using APNIC’s server as the authority instead of the default one. The way you do this is by adding the -h parameter followed by the name of the authoritative server. The whole command looks like this…

$ whois -h 61•129•51•17
inetnum: –
netname: CHINANET-CN
descr: Data Communication Division
descr: China Telecom
country: CN

So now we know that this IP is registered to China Telecom. They hold the entire range –. Also provided in the response, but omitted above, are the phone number and email address of the contact responsible for that range of IP addresses. Most network administrators are responsible and want to know if their network is being used for spam or worse.
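The three steps above (resolve with host, whois the address, then whois -h against the server named in the referral) can be chained in a small shell script. This is an added example, not code from the original post. It assumes the standard host(1) and whois(1) clients are installed; the two sample responses embedded in it are constructed for offline testing and modelled on the output shown above (the address range in the second sample is illustrative, not a statement about the real allocation).

```shell
#!/bin/sh
# Added example (not from the original post): automate the three steps
#   1. resolve a host name to its addresses with host(1)
#   2. whois the address on the client's default server
#   3. if the answer only names a ReferralServer, ask that server instead
# The SAMPLE_* responses are constructed for offline testing; the range in
# SAMPLE_RIR is illustrative, not a claim about the real allocation.

# Print the host named in a "ReferralServer: whois://host[:port]" line, if any.
# Only whois:// referrals are followed; rwhois:// referrals are ignored.
referral_server() {
  sed -n 's#^ReferralServer:[[:space:]]*whois://\([^:/[:space:]]*\).*#\1#p' | head -n 1
}

# Reduce a registry response to the fields that identify the block holder.
# Handles ARIN-style (NetRange/OrgName) and APNIC/RIPE-style
# (inetnum/netname/descr/country) field names.
summarize() {
  awk -F': *' 'tolower($1) ~ /^(netrange|inetnum|orgname|netname|descr|country)$/ {
      printf "%-10s %s\n", $1, $2 }'
}

# whois an address, following one referral to the authoritative registry.
# Usage: chase IP [SERVER]; with no SERVER the whois client picks its default.
chase() {
  ip=$1
  server=$2
  if [ -n "$server" ]; then
    out=$(whois -h "$server" "$ip")
  else
    out=$(whois "$ip")
  fi
  ref=$(printf '%s\n' "$out" | referral_server)
  if [ -n "$ref" ]; then
    echo "referred to $ref"
    out=$(whois -h "$ref" "$ip")
  fi
  printf '%s\n' "$out" | summarize
}

# Resolve a name and chase every A record it returns.
lookup() {
  for ip in $(host "$1" | awk '/has address/ { print $NF }'); do
    echo "== $ip"
    chase "$ip"
  done
}

# Constructed sample: a default-server answer that only refers us onward.
SAMPLE_REFERRAL='OrgName:        Asia Pacific Network Information Centre
Country:        AU
ReferralServer: whois://whois.apnic.net
NetRange:       61.0.0.0 - 61.255.255.255'

# Constructed sample: the kind of answer the referred-to registry gives.
SAMPLE_RIR='inetnum:        61.129.0.0 - 61.129.255.255
netname:        CHINANET-CN
descr:          Data Communication Division
descr:          China Telecom
country:        CN'

# Run as: sh whois-chase.sh www.example.com
if [ $# -gt 0 ]; then
  lookup "$1"
fi
```

The script follows a single referral, which is all the registries' top-level databases hand out; a second hop (for example to an ISP's own rwhois server) is deliberately not followed, because those servers are often unreachable and their data is rarely more useful than the registry's contact fields.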
