Easy Geolocalization of IP Addresses


If I had to name one annoying operation, it would be searching for contact information about IP addresses!

Often, network administrators and security guys have to find out to whom a given IP address is assigned (for example, when analyzing logs or doing forensic searches). Useful information linked to an IP address includes contact information (technical, abuse), the country, and routing information (autonomous systems).

The whole IPv4 address space (2^32 addresses) is split into blocks, almost all of which are assigned by an organization called IANA (Internet Assigned Numbers Authority). At the top level, the space is divided into /8 blocks (2^24, or 16,777,216, addresses each) which IANA hands out. But IANA cannot handle every request for IP addresses, so there is a delegation system. The Internet is divided into several geographical zones where a "sub" authority, called a "Regional Internet Registry" (RIR), handles local requests and polices the proper usage of its own assigned blocks. Finally, each ISP redistributes its assigned addresses by splitting the blocks into smaller pieces (using longer prefixes, i.e. bigger subnet masks). We end up with this chain of delegation:

IANA -> Regional Internet Registry -> Internet Providers -> Customers

Source: http://www.iana.org/numbers/

An Internet Service Provider located in Belgium will ask its Regional Internet Registry for IP addresses. For Belgium (and the rest of Europe, the Middle East and parts of Central Asia), it's the RIPE NCC (RIPE stands for "Réseaux IP Européens"). Once IP addresses have been assigned to this ISP, all relevant information is stored in a "whois" database and the ISP can start to distribute them to its customers. Its responsibility will be to add customer information into the same whois database. Such databases store information about IP addresses, domain names and autonomous systems. To query a whois DB, you need a client, which is called... "whois" on UNIX (clients are available for all operating systems). Give it the object you are looking for and the server to ask. As an example, let's search for more information about the IP address behind www.twitter.com:

$ host www.twitter.com
www.twitter.com is an alias for twitter.com.
twitter.com has address 168.143.162.116
$ whois -h whois.ripe.net 168.143.162.116
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: This output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '168.0.0.0 - 168.255.255.255'

inetnum:      168.0.0.0 - 168.255.255.255
netname:      EU-ZZ-168
descr:        Various Registries
country:      EU # Country is really world wide
remarks:      These addresses were issued by
              The IANA before the formation of
              Regional Internet Registries.
              
org:          ORG-NCC1-RIPE
admin-c:      iana1-RIPE
tech-c:       iana1-RIPE
status:       ALLOCATED UNSPECIFIED
mnt-by:       RIPE-NCC-HM-MNT
mnt-lower:    RIPE-NCC-HM-MNT
mnt-routes:   RIPE-NCC-RPSL-MNT
source:       RIPE # Filtered

organisation:   ORG-NCC1-RIPE
org-name:       RIPE NCC
org-type:       RIR
address:        RIPE Network Coordination Centre
address:        P.O. Box 10096
address:        1001 EB Amsterdam
address:        The Netherlands
phone:          +31 20 535 4444
fax-no:         +31 20 535 4445
e-mail:         hostmaster@ripe.net
admin-c:        CREW-RIPE
tech-c:         CREW-RIPE
mnt-ref:        RIPE-NCC-RIS-MNT
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
source:         RIPE # Filtered

role:         Internet Assigned Numbers Authority
address:      see http://www.iana.org.
e-mail:       bitbucket@ripe.net
admin-c:      IANA1-RIPE
tech-c:       IANA1-RIPE
nic-hdl:      IANA1-RIPE
remarks:      For more information on IANA services
remarks:      go to IANA web site at http://www.iana.org.
mnt-by:       RIPE-NCC-MNT
source:       RIPE # Filtered

In the example above, we sent a whois query to whois.ripe.net and the database only reported that the 168.0.0.0/8 block was issued by IANA before the RIRs existed ("ALLOCATED UNSPECIFIED", "Various Registries"). No more information is provided: the RIPE NCC is simply not the registry holding the actual assignment. Now you know why searching for IP addresses is so boring! Often, you don't know which whois database to query to get the relevant information. Except for some well-known blocks directly related to your business, you can't remember which whois server to use for all of them. (One shortcut worth knowing: whois.iana.org answers an IP query with a "refer:" line naming the responsible registry, and the Linux whois client keeps its own table of blocks to servers, so it usually picks the right one by itself.) Let's try another DB: whois.arin.net. Bingo! It found something:

$ whois -h whois.arin.net 168.143.162.116

OrgName:    NTT America, Inc. 
OrgID:      NTTAM-1
Address:    8005 South Chester Street
Address:    Suite 200
City:       Centennial
StateProv:  CO
PostalCode: 80112
Country:    US
<Remaining stuff deleted>

If you're not lucky, you can now imagine the nightmare of finding the right whois server: you may have to perform two or three queries before a successful search.
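To make the server hunting less painful, here is an added example (code written for this edit, not the author's script nor the utrace service): a small Python whois client that asks whois.iana.org which registry holds the block, follows its "refer:" line, and parses the RPSL-style key/value answer into fields, flagging the "issued by IANA before the RIRs" placeholder seen in the RIPE answer above. The whois.iana.org referral behaviour, the fallback to whois.arin.net and the placeholder heuristic are assumptions drawn from current practice and from the output shown in the article; the two samples embedded at the bottom are constructed (trimmed from that output) so the parser can be exercised offline.

```python
"""Whois helper: ask IANA which registry holds an IP block, query that
registry, and parse the RPSL-style answer.  Added example for this article,
not the author's or utrace's code.  The query functions talk to the real
whois servers; the parser runs offline on the constructed samples below."""
import ipaddress
import re
import socket

WHOIS_PORT = 43                 # RFC 3912: whois is plain text over TCP/43
IANA_WHOIS = "whois.iana.org"   # assumption: answers an IP query with a "refer:" line

# "key:   value" at column 0; indented lines are continuations of the previous value.
KV_RE = re.compile(r"^([A-Za-z][\w-]*):\s*(.*)$")


def whois_query(server, query, timeout=10):
    """Send one whois query to server and return the raw text answer."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall((query + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_rpsl(text):
    """Turn whois output into a list of objects (dict: attribute -> [values]).
    Blank lines separate objects, '%'/'#' lines are server comments, and an
    indented line continues the previous attribute.  Trailing ' # Filtered'
    style comments are stripped from values."""
    objects, current, last_key = [], {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            if current:
                objects.append(current)
            current, last_key = {}, None
            continue
        if stripped.startswith(("%", "#")):
            continue
        match = KV_RE.match(line)
        if match:
            key = match.group(1).lower()
            value = match.group(2).split(" # ")[0].strip()
            current.setdefault(key, []).append(value)
            last_key = key
        elif last_key is not None:
            current[last_key][-1] += " " + stripped
    if current:
        objects.append(current)
    return objects


def is_placeholder(obj):
    """Heuristic from the RIPE answer in the article: a block 'issued by IANA
    before the RIRs' shows up as ALLOCATED UNSPECIFIED / Various Registries,
    meaning the real assignment lives in another registry's database."""
    status = " ".join(obj.get("status", [])).upper()
    descr = " ".join(obj.get("descr", [])).lower()
    return "UNSPECIFIED" in status or "various registries" in descr


def summarize(objects):
    """First value of the attributes an analyst usually wants (RIPE and ARIN spellings)."""
    wanted = ("inetnum", "netrange", "netname", "orgname", "org-name",
              "country", "status", "abuse-mailbox", "e-mail")
    summary = {}
    for obj in objects:
        for key in wanted:
            if key in obj and key not in summary:
                summary[key] = obj[key][0]
    return summary


def find_whois_server(ip):
    """Ask IANA which registry is responsible; None if no 'refer:' line comes back."""
    for obj in parse_rpsl(whois_query(IANA_WHOIS, ip)):
        if "refer" in obj:
            return obj["refer"][0]
    return None


def lookup(ip):
    """Full chain: validate the address, find the registry, query it, summarize."""
    ipaddress.ip_address(ip)                               # ValueError if not an IP
    server = find_whois_server(ip) or "whois.arin.net"    # assumption: ARIN as last resort
    return server, summarize(parse_rpsl(whois_query(server, ip)))


# Constructed samples, trimmed from the two answers shown in the article.
SAMPLE_RIPE = """\
% Information related to '168.0.0.0 - 168.255.255.255'

inetnum:      168.0.0.0 - 168.255.255.255
netname:      EU-ZZ-168
descr:        Various Registries
country:      EU # Country is really world wide
remarks:      These addresses were issued by
              The IANA before the formation of
              Regional Internet Registries.
status:       ALLOCATED UNSPECIFIED
source:       RIPE # Filtered

organisation:   ORG-NCC1-RIPE
org-name:       RIPE NCC
e-mail:         hostmaster@ripe.net
source:         RIPE # Filtered
"""

SAMPLE_ARIN = """\
OrgName:    NTT America, Inc.
OrgID:      NTTAM-1
Address:    8005 South Chester Street
Address:    Suite 200
Country:    US
"""

if __name__ == "__main__":
    import sys
    print(lookup(sys.argv[1] if len(sys.argv) > 1 else "168.143.162.116"))  # live query
```

Run it with an address as argument to do the live IANA-then-registry lookup; on the RIPE sample, `is_placeholder()` is true for the inetnum object, which is exactly the signal to go and ask another registry instead of stopping at "issued by IANA".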

Recently, I found a nice website developed by a German company, called utrace. It allows you to enter a domain name, a host name or an IP address, and it will search the right whois database for you. It will also show you the IP address location on a Google map:


Once located on the map, the IP address can be re-used to perform a query against the right whois server and extra information will be displayed. As an extra, a small widget is available for your web pages, as well as a PHP API. A very useful online tool! (I'm sure that other services like this one exist, feel free to share.)

5 comments

  1. Hello Fransisco,
    E-mail address users cannot be geolocalized (no relation with an IP address). But, domains have MX records which can be localized.

    You should generate a list of unique domains. Resolve their MX records to IP addresses. Then use the technique I described in this article.

    Hope this helps!

  2. Hi,

    We have a large list of about 150,000 emails and would like to find out through geolocalization where each email address is located. Can anybody provide that service for our company?

    Thank you.

    Best,

    Francisco

  3. Try whois.sc… it gives you all the info you will ever want and then some…

    I have no idea why you would have gone to your example whois query base – because it looks pretty lame. Maybe once you visit whois.sc you will appreciate what a good whois look up service looks like 😉

  4. There are several whois proxies available (the one I use is whois-servers.net ), which will pick the right whois server for you. There are also GeoIP libraries available (just apt-cache search GeoIP) which most commonly refer to the same DB: http://www.maxmind.com/app/geoip_country.
    I guess the utrace site is just that…
