Whois at the CLI: get all IP ranges from an AS number

Just a note to my future self, in case I ever need it again. All you need is the AS number.

$ whois -h whois.radb.net -- '-i origin AS1234' | grep 'route:'
route:          1.2.3.0/24
...

For instance, all of Facebook's IP ranges in use.

$ whois -h whois.radb.net -- '-i origin AS32934' | grep 'route:'
route:      204.15.20.0/22
route:      69.63.176.0/20
...

Or all their IPv6 ranges.

$ whois -h whois.radb.net -- '-i origin AS32934' | grep 'route6:'
route6:     2620:0:1c00::/40
route6:     2a03:2880::/32
...

Very useful if you want to write scripts that use these IP ranges as filters. Think of scripts to quickly ban all Facebook traffic (you know, in case the Facebook content scrapers are performing a DoS on your site, for instance), check Google IP ranges vs. the User-Agent in your logs, ...
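The User-Agent check mentioned above, as an added example (not code from the original post), written in Python rather than shell because prefix membership needs CIDR arithmetic: it parses RADB output into networks and lists clients whose User-Agent claims a crawler while their address lies outside the AS's prefixes. The whois and log samples are constructed, and `parse_routes`, `spoofed_claims` and `LINE` are names chosen here.

```python
import ipaddress
import re

# Constructed sample of `whois -h whois.radb.net -- '-i origin AS32934'` output:
# the four prefixes quoted in the article plus one deliberately malformed line.
RADB_SAMPLE = """\
route:      204.15.20.0/22
origin:     AS32934
route:      69.63.176.0/20
route:      not-a-prefix
route6:     2620:0:1c00::/40
route6:     2a03:2880::/32
"""

# Constructed access-log lines (combined format, documentation addresses).
LOG_SAMPLE = """\
69.63.176.13 - - [10/Oct/2014:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "-" "facebookexternalhit/1.1"
203.0.113.7 - - [10/Oct/2014:13:55:37 +0000] "GET / HTTP/1.1" 200 512 "-" "facebookexternalhit/1.1"
2a03:2880::1 - - [10/Oct/2014:13:55:38 +0000] "GET /a HTTP/1.1" 200 90 "-" "facebookexternalhit/1.1"
198.51.100.9 - - [10/Oct/2014:13:55:39 +0000] "GET /a HTTP/1.1" 200 90 "-" "Mozilla/5.0"
not-an-ip - - [10/Oct/2014:13:55:40 +0000] "GET /a HTTP/1.1" 200 90 "-" "facebookexternalhit/1.1"
"""

# Client field and last quoted field (the User-Agent) of each log line.
LINE = re.compile(r'^(\S+) .*"([^"]*)"$', re.M)

def parse_routes(whois_text):
    """Return the route:/route6: prefixes as ip_network objects."""
    nets = []
    for prefix in re.findall(r"^route6?:\s+(\S+)", whois_text, re.M):
        try:
            nets.append(ipaddress.ip_network(prefix, strict=False))
        except ValueError:
            pass  # malformed prefix in the registry data: skip it
    return nets

def spoofed_claims(log_text, nets, ua_token):
    """Clients whose User-Agent contains ua_token but whose address is outside nets."""
    flagged = []
    for client, agent in LINE.findall(log_text):
        try:
            inside = any(ipaddress.ip_address(client) in n for n in nets)
        except ValueError:
            inside = False  # hostname or junk in the client field: unverified
        if ua_token in agent and not inside:
            flagged.append(client)
    return flagged

if __name__ == "__main__":
    print(spoofed_claims(LOG_SAMPLE, parse_routes(RADB_SAMPLE), "facebookexternalhit"))
```

Feed it the live output of the whois command above in place of `RADB_SAMPLE`. RADB holds what operators registered, so treat a miss as a reason to look closer rather than as proof of spoofing.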


  1. Is this using jwhois?

    With jwhois-4.0-19.el6.x86_64.rpm I get:

    # whois -h whois.radb.net — ‘-i origin AS32934′ | grep ‘route:’
    whois: invalid option — ‘ ‘
    whois: invalid option — ‘o’
    whois: invalid option — ‘g’
    whois: invalid option — ‘ ‘
    whois: invalid option — ‘A’
    whois: invalid option — ‘S’
    whois: invalid option — ‘3’
    whois: invalid option — ‘2’
    whois: invalid option — ‘9’
    whois: invalid option — ‘3’
    whois: invalid option — ‘4’

    • jwhois works, but WordPress has screwed up the formatting. It’s a double dash in the middle;
      $ whois -h whois.radb.net -- '-i origin AS1234' | grep 'route:'

      I’ve updated the article with HTML codes to avoid that default formatting, should be more obvious now. ;-)

  2. And again, it was wise to copy this little snippet into my own cheat sheet.
    Just had an attack from one specific ISP.

    Blocked it using the basics of this post and some extra Command Line Fu:

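    # Attacking address taken from the logs
    ip=201.243.7.136
    # Origin AS of the route covering it (first match only; a lookup can return several route objects)
    as=$(whois -h whois.radb.net "$ip" | awk '$1 ~ /origin:/{print $2; exit}')
    # Every IPv4 prefix registered with that origin AS
    ranges=$(whois -h whois.radb.net -- "-i origin $as" | awk '$1 ~ /route:/{print $2}')
    # Drop traffic from each prefix, then persist the rules
    for range in $ranges; do iptables -I INPUT -s "$range" -j DROP; done
    service iptables save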
    

    No more, Venezuela!