Whois at the CLI: get all IP ranges from an AS number

Just a note to my future self, in case I ever need it again. All you need is the AS number.

$ whois -h whois.radb.net -- '-i origin AS1234' | grep 'route:'
route:          1.2.3.0/24
...

For instance, all Facebook's IP addresses in use.

$ whois -h whois.radb.net -- '-i origin AS32934' | grep 'route:'
route:      204.15.20.0/22
route:      69.63.176.0/20
...

Or all their IPv6 ranges.

$ whois -h whois.radb.net -- '-i origin AS32934' | grep 'route6:'
route6:     2620:0:1c00::/40
route6:     2a03:2880::/32
...

Very useful if you want to write scripts that use these IP ranges as filters.

Think of scripts to quickly ban all Facebook traffic (you know, in case the Facebook content scrapers are performing a DoS on your site), check Google IP ranges vs. the User-Agents used in your webserver access logs, ...
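As an added example (not part of the original post), here is one way to turn the whois output into a filter safely: treat the registry text as untrusted input, keep only well-formed IPv4 prefixes, and load them into a single ipset instead of one iptables rule per range. The set name `blocked_as`, the /8 minimum prefix length and the sample input are assumptions; IRR route objects are registered by operators themselves and can be stale or overly broad.

```shell
#!/bin/sh
# Added example: parse RADB "-i origin" output into validated IPv4 prefixes
# and emit an `ipset restore` script, so one iptables rule covers the whole AS.

MIN_LEN=${MIN_LEN:-8}   # assumption: refuse prefixes wider than /8

# Constructed sample input. The first two prefixes are the ones shown above;
# the remaining lines are made up to exercise the filter.
sample_radb_output() {
cat <<'EOF'
route:      204.15.20.0/22
descr:      constructed sample
origin:     AS32934
route:      69.63.176.0/20
origin:     AS32934
route:      204.15.20.0/22
route6:     2620:0:1c00::/40
route:      999.1.1.0/24
route:      0.0.0.0/0
route:      10.0.0.0/24; echo injected
EOF
}

# stdin: whois output. stdout: unique, syntactically valid IPv4 prefixes.
extract_v4_prefixes() {
  awk -v min="$MIN_LEN" '
    $1 == "route:" {
      # Strict shape check first: anything with stray characters is dropped.
      if ($2 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/) next
      split($2, cidr, "/"); split(cidr[1], octet, ".")
      ok = (cidr[2] + 0 >= min + 0 && cidr[2] + 0 <= 32)
      for (i = 1; i <= 4; i++) if (octet[i] + 0 > 255) ok = 0
      if (ok && !seen[$2]++) print $2
    }'
}

# $1: set name (hypothetical). stdin: prefixes. stdout: ipset restore script.
to_ipset_restore() {
  printf 'create %s hash:net family inet\n' "$1"
  while IFS= read -r prefix; do
    printf 'add %s %s\n' "$1" "$prefix"
  done
}

# Demo on the constructed sample. Live use (needs root and network):
#   whois -h whois.radb.net -- '-i origin AS32934' | extract_v4_prefixes \
#     | to_ipset_restore blocked_as | ipset -exist restore
#   iptables -I INPUT -m set --match-set blocked_as src -j DROP
sample_radb_output | extract_v4_prefixes | to_ipset_restore blocked_as
```

Review the generated prefix list before loading it; the ipset can be flushed and rebuilt later without touching the iptables rule.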


  1. Is this using jwhois?

    With jwhois-4.0-19.el6.x86_64.rpm I get:

    # whois -h whois.radb.net — ‘-i origin AS32934′ | grep ‘route:’
    whois: invalid option — ‘ ‘
    whois: invalid option — ‘o’
    whois: invalid option — ‘g’
    whois: invalid option — ‘ ‘
    whois: invalid option — ‘A’
    whois: invalid option — ‘S’
    whois: invalid option — ‘3’
    whois: invalid option — ‘2’
    whois: invalid option — ‘9’
    whois: invalid option — ‘3’
    whois: invalid option — ‘4’

    • jwhois works, but WordPress has screwed up the formatting. It’s a double dash in the middle;
      $ whois -h whois.radb.net -- '-i origin AS1234' | grep 'route:'

      I’ve updated the article with HTML codes to avoid that default formatting, should be more obvious now. ;-)

  2. And again, it was wise to copy this little snippet into my own cheat sheet.
    Just had an attack from one specific ISP.

    Blocked it using the basics of this post and some extra Command Line Fu:

    ip=201.243.7.136
    as=$(whois -h whois.radb.net "$ip" | awk '$1 ~ /origin:/{print $2}')
    ranges=$(whois -h whois.radb.net -- "-i origin $as" | awk '$1 ~ /route:/{print $2}')
    for range in $ranges; do iptables -I INPUT -s "$range" -j DROP; done
    service iptables save
    

    No Más, Venezuela!