Whois at the CLI: get all IP ranges from an AS number

Mattias Geniar, Saturday, April 26, 2014 - last modified: Sunday, April 26, 2015

Just a note to my future self, in case I ever need it again. All you need is the AS number.

$ whois -h whois.radb.net -- '-i origin AS1234' | grep 'route:'
route:          1.2.3.0/24
...

For instance, here are all of Facebook's IP addresses in use.

$ whois -h whois.radb.net -- '-i origin AS32934' | grep 'route:'
route:      204.15.20.0/22
route:      69.63.176.0/20
...

Or all their IPv6 ranges.

$ whois -h whois.radb.net -- '-i origin AS32934' | grep 'route6:'
route6:     2620:0:1c00::/40
route6:     2a03:2880::/32
...

Very useful if you want to write scripts that use these IP ranges as filters.

Think of scripts to quickly ban all Facebook traffic (you know, in case the Facebook content scrapers are performing a DoS on your site), check Google IP ranges vs. the User-Agents used in your webserver access logs, ...
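
The second idea above (crawler ranges vs. User-Agents in access logs), sketched as an added example that is not part of the original post. AS64500, the prefixes and the log lines are constructed documentation values, and the function names `parse_routes` and `spoofed_crawlers` are hypothetical.

```python
import ipaddress
import re

# Constructed samples: RADB output for documentation AS64500, combined-format log lines.
SAMPLE_WHOIS = """\
route:      192.0.2.0/24
route:      192.0.2.0/25
route:      not-a-prefix
route6:     2001:db8:1c00::/40
"""
SAMPLE_LOG = """\
192.0.2.17 - - [26/Apr/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
203.0.113.9 - - [26/Apr/2014:10:00:02 +0000] "GET /login HTTP/1.1" 200 900 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
2001:db8:ffff::1 - - [26/Apr/2014:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Googlebot/2.1"
203.0.113.50 - - [26/Apr/2014:10:00:04 +0000] "GET /Googlebot HTTP/1.1" 404 0 "-" "curl/7.35.0"
"""
LOG_RE = re.compile(r'^(\S+) .* "([^"]*)"$')  # client address, last quoted field


def parse_routes(whois_text):
    """Validated, collapsed networks from route:/route6: attributes."""
    nets = []
    for value in re.findall(r"^route6?:\s+(\S+)", whois_text, re.MULTILINE):
        try:
            nets.append(ipaddress.ip_network(value))
        except ValueError:
            continue  # malformed registry value: never pass it on to a filter
    by_version = ([n for n in nets if n.version == v] for v in (4, 6))
    return [c for group in by_version for c in ipaddress.collapse_addresses(group)]


def spoofed_crawlers(log_text, networks, ua_token="Googlebot"):
    """Addresses whose User-Agent claims ua_token but lie outside networks."""
    suspects = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or ua_token not in m.group(2):
            continue  # token must be in the User-Agent, not the request path
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # first field is a hostname or garbage, not an address
        if not any(addr in n for n in networks):
            suspects.append(str(addr))
    return suspects


if __name__ == "__main__":
    print(spoofed_crawlers(SAMPLE_LOG, parse_routes(SAMPLE_WHOIS)))
```

To use it on real data, pass the text returned by the whois command to `parse_routes`. RADB holds what operators have registered, which can lag behind what is actually announced, so treat a mismatch as a lead to check rather than proof.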




Comments

Stéphan Monday, May 12, 2014 at 14:09 -

Is this using jwhois?

With jwhois-4.0-19.el6.x86_64.rpm I get:

# whois -h whois.radb.net — ‘-i origin AS32934’ | grep ‘route:’
whois: invalid option — ‘ ‘
whois: invalid option — ‘o’
whois: invalid option — ‘g’
whois: invalid option — ‘ ‘
whois: invalid option — ‘A’
whois: invalid option — ‘S’
whois: invalid option — ‘3’
whois: invalid option — ‘2’
whois: invalid option — ‘9’
whois: invalid option — ‘3’
whois: invalid option — ‘4’


    Mattias Geniar Monday, May 12, 2014 at 14:22 -

    jwhois works, but WordPress has screwed up the formatting. It’s a double dash in the middle;
    $ whois -h whois.radb.net -- '-i origin AS1234' | grep 'route:'

    I’ve updated the article with HTML codes to avoid that default formatting, should be more obvious now. ;-)


Stéphan Monday, May 12, 2014 at 14:26 -

Aha,

a double dash breaker :)

Makes perfect sense.
Thanks!

I also see what WP did
it converted — to —
which is not the same as –


Stéphan Monday, August 18, 2014 at 22:16 -

And again, it was wise to copy this little snippet into my own cheat sheet.
Just had an attack from one specific ISP.

Blocked it using the basics of this post and some extra Command Line Fu:

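ip=201.243.7.136
# Look up the origin AS of the offending address (first match only)
as=$(whois -h whois.radb.net "$ip" | awk '$1 ~ /origin:/{print $2; exit}')
# Fetch every IPv4 route object registered with that origin AS
ranges=$(whois -h whois.radb.net -- "-i origin $as" | awk '$1 ~ /route:/{print $2}')
# Drop inbound traffic from each range, then persist the rules
for range in $ranges; do iptables -I INPUT -s "$range" -j DROP; done
service iptables save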

No Más, Venezuela!


venkyhack Tuesday, August 2, 2016 at 09:26 -

Hi Matt,

May I please know the format of the command? What was the — used for and also why the – i was under the single quote? Thanks for your help


fj Friday, August 12, 2016 at 21:03 -

Script to block all of Facebook:

#!/bin/bash

ACTION="DROP"
FACEBOOK_AS="AS32934"

# flush (clear) the tables and clear the counters
iptables -F
iptables -Z
ip6tables -F
ip6tables -Z

for AS in ${FACEBOOK_AS}
do
  # IPv4 prefixes for this AS
  IPs=$(whois -h whois.radb.net \!g${AS} | grep /)
  for IP in ${IPs}
  do
    for TARGET in INPUT OUTPUT FORWARD
    do
      iptables -A ${TARGET} -p all -d ${IP} -j ${ACTION}
    done
  done

  # IPv6 prefixes for this AS
  IPs=$(whois -h whois.radb.net \!6${AS} | grep /)
  for IP in ${IPs}
  do
    for TARGET in INPUT OUTPUT FORWARD
    do
      ip6tables -A ${TARGET} -p all -d ${IP} -j ${ACTION}
    done
  done
done

ash Tuesday, November 13, 2018 at 06:47 -

How can we pull all the routes under as-set?
Please advise


oldfart Tuesday, August 20, 2019 at 09:59 -

This doesn’t seem to work as of today


Mattias Geniar Tuesday, August 20, 2019 at 19:16 -

Hm the examples in the original post still work for me. Try this one?

$ whois -h whois.radb.net -- '-i origin AS32934' 

oldfart Tuesday, August 20, 2019 at 19:50 -

True, it will work but not with jwhois, only with whois.md

jwhois returns:
[IDN encoding of ‘-i origin AS32934’ failed: string start/ends with forbidden hyphen)]

I had to switch my alternatives to use /usr/bin/whois.md instead of /usr/bin/jwhois

