Whois at the CLI: get all IP ranges from an AS number

Mattias Geniar, Saturday, April 26, 2014 - last modified: Sunday, April 26, 2015

Just a note to my future self, in case I ever need it again. All you need is the AS number.

$ whois -h whois.radb.net -- '-i origin AS1234' | grep 'route:'
route:          1.2.3.0/24
...

For instance, all Facebook's IP addresses in use.

$ whois -h whois.radb.net -- '-i origin AS32934' | grep 'route:'
route:      204.15.20.0/22
route:      69.63.176.0/20
...

Or all their IPv6 ranges.

$ whois -h whois.radb.net -- '-i origin AS32934' | grep 'route6:'
route6:     2620:0:1c00::/40
route6:     2a03:2880::/32
...

Very useful if you want to write scripts that use these IP ranges as filters.

Think of scripts to quickly ban all Facebook traffic (you know, in case the Facebook content scrapers are performing a DoS on your site), check Google IP ranges vs. the User-Agents used in your webserver access logs, ...
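
As an added example (not part of the original post), here is one way to do the IP-range-versus-User-Agent check mentioned above: parse the `route:` and `route6:` lines returned by the whois query, then flag access-log entries whose User-Agent claims to be a crawler but whose client IP lies outside the prefixes registered for that AS. The function names, the trimmed whois text and the log lines are constructed for illustration; the prefixes are the ones shown earlier in the article.

```python
import ipaddress
import re

# Constructed, trimmed sample of the RADB whois output (prefixes from the article).
SAMPLE_WHOIS = """\
route:      204.15.20.0/22
origin:     AS32934
route:      69.63.176.0/20
origin:     AS32934
route6:     2620:0:1c00::/40
route6:     2a03:2880::/32
"""

# Constructed access-log lines in combined log format; client IPs are made up.
SAMPLE_LOG = """\
69.63.176.10 - - [26/Apr/2014:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "facebookexternalhit/1.1"
198.51.100.7 - - [26/Apr/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "facebookexternalhit/1.1"
2a03:2880::1 - - [26/Apr/2014:10:00:02 +0000] "GET /a HTTP/1.1" 200 99 "-" "facebookexternalhit/1.1"
203.0.113.9 - - [26/Apr/2014:10:00:03 +0000] "GET /b HTTP/1.1" 200 99 "-" "Mozilla/5.0"
"""

def parse_routes(whois_text):
    """Return the networks from route:/route6: attributes, skipping malformed values."""
    nets = []
    for line in whois_text.splitlines():
        key, _, value = line.partition(":")  # split on the first colon only (IPv6-safe)
        if key.strip() in ("route", "route6"):
            try:
                nets.append(ipaddress.ip_network(value.strip(), strict=False))
            except ValueError:
                continue
    return nets

LOG_RE = re.compile(r'^(\S+) .*"([^"]*)"$')  # client field and last quoted field (User-Agent)

def spoofed_clients(log_text, nets, ua_marker):
    """Client IPs whose User-Agent contains ua_marker but which are outside nets."""
    spoofed = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or ua_marker not in m.group(2):
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # hostname or garbage in the client field
        if not any(addr.version == n.version and addr in n for n in nets):
            spoofed.append(str(addr))
    return spoofed
```

In practice, feed `parse_routes` the saved output of the whois command instead of `SAMPLE_WHOIS`. Keep in mind that RADB only lists prefixes that have been registered there, so a miss is a reason to look closer rather than proof of spoofing.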



Comments

Stéphan Monday, May 12, 2014 at 14:09

Is this using jwhois?

With jwhois-4.0-19.el6.x86_64.rpm I get:

# whois -h whois.radb.net — ‘-i origin AS32934’ | grep ‘route:’
whois: invalid option — ‘ ‘
whois: invalid option — ‘o’
whois: invalid option — ‘g’
whois: invalid option — ‘ ‘
whois: invalid option — ‘A’
whois: invalid option — ‘S’
whois: invalid option — ‘3’
whois: invalid option — ‘2’
whois: invalid option — ‘9’
whois: invalid option — ‘3’
whois: invalid option — ‘4’



    Mattias Geniar Monday, May 12, 2014 at 14:22

    jwhois works, but WordPress has screwed up the formatting. It’s a double dash in the middle;
    $ whois -h whois.radb.net -- '-i origin AS1234' | grep 'route:'

    I’ve updated the article with HTML codes to avoid that default formatting, should be more obvious now. ;-)



Stéphan Monday, May 12, 2014 at 14:26

Aha,

a double dash breaker :)

Makes perfect sense.
Thanks!

I also see what WP did
it converted — to —
which is not the same as –



Stéphan Monday, August 18, 2014 at 22:16

And again, it was wise to copy this little snippet into my own cheat sheet.
Just had an attack from one specific ISP.

Blocked it using the basics of this post and some extra Command Line Fu:

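ip=201.243.7.136
# Look up the origin AS of the route object covering this IP (first match only)
as=$(whois -h whois.radb.net "$ip" | awk '$1 ~ /origin:/{print $2; exit}')
# Fetch every IPv4 route registered with that origin AS
ranges=$(whois -h whois.radb.net -- "-i origin $as" | awk '$1 ~ /route:/{print $2}' | sort -u)
# $ranges is left unquoted on purpose so the loop splits it on whitespace
for range in $ranges; do iptables -I INPUT -s "$range" -j DROP; done
service iptables save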

No Más, Venezuela!


