Whois at the CLI: get all IP ranges from an AS number

Mattias Geniar, Saturday, April 26, 2014 - last modified: Sunday, April 26, 2015

Just a note to my future self, in case I ever need it again. All you need is the AS number.

$ whois -h whois.radb.net -- '-i origin AS1234' | grep 'route:'
route:          1.2.3.0/24
...

For instance, all Facebook's IP addresses in use.

$ whois -h whois.radb.net -- '-i origin AS32934' | grep 'route:'
route:      204.15.20.0/22
route:      69.63.176.0/20
...

Or all their IPv6 ranges.

$ whois -h whois.radb.net -- '-i origin AS32934' | grep 'route6:'
route6:     2620:0:1c00::/40
route6:     2a03:2880::/32
...

Very useful if you want to write scripts that use these IP ranges as filters.

Think of scripts to quickly ban all Facebook traffic (you know, in case the Facebook content scrapers are performing a DoS on your site), check Google IP ranges vs. the User-Agents used in your webserver access logs, ...
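The User-Agent check mentioned above, as an added example that is not part of the original post: it flags log lines whose User-Agent claims a crawler while the client IP lies outside every `route:` prefix registered for that crawler's AS. `ExampleBot`, the log lines, the prefixes and the function names are constructed or hypothetical; only IPv4 `route:` objects are handled.

```shell
# Added example (not from the original post). ExampleBot and all addresses are constructed (RFC 5737 ranges).
# Constructed stand-in for the output of: whois -h whois.radb.net -- '-i origin AS1234'
sample_routes() { cat <<'EOF'
route:      192.0.2.0/24
descr:      constructed sample object
route:      198.51.100.0/25
route:      not-a-prefix/99
EOF
}
# Constructed access log lines (combined log format).
sample_log() { cat <<'EOF'
192.0.2.10 - - [26/Apr/2014:10:00:00 +0200] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0)"
203.0.113.7 - - [26/Apr/2014:10:00:01 +0200] "GET /a HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0)"
198.51.100.200 - - [26/Apr/2014:10:00:02 +0200] "GET /b HTTP/1.1" 200 512 "-" "ExampleBot/1.0"
203.0.113.9 - - [26/Apr/2014:10:00:03 +0200] "GET /ExampleBot HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
EOF
}

# find_spoofed ROUTES_FILE UA_SUBSTRING < access.log
# Prints client IPs whose User-Agent contains UA_SUBSTRING but which match no valid prefix; exits 2 if none loaded.
find_spoofed() {
  awk -v routes="$1" -v ua="$2" '
    function ip2int(s,   o, i) {
      if (split(s, o, ".") != 4) return -1
      for (i = 1; i <= 4; i++) if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return -1
      return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    BEGIN {
      while ((getline line < routes) > 0) {
        split(line, f, " ")
        if (f[1] != "route:" || split(f[2], p, "/") != 2) continue
        net = ip2int(p[1])                     # whois output is untrusted: validate it
        if (net < 0 || p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32) continue
        size[++cnt] = 2 ^ (32 - p[2]); base[cnt] = int(net / size[cnt])
      }
      if (cnt == 0) { print "no valid routes loaded" > "/dev/stderr"; exit 2 }
    }
    {
      n = split($0, q, "\"")                   # q[n-1] is the quoted User-Agent field
      if (n < 2 || index(q[n - 1], ua) == 0) next
      ip = ip2int($1); if (ip < 0) next        # skip non-IPv4 clients
      inside = 0; for (k = 1; k <= cnt; k++) if (int(ip / size[k]) == base[k]) { inside = 1; break }
      if (!inside) print $1
    }'
}

# Demo on the constructed data: prints 203.0.113.7 and 198.51.100.200
tmp=$(mktemp) && sample_routes > "$tmp" && sample_log | find_spoofed "$tmp" ExampleBot; rm -f "$tmp"
```

Exiting with status 2 on an empty route list keeps a failed or rate-limited whois lookup from turning every crawler hit into a false positive.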



Comments

Stéphan Monday, May 12, 2014 at 14:09

Is this using jwhois?

With jwhois-4.0-19.el6.x86_64.rpm I get:

# whois -h whois.radb.net — ‘-i origin AS32934’ | grep ‘route:’
whois: invalid option — ‘ ‘
whois: invalid option — ‘o’
whois: invalid option — ‘g’
whois: invalid option — ‘ ‘
whois: invalid option — ‘A’
whois: invalid option — ‘S’
whois: invalid option — ‘3’
whois: invalid option — ‘2’
whois: invalid option — ‘9’
whois: invalid option — ‘3’
whois: invalid option — ‘4’



    Mattias Geniar Monday, May 12, 2014 at 14:22

    jwhois works, but WordPress has screwed up the formatting. It’s a double dash in the middle;
    $ whois -h whois.radb.net -- '-i origin AS1234' | grep 'route:'

    I’ve updated the article with HTML codes to avoid that default formatting, should be more obvious now. ;-)



Stéphan Monday, May 12, 2014 at 14:26

Aha,

a double dash breaker :)

Makes perfect sense.
Thanks!

I also see what WP did
it converted — to —
which is not the same as –



Stéphan Monday, August 18, 2014 at 22:16

And again, it was wise to copy this little snippet into my own cheat sheet.
Just had an attack from one specific ISP.

Blocked it using the basics of this post and some extra Command Line Fu:

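ip=201.243.7.136
# Origin AS of the route object covering this address
as=$(whois -h whois.radb.net "$ip" | awk '$1 ~ /origin:/{print $2}')
# Every IPv4 route registered with that origin AS
ranges=$(whois -h whois.radb.net -- "-i origin $as" | awk '$1 ~ /route:/{print $2}')
# Insert one DROP rule per range, then persist the ruleset
for range in $ranges; do iptables -I INPUT -s "$range" -j DROP; done
service iptables save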

No Más, Venezuela!



venkyhack Tuesday, August 2, 2016 at 09:26

Hi Matt,

May I please know the format of the command? What was the -- used for and also why the -i was under the single quote? Thanks for your help



fj Friday, August 12, 2016 at 21:03

Script to block all of facebook:

#!/bin/bash

ACTION="DROP"
FACEBOOK_AS="AS32934"

# flush (clear) the tables and clear the counters
# (this removes every rule already present in the filter table)
iptables -F
iptables -Z
ip6tables -F
ip6tables -Z

for AS in ${FACEBOOK_AS}
do
  # IPv4 prefixes originated by the AS (RADB "!g" query)
  IPs=$(whois -h whois.radb.net \!g${AS} | grep /)
  for IP in ${IPs}
  do
    for TARGET in INPUT OUTPUT FORWARD
    do
      # -d matches on the destination address of the packet
      iptables -A "${TARGET}" -p all -d "${IP}" -j "${ACTION}"
    done
  done

  # IPv6 prefixes originated by the AS (RADB "!6" query)
  IPs=$(whois -h whois.radb.net \!6${AS} | grep /)
  for IP in ${IPs}
  do
    for TARGET in INPUT OUTPUT FORWARD
    do
      ip6tables -A "${TARGET}" -p all -d "${IP}" -j "${ACTION}"
    done
  done
done


