Introduction

A couple of services have been established for mapping IP addresses to BGP prefixes and ASNs:

  • Whois (TCP 43)
  • DNS (UDP 53)

Three modes are supported: origin, peer, and prefix. The data returned is basically the same, except that the peer mode also lists the BGP peers for the ASN.

The data to support these services are collected from the following sources:

Whois

The whois interface is used as follows:

Whois/Origin

 
$ whois -h asn.shadowserver.org origin 17.112.152.32
714 | 17.112.0.0/15 | APPLE-ENGINEERING | US | Apple Inc., US 

The output columns are as follows:

ASN | Prefix        | AS Name           | CN | ISP 

Whois/Peer

Using the peer mode is very similar:

$ whois -h asn.shadowserver.org peer 17.112.152.32
2603 3356 4826 | 714 | 17.112.0.0/15 | APPLE-ENGINEERING | US | Apple Inc., US 

The output columns are as follows:

Peer(s)   | ASN | Prefix        | AS Name           | CN | ISP 

A more verbose mode is also available:

$ whois -h asn.shadowserver.org peer 4.5.6.4 verbose
3356 | 4.0.0.0/9 | LEVEL3 | US | Level 3 Communications, Inc., US
2914   NTT-COMMUNICATIONS-2  NTT America, Inc., US                               
3257   GTT                   BACKBONE GTT, DE                                    
6453   AS6453                TATA COMMUNICATIONS (AMERICA) INC, US               
6830   LGI                   UPC formerly known as UPC Broadband Holding B.V., AT
13272  STARMAN,              EE                                                  
21320  GEANT_IAS_VRF,        EU

Whois/Prefix

 
$ whois -h asn.shadowserver.org prefix 8075
64.4.0.0/18                                                           
65.54.8.0/22                                                          
65.54.48.0/20                                                         
65.54.74.0/23                                                         
65.54.80.0/23                                                         
65.54.83.0/24                                                         
65.54.86.0/23                                                         
65.54.92.0/23                                                         
65.54.94.0/23                                                         
65.54.96.0/20                                                         
65.54.120.0/21                                                        
65.54.128.0/19        
<<CHOPPED>>

Whois Batch Mode

The Whois server also supports batch mode where a list of IP addresses can be handled. For example:

begin origin
4.5.4.3
17.112.152.32
208.77.188.166
end

Use netcat, telnet, or perl to send your list to the whois server:

$ netcat asn.shadowserver.org 43 < /tmp/list
4.5.4.3 | 3356 | 4.0.0.0/9 | LEVEL3 | US | Level 3 Communications, Inc., US
17.112.152.32 | 714 | 17.112.0.0/15 | APPLE-ENGINEERING | US | Apple Inc., US
208.77.188.166 | 40528 | 208.77.188.0/22 | ICANN-LAX | US | ICANN, US

There is no limit on our end to the number of IPs you can submit through the bulk API. The limit is with the version of netcat you use and the amount of memory you have.

DNS

The format for a DNS based origin lookup is:

$ dig +short 32.152.112.17.origin.asn.shadowserver.org TXT
"714 | 17.112.0.0/15 | APPLE-ENGINEERING | US | Apple Inc., US" 

And the format for a 'peer' lookup is:

$ dig +short 32.152.112.17.peer.asn.shadowserver.org TXT
"2603 3356 4826 | 714 | 17.112.0.0/15 | APPLE-ENGINEERING | US | Apple Inc., US"
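The batch request format and the reversed-octet DNS query name described above, as an added Python example (not Shadowserver's code and not one of the third-party libraries). The function names are hypothetical, and it assumes the server closes the connection after the batch and that reply lines in any other shape can be skipped.

```python
import ipaddress
import socket

SERVER = "asn.shadowserver.org"  # host name taken from the page
FIELDS = ("ip", "asn", "prefix", "as_name", "cn", "isp")

def build_batch(ips):
    """Batch body: 'begin origin', one IPv4 address per line, 'end'."""
    # IPv4Address() rejects anything that is not a bare address, so stray
    # text or embedded newlines from a log file never reach the request.
    clean = [str(ipaddress.IPv4Address(ip.strip())) for ip in ips]
    return "\n".join(["begin origin", *clean, "end"]) + "\n"

def parse_origin_line(line):
    """Parse 'IP | ASN | Prefix | AS Name | CN | ISP'; None if malformed."""
    parts = [p.strip() for p in line.split("|", len(FIELDS) - 1)]
    if len(parts) != len(FIELDS) or not parts[1].isdigit():
        return None  # assumption: lines in any other shape are skipped
    rec = dict(zip(FIELDS, parts))
    rec["asn"] = int(rec["asn"])
    try:
        # Sanity check: the queried IP must fall inside the returned prefix.
        if ipaddress.ip_address(rec["ip"]) not in ipaddress.ip_network(rec["prefix"]):
            return None
    except ValueError:
        return None
    return rec

def dns_name(ip, mode="origin"):
    """TXT query name: reversed octets, then <mode>.asn.shadowserver.org."""
    if mode not in ("origin", "peer"):
        raise ValueError("mode must be 'origin' or 'peer'")
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + f".{mode}.{SERVER}"

def query_batch(ips, timeout=10):
    """Send batch to TCP 43; assumes server closes after 'end' (needs network)."""
    with socket.create_connection((SERVER, 43), timeout=timeout) as s:
        s.sendall(build_batch(ips).encode("ascii"))
        data = b"".join(iter(lambda: s.recv(4096), b""))
    lines = data.decode("utf-8", "replace").splitlines()
    return [r for r in map(parse_origin_line, lines) if r]

# Reply lines copied from the page's batch example, used as offline input.
SAMPLE = [
    "4.5.4.3 | 3356 | 4.0.0.0/9 | LEVEL3 | US | Level 3 Communications, Inc., US",
    "208.77.188.166 | 40528 | 208.77.188.0/22 | ICANN-LAX | US | ICANN, US",
]
RECORDS = [parse_origin_line(line) for line in SAMPLE]
```

Only query_batch touches the network; the other functions can be used to prepare input for netcat or dig and to parse their output.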

Third-party libraries

Third-party libraries to query the IP-BGP service are available here:

Installation:

sudo pip install RashlyOutlaid

Usage (example project.clj file):

(defproject ipbgp-test "0.1.0-SNAPSHOT"
  :description "FIXME: write description"
  :url "http://example.com/FIXME"
  :license {:name "Eclipse Public License"
            :url "http://www.eclipse.org/legal/epl-v10.html"}
  :dependencies [[org.clojure/clojure "1.8.0"]
                 [ipbgp "0.3.0"]])