#1
12-09-2009, 09:43 AM
OneOfOne (Trevor)
Resolving an IP address with no reverse DNS lookup

I regularly check on the IP addresses of visitors to my site and then use a reverse DNS tool to resolve the name of the site that visited. I am surprised at the number of bots and other visitors (China and Eastern Europe) that regularly visit me; I expect they are searching for email addresses... tough guys, I have never had any on the site.

I also get a lot that return "no reverse lookup". Is there some way of getting some idea of who they are? Can you type the IP address in the address bar of the browser and have it take you there? e.g. "192.168.43.56" or http://192.168.43.56 or some other syntax?

Thanks
#2
12-09-2009, 10:36 AM
dpastern (Dave Pastern)
Not really, it could be a faked IP address for starters. Even MAC addresses can be faked if you know how. Not worth the effort. You could do a WHOIS on the IP address to see who it belongs to (ISP wise), and a traceroute, but it's really not worth the effort imho.

Dave
#3
12-09-2009, 03:48 PM
supernova1965 (Warren)
You might try to ping their IP address in CMD or the DOS prompt, depending on what you use, to find out if it is real, and if it is you can type the IP address into the address bar. You can also find IP addresses from a webpage name using ping in the same way. The CMD for ping, for example, is:
ping 192.168.43.56
#4
12-09-2009, 04:58 PM
dpastern (Dave Pastern)
ping isn't worth much - if ICMP echo replies are turned off (not uncommon)...

Dave
#5
12-09-2009, 08:56 PM
multiweb (Marc)
Quote:
Originally Posted by OneOfOne
That looks like an internal IP, like a router or gateway. You know, usually in the ranges 192.168.x.x or 10.x.x.x depending. Maybe from your network.
#6
12-09-2009, 09:03 PM
dpastern (Dave Pastern)
http://en.wikipedia.org/wiki/Classful_network

It's a class C network address, internal, yes. Scroll down to special classes on the link above.

I doubt very much that the OP would have a router/gateway with that sort of IP addressing, would be very unusual.

As I said earlier, I'd put money on it being a fake IP address. Many crackers employ that sort of technique.

Dave
#7
12-09-2009, 11:21 PM
mithrandir (Andrew)
Quote:
Originally Posted by OneOfOne
I regularly check on the IP addresses of visitors to my site and then use a reverse DNS tool to resolve the name of the site that visited. I am surprised at the number of bots and other visitors (China and Eastern Europe) that regularly visit me; I expect they are searching for email addresses... tough guys, I have never had any on the site.
My policy is anyone whose access attempt gets a 404, 405, 406, 413 or 414 response code from Apache, or any SSH failure, gets the allocation it came from - not just the IP - added to the firewall. There are some countries whose entire allocations are in the firewall.

I do have a CGI that generates fake but valid appearing email addresses for anyone stupid enough (which includes most bots) to follow that link.

Quote:
Originally Posted by OneOfOne
I also get a lot that return "no reverse lookup". Is there some way of getting some idea of who they are? Can you type the IP address in the address bar of the browser and have it take you there? e.g. "192.168.43.56" or http://192.168.43.56 or some other syntax?
I presume you used that address for illustration. 192.168.0.0/16 cannot have originated further away from you than your ISP. If it came from anywhere else it would have been dropped. 10.0.0.0/8, 172.12.0.0/12 and 192.168.0.0/16 are prohibited outside private networks.

"whois" is the tool of choice as suggested earlier. There are web sites that will run it for you if you don't have a "whois" on your system. Depending on the delegation, you might get some useful information, but you might not.

The other one to try is "traceroute" (or "tracert" for the M$ inclined). The list of routers in the output may help you cut down the possibilities.
#8
12-09-2009, 11:43 PM
dpastern (Dave Pastern)
I'm not a networking guy (hate it, to be honest), but my understanding is that according to RFCs, 192.168.x.x was reserved for private IP only, no public addressing. There's no way an ISP would make a private IP range available publicly. I suck @ netmasks, so all I can remember is /24 being a standard 256 range. I don't think I've ever seen a /16 or /8 before, but then, I'm not the network guy @ work, that's Tony's role (or the boss's). They frig with the routers etc. I do the web hosting and hosted Exchange and complex DNS.

Dave

edit: for those curious on netmasks etc:

http://krow.net/dict/subnet.html

Quote:
Originally Posted by mithrandir
I presume you used that address for illustration. 192.168.0.0/16 cannot have originated further away from you than your ISP. If it came from anywhere else it would have been dropped. 10.0.0.0/8, 172.12.0.0/12 and 192.168.0.0/16 are prohibited outside private networks.

"whois" is the tool of choice as suggested earlier. There are web sites that will run it for you if you don't have a "whois" on your system. Depending on the delegation, you might get some useful information, but you might not.

The other one to try is "traceroute" (or "tracert" for the M$ inclined). The list of routers in the output may help you cut down the possibilities.
#9
13-09-2009, 12:11 AM
mithrandir (Andrew)
Quote:
Originally Posted by dpastern
I'm not a networking guy (hate it, to be honest), but my understanding is that according to RFCs, 192.168.x.x was reserved for private IP only, no public addressing. There's no way an ISP would make a private IP range available publicly.
The ISP won't advertise it into BGP, but it might be visible to customers. It's not good style, but looking at it from their perspective, they could be using private addresses for internal use only servers to save on public addresses that they have to pay for.
#10
13-09-2009, 01:41 AM
citivolus (Ric)
You can query the IP registries via whois, those registries being RIPE, APNIC, ARIN, etc, to find out who is delegated the address space. That is about as close as you will get if they have no reverse entry.

These are relatively expensive lookups, so I wouldn't by policy do a whois on every IP that hits your system.

Regards,
Eric
#11
13-09-2009, 10:51 AM
dpastern (Dave Pastern)
Quote:
Originally Posted by mithrandir
The ISP won't advertise it into BGP, but it might be visible to customers. It's not good style, but looking at it from their perspective, they could be using private addresses for internal use only servers to save on public addresses that they have to pay for.
None of our PIP infrastructure is visible to anyone else on our network. I'd have to telnet into our core router (Redback) and go into the particular context for pings etc. to work. Or, set a modem up on the test line with the right IP addressing and subnet etc. etc. I really suck @ networking lol. Boss lent me an O'Reilly book on networking and Ciscos a year ago and I still haven't read it. Just puts me to sleep...

Dave
#12
13-09-2009, 11:12 AM
OneOfOne (Trevor)
Sorry, the address I used was for illustration only. I had already closed my site stats window when I thought of asking you guys for some ideas. I checked the stats this morning and had 4 visits on Saturday with no lookup:

65.19.129.18
221.12.147.80
124.150.105.239
74.222.4.74

I use WebYield.net for my lookup, I tried DomainTools the other day and I got less resolved addresses than with WebYield.

I also had one from a site with a .ru extension and one .mx, neither of which are probably more than someone looking for email addresses.
#13
13-09-2009, 01:27 PM
Starkler (Geoff)
Quote:
Originally Posted by OneOfOne
I checked the stats this morning and had 4 visits on Saturday with no lookup:

65.19.129.18
The DShield site gives:

OrgName: Hurricane Electric, Inc.
OrgID: HURC
Address: 760 Mission Court
City: Fremont
StateProv: CA
PostalCode: 94539
Country: US

http://www.dshield.org/indexd.html
#14
13-09-2009, 03:34 PM
snowyskiesau
Quote:
Originally Posted by OneOfOne
Sorry, the address I used was for illustration only. I had already closed my site stats window when I thought of asking you guys for some ideas. I checked the stats this morning and had 4 visits on Saturday with no lookup:

65.19.129.18
221.12.147.80
124.150.105.239
74.222.4.74

I use WebYield.net for my lookup, I tried DomainTools the other day and I got less resolved addresses than with WebYield.
I was able to resolve all of these IPs using 'dig' (I'm a Linux user). A 'whois' gives varying levels of information for the domains in question. The least information was provided on the last IP address, 74.222.4.74.
To do the whois lookup, I changed the last digit to 0.
#15
13-09-2009, 04:35 PM
dpastern (Dave Pastern)
nslookup will do similar to dig, although it's deprecated in favour of dig by all accounts. The Optus looking glass might be of use:

http://looking-glass.optus.net.au/

Dave
#16
13-09-2009, 07:36 PM
mithrandir (Andrew)
Quote:
Originally Posted by OneOfOne

65.19.129.18
221.12.147.80
124.150.105.239
74.222.4.74
My personal opinions on some of those:

65.19.129.18 - is in 65.19.128.0/18 assigned to Hurricane Electric. Large parts of their network are blocked but this piece is not. Their abuse admin leaves a lot to be desired. This particular address is in a /28 reassigned to someone with an Italian management phone number.

221.12.147.80 - all of China is blocked. No correspondence will be entered into.

124.150.105.239 - is in 124.150.0.0/17 assigned to iiNet and appears to be reassigned to WestNet with an Adelaide management address. I have no record of problems from their network.

74.222.4.74 - is in 74.222.0.0/19 assigned to Vrtservers (California). I have no record of problems from their network.

Changing the last digit to get whois to work may be misleading. Addresses may be reassigned on smaller boundaries than that. For example, if you applied that to 65.19.129.18, giving 65.19.129.0, you would be looking up a different allocation, because the .18 block starts at .16.
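As an added example that is not code from this thread, the following Python script applies two points made above: the RFC 1918 check from post #7 and the block-boundary caveat from post #16. It parses constructed Apache combined-log lines (not real traffic), keeps only visitors whose request drew one of the probe status codes listed in post #7, drops private addresses, and groups the rest by the /28 containing them; the /28 size is an assumption standing in for the real allocation a whois lookup would return.

```python
import ipaddress
import re
from collections import defaultdict

# Apache status codes that post #7 above treats as probes worth firewalling.
PROBE_STATUSES = {404, 405, 406, 413, 414}

# Constructed sample lines in Apache combined-log format (not real traffic).
SAMPLE_LOG = """\
65.19.129.18 - - [12/Sep/2009:09:43:01 +1000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
65.19.129.18 - - [12/Sep/2009:09:43:02 +1000] "GET /admin.php HTTP/1.1" 404 213 "-" "Mozilla/5.0"
221.12.147.80 - - [12/Sep/2009:09:50:10 +1000] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 213 "-" "-"
192.168.43.56 - - [12/Sep/2009:09:51:00 +1000] "GET /admin.php HTTP/1.1" 404 213 "-" "curl/7.19"
74.222.4.74 - - [12/Sep/2009:10:02:33 +1000] "POST /x HTTP/1.1" 413 0 "-" "-"
"""

# Client address and status code from a combined-log line; the rest is ignored.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) ')


def containing_block(ip: str, prefixlen: int) -> str:
    """CIDR block of the given size that contains ip, e.g. the /28 holding 65.19.129.18.

    Rounding the last octet to .0 by hand (as post #14 did) can land in a different
    block: 65.19.129.18/28 is 65.19.129.16/28, not 65.19.129.0/28.
    """
    return str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))


def probe_sources(log_text: str, prefixlen: int = 28) -> dict:
    """Map each offending block to the set of public IPs in it that drew a probe status."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or int(m["status"]) not in PROBE_STATUSES:
            continue
        addr = ipaddress.ip_address(m["ip"])
        # RFC 1918 and other non-routable space cannot have reached a public server
        # from the Internet, so it is a local host or a log artefact, not a block target.
        if addr.is_private:
            continue
        hits[containing_block(m["ip"], prefixlen)].add(m["ip"])
    return dict(hits)


if __name__ == "__main__":
    for block, ips in sorted(probe_sources(SAMPLE_LOG).items()):
        print(f"{block:20} {', '.join(sorted(ips))}")
```

The block is deliberately offline: the grouping it prints is a starting point for the whois and looking-glass lookups the thread describes, not a replacement for them.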
#17
14-09-2009, 08:01 AM
OneOfOne (Trevor)
Thanks for the information guys, I was expecting that most would be locations that were of a dubious nature. I have added the links to my favourites for alternate lookup.
#18
14-09-2009, 08:41 AM
mithrandir (Andrew)
Quote:
Originally Posted by dpastern
nslookup will do similar to dig, although it's deprecated in favour of dig by all accounts.
nslookup comes with Windows. To get "dig" you need to install the Windows port of ISC BIND.

Quote:
Originally Posted by dpastern
Optus looking glass might be of use:

http://looking-glass.optus.net.au/
Another useful one for finding other blocks owned by the same provider is http://bgp.potaroo.net/

Short bash script for looking-glass. Run as "scriptname ipaddress":

#!/bin/bash
# Open the Optus looking-glass BGP query for the address given as $1 in a new Firefox tab.
firefox -remote "openURL(http://looking-glass.optus.net.au/cgi-bin/nph-looking-glass.pl?query=bgp&addr=$1&BGP_Table=International&DIG_Table=ANY,new-tab)"

Windows cmd file version

@echo off
rem Open the Optus looking-glass BGP query for the address given as %1 in a new Firefox tab.
cd path-to-firefox
firefox -remote "openURL(http://looking-glass.optus.net.au/cgi-bin/nph-looking-glass.pl?query=bgp&addr=%1&BGP_Table=International&DIG_Table=ANY,new-tab)"

Applied to 65.19.129.18 gives you AS6939

Once you know the AS number, you can use this one to get the BGP path from Telstra to the target. Run as "scriptname asnumber"

#!/bin/bash
# Open the potaroo AS report (as seen from AS1221, Telstra) for the AS number given as $1.
firefox -remote "openURL(http://bgp.potaroo.net/cgi-bin/as-report?as=AS$1&view=1221,new-tab)"

or

@echo off
rem Open the potaroo AS report (as seen from AS1221, Telstra) for the AS number given as %1.
cd path-to-firefox
firefox -remote "openURL(http://bgp.potaroo.net/cgi-bin/as-report?as=AS%1&view=1221,new-tab)"

Applied to 6939 gives you a long list of adjacent networks and about 50 IP blocks advertised by Hurricane.
#19
14-09-2009, 01:45 PM
dpastern (Dave Pastern)
Good stuff Andrew.

Dave
#20
14-09-2009, 03:06 PM
snowyskiesau
There's a website that provides all sorts of IP-related information.

The home page as given above should show your own IP address, ISP and physical location. I'd be interested in how accurate it is for you. For me, it correctly gave my suburb.