Wazoo

Looking for WHOIS scripts

4 posts in this topic

Brought here from a PM. Some edits made.

Hi Wazoo

I hope you can help me.

We are currently experiencing a mass DDoS on <elided>.org (again). While other things are happening to mitigate it, I'm collecting IPs on the worst of the worst and generating abuse reports. This time I wish to report them. However, I'm finding the lack of abuse/support email addresses in the IP whois lookups frustrating. Our bots seem to be crawling out of the most obscure places. I'm trying not to abuse your resources, but invariably from time to time I turn to SpamCop. Example:

201.240.199.87 - Telefonica del Peru S.A.A. This gave me a runaround.

Eventually I resorted to http://www.spamcop.net/sc?track=201.240.199.87

However I'm losing pretty fast, I need to automate.

Currently I start with whois and end up miles away for some IPs, finding relevant responsible addresses I can only hope are correct. Websites do not help in many cases. I hate Flash! Google does not translate it :)

Do you know of a good program/resource I can use for an IP query in a script to get abuse addresses reliably? It would have to attempt various methods. Whois lookups against IP addresses are simply too unreliable to stop there.

Any help/advice you have would be greatly appreciated.

Thanks


SpamCop uses whois and abuse.net - I don't know offhand of anything that replicates that (and the addresses offered up by SC for that unired.net.pe example are from abuse.net), but abuse.net has a DNS service, so it should not be too hard (http://www.abuse.net/using.phtml). abuse.net has far from complete coverage.

As far as whois goes, SC does have some issues (falls down) from time to time, but I guess it is generally (say) 99.99% on the ball. Another resource for whois lookups is NirSoft, and I use ipnetinfo.exe, their nifty little Windows stand-alone - http://www.nirsoft.net/utils/ipnetinfo.html - which will handle anything from an IP address through to complete e-mail headers - but they have other utilities, including command-line ones, which are mentioned on that page. That might form the basis of some automated whois lookups, but there will be a problem with rate limiting, I am suspecting (without researching, just aware of the "no automated lookups" notices one sees sometimes).

Not a solution but a starting point maybe (not a lot of help when you're up to your neck in alligators but may help kick off some more highly productive input from more greatly clued members here).


Not sure what set-up you've got going. For example, DDoS protection doesn't come to mind seeing the mydyndns.org-provided DNS. From this side of the screen, not much seems to be happening, as the site seems to be non-reachable since I read your PM.

So ignoring that, I'll focus on your other question. Again, shooting in the dark as to what tools/access you've got available, I'll start by suggesting a jump to PHP Whois Scripts to get something started. As compared to the general description of the purpose of some of these scripts, you've already noted that a 'simple' script isn't going to be without issue with the goal of finding the absolute correct contact point.

As in the example noted, just doing the WHOIS was the starting point; then a few more branches of code were fed with the initial results to dig further. Complicated further still by the unknown of whether the contact decided upon actually has any direct connection to the issue, or whether the folks needed to be further contacted to investigate/handle the issue at that end. And even that's ignoring the probable language and attitude issues.

I'm thinking that there's even more that could/should be involved, like providing the evidence of just what you're trying to complain about. For example, do you have access to the logs that could be tapped to provide the data from your end to substantiate/pinpoint the source of the problem/activity? I've had some amazing conversations with other folks about my apparent misunderstanding of logged failed name/password attempts as being caused by something other than hacking attempts.

Anyway, a shot of an answer, hopefully offering a starting point.


It isn't hard to run a WHOIS query from a script (a Unix shell script, for example); you can just "shell out" to the command line, run the command and then capture the output. The trick, however, is that you must figure out what the heck to do with the output, which tends to be different for every regional internet registry.

Things are made simpler by the fact that most RIRs use one of two database models: ARIN uses its own (others in this hemisphere may also, not sure), while the rest of the world uses the RIPE WHOIS model.

I have been slowly perfecting some Java code to parse these out; this is not impossible to do (if you know regular expressions, that is). However, I find enough inconsistency in the way in which the database fields are filled in to conclude that it would be difficult to automate the process 100%, that is, a human would eventually have to eyeball the info to decide what to do with it and which e-mail contacts were valid or appropriate.

And then, there's the case of national registries, which often roll their own WHOIS output, complete with foreign text (e.g., Japan and Korea).

-- rick

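As an added example (not code posted by anyone in this thread), here is a Python script that does what rick's reply describes and what the earlier reply points at: shell out to the system `whois` client, parse the two common output styles with regular expressions (ARIN's own fields versus the RIPE database format that the other RIRs use), and fall back to abuse.net's DNS contact service when the record carries no dedicated abuse field. It assumes a `whois` client and `dig` are on PATH, that abuse.net answers TXT queries for `<domain>.contacts.abuse.net` as its usage page describes (the record-format handling here is an assumption), and that the sample whois records are constructed on documentation address space, not real lookups. The `whois_fn`/`abuse_net_fn` parameters exist so the ranking logic can be exercised offline against those samples.

```python
"""Added example (not from this thread): abuse-contact lookup for an IP.

Assumptions: `whois` and `dig` are on PATH; abuse.net serves TXT records at
<domain>.contacts.abuse.net; the SAMPLE_* records below are constructed.
"""
import re
import shutil
import subprocess

# Dedicated abuse fields.  ARIN style: OrgAbuseEmail / RAbuseEmail.
# RIPE style (RIPE, APNIC, LACNIC, AfriNIC share the format): abuse-mailbox.
ARIN_ABUSE = re.compile(r"^(?:OrgAbuseEmail|RAbuseEmail):\s*(\S+@\S+)", re.M)
RIPE_ABUSE = re.compile(r"^abuse-mailbox:\s*(\S+@\S+)", re.M)
# Any e-mail address anywhere in the record (remarks, role objects, ...).
LOOSE_EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_whois_contacts(text):
    """Rank addresses in raw whois output: {"abuse": [...], "other": [...]}.

    "abuse" holds dedicated abuse fields plus any abuse*@ address found in
    free text; "other" holds the remaining contacts a human still has to
    judge.  Both lists are de-duplicated with record order kept.
    """
    abuse, other = [], []
    for pat in (ARIN_ABUSE, RIPE_ABUSE):
        for m in pat.finditer(text):
            addr = m.group(1).lower().rstrip(".,;")
            if addr not in abuse:
                abuse.append(addr)
    for addr in LOOSE_EMAIL.findall(text):
        addr = addr.lower()
        if addr in abuse or addr in other:
            continue
        if addr.split("@", 1)[0].startswith("abuse"):
            abuse.append(addr)  # e.g. "remarks: escalate to abuse-team@..."
        else:
            other.append(addr)
    return {"abuse": abuse, "other": other}


def whois_lookup(ip, server="", timeout=20):
    """Network call (not run offline): shell out to the system whois client.
    Registries throttle bulk queries, so rate-limit anything that loops."""
    if shutil.which("whois") is None:
        raise RuntimeError("no whois client on PATH")
    cmd = ["whois"] + (["-h", server] if server else []) + [ip]
    return subprocess.run(cmd, capture_output=True, text=True,
                          timeout=timeout).stdout


def abuse_net_query_name(domain):
    """DNS name abuse.net publishes contacts under (assumed layout)."""
    return domain.strip().strip(".").lower() + ".contacts.abuse.net"


def parse_abuse_net_txt(dig_output):
    """Pull addresses out of `dig +short TXT` output (quoted strings)."""
    found = []
    for addr in LOOSE_EMAIL.findall(dig_output):
        if addr.lower() not in found:
            found.append(addr.lower())
    return found


def abuse_net_lookup(domain, timeout=10):
    """Network call (not run offline): TXT query against abuse.net."""
    out = subprocess.run(["dig", "+short", "TXT", abuse_net_query_name(domain)],
                         capture_output=True, text=True, timeout=timeout).stdout
    return parse_abuse_net_txt(out)


def find_abuse_contacts(ip, whois_fn=whois_lookup, abuse_net_fn=abuse_net_lookup):
    """whois first; with no abuse field, ask abuse.net about the domains of
    the other addresses seen; else return them flagged for a human to check.
    Returns (addresses, source)."""
    contacts = parse_whois_contacts(whois_fn(ip))
    if contacts["abuse"]:
        return contacts["abuse"], "whois"
    seen = []
    for addr in contacts["other"]:
        domain = addr.split("@", 1)[1]
        if domain in seen:
            continue
        seen.append(domain)
        hits = abuse_net_fn(domain)
        if hits:
            return hits, "abuse.net"
    return contacts["other"], "unverified"


# Constructed sample records on documentation address space (not real data).
SAMPLE_ARIN = """\
NetRange:       192.0.2.0 - 192.0.2.255
OrgName:        Example Net (constructed sample)
OrgAbuseHandle: ABUSE0-ARIN
OrgAbuseEmail:  abuse@example.net
OrgTechEmail:   noc@example.net
"""
SAMPLE_RIPE = """\
inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-NET
abuse-mailbox:  abuse@example.org
remarks:        constructed sample; escalate to abuse-team@example.org
role:           Example NOC
e-mail:         noc@example.org
"""
SAMPLE_NO_ABUSE = """\
inetnum:        198.51.100.0 - 198.51.100.255
netname:        EXAMPLE-OTHER
remarks:        constructed sample with no abuse field
e-mail:         hostmaster@example.com
"""
```

Run it against a live address with `find_abuse_contacts("203.0.113.9")` once `whois` and `dig` are installed; the "unverified" source tag is the point rick makes above: when neither whois nor abuse.net yields a dedicated abuse contact, the script hands the leftover addresses to a person rather than mailing them blindly.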
