Wednesday, May 4, 2016

Find IP Addresses for an AS Number

A question that comes up very often in the CCNA Facebook Group that I administer is how to block a website with an ACL. Naturally, a bunch of people will jump in with pinging the web server and then putting the returned IP address into the ACL, but for a major website this isn't going to work.  A major website is going to have multiple IP addresses serving up the content, and the IP address that gets returned when I resolve it now likely won't be the same IP address that gets returned when I resolve it hours or even days later.  So the more knowledgeable members of the group answer (correctly) that the original poster should be looking into a proper firewall or proxy server to handle this job.


But there is a potential way to get this accomplished, at least somewhat, with a simple ACL on a router. This is not a completely infallible method either, and I'll go into that more later, but it will get you closer than simply blocking a single IP address. First, you need the AS number that the website is served from.  For this, I'll use the whois command, which is available on most Linux, BSD, and Unix systems.  With whois, I'll query a host called whois.radb.net.  According to its owner, Merit (Michigan Education Research Information Triad), RADb is "a public registry of network routing information that assists with the transfer of data over the Internet."

Merit Network is a non-profit, member-owned association governed by Michigan's public universities.  It was founded in 1966 and today operates the longest-running research and education network in the United States.  Merit managed NSFNET, which you may recognize as the forerunner to the modern Internet.

First, we need an IP address of the web site.  For now, any IP address will do.  We can get this by simply pinging the web server and noting what is returned.  In this example, I'll use my own site, which is hosted on Blogger, a service of Google.  Since Google owns a large number of subnets, using this example will help demonstrate everything better.

alan@linux01:~> ping www.firewallninja.info
PING ghs.l.google.com (74.125.193.121) 56(84) bytes of data.
64 bytes from ig-in-f121.1e100.net (74.125.193.121): icmp_seq=1 ttl=48 time=34.5 ms
64 bytes from ig-in-f121.1e100.net (74.125.193.121): icmp_seq=2 ttl=48 time=30.3 ms

Next, we'll send a whois query to RADb.  

alan@linux01:~> whois -h whois.radb.net 74.125.193.121
route:      74.125.193.0/24
descr:      Google
origin:     AS15169
notify:     radb-contact@google.com
mnt-by:     MAINT-AS15169
changed:    radb-contact@google.com 20150728
source:     RADB

Note the third line of the response (origin:), which is the AS number for Google, who hosts the website.  We'll use this to send another query to RADb.  Note that we're sending !gAS followed by the AS number.  This is the format you'll use every time.

alan@linux01:~> whois -h whois.radb.net '!gAS15169'
A110312
66.249.64.0/20 66.249.80.0/20 74.125.57.240/29 216.239.44.0/24 216.239.45.0/24 23.251.128.0/23 23.251.128.0/24 23.251.129.0/24 23.251.130.0/23 23.251.130.0/24 23.251.131.0/24 23.251.132.0/23 23.251.132.0/24 23.251.133.0/24 23.251.134.0/23 23.251.134.0/24 23.251.135.0/24 23.251.136.0/23 23.251.136.0/24 23.251.137.0/24 23.251.138.0/23 23.251.138.0/24 23.251.139.0/24 23.251.140.0/23 23.251.140.0/24 23.251.141.0/24 23.251.142.0/23 23.251.142.0/24 23.251.143.0/24 23.251.144.0/23 23.251.144.0/24 23.251.145.0/24


Note that I've clipped off the response, which scrolled on and on because Google has associated a large number of their subnets with this AS.  Most ASes will not have so many subnets associated with them.  Google just happens to be very large.  Now you can take every subnet returned from this query and use them to construct your ACL.
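The three manual steps above (read the origin: line from the route object, collect the prefixes from the !gAS reply, turn each one into an ACL entry) are easy to script. The following Python is an added example, not part of the original post: it parses the two whois responses and emits Cisco extended ACL lines with wildcard masks. It also collapses the prefix list first, because the raw reply above contains overlapping entries (23.251.128.0/23 alongside 23.251.128.0/24 and 23.251.129.0/24) that would only bloat the ACL. The sample responses are constructed from the output shown in the post, and the reply framing it assumes (an `A<length>` header line, the data, then a `C` line) is what RADb's IRRd server sends for `!g` queries; check that against a live reply before relying on it.

```python
#!/usr/bin/env python3
"""Build a Cisco extended ACL from RADb whois output (example code for this post).

Assumed reply framing for a '!gAS<n>' query: an 'A<len>' line, one or more lines
of space-separated prefixes, then a 'C' line.  Only lines starting with a digit
are treated as data, so the control lines are skipped either way.
"""
import ipaddress
import subprocess
import sys
from typing import List

RADB_HOST = "whois.radb.net"

# Constructed sample: the route object returned for the IP in the post,
# trimmed to the attributes this script reads.
SAMPLE_ROUTE_OBJECT = """\
route:      74.125.193.0/24
descr:      Google
origin:     AS15169
source:     RADB
"""

# Constructed sample: a shortened '!gAS15169' reply.  The overlapping
# 23.251.128.0/23 and 23.251.128.0/24 entries are kept on purpose so the
# collapse step has something to do.  The 'A' length value is made up.
SAMPLE_GAS_RESPONSE = """\
A160
66.249.64.0/20 66.249.80.0/20 74.125.57.240/29 216.239.44.0/24 216.239.45.0/24 23.251.128.0/23 23.251.128.0/24 23.251.129.0/24
C
"""


def radb_query(query: str) -> str:
    """Run the same whois command the post uses.  Only needed for live lookups."""
    proc = subprocess.run(["whois", "-h", RADB_HOST, query],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def parse_origin(route_object: str) -> str:
    """Return the 'origin:' attribute (e.g. 'AS15169') from a RADb route object."""
    for line in route_object.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "origin":
            return value.strip()
    raise ValueError("no origin: attribute in route object")


def parse_prefixes(gas_response: str) -> List[ipaddress.IPv4Network]:
    """Extract every prefix from a '!gAS<n>' reply, ignoring the control lines."""
    prefixes = []
    for line in gas_response.splitlines():
        if not line or not line[0].isdigit():
            continue  # 'A<len>', 'C', 'D' (no data) and 'F' (error) are not data
        for token in line.split():
            prefixes.append(ipaddress.ip_network(token))
    return prefixes


def collapse(prefixes: List[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Drop prefixes already covered by a shorter one and merge adjacent pairs."""
    return list(ipaddress.collapse_addresses(prefixes))


def acl_lines(prefixes: List[ipaddress.IPv4Network], acl_number: int = 101) -> List[str]:
    """Emit 'deny ip any <net> <wildcard>' entries plus a closing permit.

    Cisco wildcard masks are the inverse of the subnet mask, which is exactly
    what ipaddress calls the hostmask (e.g. /20 -> 0.0.15.255).
    """
    lines = [f"access-list {acl_number} deny ip any {net.network_address} {net.hostmask}"
             for net in collapse(prefixes)]
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


def build_acl(route_object: str, gas_response: str) -> List[str]:
    """Tie the two parsed replies together; the origin is only used for a comment."""
    asn = parse_origin(route_object)
    return [f"! prefixes originated by {asn}"] + acl_lines(parse_prefixes(gas_response))


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Live mode: give it one IP address of the site, as in the post.
        route_obj = radb_query(sys.argv[1])
        gas_resp = radb_query("!g" + parse_origin(route_obj))
    else:
        route_obj, gas_resp = SAMPLE_ROUTE_OBJECT, SAMPLE_GAS_RESPONSE
    print("\n".join(build_acl(route_obj, gas_resp)))
```

Run with no arguments to see the ACL built from the embedded sample; with one IP address it performs the two live whois lookups exactly as the post does. Note that `!gAS<n>` only returns IPv4 route objects; IRRd's `!6as<n>` query does the same for route6 objects, which matters if the site is also reachable over IPv6.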

Now here are two catches.  For one, we can't say for sure that this is the only AS number that belongs to Google. I'm not aware of a way of finding every AS belonging to an entity, and searching online didn't turn up anything.  Second, this will block everything belonging to Google.  There is no definitive way of knowing which IP addresses are associated with www.google.com, which are associated with GMail, which are associated with YouTube, etc.  While Google is an extreme example, we may still be blocking too much, or we may still be blocking too little.  But with something like Facebook, where there is one site we're ultimately trying to deny access to, this will get us very close to what we're looking for.