Simultaneously search thousands of IPs in minutes and gain accurate WHOIS lookup results
Team Cymru is happy to provide various service options dedicated to mapping IP numbers to BGP prefixes and ASNs. Each of the services is based on the same BGP feeds from 50+ BGP peers and is updated at 4-hour intervals.
Whois (TCP 43)
DNS (UDP 53)
HTTPS (TCP 443)
Obtain the following information.
-
BGP Origin ASN
-
BGP Peer ASN
-
BGP Prefix
-
Prefix Country Code (assigned)
-
Prefix Registry (assigned)
-
Prefix Allocation date
-
ASN Country Code (assigned)
-
ASN Registry (assigned)
-
ASN Allocation date
-
ASN Description
IP to ASN Mapping is Not a GeoIP Service!
The country code, registry, and allocation date are all based on data obtained directly from the regional registries including: ARIN, RIPE, AFRINIC, APNIC, LACNIC. The information returned relating to these categories will only be as accurate as the data present in the RIR databases.
IMPORTANT NOTE: Country codes are likely to vary significantly from actual IP locations, and we must strongly advise that the IP to ASN mapping tool not be used as an IP geolocation (GeoIP) service.
The exact links for each of the datasets are as follows:
ftp.arin.net/pub/stats/arin/delegated-arin-extended-latest
ftp.ripe.net/ripe/stats/delegated-ripencc-latest
ftp.afrinic.net/pub/stats/afrinic/delegated-afrinic-latest
ftp.apnic.net/pub/stats/apnic/delegated-apnic-latest
ftp.lacnic.net/pub/stats/lacnic/delegated-lacnic-latest
The ASN descriptions are based on data obtained from cidr-report.
Looking for an IP geolocation service?
If you are looking for an IP geolocation service, please check out one of the following (note: links do not constitute an endorsement):
How is each service used?
WHOIS
The whois daemon acts like a standard whois server would, but with some added functionality. It accepts arguments on the command-line for single whois queries, and it also supports BULK IP submissions when combined with GNU’s netcat for those who wish to optimize their queries. When issuing requests for two or more IPs we strongly suggest you use netcat for BULK IP submissions, or DNS since there is less overhead. As a measure of speed, queries of approximately 10,000 IPs should return in less than a minute given a moderately sized Internet link.
WARNING:
IPs that are seen abusing the whois server with large numbers of individual queries instead of using the bulk netcat interface will be null routed. If at all possible you should consider using the DNS based query interface since it is much more efficient for individual queries. The netcat interface should be used for groups of IP lists at a time in one single TCP query.
There are presently two whois servers available:
-
whois.cymru.com (v4.whois.cymru.com)
-
peer.whois.cymru.com (v4-peer.whois.cymru.com)
The v4.whois.cymru.com server is primarily designed to map an IP address to a BGP Origin ASN and prefix.
The v4-peer.whois.cymru.com server is designed to map an IP address to the possible BGP peer ASNs that are one AS hop away from the BGP Origin ASN’s prefix. This can be useful at times when you’re looking for a quick view into who an IP’s upstreams might be. Note that this method of finding peers is FAR from perfect and not an exact science. When the Origin ASN is a Tier 1 any concept of ‘upstream’ tends to lose its meaning.
The syntax for whois and netcat whois IP queries is as follows:
Whois
Netcat
Action
begin
enable bulk input mode
(netcat only)
end
exit the whois/netcat client
(netcat only)
- p
prefix
include matching prefix
- q
noprefix
disable matching prefix (default)
- c
countrycode
include matching country code
- d
nocountrycode
disable country codes (default)
- n
asname
include asnames (default)
- o
noasname
disable asnames
- r
registry
display matching registry
- s
noregistry
disable registry display (default)
- a
allocdate
enable allocation date
- b
noallocdate
disable allocation date (default)
- t
truncate
truncate asnames (default)
- u
notruncate
do not truncate asnames
- v
verbose
enable all flags (-c -r -p -a -u -a)
- e
header
enable column headings (default)
- f
noheader
disable column headings
- w
asnumber
include asnumber column (default)
- x
noasnumber
disable asnumber column (will not work for IP mappings)
- h
help
this help message
To use the command-line arguments on a single IP query, be sure to enclose the request in quotes and to have a space before the first argument so that your whois client will not try to interpret the flags locally.
For example, to enable the verbose mode (all flags) one would use:
$ whois -h whois.cymru.com " -v 216.90.108.31 2005-12-25 13:23:01 GMT"
AS | IP | BGP Prefix | CC | Registry | Allocated | Info | AS Name
23028 | 216.90.108.31 | 216.90.108.0/24 | US | arin | 1998-09-25 | 2005-12-25 13:23:01 GMT | TEAM-CYMRU - Team Cymru Inc., US
You may also query for some basic AS information directly:
$ whois -h whois.cymru.com " -v AS23028"
AS | CC | Registry | Allocated | AS Name
23028 | US | arin | 2002-01-04 | TEAM-CYMRU - Team Cymru Inc., US
We recommend the use GNU’s version of netcat, not nc. (nc has been known to cause buffering problems with our server and will not always return the full output for larger IP lists). GNU netcat can be downloaded from https://sourceforge.net/projects/netcat/. This is the same as gnetcat in FreeBSD ports.
To issue bulk queries, follow these steps:
1. Create a file with a list of IPs or ASNs, one per line. Add the word begin at the top of the file and the word end at the bottom.
Example of list01:
begin
68.22.187.5
207.229.165.18
...
198.6.1.65
end
Remember: you can add comments and other flags per the table above if you’d like.
begin
verbose
68.22.187.5 2005-06-30 05:05:05 GMT
207.229.165.18 2005-06-30 05:05:05 GMT
...
198.6.1.65 2005-06-30 05:05:05 GMT
end
2. Run the list through GNU netcat (NOT the venerable nc).
$ netcat whois.cymru.com 43 < list01 | sort -n > list02
The file list02 will be sorted by origin AS, and should appear as:
Bulk mode; whois.cymru.com [2018-08-29 21:04:00 +0000]
701 | 198.6.1.65 | 198.6.0.0/16 | US | arin | 1992-11-10 | 2005-06-30 05:05:05 GMT | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business, US
6079 | 207.229.165.18 | 207.229.128.0/18 | US | arin | 1996-11-01 | 2005-06-30 05:05:05 GMT | RCN-AS - RCN, US
23028 | 68.22.187.5 | 68.22.187.0/24 | US | arin | 2002-03-15 | 2005-06-30 05:05:05 GMT | TEAM-CYMRU - Team Cymru Inc., US
3. The same can be done with a list of ASNs
Example of list02:
begin
verbose
as23028
end
And the output:
$ nc whois.cymru.com 43 < file
Bulk mode; whois.cymru.com [2020-06-10 13:55:43 +0000]
23028 | US | arin | 2002-01-04 | TEAM-CYMRU, US
4. Bulk queries can contain IPs AND ASNs, however the output may not be ideal:
Example of list03:
begin
verbose
8.8.0.0
as23028
end
Output:
$ nc whois.cymru.com 43 < file
Bulk mode; whois.cymru.com [2020-06-10 13:57:00 +0000]
3356 | 8.8.0.0 | 8.0.0.0/12 | US | arin | 1992-12-01 | LEVEL3, US
23028 | US | arin | 2002-01-04 | TEAM-CYMRU, US
Additional help can be obtained by issuing the help command:
$ whois -h whois.cymru.com help
For additional support or to report an issue, please contact support@cymru.com.
DNS
The DNS daemon is designed for rapid reverse lookups, much in the same way as RBL lookups are done. DNS has the added advantage of being cacheable and based on UDP so there is much less overhead. Similar to the whois TCP based daemon, there are three IPv4 zones available, and one for IPv6:
-
origin.asn.cymru.com
-
origin6.asn.cymru.com
-
peer.asn.cymru.com
-
asn.cymru.com
The origin.asn.cymru.com zone is used to map an IP address or prefix to a corresponding BGP Origin ASN.
The origin6.asn.cymru.com zone is used to map an IPv6 address or prefix to a corresponding BGP Origin ASN.
The peer.asn.cymru.com zone is used to map an IP address or prefix to the possible BGP peer ASNs that are one AS hop away from the BGP Origin ASN’s prefix.
The asn.cymru.com zone is used to determine the AS description of a given BGP ASN.
All DNS-based queries should be made by pre-pending the reversed octets of the IP address of interest to the appropriate zone listed above, demonstrated in the following examples:
$ dig +short 31.108.90.216.origin.asn.cymru.com TXT
"23028 | 216.90.108.0/24 | US | arin | 1998-09-25"
The same query could be expressed as:
$ dig +short 108.90.216.origin.asn.cymru.com TXT
"23028 | 216.90.108.0/24 | US | arin | 1998-09-25"
IPv6 queries are formed by reversing the nibbles of the address, and placing dots between each nibble, just like an IPv6 reverse DNS lookup, except against origin6.asn.cymru.com instead of ip6.arpa. Note that you must pad out all omitted zeroes in the IPv6 address, so this can get quite long! For example, to look up 2001:4860:b002::68, you would issue the following query:
$ dig +short 8.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.b.0.6.8.4.1.0.0.2.origin6.asn.cymru.com. TXT
"15169 | 2001:4860::/32 | US | arin | 2005-03-14"
You can considerably shorten your query if you assume that the long runs of zeroes are in the host portion of the address (as is often the case with IPv6 addresses:
$ dig +short 2.0.0.b.0.6.8.4.1.0.0.2.origin6.asn.cymru.com. TXT
"15169 | 2001:4860::/32 | US | arin | 2005-03-14"
To query for a given IP/prefix peer ASNs, one would use the peer.asn.cymru.com zone as follows:
$ dig +short 31.108.90.216.peer.asn.cymru.com TXT
"701 1239 3549 3561 7132 | 216.90.108.0/24 | US | arin | 1998-09-25"
When there are multiple Origin ASNs or Peer ASNs, they will all be included in the same TXT record such as in the example above.
Notice that the format is very similar to the data returned in the verbose whois based query. The major difference is that the AS Description information has been omitted. In order to return the ASN Description and additional info, one use:
$ dig +short AS23028.asn.cymru.com TXT
"23028 | US | arin | 2002-01-04 | TEAM-CYMRU - Team Cymru Inc., US"
If a given prefix does not exist in the table, the daemon will return a standard NXDOMAIN response (domain does not exist).
HTTPS
The HTTPS daemon acts as a web based proxy to the whois based service. You can reach the service directly by browsing to:
Simply click on one of the above links and follow the onscreen instructions on how translate IPs to their corresponding BGP ASNs.
References
The following is small sampling of the public projects and sites that have incorporated these tools:
-
How do I use the reputation feed?This is designed to be a near-real-time feed to allow subscribers to monitor for infected computers visiting their networks. Subscribers can utilize the IP Reputation Feed to identify compromised hosts as they access their networks, thus enabling them to monitor or block these infected hosts before they can cause any damage. Combine the other categories we include and you have the most complete list possible. Possible uses include: Banks checking for infected customers at sign-on Companies pro-actively monitoring for exfiltration of data via bots ISPs checking for infected customers and other abuse Vendors importing data for enterprise appliances
-
Where do you get the data?This information is gathered through a number of methods, including malware analysis, observation of botnet command and control (C&C) botnets that we have uniquely decoded, and monitoring of dark IP space (darknets).
-
What is the ‘REPUTATION_SCORE’ entry?As part of the XML file for this report, each IP has been assigned a “reputation” value derived from various methods. The key used to calculate this value is included in the feed. The intention is that clients determine what issues are most important to them and adapt their policy accordingly. At Team Cymru, we understand that no one can make that determination for you better than you. To facilitate that decision-making capability, we prefer to give you a reputation value to assist you. You may decide that some threats are important, and others are not. This value will help you along the way.