[rescue] IP blocks
Derrick D. Daugherty
derrick at blinky-lights.org
Mon Feb 18 21:43:55 CST 2002
It's rumored that around Mon, Feb 18, 2002 at 09:08:59PM -0500
Dave McGuire <mcguire at neurotica.com> wrote:
> On February 18, Eric Dittman wrote:
> > I've got a question that may be best asked here, since we've
> > got people with lots of net experience. I want to find all
> > the IP blocks for wanadoo.fr (and a couple of others, but
> > that's the top one on my list) so I can block them at my
> > firewall. What's the best way to find all the IP blocks
> > for a given domain?
>
> You can't do that...IP addresses are tied to organizations, as are
> domains. I haven't had to do this in years, so I'm very fuzzy, but I
> believe you'll have to query a route registry. Try digging around at
> www.radb.net, you might find something useful there.
Dave's on the right track. did a normal whois to see their ns to get
an idea of address space then used the ripe-radb-whois client to ask for
info, it's 193.252.0.0/18 and is a sprint block. if you mail
abuse@ both of those as per rfc2142 you should see some action. It'd be
a good idea to mail the hostmaster as well, and the nocc@ all of
them. a whack 18 is over 16k addresses...(193.252.0.0-192.252.63.255)
it shouldn't fall outside of those bounds or else the reverse dns
wouldn't be wanadookey.

$ whois3 -h whois.radb.net 193.252.19.10
route: 193.252.0.0/18
descr: France Telecom
descr: FTI
origin: AS3215
mnt-by: FT-BRX
changed: gestionip.ft at francetelecom.fr 20001018
source: RIPE

route: 193.252.19.0/24
descr: Proxy-registered route object for Sprint :-)
origin: AS3215
remarks: auto-generated route object
remarks: this next line gives the robot something to recognize
remarks: The quick brown fox jumped over the lazy dog.
remarks:
remarks: This route object is for a Sprint customer route
remarks: which is being exported under this origin AS.
remarks:
remarks: This route object was created because no existing
remarks: route object with the same origin was found, and
remarks: we really just wanted to help out those poor Sprint
remarks: folks who have an aversion to registering routes.
remarks:
remarks: We hope they have a sense of humor.
remarks:
remarks: Please contact WeLoveThoseCrazySprintFolks at Level3.net
remarks: if you have any questions regarding this object.
mnt-by: SPRINT-MNT
changed: WeLoveThoseCrazySprintFolks at Level3.net 20011126
source: LEVEL3

the netops i know at sprint aren't at their consoles right now...
but you can block that whole block (as3215) and that should
suffice...if you're getting others outside it'd be a trivial hack
to write something that watched the logs and added rules on the
fly. i have some perl code somewhere that does that if ya want
me to look in my backups for it...
if ya don't have a firewall just null route that block
HTH,
^D
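
Added example, not part of the original post and not the Perl code mentioned in it: a Python sketch that parses the route objects from whois output like the above, collapses them into the smallest set of prefixes to block, and reports log source addresses that fall outside those prefixes. It assumes route objects are separated by a blank line; the function names, the log lines and their SRC= field format are constructed for illustration.

```python
import ipaddress
import re

# Abridged from the whois output in the post above (two route objects).
WHOIS_TEXT = """\
route: 193.252.0.0/18
descr: France Telecom
origin: AS3215
source: RIPE

route: 193.252.19.0/24
descr: Proxy-registered route object for Sprint :-)
origin: AS3215
source: LEVEL3
"""

# Constructed log lines; the SRC= field format is an assumption.
LOG_LINES = [
    "Feb 18 21:01:02 fw kernel: DROP SRC=193.252.19.10 DST=192.0.2.5 DPT=25",
    "Feb 18 21:01:09 fw kernel: DROP SRC=193.252.63.255 DST=192.0.2.5 DPT=25",
    "Feb 18 21:02:11 fw kernel: DROP SRC=193.252.64.1 DST=192.0.2.5 DPT=25",
    "Feb 18 21:02:30 fw kernel: DROP SRC=not-an-ip DST=192.0.2.5 DPT=25",
]

def parse_routes(text, origin=None):
    """Return collapsed prefixes of RPSL route objects, optionally for one origin AS."""
    nets = []
    for obj in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in obj.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                attrs.setdefault(key.strip(), value.strip())  # keep first value of repeated keys
        if "route" in attrs and origin in (None, attrs.get("origin")):
            nets.append(ipaddress.ip_network(attrs["route"]))
    # collapse_addresses folds the /24 into the /18 that already covers it
    return list(ipaddress.collapse_addresses(nets))

def classify_sources(lines, blocked):
    """Split logged source IPs into those inside the blocked prefixes and those outside."""
    covered, outside = set(), set()
    for raw in re.findall(r"\bSRC=(\S+)", "\n".join(lines)):
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue  # malformed address field: skip it rather than crash
        (covered if any(ip in net for net in blocked) else outside).add(str(ip))
    return sorted(covered), sorted(outside)
```

Addresses returned in the second list are the ones worth another whois lookup before adding any rule for them.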