Whois at the CLI: get all IP ranges from an AS number

Just a note to my future self, in case I ever need it again. All you need is the AS number.

$ whois -h whois.radb.net -- '-i origin AS1234' | grep 'route:'
route:          1.2.3.0/24
...

For instance, to list all of Facebook's IP ranges in use:

$ whois -h whois.radb.net -- '-i origin AS32934' | grep 'route:'
route:      204.15.20.0/22
route:      69.63.176.0/20
...

Or all their IPv6 ranges.

$ whois -h whois.radb.net -- '-i origin AS32934' | grep 'route6:'
route6:     2620:0:1c00::/40
route6:     2a03:2880::/32
...

Very useful if you want to write scripts that use these IP ranges as filters. Think of scripts to quickly ban all Facebook traffic (you know, in case the Facebook content scrapers are performing a DoS on your site, for instance), or to check Google IP ranges against the User-Agent in your logs.
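As an added example (not part of the original post), here is one way to turn that whois output into a filter without trusting it blindly: it validates each IPv4 `route:` value, drops duplicates and overly broad prefixes, and emits an `ipset restore` script. The set name `as_block4`, the /8 minimum prefix length, the use of ipset and the sample data (AS64500 and documentation prefixes) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: RADB route objects -> validated `ipset restore` input.

# Constructed sample of `whois -h whois.radb.net -- '-i origin AS64500'`
# output. AS64500 and the prefixes are documentation values, not real data.
sample_whois() {
cat <<'EOF'
route:          192.0.2.0/24
descr:          constructed example object
origin:         AS64500
route:          198.51.100.0/24
origin:         AS64500
route:          192.0.2.0/24
route:          0.0.0.0/0
route:          203.0.113.0/33
route6:         2001:db8::/32
EOF
}

# Print unique, syntactically valid IPv4 prefixes from whois output on stdin.
# Registry objects are third-party data: reject bad octets, bad lengths and
# prefixes shorter than min_len, so one bogus object cannot block everything.
valid_routes4() {
  min_len=${1:-8}
  awk -v min="$min_len" '
    $1 == "route:" {
      if ($2 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/) next
      split($2, p, "/"); split(p[1], o, ".")
      ok = (p[2] + 0 >= min + 0 && p[2] + 0 <= 32)
      for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) ok = 0
      if (ok && !seen[$2]++) print $2
    }'
}

# Emit an ipset restore script, so a single firewall rule matches the set
# instead of one iptables rule per range.
ipset_restore4() {
  set_name=${1:-as_block4}
  echo "create $set_name hash:net family inet"
  valid_routes4 | sed "s/^/add $set_name /"
}

# Live use (not run here; needs root, ipset and network access):
#   whois -h whois.radb.net -- '-i origin AS64500' | ipset_restore4 | ipset -exist restore
#   iptables -I INPUT -m set --match-set as_block4 src -j DROP
```

Running `sample_whois | ipset_restore4` shows the result offline; the `route6:` lines are ignored here and would need a second set with `family inet6`.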

Want to get in touch? Find me as @mattiasgeniar on Twitter or via the contact-page on my blog.

5 comments on “Whois at the CLI: get all IP ranges from an AS number”
  1. Stéphan says:

    Is this using jwhois?

    With jwhois-4.0-19.el6.x86_64.rpm I get:

    # whois -h whois.radb.net — ‘-i origin AS32934′ | grep ‘route:’
    whois: invalid option — ‘ ‘
    whois: invalid option — ‘o’
    whois: invalid option — ‘g’
    whois: invalid option — ‘ ‘
    whois: invalid option — ‘A’
    whois: invalid option — ‘S’
    whois: invalid option — ’3′
    whois: invalid option — ’2′
    whois: invalid option — ’9′
    whois: invalid option — ’3′
    whois: invalid option — ’4′

    • jwhois works, but WordPress has screwed up the formatting. It’s a double dash in the middle;
      $ whois -h whois.radb.net -- '-i origin AS1234' | grep 'route:'

      I’ve updated the article with HTML codes to avoid that default formatting, should be more obvious now. ;-)

  2. Stéphan says:

    Aha,

    a double dash breaker :)

    Makes perfect sense.
    Thanks!

    I also see what WP did
    it converted -- to —
    which is not the same as -

  3. Stéphan says:

    And again, it was wise to copy this little snippet into my own cheat sheet.
    Just had an attack from one specific ISP.

    Blocked it using the basics of this post and some extra Command Line Fu:

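    ip=201.243.7.136
    # Origin AS of the route object covering this IP (first match only)
    as=$(whois -h whois.radb.net "$ip" | awk '$1 ~ /origin:/{print $2; exit}')
    # All IPv4 route objects registered with that origin AS
    ranges=$(whois -h whois.radb.net -- "-i origin $as" | awk '$1 ~ /route:/{print $2}')
    # One DROP rule per range; $ranges is left unquoted on purpose so it splits
    for range in $ranges; do iptables -I INPUT -s "$range" -j DROP; done
    service iptables save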
    

    No Más, Venezuela!
