
Re: [LUG] IP to Location software


Simon Waters wrote:
> Richard Coupe wrote:
>> I was interested to see where all of my pet brute force login guys were 
>> from. Korea and Hong Kong, as it turns out (thanks James).
> 
> You can derive block owners from IP address using "whois". The whois
> data does need to be maintained, as the TLDs do change slowly.
> 
> I'd use "whois" data over geographical IP data for reporting abuse.

I suspect that much of the latter was generated from the former, at
least at the country level.  If you ignore 127/8, RFC1918 and multicast
address space, I wonder how many times you have to hit each of the major
registries to give a first approximation of country for any IP address?
I bet it's not a huge number.

And how often does it change once assigned?  Are there instances, say,
of a French ISP with a European presence buying a UK ISP and then using
the UK ISP's assignments in, say, Germany?  Perhaps these things were
discussed on NANOG.

> I did on one occasion find a lot of abusive Korean allocated IP address
> space was traffic tunnelled from Georgia, in the good old US of A.

<rhetorical question>Why do people call it the "good old" US of A, when
it is neither good nor old?  Must be an irony thing.  But then the yanks
don't do irony, do they? :)</rt>

> Although that would have been impossible to figure out, without someone
> on the ground in Korea sorting out the people who were assisting the
> spammers.

I'm not entirely surprised by that, I have to admit.  Sometimes I'm just
tempted to null-route anything assigned to APNIC.

James
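An added worked example of the "first approximation of country" idea above, written for this archive page and not taken from the thread or from the DCLUG list: each RIR publishes a delegated (or delegated-extended) statistics file whose lines are registry|cc|type|start|value|date|status, and that file is enough to answer "which registry and which country code was this block allocated to?" without any whois queries. The script below skips 127/8, RFC 1918 and multicast space (as James suggests), pulls source addresses out of sshd "Failed password" lines, and tallies them by registry country. The delegated lines and the auth.log excerpt embedded in it are constructed for the example and use documentation ranges only, so nothing here describes a real allocation.

```python
import bisect
import ipaddress
import re
from collections import Counter

# Address space ignored before any lookup: 127/8, RFC 1918 and multicast, as
# named in the thread, plus the IPv6 counterparts. Everything else is treated
# as routable for the purpose of this approximation.
IGNORED = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::1/128", "fc00::/7", "ff00::/8",
)]

# Constructed sample in the RIR delegated-extended statistics format
# (registry|cc|type|start|value|date|status[|opaque-id]). The allocations are
# fictitious and use documentation ranges; they describe no real network.
SAMPLE_DELEGATED = """\
2|apnic|20240101|3|19830101|20240101|+1000
apnic|*|ipv4|*|2|summary
apnic|KR|ipv4|203.0.113.0|256|20100101|allocated|A91234567
apnic|HK|ipv4|198.51.100.0|256|20100101|allocated|A97654321
apnic|AU|ipv6|2001:db8::|32|20100101|allocated|A91111111
"""

# Constructed sshd auth.log excerpt; addresses are from documentation ranges.
SAMPLE_AUTH_LOG = """\
Jan 10 03:14:01 host sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Jan 10 03:14:05 host sshd[2212]: Failed password for root from 198.51.100.7 port 40021 ssh2
Jan 10 03:14:09 host sshd[2213]: Failed password for invalid user test from 203.0.113.200 port 51238 ssh2
Jan 10 03:14:12 host sshd[2214]: Failed password for root from 10.0.0.5 port 33333 ssh2
Jan 10 03:14:15 host sshd[2215]: Failed password for root from 192.0.2.9 port 33334 ssh2
Jan 10 03:14:20 host sshd[2216]: Failed password for root from 2001:db8::1 port 33335 ssh2
Jan 10 03:14:25 host sshd[2217]: Accepted publickey for james from 198.51.100.7 port 40022 ssh2
"""

FAILED_LOGIN = re.compile(r"Failed password for .* from (\S+) port \d+")

def is_ignored(ip):
    """True for loopback, RFC 1918 and multicast space (and IPv6 equivalents)."""
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in IGNORED)

def parse_delegated(text):
    """Build a per-family, start-sorted table of (first, last, registry, cc)
    from delegated stats lines, skipping the version line and summary lines."""
    rows = {4: [], 6: []}
    for line in text.splitlines():
        fields = line.split("|")
        # the version line carries a date in field 2; summaries have only 6 fields
        if len(fields) < 7 or fields[2] not in ("ipv4", "ipv6"):
            continue
        registry, cc, family, start, value = fields[:5]
        first = ipaddress.ip_address(start)
        if family == "ipv4":
            count = int(value)                # ipv4: value is a host count
        else:
            count = 1 << (128 - int(value))   # ipv6: value is a prefix length
        rows[first.version].append((int(first), int(first) + count - 1, registry, cc))
    # keep a parallel list of block starts so lookups can bisect
    return {fam: (sorted(r), [row[0] for row in sorted(r)]) for fam, r in rows.items()}

def lookup(tables, ip):
    """Return (registry, cc) for the delegation covering ip, or None."""
    ip = ipaddress.ip_address(ip)
    rows, starts = tables[ip.version]
    i = bisect.bisect_right(starts, int(ip)) - 1
    if i >= 0 and rows[i][0] <= int(ip) <= rows[i][1]:
        return rows[i][2], rows[i][3]
    return None

def failed_login_sources(log_text):
    """Source addresses of sshd 'Failed password' lines, in log order."""
    return [m.group(1) for m in map(FAILED_LOGIN.search, log_text.splitlines()) if m]

def count_by_country(log_text, delegated_text):
    """Tally failed-login sources by registry country code, dropping
    non-routable space and flagging addresses that no delegation covers."""
    tables = parse_delegated(delegated_text)
    counts = Counter()
    for src in failed_login_sources(log_text):
        if is_ignored(src):
            continue
        hit = lookup(tables, src)
        counts["unknown" if hit is None else f"{hit[1]} ({hit[0]})"] += 1
    return counts

if __name__ == "__main__":
    for key, n in count_by_country(SAMPLE_AUTH_LOG, SAMPLE_DELEGATED).most_common():
        print(f"{n:4d}  {key}")
```

The caveat the thread itself supplies: the cc field is the country the registrant gave when the block was delegated, so a block re-used elsewhere by its owner, or traffic tunnelled out of somewhere else entirely as in the Korea/Georgia case, looks exactly the same here. For an abuse report, the whois contact for the block is still the thing to use; this table only tells you who to ask.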

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html