[ale] resolving ip addresses

Mel Burslan mel.burslan at s1.com
Wed Jun 27 08:42:07 EDT 2001



I think I understand what you are trying to accomplish. Correct me if I
am wrong, but you are trying to know who these IPs belong to (which
company/ISP) that you found suspicious in your firewall logs. Am I right?
If that is the case, more than likely nslookup will not work, because
more than likely these are dynamic IPs. In that case you can do a
traceroute to these IP addresses. It will not be unobtrusive if the IPs
are static and the person has a firewall like yourself. They will
notice an ICMP packet hitting their firewall, like a ping request, but
since it won't be a series of them that would raise a possible DDoS attack
alarm, it may be overlooked. Best is to do it from someplace like
Netzero (sorry, have to use Windows for it). If they happen to backtrace
the ICMP requester, all they will get is a Netzero border gateway router
address or a mile-long computer name which will correspond to a dial-up
user.

The output of the traceroute will most probably stop at the border
gateway router/firewall, if this is a company, or hit the actual IP
address, in which case you may need to backtrack a step or two to get a
meaningful name. If no hostnames have been displayed, you can check the
following URL to see if it is listed anywhere on this list or in any close
proximity:

http://www.employees.org:80/~tbates/cidr-report.html

(shave off the last octet from the IP address returned and do a find on
this very long page against the first 3 octets of the IP and see if there
is a match with a provider/company name. Some do, some don't)

Well, this is my method of dealing with them.

Regards

Mel


"I. Herman" wrote:
> 
> I use either nslookup or dig.  Both are part of the bind utilities (I think)
> 
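The attribution steps discussed in this thread (reverse lookup of the source IPs in the firewall log, then matching the leading octets against a prefix-to-provider list), as an added example that is not part of either post. The allocation table, provider names and log lines are constructed; the prefix match is generalised from "find the first three octets" to a longest-prefix match of any length.

```python
import ipaddress
import re
import socket

# Constructed prefix -> provider table standing in for the CIDR report /
# allocation list; ranges are RFC 5737 documentation space, names hypothetical.
ALLOCATIONS = {
    "192.0.2.0/24": "ExampleNet A",
    "198.51.100.0/24": "ExampleNet B",
    "203.0.113.0/24": "ExampleNet C customer block",
    "203.0.0.0/16": "ExampleNet C parent allocation",
}
# RFC 1918 space: a "source" here is internal or spoofed, not an ISP customer.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall log lines (netfilter-style), not from the original post.
FIREWALL_LOG = """\
Jun 27 08:40:01 fw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=10.0.0.5 PROTO=TCP DPT=22
Jun 27 08:40:03 fw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=10.0.0.5 PROTO=TCP DPT=445
Jun 27 08:40:09 fw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=10.0.0.5 PROTO=TCP DPT=23
Jun 27 08:41:00 fw kernel: DROP IN=eth0 SRC=192.168.1.20 DST=10.0.0.5 PROTO=UDP DPT=53
"""

# Most specific prefix first, so a /24 customer block wins over its /16 parent.
_NETS = sorted(((ipaddress.ip_network(c), who) for c, who in ALLOCATIONS.items()),
               key=lambda n: n[0].prefixlen, reverse=True)

def lookup_owner(ip):
    """Longest-prefix match; generalises 'find the first three octets'."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in PRIVATE):
        return "private (RFC 1918)"
    for net, who in _NETS:
        if addr in net:
            return who
    return "unknown"

def reverse_name(ip):
    """The nslookup/dig step; dynamic IPs often have no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def summarise(log_text):
    """Count hits per source IP and attribute each to a prefix owner."""
    counts = {}
    for m in re.finditer(r"SRC=(\d+\.\d+\.\d+\.\d+)", log_text):
        counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return {ip: (n, lookup_owner(ip)) for ip, n in counts.items()}
```

`summarise(FIREWALL_LOG)` needs no network access; `reverse_name` is the only function that does a DNS query.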
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.