
Intrusion Detection FAQ: Contacting Host Owners

By: Donald McLachlan and the GIAC community

The question is always who to contact when you receive unusual traffic from a host. Here are the methods GIAC analysts use.

Hubert Weikert suggests that the simplest way to query all the whois databases is to use a 'whois proxy' like http://www.geektools.com/cgi-bin/proxy.cgi

This program automatically finds the right registry or whois service based on the query.

Patrick Oonk suggests: You might like the whois from http://www.linux.it/~md/software/, which is very smart and knows where to look for what you are searching. Give it a try, I never leave home without it :)

Also, http://www.abuse.net/lookup.phtml is very handy to look up abuse contacts.

Unix users may want to try the following techniques:

One can use DNS to find a contact for an IP address. This is done by looking for the contact listed in the "Start Of Authority" (SOA) record for the IP number or name. Assuming you are starting with the IP number, use the command:
don> dig -x AAA.BB.CC.DDD soa
If you have an IP name, omit the "-x" and use the command:
dig host.name soa
Look for the "AUTHORITY RECORDS:" information that looks like this:
;; AUTHORITY RECORDS:
CC.BB.AAA.in-addr.arpa. 28800 SOA ns1.XXX.XX. root.XXXXXXXXX.XXXX.XXX.XX. (
   2000021700 ; serial
   3600 ; refresh (1 hour)
   900 ; retry (15 mins)
   604800 ; expire (7 days)
   28800 ) ; minimum (8 hours)
What you are looking for here is the field in the same position as root.XXXXXXXXX.XXXX.XXX.XX. above (the responsible-person mailbox in the SOA record). To contact the SOA contact for the DNS domain, change the first "dot" to an "at" and send your gripe-mail there. E.g.
mail root@XXXXXXXXX.XXXX.XXX.XX
If you don't have dig, but you do have nslookup, the following sequence of commands gives the same information:
nslookup
set type=soa
DDD.CC.BB.AAA.in-addr.arpa.
exit
Note:
  • this example assumes you are starting with an IP address. If you have a hostname, replace "DDD.CC.BB.AAA.in-addr.arpa." with "host.name".
  • the numbers in the address are reversed. If you want to look up 10.1.2.3 this way, the 3rd line would be 3.2.1.10.in-addr.arpa.
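As an added worked example (not part of the original FAQ), here are the steps above in Python: build the in-addr.arpa name that dig -x queries, pull the SOA record out of dig's output, and turn the responsible-person field into a mailbox. It goes a little beyond the FAQ in two ways: it handles an escaped dot in that field (a mailbox like john.doe is written john\.doe in the record), and it builds ip6.arpa names for IPv6 addresses. The dig output and the example.net contact are constructed for the example.

```python
import ipaddress

# Constructed sample of "dig -x 192.0.2.10 soa" output (RFC 5737 test address,
# example.net contact); not real output from any host mentioned in the FAQ.
SAMPLE_DIG_OUTPUT = """\
;; AUTHORITY RECORDS:
2.0.192.in-addr.arpa. 28800 SOA ns1.example.net. john\\.doe.example.net. (
   2000021700 ; serial
   3600 ; refresh (1 hour)
   900 ; retry (15 mins)
   604800 ; expire (7 days)
   28800 ) ; minimum (8 hours)
"""


def reverse_name(ip: str) -> str:
    """The name 'dig -x' actually queries: 10.1.2.3 -> 3.2.1.10.in-addr.arpa.
    IPv6 addresses become nibble-reversed names under ip6.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def rname_to_mailbox(rname: str) -> str:
    """Turn the SOA responsible-person field into an e-mail address: the first
    unescaped dot becomes '@' (RFC 1035); a dot written '\\.' stays in the name."""
    local, i = [], 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):
            local.append(rname[i + 1])   # escaped character, taken literally
            i += 2
        elif ch == ".":
            return "".join(local) + "@" + rname[i + 1:].rstrip(".")
        else:
            local.append(ch)
            i += 1
    raise ValueError(f"RNAME has no domain part: {rname!r}")


def contact_from_dig(output: str) -> str:
    """Find the SOA line in dig output and return the contact mailbox.
    Works for the old format shown in the FAQ and for modern dig output,
    which inserts an 'IN' class field before 'SOA'."""
    for line in output.splitlines():
        fields = line.split()
        if "SOA" in fields and len(fields) > fields.index("SOA") + 2:
            idx = fields.index("SOA")
            return rname_to_mailbox(fields[idx + 2])   # idx+1 is the primary NS
    raise ValueError("no SOA record found in dig output")
```

Feed it the saved output of a real dig -x run; it only parses text, so it does no network lookups of its own.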
-----

To use the registries, one can use a web browser but I find it faster and easier to use "whois". Unless I know where the host is registered I always start off at arin with the following command:
whois -h whois.arin.net 10.1.2.3
Now I'm your typically lazy Unix type so I have the following aliases defined to make life easier for myself:
alias arin "/usr/ucb/whois -h whois.arin.net"
alias ripe "/usr/ucb/whois -h whois.ripe.net"
alias apnic "/usr/ucb/whois -h whois.apnic.net"
alias jpnic "/usr/ucb/whois -h whois.nic.ad.jp"
alias aunic "/usr/ucb/whois -h whois.aunic.net"
alias milnic "/usr/ucb/whois -h whois.nic.mil"
alias govnic "/usr/ucb/whois -h whois.nic.gov"
alias krnic "/usr/ucb/whois -h whois.krnic.net"
So all I have to type is:
arin XX.X.X.X
Look for "Coordinator:" and there should be at least one way to contact them listed; often an e-mail address, a telephone number, and a fax number are given. Sometimes the address you are dealing with is not listed in ARIN, but ARIN will tell you where to get the info you need, e.g.
don> arin XXX.XX.XXX.XXX
European Regional Internet Registry/RIPE NCC (NETBLK-RIPE-C)
   These addresses have been further assigned to European users.
   Contact information can be found in the RIPE database, via the
   WHOIS and TELNET servers at whois.ripe.net, and at
   http://www.ripe.net/db/whois.html
[ snip ]
So now I try ripe, and get an e-mail address from there:
  don> ripe XXX.XX.XXX.XXX

  % Rights restricted by copyright.
  See http://www.ripe.net/ripencc/pub-services/db/copyright.html

  inetnum: XXX.XX.XXX.XXX - XXX.XX.XXX.XXX
  netname: XXXXXXXX
  descr: XXXXXXXX WWW server
  descr: Zagreb, Croatia
  country: HR
  admin-c: XXXXXX-RIPE
  tech-c: XXXXXX-RIPE
  status: ASSIGNED PA
  mnt-by: XXX-MNT
  changed: XXXXX.XXXXXXXXXXXX@XXX.hr 19981103
  source: RIPE

  route: XXX.XX.0.0/16
  descr: XXX-Internet
  origin: XXXXXX
  remarks: The same thing with objects in MCI database.
  mnt-by: XXX-MNT
  changed: XXXXX.XXXXXX@XXX.hr 19980826
  changed: XXXXX.XXXXX@XXX.hr 19991201
  source: RIPE

  person: XXXXXX XXXXXXXX
  address: XXXXXX XX
  address: 10000 Zagreb
  address: Croatia
------> phone: XXXX X XXXX XXX
------> fax-no: XXXX X XXXX XXX
------> e-mail: XXXXXXX@XXXXXXXX.hr

[ snip ]
-----

Actually, there is a third set of addresses I might try. These are a last resort, since it is possible that these mailboxes are monitored by the hacker who now owns the host:
root@ip.of.bad.hst or root@bad.host
postmaster@ip.of.bad.hst or postmaster@bad.host
webmaster@ip.of.bad.hst or webmaster@bad.host
abuse@ip.of.bad.hst or abuse@bad.host