By: Donald McLachlan and the GIAC community
The question is always who to contact when you receive unusual traffic from a host. Here are the methods GIAC analysts use.
Hubert Weikert suggest that the simplest way to query all the whois databases is to use a 'whois proxy' like http://www.geektools.com/cgi-bin/proxy.cgi
This program automaticaly finds the right registry or whois service based on the query.
Patrick Oonk suggests:You might like the whois from http://www.linux.it/~md/software/, which is very smart and knows where to look for what you are searching. Give it a try, I never leave home without it :)
Also, http://www.abuse.net/lookup.phtml is very handy to look up abuse contacts.
Unix users may want to try the following techniques:
One can use DNS to find a contact for an IP address. This is done by looking for the contact listed in the "Start Of Authority" for the IP number or name. Assuming you are starting with the IP number, use the command:
don> dig -x AAA.BB.CC.DDD soaIf you have an IP name, omit the "-x" and use the command:
dig host.name soaLook for the "AUTHORITY RECORDS:" information that looks like this:
;; AUTHORITY RECORDS:What you are looking for here is the info in the same location as root.XXXXXXXXX.XXXX.XXX.XX. above. To contact the SOA for the DNS domain, change the first "dot" to an "at", and send your gripe-mail there. E.g.
mail root@XXXXXXXXX.XXXX.XXX.XXIf you don't have dig, but you do have nslookup, the sequence of commands:
To use the registries, one can use a web browser but I find it faster and easier to use "whois". Unless I know where the host is registered I always start off at arin with the following command:
whois -h whois.arin.net 10.1.2.3Now I'm your typically lazy Unix type so I have the following aliases defined to make life easier for myself:
alias arin"/usr/ucb/whois -h whois.arin.net"So all I have to type is:
arin XX.X.X.XLook for "Coordinator:" and there should be at least one way to contact them listed, and often an e-mail address, a telephone number, and a fax number are given. Sometimes the address you are dealing with is not listed in ARIN, but ARIN will tell you where to get the info you need, e.g
don> arin XXX.XX.XXX.XXX European Regional Internet Registry/RIPE NCC (NETBLK-RIPE-C)So now I try ripe, and get an e-mail address from there:
don> ripe XXX.XX.XXX.XXX-----
Actually there is a third set of addresses I might try. These are a last resort since it is possible that these addresses be monitored by a hacker that that owns the host:
firstname.lastname@example.org or email@example.com