Defending against cyberattacks is one of the most challenging topics in a digital world. Proactive activities regarding protection and security concepts are essential in cybersecurity, and one of their goals is cyber resilience. Another essential piece is data analysis. Administering servers requires log file analysis every now and then, and one important data point is the IP address, which identifies possible attackers. This data point can be enriched with additional information from the whois database, e.g. subnets, autonomous system numbers, company names or geolocation data. The enriched data set can then be aggregated to extract more information and to support tactical or strategic defense decisions.
Running a real-world server you can observe log files becoming arbitrarily large; especially during heavy cyberattacks the number of lines can exceed any expectation very easily. The main tool for IP database queries is whois, which by default sends network requests to the whois database servers of one of the regional Internet registries (RIR). This might lead to rate limit exhaustion, depending on what the RIR has configured, and even without a rate limit it is a dependency on external resources, which is not something you want inside a security concept.
External dependencies and rate limits can be avoided by running a local whois server. This consists of two pieces: software and data. Assembling a solution from scratch by developing the software and collecting huge data sets might be one approach, but it can be done in a more feasible way.
IPinfo provides the IPinfo Lite database, a subset of whois data, as a CC-licensed download in several data formats (e.g. MMDB, CSV, JSON). From the Frequently Asked Questions:
IPinfo Lite is released under the Creative Commons Attribution-ShareAlike 4.0 International License, which allows you to freely use and incorporate the data into commercial and non-commercial applications.
A simple Python script is provided by the community: Create a WHOIS server from scratch. The script server.py can be improved; a few minor details are added below: the route in CIDR notation, no eternal wait state on missing IP ranges, and a dbstatus line which indicates the presence or absence of the IP range in the database. You can check all of this at once by choosing e.g. 127.0.0.1 as the query.
```python
import argparse
import asyncio
import ipaddress

import maxminddb

SEPARATOR = b"\r\n"


class Handler:
    def __init__(self, database):
        self.reader = maxminddb.open_database(database)

    async def handle(self, reader, writer):
        data = await reader.readuntil(SEPARATOR)
        # Convert bytes to UTF-8 and look up the address in the MMDB.
        ip = data.split(SEPARATOR)[0].decode()
        try:
            info, prefix = self.reader.get_with_prefix_len(ip)
        except ValueError:
            # Not a valid IP address: answer instead of leaving the client waiting.
            writer.write(b"dbstatus: error - invalid query" + SEPARATOR)
        else:
            # Route in CIDR notation, derived from the matched prefix length.
            bgp = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            writer.write(f"route: {bgp}".encode() + SEPARATOR)
            # Output one key/value pair per line, then the database status.
            if info:
                for k, v in info.items():
                    writer.write(f"{k}: {v}".encode() + SEPARATOR)
                writer.write(b"dbstatus: ok - data found" + SEPARATOR)
            else:
                writer.write(b"dbstatus: warning - no data available" + SEPARATOR)
        await writer.drain()
        # Close the connection so the client sees EOF.
        writer.close()
        await writer.wait_closed()


async def main():
    parser = argparse.ArgumentParser()
    parser.add_argument("database")
    parser.add_argument("--host", default="localhost")
    parser.add_argument("--port", default=43, type=int)
    args = parser.parse_args()
    handler = Handler(args.database)
    server = await asyncio.start_server(handler.handle, args.host, args.port)
    await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```
On the shell, prepare a folder with a Python environment for your local whois server, download the IPinfo Lite MMDB database, and start the server:
```bash
mkdir whois
cd whois
python3 -m venv .venv
source .venv/bin/activate
pip install maxminddb
editor server.py   # script above
python3 server.py --port 8043 ipinfo_lite.mmdb
```
Now the queries might look like:
```console
$ whois -h localhost -p 8043 -- 127.0.0.1
route: 127.0.0.0/8
dbstatus: warning - no data available
$
$ whois -h localhost -p 8043 -- 8.8.8.8
route: 8.8.8.0/24
as_domain: google.com
as_name: Google LLC
asn: AS15169
continent: North America
continent_code: NA
country: United States
country_code: US
dbstatus: ok - data found
```
WP: Information security
WP: Computer security
WP: Network security
WP: Cyberattack
WP: Cyber resilience
WP: Data analysis
WP: Subnet
WP: Autonomous system (Internet)
WP: Tactic (method)
WP: Strategy
WP: Regional Internet registry