Finding all IP ranges belonging to a specific ISP
whois [IP address] (or whois -a [IP Address]) will usually give you a CIDR mask or an address range that belongs to the company/provider in question, but parsing the results is left as an exercise for the reader (there are at least 2 common whois output formats).
Note that such wholesale blocking can also potentially knock out legitimate users. Before taking this approach you should contact the abuse desk at the ISP in question (usually listed in the whois
information for their netblock or DNS domain, otherwise abuse@ is a good place to start) to see if the situation can be resolved diplomatically rather than technically.
Also note that there are some pre-made solutions to limit requests per second by IP - check out mod-qos or your system's firewall/traffic shaping capabilities.
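As an added illustration of the parsing step the answer above leaves to the reader (this is example code, not part of the original answer), the following Python script pulls address blocks out of the two common whois output styles: the ARIN style (a "NetRange:" first-last pair plus one or more comma-separated "CIDR:" prefixes) and the RIPE/APNIC style ("inetnum:" first-last pairs, "inet6num:" prefixes and "route:"/"route6:" objects). Ranges that are not CIDR-aligned are split into the minimal set of prefixes with ipaddress.summarize_address_range, and overlapping prefixes are merged so the result is ready for a firewall rule or a membership check. The two whois excerpts are constructed samples using documentation address space, not real registry records.

```python
import ipaddress
import re
from typing import List, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Lines whose value is already a prefix: ARIN "CIDR:" (may list several,
# comma-separated), RIPE/APNIC "route:"/"route6:" and "inet6num:" (always a prefix).
CIDR_RE = re.compile(r"^(?:CIDR|route6?|inet6num):\s*(.+?)\s*$",
                     re.IGNORECASE | re.MULTILINE)
# Lines whose value is a "first - last" range: ARIN "NetRange:", RIPE "inetnum:".
RANGE_RE = re.compile(r"^(?:NetRange|inetnum):\s*(\S+)\s*-\s*(\S+)\s*$",
                      re.IGNORECASE | re.MULTILINE)

# Constructed sample in the ARIN output style (documentation addresses only).
ARIN_SAMPLE = """\
NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/25, 192.0.2.128/25
NetName:        TEST-NET-1
"""

# Constructed sample in the RIPE output style; the second inetnum is deliberately
# not aligned to a CIDR boundary so the range-splitting path is exercised.
RIPE_SAMPLE = """\
inetnum:        198.51.100.0 - 198.51.100.127
netname:        TEST-NET-2
route:          198.51.100.0/24
inetnum:        203.0.113.8 - 203.0.113.23
inet6num:       2001:db8::/32
"""


def extract_networks(whois_text: str) -> List[IPNetwork]:
    """Return the collapsed list of networks mentioned in a whois response."""
    nets: List[IPNetwork] = []
    for m in CIDR_RE.finditer(whois_text):
        for token in m.group(1).split(","):
            token = token.strip()
            if token:
                # strict=False tolerates host bits set in a sloppy record
                nets.append(ipaddress.ip_network(token, strict=False))
    for m in RANGE_RE.finditer(whois_text):
        first = ipaddress.ip_address(m.group(1))
        last = ipaddress.ip_address(m.group(2))
        # Minimal set of prefixes covering first..last inclusive
        nets.extend(ipaddress.summarize_address_range(first, last))
    # collapse_addresses refuses to mix address families, so merge per version
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def ip_in_networks(ip: str, nets: List[IPNetwork]) -> bool:
    """True if the address falls inside any of the extracted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    for label, sample in (("ARIN", ARIN_SAMPLE), ("RIPE", RIPE_SAMPLE)):
        nets = extract_networks(sample)
        print(label, [str(n) for n in nets])
    print("203.0.113.20 covered:", ip_in_networks("203.0.113.20", extract_networks(RIPE_SAMPLE)))
```

In practice you would feed the script the raw output of the whois command for the address in question; the merged prefix list is what ends up in a firewall or rate-limiting rule, and the membership check is a cheap way to confirm, before blocking, that a given offending address really is inside the provider's allocation.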
Figured it out on my own. Sort of.
robtex.com lists all announced IP ranges for a given AS at: http://www.robtex.com/as/as123.html#bgp
Still don't know how or where robtex retrieves this info from. If someone else wants to chime in and explain where the data comes from, that would be great.
Since you have access to iptables, I will assume you have root access on the system anyway. In this case, I would suggest installing Fail2Ban which will just block an IP (for a certain time you decide) if they try to abuse a service (HTTP, DNS, Mail, SSH ..etc) by hitting the service port N times within X period (both decided by the user).
I am using that on my server and I am getting very good results, especially with those Chinese hackers wanting to hit into my SSH.
Hit my home page for more information; I have a blog post all about fail2ban.
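To show the "N hits within X period" rule the answer above describes, here is an added example (not Fail2Ban's own code, and not from the original answer) that applies a sliding-window counter per source address to sshd "Failed password" log lines. An address is flagged the first time it accumulates max_hits failures inside window_seconds; older failures fall out of the window rather than counting forever. The log lines are constructed samples using documentation addresses, and the year is assumed because syslog timestamps do not carry one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable

# Matches the classic syslog-style sshd failure line (constructed format, as in the sample below).
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Constructed sample: one address fails three times in nine seconds, another fails
# three times spread over half an hour, and one successful login is present as noise.
SAMPLE_LOG = [
    "Jan 10 12:00:01 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 50122 ssh2",
    "Jan 10 12:00:04 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 50123 ssh2",
    "Jan 10 12:00:09 web1 sshd[2205]: Failed password for invalid user admin from 203.0.113.5 port 50124 ssh2",
    "Jan 10 12:00:30 web1 sshd[2210]: Failed password for root from 198.51.100.7 port 40001 ssh2",
    "Jan 10 12:15:00 web1 sshd[2300]: Failed password for root from 198.51.100.7 port 40002 ssh2",
    "Jan 10 12:30:00 web1 sshd[2400]: Failed password for root from 198.51.100.7 port 40003 ssh2",
    "Jan 10 12:30:05 web1 sshd[2401]: Accepted publickey for deploy from 192.0.2.9 port 33000 ssh2",
]


def parse_time(ts: str, year: int = 2024) -> datetime:
    """Syslog timestamps carry no year; the year is an assumption for this example."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_abusers(lines: Iterable[str], max_hits: int = 3,
                 window_seconds: int = 600) -> Dict[str, datetime]:
    """Return {ip: time_of_first_threshold_crossing} for addresses exceeding the rule."""
    hits: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, datetime] = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines do not count
        ip, t = m.group("ip"), parse_time(m.group("ts"))
        window = hits[ip]
        window.append(t)
        # Drop failures older than the window so a slow trickle never triggers a ban
        while (t - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= max_hits and ip not in flagged:
            flagged[ip] = t
    return flagged


if __name__ == "__main__":
    for ip, when in find_abusers(SAMPLE_LOG).items():
        print(f"{ip} crossed the threshold at {when:%H:%M:%S}")
```

Lowering the window or raising max_hits is the same trade-off the answer alludes to: a short window with a low count catches bursts quickly but a patient attacker stays under it, while a long window with a higher count starts to catch the slow trickle at the cost of occasionally banning a user who mistypes a password a few times in a row.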
You can use Hurricane Electric's BGP Service.
If you have an IP address and want to know all address blocks registered to the same ASN, do this:
- Go to https://bgp.he.net and search for the IP address to get its ASN.
- Search for the ASN.
- View tables "Prefixes v4" and "Prefixes v6" for all address blocks.