The Basics of IPv4 WHOIS

November 29 2023
~1200 words, ~5-6 min read.
What's Whois Information?
The whois command is a tool used to query the registration records of Internet
resources. I'll be focusing on IPv4 addresses here, but it can also be used to
get information on domains and ASNs (autonomous system numbers). This builds
upon the topics from the previous article "What's an IP Address?", so I will
assume readers are already familiar with them.
Information can be accessed via the whois tool, typically run on Linux systems
from the command line. There are also online WHOIS lookup services available,
such as:
https://www.whois.com/whois
Data Points of Interest
1. Organization
Organization details can be found in WHOIS. This shows the organization
that owns, or is responsible for, the IP address range.
2. IP Address Range
In this context, we're looking at the WHOIS information of a single IP address.
This information includes the IP address range that the single IP address
belongs to. The organization is not only responsible for the single IP address,
but also the entire IP address range.
3. Contact Information
Contact information such as emails, phone numbers, and postal addresses can
be found here.
4. Registration Status
This gives us the date that the IP range was registered to the organization.
In other words, it may tell us when the organization first obtained the IP
range in question, and also the last time the WHOIS information was updated.
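To make the four data points concrete, here is an added example (not code from the article) that maps an ARIN-style whois reply onto them. The reply text is constructed for this example: the field names are the ones ARIN prints, but every value (the 203.0.113.0/24 range, "Example Hosting LLC", the dates and contacts) is invented.

```python
import ipaddress
from datetime import date

# Constructed sample shaped like an ARIN whois reply for one IPv4 address.
# Field names are ARIN's; every value here is invented for this example.
SAMPLE_WHOIS = """\
#
# ARIN WHOIS data and services are subject to the Terms of Use
#
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/25, 203.0.113.128/25
NetName:        EXAMPLE-NET-1
OrgName:        Example Hosting LLC
RegDate:        2023-10-02
Updated:        2023-11-15
OrgAbuseEmail:  abuse@example-hosting.test
OrgAbusePhone:  +1-555-0100
"""

def parse_whois(text):
    """Collect 'Key: value' lines into a dict, skipping '#' comments and blanks.
    A key that repeats (common in multi-record replies) keeps every value."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        fields.setdefault(key, []).append(value)
    return fields

def data_points(text, ip):
    """Map a reply onto the four data points above, for the queried IP."""
    f = parse_whois(text)
    # ARIN may list several CIDR blocks on one line, separated by commas.
    networks = [ipaddress.ip_network(c.strip(), strict=False)
                for c in f.get("CIDR", [""])[0].split(",") if c.strip()]
    addr = ipaddress.ip_address(ip)
    return {
        "organization": f.get("OrgName", ["unknown"])[0],
        "range": f.get("NetRange", ["unknown"])[0],
        "range_size": sum(n.num_addresses for n in networks),
        "ip_in_range": any(addr in n for n in networks),
        "abuse_contact": f.get("OrgAbuseEmail", [None])[0],
        "registered": date.fromisoformat(f["RegDate"][0]) if "RegDate" in f else None,
        "updated": date.fromisoformat(f["Updated"][0]) if "Updated" in f else None,
    }

if __name__ == "__main__":
    for key, value in data_points(SAMPLE_WHOIS, "203.0.113.77").items():
        print(f"{key:>14}: {value}")
```

The ip_in_range check is a useful sanity test: if the address you queried does not fall inside the returned CIDR blocks, you are probably looking at the wrong record (for example a parent allocation rather than the specific reassignment).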
Usefulness for Information Security
Let's look at how we can interpret IP WHOIS information in the context of
Information Security. The most likely reason for looking deeper into an IP
address is seeing suspicious activity from it. Some example situations are
IPs attempting to connect to your server, IPs attempting to authenticate, or
IPs that send email spam. I'll go over how each of the data points of interest
can be put to use.
Organization Info
Let's say you fired up a brand new server for your website, and nobody but you
knows about it. You would expect the only traffic, the only connections to
your server, to be your own. This is not the case, however: the moment one of
your digital assets is online (has an IP address), connection attempts from
foreign IPs are inevitable. Who are these IPs, and why are they already accessing
your website that nobody knows about?
Looking at the IP's WHOIS information, perhaps you see that the organization is
Google. With a little further cyber sleuthing you may discover that the IP is
used by Google for crawling the web; Google publishes the ranges its crawler uses:
https://developers.google.com/search/apis/ipranges/googlebot.json
This means it is used to navigate the web and extract information from websites.
This activity isn't inherently bad or illegal. Just as you can knock on
almost any house door, you can connect to any IP on the Internet. Knocking on
a door is fine, of course, but trying to unlock the door or breaking windows
to get inside are entirely different activities. IPs that you detect connecting
to your servers can certainly behave in ways that let you infer with
confidence that there is suspicious or malicious intent behind them. This
example illustrates that not all unknown traffic to your server is inherently
bad. Knowing the owner of the IP, and doing a little research, can raise
your confidence when judging how suspicious the traffic is.
IP Range Info
Perhaps you see traffic from many foreign IPs. You look at the WHOIS information
and discover that many of those IPs belong to the same IP range. Looking at the
organization information, perhaps you see that it is an Internet Service
Provider. This could indicate that the services offered on your website
have generated interest among particular end users of that ISP (e.g. home
internet users), who may also be in the same geographical location. This
definitely isn't enough information to make a confident inference, but it is
a starting point that could help guide your research decisions.
Contact Info
Similar to the previous example, let's say you are encountering traffic
from the same ISP, but this time it is definitely malicious. These IPs
are trying to authenticate, or log in, to your WordPress website. You could
try to block the individual IPs, but new IPs from the same IP range keep up
this activity. You could block the whole IP range, but you risk blocking
legitimate users from accessing your website. Using the WHOIS information,
you can contact someone at that ISP to report this activity; usually the
contact is an abuse@ email address. Communication with the owner of a network
could possibly provide a solution to your problem.
Registration Info
For another example similar to the previous one, let's say you are encountering
malicious traffic from the same IP range, and the organization is a mysterious
one. Your research turns up little information as to who or what this
organization is. You look at the registration date and notice that this
organization was assigned the IP range very recently. A mysterious organization
with a recently assigned IP range, already emitting bad traffic from that
network: this information might justify being very skeptical about that IP
range. You may even choose to block that range entirely, especially if it is
a small range (a /24 or smaller).
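The three scenarios above (IPs clustering in one range, an ISP whose abuse contact is the better route than a range block, and a small, recently registered range from an unknown organization) can be turned into a small triage routine. This is an added example, not the article's code: the WHOIS summaries, the source IPs "taken from a failed-login log", the 90-day recency threshold and the three-IP minimum are all constructed assumptions for the example.

```python
import ipaddress
from datetime import date

# Constructed WHOIS summaries (as a lookup would return them) and a constructed
# list of source IPs pulled from a failed-login log. All values are invented.
WHOIS_RECORDS = [
    {"org": "Example Broadband ISP", "cidr": "198.51.100.0/22", "reg": "2009-04-01",
     "known": True, "abuse": "abuse@example-isp.test"},
    {"org": "QXZ Holdings", "cidr": "203.0.113.0/24", "reg": "2023-11-10",
     "known": False, "abuse": None},
]
OBSERVED_IPS = ["198.51.100.7", "198.51.100.9", "198.51.102.200",
                "203.0.113.5", "203.0.113.66", "203.0.113.201", "203.0.113.240",
                "192.0.2.14"]

def group_by_range(ips, records):
    """Bucket observed IPs under the WHOIS range that contains them."""
    nets = [(ipaddress.ip_network(r["cidr"]), r) for r in records]
    buckets = {r["cidr"]: [] for r in records}
    unmatched = []
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        for net, rec in nets:
            if addr in net:
                buckets[rec["cidr"]].append(ip)
                break
        else:
            unmatched.append(ip)          # no record yet: needs its own lookup
    return buckets, unmatched

def assess(record, hits, today):
    """Apply the reasoning above: a small, recently registered range from an
    unknown org with several offending IPs -> consider blocking the range;
    otherwise prefer the abuse contact, since an ISP range carries legitimate users."""
    net = ipaddress.ip_network(record["cidr"])
    age_days = (today - date.fromisoformat(record["reg"])).days
    small = net.prefixlen >= 24            # a /24 or smaller
    recent = age_days <= 90                # threshold assumed for this example
    if len(hits) >= 3 and small and recent and not record["known"]:
        return "block-range"
    if record["abuse"]:
        return "report-to-abuse"
    return "block-individual-ips"

def triage(ips, records, today):
    """Per range: (number of offending IPs seen, suggested handling)."""
    buckets, unmatched = group_by_range(ips, records)
    result = {r["cidr"]: (len(buckets[r["cidr"]]), assess(r, buckets[r["cidr"]], today))
              for r in records}
    result["unmatched"] = (len(unmatched), "lookup-needed")
    return result
```

The thresholds are where your own judgement goes; the structure simply makes the facts (range size, registration age, contact availability, hit count) explicit before a decision is taken.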
Being a Detective
We want to gather data as evidence, transform it into information, and develop
inferences from the information gathered. It's ideal to discover as many facts
(statements that are true) as we can to further support our inferences. Think of
an inference as an educated guess, or the best guess we can make, based on the
facts and our own personal knowledge and experience.
For example, if we see suspicious activity from an IP and check the
WHOIS information, we'll know the organization that is responsible for that IP
as a fact. From here we may infer that the organization has an issue with
suspicious/malicious activity coming from their network. This inference could
be supported if we detect similar activity from multiple unique IPs in the same
IP range that the organization owns. Further, we may find forum posts about that
organization expressing similar concerns about suspicious network activity. Then
we might conclude that either that organization is unable to mitigate this
activity coming from their network, or they don't care to.
Based on the facts and information collected, our inferences will have different
levels of confidence, and we want to develop our logic for creating inferences
so that they are highly likely to be accurate. This takes practice and
experience. There will be times when you have overwhelming evidence that the
activity you've been researching is malicious, and you act accordingly. There
will also be times when in your gut you KNOW the activity is malicious, but you
either do not have enough information to convince managers to act, or there
isn't a suitable action that can mitigate the problem without affecting
legitimate traffic. What I would suggest avoiding is action without adequate
information, even if your inference is correct and the action will solve the
problem. You'll develop a habit of lowering the bar for what counts as a
confident inference, which might lead you to solve problems with inadequate
logic. In other words, believing in inferences that you have little
justification for, even if they end up being TRUE, will make your process
inconsistent and unrepeatable.