The main goal of laboratory report is to identify the responsibilities for the IP addresses below and how we can make connection to them. IP addresses are randomly chosen by the lecture.
External IP that is used for purpose of this test is following: 18.104.22.168/255 1. The ISP that provides this network is EENet2. Organization that is behind is Tallinn Technical University, Estonia. City location is Tallinn and the region is Harjumaa. The phone number of my ISP is: +372 73*. The e-mail we should report abuse are: first persons that is in charge: Viktor Borisevitch (e-mail:tor at cc.ttu.ee and phone number: +372-2-*46) and Andres Lepp (e-mail: l at cc.ttu.ee and phone number: +372 6 *55). In addition, if we wont to submit an abuse we should use both persons of network administration and then we can submit and security incident on the following ISP e-mail: email@example.com [RIPE NCC].
All in all, Method 1 and Appendix 1 describes the website, tools and application that are used to conduct this laboratory report. In addition, Method 2 and Appendix 2 will introduce website tools and databases where we can check if following IP’s have been reported before as abuse and security risk. Both methods are represented with answer and consequences confront in the result section.
Finally the conclusion made of all collected data will be concise in conclusion section of this report.
First method describes and demonstrates web tools that have been used to collect the needed information from the stated IP’s addresses. Second method is pointing out website tools and databases that can be applied if the IP has been reported previously as a abuse, spam or security threat.
Firstly, we need to collect as much as we can details about the IP address. In Appendix 1 is showing the wholly information of the IP’s, contact details, organization name, address, location, state, country, technicians contact, abuse phone number, abuse e-mail, etc.
Depending on the location of IP we should make sure that not only we know the ISP or abuse contact details, but we should know national CERT 3 agency that is in charge too. Therefore, to collect the information we have used different web sites, agencies: [RIPENCC, LACNIC, AfriNIC, APNIC, ARIN]. The above reference are agencies collected from IANA4. Authority responsible for global coordination of the Internet Protocol addressing systems [IANA].
Moreover, to have more details about the route of the IP’s we are using command prompt in Windows 7 with the following command, where the results are presented in Appendix 2 section:
After we have collected the wholly information about the concrete IP proposals, we should check if in addition those IP’s previously have been reported as abused, spam or security threat. To complete the following method we need to check concrete database system that is offering following service. First that crossed on web is [MalwareURL] which is dedicated to fighting malware, trojans and a multitude of other web-related threats. In addition, we can check if the IP addresses are listed in anti-spam databases. With other words blacklist check [MyIPAddress].
Results from Method 1 are presented in Result 1, further Method 2 is presented in Result 2.
For each IP are presented only the most important data details that we need to collect for our goal. In addition, full description and details are presented in Appendix 1. The tables bellow are illustrating the most important information that we should look-for. In addition, the highlighted lines are indicating the abuse e-mail box that should be send mail too.
However, now that we know the abuse e-mail, phone number and contact person details, still is this information enough for us. If we look in details all of the IP’s are from different countries. Therefore we need to find what is the national CERT agency contact details. First table is based in USA, therefore we need to use their reporting system, which is locate in the following link: http://www.us-cert.gov/ . Second table is UK, the national CERT agency link: www.ukcert.org.uk. Third table is based in Germany, the CERT agency link: http://www.cert-verbund.de/.
From the routing trace we can conclude that the first IP and the third respond and it did not miss route trace, where in the second IP, 22.214.171.124 there is miss route trace.
That is why we will run this IP address to Method 2. Despite the fact, still we will run the rest of IP’s in the Method 2, to be trusted that are not in the abuse list.
Next step is to attempt to search the IP address to check if they have been previously report as a abuse, trojan, malware, security threat, etc.
To check and verify the security status we are using the service
available [MalwareURL]. Where results for 126.96.36.199 and
188.8.131.52 are with status that have not been previously reported as
abuse. On the other hand, 184.108.40.206 IP address is detected as an
security threat before. More details are presented in Appendix 3. Where
is demonstrating that the
/404.php?type=stats&affid=531&subid=03&iruns has been
reported as malicious URL and it is in a blacklist of Google, MyWOT,
Not only that it is listed in the malware database list, but also if we double check on service [MyIPAddress] that the 220.127.116.11 IP address is listed in few blacklist which is assess by DNSBL5.
In conclusion, I would like to reiterate that the concrete IP’s that we analysis in this report are demonstrating the process and methods that should be done in future to detect, report abuse, malware, threat, trojan, security risk, etc. Where we should gather the detail information, and to whom to turn the abuse. To be precise that are not in blacklist, spam list, etc.
In spite of following IP’s: 18.104.22.168 and 22.214.171.124, from performing methods and delivering results are safe and secure, still think can be exploited in easy manners. The opposite, IP address 126.96.36.199 it has been already report infected as malicious code from few blacklist providers. When checking the DNS, host name is linking to UK company that deals with IP Transit. For further information please check the following link: http://www.laveconetworks.co.uk/.
In general, hope that laboratory report and the analyse will help to anyone else to guide them for future use.
Appendix 1 is list of details collected from service. Appendix 2 is trace route details. Where Appendix 3 is the result collected from the black list database.
Because of large content please download [PDF]
RIPE NCC: RIPE NCC, Data & Tools, 2011, https://www.ripe.net/data-tools
LACNIC: Internet Address Registry for Latin America and the Caribbean, REGISTRATION SERVICES , http://lacnic.net/cgi-bin/lacnic/whois?lg=EN
AfriNIC: AfriNIC LTD, Query the AfriNIC Whois Database, 2011, href="http://www.afrinic.net/cgi-bin/whois" target="_blank">http://www.afrinic.net/cgi-bin/whois
APNIC: APNIC, APNIC – Query the APNIC Whois Database, 2011, http://wq.apnic.net/apnic-bin/whois.pl
ARIN: ARIN, WHOIS-RWS, 2011, http://whois.arin.net
IANA: IANA, Number Resources, 2011, http://www.iana.org/numbers/
MalwareURL: The MalwareURL Team, The MalwareURL Team, 2011, http://www.malwareurl.com
MyIPAddress: What Is My IP Address, Blacklist Check, 2011, http://whatismyipaddress.com/blacklist-check
 I will not show my own IP address
 EENet – http://www.eenet.ee/EENet/
 CERT – Computer Emergency Response Team
 IANA – Internet Assigned Numbers Authority – http://www.iana.org/
 DNSBL – Domain Name System Blacklist
- Changed on purpose, not to disclose the exposure