tl;dr looking for internet resources information ? Go for RIPEStat, an interface to RIS (Routing Information Service), which allows you to retrieve very interesting and accurate information regarding BGP/AS/Routing/prefixes/… – it all happens here.
Ever wanted to know the evolution of internet routing paths, or maybe a country’s internet resources, or even the different paths leading to your IP address ?
Well, RIPE is collecting a ton of information through their RIS (Routing Information Service). In short, they have probes spread all around the world that retrieve information regarding internet resources (routing, BGP, geolocation, …). It is possible to query those probes (and the resulting data) through the RIPEStat interface. A service providing raw json query (through HTTPS GET query) is available but also some nice widgets to get the information you’re looking for.
I won’t go into details for all available resources, as they are well documented on RIPE’s API page, but note that some of them could be interesting for someone looking for specific data/answers on the current (or past) situation of some specific internet resources.
The basic available resources that might be quite useful for an everyday network professional include:
- Abuse Contact Finder – allows you to query whois entry for abuse contact by providing either a prefix, a single IP address or an ASN
- Blacklist – allows you to know if a specific prefix or IP range is UCEPROTECT-blacklisted (I wouldn’t rely on them too much though ;-))
- Geolocation – if you want geo coordinates of a prefix, IP range, ASN or even hostname
- Network Info – provides you the prefix and the ASN to which the queried IP belongs to
- Reverse DNS IP – simple reverse DNS lookup of an IP address
- Whats My Ip – the usual what-is-my-ip query
- Whois – a whois lookup on a specific resource (IPv4, IPv6 or ASN)
Now let’s look at an example of some queries:
$ curl 'https://stat.ripe.net/data/network-info/data.json?resource=8.8.8.8'
{
...
"data": {
"asns": [
"15169"
],
"prefix": "8.8.8.0/24"
},
...
}
$ curl 'https://stat.ripe.net/data/geoloc/data.json?resource=8.8.8.8'
{
...
"data": {
"locations": [
{
"city": "",
"country": "US",
"covered_percentage": 100,
"latitude": 38.0,
"longitude": -97.0,
"prefixes": [
"8.8.0.0/19"
]
}
],
"query_time": "2014-08-01T00:00:00",
"resource": "8.8.8.8",
"unknown_percentage": 0.0
},
...
}
Here we are able to retrieve the AS, the prefix to which the IP address 8.8.8.8 belongs to, as well as query the geoloc service to retrieve its geo coordinates.
This information is also retrievable by using other resources and/or tools. There are some very interesting queries that are available for true network researchers but listing them here wouldn’t be as fun as showing you some concrete examples.
Let’s for instance retrieve the information for the smallest country on the planet: Vatican City (va)
$ curl 'https://stat.ripe.net/data/country-resource-list/data.json?resource=va'
{
...
"data": {
"query_time": "2014-08-06T00:00:00",
"resources": {
"asn": [
"61160"
],
"ipv4": [
"46.36.192.0/21",
"46.36.200.0/22",
"185.17.220.0/22",
"193.43.102.0/23",
"193.43.128.0/22",
"212.77.0.0/19"
],
"ipv6": [
"2a01:b8::/32",
"2a04:640::/29"
]
}
},
...
}
This country has a single AS (61160), 6 IPv4 prefixes and 2 IPv6 prefixes.
We can then search for the different neighbouring AS of the Vatican city AS:
$ curl 'https://stat.ripe.net/data/asn-neighbours/data.json?resource=61160'
{
...
"data": {
"neighbour_counts": {
"left": 2,
"right": 0,
"uncertain": 0,
"unique": 2
},
"neighbours": [
{
"asn": 12874,
"power": 117,
"type": "left",
"v4_peers": 190,
"v6_peers": 83
},
{
"asn": 174,
"power": 19,
"type": "left",
"v4_peers": 24,
"v6_peers": 14
}
],
"query_endtime": "2014-08-08T08:00:00",
"query_starttime": "2014-08-08T08:00:00",
"resource": "61160"
},
...
}
We are given some interesting data here: there are 2 unique AS that are neighbours to the Vatican City’s one. And both are “left” ones.
To understand the “left” concept, we have to go back to the way an AS-PATH (i.e. the path from one AS, the source, to another AS, the destination) is described : <SRC-ASN>,<ASN-…>,…,<DST-ASN>. Now the “left” and “right” concepts make more sense: the neighbouring AS found are both “left of” the destination AS, which was our query, and thus the Vatican City AS is an originating-only AS.
Now that we know which AS are leading to the Vatican City, let’s see what RIPE’s probes provide as routes to get to that country:
$ curl 'https://stat.ripe.net/data/bgp-state/data.json?resource=61160'
{
"cached": true,
"data": {
"bgp_state": [
{
"community": [
"7018:5000",
"7018:37232"
],
"path": [
7018,
174,
61160
],
"source_id": "00-12.0.1.63",
"target_prefix": "185.17.220.0/22"
},
... (snip) ...
{
"community": [],
"path": [
28138,
16735,
3303,
12874,
61160
],
"source_id": "15-2001:12f8::90",
"target_prefix": "193.43.102.0/23"
}
],
"nr_routes": 311,
"query_time": "2014-08-08T12:10:00",
"resource": "61160"
},
...
}
Well, there are 311 different sources (understand RIPE probe hosts) that give us paths to reach the AS 61160. Of course I won’t list them here, but after verification (with some scripting), there are only two different AS preceding the destination: 12874 and 174. This confirms the previous query: to reach the Vatican through internet, you’ll have to go through those two AS.
As you can see, you can quickly get interesting information about a country, an AS or an IP thanks to this collection of tools.
But if you are more into DNS, there are also some nice API calls that you can use to get interesting data. For example you can do a recursive DNS chain lookup on a specific IP or hostname:
$ curl 'https://stat.ripe.net/data/dns-chain/data.json?resource=www.vatican.va'
{
...
"data": {
"authoritative_nameservers": [
"ns2.nic.it",
"john.vatican.va",
"seth.namex.it",
"osiris.namex.it",
"michael.vatican.va"
],
"forward_nodes": {
"www.vatican.va": [
"212.77.1.247",
"212.77.1.244",
"212.77.1.243",
"212.77.1.246"
]
},
"nameservers": [
"193.0.19.102",
"193.0.19.103",
"193.0.19.101"
],
"query_time": "2014-08-08T14:54:00",
"resource": "www.vatican.va",
"reverse_nodes": {
"212.77.1.243": [
"www.vatican.va"
],
"212.77.1.244": [
"www.vatican.va"
],
"212.77.1.246": [
"www.vatican.va"
],
"212.77.1.247": [
"www.vatican.va"
]
}
},
...
}
This query gives you all information regarding DNS on the specified resource: the authoritative NS, the reverse DNS lookups and the NS IPs.
Well, I guess that if you’ve followed up to here, you deserve to know that there are some nice widgets to visualize the information in nice graphs and other GUI forms. The list of all widgets is available here.
For example, by using the bgplay widget, you can view the relations of the AS leading to the Vatican City’s one:
That’s it, give a huge applause to RIPE for providing this information with an easy-to-use and well documented API.
And have fun crawling the internet routing information ;-)
Kudelski Security Research 