Since Marco d'Itri's whois(1) v5.5.0 released in July 2019, most sysadmins no longer need to do trial-and-error or detectivework to guess which of the 5 RIRs controls the IP attacking you and then hunt down the appropriate WHOIS server—the -I flag will now do that annoying accounting on your behalf:

-I First query whois.iana.org and then follow its referral to the whois server authoritative for that request. This works for IP addresses, AS numbers[,] and domains. BEWARE: this implies that the IANA server will receive your complete query.

a bare-bones example:

whois -a -I 1.1.1.1 | grep -i -E '^origin'

and, for a highly applied example:

dig +short archive.is \
| xargs -n 1 whois -a -I \
| sed -n 's/^[Oo]rigin\(AS\)\?:\s\+\(AS[0-9]\+\)$/\2/p' | uniq \
| xargs -n 1 whois -I \
| less -F

(OpenBSD has supported this since whois(1) v1.34, released in November 2004; FreeBSD has supported this since Release 11.0.0, released in October 2016; NetBSD has supported this since whois(1) v1.27, released in February 2020.)

Without -I

If you want to eschew the IANA query and "DIY" it by brute force, here's the key to that:

for h in whois.arin.net whois.ripe.net whois.apnic.net whois.lacnic.net;
  do whois -a -h "$h" 200.3.14.10 \
  | grep -i -E '^origin' && break;
done

Leave a Reply

Your email address will not be published.

Warning: This site uses Akismet to filter spam. Until or unless I can find a suitable replacement anti-spam solution, this means that (per their indemnification document) all commenters' IP addresses will be sent to Automattic, Inc., who may choose to share such with 3rd parties.
If this is unacceptable to you, I highly recommend using an anonymous proxy or public Wi-Fi connection when commenting.