Since Marco d'Itri's whois(1) v5.5.0 was released in July 2019, most sysadmins no longer need to do trial-and-error or detective work to guess which of the 5 RIRs controls the IP attacking you and then hunt down the appropriate WHOIS server—the -I flag will now do that annoying accounting on your behalf:
whois.iana.org and then follow its referral to the whois server authoritative for that request. This works for IP addresses, AS numbers[,] and domains. BEWARE: this implies that the IANA server will receive your complete query.
A bare-bones example:
whois -a -I 22.214.171.124 | grep -i -E '^origin'
And, for a highly applied example:
dig +short archive.is \
  | xargs -n 1 whois -a -I \
  | sed -n 's/^[Oo]rigin\(AS\)\?:\s\+\(AS[0-9]\+\)$/\2/p' | uniq \
  | xargs -n 1 whois -I \
  | less -F
(OpenBSD has supported this since whois(1) v1.34, released in November 2004; FreeBSD has supported this since Release 11.0.0, released in October 2016; NetBSD has supported this since whois(1) v1.27, released in February 2020.)
If you want to eschew the IANA query and "DIY" it by brute force, here's the key to that:
for h in whois.arin.net whois.ripe.net whois.apnic.net whois.lacnic.net; do
  whois -a -h "$h" 126.96.36.199 \
    | grep -i -E '^origin' && break
done
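To see what -I saves you from, here is the referral chase done by hand, as an added example that is not from the original post or from the whois project. The helper names (parse_refer, parse_origin, lookup_origin) are hypothetical and both sample replies are constructed; it assumes the IANA reply names the authoritative server on a "refer:" line.

```shell
#!/bin/sh
# Added example: the referral chase that `whois -I` automates, done by hand.
# parse_refer, parse_origin and lookup_origin are hypothetical helper names.

# Constructed sample of an IANA reply; the referral sits on the "refer:" line.
SAMPLE_IANA='% IANA WHOIS server
refer:        whois.arin.net

inetnum:      192.0.0.0 - 192.255.255.255
whois:        whois.arin.net
source:       IANA'

# Constructed sample mixing ARIN-style and RIPE-style origin fields.
SAMPLE_RIR='NetRange:       192.0.2.0 - 192.0.2.255
OriginAS:       AS64500
OriginAS:
origin:         AS64501
origin:         AS64500'

# Print the referral host, or fail if it is missing or not a plain hostname.
# The value is server-supplied, so check it before handing it to `whois -h`.
parse_refer() {
    tr -d '\r' |
        awk 'tolower($1) == "refer:" { print $2; exit }' |
        grep -E '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
}

# Print each origin AS once; accepts "origin:" and "OriginAS:" in any case,
# skips empty values, and removes duplicates even when they are not adjacent.
parse_origin() {
    tr -d '\r' |
        awk 'tolower($1) ~ /^origin(as)?:$/ && $2 ~ /^AS[0-9]+$/ && !seen[$2]++ { print $2 }'
}

# Network path (not run here): IANA sees the full query, as -I warns.
lookup_origin() {
    server=$(whois -h whois.iana.org "$1" | parse_refer) || return 1
    whois -h "$server" "$1" | parse_origin
}

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_IANA" | parse_refer    # whois.arin.net
printf '%s\n' "$SAMPLE_RIR" | parse_origin    # AS64500, then AS64501
```

Calling lookup_origin with an address performs the two live queries; the parsing functions alone run offline.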