A powershell script for running reverse lookups on many IP addresses at once

I often find myself looking at web logs when researching anomalous traffic on our servers.  It’s not uncommon for a poorly written web scraper to come through the system and generate spurious errors, and I start looking at what IP addresses are generating the most hits to see if I can pinpoint who it is.

One of my first steps is to run a reverse lookup on the IP to see if there is a PTR record registered in DNS that might identify them.  For example, Amazon’s EC2 servers have registered PTR records:

> nslookup 184.169.245.120

Name: ec2-184-169-245-120.us-west-1.compute.amazonaws.com
Address: 184.169.245.120

Running nslookup by hand is fine if I need to look up just one or two addresses, but sometimes I find myself with a long list of addresses that I want to look up.  I could easily write a script around nslookup, but the output was too verbose (usually 5 or 6 lines per IP address) to easily scan through the results.

I also wanted to take it a step further than just a PTR lookup.  Many IPs have no PTR record, but over time I have accumulated a list of IPs that I have identified and recognize.  For example, I have a long list of Akamai servers that are frequently intermediate nodes for traffic on our Akamai URLs.  I also have the IPs of proxy servers for several clients that have large numbers of users sharing a single address.  I wanted to combine the results of my home-grown list with the reverse lookup in an easy-to-use command.

I ended up writing a powershell script to do just that.  It takes a list of IPs (or a single IP on the command line) and runs an nslookup on each.  Rather than spitting out many lines of output, it parses the results to extract the part I am interested in: the name record.  It then also checks the IP address against my known list of IPs, and finally outputs everything in a tab-delimited, easy-to-read format with one IP per line:

> ip_lookup.ps1 -k knownips.txt -f input_ips.txt
204.236.179.177   ec2-204-236-179-177.us-west-1.compute.amazonaws.com
204.236.188.194   ec2-204-236-188-194.us-west-1.compute.amazonaws.com
204.236.188.206   ec2-204-236-188-206.us-west-1.compute.amazonaws.com
209.170.118.215   NOT FOUND                Akamai
216.246.87.201    unknown.scnet.net        Akamai
50.18.0.118       ec2-50-18-0-118.us-west-1.compute.amazonaws.com

As I run the tool looking at different issues, I learn about new IPs and add them to my known IP list, saving me troubleshooting time in the future.
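The following is an added example of how the described workflow can be implemented in PowerShell; it is not the author's own script. It assumes a known-IP file with one `<ip> <label>` pair per line (`#` starts a comment), the parameter names `-k`/`-f` from the usage line above, and the "Name:" line format that the Windows nslookup prints.

```powershell
# Added example (not the original post's script): batch reverse lookups with a known-IP overlay.
# Assumed usage:  .\ip_lookup.ps1 -k knownips.txt -f input_ips.txt   or   .\ip_lookup.ps1 203.0.113.5
# Assumed knownips.txt format: "<ip><whitespace><label>" per line; lines starting with '#' are ignored.
param(
    [Parameter(Position = 0)][string]$Ip,   # a single IP given on the command line
    [Alias('f')][string]$File,              # file with one IP per line
    [Alias('k')][string]$KnownFile          # home-grown list of recognised addresses
)

# Load the known-IP list into a hashtable keyed by address.
$known = @{}
if ($KnownFile -and (Test-Path $KnownFile)) {
    foreach ($line in Get-Content $KnownFile) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith('#')) { continue }
        $parts = $t -split '\s+', 2
        if ($parts.Count -eq 2) { $known[$parts[0]] = $parts[1] }
    }
}

# Collect the addresses to look up, dropping blank lines and duplicates.
$targets = @()
if ($Ip)   { $targets += $Ip }
if ($File) { $targets += Get-Content $File | ForEach-Object { $_.Trim() } | Where-Object { $_ } }
$targets = $targets | Select-Object -Unique

foreach ($addr in $targets) {
    # Only hand real IP addresses to nslookup; log lines can contain arbitrary attacker-controlled text.
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($addr, [ref]$parsed)) {
        "{0}`tINVALID" -f $addr
        continue
    }
    # Run nslookup and keep only the PTR name; a missing record is reported as "NOT FOUND".
    $out = (& nslookup $addr 2>$null) -join "`n"
    $name = 'NOT FOUND'
    if ($out -match '(?im)^\s*Name:\s+(\S+)') { $name = $Matches[1] }
    # Third tab-separated column: the label from the known list, if the address is in it.
    $label = if ($known.ContainsKey($addr)) { $known[$addr] } else { '' }
    "{0}`t{1}`t{2}" -f $addr, $name, $label
}
```

The PTR name is whatever the address owner chose to publish, so treat it as a hint for triage rather than proof of who sent the traffic.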

Here is the powershell script:


3 Responses to A powershell script for running reverse lookups on many IP addresses at once

  1. Arshad says:

    It worked. THANKs.
    What is knownips.txt for ?

    • It allows you to maintain a list of IP addresses that you recognize that may not have an associated reverse IP lookup, or the reverse may give cryptic information. It’s useful if you do this regularly and want to avoid researching mysterious IP addresses multiple times because you forgot what they were.
