I often find myself looking at web logs when researching anomalous traffic on our servers. It’s not uncommon for a poorly written web scraper to come through the system and generate spurious errors, and I start looking at what IP addresses are generating the most hits to see if I can pinpoint who it is.
One of my first steps is to run a reverse lookup on the IP to see if there is a PTR record registered in DNS that might identify them. For example, Amazon's EC2 servers have registered PTR records:

> nslookup 22.214.171.124
Name:    ec2-184-169-245-120.us-west-1.compute.amazonaws.com
Address: 126.96.36.199
Running nslookup by hand is fine if I need to look up just one or two addresses, but sometimes I find myself with a long list of addresses that I want to look up. I could easily write a script around nslookup, but its output is too verbose (usually 5 or 6 lines per IP address) to scan through easily.
I also wanted to take it a step further than a plain PTR lookup. Many IPs have no PTR record, but over time I have accumulated a list of IPs that I have identified and recognize. For example, I have a long list of Akamai servers that are frequently intermediate nodes for traffic on our Akamai URLs. I also have the IPs of proxy servers for several clients that have large numbers of users sharing a single address. I wanted to combine my home-grown list with the reverse lookup in one easy-to-use command.
I ended up writing a PowerShell script to do just that. It takes a list of IPs from a file (or a single IP on the command line) and runs nslookup on each. Rather than spitting out many lines of output, it parses the result to extract the part I am interested in, the name record. It then checks the IP address against my known-IP list, and finally outputs everything in a tab-delimited, easy-to-read format with one IP per line:
> ip_lookup.ps1 -k knownips.txt -f input_ips.txt
188.8.131.52	ec2-204-236-179-177.us-west-1.compute.amazonaws.com
184.108.40.206	ec2-204-236-188-194.us-west-1.compute.amazonaws.com
220.127.116.11	ec2-204-236-188-206.us-west-1.compute.amazonaws.com
18.104.22.168	NOT FOUND	Akamai
22.214.171.124	unknown.scnet.net	Akamai
126.96.36.199	ec2-50-18-0-118.us-west-1.compute.amazonaws.com
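The following is an added example written for this page; it is not the author's ip_lookup.ps1. It follows the same steps the description above lays out (run nslookup, keep only the name record, tag the address from a known-IP list, emit one tab-delimited line per IP) and adds one check the post does not mention: forward-confirming the PTR name. A PTR record is published by whoever controls the reverse zone for that address, so the hostname it returns proves nothing on its own; resolving the name back and checking that the original address is among the results catches a PTR that merely claims to be someone else's host. The function names, the known-list format (one `<ip> <label>` per line, `#` comments allowed) and the sample nslookup output are all assumptions and constructed data; the RFC 5737 documentation addresses in them are not real hosts.

```powershell
# Added example, not the post's own script. Assumed known-list format:
#   <ip><whitespace><label>   ('#' lines are comments)

function Import-KnownIps {
    # Build a hashtable ip -> label from the lines of a known-IP list.
    param([string[]]$Lines)
    $table = @{}
    foreach ($line in $Lines) {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        $parts = $line -split '\s+', 2
        if ($parts.Count -eq 2) { $table[$parts[0]] = $parts[1] }
    }
    return $table
}

function ConvertFrom-NslookupOutput {
    # Keep only the name from nslookup's reverse-lookup output.
    # Windows prints "Name:    host"; Unix prints "...in-addr.arpa  name = host."
    # Anything else (NXDOMAIN, timeout) becomes NOT FOUND.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\s*Name:\s*(\S+)')  { return $Matches[1].TrimEnd('.') }
        if ($line -match 'name\s*=\s*(\S+)')   { return $Matches[1].TrimEnd('.') }
    }
    return 'NOT FOUND'
}

function Resolve-Ptr {
    # Live reverse lookup via nslookup, as the post does it (needs network).
    param([string]$Address)
    $out = & nslookup $Address 2>&1 | ForEach-Object { "$_" }
    return ConvertFrom-NslookupOutput -Lines $out
}

function Test-ForwardConfirmed {
    # Forward-confirmed reverse DNS: the PTR name must resolve back to the
    # address we started from, otherwise the name is just a claim by whoever
    # runs the reverse zone.
    param([string]$Address, [string]$HostName)
    if ($HostName -eq 'NOT FOUND') { return $false }
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($HostName) |
                 ForEach-Object { $_.IPAddressToString }
        return [bool]($addrs -contains $Address)
    } catch { return $false }
}

function Format-LookupLine {
    # One tab-delimited line: ip, name, known-list label, confirmation flag.
    param([string]$Address, [string]$HostName, [hashtable]$Known, [bool]$Confirmed)
    $label = if ($Known.ContainsKey($Address)) { $Known[$Address] } else { '' }
    $flag  = if ($HostName -ne 'NOT FOUND' -and -not $Confirmed) { 'UNCONFIRMED' } else { '' }
    return ($Address, $HostName, $label, $flag) -join "`t"
}

# --- constructed sample data so the parsing path runs offline ---
$knownLines = @('# ip             label', '203.0.113.10    Akamai', '198.51.100.7    ClientX proxy')
$known = Import-KnownIps -Lines $knownLines

$sampleFound = @('Server:  UnKnown', 'Address:  192.168.0.1', '',
                 'Name:    ec2-203-0-113-10.compute-1.amazonaws.com', 'Address:  203.0.113.10')
$sampleNx    = @('Server:  UnKnown', 'Address:  192.168.0.1', '',
                 "*** UnKnown can't find 198.51.100.7: Non-existent domain")

Format-LookupLine -Address '203.0.113.10' -HostName (ConvertFrom-NslookupOutput $sampleFound) -Known $known -Confirmed $true
Format-LookupLine -Address '198.51.100.7' -HostName (ConvertFrom-NslookupOutput $sampleNx)    -Known $known -Confirmed $false

# --- live run over a file of IPs, one per line (uncomment; needs network) ---
# Get-Content .\input_ips.txt | ForEach-Object {
#     $name = Resolve-Ptr $_
#     Format-LookupLine $_ $name $known (Test-ForwardConfirmed $_ $name)
# }
```

The offline section prints the two sample lines (the second with `NOT FOUND` and the `ClientX proxy` label); the commented block at the end is the shape of the real run. An `UNCONFIRMED` flag on a line is the cue to treat the hostname as untrusted when deciding whose scraper you are looking at.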
As I run the tool looking at different issues, I learn about new IPs and add them to my known IP list, saving me troubleshooting time in the future.
Here is the PowerShell script: