Whois "geofeed" Data
Attributing a particular IP address to a specific location is hard and often fails miserably. There are several difficulties that I have talked about before: Out-of-date whois data, data that is outright fake, or was never correct in the first place. Companies that have been allocated a larger address range are splitting it up into different geographic regions, but do not reflect this in their whois records.
And beyond giving threat intel geeks a quick attribution high, the fact that the IP address is allocated to a particular country is useless information that costs a ton of CPU power to acquire. You are better off mining Dogecoin with those cycles.
But... if you are still reading... I saw something new, at least new to me: geofeed attributes in whois data! This appears to be particularly common in Europe. To our US readers, Europe is odd in that it is subdivided into entities referred to as "Countries", not "States". Just like states in the US, different countries may have different local laws. For example, in France, it is illegal to name your pet pig "Napoleon". Enforcement of these laws across the Internet often requires specific geolocation knowledge, and I can only assume that this lead to the "geofeed" attribute.
For example, if you look at the latest kid scanning for Ivanti (good luck kid... but you are LATE!): 193.35.18.40. The whois record includes in part:
inetnum: 193.35.18.0 - 193.35.18.255
netname: Pfcloud
descr: Pfcloud
geofeed: https://raw.githubusercontent.com/pfcloud-io/geofeed/main/geofeed.csv
org: ORG-PU39-RIPE
country: NL
The "geofeed" URL leeds us to a brief CSV file breaking down this cloud provider IP address space:
193.35.18.0/24,NL,NL-LI,Eygelshoven,
45.128.232.0/24,NL,NL-LI,Eygelshoven,
31.13.211.0/24,IR,IR-ES,Shahreza,
84.54.51.0/24,NL,NL-LI,Eygelshoven,
2.58.95.0/24,DE,DE-NW,Düsseldorf,
94.103.124.0/24,NL,NL-LI,Eygelshoven,
141.98.4.0/24,US,US-AZ,Phoenix,
147.78.102.0/24,NL,NL-LI,Eygelshoven,
87.121.69.0/24,GB,GB-LND,London,
87.121.58.0/24,NL,NL-LI,Eygelshoven,
2a05:b0c6:a000::/39,US,US-AZ,Phoenix,
2a05:b0c6:a200::/39,DE,DE-BE,Berlin,
2a05:b0c6:a400::/39,GB,GB-LND,London,
There is also a tool to discover these geofeed files:
https://github.com/massimocandela/geofeed-finder
The geofeed format and details are also defined in RFC 8805 https://www.rfc-editor.org/rfc/rfc8805.html
RFC 9092 defined the inetnum object, including the geofeed: https://www.rfc-editor.org/rfc/rfc9092.html
The definition allows for specificity down to postal code. The example above just shows cities.
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
Network Monitoring and Threat Detection In-Depth | Singapore | Nov 18th - Nov 23rd 2024 |
Comments