
Nimda virus and whois search...

2001-09-30 02:50:02
While I was implementing a perl script to catch the nimda virus on Apache
(www.digitalcon.ca/nimda/) and send an e-mail to the owner of the IP, I
realised it is rather difficult to automate whois searches.

First of all there are 3 repositories of IP networks: ARIN, APNIC and
RIPE. There is no whois repository above them to specify which one is in
charge of which range of IPs (there is only a text file on the
www.iana.org web site). None of these repositories implements the same
database structure, so a whois query must be adapted to each repository.

Lastly, most IPs are delegated to ISPs, who could also implement a whois
database to specify to which company they have lent their IP addresses.

Basically, it seems there is no hierarchical structure to find the owner of
a certain IP block.

If there was some kind of standard, it would help in fighting worms by
informing IP owners that some machines have been infected. It would also
help all intrusion detection systems to inform system administrators of
potential attacks with a detailed report...

The DNS is well implemented; the reverse DNS is not so well done, as only
major hosts have a record, and IP whois databases are not that
specific...

Just a thought...

Cheers
franck(_at_)sopac(_dot_)org
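As an added example (not part of the original post or the script it mentions), the following Python parses two constructed whois responses, one in the RIPE/APNIC object layout and one in the ARIN layout the post contrasts, pulls out the abuse contact from each, and checks that the returned block actually covers the queried IP before any owner would be notified. Field names are modelled on the registries' current layouts; the sample records and addresses are constructed.

```python
import ipaddress

# Constructed sample modelled loosely on the RIPE/APNIC object layout.
RIPE_STYLE = """\
% Constructed sample, not a real RIPE database response.
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
abuse-mailbox:  abuse@example.net
source:         RIPE
"""

# Constructed sample modelled loosely on the ARIN layout.
ARIN_STYLE = """\
# Constructed sample, not a real ARIN response.
NetRange:       198.51.100.0 - 198.51.100.255
NetName:        EXAMPLE-ARIN
OrgAbuseEmail:  abuse@example.org
OrgTechEmail:   noc@example.org
"""

def parse_kv(text):
    """'key: value' lines -> dict; % and # comment lines are skipped."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("%", "#")):
            continue
        key, sep, value = line.partition(":")
        if sep:  # keep the first occurrence of a repeated key
            fields.setdefault(key.strip().lower(), value.strip())
    return fields

def covers(ip, ip_range):
    """True if the 'start - end' range contains ip; guards against
    mailing the contact of a referral or mis-parsed record."""
    start, end = (ipaddress.ip_address(p.strip()) for p in ip_range.split("-"))
    return start <= ipaddress.ip_address(ip) <= end

def extract_contact(ip, text):
    """Return (layout, range, abuse_email), or None if the record does
    not cover ip or neither known layout is recognised."""
    f = parse_kv(text)
    if "inetnum" in f:                       # RIPE / APNIC style object
        layout, rng, mail = "ripe", f["inetnum"], f.get("abuse-mailbox")
    elif "netrange" in f:                    # ARIN style record
        layout, rng, mail = "arin", f["netrange"], f.get("orgabuseemail")
    else:
        return None
    return (layout, rng, mail) if covers(ip, rng) else None
```

A real lookup would first fetch the record over whois (port 43) from the registry that IANA lists for the address; the per-registry parsing above is the part the post says cannot be shared across ARIN, APNIC and RIPE.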

