Looking at your network from the outside in

By on 13 Mar 2020

Category: Tech matters

Tags: , ,

1 Comment

Blog home

‘Ping’ or ‘traceroute’ are useful commands for investigating issues or problems inside your network. However, the Internet is bidirectional. Therefore, it is important to also look from outside your network as well.

Luckily there is a range of free online tools to help. Two of the most popular ones that you may have had experience with are traceroute.org and RIPEstat.

At JPNIC, we use traceroute.org to look at BGP routes from remote ASes to a specific IP address, sometimes to our own networks. RIPEstat, on the other hand, is useful for reviewing the whois database and information on the DNS.

One tool that we’ve recently been trialling is NetOX. It uses almost all the same data sources and scripts as RIPEstat, but it’s focused on the Asia Pacific region. I’ve found it particularly helpful in my work looking into the deployment of RPKI/ROA in the region.

RPKI/ROA is a security mechanism useful for BGP security. Even when RPKI/ROA is not an issue, some IP prefixes are investigated by our team. For such situations we use NetOX.

Below are some other NetOX applications that we’ve found useful.

BGP visibility

You can search for and confirm the visibility of a specific IP address prefix by typing it into the search box on the NetOX top page. You will be provided with an ‘Overview of the Prefix’, including the ASN it is announced by and whether its RPKI status is valid, and its current routing status. I’ve added a bookmark on my web browser for 202.12.31.0/24 as I found I was frequently accessing this.

Figure 1 — Routing Status for 202.12.30.0/24 shows 99% visible from RIS nodes.
Figure 1 — Routing status for 202.12.30.0/24 shows 99% visibility from RIS nodes.

BGP history/change

If the IP address you are investigating is suspected to be misused by another AS, you can find its BGP history by clicking the Routing tab.

Scroll down to see ‘Routing history’, where you’ll find the origin AS. If you see an AS different from what you expect, you should contact the person/organization who operates this AS to tell them they are announcing it by mistake. Contact details can be found via the Database tab > Whois Matches > Show more fields.

Figure 2 — Whois results for 202.12.31.0/24. By clicking ‘show more fields’ admin-c and tech-ca will be shown.
Figure 2 — Whois results for 202.12.31.0/24. By clicking ‘show more fields’ admin-c and tech-c will be shown.

Whois and geolocation

A nice visual feature is the map showing the geolocation of the resources, which can be accessed via the Geographic tab.

This widget shows geolocation information provided by MaxMind and if it has been updated from the whois database. The information may not be 100% accurate or specific but it gives a quick indication of the economy of the network/organization that has been allocated the IP address.

Figure 3 — AU is coloured as where 202.12.31.0/24 is allocated.
Figure 3 — AU is coloured as to where 202.12.31.0/24 is allocated.

Incident review

Using the BGP history function (under the Routing History widget) you can look at BGP incidents for IP addresses. This is a useful tool for diagnosing suspected route leaks or bandwidth changes associated with changes in AS paths — the Activity tab shows bandwidth changes up to one year.

Blacklisted or not

When you plan to transfer or receive transferred IP addresses, you should check whether the addresses have been blacklisted — the Anti-abuse tab will show the results.

The RQC tab has collective results of routing status, routing history, geolocation, geolocation history and APNIC transfer history.

What online tools do you use to investigate your network from the outside?

Rate this article

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.

One Comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Top