Looking at your network from the outside in

Willy Sutrisno

Mar 13, 2020, 3:27:41 AM
to IDNOG
https://blog.apnic.net/2020/03/13/looking-at-your-network-from-the-outside-in/


Looking at your network from the outside in | APNIC Blog

By Taiji Kimura on 13 Mar 2020

‘Ping’ or ‘traceroute’ are useful commands for investigating issues or problems inside your network. However, the Internet is bidirectional. Therefore, it is important to also look from outside your network as well.

Luckily there is a range of free online tools to help. Two of the most popular ones that you may have had experience with are traceroute.org and RIPEstat.

At JPNIC, we use traceroute.org to look at BGP routes from remote ASes to a specific IP address, sometimes to our own networks. RIPEstat, on the other hand, is useful for reviewing the whois database and information on the DNS.

One tool that we’ve recently been trialling is NetOX. It uses almost all the same data sources and scripts as RIPEstat, but it’s focused on the Asia Pacific region. I’ve found it particularly helpful in my work looking into the deployment of RPKI/ROA in the region.

RPKI/ROA is a security mechanism useful for BGP security. Even when RPKI/ROA is not an issue, some IP prefixes are investigated by our team. For such situations we use NetOX.

Below are some other NetOX applications that we’ve found useful.

BGP visibility

You can search for and confirm the visibility of a specific IP address prefix by typing it into the search box on the NetOX top page. You will be provided with an ‘Overview of the Prefix’, including the ASN it is announced by and whether its RPKI status is valid, and its current routing status. I’ve added a bookmark on my web browser for 202.12.31.0/24 as I found I was frequently accessing this.

Figure 1 — Routing status for 202.12.30.0/24 shows 99% visibility from RIS nodes.

BGP history/change

If the IP address you are investigating is suspected to be misused by another AS, you can find its BGP history by clicking the Routing tab.

Scroll down to see ‘Routing history’, where you’ll find the origin AS. If you see an AS different from what you expect, you should contact the person/organization who operates this AS to tell them they are announcing it by mistake. Contact details can be found via the Database tab > Whois Matches > Show more fields.

Figure 2 — Whois results for 202.12.31.0/24. By clicking ‘show more fields’ admin-c and tech-c will be shown.

Whois and geolocation

A nice visual feature is the map showing the geolocation of the resources, which can be accessed via the Geographic tab.

This widget shows geolocation information provided by MaxMind and if it has been updated from the whois database. The information may not be 100% accurate or specific but it gives a quick indication of the economy of the network/organization that has been allocated the IP address.

Figure 3 — AU is coloured as to where 202.12.31.0/24 is allocated.

Incident review

Using the BGP history function (under the Routing History widget) you can look at BGP incidents for IP addresses. This is a useful tool for diagnosing suspected route leaks or bandwidth changes associated with changes in AS paths — the Activity tab shows bandwidth changes up to one year.

Blacklisted or not

When you plan to transfer or receive transferred IP addresses, you should check whether the addresses have been blacklisted — the Anti-abuse tab will show the results.

The RQC tab has collective results of routing status, routing history, geolocation, geolocation history and APNIC transfer history.

What online tools do you use to investigate your network from the outside?


Willy

Good judgement comes from experience; experience comes from bad judgement - Mulla Nasrudin
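
The RPKI status and routing-history checks described in the forwarded article can also be scripted once the data has been exported. The following is an added example, not part of the original post, the APNIC article or NetOX: it applies RFC 6811 route origin validation to routing-history rows and lists the announcements worth following up. The prefixes, ASNs and dates are constructed from documentation ranges, and the names `rov_state` and `review_history` are hypothetical.

```python
import ipaddress

# Constructed sample data: documentation prefixes and ASNs, not real routing data.
ROAS = [  # (ROA prefix, max length, authorised origin ASN)
    ("203.0.113.0/24", 24, 64496),
    ("2001:db8::/32", 32, 64497),
]
HISTORY = [  # (prefix, origin ASN, first seen, last seen), as a routing-history view lists them
    ("203.0.113.0/24", 64496, "2019-01-01", "2020-03-13"),
    ("203.0.113.0/24", 64511, "2020-02-02", "2020-02-03"),   # different origin AS
    ("2001:db8:1::/48", 64497, "2020-01-10", "2020-01-11"),  # more specific than max length
    ("192.0.2.0/24", 64500, "2019-06-01", "2020-03-13"),     # no covering ROA
]

def rov_state(prefix, origin, roas=ROAS):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # subnet_of() raises TypeError across IP versions, so compare versions first.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True  # at least one ROA covers this route
        if asn == origin and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"

def review_history(expected, history=HISTORY):
    """Return rows whose origin differs from the expected AS or fails validation."""
    findings = []
    for prefix, origin, first, last in history:
        state = rov_state(prefix, origin)
        want = expected.get(prefix)  # None when no expectation is recorded
        if (want is not None and origin != want) or state == "invalid":
            findings.append((prefix, origin, state, first, last))
    return findings

if __name__ == "__main__":
    for row in review_history({"203.0.113.0/24": 64496}):
        print("review: %s origin AS%d rpki=%s seen %s to %s" % row)
```

A row that comes back as `not-found` is not flagged on its own, because a prefix without any covering ROA is unprotected rather than contradicted.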
