Finding NAT ranges for Associations

Some background

We work with a few organisations that use Google Analytics on a large scale to monitor their websites' traffic.

A standard part of the Google Analytics configuration is to filter traffic by IP address so that internal traffic can be excluded from a particular Google Analytics view.

We had a case recently where we had a large number of IP addresses to filter out for a client. The list was gathered by talking to various internal teams to discover their externally facing IP addresses (it's a big organisation). While auditing the list I noticed that there was a long consecutive run of IPs with ONE missing. Knowing that IP addresses are generally assigned in blocks, this struck me as strange, so I did a quick whois on the missing IP address and it belongs to the same association (autonomous system) as the others (the client we work with has its own association and assigned IPs).

A better way

So, the scenario is that we gather IP addresses manually, yet a number of them will slip through the cracks. I thought, there must be a better way! And of course there is: do a whois on the association itself to get our list. This of course assumes that the association the IP belongs to only assigns those IPs to the company's network.

The Code

Using whois in bash, we can grab the list of IP ranges that belong to an association. First you will need its AS number (ASN, e.g. AS13414); grab this from an initial whois on a known IP address.

Here is the command to run:

whois -h whois.radb.net -- '-i origin AS13414' | grep -Eo "([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]+"

We use the RADB database (whois.radb.net) of IP ranges to look up the prefixes that originate from an association; the -i origin query is an inverse lookup on the route objects' origin attribute. Then we parse the output, keeping only the CIDR prefixes with a grep regular expression.

If we want to output this to a file, just use shell redirection to send it into a file:

whois -h whois.radb.net -- '-i origin AS13414' | grep -Eo "([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]+" > twitter-ips.txt
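As an added example (not the post's own code), the script below parses a constructed sample of RADB route-object output into CIDR prefixes and then checks whether a given address falls inside any of them, which is exactly the audit that would have caught the one missing IP described above. It assumes the query host whois.radb.net, uses the documentation ASN AS64496 and documentation address blocks in place of a real association, and works offline on the embedded sample rather than running a live whois.

```shell
#!/usr/bin/env bash
# Added example (not the post's own code): parse RADB-style route objects
# into CIDR prefixes and check whether an address is covered by them, so
# a hand-gathered list can be audited for gaps like the one in the post.
# Constructed sample of whois.radb.net output for a documentation ASN;
# the live query would be: whois -h whois.radb.net -- "-i origin AS64496"
SAMPLE_WHOIS='route:          192.0.2.0/24
descr:          Example route object (constructed sample)
origin:         AS64496
source:         RADB

route:          198.51.100.0/25
descr:          Example route object (constructed sample)
origin:         AS64496
source:         RADB
'

# Take prefixes from the route: attribute only; a bare grep for dotted
# quads would also pick up addresses mentioned in descr/remarks lines.
extract_prefixes() {
    printf '%s\n' "$1" | awk '$1 == "route:" { print $2 }' | sort -u
}

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if address $1 falls inside any CIDR in the newline-separated
# list $2, otherwise 1.
ip_in_prefixes() {
    local ip net bits mask prefix
    ip=$(ip_to_int "$1")
    while IFS= read -r prefix; do
        [ -n "$prefix" ] || continue
        net=$(ip_to_int "${prefix%/*}")
        bits=${prefix#*/}
        mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
        [ $(( ip & mask )) -eq $(( net & mask )) ] && return 0
    done <<EOF
$2
EOF
    return 1
}

PREFIXES=$(extract_prefixes "$SAMPLE_WHOIS")
ip_in_prefixes 192.0.2.77 "$PREFIXES" && echo "192.0.2.77 covered"
ip_in_prefixes 198.51.100.200 "$PREFIXES" || echo "198.51.100.200 not covered"
```

To audit a real list, replace SAMPLE_WHOIS with the live whois output and loop ip_in_prefixes over each manually gathered address; anything reported as not covered is either a typo or an address outside the association's ranges.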

And so, now we have a much better way of gathering our lists of IPs and can filter them all out (if required).

Of course there is the big assumption, that a) the company is large enough to have its own IP range and association, and b) that the association's IP addresses are only used for the internal traffic that we want to filter out.