IP Attribution Skill
Purpose
Map discovered IP addresses to cloud providers, Autonomous System Numbers (ASNs), and organizations through WHOIS lookups and cloud IP range matching.
Operations
- dns_resolve
Resolve domain names to IP addresses.
Command:
dig +short A {domain}
dig +short AAAA {domain}
Process:
- Query A records for IPv4 addresses
- Query AAAA records for IPv6 addresses
- Handle CNAME chains (follow to final IP)
- Record all resolved IPs
Output:
{
  "domain": "example.com",
  "ipv4": ["93.184.216.34"],
  "ipv6": ["2606:2800:220:1:248:1893:25c8:1946"],
  "cname_chain": ["example.com", "cdn.example.net"]
}
- whois_ip_lookup
Query WHOIS for IP ownership information.
Command:
whois {ip_address} | grep -iE "OrgName|Organization|NetName|Country|CIDR|ASN|OriginAS|Abuse"
Fields to Extract:
- OrgName / Organization
- NetName
- Country
- CIDR Block
- ASN / OriginAS
- Abuse Contact
Example Output:
{
  "ip": "93.184.216.34",
  "organization": "Edgecast Inc.",
  "net_name": "EDGECAST",
  "country": "US",
  "cidr": "93.184.216.0/24",
  "asn": "AS15133"
}
- asn_lookup
Identify the Autonomous System Number for an IP.
Command:
dig +short {reversed_ip}.origin.asn.cymru.com TXT
Process:
- Reverse IP octets (1.2.3.4 → 4.3.2.1)
- Query Team Cymru ASN service
- Parse ASN, country, registry info
Response Format:
"15133 | US | arin | 2007-03-01 | EDGECAST"
- cloud_provider_match
Match IP against known cloud provider IP ranges.
Cloud Provider IP Sources:
AWS:
  URL: https://ip-ranges.amazonaws.com/ip-ranges.json
  Fields: ip_prefix, region, service
GCP:
  URL: https://www.gstatic.com/ipranges/cloud.json
  Fields: ipv4Prefix, ipv6Prefix, scope
Azure:
  URL: https://www.microsoft.com/en-us/download/details.aspx?id=56519
  Note: Weekly updated JSON files
Cloudflare:
  URL: https://www.cloudflare.com/ips-v4
  URL: https://www.cloudflare.com/ips-v6
Matching Process:
- Download/cache cloud IP ranges
- For each target IP, check membership in ranges
- Return provider, region, service if matched
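A sketch of the matching process above, added here as an example and not part of the skill's own code. The function names are hypothetical, the top-level "prefixes" / "ipv6_prefixes" keys and the "ipv6_prefix" field are assumed from the providers' published file layouts, and the sample feeds are constructed from documentation address ranges rather than real provider prefixes.

```python
import ipaddress

# Constructed sample data in the shape of AWS ip-ranges.json and GCP cloud.json.
# Prefixes are documentation ranges (RFC 5737 / RFC 3849), not real provider ranges.
AWS_SAMPLE = {"prefixes": [
    {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "CLOUDFRONT"},
], "ipv6_prefixes": []}
GCP_SAMPLE = {"prefixes": [
    {"ipv4Prefix": "203.0.113.0/24", "scope": "us-central1"},
    {"ipv6Prefix": "2001:db8:4000::/40", "scope": "europe-west1"},
]}


def load_ranges(aws, gcp):
    """Flatten both feeds into (network, provider, region, service) tuples."""
    rows = []
    for p in aws.get("prefixes", []) + aws.get("ipv6_prefixes", []):
        cidr = p.get("ip_prefix") or p.get("ipv6_prefix")
        rows.append((ipaddress.ip_network(cidr), "AWS", p["region"], p["service"]))
    for p in gcp.get("prefixes", []):
        cidr = p.get("ipv4Prefix") or p.get("ipv6Prefix")
        rows.append((ipaddress.ip_network(cidr), "GCP", p["scope"], p.get("service")))
    return rows


def match_ip(ip, rows):
    """Return the most specific matching range, or provider "Unknown"."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return {"ip": ip, "provider": "Unknown", "error": "invalid address"}
    hits = [r for r in rows if r[0].version == addr.version and addr in r[0]]
    if not hits:
        return {"ip": ip, "provider": "Unknown"}
    # Longest prefix wins; on a tie prefer a named service over the generic
    # "AMAZON" entry, which is a superset listing of every AWS range.
    net, provider, region, service = max(
        hits, key=lambda r: (r[0].prefixlen, r[3] not in (None, "AMAZON")))
    return {"ip": ip, "provider": provider, "region": region,
            "service": service, "range": str(net)}
```

The AWS feed lists the same prefix under several services, so taking the first hit would often report only the generic entry; the tie-break keeps the service-specific attribution.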
Output
{
  "skill": "ip_attribution",
  "domain": "string",
  "results": {
    "ip_mappings": [
      {
        "domain": "example.com",
        "ip": "93.184.216.34",
        "ip_version": "ipv4",
        "attribution": {
          "cloud_provider": "AWS|GCP|Azure|Cloudflare|Other",
          "cloud_region": "us-east-1",
          "cloud_service": "CloudFront",
          "organization": "Amazon.com, Inc.",
          "asn": "AS16509",
          "asn_name": "AMAZON-02",
          "country": "US",
          "cidr": "93.184.216.0/24"
        },
        "is_cloud": true,
        "is_cdn": true
      }
    ],
    "summary": {
      "unique_ips": "number",
      "cloud_hosted": "number",
      "cdn_fronted": "number",
      "providers_detected": ["array"]
    }
  },
  "evidence": [
    {
      "type": "dns_resolution",
      "domain": "string",
      "ip": "string",
      "timestamp": "ISO-8601"
    },
    {
      "type": "whois",
      "ip": "string",
      "organization": "string"
    },
    {
      "type": "cloud_ip_match",
      "ip": "string",
      "provider": "string",
      "range": "string"
    }
  ]
}
Cloud Provider Detection Signals
| Provider | IP Range Pattern | ASN Pattern |
|---|---|---|
| AWS | From ip-ranges.json | AS16509, AS14618 |
| GCP | From cloud.json | AS15169, AS396982 |
| Azure | From ServiceTags | AS8075 |
| Cloudflare | 104.16.0.0/12, 172.64.0.0/13 | AS13335 |
| Fastly | 151.101.0.0/16 | AS54113 |
| Akamai | Various | AS20940, AS16625 |
| DigitalOcean | Various | AS14061 |
| Linode | Various | AS63949 |
| Vultr | Various | AS20473 |
| Heroku | AWS ranges | (Uses AWS) |
| Vercel | Various | AS209242 |
| Netlify | Various | AS205948 |
Rate Limiting
- DNS queries: No hard limit (use local resolver)
- WHOIS queries: 5 requests/minute
- Cloud IP range downloads: Cache for 24 hours
Error Handling
- If DNS fails, record as unresolvable
- If WHOIS fails, continue with ASN lookup
- If cloud matching fails, return "Unknown" provider
- Never block on a single failure
Security Considerations
- Only use public DNS and WHOIS services
- Cache cloud IP ranges to reduce external requests
- Log all queries for audit trail
- Respect rate limits