I want to know all IPv4 addresses with subnets that are outside of the
USA. I have followed these links and have not been able to find out
all the infromation I need. I want these subnets so I can block them
on my first router from ever even coming into my network. For what we
do, there is no reason anyone from outside the USA should be in our
network. I would prefer that the subnets be listed in an IP format,
such as 255.255.255.255.

http://www.apnic.net/db/ranges.html   <- this is what Im looking for
http://www.apnic.net/community/other_orgs.html
http://www.ripe.net/
http://lacnic.net/en/index.html
http://www.afrinic.org/

---

Request for Question Clarification by markoft-ga on 10 Nov 2002 23:36 PST

I went to the first link given and about 3/4 of the way down the page
it links to periodical reports of allocations for RIPE, ARIN, and
APNIC.  Are you looking for Cisco config ready versions of those
reports?

In addition to the warnings mentioned in the comments below I would
also like to add that you will not be able to access any sites outside
of the US.  Programs such as VNS and PuttySSH live on UK servers,
Cisco has 3 separate support centers located around the world so that
they can provide support 24/7 but only have each call center open for
8-10 hours a day.  I do not know if any of those are of use to
you/your company but just wanted to bring it to your attention just in
case.

---

Clarification of Question by ghostalker623-ga on 11 Nov 2002 14:08 PST

I want to know what resource IP ranges APIC, RIPE, AFRINIC and LACNIC
are in charge of. The question as I see it is 25% answered as I
answered the first question providing exactly what kind of information
I want. If you will follow that link you will see exactly what Im
looking for.

I hope that clarifies things better.

---

Clarification of Question by ghostalker623-ga on 11 Nov 2002 14:12 PST

Sorry I did not see your clarification request. I was reading the
comments.

Yes, I am aware of that as well as CISCO Support centers are located
throughout the World. I am fully aware of the consequences that can
happen once this list gets put onto our perimeter router.

Im not looking for CISCO ready configs. If you look at APIC's link I
provided about half a page down you will see:

61.0.0.0/8
202.0.0.0/7
210.0.0.0/7
218.0.0.0/7
220.0.0.0/7
169.208.0/12 (Conferences & exhibitions; temporary assignments)

This is exactly the information I am looking for. Except, break out
the 8's, 7's and the 12 into an actual mask such as 255.0.0.0 instead
of the 8 or the 7 or 12.

---

Clarification of Question by ghostalker623-ga on 11 Nov 2002 14:28 PST

Also, when providing the answer, post under each authority the ranges
they are in charge of.

Also post how the information was obtained.

---

Clarification of Question by ghostalker623-ga on 12 Nov 2002 07:23 PST

I gave this to another staff member to research and was able to come
up with the IP ranges that I had requested. Here is what you do:

http://www.arin.net/whois/index.html 

And here is what to search for:

Asia Pacific Network

European Regional Internet

RIPE

Down at the bottom you will see the ranges that each authority is
responsible for, with IP ranges and subnet masks.

there is no 100% definitive way to reject non-us ip addresses.

you may want to check out another question that was answered that
relates to your current one:
https://answers.google.com/answers/main?cmd=threadview&id=94277

Specifically, it has a link to the only truly promising software I
have found for mapping an ip to a location:
http://www.networldmap.com/TryIt.htm

Unfortunatly, the product appears to be tuned to use on websites, but
could possibly be adaptable to your needs.

Sure you can. Its called ip access-list 102 deny ip 64.0.0.0 255.0.0.0
No IP address in this subnet range will then be permitted to pass my
CISCO 7206 router to my network.

These websites I provided are the internet assignment authority for
countries. ARIN.NET as far as I know is in charge of assignments for
North America. Its got to be out there somewhere.

I think what funkywizard is referring to is the fact that there is no
100% definitive way to determine if an IP is in the US. See the
discussion here:

https://answers.google.com/answers/main?cmd=threadview&id=93523

There are way too many weird, off the wall configurations out there to
make this a possibility.  An IP address, no matter where it has been
'assigned', can end up anywhere, really.

watershed-ga

It doesnt matter to me. If the Internet Authorities for these
countries are in charge of the assignment of these IP addresses and
somebody here in the US makes use of one of these IP's that have been
designated for use outside of the US then theres something wrong with
that persons ISP. I understand that maybe a US company in Europe may
have an IP address of the company here in the US, but even still they
would have no business coming to where I work.

We have a PIX 535 firewall that does block most of this. The problem
we have is we have to have certain ports open such as 80, 25, 3389,
POP3, as well as a few others. Im tired of these damn Asian/European
numbers scanning us, trying to hack us, or trying to relay off of us.
Its getting extremely annonying. All of the IP's I have seen are all
off shore from the US from my logs. If I can get these IP's then I can
apply them to the 7206's ethernet interface that goes to the outside
interface of my PIX, and they will never get through. Now I understand
that if someone in the US tries or a CPU is compromised, then of
course yes it will get through. But then we have more of a chance of
getting something done with the ISP here in the US than in Taiwan.

You're unlikely to be 100% successful, as funkywizard says.

Anyone who was really concerned with accessing your network, as
opposed to an curious overseas visitor, could quite easily use a US
based proxy (for web related things), or open a shell account in the
US to do socket level operations into your network.

After reading what exactly is trying to be accomplished here, I can
say that other researchers should definitly look into this more.
Although I still assert that the asker will not be 100% sucessful with
what he is trying to accomplish, his main goal could probably be
achieved using less than perfect data. I do not believe I am up to
this task, but I do encourage others to try to do their best to answer
this question.

If theres someone out there that determined who lives in a foreign
country that wants to hack into our network; no matter what I do, is
not going to stop them from doing this. However, for the most part, it
will stop a lot of those annonyances from ever comming in on the ports
we do allow open. Im not saying that this will solve 100% of all our
problems. However, if I could get this information, it would solve
almost 95% of the problems I see in our security logs. Its very
cumbersome to build deny access-lists based off of each IP I see in
the logs.

For the most part, being the "entity" where I work, applying some
legal pressure to a US company/citizen, and/or obtaining legal action
against an ISP would be much easier with the laws/rules we have in
this Nation than it would be against a Taiwanese/European ISP.

Hello,

As others have pointed out before, there is no correlation between ip
adress and geographic location. However you can determine who the
adress belongs to, and also the postal address provided for
registration, using whois servers from the APNIC, RIPE, etc ...

Here is a tool which automates the requests and also extracts country
codes and geographic locations from the whois report :

NetGeo :
http://www.caida.org/tools/utilities/netgeo/index.xml

There are perl and Java APIs available as well as an interactive form
for you to experiment :
http://netgeo.caida.org/perl/netgeo.cgi