I have about 200 IPs that have been firewalled because of various factors (SSH brute-force attempts, FTP brute-force attempts, attempted SSH access from Linux).
I got a bug up my butt and decided to build a database so that I could track how often a specific IP that has been firewalled made repeated attempts, i.e. same day, every day, and also where these IPs originated from (origin country).
During some initial research, I was doing some command-line whois against these IPs, and for the most part the originating country was China. I then downloaded the Net::Whois::ARIN CPAN module to automate this collection process and was surprised at the results.
Where I was expecting most of the offending IPs to be coming from eastern countries (Korea/China), I was seeing South American originating countries. The registrant URL that was being used by this CPAN module is whois.arin.net. When I changed this to whois.apnic.net, I began seeing the countries I was expecting to see. Now I haven’t run any traces against these IPs to actually see where they go back to, and I sure am not going to do that in a Perl script.
But why the differences? Who is right? Lol, I think I’m firewalled from whois.apnic.net because I kept running the script with too much volume.
???
Dan
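Added example, not part of Dan's post and not code from Net::Whois::ARIN. Each of the five regional registries (ARIN, APNIC, RIPE, LACNIC, AFRINIC) is authoritative only for the address space IANA delegated to it. When you ask whois.arin.net about an address that belongs to another registry, ARIN answers with a placeholder record for the whole delegated block plus a `ReferralServer:` line pointing at the registry that actually holds the allocation. A script that takes the `Country:` field from that first answer is reading the placeholder, not the real registrant. The script below either picks the right server up front from the IANA /8 table or starts at ARIN and follows the referral, and it spaces out live queries because the registries rate-limit and block chatty clients. The whois responses and the prefix table are constructed samples in the shape the registries return; the sample IPs, `fake_fetch` and `SAMPLE_RESPONSES` are assumptions for the demo.

```python
"""Added example for this thread: resolve an IP's origin country by asking the
right RIR, following ReferralServer lines instead of trusting ARIN's first
answer. Not the poster's Perl script and not Net::Whois::ARIN."""
import ipaddress
import re
import socket
import time

# A few /8 delegations from the IANA IPv4 address space registry
# (https://www.iana.org/assignments/ipv4-address-space). Constructed subset
# for the example; load the full registry for real use.
RIR_BY_PREFIX = {
    "1.0.0.0/8": "whois.apnic.net",
    "8.0.0.0/8": "whois.arin.net",
    "41.0.0.0/8": "whois.afrinic.net",
    "80.0.0.0/8": "whois.ripe.net",
    "200.0.0.0/8": "whois.lacnic.net",
}


def rir_for_ip(ip):
    """Pick the RIR whois server for an IP from the prefix table (None if not listed)."""
    addr = ipaddress.ip_address(ip)
    for prefix, server in RIR_BY_PREFIX.items():
        if addr in ipaddress.ip_network(prefix):
            return server
    return None


# ARIN writes "ReferralServer: whois://whois.apnic.net" (sometimes with :43);
# ARIN uses "Country:", the RPSL-style registries use "country:".
_REFERRAL = re.compile(r"^ReferralServer:\s*(?:r?whois://)?([\w.-]+)(?::\d+)?\s*$", re.I | re.M)
_COUNTRY = re.compile(r"^country:\s*([A-Z]{2})\s*$", re.I | re.M)


def parse_whois(text):
    """Return (country, referral_server) found in a whois text response."""
    country = _COUNTRY.search(text)
    referral = _REFERRAL.search(text)
    return (country.group(1).upper() if country else None,
            referral.group(1).lower() if referral else None)


def lookup_country(ip, fetch, start="whois.arin.net", max_hops=3):
    """Query `start`, follow ReferralServer lines, return (country, answering server)."""
    server = start
    seen = []
    for _ in range(max_hops):
        seen.append(server)
        country, referral = parse_whois(fetch(server, ip))
        if referral and referral not in seen:
            server = referral      # the current record is only a placeholder
            continue
        return country, server
    return None, server


def fetch_whois(server, ip, delay=2.0):
    """Real port-43 query. Sleep between calls: RIRs block clients that hammer them."""
    time.sleep(delay)
    with socket.create_connection((server, 43), timeout=10) as s:
        s.sendall((ip + "\r\n").encode())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


# Constructed sample responses (assumption) so the example runs offline.
# ARIN's placeholder for the APNIC /8 carries APNIC's own country, not the registrant's.
SAMPLE_RESPONSES = {
    ("whois.arin.net", "1.2.3.4"):
        "NetRange:       1.0.0.0 - 1.255.255.255\n"
        "NetName:        APNIC-1\n"
        "Country:        AU\n"
        "ReferralServer: whois://whois.apnic.net\n",
    ("whois.apnic.net", "1.2.3.4"):
        "inetnum:        1.2.3.0 - 1.2.3.255\n"
        "netname:        EXAMPLE-NET\n"
        "country:        CN\n",
    ("whois.arin.net", "8.0.0.1"):
        "NetRange:       8.0.0.0 - 8.255.255.255\n"
        "Country:        US\n",
}


def fake_fetch(server, ip):
    """Offline stand-in for fetch_whois (assumption for the demo)."""
    return SAMPLE_RESPONSES.get((server, ip), "")


if __name__ == "__main__":
    for ip in ("1.2.3.4", "8.0.0.1"):
        naive, _ = parse_whois(fake_fetch("whois.arin.net", ip))
        country, server = lookup_country(ip, fake_fetch)
        print(f"{ip}: ARIN alone says {naive}; after referral {country} (from {server}); "
              f"prefix table says {rir_for_ip(ip)}")
```

For the real thing, pass `fetch_whois` instead of `fake_fetch` and keep the delay; the ban Dan mentions is the usual result of running a loop of unthrottled queries against one registry.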