You could just rune trace from a cisco router (or do a trace from a looking glass). It shows the AS numbers along the path. Just pick out the last one. It also has the advantage of telling you who is really announcing it at this time rather then who 'should' be announcing it. Guessing a script could be written using RANCID or some code from lookingglass quite quickly. Tracing the route to w2.scd.yahoo.com (66.218.71.81) 1 sjc3-core5-pos6-0.atlas.algx.net (165.117.48.62) 204 msec 204 msec 200 msec 2 sjc3-yahoo.peer.algx.net (165.117.67.110) 200 msec 200 msec 4 msec 3 ge-0-0-0-p32.pat2.pao.yahoo.com (216.115.100.76) [AS 10310] 200 msec 0 msec ge-0-0-0-p31.pat2.pao.yahoo.com (216.115.100.68) [AS 10310] 200 msec 4 vl28.bas1.scd.yahoo.com (216.115.101.42) [AS 10310] 200 msec 204 msec 200 msec 5 w2.scd.yahoo.com (66.218.71.81) [AS 26101] 0 msec 204 msec 228 msec At 08:09 AM 2/20/2003 -0500, William Allen Simpson wrote: Anybody have a pointer to scripts to map IP to AS? There are still 10K-20K hosts spewing M$SQL slammer/sapphire packets, and I'd like to start blocking routing to those irresponsible AS's that haven't blocked their miscreant customers. http://isc.sans.org/port_details.html?port=1434 <http://isc.sans.org/port_details.html?port=1434> -- William Allen Simpson Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32 -tdawson -tdawson@sprintlabs.com