You could just rune trace from a cisco router (or do a trace from a
looking glass). It shows the AS numbers along the path. Just pick out the
last one. It also has the advantage of telling you who is really
announcing it at this time rather then who 'should' be announcing
it.
Guessing a script could be written using RANCID or some code from
lookingglass quite quickly.
Tracing the route to w2.scd.yahoo.com
(66.218.71.81)
1 sjc3-core5-pos6-0.atlas.algx.net (165.117.48.62) 204 msec 204
msec 200 msec
2 sjc3-yahoo.peer.algx.net (165.117.67.110) 200 msec 200 msec 4
msec
3 ge-0-0-0-p32.pat2.pao.yahoo.com (216.115.100.76) [AS 10310] 200
msec 0 msec
ge-0-0-0-p31.pat2.pao.yahoo.com (216.115.100.68) [AS
10310] 200 msec
4 vl28.bas1.scd.yahoo.com (216.115.101.42) [AS 10310] 200 msec 204
msec 200 msec
5 w2.scd.yahoo.com (66.218.71.81) [AS 26101] 0 msec 204 msec 228
msec
At 08:09 AM 2/20/2003 -0500, William Allen Simpson
wrote:
Anybody have a pointer to scripts to map IP to AS?
There are still 10K-20K hosts spewing M$SQL slammer/sapphire packets,
and I'd like to start blocking routing to those irresponsible AS's
that haven't blocked their miscreant customers.
http://isc.sans.org/port_details.html?port=1434
--
William Allen Simpson
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32