Perhaps this sounds like a dumb question but hear me out: I’d like to determine who the service provider is for a given public IP address. I’m not talking about who owns it–that information is readily available–but instead who is actually using it.

Let’s take Netflix for example: if I see a stream of packets to a Netflix server and look up the owner of that destination IP I will invariably get Amazon because Netflix (like many service providers) runs on Amazon.

How could I identify that it is Netflix who is providing the service without doing DPI on the TLS handshake? (you can guess the service provider pretty well from the raw data stream as the server’s hostname will be there in plain text)


    What are you asking? If Bob is “subletting” an IP to Joe, how could you possibly detect that reliably? Providers are supposed to include accurate information in whois, but the system relies entirely on trust and many people submitted false information even before the days of AWS.

      Well, I could reliably detect “joe.com” if Joe was hosting “joe.com” on the IP and using proper TLS. I would just inspect the byte stream of his clients and scrape the hostname out of it.

      I’m wondering if perhaps there are databases available that do this mapping for you, or any other less invasive solutions to this.
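
The hostname scraping described in the last reply, as an added example that is not part of the original thread: a parser that reads the SNI hostname out of a TLS ClientHello. It assumes the whole ClientHello arrives in one TLS record; `extract_sni` and `build_sample_client_hello` are hypothetical names, and the sample handshake is constructed.

```python
import struct

def extract_sni(record: bytes):
    """Return the SNI hostname from a TLS ClientHello record, or None."""
    try:
        # Record header: type(1)=0x16 handshake, version(2), length(2)
        if len(record) < 5 or record[0] != 0x16:
            return None
        # Handshake header: msg_type(1)=0x01 ClientHello, length(3)
        if record[5] != 0x01:
            return None
        pos = 9 + 2 + 32                     # skip client_version and random
        pos += 1 + record[pos]               # session_id
        (suites_len,) = struct.unpack_from("!H", record, pos)
        pos += 2 + suites_len                # cipher_suites
        pos += 1 + record[pos]               # compression_methods
        (ext_total,) = struct.unpack_from("!H", record, pos)
        pos += 2
        end = min(pos + ext_total, len(record))
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == 0x0000:           # server_name extension
                # Body: list_len(2), name_type(1)=0 host_name, name_len(2), name
                name_type = record[pos + 2]
                (name_len,) = struct.unpack_from("!H", record, pos + 3)
                if name_type != 0 or pos + 5 + name_len > end:
                    return None
                return record[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                          # truncated or malformed input
    return None                              # no server_name extension present

def build_sample_client_hello(host: str) -> bytes:
    """Constructed minimal ClientHello carrying only a server_name extension."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0x0000, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00"        # version, random, empty session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00"      # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    print(extract_sni(build_sample_client_hello("joe.com")))
```

When the client uses Encrypted Client Hello, the name visible in the outer handshake is the public name of the fronting server rather than the site actually requested.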