ARIN and RIPE whois servers don't give any information about any of these addresses. It kinda bugs me because they're constant scans. Probably caused by some application I've installed (like automatic update check or...)
Thanks a lot guys. I have absolutely no idea why I'm getting these scans from China. I have no business associates there - nor any other transactions. Perhaps the Chinese want to get my business and make me unemployed too. ;-)
Thanks for the Apnic site link. RIPE and ARIN don't seem to work very well for me.
Briefly, China has 899 network assignments, all from APNIC. IP addresses are not assigned in a "convenient" manner, but are scattered in 23 ranges from 22.214.171.124/15 to 126.96.36.199/19. For example, in the 188.8.131.52/8 range, there are 3506 assignments located in
[compton ~]$ grep -h ' 202\.' IP.ADDR/stats/[ALR]* | cut -d' ' -f1 | sort -u | column
AF  BN  GU  JP  LK  MV  NZ  PW  TV  WS
AP  BT  HK  KH  MN  MY  PF  SB  TW
AS  CK  ID  KI  MO  NC  PG  SG  US
AU  CN  IN  KR  MP  NP  PH  TH  VN
BD  FJ  IO  LA  MU  NU  PK  TO  VU
[compton ~]$
Note also that these country codes (from ISO3166) are where the assignment is _registered_ and may not reflect where the actual computer is located.
As noted above, there are five "Regional Internet Registries". "AFRINIC" covers Africa, and some islands in the Indian Ocean. "APNIC" covers Southern Asia, from Afghanistan to Japan, and areas in the Pacific as far East as Pitcairn Island. ARIN covers North America, some islands in the Atlantic and Caribbean, and legacy assignments around the world. LACNIC covers Central and South America, and some islands in the Atlantic and Caribbean. RIPE covers Europe, Northern Asia, some areas in Africa that haven't been transferred to AFRINIC yet, and some islands in the Atlantic. See
There are also quite a number of "ISP's" run by entrepreneurs out to make a fast buck by selling IP space to all takers without question. As long as they don't piss off the Army (CHINANET - the major provider in China) or the government, you'll get all kinds of crap out of Chinese IP space.
While most registrations have been transferred to the appropriate region, there are still a number of non-local ones in ARIN:
[compton ~]$ cut -d' ' -f1 < IP.ADDR/stats/ARIN | sort -u | column
AG  BB  CH  FI  HU  JP  LC  PL  US
AI  BE  CZ  FR  IE  KN  LU  PR  VI
AR  BM  DE  GB  IL  KR  MX  SE
AT  BS  DO  GD  IT  KY  NL  SG
AU  CA  ES  HK  JM  LB  NO  TR
[compton ~]$ grep -c DE ARIN.gz
24
[compton ~]$
and RIPE has quite a few outside of Europe.
[compton ~]$ cut -d' ' -f1 < IP.ADDR/stats/RIPE | sort -u | column
AD  BH  EE  GL  IT  LU  NO  SE  UA
AE  BY  EG  GR  JO  LV  OM  SI  UG
AL  CH  ES  HR  KE  MA  PL  SK  UK
AM  CS  EU  HU  KG  MC  PS  SL  UZ
AT  CY  FI  IE  KW  MD  PT  SM  VA
AZ  CZ  FO  IL  KZ  MK  QA  SY  YE
BA  DE  FR  IQ  LB  MT  RO  TJ  YU
BE  DK  GE  IR  LI  NG  RU  TM
BG  DZ  GI  IS  LT  NL  SA  TR
[compton ~]$
But then, APNIC has a few "out of area" registrations too.
[compton ~]$ cut -d' ' -f1 < IP.ADDR/stats/APNIC | sort -u | column
AF  BT  GU  KH  MN  NC  PF  SG  VN
AP  CH  HK  KI  MO  NF  PG  TH  VU
AS  CK  ID  KR  MP  NP  PH  TO  WS
AU  CN  IN  LA  MU  NR  PK  TV
BD  FJ  IO  LK  MV  NU  PW  TW
BN  GB  JP  MM  MY  NZ  SB  US
[compton ~]$
That's odd, because when questioning RIPE I do get DE, FR, GB, BE, IT, NL and PL. When asking ARIN I'm referred to RIPE. In the meantime ARIN has configured its whois service in a way that they forward the question to the appropriate whois server. At least this works for RIPE and APNIC.
The few which do not belong to Europe belong to Africa. These domains, i.e. IP ranges, are currently being transferred to AFRINIC. I don't have the feeling that this makes anything easier. From time to time I came across IPs not belonging to anyone: ARIN says go-to-AFRINIC, AFRINIC says not-ours. *argl*
(1280 is 5 x 256, while 768 is 3 x 256 - the wonders of CIDR.)
Those 24 blocks in Germany at ARIN are probably early registrations that haven't been transferred to RIPE yet. The same is mostly true with the others - but note that ARIN (24) and APNIC (1) use GB and have no UK, while RIPE uses UK (1720) and has no GB.
Haven't noticed that.
Originally, there was only ARIN - RIPE and APNIC were formed later, LACNIC later still, and AFRINIC only in April of this year. I do see a lot of the "out of region" registrations being transferred from one RIR to another, but there still are some that may be appropriate in a non-local one. For example, there are five US registrations in APNIC - one is a satellite service for ships (presumably in the Pacific), two are overseas services of US companies (Akamai and eBay), one is a US division of an Asian company, and one is a US Military facility in the Pacific (no idea why it's not ARIN).
Oh yeah, I see that one with some frequency. Often, this is a mixup between the whois database and the allocation blocks. Drives me nuts too. If it's important, each of the RIRs has contact data that can let you reach a person - may not be very smart, but might have an explanation, or be able to initiate a fix. It worked when AFRINIC was announcing that
Based on the information you have provided and my experience, I'm guessing that you are seeing traffic from these IPs on UDP ports 1026/1027/etc, in which case it would very likely be messenger spam. See
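An added example, not part of the original thread: attributing a scanning source address to a registry and registered country from RIR delegation statistics, including the expansion of non-power-of-two counts such as 1280 and 768 into CIDR blocks. It assumes the pipe-delimited layout the RIRs publish rather than the poster's own space-separated IP.ADDR/stats files, and the sample records are constructed from private address space.

```python
import ipaddress

# Constructed sample in the published RIR layout:
#   registry|cc|type|start|count|date|status
# Addresses are private-range placeholders, not real assignments.
SAMPLE = """\
apnic|CN|ipv4|10.20.0.0|1280|20050101|allocated
apnic|US|ipv4|10.20.8.0|768|20050101|assigned
ripe|DE|ipv4|10.30.0.0|256|20050101|assigned
apnic|JP|ipv6|2001:db8::|32|20050101|allocated
"""

def parse(text):
    """Yield (registry, cc, first, last, cidrs) for each IPv4 record."""
    for line in text.splitlines():
        f = line.split("|")
        if len(f) < 7 or f[2] != "ipv4":
            continue  # skip version/summary lines, asn and ipv6 rows
        first = ipaddress.IPv4Address(f[3])
        last = first + (int(f[4]) - 1)  # count is a number of addresses
        # A count that is not a power of two needs several CIDR blocks.
        cidrs = list(ipaddress.summarize_address_range(first, last))
        yield f[0], f[1], first, last, cidrs

def lookup(text, addr):
    """Return (registry, cc) for addr, or None if no record covers it.
    cc is where the block is registered, not where the host sits."""
    ip = ipaddress.IPv4Address(addr)
    for reg, cc, first, last, _ in parse(text):
        if first <= ip <= last:
            return reg, cc
    return None

def cidrs_for(text, start):
    """Return the CIDR blocks covering the record that begins at start."""
    for _, _, first, _, cidrs in parse(text):
        if str(first) == start:
            return [str(c) for c in cidrs]
    return []

if __name__ == "__main__":
    for src in ("10.20.4.77", "10.20.9.1", "10.20.5.0"):
        print(src, lookup(SAMPLE, src))
    print(cidrs_for(SAMPLE, "10.20.0.0"))
```

A `None` result corresponds to the "not ours" answers mentioned in the thread: the address falls in a gap that no delegation record covers.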