IP Address record attributes - nesting dolls

IP Address Lookups: The Clues are Inside the Attributes

Finding out who’s in control of an IP address isn’t always as straight forward as you may think. Sometimes there’s more than one ISP mentioned in the record and that makes a difference when you need to know who’s in charge.

The process of sifting through an IP address record is like taking apart a Russian nesting doll. There can be several layers with each layer fitting in a particular order. To get to the secret inside you’ll want to take these layers apart.

In today’s post, we’re taking apart IP address records to identify the key attributes and what the attributes tell us about the record’s status.

When you think about it, an IP address is distributed in layers. On the top layer is the Regional Internet Registry (RIR) that oversee large areas like a continent. For example, ARIN is the North American registry and RIPE oversees Europe.

Each RIR allocates IP addresses in blocks to large networks that operate in one or several countries within their regions known as Local Internet Registries (LIR). These LIRs are ISPs that assign some of these IP addresses to their end-user customers.

IP Address: Allocations and Assignments
LIRs also divide and allocate some of this space to other networks in their region. This improves the region by creating more connections with each LIR routing some of the traffic for their network clients.

IP address records document these key connections between the end-user and the RIR. But, these records can become challenging to read when multiple networks appear in the record or when the details provided are unusual or vague.

These details are informational fields known as attributes. Attributes identify the RIR that allocated the address and, by association, the region. It can also identify the network and if the network reallocated or reassigned to another entity operating like an ISP. Some attributes are descriptive fields that hint about how the address is being used and whether it is portable and can be physically relocated to another data center. In other words, attributes are powerful  clues about the status of an IP address and who’s in charge of it – when they’re maintained correctly. Select a tab below to learn more about a key attribute and the types of information it can relay.

IP Address Attribute Definitions


netnamedescrstatus / nettypeanycastmnt-bysourceabuse
The netname is the name of the network. The name is supposed to be a concise and descriptive and reflect the name of the IP address block user. The network that has administrative control of the IP address record registers this name with their RIR. When that network ceases business, control of the IP address reverts back to the RIR for allocation to another network.
The descr is a free form field that is supposed to be used as a reference for identifying the organization and its location. Many times, this description ends up being more generic than that, i.e. the IP address is being used for cloud infrastructure or, in a reassignment; it is hosted at a datacenter operated by a particular customer. Descriptions may also be found under other attribute labels like the “remarks” field.

You’ll likely encounter at least one of these options in the status or nettype area:


There are rules to how an IP address can be distributed and rules for routing traffic to them. This section tells us which type we’re looking at. Several status codes describe these attributes, though the ones you’ll most likely encounter are Assigned PA, Reassignment, Reallocation and Anycast. Note that you will find similar announcements under “nettype” that include Direct Allocation and Reallocation.

It is important to note the difference between “allocation” and “assignment.” Allocation means the IP addresses are provided to networks and they maintain control of these addresses. .Assignment, on the other hand, means the address is delegated or loaned to the end-user which could also be an ISP. You should see these distinctions in the attributes below:

Direct Allocation” means the ISP or end-user received the IP address block direct from the RIR. These ISPs are at the top level and are encouraged to assign or allocate segments of this space to other ISPs or end-users. An ISP with a direct allocation has the ability to move the block and this is something to look for with ISPs that have small allocations.

An Assigned PA or “provider aggregatable” means the ISP (provider) can divide and assign (aggregate) segments of their IP address block to end-users. These end-users can include other ISPs. When this happens, traffic is routed through the network that provided them with the addresses. This means the path to the IP address is controlled by the network and not the customer and that is an important distinction for PA addresses. Because of this, PA addresses are not portable: they can only be used with the network providing the address. When a customer ceases to do business, the IP address is returned to the network and not the RIR. Most IP addresses that you encounter will probably be Assigned PA.

Why would an ISP choose a PA address if they are sharing traffic with their upstream PA provider? For one thing, this is an easy and inexpensive solution. By getting a PA address, an ISP can host in their provider’s data centers and take advantage of their traffic exchange. It adds flexibility to the hosting location. A PA address ISP can create a network in multiple RIR regions and place servers strategically. They can place servers near their target users or in countries where laws are either lenient or more protective with their hosting. If things change, the ISP can walk away and migrate their customers to a new location.


Assigned PI or “provider independent” fits the description of a portable IP address, though you may never see one. Some are owned by banks and SSL accreditation services that may choose a PI address to maintain the reputation of their IP block. PI addresses are allocated directly to end-users by the RIRs and, as such, have no ties to a network. Their routing is always independent of the Internet, though it provides the owner with the flexibility of changing hosting without changing IP addresses.

Reassignment is the transfer of a block or some subset of a block of IP addresses from one network or ISP to another network.

Reallocation is the transfer of IP addresses between Local Internet Registries (LIR) and RIRs. Siteground.com is an example of an ISP with reallocations between RIRs.

Anycast” identifies a service rather than a website. Anycast means multiple servers are sharing and receiving traffic for the same IP address. This is commonly used with services running on UDP like BitTorrent, as well as CDNs or content delivery networks like CloudFlare that direct requests for the customer’s domain to the nearest server in their region.

The “maintainer” is the network that currently manages and edits the IP address record. These edits include attributes like the netname and descr field, as well as reassignments and reallocations. Look for the MNT record at the bottom of an IP address record when troubleshooting an IP address reassignment or reallocation.

This is the Regional Internet Registry and, by association, the region where the IP address was originally allocated.
The “abuse” contact receives complaints for the IP address block shown next to its email address. Note that an ISP can maintain control of the abuse email over addresses that it has reassigned to a downstream ISP. A traceroute can sometimes help visualize the position of the abuse ISP relative to other users referenced in an IP address record. This is because the network with the original allocation of the IP address may be the first point of entry into the IP address block, followed by any downstream ISPs.

IP address attributes are only as good as the networks that maintain the records and this is another reason why traceroute may be needed to determine the relationship between networks.
Hosting information can also provide clues. Look for resolvehosts, the domain names through Whois or DNS lookup services like Domaintools.com. These domain names are issued by an ISP or user with some additional access to the IP address as an internal reference to its location or use.

In summary: IP addresses can be distributed through multiple layers. Check the attributes for clues about the status and control of your target IP address. You may want to verify your findings with a traceoute, checking the resolvehost record, looking for listings on a data center map, and by viewing the record through the rWhois service of the RIR that allocated the address.


IP Address references

Image source: https://en.wikipedia.org/wiki/Hierarchy#Nested_hierarchy