Help Documentation

VMP™ Security plugin documentation and support

Free Support

Support for users of the free version of the plugin is available on our support forums. The majority of features shown are available in the free version of VMP™ Security which helps protect millions of sites around the world.


Access Upgraded Support Now

Our support engineers respond to Premium tickets within a few hours on weekdays and to all others within 24 hours, and will be pleased to help you with advanced topics and provide comprehensive answers to your questions.


WHOIS Lookup

WHOIS Lookup is a small utility tool that queries the global WHOIS system for information about an IP address or domain. It is most often used during incident triage: you see a suspicious-looking visitor in Live Traffic, and you want to know which ISP, datacenter, or organization the IP belongs to before deciding what to do about it.


Running a WHOIS lookup

Open VMP Security → Tools → WHOIS Lookup. Enter either an IPv4 address, an IPv6 address, or a domain name and click Lookup. The page queries the appropriate WHOIS server for that resource type and returns the result in a few seconds.

You can also reach the WHOIS Lookup tool directly from any IP shown elsewhere in the plugin — from Live Traffic, from the firewall’s blocked-IP list, from scan results that mention an IP. The IP is pre-filled in the lookup form.

Interpreting the results

WHOIS results look intimidating but boil down to a few questions worth answering:

  • Who owns this range? The OrgName, org, or netname field. Often the ISP, sometimes the company that has been allocated the range directly. Useful for distinguishing “this is some random residential ISP” from “this is a hosting provider known for carrying attack traffic.”
  • What size range is the IP part of? The CIDR or inetnum field shows the start and end of the allocation. Useful when you are deciding whether to block a single IP or the whole range. A /32 block (single IP) catches one attacker; a /24 block (256 IPs) catches the whole subnet but may sweep up unrelated traffic.
  • Where is the registrant? The country field gives the country the range is registered in. Note that this is the country of registration, which can differ from the country the traffic actually comes from for cloud providers and large ISPs.
  • Is there abuse contact information? Most large allocations include an abuse-c or OrgAbuseEmail field. If you decide the traffic is genuinely malicious and worth reporting, this is where the report goes.

Taking action from a lookup

Once you understand the IP, the most common next steps from the WHOIS Lookup page are:

  • Block the IP. Adds the IP to the manual block list. Use for individual attackers.
  • Block the range. Adds the entire CIDR from the WHOIS result to the manual block list. Use for ranges that consistently produce attack traffic.
  • Allowlist the IP. Use only if you have positively identified the IP as legitimate (your own infrastructure, a payment provider, a known partner).
  • Send abuse report. Pre-fills an email to the abuse contact with timestamps and a brief description. You should still review and edit before sending.
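The questions in “Interpreting the results” and the block-the-range action above both depend on pulling the same handful of fields out of raw WHOIS text, which ARIN and RIPE-style registries name differently. The following is an added example written for this article, not code from the VMP Security plugin. The two sample records are constructed (they use the reserved documentation prefixes 203.0.113.0/24 and 198.51.100.0/24), the alias order is an assumption about which field is most informative, and the registry field names shown are the conventional ARIN and RIPE ones. It also goes slightly beyond the text by handling IPv6 `inet6num` records and ranges given as start-end pairs or comma-separated CIDR lists, and it includes a sanity check that the IP you are about to block actually falls inside the range the lookup returned.

```python
import ipaddress

# Constructed ARIN-style record; every value is made up for illustration.
ARIN_SAMPLE = """\
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        EXAMPLE-HOSTING-NET
OrgName:        Example Hosting LLC
Country:        US
OrgAbuseEmail:  abuse@example-hosting.test
"""

# Constructed RIPE-style record; RIPE prefixes comment lines with '%'.
RIPE_SAMPLE = """\
% Constructed sample, not a real registry response
inetnum:        198.51.100.0 - 198.51.100.63
netname:        EXAMPLE-ISP-DSL
org:            ORG-EX1-RIPE
country:        DE
abuse-c:        EXAB1-RIPE
abuse-mailbox:  abuse@example-isp.test
"""

# Registries name the same information differently; the first alias found wins,
# so each tuple is ordered from most to least descriptive (assumed ordering).
FIELD_ALIASES = {
    "owner":   ("orgname", "org-name", "netname", "descr", "org"),
    "range":   ("cidr", "inetnum", "inet6num", "netrange"),
    "country": ("country",),
    "abuse":   ("orgabuseemail", "abuse-mailbox", "abuse-c"),
}


def parse_whois(text):
    """Map lowercase field name -> first value seen, skipping registry comments."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#")):
            continue
        # Split on the first colon only, so IPv6 values keep their own colons.
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip().lower(), value.strip())
    return fields


def parse_range(value):
    """Turn 'a.b.c.0/24', 'a.b.c.0 - a.b.c.255' or a comma list into ip_network objects."""
    nets = []
    for part in value.split(","):
        part = part.strip()
        if "/" in part:
            nets.append(ipaddress.ip_network(part, strict=False))
        elif "-" in part:
            start, end = (ipaddress.ip_address(p.strip()) for p in part.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(start, end))
    return nets


def summarize(text):
    """Answer the four triage questions: owner, range size, country, abuse contact."""
    fields = parse_whois(text)

    def first(names):
        return next((fields[n] for n in names if n in fields), None)

    nets = parse_range(first(FIELD_ALIASES["range"]) or "")
    return {
        "owner": first(FIELD_ALIASES["owner"]),
        "networks": [str(n) for n in nets],
        "address_count": sum(n.num_addresses for n in nets),  # 256 for a /24
        "country": first(FIELD_ALIASES["country"]),
        "abuse": first(FIELD_ALIASES["abuse"]),
    }


def in_range(ip, summary):
    """Sanity check before 'Block the range': is this IP really inside the allocation?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in summary["networks"])


if __name__ == "__main__":
    for sample in (ARIN_SAMPLE, RIPE_SAMPLE):
        print(summarize(sample))
    print(in_range("203.0.113.77", summarize(ARIN_SAMPLE)))
```

The `address_count` figure is the number to look at before choosing “Block the range”: 256 addresses for a /24 is a different decision from the 2^96 addresses a /32 IPv6 allocation covers, and `in_range` catches the case where a stale or multi-block record would have you block a range the offending IP is not even in.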

Limitations

WHOIS data has known weak points to keep in mind:

  • Out-of-date information. Some allocations have not been re-registered in years, and the data on file may be stale. Hosting providers in particular reassign IPs frequently within their range.
  • Privacy proxies. Domain WHOIS results are often masked behind privacy services. The visible registrant is the privacy provider, not the actual owner. There is generally no way around this from public data.
  • Cloud and CDN ranges. Major cloud providers (AWS, GCP, Azure) and CDNs (Cloudflare, Fastly) own huge ranges that any of their customers can be using. A WHOIS result of “Amazon” tells you the IP is on AWS but not which AWS customer is using it.
  • Rate limits. WHOIS servers rate-limit queries from the same source IP. If you run many lookups quickly, expect some to be deferred. The plugin caches recent results to reduce repeated queries.
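The last point, that WHOIS servers rate-limit by source IP and that the plugin caches recent results, is easiest to see with a small client wrapper. This is an added example written for this article, not the plugin's implementation. The `backend` callable, the injected `clock`, and the budget of ten queries per sixty seconds are all assumptions chosen for illustration; a real backend would talk to the registry's WHOIS server, and the local budget only keeps you under a limit you have guessed at, so a query can still be deferred by the server itself.

```python
import time


class LookupDeferred(Exception):
    """Raised when the local query budget for the current window is spent."""


class CachedWhoisClient:
    """Front a WHOIS backend with a TTL cache and a per-window query budget.

    backend: callable(query) -> raw WHOIS text (hypothetical; a real one would
             open a TCP connection to the registry's WHOIS server).
    clock:   callable() -> seconds; injected so behaviour is testable offline.
    """

    def __init__(self, backend, ttl_seconds=3600, max_per_window=10,
                 window_seconds=60, clock=time.monotonic):
        self._backend = backend
        self._ttl = ttl_seconds
        self._max = max_per_window
        self._window = window_seconds
        self._clock = clock
        self._cache = {}   # normalized query -> (expires_at, raw_text)
        self._sent = []    # timestamps of backend calls inside the window

    def lookup(self, query):
        key = query.strip().lower()
        now = self._clock()
        hit = self._cache.get(key)
        if hit is not None and hit[0] > now:
            return hit[1]                      # fresh cached answer, no network
        # Forget backend calls that have aged out of the window.
        self._sent = [t for t in self._sent if t > now - self._window]
        if len(self._sent) >= self._max:
            raise LookupDeferred(f"local budget exhausted, retry {key} later")
        self._sent.append(now)
        raw = self._backend(key)
        self._cache[key] = (now + self._ttl, raw)
        return raw


def demo():
    """Drive the client with a fake clock and a counting backend; return what happened."""
    state = {"now": 0.0, "backend_calls": 0}

    def backend(query):
        state["backend_calls"] += 1
        return f"netname: CONSTRUCTED-NET\nqueried: {query}\n"   # constructed reply

    client = CachedWhoisClient(backend, ttl_seconds=100, max_per_window=2,
                               window_seconds=10, clock=lambda: state["now"])
    client.lookup("203.0.113.5")
    client.lookup("  203.0.113.5 ")                 # same query: served from cache
    calls_after_repeat = state["backend_calls"]      # 1
    client.lookup("203.0.113.6")                     # second backend call in window
    deferred = False
    try:
        client.lookup("203.0.113.7")                 # third within 10 s: deferred
    except LookupDeferred:
        deferred = True
    state["now"] = 11.0                              # window has rolled over
    client.lookup("203.0.113.7")
    calls_after_rollover = state["backend_calls"]    # 3
    state["now"] = 150.0                             # first entry's TTL has expired
    client.lookup("203.0.113.5")
    return {
        "calls_after_repeat": calls_after_repeat,
        "deferred": deferred,
        "calls_after_rollover": calls_after_rollover,
        "calls_after_expiry": state["backend_calls"],  # 4
    }


if __name__ == "__main__":
    print(demo())
```

Normalising the query before it becomes a cache key matters more than it looks: the same IP pasted from Live Traffic with a trailing space or copied in mixed case from a domain name would otherwise cost a second query against the registry.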