PeerGlass

Query all 5 global RIRs simultaneously for an IP address using RDAP.

Fires parallel RDAP requests to AFRINIC, APNIC, ARIN, LACNIC, and RIPE NCC. Exactly one RIR will be authoritative; the others return 'not found'. Normalizes all responses into a unified schema and returns a clear summary.

Results are cached for 1 hour to respect RIR rate limits.

Args: params (IPQueryInput): - ip_address (str): IPv4 or IPv6 address e.g. '1.1.1.1', '2001:4860:4860::8888' - response_format (str): 'markdown' (default) or 'json'

Returns: str: Registration details including prefix, owner, country, allocation date, abuse email, and responses from all 5 RIRs. JSON schema: { "ip": str, "results": [{"rir": str, "status": str, "error": str|null}], "normalized": [{"rir": str, "prefix": str, "name": str, "org_name": str, "country": str, "allocation_date": str, "abuse_email": str}] }

Query all 5 global RIRs simultaneously for an Autonomous System Number.

An ASN is a unique number assigned to a network operator (ISP, CDN, large enterprise) that participates in BGP routing. Examples: AS15169 = Google, AS13335 = Cloudflare, AS36864 = AFRINIC itself.

Accepts: 'AS15169', '15169', or named sets like 'AS-GOOGLE'. Results are cached for 1 hour.

Args: params (ASNQueryInput): - asn (str): ASN in any format (e.g. 'AS15169', '13335', 'AS-CLOUDFLARE') - response_format (str): 'markdown' (default) or 'json'

Returns: str: ASN registration details including owner, country, allocation date, abuse email, and responses from all 5 RIRs. JSON schema: { "asn": str, "results": [{"rir": str, "status": str}], "normalized": [{"rir": str, "asn": str, "name": str, "org_name": str, "country": str, "abuse_email": str}] }

Find the abuse contact for any IP address globally using IANA bootstrap routing.

Uses IANA RDAP Bootstrap to identify the authoritative RIR first (efficient), then queries only that RIR. Falls back to querying all 5 if bootstrap fails. Extracts abuse contacts from entity roles: 'abuse', 'technical', 'noc'.

Use this tool as the first step in any network abuse reporting workflow: spam, DDoS attacks, port scanning, credential stuffing, etc.

Results are cached for 1 hour.

Args: params (AbuseContactInput): - ip_address (str): IPv4 or IPv6 address (e.g. '185.220.101.1')

Returns: str: Markdown report with abuse email(s), phone(s), network name, organization, country, and authoritative RIR. JSON schema: { "ip_address": str, "authoritative_rir": str, "abuse_email": [str], "abuse_phone": [str], "network_name": str, "org_name": str, "country": str }

Check the real-time health of all 5 RIR RDAP servers simultaneously.

Queries the /help endpoint of each RIR (lightweight, no IP/ASN needed). Returns RDAP conformance levels and availability status.

Use this before bulk queries to verify connectivity, or to diagnose why a specific RIR's responses are failing.

Returns: str: Markdown table with RIR name, region, status (Online/Unreachable), and supported RDAP conformance extensions.

View the current state of the in-memory TTL cache.

The cache prevents repeated queries to RIRs within short windows, respecting rate limits and reducing latency for repeated lookups.

Returns: str: JSON with cache entry counts (total, alive, expired) and the configured TTL for each query type. Schema: { "cache_stats": {"total_entries": int, "alive": int, "expired": int}, "ttl_seconds": {"ip": int, "asn": int, "org": int, "abuse": int, "bgp": int, "rpki": int} }

Validate a prefix + ASN pair against the global RPKI using Cloudflare's validator.

RPKI (Resource Public Key Infrastructure) is the internet's route security framework. RIRs issue Route Origin Authorizations (ROAs) — digital certificates that cryptographically prove an ASN is authorized to announce a prefix.

Validity states: ✅ VALID — A matching ROA exists. Route is cryptographically authorized. 🚨 INVALID — A ROA exists but this ASN/prefix violates it. Possible hijack. ⚠️ NOT-FOUND — No ROA exists. Route is unverified (common, not inherently bad). ❓ UNKNOWN — Could not determine validity.

Combine with rir_check_bgp_status for full routing security assessment.

Results are cached for 15 minutes (ROAs can change, but not frequently).

Args: params (RPKICheckInput): - prefix (str): CIDR prefix e.g. '1.1.1.0/24' or '2400:cb00::/32' - asn (str): Originating ASN e.g. 'AS13335' or '13335'

Returns: str: RPKI validity state, description, and list of covering ROAs. JSON schema: { "prefix": str, "asn": str, "validity": "valid"|"invalid"|"not-found"|"unknown", "covering_roas": [{"asn": int, "prefix": str, "maxLength": int}], "description": str }

Check whether a prefix or ASN is currently visible in the global BGP routing table.

Uses RIPE Stat (which aggregates data from RIPE RIS route collectors worldwide). BGP is the internet's routing protocol — the "GPS" that tells traffic how to navigate from one network to another.

For a prefix, returns:

• Whether it is currently announced in BGP

• Which ASN(s) are announcing it (multiple = potential hijack)

• Percentage of global BGP peers that can see it (visibility)

For an ASN, returns:

• Whether the ASN has any active BGP announcements

• A list of all announced prefixes (use rir_get_announced_prefixes for details)

Combine with rir_check_rpki for complete routing security assessment. Results are cached for 5 minutes (BGP tables change frequently).

Args: params (BGPStatusInput): - resource (str): Prefix (e.g. '1.1.1.0/24') or ASN (e.g. 'AS15169') - response_format (str): 'markdown' (default) or 'json'

Returns: str: BGP visibility, announcing ASNs, and prefix list. JSON schema: { "resource": str, "resource_type": str, "is_announced": bool, "announcing_asns": [str], "visibility_percent": float, "announced_prefixes": [{"prefix": str, "peers_seeing": int}] }

Retrieve all IP prefixes currently being announced by an ASN in BGP.

This shows the ASN's complete routing footprint — every IP range it is actively advertising to the global internet via BGP. Uses RIPE Stat's announced-prefixes endpoint.

Useful for:

• Understanding an organization's complete IP footprint

• Detecting unexpected prefix announcements (possible hijacks)

• M&A due diligence on network assets

• Security research and threat intelligence

min_peers_seeing filters out unstable/flapping routes that only a small number of BGP peers can see. Higher = more stable routes only.

Results are cached for 5 minutes.

Args: params (AnnouncedPrefixesInput): - asn (str): ASN to query (e.g. 'AS13335' or '15169') - min_peers_seeing (int): Minimum peer count filter (default: 5)

Returns: str: Complete list of announced prefixes with peer visibility and first/last seen timestamps. JSON schema: { "resource": str, "is_announced": bool, "announced_prefixes": [ {"prefix": str, "peers_seeing": int, "first_seen": str, "last_seen": str} ] }

Find all IP blocks and ASNs registered to an organization across all RIRs.

Searches RDAP entity databases at AFRINIC, APNIC, ARIN, and RIPE (LACNIC does not support RDAP entity search — a limitation is noted). Aggregates results into a unified inventory.

Use cases:

• M&A due diligence: What internet resources does Company X own globally?

• Security research: What is the full IP footprint of an organization?

• ICANN/RIR policy: Are resources distributed across multiple RIRs?

• Incident response: Did this org transfer/sell IP space recently?

Tips:

• Use org handles for precision (e.g. 'GOOGL-ARIN' not 'Google')

• Partial name matching is supported (e.g. 'Cloudflare' finds 'Cloudflare Inc.')

• Results are cached for 6 hours.

Args: params (OrgAuditInput): - org_name (str): Organization name or handle (e.g. 'Cloudflare', 'GOOGL-ARIN') - response_format (str): 'markdown' (default) or 'json'

Returns: str: Summary of all IP blocks and ASNs by RIR, with handles, names, countries, and allocation dates. JSON schema: { "org_query": str, "total_resources": int, "ip_blocks": [{"rir": str, "handle": str, "prefix_or_asn": str, "name": str, "country": str}], "asns": [...], "rirs_found_in": [str], "errors": [str] }

Fetch the complete registration history for an IP prefix or ASN.

Returns a chronological timeline of every change ever recorded:

• Initial registration (who, when, under which RIR)

• Org / maintainer changes (potential ownership transfers)

• Status changes (allocated → assigned → available)

• Last-changed updates

Uses RIPE Stat's historical-whois and allocation-history APIs. Coverage is best for RIPE NCC resources; partial for other RIRs.

Use cases:

• "Has this IP block ever changed hands?"

• "When was this ASN first registered?"

• "What organization historically owned this prefix?"

• Due diligence, incident response, fraud investigation

Results are cached for 12 hours (historical records are stable).

Args: params (PrefixHistoryInput): - resource (str): IP prefix (e.g. '8.8.8.0/24') or ASN (e.g. 'AS15169') - response_format (str): 'markdown' (default) or 'json'

Returns: str: Chronological event timeline with dates, event types, and attribute changes. JSON schema: { "resource": str, "resource_type": str, "current_holder": str, "current_rir": str, "registration_date": str, "total_events": int, "events": [{"event_date": str, "event_type": str, "attribute": str, "old_value": str, "new_value": str}], "sources": [str], "errors": [str] }

Detect past ownership or cross-RIR transfers for an IP prefix or ASN.

An ownership transfer happens when a registered org (e.g. 'GOOGL-ARIN') changes to another org ('META-1-ARIN') in the registration record. A cross-RIR transfer is rarer — it means the resource physically moved between registries (e.g. from ARIN to RIPE NCC after an acquisition).

Transfer types detected: 🏢 Org Change — The registering organization changed 🌍→🌎 Cross-RIR — The resource moved to a different RIR 🔄 Intra-RIR — Maintainer changed within the same RIR

How it works: compares consecutive historical WHOIS object versions. If 'org' or 'mnt-by' changed between versions, a transfer is flagged. If RIR-specific suffixes in the handles differ, it's cross-RIR.

Results are cached for 12 hours.

Args: params (TransferDetectInput): - resource (str): IP prefix (e.g. '8.8.8.0/24') or ASN (e.g. 'AS15169') - response_format (str): 'markdown' (default) or 'json'

Returns: str: List of detected transfers with dates, types, from/to org, and evidence. JSON schema: { "resource": str, "resource_type": str, "transfers_detected": int, "transfers": [{"transfer_date": str, "transfer_type": str, "from_org": str, "to_org": str, "from_rir": str, "to_rir": str, "evidence": str}], "current_holder": str, "first_registered": str, "sources": [str], "notes": [str] }

Fetch global IPv4, IPv6, and ASN allocation statistics from all 5 RIRs.

Parses the NRO Extended Delegation Stats files — the authoritative daily publication of how each RIR has distributed address space:

• How many IPv4 prefixes allocated (to ISPs) vs assigned (to end users)

• Remaining free IPv4 pool (where published — most RIRs are exhausted)

• IPv6 prefix count and growth

• Total ASNs issued

Why this matters:

• IPv4 was exhausted at IANA in 2011

• APNIC exhausted in 2011, RIPE in 2012, ARIN in 2015

• LACNIC near exhaustion 2020, AFRINIC followed

• IPv6 transition is the only long-term solution

• This tool lets you track adoption and exhaustion state in real time

Results are cached for 24 hours (stats files are published once daily).

Args: params (IPv4StatsInput): - rir_filter (str, optional): Filter to one RIR ('AFRINIC', 'APNIC', 'ARIN', 'LACNIC', 'RIPE'). Leave empty for all 5. - include_blocks (bool): Include raw delegated IPv4 blocks for the selected RIR. Requires rir_filter to be set. - status_filter (str, optional): allocated | assigned | available (free is normalized). - country_filter (str, optional): 2-letter country code filter (e.g. 'GH', 'ZA'). - limit (int): Max number of block rows when include_blocks=true. - offset (int): Pagination offset for block rows. - response_format (str): 'markdown' (default) or 'json'

Returns: str: Per-RIR table of IPv4/IPv6/ASN counts with totals and exhaustion context. JSON schema: { "queried_at": str, "rirs": [{"rir": str, "region": str, "ipv4_total_prefixes": int, "ipv4_allocated": int, "ipv4_assigned": int, "ipv4_available": int, "ipv6_total_prefixes": int, "asn_total": int, "stats_date": str}], "global_ipv4_prefixes": int, "global_ipv6_prefixes": int, "global_asns": int, "ipv4_blocks": [ {"rir": str, "country": str|null, "start_ip": str, "end_ip": str, "address_count": int, "date": str|null, "status": str} ], "blocks_total": int, "blocks_returned": int, "blocks_limit": int|null, "blocks_offset": int|null, "blocks_filters": {"rir_filter": str|null, "status_filter": str|null, "country_filter": str|null} }

Fetch a rich hierarchical overview of an IP prefix.

IP address space is organized in a tree structure:

• A /8 contains 256 /16s, each /16 contains 256 /24s, and so on.

• 'Less-specific' = the parent block this prefix was carved from.

• 'More-specific' = smaller blocks assigned within this prefix.

Think of it like a real estate map: Less-specific = the city block (containing your property) The prefix itself = your land parcel More-specific = subdivisions within your parcel

This tool fetches all three layers in parallel (3 RIPE Stat API calls simultaneously) and returns a unified view including:

• Current holder and announcement status

• Which ASN(s) are announcing it (multiple = potential hijack)

• All less-specific (parent) prefixes up the tree

• All more-specific (child) prefixes within the block

Combine with rir_check_rpki to validate the announcing ASN. Results are cached for 1 hour.

Args: params (PrefixOverviewInput): - prefix (str): IP prefix in CIDR notation (e.g. '1.1.1.0/24') - response_format (str): 'markdown' (default) or 'json'

Returns: str: Holder info, BGP status, and full prefix hierarchy table. JSON schema: { "prefix": str, "holder": str, "rir": str, "country": str, "announced": bool, "announcing_asns": [str], "allocation_status": str, "related_prefixes": [{"prefix": str, "relationship": str, "holder": str, "origin_asn": str}], "errors": [str] }

Fetch peering policy, IXP presence, NOC contacts, and BGP neighbours for an ASN.

Data sources (queried in parallel):

• PeeringDB (www.peeringdb.com) — the internet's peering registry

• RIPE Stat asn-neighbours — live BGP upstream/downstream relationships

Information returned:

• Peering policy: Open / Selective / Restrictive / No Peering

• IRR AS-SET (used in route filters, e.g. AS-CLOUDFLARE)

• NOC email, abuse email, peering contact email

• IXP presence: which exchange points, peering IPs, link speed

• BGP neighbours: up to 30 adjacent ASNs in the routing table

Use cases:

• "Does Cloudflare have an Open peering policy?"

• "Which IXPs is AS13335 present at?"

• "What is the NOC email for AS1234 to report an incident?"

• "Is this ASN a residential ISP or a CDN?"

Results are cached for 6 hours.

Args: params (PeeringInfoInput): - asn (str): ASN to look up (e.g. 'AS13335', '13335', 'AS-CLOUDFLARE') - response_format (str): 'markdown' (default) or 'json'

Returns: str: Peering policy table, IXP presence table, contacts, BGP neighbours. JSON schema: { "asn": str, "network_name": str, "policy_general": str, "noc_email": str, "irr_as_set": str, "ixp_presence": [{"name": str, "city": str, "country": str, "ipaddr4": str, "ipaddr6": str, "speed": int}], "neighbour_asns": [str], "errors": [str] }

Search PeeringDB for Internet Exchange Points (IXPs) by country code or name.

An IXP is a physical location where ISPs and networks directly interconnect. Without IXPs, all traffic between two ISPs would travel via paid transit providers, costing more and adding latency. IXPs are the backbone of regional internet ecosystems.

Searching by country:

• Use 2-letter ISO country code: 'MU' (Mauritius), 'ZA' (South Africa), 'DE' (Germany), 'US' (United States), 'SG' (Singapore)

Searching by name:

• Partial name match: 'AMS-IX', 'LINX', 'Nairobi', 'Frankfurt'

Notable IXPs worldwide:

• DE-CIX Frankfurt (Germany) — Europe's busiest, 13+ Tbps

• AMS-IX (Netherlands) — 10+ Tbps

• LINX (UK) — London Internet Exchange

• JPNAP (Japan) — Asia-Pacific hub

• Nap.Africa / JINX — African exchanges

• MAURITIUS-IX — your local exchange!

Results are cached for 12 hours.

Args: params (IXPLookupInput): - query (str): 2-letter country code (e.g. 'MU') or IXP name fragment - response_format (str): 'markdown' (default) or 'json'

Returns: str: Table of matching IXPs with city, country, member count, and contact. JSON schema: { "query": str, "total_found": int, "ixps": [{"name": str, "city": str, "country": str, "member_count": int, "website": str, "tech_email": str}], "errors": [str] }

Run a comprehensive parallel health check on any IP address, prefix, or ASN.

Fires all checks simultaneously (parallel asyncio): RDAP → Who owns it? Which RIR? Country? Abuse contact? BGP → Is it announced? Which ASNs? What global visibility %? RPKI → Is the announcing ASN cryptographically authorized? (prefix only) PeeringDB → Peering policy? NOC email? IXP count? (ASN only)

Synthesises a health signal dashboard: ✅ All good — registered, announced, RPKI valid ⚠️ Warning — not announced, unprotected route (no ROA), missing contacts 🚨 Critical — RPKI invalid (possible hijack!), multiple origin ASNs (MOAS)

This is your first-response tool for:

• "Is this IP address legitimate?"

• "Is this ASN healthy and reachable?"

• "Is there anything suspicious about this prefix?"

• NOC incident triage, security team first-response

Results are cached for 5 minutes (includes live BGP data).

Args: params (NetworkHealthInput): - resource (str): IP ('1.1.1.1'), prefix ('1.1.1.0/24'), or ASN ('AS13335') - response_format (str): 'markdown' (default) or 'json'

Returns: str: Health signal dashboard + RDAP + BGP + RPKI + PeeringDB sections. JSON schema: { "resource": str, "resource_type": str, "queried_at": str, "rdap_holder": str, "rdap_rir": str, "rdap_country": str, "bgp_announced": bool, "bgp_announcing_asns": [str], "bgp_visibility_pct": float, "rpki_validity": str, "peering_policy": str, "peering_ixp_count": int, "health_signals": [str], "errors": [str] }

Monitor a prefix or ASN for registration and BGP routing changes between calls.

How it works:

• First call: captures a baseline snapshot of RDAP + BGP state. Stores it in memory for the server's lifetime.

• Subsequent calls: fetches the current state and diffs it against the baseline. Reports exactly which fields changed and from what to what.

• When changes are detected: automatically updates the baseline so the next call diffs from the new state (not the original).

• reset_baseline=True: discards any stored baseline and captures fresh.

Tracked fields (8 total): RDAP: Holder, RIR, Country, Allocation Status, Abuse Email BGP: Announced (bool), Origin ASN(s), Visibility %

Severity of changes: 🔴 BGP Origin ASN changed → possible hijack, verify with rir_check_rpki 🔴 RDAP Holder changed → possible transfer, check rir_detect_transfers 🟡 BGP Announced changed → prefix appeared/disappeared from routing 🟡 Country changed → registration country updated 🟢 Visibility % changed → normal BGP fluctuation

Baseline persists in server memory — not in a database. If the server restarts, baselines are lost and will be recreated on next call.

Args: params (ChangeMonitorInput): - resource (str): IP prefix (e.g. '8.8.8.0/24') or ASN (e.g. 'AS15169') - reset_baseline (bool): If True, discard baseline and start fresh

Returns: str: Baseline created confirmation (first call), or diff table (subsequent calls). JSON schema: { "resource": str, "status": str, (baseline_created|changes_detected|no_changes) "baseline_captured_at": str, "checked_at": str, "changes": [{"field": str, "old_value": str, "new_value": str}], "current_holder": str, "current_rir": str, "message": str }

Resolve a hostname or reverse-lookup an IP address and correlate the result with RDAP registration data (holder, country, RIR, covering prefix).

Args: params (DNSResolveInput): - target (str): Hostname or IP address (e.g. '8.8.8.8', 'cloudflare.com') - record_type (str): DNS record type — A, AAAA, PTR, MX, TXT, NS, CNAME … - response_format (str): 'markdown' (default) or 'json'

Returns: str: DNS records table + RDAP owner details for each resolved IP.

Enumerate all common DNS record types for a domain in one call: A, AAAA, MX, NS, TXT, SOA, CNAME, CAA, SRV — plus extracts SPF and DMARC policies inline.

Args: params (DNSEnumerateInput): - domain (str): Domain name (e.g. 'cloudflare.com') - response_format (str): 'markdown' (default) or 'json'

Returns: str: Per-type record tables with TTL values and extracted SPF/DMARC.

Validate the DNSSEC chain-of-trust for a domain. Checks DNSKEY, DS, and RRSIG records and reports SECURE / INSECURE / BOGUS / INDETERMINATE.

BOGUS status means signatures exist but fail validation — a serious indicator of misconfiguration or potential tampering.

Args: params (DNSSECInput): - domain (str): Domain name (e.g. 'cloudflare.com') - response_format (str): 'markdown' (default) or 'json'

Returns: str: DNSSEC status, chain validity, record counts, and signing algorithms.

Check an IPv4 address against 30 DNS blocklists simultaneously, including Spamhaus ZEN, Barracuda, SORBS, URIBL, and more. All queries run in parallel for fast results.

Args: params (DNSBLInput): - ip (str): IPv4 address to check (e.g. '1.2.3.4') - response_format (str): 'markdown' (default) or 'json'

Returns: str: Per-list listed/clean status with return codes and descriptions.

Comprehensive email security posture check for a domain:

• SPF: record presence, validity, and policy strength (-all / ~all / ?all)

• DMARC: policy (none/quarantine/reject), pct coverage, rua/ruf reporting

• DKIM: probes common selectors (google, selector1, default, k1, mail …)

• MX: mail server records

• BIMI: brand indicator for message identification

• Risk score: LOW / MEDIUM / HIGH / CRITICAL with specific issues listed

Args: params (EmailSecurityInput): - domain (str): Domain name (e.g. 'example.com') - response_format (str): 'markdown' (default) or 'json'

Returns: str: Full email security audit with risk level, score, and recommendations.

Check whether a recent DNS change has propagated globally by querying 10 geographically distributed resolvers simultaneously: Cloudflare (1.1.1.1), Google (8.8.8.8), Quad9, OpenDNS, Comodo, Verisign, Level3, FreeDNS, CleanBrowsing, and Alternate DNS.

Compares each resolver's answer to the majority answer and reports which resolvers are stale, diverging, or failing.

Args: params (DNSPropagationInput): - domain (str): Domain name (e.g. 'cloudflare.com') - record_type (str): DNS record type to check (default: A) - response_format (str): 'markdown' (default) or 'json'

Returns: str: Per-resolver answer table with propagation status and majority answer.

Connect to hostname:port over TLS and return full certificate details: subject, issuer, Subject Alternative Names (SANs), expiry date, days remaining, self-signed flag, TLS protocol version, cipher suite, chain length, and HSTS header presence.

Useful for:

• Verifying certificate validity before expiry

• Detecting self-signed or untrusted certificates

• Checking TLS configuration (version, cipher suite)

• Auditing HSTS deployment

Args: params (TLSInspectInput): - hostname (str): Target hostname (e.g. 'cloudflare.com') - port (int): TCP port — default 443 - response_format (str): 'markdown' (default) or 'json'

Returns: str: Certificate details, expiry countdown, issuer chain, and HSTS status.

Search crt.sh for all TLS certificates ever issued for a domain via Certificate Transparency logs. Returns deduplicated entries showing common name, issuer CA, validity period, and SAN name_value.

Useful for:

• Discovering shadow IT / undocumented subdomains

• Auditing which CAs have been used for a domain

• Finding certificates issued before/after security incidents

• Verifying certificate rotation

Args: params (CTLogInput): - domain (str): Domain name (e.g. 'cloudflare.com') - limit (int): Max entries to return (default 50, max 500) - response_format (str): 'markdown' (default) or 'json'

Returns: str: Certificate log table with CN, CA, validity dates, and unique CA summary.

Passive threat intelligence for an IP address from two sources:

1. Shodan InternetDB (always available, no API key required):

   • Open ports detected via internet scanning

   • CVE identifiers for detected services

   • Reverse DNS hostnames

   • Shodan tags (cdn, vpn, tor-exit, etc.)

2. GreyNoise Community (requires GREYNOISE_API_KEY env var):

   • Classification: malicious / benign / unknown

   • RIOT flag: trusted service (Google, Amazon, etc.)

   • Noise flag: benign internet background scanner

   • Named actor or service attribution

Produces an aggregated risk score (0–100) and level (LOW / MEDIUM / HIGH / CRITICAL).

Args: params (ThreatIntelInput): - ip (str): IPv4 address (e.g. '1.2.3.4') - response_format (str): 'markdown' (default) or 'json'

Returns: str: Open ports, CVEs, GreyNoise classification, and risk assessment.

Query RIPE Stat Passive DNS for historical DNS records associated with an IP address or domain name. Shows what hostnames pointed to an IP (or what IPs a hostname resolved to) over time, with first/last seen timestamps and observation counts.

Useful for:

• Tracing infrastructure changes over time

• Finding previously-used domains for an IP

• Investigating historical malware C2 infrastructure

• Attribution and threat hunting

Data source: RIPE NCC's Passive DNS system, which aggregates DNS queries from recursive resolvers across the network.

Args: params (PassiveDNSInput): - resource (str): IP address or domain name - limit (int): Max records (default 100, max 500) - response_format (str): 'markdown' (default) or 'json'

Returns: str: Historical DNS records table with rrtype, value, and first/last seen dates.

Check IRRExplorer for route objects covering a prefix and verify they are consistent with the claimed origin ASN.

IRR (Internet Routing Registry) route objects tell ISPs which ASN is authorised to originate a prefix. Inconsistent or missing route objects can cause route filtering and reachability issues even when RPKI is valid.

Args: params (IRRCheckInput): - prefix (str): CIDR prefix e.g. '1.1.1.0/24' - asn (str): Expected origin ASN e.g. 'AS13335' or '13335' - response_format (str): 'markdown' (default) or 'json'

Returns: str: Route objects per IRR source, consistency status, and missing IRR coverage.

Detect potential BGP route leaks or hijacks for a prefix using RIPE Stat BGP-state data.

Checks for:

• Multiple distinct origin ASNs (possible hijack — two ASNs claiming the same prefix)

• AS-path loops (valley-free violations — a transit ASN re-exporting a learned route)

Args: params (RouteLeakInput): - prefix (str): CIDR prefix e.g. '1.1.1.0/24' - response_format (str): 'markdown' (default) or 'json'

Returns: str: Leak detection result with confidence, suspect ASNs, and anomalous AS paths.

Show BGP routing table entries for a prefix as seen from RIPE RIS (Route Information Service) collectors around the world.

Unlike BGP visibility (which answers whether a route exists), a looking glass shows how the route is announced — the actual AS paths from different geographic vantage points.

Args: params (LookingGlassInput): - prefix (str): CIDR prefix e.g. '1.1.1.0/24' - vantage_points (int): Max entries to return (default 10, max 50) - response_format (str): 'markdown' (default) or 'json'

Returns: str: AS paths per RIPE RIS collector with region and BGP community values.

Analyse BGP route stability for a prefix over a configurable time window using RIPE Stat routing-history data.

A stable route has no state changes (no withdrawal/re-announcement cycles). Repeated flapping can indicate hardware failure, misconfiguration, or DDoS and causes router CPU load and convergence delays for peers.

Args: params (RouteStabilityInput): - prefix (str): CIDR prefix e.g. '1.1.1.0/24' - hours (int): Analysis window in hours (default 24, max 168 = 7 days) - response_format (str): 'markdown' (default) or 'json'

Returns: str: Stability score (0–100), state change count, uptime %, and event timeline.

Detect internet shutdowns at the country level by comparing current BGP prefix counts against a stored baseline.

On the first call for a country the baseline is established. Subsequent calls measure how many prefixes have been withdrawn and classify severity: • NORMAL < 5% withdrawn • DEGRADED 5–20% withdrawn • PARTIAL_SHUTDOWN 20–80% withdrawn • FULL_SHUTDOWN > 80% withdrawn

Args: params (ShutdownDetectInput): - country_code (str): ISO 3166-1 alpha-2 code e.g. 'SY', 'IR', 'MM' - response_format (str): 'markdown' (default) or 'json'

Returns: str: Severity level, withdrawn percentage, and sampled ASN prefix counts.

Register a country code, ASN, or prefix for shutdown monitoring with a webhook URL. When the withdrawn% exceeds the threshold, PeerGlass will POST a JSON alert to the webhook.

Args: params (MonitorRegisterInput): - resource (str): Country code, ASN, or prefix to monitor - webhook_url (str): HTTPS URL to POST alerts to - threshold_pct (float): Alert threshold in % withdrawn (default 20%) - interval_minutes (int): Polling interval (default 5 min)

Returns: str: Registration confirmation and registration count.

Retrieve a timestamped BGP withdrawal/restoration timeline for a country or ASN over a date range. Includes a SHA-256 content hash for evidence integrity verification (useful for UN reports, press, legal proceedings).

Args: params (ShutdownTimelineInput): - resource (str): Country code (e.g. 'SY') or ASN (e.g. 'AS29256') - start_date (str): ISO date e.g. '2023-10-07' - end_date (str): ISO date e.g. '2023-10-14' - response_format (str): 'markdown' (default) or 'json'

Returns: str: Timeline of BGP events, total downtime hours, and SHA-256 integrity hash.

Probe for DNS censorship by querying a domain from multiple resolver vantage points — neutral global resolvers (Cloudflare, Google, Quad9) and optionally country-specific ISP resolvers.

Detects: • NXDOMAIN injection — domain exists globally but ISP returns NXDOMAIN • IP poisoning — ISP returns a different (block-page) IP • DPI block — timeout / connection refused

Args: params (CensorshipProbeInput): - domain (str): Domain to probe e.g. 'twitter.com' - country_code (str, optional): ISO code for country-specific resolvers - response_format (str): 'markdown' (default) or 'json'

Returns: str: Censorship status, technique, and per-resolver response table.

Check whether satellite internet providers (Starlink, Viasat, OneWeb, SES, Inmarsat, HughesNet) are actively announcing BGP prefixes.

During ground-based internet shutdowns, satellite services often remain the only available connectivity option for journalists and aid workers.

Args: params (SatelliteConnectivityInput): - country_code (str): ISO 3166-1 alpha-2 code (used for context) - response_format (str): 'markdown' (default) or 'json'

Returns: str: Per-provider active status and announced prefix count.

Map internet resilience for a country by identifying transit providers that many in-country ASNs depend on, and computing a resilience score.

Countries with 1–2 dominant upstream providers are catastrophically vulnerable — cutting those providers isolates the entire country.

Args: params (ChokePointInput): - country_code (str): ISO 3166-1 alpha-2 code e.g. 'SY', 'BY' - response_format (str): 'markdown' (default) or 'json'

Returns: str: Resilience score (0–100), transit providers by dependency, single-upstream count.

Fetch OONI (Open Observatory of Network Interference) censorship measurements for a country over the last 30 days.

Shows confirmed blocked websites, Tor accessibility, and circumvention tool status (Psiphon, OpenVPN, Signal) as measured by OONI probes running inside the country.

Args: params (OONIReportInput): - country_code (str): ISO 3166-1 alpha-2 code e.g. 'IR', 'RU' - domain (str, optional): Filter to a specific domain - response_format (str): 'markdown' (default) or 'json'

Returns: str: Blocked domains, Tor accessibility, and circumvention tool status.

Composite country internet health score combining: • BGP shutdown detection (40%) — routing table withdrawal analysis • DNS censorship probe (30%) — neutral vs ISP resolver comparison • OONI app score (20%) — blocked domains and tool access • Satellite availability (10%) — Starlink/Viasat/OneWeb BGP presence

Gives journalists, NGO directors, and crisis responders a single 0–100 score and plain-language summary of internet conditions.

Args: params (CountryHealthInput): - country_code (str): ISO 3166-1 alpha-2 code e.g. 'UA', 'SY', 'MM' - response_format (str): 'markdown' (default) or 'json'

Returns: str: Overall score, severity level, component scores, and plain-language summary.

Fetch AS relationship data from CAIDA AS-Rank API.

Classifies neighbouring ASNs as: • Providers (upstream transit) • Customers (downstream networks) • Peers (settlement-free peering)

Unlike RIPE Stat asn-neighbours (which only gives left/right/uncertain), CAIDA AS-Rank uses a BGP-path-based inference algorithm for higher accuracy.

Args: params (ASRelationshipInput): - asn (str): ASN e.g. 'AS13335' or '13335' - response_format (str): 'markdown' (default) or 'json'

Returns: str: Classified providers, customers, and peers with relationship type.

Look up the geographic location of an IP address using MaxMind GeoLite2.

Returns city, region, country, coordinates, and timezone when available. Requires the PEERGLASS_GEOIP_DB environment variable pointing to a GeoLite2-City.mmdb file (free download from maxmind.com with account).

Args: params (GeoLookupInput): - ip (str): IPv4 or IPv6 address - response_format (str): 'markdown' (default) or 'json'

Returns: str: City, region, country, coordinates, timezone, EU membership.

Launch a RIPE Atlas traceroute measurement to a target IP or hostname.

Uses the RIPE Atlas global probe network (thousands of vantage points). Requires PEERGLASS_RIPE_ATLAS_KEY environment variable with a valid Atlas API key (free from atlas.ripe.net).

Args: params (AtlasTraceInput): - target (str): IP address or hostname - probes (int): Number of probes to use (default 5, max 25) - response_format (str): 'markdown' (default) or 'json'

Returns: str: Traceroute hop tables per probe with RTT and IP at each hop.