
Updated Heuristics for the Abuse Finder Service

Paul Palse — Jun 2010
This article outlines some of the refinements made to the Abuse Finder tool based on community feedback. It also explains the heuristics of the tool.

The Abuse Finder tool has been online for a little over a month now (see Find Abuse Handler Details Using the Abuse Finder). Since we published the tool we have received some excellent feedback from the forum and during the Anti-Abuse Working Group session at the RIPE 60 Meeting, where we presented the tool. We found that the heuristics used by the tool needed some refinements.

We have made the following refinements and fixed these issues:

  • The Abuse Finder only accepts address space and AS Numbers as input. It loosely verifies the input and otherwise returns a “Nothing Found” result.
  • We introduced filtering for placeholder data in the database that caused the tool to frequently and incorrectly return "abuse _at_ ripe _dot_ net".
  • We fixed the situation where the Abuse Finder returned additional results that were unrelated to the input data, because primary and indexed keys are not unique across different object types.
  • We implemented recursive search through layers of personal data (for example, role -> role -> person).

With these refinements the Abuse Finder returns much more accurate and focused results.

The updated Abuse Finder tool can be found here: https://apps.db.ripe.net/search/abuse-finder.html


The Abuse Finder heuristics explained

A frequently asked question was what exact logic the Abuse Finder tool uses to arrive at its results.

Because there isn’t a single method or even a documented best practice for recording abuse contact information in the RIPE Database, we implemented a set of rules that we feel harvest the most useful results.

These are the steps taken to get to its results:

  • Look up the given AUT-NUM, INETNUM or INET6NUM object
    • Find the reference to an IRT object, if one exists
    • Look up the referenced ROLE, PERSON and ORGANISATION objects
  • Extract the ROUTE[6] objects for the address space
    • Look up the referenced ROLE, PERSON and ORGANISATION objects
  • Look up the referenced MNTNER objects.

We remove duplicate entries from the resulting collection of objects. We then extract the abuse-mailboxes and pointers to objects that contain abuse-related text in the remarks field.

The total number of queries the service makes to the RIPE Database may range between 30 and 150. This depends largely on the number of referenced objects the routine has to retrieve.

For example, when we query for “193.0.0.1” the Abuse Finder performs 37 separate queries to the RIPE Database.
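The walk described above, as an added example that is not the Abuse Finder's own code: a Python model over a constructed mini database with made-up handles, where each lookup() call stands in for one whois query restricted with -T, a seen-set prevents asking the database twice for the same object, and an assumed placeholder pattern is filtered out of the mailboxes. It assumes the input has already been resolved to an address range.

```python
import re
# Constructed mini RIPE-style database with made-up handles: (type, key) -> attributes.
# Keying on the type avoids the cross-type key clash the article mentions.
DB = {
    ("inetnum", "192.0.2.0 - 192.0.2.255"): {
        "mnt-irt": ["IRT-EX"], "admin-c": ["OPS-EX"], "mnt-by": ["EX-MNT"]},
    ("irt", "IRT-EX"): {"abuse-mailbox": ["irt@example.net"], "admin-c": ["OPS-EX"]},
    ("role", "OPS-EX"): {"admin-c": ["NOC-EX"], "org": ["ORG-EX1"],
                         "remarks": ["Please send abuse reports to abuse@example.net"]},
    ("role", "NOC-EX"): {"tech-c": ["JD1-EX"]},  # role -> role -> person chain
    ("person", "JD1-EX"): {"abuse-mailbox": ["abuse _at_ ripe _dot_ net"]},  # placeholder data
    ("organisation", "ORG-EX1"): {"abuse-mailbox": ["abuse@example.net"]},
    ("mntner", "EX-MNT"): {"admin-c": ["OPS-EX"], "abuse-mailbox": ["abuse@example.net"]},
    ("route", "192.0.2.0/24"): {"mnt-by": ["EX-MNT"], "org": ["ORG-EX1"]},
}
ROUTES = {"192.0.2.0 - 192.0.2.255": ["192.0.2.0/24"]}  # constructed range -> covering routes
# Which attributes reference which object types (the -T filter of each whois query).
REF_ATTRS = {"mnt-irt": ("irt",), "admin-c": ("role", "person"),
             "tech-c": ("role", "person"), "org": ("organisation",), "mnt-by": ("mntner",)}
PLACEHOLDER = re.compile(r"abuse\s*_at_\s*ripe\s*_dot_\s*net", re.I)  # assumed placeholder filter

def lookup(types, key):
    """Stand-in for one 'whois -r -B -T type[,type] key' query."""
    return [(t, key, DB[(t, key)]) for t in types if (t, key) in DB]

def collect(resource):
    """Walk references from the range and its routes; return (objects, query count)."""
    stack = [(("inetnum", "inet6num"), resource)]
    stack += [(("route", "route6"), r) for r in ROUTES.get(resource, [])]
    seen, objects, queries = set(), {}, 0
    while stack:
        types, key = stack.pop()
        if (types, key) in seen:  # already queried: do not ask the database again
            continue
        seen.add((types, key))
        queries += 1
        for t, k, attrs in lookup(types, key):
            objects[(t, k)] = attrs  # keyed by type and key, so duplicates collapse
            for attr, ref_types in REF_ATTRS.items():
                stack += [(ref_types, ref) for ref in attrs.get(attr, [])]
    return objects, queries

def find_abuse(resource):
    """Abuse mailboxes (placeholders dropped) plus objects whose remarks mention abuse."""
    objects, queries = collect(resource)
    mailboxes, pointers = set(), set()
    for (t, k), attrs in objects.items():
        mailboxes.update(m for m in attrs.get("abuse-mailbox", []) if not PLACEHOLDER.search(m))
        if any("abuse" in r.lower() for r in attrs.get("remarks", [])):
            pointers.add(f"{t} {k}")
    return sorted(mailboxes), sorted(pointers), queries
```

For the constructed range the walk makes 8 queries, drops the placeholder mailbox and reports the role whose remarks mention abuse.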

Here are the exact queries that were performed:

whois -B -r -T inetnum,inet6num 193.0.0.1
whois -B -r -G 193.0.0.0 - 193.0.7.255
whois -r -B -T person,role AMR68-RIPE
whois -r -B -T person,role BRD-RIPE
whois -r -B -T person,role OPS4-RIPE
whois -r -B -T person,role AMR68-RIPE
whois -r -B -T person,role BRD-RIPE
whois -r -B -T person,role GL7321-RIPE
whois -r -B -T person,role JA47
whois -r -B -T person,role MENN1-RIPE
whois -r -B -T person,role EMIL-RIPE
whois -r -B -T person,role SSIE-RIPE
whois -r -B -T person,role RCO-RIPE
whois -r -B -T person,role APZ-RIPE
whois -r -B -T person,role CNAG-RIPE
whois -r -B -T person,role SMCA-RIPE
whois -r -B -T person,role BOH-RIPE
whois -r -B -T mntner RIPE-NCC-MNT
whois -r -B -T mntner RIPE-NCC-RIS-MNT
whois -r -B -T person,role AP110-RIPE
whois -r -B -T person,role OPS4-RIPE
whois -r -B -T person,role MD1601-RIPE
whois -r -B -T person,role RISM-RIPE
whois -r -B -T person,role AMR68-RIPE
whois -r -B -T person,role BRD-RIPE
whois -r -B -T person,role GL7321-RIPE
whois -r -B -T person,role JA47
whois -r -B -T person,role MENN1-RIPE
whois -r -B -T person,role EMIL-RIPE
whois -r -B -T person,role SSIE-RIPE
whois -r -B -T person,role RCO-RIPE
whois -r -B -T person,role APZ-RIPE
whois -r -B -T person,role CNAG-RIPE
whois -r -B -T person,role SMCA-RIPE
whois -r -B -T person,role BOH-RIPE
whois -r -B -T person,role EROM1-RIPE
whois -r -B -T person,role VAA
We are looking forward to your feedback.

Are there other searches that you need to perform frequently that we could group in a similar tool?

Any such searches we call “Use Case searches” and we’re looking forward to receiving some suggestions.

You can post your comments in the RIPE Database API forum or send email to the RIPE Labs mailbox.
