Using the RIPE Database to Trace Attacks FAQs
Where are the RIR Databases, and what do they contain?
There are five RIRs; each maintains a database holding details
of IP address registrations in its region. The RIR databases
are located at:
- AfriNIC (Africa)
- ARIN (North America)
- APNIC (Asia Pacific region)
- LACNIC (Southern and Central America and Caribbean)
- RIPE NCC (Europe, the Middle East, Central Asia)
For historical reasons, the ARIN Database is generally the starting
point for searches. If an address is outside the ARIN region, that database
will provide a reference to one of the other databases.
Unfortunately, many people misinterpret this referral to mean that
either AfriNIC, APNIC, LACNIC, or the RIPE NCC is the network from where
the problem arose. In fact, AfriNIC, APNIC, LACNIC, and the RIPE NCC
perform the same function as ARIN. To get more specific information
you must follow the referral and search the appropriate database.
What does the RIPE Database contain?
The RIPE Database is a public database that contains the registration
details of IP addresses allocated and assigned in the RIPE NCC service region.
IP network operators in our service region enter and maintain the data. We
support the operation of the database, but we are not responsible for its
contents. It is not within the scope of activities set by our membership to
check data in the RIPE Database for accuracy. Only the maintainers of objects
in the database may make changes to the data.
The RIPE Database will be able to identify the details
of the network routing the IP address you are searching for. In general
it will not identify the individual actually using the specific address.
Only the network administrator will have access to user information.
How do I use the RIPE Database?
To find details about the IP address you are searching for, simply enter it into the text box and click "Go".
There are many other options available in the advanced
interface, but for simple IP look-ups you should just use the default
settings.
What do the query results mean?
A. Which are the most important parts to look at?
For spam and hacking complaints, you really only need to consider the
"remarks" fields or look for the "mnt-by" field.
B. What do all the other fields mean?
The other fields are included as part of the proper
registration of public resources. If you're just using the database to
look for the organisation responsible for network abuse, these other
fields should not be relevant.
C. Your database says RIPE is the "source" of the IP address I've looked up
The "source" field shows the RIR responsible for keeping records
of the IP address allocation. It does not show the organisation responsible
for the administration or operation of the network.
Also note that the "changed" field is not a network contact
address, as it merely records who made the most recent change to the registration
information.
Where do I go from here?
To contact the network responsible for the IP address of the spammer
or hacker, you will need to contact the abuse email address.
Do not use the email address in the "changed" line of the RIPE Database object. Look for abuse email addresses in the "remarks" field, or use the email address from the "tech-c" or "admin-c".
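As an added example (not part of the RIPE NCC FAQ), the following Python parses a constructed RIPE-style whois reply and applies the rule above: take an abuse address from the "remarks" field, fall back to the e-mail of the tech-c or admin-c contact, and never use the "changed" line. The inetnum, handle and addresses are constructed sample data, not a real registration.

```python
import re

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Constructed sample in RIPE/RPSL style (documentation prefix, example.net): not a real registration.
SAMPLE_WHOIS = """\
% This is the RIPE Database query service (constructed sample).
inetnum:        192.0.2.0 - 192.0.2.255
admin-c:        EX123-RIPE
tech-c:         EX123-RIPE
remarks:        Please send abuse reports to
+               abuse@example.net
mnt-by:         EXAMPLE-MNT
changed:        hostmaster@example.net 20040101
source:         RIPE

role:           Example Network Operations
e-mail:         noc@example.net
nic-hdl:        EX123-RIPE
"""

def parse_rpsl(text):
    """Split whois output into objects, each {attribute: [values]}."""
    objects, current, last_key = [], {}, None
    for line in text.splitlines() + [""]:   # trailing "" flushes the last object
        if line.startswith("%"):            # server comment, not object data
            continue
        if not line.strip():                # blank line terminates an object
            if current:
                objects.append(current)
            current, last_key = {}, None
        elif line[0] in " \t+" and last_key:  # RPSL continuation line
            current[last_key][-1] += " " + line.lstrip("+ \t")
        else:
            key, _, value = line.partition(":")
            last_key = key.strip()
            current.setdefault(last_key, []).append(value.strip())
    return objects

def abuse_contact(objects):
    """Return (email, attribute it came from): 'remarks' first, then tech-c/admin-c; never 'changed'."""
    inetnum = next(o for o in objects if "inetnum" in o)
    handles = {o["nic-hdl"][0]: o for o in objects if "nic-hdl" in o}
    for remark in inetnum.get("remarks", []):
        if match := EMAIL_RE.search(remark):
            return match.group(), "remarks"
    for attr in ("tech-c", "admin-c"):
        for handle in inetnum.get(attr, []):
            if mail := handles.get(handle, {}).get("e-mail"):
                return mail[0], attr
    return None, None
```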
I'm ready to query the RIPE Database
The RIPE Database is located at http://www.ripe.net/fcgi-bin/whois