Host based lookup

Posted: Sat Oct 01, 2005 6:51 am
by Gandalf_the_grey
Hello. I'm a tad new here. (I found your site after doing some research for a program I was making.)

I've been doing a bit of work with host-based lookups, rather than IP-based (which you seem to be doing).

I did this mainly because there was plainly obvious information in hosts, and because IPs have a tendency of changing a lot more than IPs. (When was the last time your ISP's host changed?)

I've been getting up to state-level accuracy so far (only with Comcast, though; I usually find the ISP and country of a person).

For example:
*removed*.hsd1.ga.comcast.net

We know he's from Georgia, because of the ga.
We know that Comcast is his ISP, because it's the first part of the host after the suffix (which is .net in this case).

And we know that he's in America, because:
1. It ended in .net, so it was registered in America. (Although sometimes when I do an IP check it turns out that it is in another country, which registered an American domain name.)
2. Comcast is in America (it's an American ISP). I put that information in my Comcast records.
3. America is a good default to have. (Lots of people on the internet compared to other countries.)

The process I use for my geolocator basically looks for similar addresses.
I look from the suffix down to the end, and I count the number of "parts" of the host that are the same.
I.e. www.hostip.info
Hostip is one part, the info is another part.
Something.hostip.info
Something is one part, etc.

So, whenever I find an entry with a better match than what I currently have, I add its information to the current bank of knowledge (of the host), and continue on.

When I find contradictory records (i.e. [country] the United States, [country] Switzerland), I consider the one that was put in last to be accurate.

So, for example, for *removed*.hsd1.ga.comcast.net
The pattern of information is basically:
.net matched. [country] The United States of America added
.comcast.net matched. [isp] Comcast added
.ga.comcast.net matched. [state] Georgia added

For unknown ISPs I add [isp] to be the last part of the host that isn't a suffix. (I.e. more than three letters, and not .info.)

This seems to be working well (I have scrounged up a list of country suffixes for country lookup, and added a few ISPs there too) and seems to be giving good country + ISP lookup most of the time. (ISP lookup is the most reliable, followed by country, followed by state.)

I've also been making an IP table for additional searching. (I.e. finding out if a host that appears American (i.e. .net) is actually from another country.)

What I did was store the long IP of the name, with the information about it. I stored the whole thing as a sorted list, and I used a binary search to find the closest match.

This helped a great deal, and corrects the host-based approach when it fails. (I.e. just not enough information.)

I'd like to know if anyone else here has tried anything similar, and their success/failure with it?

(Also, why does the city on the main page change every time on reload?)

From,
Gandalf the grey.
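
The suffix-matching lookup and the sorted IP table described in the post above, sketched as an added example (not the poster's program). The record contents, the `LONG_SUFFIXES` list and all function names are assumptions, the sample hosts and addresses are constructed, and "the one that was put in last" is read here as the most specific match, which is applied last.

```python
import bisect
import ipaddress

# Constructed sample records keyed by host suffix; not the poster's data.
SUFFIX_RECORDS = {
    "net": {"country": "United States"},
    "comcast.net": {"isp": "Comcast"},
    "ga.comcast.net": {"state": "Georgia"},
}
LONG_SUFFIXES = {"info"}  # suffixes longer than three letters (assumed list)

# Constructed IP table of (address as integer, info), sorted for bisect.
# Addresses come from the RFC 5737 documentation ranges.
IP_TABLE = sorted(
    ((int(ipaddress.IPv4Address(ip)), info) for ip, info in [
        ("192.0.2.0", {"country": "Switzerland"}),
        ("198.51.100.0", {"country": "United States"}),
    ]),
    key=lambda rec: rec[0],
)
IP_KEYS = [start for start, _ in IP_TABLE]

def lookup_host(host):
    """Walk from the suffix leftward, merging records; later matches win."""
    labels = host.lower().rstrip(".").split(".")
    info = {}
    for i in range(len(labels) - 1, -1, -1):
        info.update(SUFFIX_RECORDS.get(".".join(labels[i:]), {}))
    if "isp" not in info:
        # Unknown ISP: last label over three letters that is not a suffix.
        for label in reversed(labels):
            if len(label) > 3 and label not in LONG_SUFFIXES:
                info["isp"] = label
                break
    return info

def lookup_ip(ip):
    """Binary-search the sorted table for the entry closest to ip."""
    n = int(ipaddress.IPv4Address(ip))
    i = bisect.bisect_left(IP_KEYS, n)
    neighbours = IP_TABLE[max(i - 1, 0):i + 1]
    return min(neighbours, key=lambda rec: abs(rec[0] - n))[1]

def locate(host, ip=None):
    """Host-based guess, corrected by the IP table when an address is given."""
    info = lookup_host(host)
    if ip is not None:
        info.update(lookup_ip(ip))
    return info
```

Reverse-DNS names are set by whoever controls the reverse zone, so anything derived from them is a hint for log enrichment rather than verified attribution.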

Posted: Wed Oct 05, 2005 11:06 am
by Teo
You could extract some good information with the geo patents from Quova:

http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=/netahtml/srchnum.htm&r=1&f=G&l=50&s1=6,684,250.WKU.&OS=PN/6,684,250&RS=PN/6,684,250

(Patent that forgive you to retrieve and use geo data if you live in the USA)

Re: Host based lookup

Posted: Thu Oct 06, 2005 10:02 am
by bfolkens
Gandalf_the_grey wrote: Hello. I'm a tad new here. (I found your site after doing some research for a program I was making.)


We did something remotely similar with the Sarangworld regex patterns and traceroutes.