Directory

⚓ T354599 [EPIC] Provide IP reputation variables in AbuseFilter
Page MenuHomePhabricator
Create Task
Maniphest T354599

[EPIC] Provide IP reputation variables in AbuseFilter
Open, Needs TriagePublic
Actions

Description

Context

In T354597: Record IP reputation data for account creations and edits we'll likely discover that there are combinations of IP reputation data that usually result in unwanted edits or account creations. We should allow AbuseFilter maintainers to be able to create filters targeting traffic using a subset of labels in the IP reputation data.

Proposal

Introduce IP reputation AbuseFilter protected variables for things like risks (callback proxy, VPN), tunnel types, client concentration count, or simply being present in iPoid-Service's database. Based on spur.us documentation, some possibilities for variables:

  • client.behaviors
  • client.count
  • client.countries
  • client.proxies
  • infrastructure
  • risks
  • services
  • tunnels.anonymous
  • tunnels.operator
  • tunnels.type

Consequences

We would be able to define mitigations in AbuseFilter based on edits from IPs matching specific IP reputation variables.

Notes from L3SC discussion

Copying over some requirements from L3SC discussion:

[,,,] variables like tunnels.operator could narrow down user identification, especially if the VPN service is uncommon and the Abuse Filter has some overly narrow combinations of conditions. Even in that case, the risk would still be low since Abuse filters are under tight community scrutiny and filter maintainers are highly trusted volunteers who exercise care when crafting filter conditions. Additionally, with the guarantee, IP reputation AbuseFilter variables will only be restricted to AF maintainers, rather than making them visible to the wider public, there is an extra layer of precaution.

want to reiterate that we build in the right measures/controls to mitigate false positives, for eg editors from some countries often. use open proxies/shared ip addresses and may not necessarily have malicious intent and could be wrongly tagged in the abuse filter.

Conclusion:

  • The variables need to be treated in the same way as user_unnamed_ip, in that they are considered "protected variables" and the filters and logs where they are used are accessible only to users with the right to view filters with protected variables.

Related Objects
Search...

Event Timeline

kostajh created this task.Jan 9 2024, 9:02 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 9 2024, 9:02 AM
kostajh mentioned this in T354600: Create persistent storage for edits, account creations, account logins, and log entries associated with IPs with poor reputation.Jan 9 2024, 9:08 AM
kostajh added a project: MediaWiki-extensions-IPReputation.Mar 6 2024, 9:41 AM
kostajh added a project: User-kostajh.May 13 2024, 7:40 AM
kostajh added a parent task: T357776: [Epic] Mitigate abilities to abuse temporary accounts.
kostajh updated the task description. (Show Details)May 13 2024, 7:44 AM
kostajh changed the task status from Open to Stalled.Jun 28 2024, 2:17 PM

Stalled on T360067: Deploy Extension:IPReputation

Aklapper added a subtask: T360067: Deploy Extension:IPReputation.Jun 29 2024, 8:39 PM
kostajh added a comment.Jul 12 2024, 7:56 AM

We may also want to have T360195: Analyze IP reputation data and how it maps to on-wiki editing and account creation activity done first, to better guide people who create filters using facets of IP reputation data as AbuseFilter variables.

kostajh mentioned this in T357778: Provide ability to require logged-out users to complete a CAPTCHA on temporary account creations in certain circumstances.Jul 25 2024, 10:24 AM
TheresNoTime mentioned this in T371870: Include proxy information from IP Information tool as conditions in Abuse Filter extension.Aug 9 2024, 2:52 PM
Titore subscribed.Aug 11 2024, 5:04 AM
Novem_Linguae subscribed.Aug 14 2024, 12:58 PM
Robertsky merged a task: T371870: Include proxy information from IP Information tool as conditions in Abuse Filter extension.Aug 14 2024, 1:45 PM
Robertsky added subscribers: Robertsky, TheresNoTime, Fastily and 2 others.
Niharika subscribed.Aug 14 2024, 4:23 PM
Nemoralis subscribed.Aug 19 2024, 10:13 AM
kostajh added a comment.Sep 11 2024, 10:24 AM

Legal, Safety & Security Service Center approval is tracked internally in https://app.asana.com/0/1201516671270795/1208282856628615/f.

kostajh added a project: FY2024-25 WE4.2.Sep 17 2024, 6:55 AM
Johannnes89 subscribed.Sep 17 2024, 7:16 PM
kostajh updated the task description. (Show Details)Sep 20 2024, 9:26 AM
Blablubbs subscribed.Oct 3 2024, 12:09 PM
Blablubbs added a comment.Oct 3 2024, 12:33 PM

One thing to note regarding consequences/use cases is that implementing these variables to would likely mean that admins and stewards pivot from preventing edits from commercial VPN and open proxy IPs by blocking individual IPs and ranges associated with these networks towards preventing them via filters that target service attributes. This would overall be a good thing, because it would (1) allow for better targeting, (2) reduce collateral, and (3) drastically reduce the time investment required. So it wouldn't just enable us to better handle potentially problematic IPs (specifically those associated with botnets and residential proxy networks), but also enable us to mostly automate NOP enforcement in the area of commercial VPNs, which Spur identifies extremely well.

TheresNoTime unsubscribed.Oct 3 2024, 2:35 PM
Jules78120 subscribed.Oct 17 2024, 10:47 AM
kostajh renamed this task from Make IP reputation available as a variable in AbuseFilter to Provide IP reputation variables in AbuseFilter.Nov 1 2024, 3:01 PM
kostajh updated the task description. (Show Details)
kostajh updated the task description. (Show Details)Nov 1 2024, 3:03 PM
kostajh mentioned this in T379348: Cache IP data from Spur in MediaWiki application-level Memcached.Nov 11 2024, 6:03 PM
kostajh changed the task status from Stalled to Open.Nov 21 2024, 10:21 AM

We have L3SC approval.

kostajh claimed this task.Nov 21 2024, 10:25 AM
kostajh added a project: Trust and Safety Product Sprint.

I'll turn this into an epic, where we can track individual variables as subtasks.

DatGuy subscribed.Nov 21 2024, 10:25 AM
kostajh renamed this task from Provide IP reputation variables in AbuseFilter to [EPIC] Provide IP reputation variables in AbuseFilter.Nov 21 2024, 10:37 AM
kostajh updated the task description. (Show Details)
Restricted Application added a project: Epic. · View Herald TranscriptNov 21 2024, 10:37 AM
kostajh mentioned this in T380708: Migrate account creation blocking logic to AbuseFilter.Nov 25 2024, 9:39 AM
kostajh closed subtask T360067: Deploy Extension:IPReputation as Resolved.Nov 25 2024, 9:46 AM
kostajh mentioned this in T380917: Ability to configure a wiki to auto block open proxies.Nov 26 2024, 8:30 PM
A_smart_kitten subscribed.Nov 26 2024, 8:46 PM
Dreamy_Jazz changed the status of subtask T380918: Provide capability to define new protected variables from other extensions from Open to Stalled.Thu, Dec 12, 5:41 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits