Re: [registrars] RE: WHOIS BLUES

[Rick Wesson <wessorh@ar.com>]

Bhavin,

handeling black lists of subnets is real easy, infact easyer than
blacklisting hosts, just check to see if the incomming address is within
the netmask in this case a /24. first convert the ipaddress to a long and
the netmask, and the incomming host as addr.

   (addr & mask) == net then reject the request.

if you keep a list of blacklisted networks hosts appear as {host-ip}/32 or
{host-ip}/255.255.255.255 depending on how you parse the blacklist.

for instance 65.218.40.0/24 =~ 65.218.40.0/255.255.255.0

hope this helps

-rick


On Thu, 2 May 2002, Bhavin Turakhia wrote:

> HEY WAIT A MINUTE ... i just checked ARIN on this SUBNET and Found this -
>
> SnapNames.com, Inc. (NETBLK-UU-65-218-40) UU-65-218-40
> 						   65.218.40.0 - 65.218.40.255
>
> HELLO .... WHY is SNAPNAMES SLAMMING MY WHOIS??? for EVERY one of my Domain
> Name ....
>
> bhavin
>
> > -----Original Message-----
> > From: Bhavin Turakhia [mailto:bhavin.t@directi.com]
> > Sent: Thursday, May 02, 2002 12:37 AM
> > To: Registrars@Dnso. Org
> > Cc: Dan Halloran
> > Subject: WHOIS BLUES
> >
> >
> > Hi,
> >
> > i am going thru whois blues that most of you must have gone thru
> > already. i get more hits on my whois everyday than my entire list
> > of domain names .... for instance there is this guy right now
> > slamming my whois server using multiple ip addresses from the
> > same damn subnet ... as the log below shows....
> >
> > [01 May 2002 19:09:05,463] DEBUG WhoisServer  -++Added New Client
> > 65.218.40.188/65.218.40.188 Hash {65.218.40.188/65.218.40.188=1}
> > [01 May 2002 19:09:16,048] DEBUG WhoisServer  -++Added New Client
> > 65.218.40.189/65.218.40.189 Hash {65.218.40.188/65.218.40.188=1,
> > 207.174.230.245/207.174.230.245=1, 65.218.40.189/65.218.40.189=1}
> > [01 May 2002 19:09:26,847] DEBUG WhoisServer  -++Added New Client
> > 65.218.40.190/65.218.40.190 Hash
> > {213.225.132.39/213.225.132.39=1, 65.218.40.190/65.218.40.190=1}
> > [01 May 2002 19:09:35,467] DEBUG WhoisServer  -++Added New Client
> > 65.218.40.191/65.218.40.191 Hash {65.218.40.191/65.218.40.191=1}
> > [01 May 2002 19:09:45,479] DEBUG WhoisServer  -++Added New Client
> > 65.218.40.192/65.218.40.192 Hash {65.218.40.192/65.218.40.192=1}
> > [01 May 2002 19:10:03,610] DEBUG WhoisServer  -++Added New Client
> > 65.218.40.193/65.218.40.193 Hash {65.218.40.193/65.218.40.193=1,
> > golem.itsyourdomain.com/63.85.86.40=1}
> > [01 May 2002 19:10:08,909] DEBUG WhoisServer  -++Added New Client
> > 65.218.40.194/65.218.40.194 Hash {65.218.40.194/65.218.40.194=1,
> > 65.218.40.193/65.218.40.193=1}
> > [01 May 2002 19:10:15,510] DEBUG WhoisServer  -++Added New Client
> > 65.218.40.195/65.218.40.195 Hash {65.218.40.195/65.218.40.195=1,
> > 65.218.40.194/65.218.40.194=1}
> > [01 May 2002 19:10:25,519] DEBUG WhoisServer  -++Added New Client
> > 65.218.40.196/65.218.40.196 Hash {65.218.40.196/65.218.40.196=1}
> > [01 May 2002 19:10:36,040] DEBUG WhoisServer  -++Added New Client
> > 65.218.40.197/65.218.40.197 Hash {65.218.40.197/65.218.40.197=1,
> > 216.168.229.6/216.168.229.6=1}
> > [01 May 2002 19:10:54,460] DEBUG WhoisServer  -++Added New Client
> > 65.218.40.198/65.218.40.198 Hash {65.218.40.198/65.218.40.198=1,
> > droid.daze.net/130.94.96.2=1}
> >
> >
> > This process becomes more and more manual - we put in a feature
> > to block an ip and here comes a subnet .... subnets we have to
> > handle manually - unlessi write some stuff to track complex
> > patterns (wonder how i would take CIDR into account to identify subnets)
> >
> > If i get whois requests for all my domains several times everyday
> > in this fashion my margins wont support my whois server bandwidth costs :)
> >
> > something should be done by icanb about this port 43 whois
> > requirement ...... maybe require eveyone who wants to use it to
> > ask the registrar for an account (username and passwd) so that
> > abuse can be tracked and stopped ....
> >
> > bhavin
>
>