ICANN/DNSO
DNSO Mailing list archives

[registrars]



RE: [registrars] RE: WHOIS BLUES


Hi Rick,

I understand how I may block a subnet. That is not the concern.

The issue is trying to figure out automatically that there is mischief
happening from a subnet.

For instance, if someone has a CIDR address and is sending whois requests
from the same subnet with random IP addresses..... how do I know what his
subnet is?

He might have a /27..... but be randomly using IPs from the /27; I cannot
identify what the exact subnet is and might end up banning the entire class
C when he did not own the entire /24.

That is the problem.

bhavin

> Handling black lists of subnets is real easy, in fact easier than
> blacklisting hosts: just check to see if the incoming address is within
> the netmask, in this case a /24. First convert the network address and the
> netmask to longs (net and mask), and the incoming host as addr.
>
>    (addr & mask) == net then reject the request.
>
> If you keep a list of blacklisted networks, hosts appear as {host-ip}/32 or
> {host-ip}/255.255.255.255 depending on how you parse the blacklist.
>
> For instance 65.218.40.0/24 =~ 65.218.40.0/255.255.255.0
>
> hope this helps
>
> -rick
>
>
> On Thu, 2 May 2002, Bhavin Turakhia wrote:
>
> > HEY WAIT A MINUTE ... I just checked ARIN on this SUBNET and
> > found this -
> >
> > SnapNames.com, Inc. (NETBLK-UU-65-218-40) UU-65-218-40
> >                                           65.218.40.0 - 65.218.40.255
> >
> > HELLO .... WHY is SNAPNAMES SLAMMING MY WHOIS??? for EVERY one
> > of my Domain Names ....
> >
> > bhavin
> >
> > > -----Original Message-----
> > > From: Bhavin Turakhia [mailto:bhavin.t@directi.com]
> > > Sent: Thursday, May 02, 2002 12:37 AM
> > > To: Registrars@Dnso. Org
> > > Cc: Dan Halloran
> > > Subject: WHOIS BLUES
> > >
> > >
> > > Hi,
> > >
> > > I am going through whois blues that most of you must have gone through
> > > already. I get more hits on my whois every day than my entire list
> > > of domain names .... for instance there is this guy right now
> > > slamming my whois server using multiple IP addresses from the
> > > same damn subnet ... as the log below shows....
> > >
> > > [01 May 2002 19:09:05,463] DEBUG WhoisServer  -++Added New Client
> > > 65.218.40.188/65.218.40.188 Hash {65.218.40.188/65.218.40.188=1}
> > > [01 May 2002 19:09:16,048] DEBUG WhoisServer  -++Added New Client
> > > 65.218.40.189/65.218.40.189 Hash {65.218.40.188/65.218.40.188=1,
> > > 207.174.230.245/207.174.230.245=1, 65.218.40.189/65.218.40.189=1}
> > > [01 May 2002 19:09:26,847] DEBUG WhoisServer  -++Added New Client
> > > 65.218.40.190/65.218.40.190 Hash
> > > {213.225.132.39/213.225.132.39=1, 65.218.40.190/65.218.40.190=1}
> > > [01 May 2002 19:09:35,467] DEBUG WhoisServer  -++Added New Client
> > > 65.218.40.191/65.218.40.191 Hash {65.218.40.191/65.218.40.191=1}
> > > [01 May 2002 19:09:45,479] DEBUG WhoisServer  -++Added New Client
> > > 65.218.40.192/65.218.40.192 Hash {65.218.40.192/65.218.40.192=1}
> > > [01 May 2002 19:10:03,610] DEBUG WhoisServer  -++Added New Client
> > > 65.218.40.193/65.218.40.193 Hash {65.218.40.193/65.218.40.193=1,
> > > golem.itsyourdomain.com/63.85.86.40=1}
> > > [01 May 2002 19:10:08,909] DEBUG WhoisServer  -++Added New Client
> > > 65.218.40.194/65.218.40.194 Hash {65.218.40.194/65.218.40.194=1,
> > > 65.218.40.193/65.218.40.193=1}
> > > [01 May 2002 19:10:15,510] DEBUG WhoisServer  -++Added New Client
> > > 65.218.40.195/65.218.40.195 Hash {65.218.40.195/65.218.40.195=1,
> > > 65.218.40.194/65.218.40.194=1}
> > > [01 May 2002 19:10:25,519] DEBUG WhoisServer  -++Added New Client
> > > 65.218.40.196/65.218.40.196 Hash {65.218.40.196/65.218.40.196=1}
> > > [01 May 2002 19:10:36,040] DEBUG WhoisServer  -++Added New Client
> > > 65.218.40.197/65.218.40.197 Hash {65.218.40.197/65.218.40.197=1,
> > > 216.168.229.6/216.168.229.6=1}
> > > [01 May 2002 19:10:54,460] DEBUG WhoisServer  -++Added New Client
> > > 65.218.40.198/65.218.40.198 Hash {65.218.40.198/65.218.40.198=1,
> > > droid.daze.net/130.94.96.2=1}
> > >
> > >
> > > This process becomes more and more manual - we put in a feature
> > > to block an IP and here comes a subnet .... subnets we have to
> > > handle manually - unless I write some stuff to track complex
> > > patterns (wonder how I would take CIDR into account to
> > > identify subnets).
> > >
> > > If I get whois requests for all my domains several times every day
> > > in this fashion my margins won't support my whois server
> > > bandwidth costs :)
> > >
> > > Something should be done by ICANN about this port 43 whois
> > > requirement ...... maybe require everyone who wants to use it to
> > > ask the registrar for an account (username and passwd) so that
> > > abuse can be tracked and stopped ....
> > >
> > > bhavin
> >
> >
>
>
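Both halves of this exchange, Rick's (addr & mask) == net blacklist check and Bhavin's question of how to notice a subnet automatically without banning more of it than the evidence supports, as one added Python example. This is not code from either poster or from the Directi whois server. The log lines are constructed in the format quoted above, and the threshold of five distinct hosts per /24 is an assumption; the narrowest-enclosing-block idea is one conservative answer to the /27-versus-/24 worry, not something the thread itself proposes.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the WhoisServer log quoted in the thread:
# eleven consecutive hosts in 65.218.40.x within a minute, plus two unrelated
# one-off clients (one logged by hostname, as golem.itsyourdomain.com was).
SAMPLE_LOG = "\n".join(
    [f"[01 May 2002 19:09:{5 + i:02d},000] DEBUG WhoisServer  -++Added New Client "
     f"65.218.40.{188 + i}/65.218.40.{188 + i} Hash {{}}" for i in range(11)]
    + ["[01 May 2002 19:09:16,048] DEBUG WhoisServer  -++Added New Client "
       "207.174.230.245/207.174.230.245 Hash {}",
       "[01 May 2002 19:10:03,610] DEBUG WhoisServer  -++Added New Client "
       "golem.itsyourdomain.com/63.85.86.40 Hash {}"]
)

# The address is the part after the slash, so hostname/IP entries work too.
CLIENT_RE = re.compile(r"Added New Client \S+?/(\d{1,3}(?:\.\d{1,3}){3})\b")

ALL_ONES = 0xFFFFFFFF


def parse_clients(log_text):
    """Return the client IPs, in log order, from every 'Added New Client' line."""
    return [m.group(1) for m in CLIENT_RE.finditer(log_text)]


def ip_to_int(ip):
    """Dotted-quad IPv4 string -> 32-bit integer (Rick's 'convert to a long')."""
    octets = [int(x) for x in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_mask(bits):
    if not 0 <= bits <= 32:
        raise ValueError(f"bad prefix length: {bits}")
    return (ALL_ONES << (32 - bits)) & ALL_ONES


def parse_entry(entry):
    """Blacklist entry -> (net, mask) integers. Accepts 'a.b.c.d/24',
    'a.b.c.d/255.255.255.0', or a bare host, which is treated as /32."""
    addr, _, suffix = entry.partition("/")
    if not suffix:
        mask = ALL_ONES
    elif "." in suffix:
        mask = ip_to_int(suffix)
    else:
        mask = prefix_mask(int(suffix))
    return ip_to_int(addr) & mask, mask  # normalise so '65.218.40.7/24' works too


def is_blacklisted(ip, blacklist):
    """True if ip falls inside any entry: (addr & mask) == net."""
    addr = ip_to_int(ip)
    return any((addr & mask) == net for net, mask in map(parse_entry, blacklist))


def suspicious_prefixes(ips, prefix_len=24, min_hosts=5):
    """Group distinct client IPs by their /prefix_len and return {prefix: hosts}
    for every group with at least min_hosts distinct addresses (threshold assumed)."""
    mask = prefix_mask(prefix_len)
    groups = defaultdict(set)
    for ip in ips:
        groups[ip_to_int(ip) & mask].add(ip)
    return {f"{int_to_ip(net)}/{prefix_len}": sorted(hosts, key=ip_to_int)
            for net, hosts in groups.items() if len(hosts) >= min_hosts}


def smallest_enclosing_cidr(ips):
    """Narrowest CIDR block containing every address in ips: the leading bits
    shared by the lowest and highest address fix the prefix length."""
    nums = [ip_to_int(ip) for ip in ips]
    lo, hi = min(nums), max(nums)
    bits = 32 - (lo ^ hi).bit_length()
    return f"{int_to_ip(lo & prefix_mask(bits))}/{bits}"


if __name__ == "__main__":
    clients = parse_clients(SAMPLE_LOG)
    blacklist = []
    for prefix, hosts in suspicious_prefixes(clients).items():
        block = smallest_enclosing_cidr(hosts)
        print(f"{len(hosts)} distinct hosts in {prefix}; narrowest block covering them: {block}")
        blacklist.append(block)
    for ip in clients:
        print(f"{ip:16} {'REJECT' if is_blacklisted(ip, blacklist) else 'allow'}")
```

On the sample above the /24 grouping flags 65.218.40.0/24, but the narrowest block that actually covers the eleven observed hosts is 65.218.40.128/25, so an automatic ban of that block cannot touch a neighbour in the lower half of the /24 who merely shares the class C. Grouping at /27 instead flags only 65.218.40.192/27 (seven hosts) and misses the four in the /27 below it, which is the trade-off Bhavin describes: the log alone can give a floor on the offender's range, and only a registry lookup like the ARIN record he found says whether the whole /24 belongs to one party.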