ICANN/DNSO
DNSO Mailing lists archives

[registrars]

RE: [registrars] RE: WHOIS BLUES
On Thu, 2 May 2002, Bhavin Turakhia wrote:

> hi Rick,
>
> i understand how i may block a subnet. that is not the concern.
>
> the issue is trying to figure out automatically that there is mischief
> happening from a subnet.

you look up the subnet in the appropriate whois database such as ARIN.

> for instance if someone has a CIDR address, and is sending whois requests
> from the same subnet with random ip addresses..... how do i know what his
> subnet is.

keep track of the requests from the subnet not the host, you could do this
daily, take the address from your logs and look them up at ARIN, RIPE, or
APNIC and keep those in a database.

you can also look up an offender such as snap names, they have a lot of
blocks listed in arin's database...

SnapNames (NETBLK-FON-110191616090163) FON-110191616090163         65.173.232.0 - 65.173.232.7
SnapNames (NETBLK-FON-110181760090217) FON-110181760090217         65.172.103.0 - 65.172.103.7
SnapNames (NETBLK-FON-110189811290269) FON-110189811290269       65.173.161.128 - 65.173.161.135
SnapNames (NETBLK-FON-110176547291317) FON-110176547291317        65.171.155.96 - 65.171.155.103
SnapNames (NETBLK-FON-110176548091318) FON-110176548091318       65.171.155.104 - 65.171.155.111
SnapNames (NETBLK-FON-345549529620259) FON-345549529620259     205.246.172.128 - 205.246.172.135
SnapNames (NETBLK-FON-345532363291915) FON-345532363291915       205.244.13.240 - 205.244.13.247
SnapNames (NETBLK-FON-342881582491955) FON-342881582491955       204.95.147.208 - 204.95.147.215
SnapNames (NETBLK-FON-344992671292257) FON-344992671292257       205.161.180.56 - 205.161.180.63
SnapNames (NETBLK-FON-110180598492261) FON-110180598492261        65.172.57.160 - 65.172.57.191
SnapNames.com, Inc. (NETBLK-UU-65-218-40) UU-65-218-40             65.218.40.0 - 65.218.40.255


> he might have a /27 ..... but be randomly using ips from the /27, i cannot
> identify what the exact subnet is and might end up banning the entire class
> C when he did not own the entire /24.

look up the ip at whois.arin.net...

> that is the problem

it's solvable.

-rick

> bhavin
>
> > handling black lists of subnets is real easy, in fact easier than
> > blacklisting hosts, just check to see if the incoming address is within
> > the netmask in this case a /24. first convert the ip address to a long and
> > the netmask, and the incoming host as addr.
> >
> >    (addr & mask) == net then reject the request.
> >
> > if you keep a list of blacklisted networks hosts appear as {host-ip}/32 or
> > {host-ip}/255.255.255.255 depending on how you parse the blacklist.
> >
> > for instance 65.218.40.0/24 =~ 65.218.40.0/255.255.255.0
> >
> > hope this helps
> >
> > -rick
> >
> >
> > On Thu, 2 May 2002, Bhavin Turakhia wrote:
> >
> > > HEY WAIT A MINUTE ... i just checked ARIN on this SUBNET and Found this -
> > >
> > > SnapNames.com, Inc. (NETBLK-UU-65-218-40) UU-65-218-40    65.218.40.0 - 65.218.40.255
> > >
> > > HELLO .... WHY is SNAPNAMES SLAMMING MY WHOIS??? for EVERY one of my Domain
> > > Name ....
> > >
> > > bhavin
> > >
> > > > -----Original Message-----
> > > > From: Bhavin Turakhia [mailto:bhavin.t@directi.com]
> > > > Sent: Thursday, May 02, 2002 12:37 AM
> > > > To: Registrars@Dnso. Org
> > > > Cc: Dan Halloran
> > > > Subject: WHOIS BLUES
> > > >
> > > >
> > > > Hi,
> > > >
> > > > i am going thru whois blues that most of you must have gone thru
> > > > already. i get more hits on my whois everyday than my entire list
> > > > of domain names .... for instance there is this guy right now
> > > > slamming my whois server using multiple ip addresses from the
> > > > same damn subnet ... as the log below shows....
> > > >
> > > > [01 May 2002 19:09:05,463] DEBUG WhoisServer  -++Added New Client
> > > > 65.218.40.188/65.218.40.188 Hash {65.218.40.188/65.218.40.188=1}
> > > > [01 May 2002 19:09:16,048] DEBUG WhoisServer  -++Added New Client
> > > > 65.218.40.189/65.218.40.189 Hash {65.218.40.188/65.218.40.188=1,
> > > > 207.174.230.245/207.174.230.245=1, 65.218.40.189/65.218.40.189=1}
> > > > [01 May 2002 19:09:26,847] DEBUG WhoisServer  -++Added New Client
> > > > 65.218.40.190/65.218.40.190 Hash
> > > > {213.225.132.39/213.225.132.39=1, 65.218.40.190/65.218.40.190=1}
> > > > [01 May 2002 19:09:35,467] DEBUG WhoisServer  -++Added New Client
> > > > 65.218.40.191/65.218.40.191 Hash {65.218.40.191/65.218.40.191=1}
> > > > [01 May 2002 19:09:45,479] DEBUG WhoisServer  -++Added New Client
> > > > 65.218.40.192/65.218.40.192 Hash {65.218.40.192/65.218.40.192=1}
> > > > [01 May 2002 19:10:03,610] DEBUG WhoisServer  -++Added New Client
> > > > 65.218.40.193/65.218.40.193 Hash {65.218.40.193/65.218.40.193=1,
> > > > golem.itsyourdomain.com/63.85.86.40=1}
> > > > [01 May 2002 19:10:08,909] DEBUG WhoisServer  -++Added New Client
> > > > 65.218.40.194/65.218.40.194 Hash {65.218.40.194/65.218.40.194=1,
> > > > 65.218.40.193/65.218.40.193=1}
> > > > [01 May 2002 19:10:15,510] DEBUG WhoisServer  -++Added New Client
> > > > 65.218.40.195/65.218.40.195 Hash {65.218.40.195/65.218.40.195=1,
> > > > 65.218.40.194/65.218.40.194=1}
> > > > [01 May 2002 19:10:25,519] DEBUG WhoisServer  -++Added New Client
> > > > 65.218.40.196/65.218.40.196 Hash {65.218.40.196/65.218.40.196=1}
> > > > [01 May 2002 19:10:36,040] DEBUG WhoisServer  -++Added New Client
> > > > 65.218.40.197/65.218.40.197 Hash {65.218.40.197/65.218.40.197=1,
> > > > 216.168.229.6/216.168.229.6=1}
> > > > [01 May 2002 19:10:54,460] DEBUG WhoisServer  -++Added New Client
> > > > 65.218.40.198/65.218.40.198 Hash {65.218.40.198/65.218.40.198=1,
> > > > droid.daze.net/130.94.96.2=1}
> > > >
> > > >
> > > > This process becomes more and more manual - we put in a feature
> > > > to block an ip and here comes a subnet .... subnets we have to
> > > > handle manually - unless i write some stuff to track complex
> > > > patterns (wonder how i would take CIDR into account to identify subnets)
> > > >
> > > > If i get whois requests for all my domains several times everyday
> > > > in this fashion my margins won't support my whois server bandwidth costs :)
> > > >
> > > > something should be done by icann about this port 43 whois
> > > > requirement ...... maybe require everyone who wants to use it to
> > > > ask the registrar for an account (username and passwd) so that
> > > > abuse can be tracked and stopped ....
> > > >
> > > > bhavin
> > >
> > >
> >
> >
>
>

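Rick's advice to track requests per subnet rather than per host, and his `(addr & mask) == net` check, as an added example that is not part of the thread: a Python sketch that pulls client addresses out of log lines in the format quoted above, counts them per prefix, and tests an address against a blocklist entry written either in CIDR or in netmask form. The log lines are constructed for the example, and the threshold and prefix length are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in the format of the whois server log quoted in the thread.
LOG_LINES = [
    "[01 May 2002 19:09:05,463] DEBUG WhoisServer  -++Added New Client 65.218.40.188/65.218.40.188 Hash {...}",
    "[01 May 2002 19:09:16,048] DEBUG WhoisServer  -++Added New Client 65.218.40.189/65.218.40.189 Hash {...}",
    "[01 May 2002 19:09:26,847] DEBUG WhoisServer  -++Added New Client 65.218.40.190/65.218.40.190 Hash {...}",
    "[01 May 2002 19:09:35,467] DEBUG WhoisServer  -++Added New Client 213.225.132.39/213.225.132.39 Hash {...}",
    "[01 May 2002 19:09:45,479] DEBUG WhoisServer  -++Added New Client 65.218.40.192/65.218.40.192 Hash {...}",
]

# The client address is the dotted quad just before the '/' in "Added New Client a.b.c.d/a.b.c.d".
CLIENT_RE = re.compile(r"Added New Client (\d{1,3}(?:\.\d{1,3}){3})/")


def client_ips(lines):
    """Return the client IP from every 'Added New Client' line, in log order."""
    return [m.group(1) for m in map(CLIENT_RE.search, lines) if m]


def requests_per_prefix(ips, prefixlen=24):
    """Count new clients per network prefix instead of per host (prefixlen is an assumption)."""
    return Counter(str(ip_network(f"{ip}/{prefixlen}", strict=False)) for ip in ips)


def noisy_prefixes(lines, threshold, prefixlen=24):
    """Prefixes whose new-client count reaches the (assumed) threshold; sorted for stable output."""
    counts = requests_per_prefix(client_ips(lines), prefixlen)
    return sorted(prefix for prefix, n in counts.items() if n >= threshold)


def in_blocked_network(ip, entry):
    """Rick's check: convert address and mask to integers and test (addr & mask) == net.

    `entry` may be CIDR ("65.218.40.0/24"), netmask form ("65.218.40.0/255.255.255.0"),
    or a single host, which is just a /32.
    """
    net = ip_network(entry if "/" in entry else f"{entry}/32", strict=False)
    addr = int(ip_address(ip))
    mask = int(net.netmask)
    return (addr & mask) == int(net.network_address)


if __name__ == "__main__":
    print(noisy_prefixes(LOG_LINES, threshold=3))          # ['65.218.40.0/24']
    print(in_blocked_network("65.218.40.188", "65.218.40.0/255.255.255.0"))  # True
```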