ICANN/DNSO
DNSO Mailing lists archives

[registrars]



[registrars] Script to combat Whois data mining on the web


Hi,

We had a whois slamming issue where someone was slamming our Web based
whois with a large number of requests. We have already taken care of it
on our port 43 whois, but the web one was not taken care of.

We have now written a script that will completely block anyone from
trying a web whois on our server with an automated script. This script
uses a standard known method:

1. It generates an image of a random number and shows it on the whois
page.

2. It then asks the user to feed that random number in a box along with
the domain name.

3. The form submits to a servlet which verifies the random number
against the number input by the user, and if it matches, the whois output
is displayed.

You can check the live implementation on http://manage.directi.com/whois

I am attaching the main Servlet script (Java), and the usage
instructions are below.

USAGE INSTRUCTIONS
==================

* Linux has an inherent problem of having a Client-Server concept for
GUIs. Because of this, for ANY GUI related activities, you need an X
server running. In Java, whenever you use any GUI related activities you
would need an X running. Obviously on Live production servers you don't
have X running, and so you can't generate images dynamically on a Unix
environment. For this we have used a Pure Java AWT implementation which
does not require X to be running, but you can still use some GUI related
activities from Java, like generating images. If you want to do so, then
following are the steps to get yourself up and running, happily
generating dynamic images without X.

* Download pja.jar from www.eteks.com/pja. This is a Pure Java AWT
implementation using which we can serve our goal of creating dynamic
images.

* Put this pja.jar in your classpath from where the Image generating
class is going to use it. For example, if you are going to use it from
within servlets, then put it in /WEB-INF/lib.

* The PJA library needs some settings to be done prior to running it.
Below are the required settings needed by pja.

awt.toolkit=com.eteks.awt.PJAToolkit
java.awt.graphicsenv=com.eteks.java2d.PJAGraphicsEnvironment

* Compile the Java file and put it in your servlets folder.

* On your whois page, make a call to this servlet inside an <img src> tag
as below:

<img src="/context/servlet/ImageServlet">

The Image Servlet will load a random number image and at the same time
put this number in the session.

* You will need to put a check in your WhoisServlet (to which the form
action gets submitted) to match the number in the session with the
number input by the user. If the number matches you make the whois call,
else display an error.

Best Regards
Bhavin Turakhia
CEO
Directi
----------------------------
Tel: 91-22-6370256 (4 lines)
Fax: 91-22-6370255
http://www.directi.com
----------------------------

ImageServlet.java
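
The session check described in the last usage step, as an added example
that is not part of the original message or the attached servlet. The
class and method names and the session key are hypothetical, a Map
stands in for the HttpSession, and the one-attempt-per-image rule goes
beyond what the message specifies.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

// Added example: WhoisChallenge, ATTR, issue and verify are hypothetical names.
// The Map stands in for the per-user HttpSession attribute store.
public class WhoisChallenge {
    private static final String ATTR = "whoisChallenge"; // assumed session key
    private static final SecureRandom RNG = new SecureRandom();

    // Called by the image servlet: pick the number, remember it in the
    // session, and return it so the caller can draw it into the image.
    static String issue(Map<String, Object> session) {
        String code = String.format("%06d", RNG.nextInt(1_000_000));
        session.put(ATTR, code);
        return code;
    }

    // Called by the whois servlet before it runs the lookup.
    static boolean verify(Map<String, Object> session, String userInput) {
        // Remove first: each image is good for one attempt only, so a script
        // cannot replay a solved number or keep guessing against the same one.
        Object expected = session.remove(ATTR);
        if (!(expected instanceof String) || userInput == null) {
            return false; // no image was loaded in this session, or empty field
        }
        byte[] a = ((String) expected).getBytes(StandardCharsets.UTF_8);
        byte[] b = userInput.trim().getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b); // comparison that does not exit early
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>(); // constructed sample session
        String shown = issue(session);
        System.out.println("wrong guess accepted: " + verify(session, "000000x"));
        System.out.println("retry on same image accepted: " + verify(session, shown));
        shown = issue(session); // reloading the page draws a fresh image
        System.out.println("correct answer accepted: " + verify(session, shown));
        System.out.println("replay accepted: " + verify(session, shown));
    }
}
```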


