<<<
Chronological Index
>>> <<<
Thread Index
>>>
RE: [registrars] RE: WHOIS BLUES
hi Rick,
i understand how i may block a subnet. that is not the concern.
the issue is trying to figure out automatically that there is mischief
happening from a subnet.
for instance if someone has a CIDR address, and is sending whois requests
from the same subnet with random ip addresses..... how do i know what his
subnet is.
he might have a /27 ..... but be randomly using ips from the /27, i cannot
identify what the exact subnet is and might end up banning the entire class
C when he did not own the entire /24.
that is the problem
bhavin
> handeling black lists of subnets is real easy, infact easyer than
> blacklisting hosts, just check to see if the incomming address is within
> the netmask in this case a /24. first convert the ipaddress to a long and
> the netmask, and the incomming host as addr.
>
> (addr & mask) == net then reject the request.
>
> if you keep a list of blacklisted networks hosts appear as {host-ip}/32 or
> {host-ip}/255.255.255.255 depending on how you parse the blacklist.
>
> for instance 65.218.40.0/24 =~ 65.218.40.0/255.255.255.0
>
> hope this helps
>
> -rick
>
>
> On Thu, 2 May 2002, Bhavin Turakhia wrote:
>
> > HEY WAIT A MINUTE ... i just checked ARIN on this SUBNET and
> Found this -
> >
> > SnapNames.com, Inc. (NETBLK-UU-65-218-40) UU-65-218-40
> > 65.218.40.0 -
> 65.218.40.255
> >
> > HELLO .... WHY is SNAPNAMES SLAMMING MY WHOIS??? for EVERY one
> of my Domain
> > Name ....
> >
> > bhavin
> >
> > > -----Original Message-----
> > > From: Bhavin Turakhia [mailto:bhavin.t@directi.com]
> > > Sent: Thursday, May 02, 2002 12:37 AM
> > > To: Registrars@Dnso. Org
> > > Cc: Dan Halloran
> > > Subject: WHOIS BLUES
> > >
> > >
> > > Hi,
> > >
> > > i am going thru whois blues that most of you must have gone thru
> > > already. i get more hits on my whois everyday than my entire list
> > > of domain names .... for instance there is this guy right now
> > > slamming my whois server using multiple ip addresses from the
> > > same damn subnet ... as the log below shows....
> > >
> > > [01 May 2002 19:09:05,463] DEBUG WhoisServer -++Added New Client
> > > 65.218.40.188/65.218.40.188 Hash {65.218.40.188/65.218.40.188=1}
> > > [01 May 2002 19:09:16,048] DEBUG WhoisServer -++Added New Client
> > > 65.218.40.189/65.218.40.189 Hash {65.218.40.188/65.218.40.188=1,
> > > 207.174.230.245/207.174.230.245=1, 65.218.40.189/65.218.40.189=1}
> > > [01 May 2002 19:09:26,847] DEBUG WhoisServer -++Added New Client
> > > 65.218.40.190/65.218.40.190 Hash
> > > {213.225.132.39/213.225.132.39=1, 65.218.40.190/65.218.40.190=1}
> > > [01 May 2002 19:09:35,467] DEBUG WhoisServer -++Added New Client
> > > 65.218.40.191/65.218.40.191 Hash {65.218.40.191/65.218.40.191=1}
> > > [01 May 2002 19:09:45,479] DEBUG WhoisServer -++Added New Client
> > > 65.218.40.192/65.218.40.192 Hash {65.218.40.192/65.218.40.192=1}
> > > [01 May 2002 19:10:03,610] DEBUG WhoisServer -++Added New Client
> > > 65.218.40.193/65.218.40.193 Hash {65.218.40.193/65.218.40.193=1,
> > > golem.itsyourdomain.com/63.85.86.40=1}
> > > [01 May 2002 19:10:08,909] DEBUG WhoisServer -++Added New Client
> > > 65.218.40.194/65.218.40.194 Hash {65.218.40.194/65.218.40.194=1,
> > > 65.218.40.193/65.218.40.193=1}
> > > [01 May 2002 19:10:15,510] DEBUG WhoisServer -++Added New Client
> > > 65.218.40.195/65.218.40.195 Hash {65.218.40.195/65.218.40.195=1,
> > > 65.218.40.194/65.218.40.194=1}
> > > [01 May 2002 19:10:25,519] DEBUG WhoisServer -++Added New Client
> > > 65.218.40.196/65.218.40.196 Hash {65.218.40.196/65.218.40.196=1}
> > > [01 May 2002 19:10:36,040] DEBUG WhoisServer -++Added New Client
> > > 65.218.40.197/65.218.40.197 Hash {65.218.40.197/65.218.40.197=1,
> > > 216.168.229.6/216.168.229.6=1}
> > > [01 May 2002 19:10:54,460] DEBUG WhoisServer -++Added New Client
> > > 65.218.40.198/65.218.40.198 Hash {65.218.40.198/65.218.40.198=1,
> > > droid.daze.net/130.94.96.2=1}
> > >
> > >
> > > This process becomes more and more manual - we put in a feature
> > > to block an ip and here comes a subnet .... subnets we have to
> > > handle manually - unlessi write some stuff to track complex
> > > patterns (wonder how i would take CIDR into account to
> identify subnets)
> > >
> > > If i get whois requests for all my domains several times everyday
> > > in this fashion my margins wont support my whois server
> bandwidth costs :)
> > >
> > > something should be done by icanb about this port 43 whois
> > > requirement ...... maybe require eveyone who wants to use it to
> > > ask the registrar for an account (username and passwd) so that
> > > abuse can be tracked and stopped ....
> > >
> > > bhavin
> >
> >
>
>
<<<
Chronological Index
>>> <<<
Thread Index
>>>
|