Whois lookups (was: 2010.10.04 NANOG50 day 1 morning notes posted)

Nathan Eisenberg nathan at atlasnetworks.us
Mon Oct 4 12:05:46 CDT 2010


http://kestrel3.netflight.com/2010.10.04-NANOG50-morning-notes.txt

"
Whois traffic has been going through the roof; they
added more proxies in front to support it.
Apparently, there's IP management packages that do
whois queries.  It would be good to find out who is
doing it, and talk to ARIN engineering, to find a better
way of handling it.
We can't keep up if so many machines on the internet
keep doing it like this.
Source addresses are all over, they're all over, not
sign of bots; could be a DLL or mac system startup
that's doing it.
Please, don't embed whois lookups in everyone's computers
like this!!
"

The only thing I know of is that packages like fail2ban that perform WHOIS lookups when blocking IPs to generate abuse POC notification emails.  So more SSH bruteforce attacks = more whois lookups.

Nathan
 

> For those who might care, I've put version 1.0 of my notes from the morning
> session up at http://kestrel3.netflight.com/2010.10.04-NANOG50-morning-notes.txt






More information about the NANOG mailing list