Update: Re: GeekTools Whois Proxy and RIPE/RIPE-NCC

Rodney Joffe rjoffe at centergate.com
Mon Dec 31 19:36:44 UTC 2012


So we think we're working out the impact, and have a work-around for users.

There seem to be more than a few hundred network operations groups (that's many of you on NANOG) that use GeekTools (we can tell by the NAT IP addresses, and the rate of queries) that will be affected. It seems that what RIPE is doing is removing the ability for us to query their whois server using the special format that passes "your" IP address to RIPE in our queries that go to them. This was how they satisfied themselves that if *you* were abusing the query limit, and we had not caught it, and were not already preemptively blocking you or rate limiting you, they could do it. I guess it's their version of "trust, but verify". No argument from us. 

They are not alone. We do the same thing with AFRINIC and APNIC amongst RIRs, nic.br as a TLD operator, and Network Solutions as a registrar. DENIC and a few others have asked us to provide queries in special formats, and we happily comply with all of these. We appreciate their efforts to enable us to help the community. And I think they've mostly been happy with us for the last 14 years or whatever. (BTW there are about 310 of them total at the moment that we're able to parse and identify and query for, as well as many more specially requested cases, like uk.com, au.com, etc.)

RIPE-NCC has decided to limit this to their members only. Not us.

So they are now removing that from us. We will now be subject to their normal limits (whatever that is). When we reach our daily limit, we will be blocked. When we do that a few times, we will be permanently blacklisted.

The good news is that if you query them yourselves, you'll be able to query them up to your daily individual limit before being blocked. So if you have been using us, and have never been blocked with RIPE queries, you will likely not be blocked when you query them directly (we have already been passing them your IP address so they can count and rate limit). The only difference is that now you can make a single query for every TLD, every RWHOIS delegated server via the TLD whois server, and every RIR, and get an answer in one. Except if it ends up in RIPE land. Then you're on your own, walking their tree, etc. But you can do it manually.

Later today, when we see how RIPE handles rejecting us, we'll write a script, and <sarcasm> without asking you all to become members and pay us $1,800 a year </sarcasm>, we'll post here, identifying the text we'll pass so that you can configure scripts to recognize the rejection, and handle the query in an exception routine.

Also, more than 10 years ago, we created a Windows program that loaded in the systray, and provided desktop capabilities. And we also made available the GPL'd Unix source for people who wanted to run it locally. We haven't updated it for years, but many of you have it and did update, and that will not be affected, beyond the existing limitation you would be seeing - the app queries from your own IP address already. If any of you has been maintaining and upgrading/updating the app, and feels like sharing it, please do ;-). If you want, send it to us and we'll audit it (I know you won't mind in today's environment) and then add it to the geektools website.

I guess I should also put together a smartphone app that uses the proxy as well… 

Anyway, enough noise for now. Apologies. And thanks to all of you who responded privately, with offers etc. Fortunately we don't need finance, or resources or support. I'm just happy it has helped for so long.

Wishing you everything you want for yourselves in 2013 - the year of IPv6 and hundreds of new TLDs.

Rodney and the CenterGate/GeekTools crew (yes, we're still around ;-)).

.  .  .  -  .  -

 
On Dec 31, 2012, at 11:46 AM, Job Snijders <job.snijders at atrato-ip.com> wrote:

> Hi Rodney,
> 
> From the looks of it, this decision was made by the RIPE NCC Executive Board rather than at the General Meeting. Inquiries will have to be made why this was decided, and what the consequences are. But, I don't expect a resolution to be reached in the next 6 hours. 
> 
> In the meantime you could consider setting up an irrd[1], redirect queries to that instance instead of whois.ripe.net, and keep it kind of fresh by feeding it ftp://ftp.ripe.net/ripe/dbase/ripe.db.gz on a daily basis. 
> 
> Kind regards,
> 
> Job
> 
> [1] http://www.irrd.net/
> 
> On Dec 31, 2012, at 4:41 PM, Rodney Joffe <rjoffe at centergate.com> wrote:
> 
>> NANOG and ARIN Friends,
>> 
>> 14 years ago, at the suggestion of Jon Postel and some of the early participants in NANOG, we developed the GeekTools Whois proxy to make it easier for *us* - network security and abuse techs - to deal with the expanding number of gTLDs and registrars and the varied whois servers that were appearing. The service had both a CLI and a web interface.
>> 
>> The service also led directly to the creation of whois-servers.net, which now seems to be part of a number of *nix distributions.
>> 
>> The service has been up for 14 years, and over that time we have fulfilled the requirements of all of the whois server operators in regards to minimizing and stopping abuse of the GT whois proxy by domain scrapers, spammers, etc, while enabling the security folks to do their jobs. In some cases we have even written code to pass the IP address of the requestor to the whois server registry operator when they wanted to manage quotas directly. We think we have a really good relationship with all of the whois server operators, and I think we provide a useful service to the community, and it is widely used. And in 14 years we have never been tarred as an enabler of abuse of "the whois" system.
>> 
>> There has obviously never been any kind of charge or fee for using the proxy, or any of the other tools on GeekTools. In about 2002 we started placing a banner ad on the web interface page to offset some of the costs for the bandwidth that the proxy consumes. An average of about $70 a month over the last 10 years. Actual bandwidth costs are higher than that of course, but it was a thought in 2002 that we had frankly forgotten about until recently.
>> 
>> Two weeks ago RIPE-NCC, who provide the whois data for IP addresses in the RIPE region, informed us that based on decisions by their members, as of January 1st 2013, tomorrow, they would no longer provide whois proxy query response services to GeekTools unless we ponied up $1,800 a year for RIPE membership.
>> 
>> I don't work very well above layer 7. It is what it is. So I wanted to let you know that as of midnight tonight, apparently, you won't be able to use GeekTools for RIPE related queries. If you have automated scripts, and you are one of the users who has expanded access to GeekTools, you'll need to find an alternative for RIPE queries *today*. My guess is that you will be able to query RIPE directly, once you have worked out that the address space is within RIPE's assignments.
>> 
>> I think it's wrong to have to pay for whois data that is part of a community resource. So I won't do it.
> 
> -- 
> AS5580 - Atrato IP Networks
> 
> 
> 
> 

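Rodney's message above describes two things a script author now has to do for themselves: walk the whois referral tree (IANA to RIR/TLD to registrar or RWHOIS server) that the proxy used to collapse into one query, and recognize a rejection from whois.ripe.net so it can be routed to an exception routine rather than treated as an answer. The following is an added example written for this archive page; it is not GeekTools, RIPE NCC or IRRd code. It assumes the referral field names shown (`refer:`, `whois:`, `ReferralServer:`, `Whois Server:`), and its rejection patterns are stand-ins, since the thread does not yet contain the actual text RIPE sends. The sample replies are constructed so the block runs offline; the `send` parameter lets a live port-43 transport be swapped in.

```python
"""Minimal referral-walking whois client with an exception routine for
rate-limit / access-denied replies.

Added example for this thread; it is not GeekTools, RIPE NCC or IRRd code.
Assumed: the referral field names matched below and the rejection
patterns, which stand in for the RIPE text the post promises to publish."""
import re
import socket
from typing import Callable, Dict, List, Optional

WHOIS_PORT = 43  # RFC 3912


class WhoisRejected(Exception):
    """A hop answered with a block / quota rejection instead of data."""

    def __init__(self, server: str, line: str, chain: List[str]):
        super().__init__(f"{server} rejected the query: {line}")
        self.server, self.line, self.chain = server, line, chain


def whois_send(server: str, query: str, timeout: float = 10.0) -> str:
    """One raw RFC 3912 exchange: send the query line, read until the server closes."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        buf = bytearray()
        while chunk := sock.recv(4096):
            buf.extend(chunk)
    return buf.decode("utf-8", "replace")


# Referral fields as they appear in IANA ("refer:" / "whois:"), ARIN
# ("ReferralServer:") and registry ("Registrar WHOIS Server:") replies.
REFERRAL_RE = re.compile(
    r"^\s*(?:refer|whois|ReferralServer|(?:Registrar\s+)?Whois\s+Server)\s*:\s*"
    r"(?:r?whois://)?([A-Za-z0-9.-]+)(?::\d+)?\s*$",
    re.IGNORECASE | re.MULTILINE,
)

# ASSUMPTION: the exact rejection text is not given in the thread; these
# stand-ins only look at server comment lines (% or #) to avoid matching
# a remarks: field that happens to mention a quota. Replace with the real
# string once the proxy operator publishes it.
REJECTION_RES = [
    re.compile(r"^%ERROR:\s*\d+:.*access denied.*$", re.IGNORECASE | re.MULTILINE),
    re.compile(r"^[%#].*(?:query rate|quota|too many queries).*$", re.IGNORECASE | re.MULTILINE),
]


def find_rejection(text: str) -> Optional[str]:
    """Return the offending line if the reply is a rejection, else None."""
    for pat in REJECTION_RES:
        m = pat.search(text)
        if m:
            return m.group(0).strip()
    return None


def walk_whois(query: str, send: Callable[[str, str], str] = whois_send,
               start: str = "whois.iana.org", max_hops: int = 5) -> Dict[str, object]:
    """Follow referrals from `start` until a server gives a final answer.
    Raises WhoisRejected as soon as any hop answers with a rejection, so the
    caller never mistakes the error text for whois data."""
    chain: List[str] = []
    server = start
    while len(chain) < max_hops:
        chain.append(server)
        text = send(server, query)
        bad = find_rejection(text)
        if bad:
            raise WhoisRejected(server, bad, chain)
        m = REFERRAL_RE.search(text)
        if not m or m.group(1).lower() == server.lower():
            return {"chain": chain, "answer": text}
        server = m.group(1)
    raise RuntimeError(f"more than {max_hops} referrals for {query!r}: {chain}")


# Constructed replies for an offline run (not real server output); the
# whois.ripe.net entry is a stand-in rejection, not RIPE's actual wording.
SAMPLE_REPLIES: Dict[str, Dict[str, str]] = {
    "whois.iana.org": {
        "192.0.2.10": "refer:        whois.example-rir.test\n\ninetnum:      192.0.0.0 - 192.255.255.255\n",
        "198.51.100.7": "refer:        whois.ripe.net\n\ninetnum:      198.0.0.0 - 198.255.255.255\n",
    },
    "whois.example-rir.test": {
        "192.0.2.10": "inetnum:      192.0.2.0 - 192.0.2.255\nnetname:      TEST-NET-1\n",
    },
    "whois.ripe.net": {
        "198.51.100.7": "%ERROR:201: access denied for 203.0.113.5\n",
    },
}


def sample_send(server: str, query: str) -> str:
    """Offline transport that serves the constructed replies above."""
    return SAMPLE_REPLIES[server][query]


def lookup_with_fallback(query: str, send: Callable[[str, str], str] = sample_send) -> Dict[str, object]:
    """The exception routine: a rejected hop yields a structured record the
    script can hand to a fallback (e.g. a local IRRd mirror) or to a human."""
    try:
        return walk_whois(query, send=send)
    except WhoisRejected as exc:
        return {"chain": exc.chain, "answer": None,
                "rejected_by": exc.server, "reason": exc.line}


if __name__ == "__main__":
    for q in ("192.0.2.10", "198.51.100.7"):
        print(q, "->", lookup_with_fallback(q))
```

Running it as-is uses only the constructed replies; passing `send=whois_send` makes the same walk over live port-43 connections from the caller's own address, which is exactly the per-IP accounting Rodney says RIPE will now apply to each of you directly. Stopping on the first rejection, rather than retrying, is deliberate: repeated hits against a daily limit are what escalate to the permanent block described above, and the structured `rejected_by` record is where a script would branch to Job's suggested local IRRd copy of ripe.db.gz.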



More information about the NANOG mailing list