nanog mailing list archives
Whois lookups (was: 2010.10.04 NANOG50 day 1 morning notes posted)
From: Nathan Eisenberg <nathan () atlasnetworks us>
Date: Mon, 4 Oct 2010 17:05:46 +0000
http://kestrel3.netflight.com/2010.10.04-NANOG50-morning-notes.txt " Whois traffic has been going through the roof; they added more proxies in front to support it. Apparently, there's IP management packages that do whois queries. It would be good to find out who is doing it, and talk to ARIN engineering, to find a better way of handling it. We can't keep up if so many machines on the internet keep doing it like this. Source addresses are all over, they're all over, not sign of bots; could be a DLL or mac system startup that's doing it. Please, don't embed whois lookups in everyone's computers like this!! " The only thing I know of is that packages like fail2ban that perform WHOIS lookups when blocking IPs to generate abuse POC notification emails. So more SSH bruteforce attacks = more whois lookups. Nathan
For those who might care, I've put version 1.0 of my notes from the morning session up at http://kestrel3.netflight.com/2010.10.04-NANOG50-morning-notes.txt
Current thread:
- Whois lookups (was: 2010.10.04 NANOG50 day 1 morning notes posted) Nathan Eisenberg (Oct 04)
- Re: Whois lookups (was: 2010.10.04 NANOG50 day 1 morning notes posted) Seth Mattinen (Oct 04)
- Re: Whois lookups (was: 2010.10.04 NANOG50 day 1 morning notes posted) John Curran (Oct 04)
- Re: Whois lookups (was: 2010.10.04 NANOG50 day 1 morning notes posted) David Conrad (Oct 04)
- Re: Whois lookups (was: 2010.10.04 NANOG50 day 1 morning notes posted) Mark Kosters (Oct 04)
- Re: Whois lookups (was: 2010.10.04 NANOG50 day 1 morning notes posted) John Curran (Oct 04)
- Re: Whois lookups (was: 2010.10.04 NANOG50 day 1 morning notes posted) Seth Mattinen (Oct 04)