[130479] in North American Network Operators' Group
Re: Whois lookups (was: 2010.10.04 NANOG50 day 1 morning notes posted)
daemon@ATHENA.MIT.EDU (Seth Mattinen)
Mon Oct 4 13:25:39 2010
Date: Mon, 04 Oct 2010 10:25:29 -0700
From: Seth Mattinen <sethm@rollernet.us>
To: nanog@nanog.org
In-Reply-To: <8C26A4FDAE599041A13EB499117D3C284060517F@ex-mb-2.corp.atlasnetworks.us>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 10/4/2010 10:05, Nathan Eisenberg wrote:
> http://kestrel3.netflight.com/2010.10.04-NANOG50-morning-notes.txt
>
> "
> Whois traffic has been going through the roof; they
> added more proxies in front to support it.
> Apparently, there's IP management packages that do
> whois queries. It would be good to find out who is
> doing it, and talk to ARIN engineering, to find a better
> way of handling it.
> We can't keep up if so many machines on the internet
> keep doing it like this.
> Source addresses are all over, they're all over, no
> sign of bots; could be a DLL or mac system startup
> that's doing it.
> Please, don't embed whois lookups in everyone's computers
> like this!!
> "
>
> The only thing I know of is that packages like fail2ban perform WHOIS lookups when blocking IPs to generate abuse POC notification emails. So more SSH bruteforce attacks = more whois lookups.
>
Or the new whois doesn't scale as well as the old one.
~Seth