Nominet Suspends Whois to Block Data Miner
Date: Sunday January 26 2003, @09:51AM
Topic: Privacy

The Register reports that Nominet blocked whois service for almost nine hours in an attempt to foil "a distributed and high volume data mining attempt" that Nominet believes "is a very persistent person/organisation attempting to gain a detailed copy of the .uk register".

Escrow self-help? Not likely...

Nominet's Response
by CapnB on Sunday January 26 2003, @10:43AM (#11031)
User #3567 Info | http://www.joel.co.uk/
Shortly after the resumption of the service, Nominet posted the following:

Late yesterday evening, as a result of a distributed and high volume data
mining attempt, we were forced to temporarily suspend our public WHOIS
service. The service has since been re-started.

We believe that there is a very persistent person/organisation attempting
to gain a detailed copy of the .uk register. This attempt began last
week, but increased efforts last night resulted in us needing to take more
severe action than previously necessary. The data mining attempt operates
by systematically querying the WHOIS server using whatever WHOIS proxies
they can find. The queries normally take place overnight (GMT) with
sometimes hundreds of proxies being commandeered simultaneously for this
purpose. Yesterday evening, the volumes were such that we had no
alternative but to suspend the service from 23.00 hours GMT onwards. The
service was re-started at 07.45 hours GMT.

Before last night's action we had been actively working against this
action every night by blocking the proxies that we believed were being
used for this attack. It is important to note that some of the proxies
being blocked were not exceeding any form of rate limit and so were not
being blocked for individual misuse, but rather for their unwitting
involvement in this distributed attack. We have also been currently
blocking all traffic from the originating subnets. We have made a formal
complaint to the ISP responsible for the address ranges concerned and are
currently taking legal advice on related issues.

To reduce the problems caused to members by our needing to block their
access, we unblock most proxies when we are confident that the attack has
subsided, which is normally early in the morning (GMT). Those left
blocked are either exceeding rate limits or seem to be still being used in
this attack.

We apologise to anyone inconvenienced by these events, but trust that
members will understand the importance of protecting the .uk register.

--
CTO, CentralNic Ltd. [centralnic.com]
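
The statement notes that proxies staying under every per-source rate limit were still part of one distributed sweep. As an added example (not Nominet's method and not code from this page), the check below runs over a constructed WHOIS query log and compares per-source counts with the aggregate volume of never-repeated lookups. The log format, thresholds, addresses and names are all assumptions.

```python
from collections import Counter, defaultdict

WINDOW = 3600          # seconds per analysis window (assumed)
PER_SOURCE_LIMIT = 10  # assumed per-source query cap per window
AGG_LIMIT = 100        # assumed budget of one-off lookups per window
MIN_QUERIES = 3        # ignore sources with too few queries to judge

def analyse(log):
    """log: iterable of (unix_ts, source_ip, queried_name) -> {window: report}."""
    windows = defaultdict(list)
    for ts, src, name in log:
        windows[ts // WINDOW].append((src, name))
    reports = {}
    for w, rows in sorted(windows.items()):
        per_src = Counter(src for src, _ in rows)
        name_hits = Counter(name for _, name in rows)
        over_limit = {s for s, n in per_src.items() if n > PER_SOURCE_LIMIT}
        # A register sweep asks for each name once; ordinary traffic repeats names.
        one_off = Counter(src for src, name in rows if name_hits[name] == 1)
        sweepers = {s for s, n in one_off.items()
                    if per_src[s] >= MIN_QUERIES and n == per_src[s]}
        volume = sum(one_off[s] for s in sweepers)
        distributed = volume > AGG_LIMIT
        reports[w] = {"over_limit": over_limit,
                      "distributed": distributed,
                      "sweep_sources": sweepers if distributed else set()}
    return reports

def sample_log():
    """Constructed data: 40 relays under the cap, 3 ordinary users, 1 noisy client."""
    log = []
    for p in range(40):
        for q in range(5):
            log.append((p * 60 + q, f"198.51.100.{p + 1}", f"name{p * 5 + q:04d}.example"))
    for u in range(3):
        for ts in (100, 900, 4000, 5000):
            log.append((ts + u, f"192.0.2.{u + 1}", "popular.example"))
    log += [(2000 + i, "203.0.113.9", "popular.example") for i in range(25)]
    return log

if __name__ == "__main__":
    for w, r in analyse(sample_log()).items():
        print(w, sorted(r["over_limit"]), r["distributed"], len(r["sweep_sources"]))
```

Sources listed in `sweep_sources` include any that merely relayed the queries, so a block built from that list also affects their ordinary users until it is lifted.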


This article comes from ICANNWatch
http://www.icannwatch.org/

The URL for this story is:
http://www.icannwatch.org/article.pl?sid=03/01/26/1856222