Shortly after the resumption of the service, Nominet posted the following:
Late yesterday evening, as a result of a distributed and high volume data
mining attempt, we were forced to temporarily suspend our public WHOIS
service. The service has since been re-started.
We believe that there is a very persistent person/organisation attempting
to gain a detailed copy of the .uk register. This attempt began last
week, but increased efforts last night resulted in us needing to take more
severe action than previously necessary. The data mining attempt operates
by systematically querying the WHOIS server using whatever WHOIS proxies
they can find. The queries normally take place overnight (GMT) with
sometimes hundreds of proxies being commandeered simultaneously for this
purpose. Yesterday evening, the volumes were such that we had no
alternative but to suspend the service from 23.00 hours GMT onwards. The
service was re-started at 07.45 hours GMT.
Before last night's action we had been actively working against this
action every night by blocking the proxies that we believed were being
used for this attack. It is important to note that some of the proxies
being blocked were not exceeding any form of rate limit and so were not
being blocked for individual misuse, but rather for their unwitting
involvement in this distributed attack. We have also been currently
blocking all traffic from the originating subnets. We have made a formal
complaint to the ISP responsible for the address ranges concerned and are
currently taking legal advice on related issues.
To reduce the problems caused to members by our needing to block their
access, we unblock most proxies when we are confident that the attack has
subsided, which is normally early in the morning (GMT). Those left
blocked are either exceeding rate limits or seem to be still being used in
We apologise to anyone inconvenienced by these events, but trust that
members will understand the importance of protecting the .uk register.
CTO, CentralNic Ltd. [centralnic.com]