As Internet services go, WHOIS held a lot of promise but has repeatedly failed to live up to its potential, raising the question “is it time to retire WHOIS?”
The concept behind WHOIS was simple. For each and every registered domain name, provide the facility for querying details about who owns it, who administers it, when it was created and when it will expire. Unfortunately, the service lost its way practically from day one after failing to agree upon or adhere to any formal structure for the content it provides.
Despite the absence of any formal structure to the content, regular expression (Regex) string handling has managed to overcome many of these formatting hurdles (from a programmatic perspective). In general though, having overcome the registrars’ ad hoc formatting, the content of the WHOIS data is unreliable. It’s certainly unreliable from a security practitioner and abuse handling perspective!
If I had to summarize the “value” of the data actually contained in the returned WHOIS query results, it would probably break down into the following:
I’m sure the list could go on, but effectively the odds that the data contained within a particular WHOIS record is actually accurate are stacked against an inquisitive security practitioner. That said, most threat researchers would give up an appendage (or a smaller, more sensitive part of their anatomy) if they could reliably obtain the WHOIS data for all the domain registrations (and renewals) carried out every day. If they could get the same WHOIS data for some of the more frequently abused country code Top-Level Domains (ccTLDs) in remote lands, they’d probably be prepared to offer up their first born.
If the data can’t be trusted, why is it so useful to a threat researcher? The answer is “correlation”. There are enough bad guys out there that are stupid, make mistakes or simply “don’t care” that they end up recycling some or all of their registration data.
For example, the cybercrooks want to launch a phishing campaign. They’ll be sending out a few million phishing emails—for which they’ll have prepared the templates in advance. On the day of the attack, they’ll do a bulk registration of multiple domain names and use the same contact/administration email address so they can efficiently log in to the domain control accounts and configure the correct DNS settings. Even though they are using multiple domain names (often from multiple registrars and spread over multiple TLDs), if a security analyst intercepts even a single phishing email they are able to extract the domain name listed in the email that is being used to drive victims to the phishing Web site.
Armed with that domain name, the analyst can check the WHOIS data, identify registration attributes (e.g. the contact/administration email address), and then search/cross-reference/correlate with all other domain name registrations sharing the same details. In many cases, they’ll uncover dozens of additional domains that happened to have been registered within hours of each other using the same email address—and can conclude that the additional domains are part of the same phishing campaign.
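The correlation step described above, as an added example that is not part of the original article: a small regex-based extractor that tolerates three different registrar layouts, then groups domains by shared contact email and creation window. The sample records, domains and addresses are constructed for illustration; the field labels and timestamp formats are assumptions, to be extended as new registrar formats are encountered.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed WHOIS responses in three registrar layouts (hypothetical data, not real registrations).
SAMPLE_RECORDS = [
    "Domain Name: LOGIN-SECURE-BANK.EXAMPLE\nCreation Date: 2024-03-11T08:12:45Z\nRegistrant Email: ops-mailer@example.net",
    "domain: verify-account-bank.example\ncreated: 2024-03-11 09:40:02\ne-mail: ops-mailer@example.net",
    "Domain Name: unrelated-shop.example\nRegistrant Contact Email: shop@example.org\nCreation Date: 2023-07-01T10:00:00Z",
]

# Field labels differ per registrar; the alternations absorb the variants seen above (assumed set).
DOMAIN_RE = re.compile(r"^domain(?: name)?:\s*(\S+)", re.I | re.M)
EMAIL_RE = re.compile(r"^(?:registrant (?:contact )?)?e-?mail:\s*(\S+)", re.I | re.M)
DATE_RE = re.compile(r"^(?:creation date|created):\s*(\S+(?: \S+)?)", re.I | re.M)
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d")

def parse_date(text):
    """Return the first layout in DATE_FORMATS that parses, else None."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            pass
    return None

def parse_whois(raw):
    """Pull domain, contact email and creation time out of one raw response."""
    d, e, c = DOMAIN_RE.search(raw), EMAIL_RE.search(raw), DATE_RE.search(raw)
    return {"domain": d.group(1).lower() if d else None,
            "email": e.group(1).lower() if e else None,
            "created": parse_date(c.group(1)) if c else None}

def correlate(raw_records, window=timedelta(hours=24)):
    """Return {email: [domains]} for contact emails shared by two or more domains whose
    creation times fall inside `window`; records lacking email or date are dropped, not guessed."""
    by_email = defaultdict(list)
    for rec in map(parse_whois, raw_records):
        if rec["email"] and rec["created"]:
            by_email[rec["email"]].append(rec)
    clusters = {}
    for email, group in by_email.items():
        group.sort(key=lambda r: r["created"])
        if len(group) > 1 and group[-1]["created"] - group[0]["created"] <= window:
            clusters[email] = [r["domain"] for r in group]
    return clusters

def related_domains(seed_domain, raw_records):
    """From one domain pulled out of a phishing email, list its cluster mates."""
    seeds = [parse_whois(r) for r in raw_records if parse_whois(r)["domain"] == seed_domain.lower()]
    cluster = correlate(raw_records).get(seeds[0]["email"], []) if seeds else []
    return [d for d in cluster if d != seed_domain.lower()]
```

The `window` default is an assumption; in practice it is tuned to how tightly a given campaign's registrations cluster, and the shop domain shows that a shared-nothing record simply falls out of the result.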
The usefulness of WHOIS data from a security practitioner perspective depends upon the cybercriminal providing “interesting” registration details—and those details have been getting increasingly sparse over recent years. The growth of privacy screening WHOIS services and the explosion of new gTLDs, ccTLDs and novelty TLDs is making things worse.
Perhaps it is time to retire WHOIS if the registrars can’t compel registrants to use correct (and verifiable) registration information. In the meantime, security practitioners will be milking the system for all it’s worth.
That “milking” process raises its own problems of course. Registrars are very protective of their WHOIS data. They’ve been forced to implement security features and rate limit the volume of requests for data. For example, consider the value of having the correct registration details of every domain name owner—and the value of that information to marketers, spammers, etc. Despite these protective measures, the bad guys have been automatically leeching this information for years. Unfortunately, the good guys are forced to replicate the bad guys’ techniques for extracting WHOIS data—and end up becoming abusers of the system themselves.
The entire WHOIS system is broken.
I don’t want it to be like China, where every domain registration requires formal government identification, but it’s my understanding that there are existing rules in place that just aren’t enforced.
Seems to have worked. Not that it's a very convenient thing for all the legit registrants of .cn
@Suresh: Of course, China is requiring gov't ID for different reasons than for the ones we're talking about. But you're right, inconvenient for the legitimate registrants. And so are most regulations.
Get rid of whois and watch the situation get MUCH worse.
Enforce the accurate whois requirement. If the whois is useless, DELETE THE DOMAIN. If it’s in error, threaten deletion and mean it and require an immediate and proper update.
Privacy whois should be ended. Privacy whois causes problems, such as masking theft and denying proof of registration. The safety of whois registrations being scraped and represented across a massive number of sites shows how scrapable and useful the data is.
Further, registries should provide a “whowas” feature and let it be paid if need be.
The last thing I want is removal of registration accountability. Translating refusal to enforce the rules and terminating the system is throwing the baby out with the bath water ....
Why are we not discussing those who REFUSE to enforce the rules? If I recall correctly, it’s even a LAW ...
Why do they get a free pass?
I'm not against privacy WHOIS, as long as law enforcement agencies and Internet security experts can access the data in a controlled manner. Frank
I have to admit it, China has shown the rest of the world how to do it. Take an oriental bow.
The wise old saying comes to mind - “If it’s broke, fix it”