Home / Blogs

Who Broke the WHOIS?

As Internet services go, WHOIS held a lot of promise but has repeatedly failed to live up to its potential; raising the question “is it time to retire WHOIS?”

The concept behind WHOIS was simple. For each and every registered domain name, provide the facility for querying details about who owns it, who administers it, when was it created and when it will expire. Unfortunately the service lost its way practically from day one after failing to agree upon or adhere to any formal structure of the content it provides.

Despite the absence of any formal structure to the content, regular [removed]Regex) string handling has managed to overcome many of these formatting hurdles (from a programmatic perspective). In general though, having overcome the registrars ad hoc formatting, the content of the WHOIS data is unreliable. It’s certainly unreliable from a security practitioner and abuse handling perspective!

If I had to summarize the “value” of the data actually contained in the returned WHOIS query results, it would probably break down in to the following:

  1. Relatively complete records for everyday regular Internet users who happened to register a domain at some stage and never realized that their personal address information would be visible to everyone on the Internet.
  2. Relatively complete records for privacy holding companies that manage WHOIS privacy for folks that registered domains and knew that their personal information would otherwise be broadcast over the Internet.
  3. Sparse and incomplete records for everyday regular Internet users who knew that these registration details would be leaked to all Internet users and didn’t want to pony up the fees for some additional “value add” privacy service offered by their registrar.
  4. Fraudulent and faked information supplied by cybercriminals as they registered the domains they wanted to use for an upcoming fraud campaign—where the details need to look real enough (probably linked to the stolen credit card they used to pay for the registration in the first place).
  5. Sparse fraudulent and faked information grudgingly supplied (in its minimal state) by the cybercriminals as they automatically bulk register new domains.
  6. Made-up nonsense registration data. There was a field that had to be filled in, so it was—with anything—and could have been supplied by legitimate registrants or cybercriminals. The expectation being that the domain is completely disposable and will only exist for a few hours.

I’m sure the list could go on, but effectively the odds that the data contained within a particular WHOIS record is actually accurate are stacked against an inquisitive security practitioner. That said, most threat researchers would give up an appendage (or a smaller more sensitive part of their anatomy) if they could reliably obtain the WHOIS data for all the domain registrations (and renewals) carried out every day. If they could get the same WHOIS data for some of the more frequently abused country code Top-Level Domains (ccTLDs) in remote lands, they’d probably be prepared to offer up their first born.

If the data can’t be trusted, why is it so useful to a threat researcher? The answer is “correlation”. There are enough bad guys out there that are stupid, make mistakes or simply “don’t care” that they end up recycling some or all of their registration data.

For example, the cybercrooks want to launch a phishing campaign. They’ll be sending out a few million phishing emails—which they’ll have prepared the templates for in advance. On the day of the attack, they’ll do a bulk registration of multiple domain names and use the same contact/administration email address so they can efficiently log in to the domain control accounts and configure the correct DNS settings. Even though they are using multiple domain names (often from multiple registrars and spread over multiple TLDs), if a security analyst intercepts even a single phishing email they are able to extract the domain name listed in the email and being used to drive victims to the phishing Web site.

Armed with that domain name, the analyst can check the WHOIS data, identify registration attributes (e.g. the contact/administration email address), and then search/cross-reference/correlate with all other domain name registrations sharing the same details. In many cases, they’ll uncover dozens of additional domains that happened to have been registered within hours of each other using the same email address—and able to conclude that the additional domains are part of the same phishing campaign.

The usefulness of WHOIS data from a security practitioner perspective is dependent upon the cybercriminal to provide “interesting” registration details—and those details have been getting increasingly sparse over recent years. The growth of privacy screening WHOIS services and the explosion of new gTLDs, ccTLDs and novelty TLDs is making things worse.

Perhaps it is time to retire WHOIS if the registrars can’t enforce registrants to use correct (and verifiable) registration information. In the meantime security practitioners will be milking the system for all it’s worth.

That “milking” process raises its own problems of course. Registrars are very protective of their WHOIS data. They’ve been forced to implement security features and rate limit the volume of requests for data. For example, consider the value of having the correct registration details of every domain name owner—and the value of that information to marketers, spammers, etc. Despite these protective measures, the bad guys have been automatically leaching this information for years. Unfortunately the good guys are forced to replicate the bad guys techniques for extracting WHOIS data—and end up becoming abusers of the system themselves.

The entire WHOIS system is broken.

NORDVPN DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]
By Gunter Ollmann, CTO, Security (Cloud and Enterprise) at Microsoft

Filed Under

Comments

Verification Frank Bulk  –  May 28, 2011 3:33 AM

I don’t want it to be like China, where every domain registration requires formal government identification, but it’s my understanding that there are existing rules in place that just aren’t enforced.

Well .. those rules were put in place to stop lots of pill spammers registering .cn domains in bulk Suresh Ramasubramanian  –  May 28, 2011 4:36 PM

Seem to have worked. Not that it's a very convenient thing for all the legit registrants of .cn

@Suresh: Of course, China is requiring gov't Frank Bulk  –  May 28, 2011 9:18 PM

@Suresh: Of course, China is requiring gov't ID for different reasons than for the ones we're talking about. But you're right, inconvenient for the legitimate registrants. And so are most regulations.

Get rid of whois and watch the Charles Christopher  –  May 29, 2011 7:13 AM

Get rid of whois and watch the situation get MUCH worse.

Enforce the accurate whois requirement. If the whois is useless, DELETE THE DOMAIN. If it’s in error, threaten deletion and mean it and require an immediate and proper update.

Privacy whois should be ended. Privacy whois causes problems, such as masking theift and denying proof of registration. The safety of whois registrations being scraped and represented across a massive number of sites shows how scrapable and useful the data is.

Further, registries should provide a “whowas” feature and let it be paid if need be.

The last thing I want is removal of registration accountability. Translating refusal to enforce the rules and terminating the system is throwing the baby out with the bath water ....

Why are we not discussing those who REFUSE to enforce the rules? If I recall correctly, it’s even a LAW ...

Why do they get a free pass?

I'm not against privacy WHOIS, as long Frank Bulk  –  May 29, 2011 4:32 PM

I'm not against privacy WHOIS, as long as law enforcement agencies and Internet security experts can access the data in a controlled manner. Frank

I have to admit it, China has Mark Giles  –  Jun 3, 2011 10:52 PM

I have to admit it, China has shown the rest of the world how to do it. Take an oriental bow.

The wise old saying comes to mind - “If it’s broke, fix it”

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix

IPv4 Markets

Sponsored byIPv4.Global

Cybersecurity

Sponsored byVerisign

Brand Protection

Sponsored byCSC

DNS

Sponsored byDNIB.com

Threat Intelligence

Sponsored byWhoisXML API