Trawling attack knocks SRS whois offline

It has been revealed that in February the 'whois' server of the new shared registry system (SRS) that runs the country's domain name system was knocked out of action for 10 minutes following 'an abuse attack'.

The Domain Name Commissioner (DNC) Debbie Monahan (InternetNZ's representative overseeing the registry system) rates the attack as "medium" in severity.

The whois server stores the names and contact details for all the owners of domain names in the .nz space.

The attack, which came in the form of multiple requests sent to the SRS in a short space of time, originated in Australia, says .nz Registry Services manager Nick Griffin. Registry Services runs the register for InternetNZ.

"Fortunately it was at about four o'clock in the morning so it wasn't a major problem," Griffin says.

"We've lodged a complaint with the Australian telco where the attack originated, but that process will take time to work through," says Griffin, who declined to name the telco.

This isn't the first such attack. Griffin says it was simply trawling the register to find contact details, presumably for spammers.

He says the attack came from an IP address in Australia and the system automatically limited traffic from that address.

Griffin says it is unusual for such a search to be successful because of the way the system is set up.

"Normally the more requests you send in a short space of time the slower your connection goes until it stops. Unfortunately, possibly because of the time of day, this one managed to bring about an unscheduled outage."

Griffin says the registry will have to adopt a "shoot first, ask questions later" policy in order to block such events in the future.

"There might be a genuine reason why a registrar is trying to put through so many requests so quickly but we'll talk to them as it happens and find out what's going on."

Griffin has reported the problem to the Australian telco, but the procedure there is a slow one.

"Last time we spoke to a different Aussie telco it took two or three months before they sorted out what was going on. Obviously they want to make sure the attack is genuine before acting, but we're hoping to sort out some other procedure with them to speed things up."

Griffin says it needs to be handled differently at the telco's end because the national register is being affected, not someone's home page.

He says extra code has been added to the SRS to try to prevent such trawls in future. In the meantime, the IP address of the latest attacker has joined Registry Services' black list.
