
Who Broke the WHOIS?

Gunter Ollmann

As Internet services go, WHOIS held a lot of promise but has repeatedly failed to live up to its potential; raising the question "is it time to retire WHOIS?"

The concept behind WHOIS was simple. For each and every registered domain name, provide the facility for querying details about who owns it, who administers it, when was it created and when it will expire. Unfortunately the service lost its way practically from day one after failing to agree upon or adhere to any formal structure of the content it provides.

Despite the absence of any formal structure to the content, regular expression (Regex) string handling has managed to overcome many of these formatting hurdles (from a programmatic perspective). In general though, having overcome the registrars' ad hoc formatting, the content of the WHOIS data is unreliable. It's certainly unreliable from a security practitioner and abuse handling perspective!

If I had to summarize the "value" of the data actually contained in the returned WHOIS query results, it would probably break down into the following:

  1. Relatively complete records for everyday regular Internet users who happened to register a domain at some stage and never realized that their personal address information would be visible to everyone on the Internet.
  2. Relatively complete records for privacy holding companies that manage WHOIS privacy for folks that registered domains and knew that their personal information would otherwise be broadcast over the Internet.
  3. Sparse and incomplete records for everyday regular Internet users who knew that these registration details would be leaked to all Internet users and didn't want to pony up the fees for some additional "value add" privacy service offered by their registrar.
  4. Fraudulent and faked information supplied by cybercriminals as they registered the domains they wanted to use for an upcoming fraud campaign — where the details need to look real enough (probably linked to the stolen credit card they used to pay for the registration in the first place).
  5. Sparse fraudulent and faked information grudgingly supplied (in its minimal state) by the cybercriminals as they automatically bulk register new domains.
  6. Made-up nonsense registration data. There was a field that had to be filled in, so it was — with anything — and could have been supplied by legitimate registrants or cybercriminals. The expectation being that the domain is completely disposable and will only exist for a few hours.

I'm sure the list could go on, but effectively the odds that the data contained within a particular WHOIS record is actually accurate are stacked against an inquisitive security practitioner. That said, most threat researchers would give up an appendage (or a smaller more sensitive part of their anatomy) if they could reliably obtain the WHOIS data for all the domain registrations (and renewals) carried out every day. If they could get the same WHOIS data for some of the more frequently abused country code Top-Level Domains (ccTLDs) in remote lands, they'd probably be prepared to offer up their first born.

If the data can't be trusted, why is it so useful to a threat researcher? The answer is "correlation". There are enough bad guys out there that are stupid, make mistakes or simply "don't care" that they end up recycling some or all of their registration data.

For example, the cybercrooks want to launch a phishing campaign. They'll be sending out a few million phishing emails — which they'll have prepared the templates for in advance. On the day of the attack, they'll do a bulk registration of multiple domain names and use the same contact/administration email address so they can efficiently log in to the domain control accounts and configure the correct DNS settings. Even though they are using multiple domain names (often from multiple registrars and spread over multiple TLDs), if a security analyst intercepts even a single phishing email they are able to extract the domain name listed in the email and being used to drive victims to the phishing Web site.

Armed with that domain name, the analyst can check the WHOIS data, identify registration attributes (e.g. the contact/administration email address), and then search/cross-reference/correlate with all other domain name registrations sharing the same details. In many cases, they'll uncover dozens of additional domains that happened to have been registered within hours of each other using the same email address — and able to conclude that the additional domains are part of the same phishing campaign.
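The pivot described above, as an added example that is not part of the original post: a handful of constructed WHOIS replies in the differing ad hoc layouts the post complains about, a few regular expressions that pull the registrant email and creation timestamp out of each, and a correlation step that groups domains sharing the same email and then splits each group into registration "bursts" (here, within 24 hours of one another). All domains, addresses and registrar names are invented placeholders; the field labels are assumptions modelled on common registrar output, not a complete parser.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample WHOIS replies in three different ad hoc layouts.
# These are illustrative records, not real registrations.
SAMPLE_WHOIS = {
    "secure-login-update.example": """Domain Name: SECURE-LOGIN-UPDATE.EXAMPLE
Creation Date: 2011-05-20T03:12:44Z
Registrar: Example Registrar A
Registrant Email: ops-desk@mailbox.example
Admin Email: ops-desk@mailbox.example
""",
    "account-verify-now.example": """domain:       account-verify-now.example
created:      20.05.2011 04:01:10
registrar:    Example Registrar B
e-mail:       OPS-DESK@mailbox.example
""",
    "bank-alert-center.example": """Domain: bank-alert-center.example
Registered on: 20-May-2011 05:45:00
Registrant Contact Email: ops-desk@mailbox.example
""",
    "my-family-photos.example": """Domain Name: MY-FAMILY-PHOTOS.EXAMPLE
Creation Date: 2009-11-02T10:00:00Z
Registrant Email: someone@home.example
""",
    "ops-desk-old-site.example": """domain:       ops-desk-old-site.example
created:      01.03.2010 12:00:00
e-mail:       ops-desk@mailbox.example
""",
}

# Each registrar labels the same field differently, so try several patterns
# (assumed labels; a real parser would carry one set per registrar/TLD).
EMAIL_PATTERNS = [
    re.compile(r"^\s*Registrant(?: Contact)? Email:\s*(\S+)", re.I | re.M),
    re.compile(r"^\s*Admin Email:\s*(\S+)", re.I | re.M),
    re.compile(r"^\s*e-?mail:\s*(\S+)", re.I | re.M),
]
DATE_PATTERNS = [
    (re.compile(r"^\s*Creation Date:\s*(\S+)", re.I | re.M), "%Y-%m-%dT%H:%M:%SZ"),
    (re.compile(r"^\s*created:\s*(\S+ \S+)", re.I | re.M), "%d.%m.%Y %H:%M:%S"),
    (re.compile(r"^\s*Registered on:\s*(\S+ \S+)", re.I | re.M), "%d-%b-%Y %H:%M:%S"),
]


def parse_record(domain, text):
    """Extract a normalised registrant email and creation timestamp from one
    WHOIS reply, tolerating the differing field labels and date formats."""
    email = None
    for pat in EMAIL_PATTERNS:
        m = pat.search(text)
        if m:
            email = m.group(1).strip().lower()
            break
    created = None
    for pat, fmt in DATE_PATTERNS:
        m = pat.search(text)
        if m:
            try:
                created = datetime.strptime(m.group(1).strip(), fmt)
            except ValueError:
                created = None  # unparseable date: keep the record, drop the time
            break
    return {"domain": domain, "email": email, "created": created}


def correlate(records, window=timedelta(hours=24)):
    """Group domains by shared registrant email, then split each group into
    bursts whose consecutive registrations lie within `window` of each other."""
    by_email = defaultdict(list)
    for r in records:
        if r["email"] and r["created"]:
            by_email[r["email"]].append(r)
    clusters = []
    for email, recs in by_email.items():
        recs.sort(key=lambda r: r["created"])
        burst = [recs[0]]
        for r in recs[1:]:
            if r["created"] - burst[-1]["created"] <= window:
                burst.append(r)
            else:
                clusters.append((email, [b["domain"] for b in burst]))
                burst = [r]
        clusters.append((email, [b["domain"] for b in burst]))
    return clusters


def pivot_from(seed_domain, whois_data=SAMPLE_WHOIS, window=timedelta(hours=24)):
    """Starting from the one domain seen in a phishing email, return the other
    domains registered with the same email inside the same registration burst."""
    records = [parse_record(d, t) for d, t in whois_data.items()]
    seed = next(r for r in records if r["domain"] == seed_domain)
    for email, domains in correlate(records, window):
        if email == seed["email"] and seed_domain in domains:
            return sorted(d for d in domains if d != seed_domain)
    return []


if __name__ == "__main__":
    print(pivot_from("secure-login-update.example"))
```

The burst window is what keeps the older, unrelated "ops-desk-old-site.example" registration out of the cluster even though it shares the contact address; without it, a recycled address would drag in every domain that person ever registered, which is exactly the kind of over-reach that turns a lead into a false positive.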

The usefulness of WHOIS data from a security practitioner perspective depends upon the cybercriminal providing "interesting" registration details, and those details have been getting increasingly sparse over recent years. The growth of privacy screening WHOIS services and the explosion of new gTLDs, ccTLDs and novelty TLDs are making things worse.

Perhaps it is time to retire WHOIS if the registrars can't compel registrants to supply correct (and verifiable) registration information. In the meantime security practitioners will be milking the system for all it's worth.

That "milking" process raises its own problems of course. Registrars are very protective of their WHOIS data. They've been forced to implement security features and rate limit the volume of requests for data. For example, consider the value of having the correct registration details of every domain name owner, and the value of that information to marketers, spammers, etc. Despite these protective measures, the bad guys have been automatically leeching this information for years. Unfortunately the good guys are forced to replicate the bad guys' techniques for extracting WHOIS data, and end up becoming abusers of the system themselves.

The entire WHOIS system is broken.

By Gunter Ollmann, Chief Technology Officer at IOActive. More blog posts from Gunter Ollmann can also be read here.

Related topics: DNS, Domain Names, Security, Top-Level Domains, Whois


Comments

Verification (Frank Bulk – May 27, 2011 8:33 PM PDT)

I don't want it to be like China, where every domain registration requires formal government identification, but it's my understanding that there are existing rules in place that just aren't enforced.

Well .. those rules were put in place to stop lots of pill spammers registering .cn domains in bulk (Suresh Ramasubramanian – May 28, 2011 9:36 AM PDT)

Seem to have worked. Not that it's a very convenient thing for all the legit registrants of .cn

@Suresh: Of course, China is requiring gov't (Frank Bulk – May 28, 2011 2:18 PM PDT)

@Suresh: Of course, China is requiring gov't ID for different reasons than for the ones we're talking about.  But you're right, inconvenient for the legitimate registrants.  And so are most regulations.

Get rid of whois and watch the (Charles Christopher – May 29, 2011 12:13 AM PDT)

Get rid of whois and watch the situation get MUCH worse.

Enforce the accurate whois requirement. If the whois is useless, DELETE THE DOMAIN. If it's in error, threaten deletion and mean it and require an immediate and proper update.

Privacy whois should be ended. Privacy whois causes problems, such as masking theft and denying proof of registration. The safety of whois registrations being scraped and represented across a massive number of sites shows how scrapable and useful the data is.

Further, registries should provide a "whowas" feature and let it be paid if need be.

The last thing I want is removal of registration accountability. Translating refusal to enforce the rules and terminating the system is throwing the baby out with the bath water ....

Why are we not discussing those who REFUSE to enforce the rules? If I recall correctly, it's even a LAW ...

Why do they get a free pass?

I'm not against privacy WHOIS, as long (Frank Bulk – May 29, 2011 9:32 AM PDT)

I'm not against privacy WHOIS, as long as law enforcement agencies and Internet security experts can access the data in a controlled manner.

Frank

I have to admit it, China has (Mark Giles – Jun 03, 2011 3:52 PM PDT)

I have to admit it, China has shown the rest of the world how to do it. Take an oriental bow.

The wise old saying comes to mind - "If it's broke, fix it"

