Who Broke the WHOIS?

Gunter Ollmann

As Internet services go, WHOIS held a lot of promise but has repeatedly failed to live up to its potential, raising the question: "is it time to retire WHOIS?"

The concept behind WHOIS was simple. For each and every registered domain name, provide the facility for querying details about who owns it, who administers it, when it was created and when it will expire. Unfortunately the service lost its way practically from day one, after failing to agree upon, or adhere to, any formal structure for the content it provides.

Despite the absence of any formal structure to the content, regular expression (regex) string handling has managed to overcome many of these formatting hurdles (from a programmatic perspective). In general though, having overcome the registrars' ad hoc formatting, the content of the WHOIS data is unreliable. It's certainly unreliable from a security practitioner and abuse handling perspective!

If I had to summarize the "value" of the data actually contained in the returned WHOIS query results, it would probably break down into the following:

  1. Relatively complete records for everyday regular Internet users who happened to register a domain at some stage and never realized that their personal address information would be visible to everyone on the Internet.
  2. Relatively complete records for privacy holding companies that manage WHOIS privacy for folks that registered domains and knew that their personal information would otherwise be broadcast over the Internet.
  3. Sparse and incomplete records for everyday regular Internet users who knew that these registration details would be leaked to all Internet users and didn't want to pony up the fees for some additional "value add" privacy service offered by their registrar.
  4. Fraudulent and faked information supplied by cybercriminals as they registered the domains they wanted to use for an upcoming fraud campaign — where the details need to look real enough (probably linked to the stolen credit card they used to pay for the registration in the first place).
  5. Sparse fraudulent and faked information grudgingly supplied (in its minimal state) by the cybercriminals as they automatically bulk register new domains.
  6. Made-up nonsense registration data. There was a field that had to be filled in, so it was — with anything — and could have been supplied by legitimate registrants or cybercriminals. The expectation being that the domain is completely disposable and will only exist for a few hours.

I'm sure the list could go on, but effectively the odds that the data contained within a particular WHOIS record is actually accurate are stacked against an inquisitive security practitioner. That said, most threat researchers would give up an appendage (or a smaller, more sensitive part of their anatomy) if they could reliably obtain the WHOIS data for all the domain registrations (and renewals) carried out every day. If they could get the same WHOIS data for some of the more frequently abused country code Top-Level Domains (ccTLDs) in remote lands, they'd probably be prepared to offer up their first born.

If the data can't be trusted, why is it so useful to a threat researcher? The answer is "correlation". There are enough bad guys out there who are stupid, make mistakes, or simply "don't care", and who therefore end up recycling some or all of their registration data.

For example, the cybercrooks want to launch a phishing campaign. They'll be sending out a few million phishing emails, for which they'll have prepared the templates in advance. On the day of the attack, they'll do a bulk registration of multiple domain names and use the same contact/administration email address so they can efficiently log in to the domain control accounts and configure the correct DNS settings. Even though they are using multiple domain names (often from multiple registrars and spread over multiple TLDs), a security analyst who intercepts even a single phishing email can extract the domain name listed in it, the one being used to drive victims to the phishing Web site.

Armed with that domain name, the analyst can check the WHOIS data, identify registration attributes (e.g. the contact/administration email address), and then search/cross-reference/correlate with all other domain name registrations sharing the same details. In many cases, they'll uncover dozens of additional domains that happened to have been registered within hours of each other using the same email address, and can conclude that the additional domains are part of the same phishing campaign.
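The two steps above (regex handling of the registrars' ad hoc record layouts, then pivoting on a shared contact address within a tight registration window) can be expressed in a few dozen lines. The following is an added example written for this post, not code from the author or from NCC Group; the WHOIS responses, domain names and the privacy-proxy domain list are all constructed, and the label patterns cover only the handful of registrar layouts shown. It also handles the caveat the post raises about privacy screening: a proxy address shared by many unrelated registrants is skipped, because correlating on it would only produce false positives.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed WHOIS responses in the kind of ad hoc, registrar-specific layouts
# the post describes. None of these are real registrations.
SAMPLE_WHOIS = {
    "login-secure-bank.example": (
        "Domain Name: LOGIN-SECURE-BANK.EXAMPLE\n"
        "Creation Date: 2011-05-20T03:14:07Z\n"
        "Registrant Email: ops-contact@mailbox.example\n"
        "Admin Email: ops-contact@mailbox.example\n"
    ),
    "bank-verify-now.example": (
        "domain:        bank-verify-now.example\n"
        "created:       20.05.2011 04:02:55\n"
        "e-mail:        Ops-Contact@mailbox.example\n"
    ),
    "account-update-bank.example": (
        "Domain name: account-update-bank.example\n"
        "Registered on: 21-May-2011\n"
        "Admin Contact Email: ops-contact@mailbox.example\n"
    ),
    "old-hobby-site.example": (  # same address, but registered years earlier
        "Domain Name: OLD-HOBBY-SITE.EXAMPLE\n"
        "Creation Date: 2008-02-10T09:00:00Z\n"
        "Admin Email: ops-contact@mailbox.example\n"
    ),
    "privacy-shop.example": (  # two unrelated domains behind one privacy proxy
        "Domain Name: PRIVACY-SHOP.EXAMPLE\n"
        "Creation Date: 2011-05-20T05:30:00Z\n"
        "Admin Email: contact@privacy-proxy.example\n"
    ),
    "privacy-blog.example": (
        "Domain Name: PRIVACY-BLOG.EXAMPLE\n"
        "Creation Date: 2011-05-20T06:10:00Z\n"
        "Admin Email: contact@privacy-proxy.example\n"
    ),
}

# Assumed list of WHOIS privacy services whose shared addresses must not be pivoted on.
PRIVACY_PROXY_DOMAINS = frozenset({"privacy-proxy.example"})

# One pattern per field, tolerant of the label variants seen above (case and spacing differ).
EMAIL_LINE = re.compile(r"^\s*([A-Za-z -]*?e-?mail)\s*:\s*(\S+@\S+)\s*$",
                        re.IGNORECASE | re.MULTILINE)
CREATED_LINE = re.compile(
    r"^\s*(?:creation date|created(?: on)?|registered(?: on)?|registration date)\s*:\s*(.+?)\s*$",
    re.IGNORECASE | re.MULTILINE)
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%d.%m.%Y %H:%M:%S", "%d-%b-%Y", "%Y-%m-%d")


def parse_date(text):
    """Try each registrar date layout in turn; None if nothing matches."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    return None


def parse_whois(text):
    """Pull a normalised contact email (admin preferred) and creation time out of free-form WHOIS text."""
    found = EMAIL_LINE.findall(text)  # list of (label, address)
    email = None
    if found:
        admin = [addr for label, addr in found if "admin" in label.lower()]
        email = (admin[0] if admin else found[0][1]).lower()
    created_match = CREATED_LINE.search(text)
    created = parse_date(created_match.group(1)) if created_match else None
    return {"email": email, "created": created}


def index_by_email(whois_records):
    """Invert the record set: contact email -> [(domain, created), ...]."""
    index = defaultdict(list)
    for domain, text in whois_records.items():
        rec = parse_whois(text)
        if rec["email"]:
            index[rec["email"]].append((domain, rec["created"]))
    return index


def correlate(seed_domain, whois_records, window_hours=48, proxy_domains=PRIVACY_PROXY_DOMAINS):
    """Domains sharing the seed's contact email, registered within window_hours of it (None = any time)."""
    seed = parse_whois(whois_records[seed_domain])
    email = seed["email"]
    # No usable address, or a privacy-proxy address shared across unrelated registrants: no pivot.
    if email is None or email.split("@", 1)[1] in proxy_domains:
        return []
    matches = []
    for domain, created in index_by_email(whois_records)[email]:
        if domain == seed_domain:
            continue
        if window_hours is not None and seed["created"] and created \
                and abs(created - seed["created"]) > timedelta(hours=window_hours):
            continue
        matches.append(domain)
    return sorted(matches)


if __name__ == "__main__":
    print(correlate("login-secure-bank.example", SAMPLE_WHOIS))
```

Running it from the intercepted `login-secure-bank.example` yields the two sibling domains registered within a day of it and leaves out the 2008 registration that merely shares the address; seeding from `privacy-shop.example` returns nothing, whereas passing an empty `proxy_domains` set would wrongly tie it to `privacy-blog.example`.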

The usefulness of WHOIS data from a security practitioner perspective depends upon cybercriminals providing "interesting" registration details, and those details have been getting increasingly sparse over recent years. The growth of privacy screening WHOIS services and the explosion of new gTLDs, ccTLDs and novelty TLDs are making things worse.

Perhaps it is time to retire WHOIS if the registrars can't compel registrants to use correct (and verifiable) registration information. In the meantime security practitioners will be milking the system for all it's worth.

That "milking" process raises its own problems of course. Registrars are very protective of their WHOIS data. They've been forced to implement security features and rate limit the volume of requests for data. For example, consider the value of having the correct registration details of every domain name owner, and the value of that information to marketers, spammers, etc. Despite these protective measures, the bad guys have been automatically leeching this information for years. Unfortunately the good guys are forced to replicate the bad guys' techniques for extracting WHOIS data, and end up becoming abusers of the system themselves.

The entire WHOIS system is broken.

By Gunter Ollmann, CTO at NCC Group Domain Services.


Comments

Verification
Frank Bulk  –  May 27, 2011 8:33 PM PDT

I don't want it to be like China, where every domain registration requires formal government identification, but it's my understanding that there are existing rules in place that just aren't enforced.

Well... those rules were put in place to stop lots of pill spammers registering .cn domains in bulk
Suresh Ramasubramanian  –  May 28, 2011 9:36 AM PDT

Seem to have worked. Not that it's a very convenient thing for all the legit registrants of .cn

Frank Bulk  –  May 28, 2011 2:18 PM PDT

@Suresh: Of course, China is requiring gov't ID for different reasons than for the ones we're talking about.  But you're right, inconvenient for the legitimate registrants.  And so are most regulations.

Charles Christopher  –  May 29, 2011 12:13 AM PDT

Get rid of whois and watch the situation get MUCH worse.

Enforce the accurate whois requirement. If the whois is useless, DELETE THE DOMAIN. If it's in error, threaten deletion and mean it and require an immediate and proper update.

Privacy whois should be ended. Privacy whois causes problems, such as masking theft and denying proof of registration. The safety of whois registrations being scraped and represented across a massive number of sites shows how scrapable and useful the data is.

Further, registries should provide a "whowas" feature and let it be paid if need be.

The last thing I want is removal of registration accountability. Translating refusal to enforce the rules and terminating the system is throwing the baby out with the bath water ....

Why are we not discussing those who REFUSE to enforce the rules? If I recall correctly, it's even a LAW ...

Why do they get a free pass?

Frank Bulk  –  May 29, 2011 9:32 AM PDT

I'm not against privacy WHOIS, as long as law enforcement agencies and Internet security experts can access the data in a controlled manner.

Frank

Mark Giles  –  Jun 03, 2011 3:52 PM PDT

I have to admit it, China has shown the rest of the world how to do it. Take an oriental bow.

The wise old saying comes to mind - "If it's broke, fix it"
