Open kristovatlas opened 7 years ago
Actually, this has to be handled slightly differently from the previous quota-exceeded message in that it does not indicate how much time is left in the cooldown. One option is to set the cooldown to 24 hours worth of seconds.
This is particularly problematic if the WHOIS request is sent from a shared IP address (e.g. shared hosting).
Here's another way to tackle it: If the response does not contain a "quota exceeded" error, set a counter to zero. If it does contain that error, increment the counter and store the time the error was first received. When the counter reaches a user-configurable value (e.g. through a command-line argument), send an alert email to recipients that the service has been blind for a given amount of time.
This is to defend against an attack in which the attacker sends WHOIS records from a shared IP address in order to blind the service while launching a parallel, registration-impacting attack.
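The counter-and-alert scheme described above, as an added example that is not part of this issue or the project's code. It assumes the quota error can be matched by the phrase "quota exceeded" (the exact registrar wording is not given here), takes the threshold as a parameter in place of a command-line flag, and sends one alert per blind episode through an injected callable so it can be tested without a mail server.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Assumed match for the registrar's error; the real wording is not on the page.
QUOTA_PATTERN = re.compile(r"quota exceeded", re.IGNORECASE)


@dataclass
class BlindnessTracker:
    """Counts consecutive WHOIS responses carrying a quota-exceeded error and
    alerts once the service has been blind for `threshold` responses."""
    threshold: int                    # user-configurable (e.g. a CLI argument)
    alert: Callable[[str], None]      # e.g. a mail sender; injected for testing
    consecutive_errors: int = 0
    first_error_at: Optional[float] = None

    def record_response(self, response_text: str, now: float) -> bool:
        """Feed one WHOIS response with its timestamp (seconds).
        Returns True if this response triggered an alert."""
        if not QUOTA_PATTERN.search(response_text):
            # A clean response means we can see again: reset the episode.
            self.consecutive_errors = 0
            self.first_error_at = None
            return False
        self.consecutive_errors += 1
        if self.first_error_at is None:
            self.first_error_at = now      # remember when blindness began
        if self.consecutive_errors == self.threshold:
            blind_for = now - self.first_error_at
            self.alert(f"WHOIS monitoring blind for {blind_for:.0f}s "
                       f"({self.consecutive_errors} consecutive quota-exceeded responses)")
            return True
        return False


def run_sequence(threshold: int, responses: List[Tuple[float, str]]) -> List[str]:
    """Replay (timestamp, response) pairs through a tracker; return alerts sent."""
    sent: List[str] = []
    tracker = BlindnessTracker(threshold=threshold, alert=sent.append)
    for ts, text in responses:
        tracker.record_response(text, ts)
    return sent


# Constructed sample traffic: one clean lookup, three quota errors, then recovery.
SAMPLE = [
    (0.0, "Domain Name: EXAMPLE.COM\nRegistrar: Example Registrar"),
    (60.0, "Error: Quota exceeded for this IP address"),
    (120.0, "Error: Quota exceeded for this IP address"),
    (180.0, "Error: Quota exceeded for this IP address"),
    (240.0, "Domain Name: EXAMPLE.COM\nRegistrar: Example Registrar"),
]
```

With a threshold of 3 the sample produces a single alert at the third error, reporting the 120 s elapsed since the first one; a counter reset on the clean response at 240 s starts a fresh episode.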
Sample error message included in WHOIS response:
This should be handled the same as issue #2.
Also highlights the relevance of sending to multiple recipients rather than having one querying thread per recipient.