RDAP Explorer

Posted on 06 February 2017 in Technology • Tagged with django, ip, ipv4, ipv6, ipwhois, nginx, python, rdap, uwsgi, whois

Having fallen behind a bit on Takeout Inspector, the 12 Years of Gmail series and some other projects, I decided to try to put something very simple together from beginning to end and actually launch it. One of my previous posts, Examining the Remnants of a Small DDoS Attack introduced me to the Python package ipwhois and the alternative WHOIS system RDAP. This eventually led me to a quick and simple project called RDAP Explorer...

What is RDAP?

According to APNIC:

The Registration Data Access Protocol (RDAP) is an alternative to WHOIS for accessing Internet resource registration data. RDAP is designed to address a number of shortcomings in the existing Whois service. The most important changes are:

  • Standardization of queries and responses
  • Internationalization considerations to cater for languages other than English in data objects
  • Redirection capabilities to allow seamless referrals to other registries

The most important advantage of RDAP over WHOIS is the standardization of queries and responses. While reviewing a large set of IP addresses, I found it difficult to deal with the non-standard (and sometimes nonsensical) output of WHOIS queries. Most of it was easy enough to parse, but the oddballs made the process annoying and time consuming …
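To show what "standardized queries and responses" and "referrals to other registries" mean in practice, here is an added example (not code from RDAP Explorer or from the ipwhois package). The first half walks an RFC 7484-style bootstrap registry to find the server authoritative for an address and builds the standard `/ip/{address}` query URL; the second half parses an RDAP IP-network object (RFC 7483 JSON) and pulls out the range and the abuse contact. Both the bootstrap excerpt and the response are constructed sample data, not captured from any registry, and the registry base URLs are assumed to be current as of the post date.

```python
import ipaddress
import json

# Constructed, abbreviated excerpt in the shape of the IANA ipv4 bootstrap
# registry (RFC 7484). The real file lives at https://data.iana.org/rdap/ipv4.json;
# the prefixes and URLs below are illustrative, not a complete copy.
BOOTSTRAP_IPV4 = json.loads("""
{
  "version": "1.0",
  "publication": "2017-02-01T00:00:00Z",
  "services": [
    [["41.0.0.0/8", "102.0.0.0/8"], ["https://rdap.afrinic.net/rdap/"]],
    [["1.0.0.0/8", "14.0.0.0/8"], ["https://rdap.apnic.net/"]],
    [["3.0.0.0/8", "8.0.0.0/8"], ["https://rdap.arin.net/registry/"]]
  ]
}
""")


def bootstrap_server(ip, registry=BOOTSTRAP_IPV4):
    """Base URL of the RDAP server authoritative for `ip` (longest-prefix match
    over the bootstrap registry), or None if no entry covers it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefixes, urls in registry["services"]:
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, urls[0])
    return None if best is None else best[1]


def query_url(ip, registry=BOOTSTRAP_IPV4):
    """The standard RDAP IP query: <server>/ip/<address>. Same path on every registry,
    which is the point of RDAP compared with per-registry WHOIS dialects."""
    base = bootstrap_server(ip, registry)
    return None if base is None else base.rstrip("/") + "/ip/" + ip


# Constructed IP-network response in RDAP JSON shape (RFC 7483); not a real
# registry record. 203.0.113.0/24 is an RFC 5737 documentation range.
SAMPLE_RESPONSE = json.loads("""
{
  "rdapConformance": ["rdap_level_0"],
  "objectClassName": "ip network",
  "handle": "NET-EXAMPLE-1",
  "startAddress": "203.0.113.0",
  "endAddress": "203.0.113.255",
  "ipVersion": "v4",
  "name": "EXAMPLE-NET",
  "type": "ASSIGNED PA",
  "country": "AU",
  "status": ["active"],
  "events": [{"eventAction": "registration", "eventDate": "2015-06-01T00:00:00Z"}],
  "entities": [{
    "objectClassName": "entity",
    "handle": "ABUSE-EX",
    "roles": ["abuse"],
    "vcardArray": ["vcard", [
      ["version", {}, "text", "4.0"],
      ["fn", {}, "text", "Example Abuse Desk"],
      ["email", {}, "text", "abuse@example.net"]
    ]]
  }],
  "links": [{"rel": "self", "type": "application/rdap+json",
             "href": "https://rdap.example.net/ip/203.0.113.0/24"}]
}
""")


def summarize(resp):
    """Reduce an RDAP 'ip network' object to the fields an analyst wants:
    handle, CIDR(s), name, country and per-role contacts (jCard flattened)."""
    if resp.get("objectClassName") != "ip network":
        raise ValueError("not an RDAP ip network object")
    contacts = {}
    for ent in resp.get("entities", []):
        # vcardArray is ["vcard", [[name, params, type, value], ...]]
        props = {p[0]: p[3] for p in ent.get("vcardArray", ["vcard", []])[1]}
        for role in ent.get("roles", []):
            contacts[role] = {"handle": ent.get("handle"),
                              "name": props.get("fn"),
                              "email": props.get("email")}
    cidrs = ipaddress.summarize_address_range(
        ipaddress.ip_address(resp["startAddress"]),
        ipaddress.ip_address(resp["endAddress"]))
    return {"handle": resp.get("handle"),
            "cidrs": [str(n) for n in cidrs],
            "name": resp.get("name"),
            "country": resp.get("country"),
            "contacts": contacts}
```

A real client still has to follow HTTP redirects (registries refer you onward with 3xx responses for ranges they have transferred) and should check `rdapConformance` before trusting the object layout; the bootstrap step above only picks the first server to ask.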


Examining the Remnants of a Small DDoS Attack

Posted on 03 December 2016 in Technology • Tagged with apache, botnets, ddos, drupal, ip, logs, sqlite

On Sunday (27 November 2016) a small website that I advise on was the victim of a DDoS attack that managed to knock the site offline. I received notice on Monday that the website was not working. I was able to ssh to the web server and quickly found that the database service was stopped. After a brief examination of the database logs (nothing too out of the ordinary), I started the service back up and sure enough the website came back online. As the website runs on Drupal, I logged in to take a peek at the Recent log messages and found hundreds of records of login attempts from a lot of different IP addresses. User accounts on the website are only used by administrators to update content, so it was clear that the site was hit by a DDoS attack!

After getting things back online, I poked around the various log files to try to get an idea of what happened. The Drupal watchdog logs seemed to indicate that the attack started around 15:22 EST and overloaded the server's memory around 15:42 EST. The Apache server's access logs, however, revealed that the attack started closer …
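The two timelines above come from two sources of different granularity: Drupal's watchdog table only records events the application got far enough to log, while the Apache access log sees every request. Here is an added example (my own code, not the author's analysis scripts) of the kind of pass over the access log that pins down when the login flood actually began: it parses combined-format lines, buckets POSTs to the Drupal login path per minute, counts distinct source addresses, and reports the first minute that crosses a threshold plus the busiest sources (the list you would feed to RDAP lookups or a block list). The log lines are constructed with RFC 5737 documentation addresses, not the author's real logs; the `/user/login` path and the thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed Apache combined-format lines (RFC 5737 test addresses); not the
# author's logs. Times are given in -0500 to match the EST timestamps in the post.
SAMPLE_LOG = """\
198.51.100.7 - - [27/Nov/2016:15:03:11 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [27/Nov/2016:15:05:02 -0500] "POST /user/login HTTP/1.1" 200 3810 "-" "Mozilla/4.0"
203.0.113.11 - - [27/Nov/2016:15:05:40 -0500] "POST /user/login HTTP/1.1" 200 3810 "-" "Mozilla/4.0"
198.51.100.7 - - [27/Nov/2016:15:07:55 -0500] "GET /node/12 HTTP/1.1" 200 7421 "-" "Mozilla/5.0"
203.0.113.20 - - [27/Nov/2016:15:08:01 -0500] "POST /user/login HTTP/1.1" 200 3810 "-" "Mozilla/4.0"
203.0.113.21 - - [27/Nov/2016:15:08:03 -0500] "POST /user/login HTTP/1.1" 200 3810 "-" "Mozilla/4.0"
203.0.113.22 - - [27/Nov/2016:15:08:05 -0500] "POST /user/login HTTP/1.1" 200 3810 "-" "Mozilla/4.0"
203.0.113.20 - - [27/Nov/2016:15:08:09 -0500] "POST /user/login HTTP/1.1" 200 3810 "-" "Mozilla/4.0"
203.0.113.23 - - [27/Nov/2016:15:09:12 -0500] "POST /user/login HTTP/1.1" 503 412 "-" "Mozilla/4.0"
203.0.113.24 - - [27/Nov/2016:15:09:13 -0500] "POST /user/login HTTP/1.1" 503 412 "-" "Mozilla/4.0"
203.0.113.25 - - [27/Nov/2016:15:09:14 -0500] "POST /user/login HTTP/1.1" 503 412 "-" "Mozilla/4.0"
"""

# Apache "combined" format: ip ident user [ts] "method path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)')

LOGIN_PATH = "/user/login"  # assumed Drupal login path


def parse_line(line):
    """Parse one combined-format line into a dict; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def login_posts(lines, path=LOGIN_PATH):
    """Yield parsed records for POST requests to the login path only."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == path:
            yield rec


def login_attempts_per_minute(lines, path=LOGIN_PATH):
    """Map 'YYYY-mm-dd HH:MM' -> (request count, set of source IPs)."""
    buckets = defaultdict(lambda: [0, set()])
    for rec in login_posts(lines, path):
        key = rec["ts"].strftime("%Y-%m-%d %H:%M")
        buckets[key][0] += 1
        buckets[key][1].add(rec["ip"])
    return {k: (n, ips) for k, (n, ips) in buckets.items()}


def attack_start(lines, min_requests=3, min_ips=3, path=LOGIN_PATH):
    """First minute with at least `min_requests` login POSTs from at least
    `min_ips` distinct addresses; None if the log never crosses the threshold.
    Requiring several distinct sources keeps one clumsy admin from tripping it."""
    buckets = login_attempts_per_minute(lines, path)
    for minute in sorted(buckets):
        n, ips = buckets[minute]
        if n >= min_requests and len(ips) >= min_ips:
            return minute
    return None


def top_sources(lines, limit=5, path=LOGIN_PATH):
    """Busiest source IPs for login POSTs, as (ip, count) pairs."""
    counts = Counter(rec["ip"] for rec in login_posts(lines, path))
    return counts.most_common(limit)
```

On a real server the log is gzip-rotated and in UTC or the server's local zone, so normalise the timezone before comparing with watchdog timestamps; the 503s in the last bucket are the shape you would expect once the database has already fallen over.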
