http://kestrel3.netflight.com/2010.10.04-NANOG50-morning-notes.txt " Whois traffic has been going through the roof; they added more proxies in front to support it. Apparently, there's IP management packages that do whois queries. It would be good to find out who is doing it, and talk to ARIN engineering, to find a better way of handling it. We can't keep up if so many machines on the internet keep doing it like this. Source addresses are all over, they're all over, not sign of bots; could be a DLL or mac system startup that's doing it. Please, don't embed whois lookups in everyone's computers like this!! " The only thing I know of is that packages like fail2ban that perform WHOIS lookups when blocking IPs to generate abuse POC notification emails. So more SSH bruteforce attacks = more whois lookups. Nathan
For those who might care, I've put version 1.0 of my notes from the morning session up at http://kestrel3.netflight.com/2010.10.04-NANOG50-morning-notes.txt