Re: [gnso-ff-pdp-may08] Jump start on answering GNSO questions regarding fast flux

[Eric Brunner-Williams <ebw@xxxxxxxxxxxxxxxxxxxx>]

Joe,

Speaking for myself I'm happy with dig scripts, plus any perl|awk|sort 
processing needed to make any particular point for any particular 
observed dataset in the wild. The whois data should be junk and tending 
to freeformat (a side effect of the thin registry model), though someone 
may want to look through it anyway for patterns.
Eric

Joe St Sauver wrote:
> Greg mentioned...
>
> #To answer the questions in the charter we may therefore have to ask and
> #research some questions such as:  
> #* How widely is fast-flux hosting used?  How many sites are hosted using FF?
> Is there interest in receiving a feed of fast-flux hosted FQDNs? What sort
> of format would work for folks? For example, how about something like dig
> output?
>
> dependablequality[dot]com.  120     IN      A       79.119.143.30
> dependablequality[dot]com.  120     IN      A       85.29.194.24
> dependablequality[dot]com.  120     IN      A       85.179.115.73
> dependablequality[dot]com.  120     IN      A       87.228.106.7
> dependablequality[dot]com.  120     IN      A       88.134.190.175
> dependablequality[dot]com.  120     IN      A       88.134.236.222
> dependablequality[dot]com.  120     IN      A       89.173.18.71
> dependablequality[dot]com.  120     IN      A       89.173.87.34
> dependablequality[dot]com.  120     IN      A       91.127.1.68
> dependablequality[dot]com.  120     IN      A       91.201.48.98
> dependablequality[dot]com.  120     IN      A       24.35.75.248
> dependablequality[dot]com.  120     IN      A       59.112.239.18
> dependablequality[dot]com.  120     IN      A       61.15.232.198
> dependablequality[dot]com.  120     IN      A       61.18.221.154
> dependablequality[dot]com.  120     IN      A       61.224.140.184
> dependablequality[dot]com.  120     IN      A       62.178.232.75
> dependablequality[dot]com.  120     IN      A       78.48.71.159
> dependablequality[dot]com.  120     IN      A       78.102.113.236
> dependablequality[dot]com.  120     IN      A       78.102.210.159
> dependablequality[dot]com.  120     IN      A       78.159.38.201
>
> dependablehigh[dot]com.     120     IN      A       78.102.113.236
> dependablehigh[dot]com.     120     IN      A       78.159.38.201
> dependablehigh[dot]com.     120     IN      A       79.119.143.30
> dependablehigh[dot]com.     120     IN      A       85.179.115.73
> dependablehigh[dot]com.     120     IN      A       87.228.106.7
> dependablehigh[dot]com.     120     IN      A       88.134.190.175
> dependablehigh[dot]com.     120     IN      A       88.134.236.222
> dependablehigh[dot]com.     120     IN      A       89.41.109.23
> dependablehigh[dot]com.     120     IN      A       89.173.18.71
> dependablehigh[dot]com.     120     IN      A       89.173.87.34
> dependablehigh[dot]com.     120     IN      A       91.89.144.26
> dependablehigh[dot]com.     120     IN      A       92.227.34.52
> dependablehigh[dot]com.     120     IN      A       220.74.144.187
> dependablehigh[dot]com.     120     IN      A       24.35.75.248
> dependablehigh[dot]com.     120     IN      A       59.112.239.18
> dependablehigh[dot]com.     120     IN      A       61.15.170.57
> dependablehigh[dot]com.     120     IN      A       61.18.129.109
> dependablehigh[dot]com.     120     IN      A       61.18.221.154
> dependablehigh[dot]com.     120     IN      A       61.224.140.184
> dependablehigh[dot]com.     120     IN      A       62.178.232.75
> [etc]
>
> (dots rendered as [dot] to avoid triggering URI-based spam filtering that
> some of you may use) Those IP's will naturallty change over time, but you
> can look at the current ones to get a pretty good sense that this is not
> a legitimately hosted domain. 
>
> Or do folks not care about individual dotted quads, just wanting a list
> of FQDNs? I assume that folks are also aware of the possibility of following 
> the name servers used for this sort of thing to identify clusters of related
> domains, right? For example, I can send you a sample of 1000 domains 
> currently using ns0.wkakekod[dot]com, all of which I believe to be FF
> (and that's only a fraction of what's associated with just that single name
> server). That might be somewhat awkward to share by email, however. 
>
> Also, any interest in the bogus whois data that often accompanies these? 
> E.G.,
> [whois.paycenter[dot]com.cn]
> Domain Name:dependablequality[dot]com
>
> Registrant: 
> AS JLIJ
>         SD JLI
>         789607
>
> Administrative Contact: 
> AD JLIJ
>         AS JLIJ
>         SD JLI
>         A JLI  789607
>         Costa Rica
>         tel: 0987 9807 8907 9807
>         fax: 8907 8907 897 978
>         890asd@xxxxxx
>
> Technical Contact: 
> AD JLIJ
>         AS JLIJ
>         SD JLI
>         A JLI  789607
>         Costa Rica
>         tel: 0987 9807 8907 9807
>         fax: 8907 8907 897 978
>         890asd@xxxxxx
>
> Billing Contact: 
> AD JLIJ
>         AS JLIJ
>         SD JLI
>         A JLI  789607
>         Costa Rica
>         tel: 0987 9807 8907 9807
>         fax: 8907 8907 897 978
>         890asd@xxxxxx
>
>  Registration Date: 2007-11-28
>        Update Date: 2008-02-18
>    Expiration Date: 2008-11-28
>
>     Primary DNS:  ns0.wkakekod[dot]com              217.78.189.54
>   Secondary DNS:  ns0.cnogaira[dot]com              77.41.80.55
>
> #* What kinds of activities are occurring on those sites?
>
> pillz, in the case of the examples shown... however one will also see
> virtually all other types of spamvertised content (warez, watchez and
> other replicaz, malware, you name it).
>
> Regards,
>
> Joe St Sauver (joe@xxxxxxxxxxxxxxxxxx)
> http://www.uoregon.edu/~joe/
>
> Disclaimer: all opinions strictly my own
>
>
>