[gnso-ff-pdp-may08] case study: fluxing domains used for unusual purpose
- To: <gnso-ff-pdp-May08@xxxxxxxxx>
- Subject: [gnso-ff-pdp-may08] case study: fluxing domains used for unusual purpose
- From: "Greg Aaron" <gaaron@xxxxxxxxxxxx>
- Date: Sun, 3 Aug 2008 21:38:13 -0400
Dear group:
Here is an interesting case. It is a service that uses fast-flux methods --
but apparently not for the purposes we usually see. This example touches
upon several issues the WG has been discussing, including:
* Is it easy to establish malicious or criminal intent? What issues are
faced by those who must evaluate cases, and intervenors?
* What are people out on the Internet using fast-flux for?
* Who could be impacted or harmed by any solutions or counter-measures? Is
there any impact upon the existence or creation of new and/or legitimate
services on the Internet?
Initially I shared this case with a small group consisting of Chairman Mike,
Dave P., Eric B-W., Steve C., and Randy V., for two reasons:
1. They have some relevant experience and expertise, so I thought they
could help examine what was going on.
2. I wanted to research the registrant before discussing its identity
in a public fashion.
I'm going to try and state just the facts, and invite the five to correct
anything I am missing or get wrong.
The registrant is an entity called Domain UltraReach. Domain UltraReach
offers a proxy service called UltraSurf, which it says is designed to allow
Web users to circumvent Internet censorship by the Chinese government:
http://www.ultrareach.com/company/aboutus.htm
These articles mention details:
Forbes: http://www.forbes.com/forbes/2006/0227/090.html
PBS: http://www.pbs.org/newshour/bb/asia/jan-june06/china_4-18.html
In May, an UltraReach representative testified before the U.S. Senate
Committee on the Judiciary, Subcommittee on Human Rights and the Law:
http://judiciary.senate.gov/testimony.cfm?id=3369&wit_id=7187
I think the testimony is notable because it shows the organization chose to
step into the public spotlight.
I cannot attest to the stated motives or truthfulness of UltraReach.
Issues of censorship, free speech, national laws, etc. present themselves; I
merely reference the info above and will let others discuss, research, and
draw their own conclusions. I will stick to what is going on technically:
UltraSurf's domain names run on the fast-flux technique -- the technical
practice of using the DNS to rapidly rotate the hosting of the domain.
Attached is representative query data.
People use various indicators or "flags" to decide whether a fluxing domain
is being used for bad purposes or not. UltraReach's indicators are mixed.
UltraReach does these, which score it on the "negative" side:
* Uses very short TTLs
* Uses IPs on a large number of geographically diverse ASNs
* Some of those are in consumer broadband ranges. (For example,
Comcast and RoadRunner have shown up in query results. However, use of
consumer ranges is less frequent than with usual bad fluxing domains.)
On the other hand, UltraReach does these, which could indicate it as benign:
* The WHOIS data appears to be complete and accurate.
* Usually returns three A records per nameserver, which is on the low
side. (Joe S., this will score the domains low using Mannheim's equation.)
We do not know exactly how the UltraReach software works. We do not know if
the hosts are compromised. On one hand, the client software has been out
there for several years, distributed in a public fashion. On the other
hand, one of the guys found that an anti-virus vendor flags it as malware,
and we do not know why the vendor does so. We have not seen user
documentation, and therefore we do not know if there is adequate disclosure
of exactly what the software does to a user's computer.
I would like to hear if anyone out there has additional edge cases.
All best,
--Greg
**********************************
Greg Aaron
Director, Key Account Management and Domain Security
Afilias
vox: +1.215.706.5700 x104
fax: 1.215.706.5701
gaaron@xxxxxxxxxxxx
**********************************
Domain  Query started  Name server  Result  AS
AVONMPRODUCTS.INFO  2008-06-03 20:26  ns1.AVONMPRODUCTS.INFO  204.0.5.32  NTT-COMMUNICATIONS-2914 - NTT America, Inc.
AVONMPRODUCTS.INFO  2008-06-03 20:26  ns1.AVONMPRODUCTS.INFO  204.252.142.121  UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
AVONMPRODUCTS.INFO  2008-06-03 20:26  ns1.AVONMPRODUCTS.INFO  204.223.32.233  PENS-NET-AS - Navy Network Information Center (NNIC)
AVONMPRODUCTS.INFO  2008-06-03 20:26  ns2.AVONMPRODUCTS.INFO  64.151.115.197  SERVEPATH - ServePath, LLC
AVONMPRODUCTS.INFO  2008-06-03 20:26  ns2.AVONMPRODUCTS.INFO  64.196.254.49  MCLEOD - McLeod, Inc.
AVONMPRODUCTS.INFO  2008-06-03 20:26  ns2.AVONMPRODUCTS.INFO  64.4.109.127  NTELOSINC - Ntelos Inc.
AVONMPRODUCTS.INFO  2008-06-03 18:51  ns1.AVONMPRODUCTS.INFO  221.192.149.102  CHINA169-BACKBONE CNCGROUP China169 Backbone
AVONMPRODUCTS.INFO  2008-06-03 18:51  ns1.AVONMPRODUCTS.INFO  221.234.155.122  CHINANET-BACKBONE No.31,Jin-rong Street
AVONMPRODUCTS.INFO  2008-06-03 18:51  ns1.AVONMPRODUCTS.INFO  221.141.216.67  HANARO-AS Hanaro Telecom Inc.
AVONMPRODUCTS.INFO  2008-06-03 18:51  ns2.AVONMPRODUCTS.INFO  194.67.57.226  SOVAM-AS Golden Telecom, Moscow, Russia
AVONMPRODUCTS.INFO  2008-06-03 18:51  ns2.AVONMPRODUCTS.INFO  194.13.52.50
AVONMPRODUCTS.INFO  2008-06-03 18:51  ns2.AVONMPRODUCTS.INFO  194.121.16.127  KPN KPN Internet Backbone AS
AVONMPRODUCTS.INFO  2008-06-03 17:17  ns1.AVONMPRODUCTS.INFO  212.129.63.31  SKYROCK Skyrock content delivery network
AVONMPRODUCTS.INFO  2008-06-03 17:17  ns1.AVONMPRODUCTS.INFO  212.105.133.231  Euronext
AVONMPRODUCTS.INFO  2008-06-03 17:17  ns1.AVONMPRODUCTS.INFO  212.230.244.4  AS15704 Xtratelecom Spain AS
AVONMPRODUCTS.INFO  2008-06-03 17:17  ns2.AVONMPRODUCTS.INFO  219.239.94.45  DXTNET Beijing Dian-Xin-Tong Network Technologies Co., Ltd.
AVONMPRODUCTS.INFO  2008-06-03 17:17  ns2.AVONMPRODUCTS.INFO  219.10.51.50  GIGAINFRA BB TECHNOLOGY Corp.
AVONMPRODUCTS.INFO  2008-06-03 17:17  ns2.AVONMPRODUCTS.INFO  219.98.11.127  SO-NET So-net Entertainment Corporation
AVONMPRODUCTS.INFO  2008-06-03 09:41  ns1.AVONMPRODUCTS.INFO  79.170.89.4  XL-AS XL Network
AVONMPRODUCTS.INFO  2008-06-03 09:41  ns1.AVONMPRODUCTS.INFO  79.44.193.230
AVONMPRODUCTS.INFO  2008-06-03 09:41  ns1.AVONMPRODUCTS.INFO  79.219.201.4  DTAG Deutsche Telekom AG
AVONMPRODUCTS.INFO  2008-06-03 09:41  ns2.AVONMPRODUCTS.INFO  212.27.48.10  PROXAD AS for Proxad/Free ISP
AVONMPRODUCTS.INFO  2008-06-03 09:41  ns2.AVONMPRODUCTS.INFO  212.222.48.229  INTEROUTE Interoute Communications Ltd
AVONMPRODUCTS.INFO  2008-06-03 09:41  ns2.AVONMPRODUCTS.INFO  212.123.105.4  IP-EXCHANGE IP Exchange GmbH
AVONMPRODUCTS.INFO  2008-06-03 07:13  ns1.AVONMPRODUCTS.INFO  209.17.70.11  PHOTOBUCKET - PHOTOBUCKET.COM, INC.
AVONMPRODUCTS.INFO  2008-06-03 07:13  ns1.AVONMPRODUCTS.INFO  209.71.142.194  VOICENET - Voicenet
AVONMPRODUCTS.INFO  2008-06-03 07:13  ns1.AVONMPRODUCTS.INFO  209.66.40.124  JERSEY - InterActive Network Services
AVONMPRODUCTS.INFO  2008-06-03 07:13  ns2.AVONMPRODUCTS.INFO  65.214.39.56  WAN - Worldcom Advance Networks
AVONMPRODUCTS.INFO  2008-06-03 07:13  ns2.AVONMPRODUCTS.INFO  65.88.255.172  LVLT-8043 - Level 3 Communications, Inc.
AVONMPRODUCTS.INFO  2008-06-03 07:13  ns2.AVONMPRODUCTS.INFO  65.77.20.79  ETHERN - Global Communications INTERNETworking Corp.
AVONMPRODUCTS.INFO  2008-06-03 04:46  ns1.AVONMPRODUCTS.INFO  38.99.77.80  EZRI-36323 - Ezri Inc
AVONMPRODUCTS.INFO  2008-06-03 04:46  ns1.AVONMPRODUCTS.INFO  38.180.8.183  COGENT Cogent/PSI
AVONMPRODUCTS.INFO  2008-06-03 04:46  ns1.AVONMPRODUCTS.INFO  38.172.214.108  COGENT Cogent/PSI
AVONMPRODUCTS.INFO  2008-06-03 04:46  ns2.AVONMPRODUCTS.INFO  198.172.81.21  NTT-COMMUNICATIONS-2914 - NTT America, Inc.
AVONMPRODUCTS.INFO  2008-06-03 04:46  ns2.AVONMPRODUCTS.INFO  198.85.245.171  NCREN - MCNC
AVONMPRODUCTS.INFO  2008-06-03 04:46  ns2.AVONMPRODUCTS.INFO  198.94.171.227  LEVEL3 Level 3 Communications
AVONMPRODUCTS.INFO  2008-06-03 02:26  ns1.AVONMPRODUCTS.INFO  193.33.59.200  GRONO-AS grono.net
AVONMPRODUCTS.INFO  2008-06-03 02:26  ns1.AVONMPRODUCTS.INFO  193.6.168.165  HBONE-AS HUNGARNET
AVONMPRODUCTS.INFO  2008-06-03 02:26  ns1.AVONMPRODUCTS.INFO  193.248.13.227  AS3215 France Telecom - Orange
AVONMPRODUCTS.INFO  2008-06-03 02:26  ns2.AVONMPRODUCTS.INFO  63.99.250.195  WAN - Worldcom Advance Networks
AVONMPRODUCTS.INFO  2008-06-03 02:26  ns2.AVONMPRODUCTS.INFO  63.88.39.116  UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
AVONMPRODUCTS.INFO  2008-06-03 02:26  ns2.AVONMPRODUCTS.INFO  63.11.31.2  UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
AVONMPRODUCTS.INFO  2008-06-03 00:11  ns1.AVONMPRODUCTS.INFO  85.17.132.149  LEASEWEB LEASEWEB AS
AVONMPRODUCTS.INFO  2008-06-03 00:11  ns1.AVONMPRODUCTS.INFO  85.187.85.229  B-NET BiConsult Eood
AVONMPRODUCTS.INFO  2008-06-03 00:11  ns1.AVONMPRODUCTS.INFO  85.237.255.4  ORANGE SLOVENSKO Autonomous system
AVONMPRODUCTS.INFO  2008-06-03 00:11  ns2.AVONMPRODUCTS.INFO  15.201.49.22  HP-DIGITAL-10782 - Hewlett-Packard Company
AVONMPRODUCTS.INFO  2008-06-03 00:11  ns2.AVONMPRODUCTS.INFO  15.200.102.165  TELSTRA-AS-AP Telstra International HK Limited
AVONMPRODUCTS.INFO  2008-06-03 00:11  ns2.AVONMPRODUCTS.INFO  15.54.195.227  HP-INTERNET-AS Hewlett-Packard Company
AVONMPRODUCTS.INFO  2008-06-02 21:59  ns1.AVONMPRODUCTS.INFO  201.7.178.45  TV GLOBO LTDA
AVONMPRODUCTS.INFO  2008-06-02 21:59  ns1.AVONMPRODUCTS.INFO  201.213.120.166  Prima S.A.
AVONMPRODUCTS.INFO  2008-06-02 21:59  ns1.AVONMPRODUCTS.INFO  201.48.105.79  Companhia de Telecomunicacoes do Brasil Central
AVONMPRODUCTS.INFO  2008-06-02 21:59  ns2.AVONMPRODUCTS.INFO  66.70.92.80  DATAPIPE - DataPipe
AVONMPRODUCTS.INFO  2008-06-02 21:59  ns2.AVONMPRODUCTS.INFO  66.246.26.231  NET-ACCESS-CORP - Net Access Corporation
AVONMPRODUCTS.INFO  2008-06-02 21:59  ns2.AVONMPRODUCTS.INFO  66.125.111.4  SBIS-AS - AT&T Internet Services
AVONMPRODUCTS.INFO  2008-06-02 19:47  ns1.AVONMPRODUCTS.INFO  199.89.199.26  MATTEL - Mattel, Inc.
AVONMPRODUCTS.INFO  2008-06-02 19:47  ns1.AVONMPRODUCTS.INFO  199.217.173.127  NTT-COMMUNICATIONS-2914 - NTT America, Inc.
AVONMPRODUCTS.INFO  2008-06-02 19:47  ns1.AVONMPRODUCTS.INFO  199.7.82.67
AVONMPRODUCTS.INFO  2008-06-02 19:47  ns2.AVONMPRODUCTS.INFO  212.48.10.150  MATRIX-AS Matrix S.p.A.
AVONMPRODUCTS.INFO  2008-06-02 19:47  ns2.AVONMPRODUCTS.INFO  212.121.2.112  JANET The JANET IP Service
AVONMPRODUCTS.INFO  2008-06-02 19:47  ns2.AVONMPRODUCTS.INFO  212.23.66.67  Ural Relcom Ltd.
AVONMPRODUCTS.INFO  2008-06-02 17:48  ns1.AVONMPRODUCTS.INFO  66.135.200.146  EBAY - eBay, Inc
AVONMPRODUCTS.INFO  2008-06-02 17:48  ns1.AVONMPRODUCTS.INFO  66.70.35.110  DATAPIPE - DataPipe
AVONMPRODUCTS.INFO  2008-06-02 17:48  ns1.AVONMPRODUCTS.INFO  66.228.240.2  PRMTC - Park Region Mutual Telephone Co
AVONMPRODUCTS.INFO  2008-06-02 17:48  ns2.AVONMPRODUCTS.INFO  60.12.228.40  CHINA169-BACKBONE CNCGROUP China169 Backbone
AVONMPRODUCTS.INFO  2008-06-02 17:48  ns2.AVONMPRODUCTS.INFO  60.148.167.56  GIGAINFRA BB TECHNOLOGY Corp.
AVONMPRODUCTS.INFO  2008-06-02 17:48  ns2.AVONMPRODUCTS.INFO  60.101.119.4  GIGAINFRA BB TECHNOLOGY Corp.