ICANN Email List Archives

[gnso-ff-pdp-may08]



[gnso-ff-pdp-may08] case study: fluxing domains used for unusual purpose

  • To: <gnso-ff-pdp-May08@xxxxxxxxx>
  • Subject: [gnso-ff-pdp-may08] case study: fluxing domains used for unusual purpose
  • From: "Greg Aaron" <gaaron@xxxxxxxxxxxx>
  • Date: Sun, 3 Aug 2008 21:38:13 -0400

Dear group:

 

Here is an interesting case.  It is a service that uses fast-flux methods --
but apparently not for the purposes we usually see.  This example touches
upon several issues the WG has been discussing, including:

* Is it easy to establish malicious or criminal intent?  What issues are
faced by those who must evaluate cases, and intervenors?

* What are people out on the Internet using fast-flux for?  

* Who could be impacted or harmed by any solutions or counter-measures?  Is
there any impact upon the existence or creation of new and/or legitimate
services on the Internet?

 

Initially I shared this case with a small group consisting of Chairman Mike,
Dave P., Eric B-W., Steve C., and Randy V., for two reasons:

1.      They have some relevant experience and expertise, so I thought they
could help examine what was going on.
2.      I wanted to research the registrant before discussing its identity
in a public fashion.

I'm going to try and state just the facts, and invite the five to correct
anything I am missing or get wrong.

 

The registrant is an entity called Domain UltraReach.  Domain UltraReach
offers a proxy service called UltraSurf, which it says is designed to allow
Web users to circumvent Internet censorship by the Chinese government:
http://www.ultrareach.com/company/aboutus.htm  

These articles mention details:

Forbes: http://www.forbes.com/forbes/2006/0227/090.html

PBS: http://www.pbs.org/newshour/bb/asia/jan-june06/china_4-18.html

In May, an UltraReach representative testified before the U.S. Senate
Committee on the Judiciary, Subcommittee on Human Rights and the Law:

http://judiciary.senate.gov/testimony.cfm?id=3369&wit_id=7187


I think the testimony is notable because it shows the organization chose to
step into the public spotlight.

 

I cannot attest to the stated motives or truthfulness of UltraReach.
Issues of censorship, free speech, national laws, etc. present themselves; I
merely reference the info above and will let others discuss, research, and
draw their own conclusions.  I will stick to what is going on technically:

 

UltraSurf's domain names run on the fast-flux technique -- the technical
practice of using the DNS to rapidly rotate the hosting of the domain.
Attached is representative query data.  

 

People use various indicators or "flags" to decide whether a fluxing domain
is being used for bad purposes or not.  UltraReach's indicators are mixed.
UltraReach does these, which score it on the "negative" side:

*       Uses very short TTLs
*       Uses IPs on a large number of geographically diverse ASNs
*       Some of those are in consumer broadband ranges.  (For example,
Comcast and RoadRunner have shown up in query results.  However, use of
consumer ranges is less frequent than with usual bad fluxing domains.)

On the other hand, UltraReach does these, which could indicate it as benign:


*       The WHOIS data appears to be complete and accurate.
*       Usually returns three A records per nameserver, which is on the low
side.  (Joe S., this will score the domains low using Mannheim's equation.)

 

We do not know exactly how the UltraReach software works.  We do not know if
the hosts are compromised.  On one hand, the client software has been out
there for several years, distributed in a public fashion.  On the other
hand, one of the guys found that an anti-virus vendor flags it as malware,
and we do not know why the vendor does so.  We have not seen user
documentation, and therefore we do not know if there is adequate disclosure
of exactly what the software does to a user's computer.  

 

I would like to hear if anyone out there has additional edge cases.  

 

All best,

--Greg

**********************************

Greg Aaron

Director, Key Account Management and Domain Security

Afilias

vox: +1.215.706.5700 x104

fax: 1.215.706.5701

gaaron@xxxxxxxxxxxx 

**********************************

The information contained in this message may be privileged and confidential
and protected from disclosure. If the reader of this message is not the
intended recipient, or an employee or agent responsible for delivering this
message to the intended recipient, you are hereby notified that any
dissemination, distribution or copying of this communication is strictly
prohibited. If you have received this communication in error, please notify
us immediately by replying to the message and deleting it from your
computer.

Domain              Query started     Name server             Result           AS
AVONMPRODUCTS.INFO  2008-06-03 20:26  ns1.AVONMPRODUCTS.INFO  204.0.5.32       NTT-COMMUNICATIONS-2914 - NTT America, Inc.
AVONMPRODUCTS.INFO  2008-06-03 20:26  ns1.AVONMPRODUCTS.INFO  204.252.142.121  UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
AVONMPRODUCTS.INFO  2008-06-03 20:26  ns1.AVONMPRODUCTS.INFO  204.223.32.233   PENS-NET-AS - Navy Network Information Center (NNIC)
AVONMPRODUCTS.INFO  2008-06-03 20:26  ns2.AVONMPRODUCTS.INFO  64.151.115.197   SERVEPATH - ServePath, LLC
AVONMPRODUCTS.INFO  2008-06-03 20:26  ns2.AVONMPRODUCTS.INFO  64.196.254.49    MCLEOD - McLeod, Inc.
AVONMPRODUCTS.INFO  2008-06-03 20:26  ns2.AVONMPRODUCTS.INFO  64.4.109.127     NTELOSINC - Ntelos Inc.
AVONMPRODUCTS.INFO  2008-06-03 18:51  ns1.AVONMPRODUCTS.INFO  221.192.149.102  CHINA169-BACKBONE CNCGROUP China169 Backbone
AVONMPRODUCTS.INFO  2008-06-03 18:51  ns1.AVONMPRODUCTS.INFO  221.234.155.122  CHINANET-BACKBONE No.31,Jin-rong Street
AVONMPRODUCTS.INFO  2008-06-03 18:51  ns1.AVONMPRODUCTS.INFO  221.141.216.67   HANARO-AS Hanaro Telecom Inc.
AVONMPRODUCTS.INFO  2008-06-03 18:51  ns2.AVONMPRODUCTS.INFO  194.67.57.226    SOVAM-AS Golden Telecom, Moscow, Russia
AVONMPRODUCTS.INFO  2008-06-03 18:51  ns2.AVONMPRODUCTS.INFO  194.13.52.50
AVONMPRODUCTS.INFO  2008-06-03 18:51  ns2.AVONMPRODUCTS.INFO  194.121.16.127   KPN KPN Internet Backbone AS
AVONMPRODUCTS.INFO  2008-06-03 17:17  ns1.AVONMPRODUCTS.INFO  212.129.63.31    SKYROCK Skyrock content delivery network
AVONMPRODUCTS.INFO  2008-06-03 17:17  ns1.AVONMPRODUCTS.INFO  212.105.133.231  Euronext
AVONMPRODUCTS.INFO  2008-06-03 17:17  ns1.AVONMPRODUCTS.INFO  212.230.244.4    AS15704 Xtratelecom Spain AS
AVONMPRODUCTS.INFO  2008-06-03 17:17  ns2.AVONMPRODUCTS.INFO  219.239.94.45    DXTNET Beijing Dian-Xin-Tong Network Technologies Co., Ltd.
AVONMPRODUCTS.INFO  2008-06-03 17:17  ns2.AVONMPRODUCTS.INFO  219.10.51.50     GIGAINFRA BB TECHNOLOGY Corp.
AVONMPRODUCTS.INFO  2008-06-03 17:17  ns2.AVONMPRODUCTS.INFO  219.98.11.127    SO-NET So-net Entertainment Corporation
AVONMPRODUCTS.INFO  2008-06-03 09:41  ns1.AVONMPRODUCTS.INFO  79.170.89.4      XL-AS XL Network
AVONMPRODUCTS.INFO  2008-06-03 09:41  ns1.AVONMPRODUCTS.INFO  79.44.193.230
AVONMPRODUCTS.INFO  2008-06-03 09:41  ns1.AVONMPRODUCTS.INFO  79.219.201.4     DTAG Deutsche Telekom AG
AVONMPRODUCTS.INFO  2008-06-03 09:41  ns2.AVONMPRODUCTS.INFO  212.27.48.10     PROXAD AS for Proxad/Free ISP
AVONMPRODUCTS.INFO  2008-06-03 09:41  ns2.AVONMPRODUCTS.INFO  212.222.48.229   INTEROUTE Interoute Communications Ltd
AVONMPRODUCTS.INFO  2008-06-03 09:41  ns2.AVONMPRODUCTS.INFO  212.123.105.4    IP-EXCHANGE IP Exchange GmbH
AVONMPRODUCTS.INFO  2008-06-03 07:13  ns1.AVONMPRODUCTS.INFO  209.17.70.11     PHOTOBUCKET - PHOTOBUCKET.COM, INC.
AVONMPRODUCTS.INFO  2008-06-03 07:13  ns1.AVONMPRODUCTS.INFO  209.71.142.194   VOICENET - Voicenet
AVONMPRODUCTS.INFO  2008-06-03 07:13  ns1.AVONMPRODUCTS.INFO  209.66.40.124    JERSEY - InterActive Network Services
AVONMPRODUCTS.INFO  2008-06-03 07:13  ns2.AVONMPRODUCTS.INFO  65.214.39.56     WAN - Worldcom Advance Networks
AVONMPRODUCTS.INFO  2008-06-03 07:13  ns2.AVONMPRODUCTS.INFO  65.88.255.172    LVLT-8043 - Level 3 Communications, Inc.
AVONMPRODUCTS.INFO  2008-06-03 07:13  ns2.AVONMPRODUCTS.INFO  65.77.20.79      ETHERN - Global Communications INTERNETworking Corp.
AVONMPRODUCTS.INFO  2008-06-03 04:46  ns1.AVONMPRODUCTS.INFO  38.99.77.80      EZRI-36323 - Ezri Inc
AVONMPRODUCTS.INFO  2008-06-03 04:46  ns1.AVONMPRODUCTS.INFO  38.180.8.183     COGENT Cogent/PSI
AVONMPRODUCTS.INFO  2008-06-03 04:46  ns1.AVONMPRODUCTS.INFO  38.172.214.108   COGENT Cogent/PSI
AVONMPRODUCTS.INFO  2008-06-03 04:46  ns2.AVONMPRODUCTS.INFO  198.172.81.21    NTT-COMMUNICATIONS-2914 - NTT America, Inc.
AVONMPRODUCTS.INFO  2008-06-03 04:46  ns2.AVONMPRODUCTS.INFO  198.85.245.171   NCREN - MCNC
AVONMPRODUCTS.INFO  2008-06-03 04:46  ns2.AVONMPRODUCTS.INFO  198.94.171.227   LEVEL3 Level 3 Communications
AVONMPRODUCTS.INFO  2008-06-03 02:26  ns1.AVONMPRODUCTS.INFO  193.33.59.200    GRONO-AS grono.net
AVONMPRODUCTS.INFO  2008-06-03 02:26  ns1.AVONMPRODUCTS.INFO  193.6.168.165    HBONE-AS HUNGARNET
AVONMPRODUCTS.INFO  2008-06-03 02:26  ns1.AVONMPRODUCTS.INFO  193.248.13.227   AS3215 France Telecom - Orange
AVONMPRODUCTS.INFO  2008-06-03 02:26  ns2.AVONMPRODUCTS.INFO  63.99.250.195    WAN - Worldcom Advance Networks
AVONMPRODUCTS.INFO  2008-06-03 02:26  ns2.AVONMPRODUCTS.INFO  63.88.39.116     UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
AVONMPRODUCTS.INFO  2008-06-03 02:26  ns2.AVONMPRODUCTS.INFO  63.11.31.2       UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
AVONMPRODUCTS.INFO  2008-06-03 00:11  ns1.AVONMPRODUCTS.INFO  85.17.132.149    LEASEWEB LEASEWEB AS
AVONMPRODUCTS.INFO  2008-06-03 00:11  ns1.AVONMPRODUCTS.INFO  85.187.85.229    B-NET BiConsult Eood
AVONMPRODUCTS.INFO  2008-06-03 00:11  ns1.AVONMPRODUCTS.INFO  85.237.255.4     ORANGE SLOVENSKO Autonomous system
AVONMPRODUCTS.INFO  2008-06-03 00:11  ns2.AVONMPRODUCTS.INFO  15.201.49.22     HP-DIGITAL-10782 - Hewlett-Packard Company
AVONMPRODUCTS.INFO  2008-06-03 00:11  ns2.AVONMPRODUCTS.INFO  15.200.102.165   TELSTRA-AS-AP Telstra International HK Limited
AVONMPRODUCTS.INFO  2008-06-03 00:11  ns2.AVONMPRODUCTS.INFO  15.54.195.227    HP-INTERNET-AS Hewlett-Packard Company
AVONMPRODUCTS.INFO  2008-06-02 21:59  ns1.AVONMPRODUCTS.INFO  201.7.178.45     TV GLOBO LTDA
AVONMPRODUCTS.INFO  2008-06-02 21:59  ns1.AVONMPRODUCTS.INFO  201.213.120.166  Prima S.A.
AVONMPRODUCTS.INFO  2008-06-02 21:59  ns1.AVONMPRODUCTS.INFO  201.48.105.79    Companhia de Telecomunicacoes do Brasil Central
AVONMPRODUCTS.INFO  2008-06-02 21:59  ns2.AVONMPRODUCTS.INFO  66.70.92.80      DATAPIPE - DataPipe
AVONMPRODUCTS.INFO  2008-06-02 21:59  ns2.AVONMPRODUCTS.INFO  66.246.26.231    NET-ACCESS-CORP - Net Access Corporation
AVONMPRODUCTS.INFO  2008-06-02 21:59  ns2.AVONMPRODUCTS.INFO  66.125.111.4     SBIS-AS - AT&T Internet Services
AVONMPRODUCTS.INFO  2008-06-02 19:47  ns1.AVONMPRODUCTS.INFO  199.89.199.26    MATTEL - Mattel, Inc.
AVONMPRODUCTS.INFO  2008-06-02 19:47  ns1.AVONMPRODUCTS.INFO  199.217.173.127  NTT-COMMUNICATIONS-2914 - NTT America, Inc.
AVONMPRODUCTS.INFO  2008-06-02 19:47  ns1.AVONMPRODUCTS.INFO  199.7.82.67
AVONMPRODUCTS.INFO  2008-06-02 19:47  ns2.AVONMPRODUCTS.INFO  212.48.10.150    MATRIX-AS Matrix S.p.A.
AVONMPRODUCTS.INFO  2008-06-02 19:47  ns2.AVONMPRODUCTS.INFO  212.121.2.112    JANET The JANET IP Service
AVONMPRODUCTS.INFO  2008-06-02 19:47  ns2.AVONMPRODUCTS.INFO  212.23.66.67     Ural Relcom Ltd.
AVONMPRODUCTS.INFO  2008-06-02 17:48  ns1.AVONMPRODUCTS.INFO  66.135.200.146   EBAY - eBay, Inc
AVONMPRODUCTS.INFO  2008-06-02 17:48  ns1.AVONMPRODUCTS.INFO  66.70.35.110     DATAPIPE - DataPipe
AVONMPRODUCTS.INFO  2008-06-02 17:48  ns1.AVONMPRODUCTS.INFO  66.228.240.2     PRMTC - Park Region Mutual Telephone Co
AVONMPRODUCTS.INFO  2008-06-02 17:48  ns2.AVONMPRODUCTS.INFO  60.12.228.40     CHINA169-BACKBONE CNCGROUP China169 Backbone
AVONMPRODUCTS.INFO  2008-06-02 17:48  ns2.AVONMPRODUCTS.INFO  60.148.167.56    GIGAINFRA BB TECHNOLOGY Corp.
AVONMPRODUCTS.INFO  2008-06-02 17:48  ns2.AVONMPRODUCTS.INFO  60.101.119.4     GIGAINFRA BB TECHNOLOGY Corp.