ICANN Email List Archives

[gnso-ff-pdp-may08]


RE: [gnso-ff-pdp-may08] case study: fluxing domains used for unusual purpose

  • To: gaaron@xxxxxxxxxxxx
  • Subject: RE: [gnso-ff-pdp-may08] case study: fluxing domains used for unusual purpose
  • From: Joe St Sauver <joe@xxxxxxxxxxxxxxxxxx>
  • Date: Tue, 5 Aug 2008 09:03:39 -0700

Greg mentioned:

#Using the Mannheim formula, this domain would be flagged as a fast-flux
#domain -- in other words, as a false-positive.  And at this point, you feel
#the hosts are not compromised.

Are we talking about youtube.ru?

If this is youtube.ru, I don't get it -- that domain resolves to just three
IPs, the three IPs are all from a single /24, and those three IPs are all
from one ASN (AS36561, Youtube):

;; QUESTION SECTION:
;youtube.ru.                    IN      A

;; ANSWER SECTION:
youtube.ru.             300     IN      A       208.65.153.251
youtube.ru.             300     IN      A       208.65.153.253
youtube.ru.             300     IN      A       208.65.153.238

(1.32*3) + 18.54 = 22.5, well below the Mannheim cutoff of 142.38, so
there's no false positive here.

Moreover, checking the BFK Passive DNS Replication server, I'm not
seeing any other dotted quads associated with that FQDN. 

The whois is also consistent with this just being Youtube:

[whois.ripn.net]
% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian) 
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain:     YOUTUBE.RU
type:       CORPORATE
nserver:    ns4.google.com.
nserver:    ns3.google.com.
nserver:    ns2.google.com.
nserver:    ns1.google.com.
state:      REGISTERED, DELEGATED
org:        Google Inc
phone:      +1 650 330 0100
fax-no:     +1 650 618 8571
e-mail:     dns-admin@xxxxxxxxxx
e-mail:     ccops@xxxxxxxxxxxxxxx
registrar:  RUCENTER-REG-RIPN
created:    2006.01.20
paid-till:  2009.01.20
source:     TC-RIPN

I'm not seeing why folks considered youtube.ru to be fast-flux (except that
some IPs associated with the sample Ultrareach example resolved into a
number of Google address blocks, but that's not enough to trigger listing
of other domain names associated with those blocks).

Regards,

Joe
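The scoring applied in the message above, as an added example that is not part of the original post or of any list tooling: the Mannheim flux score computed from dig answers (1.32 per distinct A record plus 18.54 per distinct origin ASN, flagged above 142.38, which is how the 22.5 for youtube.ru arises), with A records accumulated across repeated lookups. The three youtube.ru addresses are mapped to AS36561 as the message states; the IP-to-ASN table beyond that, the `flux.example.` domain and its 30-IP/6-ASN rotation are constructed test data.

```python
import re
from typing import Dict, Iterable, List

# Mannheim flux-score coefficients as used in the message:
# score = 1.32 * (distinct A records) + 18.54 * (distinct origin ASNs);
# a score above 142.38 flags the domain as fast-flux.
W_A, W_ASN, THRESHOLD = 1.32, 18.54, 142.38

# Constructed dig output reproducing the youtube.ru answer quoted above.
DIG_YOUTUBE_RU = """
;; ANSWER SECTION:
youtube.ru.             300     IN      A       208.65.153.251
youtube.ru.             300     IN      A       208.65.153.253
youtube.ru.             300     IN      A       208.65.153.238
"""

# Constructed IP -> origin-ASN table. The youtube.ru addresses map to AS36561
# as stated in the message; the 10.x.x.x entries and private-use ASNs
# (64512+) are invented and describe no real network.
IP_TO_ASN: Dict[str, int] = {
    "208.65.153.251": 36561,
    "208.65.153.253": 36561,
    "208.65.153.238": 36561,
}
for i in range(30):
    IP_TO_ASN[f"10.{i}.0.1"] = 64512 + i % 6

A_RECORD = re.compile(r"^\S+\s+\d+\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")

def a_records(dig_output: str) -> List[str]:
    """Extract A-record addresses from the ANSWER SECTION of dig output."""
    return [m.group(1) for line in dig_output.splitlines()
            if (m := A_RECORD.match(line.strip()))]

def mannheim_score(ips: Iterable[str], ip_to_asn: Dict[str, int]) -> float:
    """Score the distinct addresses seen over one or more lookups."""
    unique_ips = set(ips)
    asns = {ip_to_asn[ip] for ip in unique_ips}  # KeyError: unmapped IP, fail loudly
    return round(W_A * len(unique_ips) + W_ASN * len(asns), 2)

def is_fast_flux(lookups: List[str], ip_to_asn: Dict[str, int]) -> bool:
    """Accumulate A records across successive dig captures, then apply the cutoff."""
    ips = [ip for out in lookups for ip in a_records(out)]
    return mannheim_score(ips, ip_to_asn) > THRESHOLD

def constructed_flux_lookups(n_lookups: int = 6, per_lookup: int = 5) -> List[str]:
    """Invented dig captures for a domain rotating through 30 IPs in 6 ASNs."""
    return ["\n".join([";; ANSWER SECTION:"] +
                      [f"flux.example.    60    IN    A    10.{k * per_lookup + j}.0.1"
                       for j in range(per_lookup)])
            for k in range(n_lookups)]
```

Run against the youtube.ru capture the score is 22.5 (not flagged); the constructed rotation scores 150.84 and is flagged, showing that the ASN term dominates the decision.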
