RE: [gnso-ff-pdp-may08] case study: fluxing domains used for unusual purpose
- To: <joe@xxxxxxxxxxxxxxxxxx>
- Subject: RE: [gnso-ff-pdp-may08] case study: fluxing domains used for unusual purpose
- From: "Greg Aaron" <gaaron@xxxxxxxxxxxx>
- Date: Tue, 5 Aug 2008 12:53:03 -0400
J--
I was not talking about youtube.ru -- I was talking about
AVONMPRODUCTS.INFO, the original subject domain.
Yesterday you said it was "Definitely fastflux under the Mannheim equation"
after just three checks/iterations.
All best,
--Greg
-----Original Message-----
From: Joe St Sauver [mailto:joe@xxxxxxxxxxxxxxxxxx]
Sent: Tuesday, August 05, 2008 12:04 PM
To: gaaron@xxxxxxxxxxxx
Cc: gnso-ff-pdp-May08@xxxxxxxxx
Subject: RE: [gnso-ff-pdp-may08] case study: fluxing domains used for
unusual purpose
Greg mentioned:
#Using the Mannheim formula, this domain would be flagged as a fast-flux
#domain -- in other words, as a false-positive. And at this point, you feel
#the hosts are not compromised.
Are we talking about youtube.ru?
If this is youtube.ru, I don't get it -- that domain resolves to just three
IPs, the three IPs are all from a single /24, and those three IPs are all
from one ASN (AS36561, Youtube):
;; QUESTION SECTION:
;youtube.ru. IN A
;; ANSWER SECTION:
youtube.ru. 300 IN A 208.65.153.251
youtube.ru. 300 IN A 208.65.153.253
youtube.ru. 300 IN A 208.65.153.238
(1.32*3) + 18.54 = 22.5, well below the Mannheim cut off of 142.38, so
there's no false positive here.
Moreover, checking the BFK Passive DNS Replication server, I'm not
seeing any other dotted quads associated with that FQDN.
The whois is also consistent with this just being Youtube:
[whois.ripn.net]
% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).
domain: YOUTUBE.RU
type: CORPORATE
nserver: ns4.google.com.
nserver: ns3.google.com.
nserver: ns2.google.com.
nserver: ns1.google.com.
state: REGISTERED, DELEGATED
org: Google Inc
phone: +1 650 330 0100
fax-no: +1 650 618 8571
e-mail: dns-admin@xxxxxxxxxx
e-mail: ccops@xxxxxxxxxxxxxxx
registrar: RUCENTER-REG-RIPN
created: 2006.01.20
paid-till: 2009.01.20
source: TC-RIPN
I'm not seeing why folks considered youtube.ru to be fastflux (except that
some IPs associated with the sample Ultrareach example resolved into a
number of Google address blocks, but that's not enough to trigger listing
of other domain names associated with those blocks).
Regards,
Joe
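The arithmetic Joe applies above is the Mannheim flux score from Holz et al. ("Measuring and Detecting Fast-Flux Service Networks", NDSS 2008): f = 1.32 * n_A + 18.54 * n_ASN, with a domain flagged when f exceeds 142.38. The following example is added here and is not code from the thread or from either author; it parses dig-style ANSWER SECTION output, accumulates distinct A record addresses over repeated lookups (Greg's "three checks/iterations" point), and scores the union. The youtube.ru answer is the one quoted above; the second domain, its 40 TEST-NET-1 addresses and the documentation ASNs 64496-64501 are constructed, and the IP-to-ASN tables are assumed inputs (in practice they would come from a BGP or passive-DNS data source, not from the script).

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Coefficients of the Mannheim flux score (Holz et al., NDSS 2008), as used
# in the thread: f = 1.32 * n_A + 18.54 * n_ASN, flagged when f > 142.38.
W_A = 1.32
W_ASN = 18.54
THRESHOLD = 142.38

# Matches one A record line from dig's ANSWER SECTION: name, TTL, IN, A, ip.
A_RECORD = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def parse_a_records(dig_output: str) -> List[Tuple[str, int, str]]:
    """Return (name, ttl, ip) for each A record in dig-style output.

    Comment lines (';...'), blank lines and non-A records are ignored.
    """
    records = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = A_RECORD.match(line)
        if m:
            records.append((m.group("name"), int(m.group("ttl")), m.group("ip")))
    return records


def flux_score(ips: Set[str], ip_to_asn: Dict[str, int]) -> Tuple[float, int, int]:
    """Compute (score, n_A, n_ASN) for a set of distinct A record addresses.

    An address with no ASN mapping falls into a single "unknown" bucket, so
    missing data lowers the score rather than inflating it.
    """
    n_a = len(ips)
    origins = {ip_to_asn.get(ip, "unknown") for ip in ips}
    n_asn = len(origins)
    return W_A * n_a + W_ASN * n_asn, n_a, n_asn


def classify(lookups: Iterable[str], ip_to_asn: Dict[str, int]) -> Tuple[float, bool]:
    """Accumulate distinct IPs over repeated lookups, then score the union.

    Returns (score, is_fast_flux). The number of iterations matters: a domain
    that sits below the cut-off after one lookup can cross it once enough
    distinct addresses and ASNs have been observed.
    """
    seen: Set[str] = set()
    for output in lookups:
        seen.update(ip for _, _, ip in parse_a_records(output))
    score, _, _ = flux_score(seen, ip_to_asn)
    return score, score > THRESHOLD


# --- Sample 1: the youtube.ru answer quoted in the thread (3 IPs, 1 ASN) ---
YOUTUBE_RU_DIG = """\
;; QUESTION SECTION:
;youtube.ru. IN A

;; ANSWER SECTION:
youtube.ru. 300 IN A 208.65.153.251
youtube.ru. 300 IN A 208.65.153.253
youtube.ru. 300 IN A 208.65.153.238
"""
# Assumed mapping: all three addresses belong to AS36561, as stated in the thread.
YOUTUBE_RU_ASN = {ip: 36561 for ip in ("208.65.153.251", "208.65.153.253", "208.65.153.238")}

# --- Sample 2: a constructed flux-like domain (not from the thread) ---
# 40 addresses in TEST-NET-1 spread over six documentation ASNs (64496-64501),
# handed out in overlapping batches of 20 across three lookups.
FLUX_IPS = [f"192.0.2.{i}" for i in range(1, 41)]
FLUX_ASN = {ip: 64496 + (i % 6) for i, ip in enumerate(FLUX_IPS)}


def constructed_flux_lookups(name: str = "flux-example.test") -> List[str]:
    """Build three dig-style outputs whose union covers all 40 constructed IPs."""
    outputs = []
    for k in range(3):
        batch = FLUX_IPS[k * 10 : k * 10 + 20]
        lines = [";; ANSWER SECTION:"] + [f"{name}. 180 IN A {ip}" for ip in batch]
        outputs.append("\n".join(lines) + "\n")
    return outputs


if __name__ == "__main__":
    print("youtube.ru:", classify([YOUTUBE_RU_DIG], YOUTUBE_RU_ASN))
    print("constructed, one lookup:", classify(constructed_flux_lookups()[:1], FLUX_ASN))
    print("constructed, three lookups:", classify(constructed_flux_lookups(), FLUX_ASN))
```

With the quoted answer the score is 1.32*3 + 18.54 = 22.5, matching Joe's figure. The constructed domain illustrates the iteration effect: one lookup yields 20 IPs across six ASNs (137.64, just under the cut-off), while the union of three lookups yields 40 IPs (164.04) and is flagged.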