ICANN Email List Archives

[gnso-ff-pdp-may08]


Re: [gnso-ff-pdp-may08] Jump start on answering GNSO questions regarding fast flux

  • To: joe@xxxxxxxxxxxxxxxxxx
  • Subject: Re: [gnso-ff-pdp-may08] Jump start on answering GNSO questions regarding fast flux
  • From: Eric Brunner-Williams <ebw@xxxxxxxxxxxxxxxxxxxx>
  • Date: Tue, 01 Jul 2008 19:50:40 -0700


Joe,

Speaking for myself I'm happy with dig scripts, plus any perl|awk|sort processing needed to make any particular point for any particular observed dataset in the wild. The whois data should be junk and tending to freeformat (a side effect of the thin registry model), though someone may want to look through it anyway for patterns.

Eric

Joe St Sauver wrote:
Greg mentioned...

#To answer the questions in the charter we may therefore have to ask and
#research some questions such as:
#* How widely is fast-flux hosting used? How many sites are hosted using FF?

Is there interest in receiving a feed of fast-flux hosted FQDNs? What sort
of format would work for folks? For example, how about something like dig
output?

dependablequality[dot]com.  120     IN      A       79.119.143.30
dependablequality[dot]com.  120     IN      A       85.29.194.24
dependablequality[dot]com.  120     IN      A       85.179.115.73
dependablequality[dot]com.  120     IN      A       87.228.106.7
dependablequality[dot]com.  120     IN      A       88.134.190.175
dependablequality[dot]com.  120     IN      A       88.134.236.222
dependablequality[dot]com.  120     IN      A       89.173.18.71
dependablequality[dot]com.  120     IN      A       89.173.87.34
dependablequality[dot]com.  120     IN      A       91.127.1.68
dependablequality[dot]com.  120     IN      A       91.201.48.98
dependablequality[dot]com.  120     IN      A       24.35.75.248
dependablequality[dot]com.  120     IN      A       59.112.239.18
dependablequality[dot]com.  120     IN      A       61.15.232.198
dependablequality[dot]com.  120     IN      A       61.18.221.154
dependablequality[dot]com.  120     IN      A       61.224.140.184
dependablequality[dot]com.  120     IN      A       62.178.232.75
dependablequality[dot]com.  120     IN      A       78.48.71.159
dependablequality[dot]com.  120     IN      A       78.102.113.236
dependablequality[dot]com.  120     IN      A       78.102.210.159
dependablequality[dot]com.  120     IN      A       78.159.38.201

dependablehigh[dot]com.     120     IN      A       78.102.113.236
dependablehigh[dot]com.     120     IN      A       78.159.38.201
dependablehigh[dot]com.     120     IN      A       79.119.143.30
dependablehigh[dot]com.     120     IN      A       85.179.115.73
dependablehigh[dot]com.     120     IN      A       87.228.106.7
dependablehigh[dot]com.     120     IN      A       88.134.190.175
dependablehigh[dot]com.     120     IN      A       88.134.236.222
dependablehigh[dot]com.     120     IN      A       89.41.109.23
dependablehigh[dot]com.     120     IN      A       89.173.18.71
dependablehigh[dot]com.     120     IN      A       89.173.87.34
dependablehigh[dot]com.     120     IN      A       91.89.144.26
dependablehigh[dot]com.     120     IN      A       92.227.34.52
dependablehigh[dot]com.     120     IN      A       220.74.144.187
dependablehigh[dot]com.     120     IN      A       24.35.75.248
dependablehigh[dot]com.     120     IN      A       59.112.239.18
dependablehigh[dot]com.     120     IN      A       61.15.170.57
dependablehigh[dot]com.     120     IN      A       61.18.129.109
dependablehigh[dot]com.     120     IN      A       61.18.221.154
dependablehigh[dot]com.     120     IN      A       61.224.140.184
dependablehigh[dot]com.     120     IN      A       62.178.232.75
[etc]

(dots rendered as [dot] to avoid triggering URI-based spam filtering that
some of you may use) Those IPs will naturally change over time, but you
can look at the current ones to get a pretty good sense that this is not
a legitimately hosted domain.

Or do folks not care about individual dotted quads, just wanting a list
of FQDNs?

I assume that folks are also aware of the possibility of following the name
servers used for this sort of thing to identify clusters of related domains,
right? For example, I can send you a sample of 1000 domains currently using
ns0.wkakekod[dot]com, all of which I believe to be FF (and that's only a
fraction of what's associated with just that single name server). That might
be somewhat awkward to share by email, however.

Also, any interest in the bogus whois data that often accompanies these? E.G.,

[whois.paycenter[dot]com.cn]
Domain Name:dependablequality[dot]com

Registrant: AS JLIJ
        SD JLI
        789607

Administrative Contact: AD JLIJ
        AS JLIJ
        SD JLI
        A JLI  789607
        Costa Rica
        tel: 0987 9807 8907 9807
        fax: 8907 8907 897 978
        890asd@xxxxxx

Technical Contact: AD JLIJ
        AS JLIJ
        SD JLI
        A JLI  789607
        Costa Rica
        tel: 0987 9807 8907 9807
        fax: 8907 8907 897 978
        890asd@xxxxxx

Billing Contact: AD JLIJ
        AS JLIJ
        SD JLI
        A JLI  789607
        Costa Rica
        tel: 0987 9807 8907 9807
        fax: 8907 8907 897 978
        890asd@xxxxxx

 Registration Date: 2007-11-28
       Update Date: 2008-02-18
   Expiration Date: 2008-11-28

    Primary DNS:  ns0.wkakekod[dot]com              217.78.189.54
  Secondary DNS:  ns0.cnogaira[dot]com              77.41.80.55

#* What kinds of activities are occurring on those sites?

pillz, in the case of the examples shown... however one will also see
virtually all other types of spamvertised content (warez, watchez and
other replicaz, malware, you name it).

Regards,

Joe St Sauver (joe@xxxxxxxxxxxxxxxxxx)
http://www.uoregon.edu/~joe/

Disclaimer: all opinions strictly my own
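The pattern in Joe's dig output (short TTL, many A records scattered across unrelated networks) and his suggestion of pivoting on shared name servers, as an added Python example that is not part of this thread. The sample records are constructed in the list's [dot] notation (example.com, ns1.example.net and the RFC 5737 addresses are assumed control data), and the thresholds are illustrative assumptions.

```python
# Added example, not from the original post: parse dig-style A and NS records,
# flag fast-flux candidates and cluster domains by shared name server.
from collections import defaultdict

# Constructed sample in the list's "[dot]" notation: the "dependable" names reuse
# addresses from the quoted dig output; example.com uses RFC 5737 test addresses.
SAMPLE_DIG = """\
dependablequality[dot]com.  120  IN  A   79.119.143.30
dependablequality[dot]com.  120  IN  A   85.29.194.24
dependablequality[dot]com.  120  IN  A   24.35.75.248
dependablequality[dot]com.  120  IN  A   61.15.232.198
dependablequality[dot]com.  120  IN  NS  ns0.wkakekod[dot]com.
dependablehigh[dot]com.     120  IN  A   78.159.38.201
dependablehigh[dot]com.     120  IN  A   89.41.109.23
dependablehigh[dot]com.     120  IN  A   220.74.144.187
dependablehigh[dot]com.     120  IN  A   24.35.75.248
dependablehigh[dot]com.     120  IN  NS  ns0.wkakekod[dot]com.
example[dot]com.            3600 IN  A   192.0.2.10
example[dot]com.            3600 IN  A   192.0.2.11
example[dot]com.            3600 IN  NS  ns1.example[dot]net.
"""

def parse_records(text):
    """Return {owner: {"ttl": lowest TTL seen, "A": set, "NS": set}}, undoing [dot]."""
    recs = defaultdict(lambda: {"ttl": None, "A": set(), "NS": set()})
    for line in text.splitlines():
        parts = line.replace("[dot]", ".").split()
        # skip blanks, dig ";;" comment lines and any record type other than A/NS
        if len(parts) != 5 or parts[0].startswith(";") or parts[3] not in ("A", "NS"):
            continue
        owner, ttl, _, rtype, rdata = parts
        r = recs[owner.rstrip(".")]
        r["ttl"] = int(ttl) if r["ttl"] is None else min(r["ttl"], int(ttl))
        r[rtype].add(rdata.rstrip("."))
    return recs

def is_fast_flux(rec, max_ttl=300, min_ips=4, min_prefixes=3):
    """Illustrative heuristic (thresholds are assumptions): short TTL and several A
    records spread over several /8s; a CDN also has short TTLs, so the spread decides."""
    prefixes = {ip.split(".")[0] for ip in rec["A"]}
    return (rec["ttl"] is not None and rec["ttl"] <= max_ttl
            and len(rec["A"]) >= min_ips and len(prefixes) >= min_prefixes)

def cluster_by_ns(recs):
    """Group owner names by name server: the pivot Joe describes for related domains."""
    clusters = defaultdict(set)
    for owner, rec in recs.items():
        for ns in rec["NS"]:
            clusters[ns].add(owner)
    return {ns: sorted(owners) for ns, owners in clusters.items()}
```

Feed it real `dig +noall +answer` output instead of SAMPLE_DIG and the same functions apply; the /8 spread is only a rough proxy for "many unrelated networks", and an ASN lookup would be the stricter check.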
