Wired mag article on spammers playing traceroute games with trojaned boxes

Michael G michaelg at amerion.net
Thu Oct 9 16:57:25 UTC 2003


On Thu, 2003-10-09 at 09:11, Vinny Abello wrote:
> 
> They're using extremely low TTLs on most of their records. Typically 2 
> minutes to accomplish this. The thing is I would imagine at least ONE of 
> those NS servers cannot change within a 2 hour window whereas the others 
> can change every 2 minutes. If you identify the server that only changes 
> every 2 hours and track what it's replaced with every 2 hours, you're 
> likely to find a rotating list of master servers... Another question is why 
> is NeuLevel (the registrar for .biz) allowing TTLs on the NS records to be 
> 2 hours and submitting those to the GTLD servers. Maybe it's just me, but 
> that's the first time I've seen a registrar set such a low TTL on an NS 
> record. If NeuLevel is any good they would likely have some sort of 
> information to identify the owner of the domain, even if the information 
> listed on their whois server is invalid. They might have a credit card 
> transaction although that too could always be a stolen credit card number.
> 
> Any other ideas or different angles/experiences?
> 

Looks like there was a slight misinterpretation of the DNS records.  The
2hr TTL is on the NS record from the registrar (NeuStar/*.GTLD.BIZ),
which means it would take up to 2 hours to switch DNS servers (probably
longer, due to red tape).  However, the DNS servers aren't what's being
rotated.  It's the data that they are giving that's rotating, hence the
2-minute TTL.  ALL of the nsX.uzc12.biz servers' record changes will be
seen w/in 2 minutes, not just one of them.

Also, after doing some preliminary digging, it would seem that the
GTLD.BIZ servers have very low TTLs on a lot of their domains.  In fact,
7200 seems high compared to some other ones I found.

--Gar
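The distinction Gar draws above (a stable 7200-second NS delegation versus 120-second A records that rotate on every lookup) is exactly what a resolver-side log lets a defender measure. The following is an added example, not part of the original thread or any NANOG tooling: it parses a constructed log of dig-style answer records, groups them into RRsets per observation time, and flags a set as "fluxing" when its TTL is short and its contents keep changing between observations. The domain names, addresses and timestamps are all made up; the `max_ttl` threshold of 300 seconds is an assumption you would tune to your own traffic.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed observation log (not real data), one record per line:
#   <epoch-seconds> <name> <ttl> IN <type> <rdata>
# The delegation NS records carry a 7200 s TTL and never change, while the
# A records the zone's own servers hand out carry a 120 s TTL and rotate
# on every observation, mirroring the behaviour discussed in the thread.
SAMPLE_LOG = """\
0     example.test.      7200 IN NS ns1.example.test.
0     example.test.      7200 IN NS ns2.example.test.
0     www.example.test.   120 IN A  192.0.2.10
0     www.example.test.   120 IN A  192.0.2.11
120   www.example.test.   120 IN A  192.0.2.12
120   www.example.test.   120 IN A  192.0.2.13
240   www.example.test.   120 IN A  192.0.2.10
240   www.example.test.   120 IN A  192.0.2.14
360   www.example.test.   120 IN A  192.0.2.15
360   www.example.test.   120 IN A  192.0.2.16
7200  example.test.      7200 IN NS ns1.example.test.
7200  example.test.      7200 IN NS ns2.example.test.
14400 example.test.      7200 IN NS ns1.example.test.
14400 example.test.      7200 IN NS ns2.example.test.
"""


@dataclass(frozen=True)
class Observation:
    seen_at: int   # when the resolver observed the record (seconds)
    name: str
    ttl: int
    rtype: str
    rdata: str


def parse_line(line: str) -> Observation:
    """Parse one '<epoch> <name> <ttl> IN <type> <rdata>' line (constructed format)."""
    seen_at, name, ttl, klass, rtype, rdata = line.split(maxsplit=5)
    if klass != "IN":
        raise ValueError(f"unexpected class {klass!r} in {line!r}")
    return Observation(int(seen_at), name.lower(), int(ttl), rtype.upper(), rdata.lower())


def parse_log(text: str) -> list[Observation]:
    """Parse every non-blank line of a log in the constructed format."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def group_rrsets(observations):
    """Group records into RRsets keyed by (name, type), then by observation time."""
    rrsets = defaultdict(lambda: defaultdict(set))
    for o in observations:
        rrsets[(o.name, o.rtype)][o.seen_at].add(o.rdata)
    return rrsets


def churn_report(observations, max_ttl: int = 300) -> dict:
    """For each RRset, count how often its contents changed between successive
    observations and how many distinct rdata values were ever seen.  An RRset
    is flagged as fluxing when its TTL is at or below max_ttl AND its contents
    changed more than once; a stable low-TTL set (normal for a CDN) is not."""
    report = {}
    for key, by_time in group_rrsets(observations).items():
        snapshots = [by_time[t] for t in sorted(by_time)]
        changes = sum(1 for a, b in zip(snapshots, snapshots[1:]) if a != b)
        distinct = set().union(*snapshots)
        min_ttl = min(o.ttl for o in observations if (o.name, o.rtype) == key)
        report[key] = {
            "min_ttl": min_ttl,
            "snapshots": len(snapshots),
            "changes": changes,
            "distinct_rdata": len(distinct),
            "fluxing": min_ttl <= max_ttl and changes > 1,
        }
    return report


def analyze_sample() -> dict:
    """Run the churn report over the constructed SAMPLE_LOG."""
    return churn_report(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for (name, rtype), stats in sorted(analyze_sample().items()):
        flag = "FLUX" if stats["fluxing"] else "ok"
        print(f"{flag:4} {name} {rtype}: ttl={stats['min_ttl']} "
              f"changes={stats['changes']}/{stats['snapshots'] - 1} "
              f"distinct={stats['distinct_rdata']}")
```

On the sample data the NS delegation shows zero changes across three observations spaced at its own 7200-second TTL, while the A RRset changes on every one of its 120-second observations and accumulates seven distinct addresses, which is the signal worth alerting on. Feeding this from real resolver query logs is left to the reader; the parser only understands the constructed line format shown.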