nanog mailing list archives

Re: Wired mag article on spammers playing traceroute games with trojaned boxes


From: Michael G <michaelg () amerion net>
Date: 09 Oct 2003 09:57:25 -0700


On Thu, 2003-10-09 at 09:11, Vinny Abello wrote:

They're using extremely low TTLs on most of their records, typically 2
minutes, to accomplish this. The thing is, I would imagine at least ONE of
those NS servers cannot change within a 2 hour window, whereas the others
can change every 2 minutes. If you identify the server that only changes
every 2 hours and track what it's replaced with every 2 hours, you're
likely to find a rotating list of master servers... Another question is why
NeuLevel (the registrar for .biz) is allowing TTLs on the NS records to be
2 hours and submitting those to the GTLD servers. Maybe it's just me, but
that's the first time I've seen a registrar set such a low TTL on an NS
record. If NeuLevel is any good they would likely have some sort of
information to identify the owner of the domain, even if the information
listed on their whois server is invalid. They might have a credit card
transaction, although that too could always be a stolen credit card number.

Any other ideas or different angles/experiences?


Looks like there was a slight misinterpretation of the DNS records.  The
2-hour TTL is on the NS record from the registrar (NeuStar/*.GTLD.BIZ),
which means it would take up to 2 hours to switch DNS servers (probably
longer, due to red tape).  However, the DNS servers aren't what's being
rotated.  It's the data that they are giving that's rotating, hence the
2 minute TTL.  ALL of the nsX.uzc12.biz servers' record changes will be
seen within 2 minutes, not just one of them.

Also, after doing some preliminary digging, it would seem that the
GTLD.BIZ servers have very low TTLs on a lot of their domains.  In fact,
7200 seems high compared to some other ones I found.

--Gar
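The disagreement above comes down to which layer of the delegation is actually rotating: the NS records at the registry (7200 s TTL) or the A records the nsX servers hand out (120 s TTL). The script below is an added example, not code from either poster. It takes poll results in a constructed log format (`<epoch> <server-queried> <qname> <qtype> <ttl> <rdata>`, one RR per line) and reports, per (name, type), how many distinct RRsets were seen, the shortest interval between changes relative to the TTL, and whether all authoritative servers returned the same set at each poll. The names (`flux.example`, `ns1/ns2.flux.example`, `a.tld.example`) and RFC 5737 addresses in the sample are constructed for the example and correspond to nothing in the thread.

```python
"""Churn report for DNS RRsets polled from authoritative servers.

Added example (not from the original posts). Log format, constructed for
this example, one resource record per line:
    <epoch> <server-queried> <qname> <qtype> <ttl> <rdata>
"""
from collections import defaultdict, namedtuple

Observation = namedtuple("Observation", "ts server qname qtype ttl rdata")

# Constructed sample: four polls, 120 s apart. ns1/ns2.flux.example are
# hypothetical authoritative servers, a.tld.example a hypothetical registry
# server. The A RRset changes every poll; the NS delegation never does.
SAMPLE_LOG = """
1065715200 ns1.flux.example www.flux.example A 120 192.0.2.10
1065715200 ns1.flux.example www.flux.example A 120 192.0.2.11
1065715200 ns2.flux.example www.flux.example A 120 192.0.2.10
1065715200 ns2.flux.example www.flux.example A 120 192.0.2.11
1065715200 a.tld.example flux.example NS 7200 ns1.flux.example
1065715200 a.tld.example flux.example NS 7200 ns2.flux.example
1065715320 ns1.flux.example www.flux.example A 120 198.51.100.7
1065715320 ns1.flux.example www.flux.example A 120 198.51.100.8
1065715320 ns2.flux.example www.flux.example A 120 198.51.100.7
1065715320 ns2.flux.example www.flux.example A 120 198.51.100.8
1065715320 a.tld.example flux.example NS 7200 ns1.flux.example
1065715320 a.tld.example flux.example NS 7200 ns2.flux.example
1065715440 ns1.flux.example www.flux.example A 120 203.0.113.21
1065715440 ns1.flux.example www.flux.example A 120 203.0.113.22
1065715440 ns2.flux.example www.flux.example A 120 203.0.113.21
1065715440 ns2.flux.example www.flux.example A 120 203.0.113.22
1065715440 a.tld.example flux.example NS 7200 ns1.flux.example
1065715440 a.tld.example flux.example NS 7200 ns2.flux.example
1065715560 ns1.flux.example www.flux.example A 120 192.0.2.30
1065715560 ns1.flux.example www.flux.example A 120 198.51.100.31
1065715560 ns2.flux.example www.flux.example A 120 192.0.2.30
1065715560 ns2.flux.example www.flux.example A 120 198.51.100.31
1065715560 a.tld.example flux.example NS 7200 ns1.flux.example
1065715560 a.tld.example flux.example NS 7200 ns2.flux.example
"""


def parse_log(text):
    """Parse poll lines into Observation tuples; names are normalised."""
    obs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        ts, server, qname, qtype, ttl, rdata = fields
        obs.append(Observation(int(ts), server.lower(), qname.lower().rstrip("."),
                               qtype.upper(), int(ttl), rdata.lower().rstrip(".")))
    return obs


def churn_report(observations):
    """Per (qname, qtype): how often the RRset changed, relative to its TTL."""
    polls = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    ttls = defaultdict(set)
    for o in observations:
        polls[(o.qname, o.qtype)][o.ts][o.server].add(o.rdata)
        ttls[(o.qname, o.qtype)].add(o.ttl)

    report = {}
    for key, by_ts in polls.items():
        times = sorted(by_ts)
        rrsets, servers_agree = [], True
        for ts in times:
            per_server = {frozenset(v) for v in by_ts[ts].values()}
            if len(per_server) > 1:          # authoritative servers out of sync
                servers_agree = False
            rrsets.append(frozenset().union(*per_server))
        # gaps between consecutive polls whose RRset differed
        change_gaps = [times[i] - times[i - 1]
                       for i in range(1, len(times)) if rrsets[i] != rrsets[i - 1]]
        ttl = max(ttls[key])
        min_gap = min(change_gaps) if change_gaps else None
        distinct = len(set(rrsets))
        report[key] = {
            "ttl": ttl,
            "polls": len(times),
            "distinct_rrsets": distinct,
            "changes": len(change_gaps),
            "min_change_interval": min_gap,
            "servers_agree": servers_agree,
            # rotating as fast as the TTL allows, through several distinct sets
            "flux_suspected": min_gap is not None and min_gap <= ttl and distinct >= 3,
        }
    return report


if __name__ == "__main__":
    for (qname, qtype), r in sorted(churn_report(parse_log(SAMPLE_LOG)).items()):
        print(qname, qtype, r)
```

Polling at the TTL interval is the coarsest sampling that can still catch every change, so `min_change_interval == ttl` means the set moved at every opportunity the TTL gave it. `servers_agree` is the check on the "one lagging NS server" idea in the quoted message: if it stays true while the A RRset rotates, the servers are all serving the same rotating data, and the stable thing to track is the NS delegation itself.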

