nanog mailing list archives

Re: Wired mag article on spammers playing traceroute games with trojaned boxes


From: Gregory Hicks <ghicks () cadence com>
Date: Thu, 9 Oct 2003 10:00:46 -0700 (PDT)



Date: Thu, 9 Oct 2003 10:51:08 -0500
Subject: Re: Wired mag article on spammers playing traceroute games with 
trojaned boxes
From: Chris Boyd <cboyd () gizmopartners com>
To: nanog () merit edu



On Thursday, October 9, 2003, at 10:04  AM, Suresh Ramasubramanian 
wrote:


http://www.wired.com/news/business/0,1367,60747,00.html

-- 
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations




I found one of these today, as a matter of fact.  The spam was 
advertising an anti-spam package, of course.

The domain name is vano-soft.biz, and looking up the address, I get

Name:    vano-soft.biz
Addresses:  12.252.185.129, 131.220.108.232, 165.166.182.168, 
193.165.6.97
           12.229.122.9

A few minutes later, or from a different nameserver, I get

Name:    vano-soft.biz
Addresses:  131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9
           12.252.185.129

This is a real Hydra.  If everyone on the list looked up vano-soft.biz 
and removed the trojaned boxes, would we be able to kill it?

This is NOT a hydra.  The IP addresses are the same but presented
differently.  This happens because of THIS setup in DNS:

vano-soft.biz.  IN A 131.220.108.232
                IN A 165.166.182.168
                IN A 193.165.6.97
                IN A 12.229.122.9
                IN A 12.252.185.129
                
This setup is called "Round-robin" because the name server provides the
first IP address FIRST to the first query; the second IP address first
to the second query; the third IP address first to the third query; ...
to the fifth query.  Then it starts over with the first IP Address in
response to the sixth query...

In each case, ALL IP addresses are provided in response to each query.

Yes, the TTL may be a bit low, but it is a workable setup...

And no, I am NOT condoning what vano-soft.biz is doing, just trying to
explain why, when you checked the first time, you got one answer, and
when you checked sometime later, you got a different answer...

(Donning flameproof underwear...)

Regards,
Gregory Hicks

-------------------------------------------------------------------

"The trouble with doing anything right the first time is that nobody
appreciates how difficult it was."

When a team of dedicated individuals makes a commitment to act as
one...  the sky's the limit.

Just because "We've always done it that way" is not necessarily a good
reason to continue to do so...  Grace Hopper, Rear Admiral, United
States Navy
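
Added example, not part of the original message or thread: a Python check that parses the two lookups quoted above and reports whether the address set actually changed or was only presented in a different order, which is the distinction the reply draws. The function names are hypothetical, and the parser assumes nslookup-style text with IPv4 addresses only.

```python
import ipaddress
import re

# The two answers quoted in the message above, as the lookup tool printed them.
FIRST = """Name:    vano-soft.biz
Addresses:  12.252.185.129, 131.220.108.232, 165.166.182.168,
193.165.6.97
           12.229.122.9
"""
SECOND = """Name:    vano-soft.biz
Addresses:  131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9
           12.252.185.129
"""

def parse_addresses(nslookup_text):
    """Return the IPv4 addresses in the order the resolver listed them."""
    addrs = []
    for token in re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", nslookup_text):
        addrs.append(str(ipaddress.IPv4Address(token)))  # raises on junk
    return addrs

def is_rotation(a, b):
    """True if b is a cyclic shift of a (what a round-robin server emits)."""
    return len(a) == len(b) and any(a[i:] + a[:i] == b for i in range(len(a)))

def compare_answers(old_text, new_text):
    """Classify two answers: identical, rotated, reordered, or changed."""
    old, new = parse_addresses(old_text), parse_addresses(new_text)
    added, removed = sorted(set(new) - set(old)), sorted(set(old) - set(new))
    if added or removed:
        verdict = "changed"      # the record set itself is different
    elif old == new:
        verdict = "identical"
    elif is_rotation(old, new):
        verdict = "rotated"      # same set, round-robin ordering
    else:
        verdict = "reordered"    # same set, shuffled some other way
    return {"verdict": verdict, "added": added, "removed": removed}

if __name__ == "__main__":
    print(compare_answers(FIRST, SECOND))
```

Only a "changed" verdict, with entries under added or removed, means the name now points at different hosts; a different order alone does not.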

