nanog mailing list archives

RE: DDOS-Guard [was: Parler]


From: Jean St-Laurent via NANOG <nanog () nanog org>
Date: Fri, 29 Jan 2021 15:12:28 -0500

This one ended up in Junk. I guess you pasted too many domain names with "Junk" behaviours. 😉

I removed the domain names from this reply.

Interesting list though. Thanks for sharing. Any others got that in their junk?


Jean St-Laurent 
CISSP #634103

ddosTest me security inc
site:  https://ddostest.me 
email:  jean () ddostest me 


-----Original Message-----
From: NANOG <nanog-bounces+jean=ddostest.me () nanog org> On Behalf Of Rich Kulawiec
Sent: January 21, 2021 8:02 AM
To: nanog () nanog org
Subject: DDOS-Guard [was: Parler]

About this network:

On Sun, Jan 17, 2021 at 01:27:10PM -0800, William Herrin wrote:

[snip]

inetnum:     190.115.16.0/20
status:      allocated
aut-num:     AS262254
owner:       DDOS-GUARD CORP.
ownerid:     BZ-DALT-LACNIC
responsible: Evgeniy Marchenko
address:     1/2Miles Northern Highway, --, --
address:     -- - Belize - BZ

[snip]

I've taken a look at this /20 and recommend either firewalling it
(bidirectionally) or null-routing it.  It's loaded with scammy domains,
many of which are typosquatting on Hulu, Roku, Netgear, ATT, Facebook,
Norton, AOL, HP, Canon, SBC, Epson, Bitdefender, Rand-McNally, Roadrunner,
McAfee, Magellan, Office365, Tomtom, Garmin, Webroot, Brother, Belkin,
Linksys, and probably some others that I overlooked while eyeballing the
list.

Appended below is a partial list of domains.  All of these either
(a) are using nameservers in that /20 or
(b) have A records that resolve to that /20 or
(c) both,
as of when I checked this week.  Notes:
(1) this list is likely only a subset of what's actually there and
(2) h/t to Brian Krebs for cataloging some of these in a blog post.

---rsk
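
The (a)/(b)/(c) test described in the original message, as an added example that is not part of the thread: it classifies already-resolved DNS records against the 190.115.16.0/20 prefix from the WHOIS excerpt. The record layout, the function names and the sample domains and addresses are constructed assumptions for illustration.

```python
import ipaddress

# Prefix quoted in the WHOIS excerpt in the message above.
PREFIX = ipaddress.ip_network("190.115.16.0/20")

# Constructed sample records (hypothetical names under the reserved .example
# TLD; addresses chosen only to exercise each branch, not observed data).
SAMPLE = [
    {"domain": "shop.example", "a": ["190.115.18.7"], "ns_ips": ["190.115.31.53"]},
    {"domain": "mail.example", "a": ["190.115.16.1"], "ns_ips": ["192.0.2.53"]},
    {"domain": "blog.example", "a": ["198.51.100.9"],
     "ns_ips": ["190.115.24.53", "203.0.113.53"]},
    # Just outside both edges of the /20, plus an IPv6 nameserver.
    {"domain": "edge.example", "a": ["190.115.32.1", "190.115.15.255"],
     "ns_ips": ["2001:db8::53"]},
    # Malformed resolver output must not crash the run.
    {"domain": "junk.example", "a": ["not-an-ip"], "ns_ips": []},
]


def in_prefix(addr, net=PREFIX):
    """True if addr parses as an IP address inside net; bad input is False."""
    try:
        return ipaddress.ip_address(addr.strip()) in net
    except ValueError:
        return False


def classify(record, net=PREFIX):
    """Return 'a' (nameservers in net), 'b' (A records in net),
    'c' (both), or None when the domain does not touch the prefix."""
    ns_hit = any(in_prefix(ip, net) for ip in record.get("ns_ips", []))
    a_hit = any(in_prefix(ip, net) for ip in record.get("a", []))
    if ns_hit and a_hit:
        return "c"
    if ns_hit:
        return "a"
    if a_hit:
        return "b"
    return None


def report(records, net=PREFIX):
    """Map each domain that touches the prefix to its category letter."""
    hits = ((r["domain"], classify(r, net)) for r in records)
    return {domain: cat for domain, cat in hits if cat}


if __name__ == "__main__":
    for domain, cat in report(SAMPLE).items():
        print(f"({cat}) {domain}")
```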


