Date: Thu, 9 Oct 2003 10:51:08 -0500
Subject: Re: Wired mag article on spammers playing traceroute games with trojaned boxes
From: Chris Boyd <cboyd@gizmopartners.com>
To: nanog@merit.edu
On Thursday, October 9, 2003, at 10:04 AM, Suresh Ramasubramanian wrote:
http://www.wired.com/news/business/0,1367,60747,00.html
--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
I found one of these today, as a matter of fact. The spam was advertising an anti-spam package, of course.
The domain name is vano-soft.biz, and looking up the address, I get
Name: vano-soft.biz
Addresses: 12.252.185.129, 131.220.108.232, 165.166.182.168, 193.165.6.97
          12.229.122.9
A few minutes later, or from a different nameserver, I get
Name: vano-soft.biz
Addresses: 131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9
          12.252.185.129
This is a real Hydra. If everyone on the list looked up vano-soft.biz and removed the trojaned boxes, would we be able to kill it?
This is NOT a hydra. The IP addresses are the same but presented differently. This happens because of THIS setup in DNS:

    vano-soft.biz.  IN A 131.220.108.232
                    IN A 165.166.182.168
                    IN A 193.165.6.97
                    IN A 12.229.122.9
                    IN A 12.252.185.129

This setup is called "Round-robin" because the name server provides the first IP address FIRST to the first query; the second IP address first to the second query; the third IP address first to the third query; ... to the fifth query. Then it starts over with the first IP Address in response to the sixth query... In each case, ALL IP addresses are provided in response to each query.

Yes, the TTL may be a bit low, but it is a workable setup...

And no, I am NOT condoning what vano-soft.biz is doing, just trying to explain why, when you checked the first time, you got one answer, and when you checked sometime later, you got a different answer...

(Donning flameproof underwear...)

Regards,
Gregory Hicks

-------------------------------------------------------------------
"The trouble with doing anything right the first time is that nobody appreciates how difficult it was."

When a team of dedicated individuals makes a commitment to act as one... the sky's the limit.

Just because "We've always done it that way" is not necessarily a good reason to continue to do so... Grace Hopper, Rear Admiral, United States Navy
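An added example, not part of the original thread: a Python check that compares the two lookups quoted above as sets, so a round-robin rotation of one record set can be told apart from a real change in the records. The function names and verdict labels are assumptions of this sketch.

```python
import ipaddress
import re

# The two lookups quoted in the thread, as nslookup printed them.
LOOKUP_1 = """Name: vano-soft.biz
Addresses: 12.252.185.129, 131.220.108.232, 165.166.182.168, 193.165.6.97
          12.229.122.9"""
LOOKUP_2 = """Name: vano-soft.biz
Addresses: 131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9
          12.252.185.129"""


def parse_addresses(text):
    """Return the IPv4 addresses in an nslookup answer, in the order listed."""
    found = re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", text)
    # IPv4Address() rejects out-of-range octets such as 999.1.1.1.
    return [str(ipaddress.IPv4Address(a)) for a in found]


def round_robin(rrset, query_number):
    """Answer order a rotating name server gives to the Nth query (0-based)."""
    k = query_number % len(rrset)
    return rrset[k:] + rrset[:k]


def compare_answers(first, second):
    """Classify how two answers for the same name differ.

    Returns (verdict, added, removed). Only a change in set membership
    means the records themselves changed between the two lookups.
    """
    added = sorted(set(second) - set(first))
    removed = sorted(set(first) - set(second))
    if added or removed:
        return "rrset-changed", added, removed
    if first == second:
        return "identical", [], []
    if second in [round_robin(first, k) for k in range(len(first))]:
        return "rotation", [], []
    return "reordered", [], []


if __name__ == "__main__":
    a, b = parse_addresses(LOOKUP_1), parse_addresses(LOOKUP_2)
    print(compare_answers(a, b))
```

A monitoring job that alerts on changing A records should compare on the `added` and `removed` lists, not on the raw answer order.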