Wired mag article on spammers playing traceroute games with trojaned boxes

Date: Thu, 9 Oct 2003 10:51:08 -0500
Subject: Re: Wired mag article on spammers playing traceroute games with trojaned boxes

From: Chris Boyd <cboyd@gizmopartners.com>
To: nanog@merit.edu

> http://www.wired.com/news/business/0,1367,60747,00.html
>
> --
> srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
> manager, outblaze.com security and antispam operations

I found one of these today, as a matter of fact. The spam was
advertising an anti-spam package, of course.

The domain name is vano-soft.biz, and looking up the address, I get

Name: vano-soft.biz
Addresses: 12.252.185.129, 131.220.108.232, 165.166.182.168, 193.165.6.97
           12.229.122.9

A few minutes later, or from a different nameserver, I get

Name: vano-soft.biz
Addresses: 131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9
           12.252.185.129

This is a real Hydra. If everyone on the list looked up vano-soft.biz
and removed the trojaned boxes, would we be able to kill it?

This is NOT a hydra. The IP addresses are the same but presented
differently. This happens because of THIS setup in DNS:

vano-soft.biz. IN A 131.220.108.232
                IN A 165.166.182.168
                IN A 193.165.6.97
                IN A 12.229.122.9
                IN A 12.252.185.129
                
This setup is called "Round-robin" because the name server provides the
first IP address FIRST to the first query; the second IP address first
to the second query; the third IP address first to the third query; and
so on through the fifth query. Then it starts over with the first IP
Address in response to the sixth query...

In each case, ALL IP addresses are provided in response to each query.

Yes, the TTL may be a bit low, but it is a workable setup...

And no, I am NOT condoning what vano-soft.biz is doing, just trying to
explain why, when you checked the first time, you got one answer, and
when you checked sometime later, you got a different answer...

(Donning flameproof underwear...)

Regards,
Gregory Hicks
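As an added illustration (not code from either message in this thread), the
following Python models the rotation Gregory describes and re-checks Chris's
two lookups the way a responder should: by comparing the set of addresses
returned, not their order. The two nslookup-style answer texts are constructed
here from the ones quoted above; the rotate-by-one-per-query behaviour is the
simplified model the reply gives, not a claim about any particular name
server's implementation.

```python
import re

# The RRset exactly as Gregory's zone fragment lists it.
VANO_SOFT_RRSET = [
    "131.220.108.232",
    "165.166.182.168",
    "193.165.6.97",
    "12.229.122.9",
    "12.252.185.129",
]

# Matches dotted-quad IPv4 addresses in free text (enough for nslookup output).
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def round_robin_answers(rrset, queries):
    """Yield the A-record list returned for each successive query.

    Simplified model of what the reply describes: every answer carries the
    full RRset, rotated one position further per query, wrapping around
    after len(rrset) queries so the (n+1)th query repeats the first.
    """
    n = len(rrset)
    for i in range(queries):
        start = i % n
        yield rrset[start:] + rrset[:start]


def addresses_from_nslookup(text):
    """Pull every IPv4 address out of nslookup-style output, including the
    indented continuation line that wraps the last address."""
    return IPV4.findall(text)


def is_hydra(answer_a, answer_b):
    """True only if the two answers differ as sets of hosts.

    Two round-robin answers differ in order but not membership, so this is
    False for them; a host set that actually changes between lookups
    (addresses appearing or disappearing) is what would justify 'hydra'.
    """
    return set(answer_a) != set(answer_b)


# Constructed from the two lookups Chris posted; same hosts, different order.
FIRST_LOOKUP = """Name: vano-soft.biz
Addresses: 12.252.185.129, 131.220.108.232, 165.166.182.168, 193.165.6.97
           12.229.122.9
"""
SECOND_LOOKUP = """Name: vano-soft.biz
Addresses: 131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9
           12.252.185.129
"""


def verdict_for_thread():
    """Return (order_differs, membership_differs) for Chris's two lookups."""
    a = addresses_from_nslookup(FIRST_LOOKUP)
    b = addresses_from_nslookup(SECOND_LOOKUP)
    return a != b, is_hydra(a, b)


if __name__ == "__main__":
    order_differs, membership_differs = verdict_for_thread()
    print(f"order differs: {order_differs}, host set differs: {membership_differs}")
    for i, ans in enumerate(round_robin_answers(VANO_SOFT_RRSET, 6), 1):
        print(f"query {i}: first address {ans[0]}, {len(ans)} addresses returned")
```

When checking a suspect name for real, repeat the lookup over several TTL
intervals and track the union of addresses seen: a stable set whose order
changes is round robin, while a set that keeps gaining new addresses and
losing old ones is the behaviour worth chasing. Order alone proves nothing,
since a recursive resolver or the local stub library may reorder an RRset
independently of the authoritative server.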