[Emerging-Sigs] auto-domain creation
David Glosser
david.glosser at gmail.com
Wed Mar 12 05:47:57 EST 2008
1. How often do these guys switch netblocks?
2. I guess none of these are fast-flux.
Is it best to concentrate on blocking the fast-flux domains rather than
"regular ones"?
3. Sounds like an interesting two-pronged strategy would be to block IPs of
"regular" RBN domains and domains themselves which are part of a fast-flux
botnet... Not sure what the easiest way to do this is besides a script to
check each domain to see if it's fast-flux'ed...
On Tue, Mar 11, 2008 at 11:24 PM, Jim McQuaid <jim.mcquaid at gmail.com> wrote:
> "One way to beat the RBN's auto-domain creation tactic is to catalogue
> their IP space and block it whether they have anything there or not.
> I've thought about this as a means to diminish the effectiveness of
> fast flux. An example is at RapidSwitch, yesterday the RBN sigs blocked:
> 87.117.252.11
> 87.117.255.20
> 87.117.255.30
>
> However, we have now observed:
> [list of addresses in 87.117.255.0/24 with the RBN hostnames observed on each]
>
> Conclusion, RBN owns that block of 255 addresses. So, we should
> always block it, as they are free to move domains in and out of that
> range at will."
>
>
> --
> James McQuaid
> http://www.jamesmcquaid.com
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
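The two checks discussed in this thread, as an added example that is not part of either post: a heuristic fast-flux test over repeated lookups of one domain (many distinct IPs and /24 prefixes with short TTLs), plus a test for whether resolved IPs fall inside a catalogued netblock. Thresholds, the /24-as-diversity proxy, and the RFC 5737 sample addresses are assumptions constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Resolution:
    """One DNS lookup of the domain: offset in seconds, A-record TTL, A records returned."""
    ts: int
    ttl: int
    ips: tuple


def fast_flux_score(history, min_ips=5, min_prefixes=3, max_ttl=300):
    """Heuristic fast-flux check over a domain's resolution history.

    Flags the domain when it spread over many distinct IPs and /24 prefixes
    with short TTLs. The /24 count is a crude stand-in for hosting diversity;
    the thresholds are illustrative assumptions, not from the original posts.
    """
    ips = {ip for r in history for ip in r.ips}
    prefixes = {ip_network(f"{ip}/24", strict=False) for ip in ips}
    min_ttl = min(r.ttl for r in history)
    # churn: lookups whose IP set differs from the previous lookup's
    churn = sum(1 for a, b in zip(history, history[1:]) if set(a.ips) != set(b.ips))
    return {
        "unique_ips": len(ips),
        "prefixes": len(prefixes),
        "min_ttl": min_ttl,
        "churn": churn,
        "fast_flux": len(ips) >= min_ips and len(prefixes) >= min_prefixes and min_ttl <= max_ttl,
    }


def in_catalogued_space(ips, blocks):
    """Return the IPs that fall inside catalogued netblocks (the block-the-range approach)."""
    nets = [ip_network(b) for b in blocks]
    return {ip for ip in ips if any(ip_address(ip) in n for n in nets)}


# Constructed sample data using RFC 5737 documentation ranges.
FLUX_HISTORY = [
    Resolution(0, 180, ("192.0.2.10", "198.51.100.20", "203.0.113.30")),
    Resolution(300, 180, ("192.0.2.11", "198.51.100.21", "203.0.113.31")),
    Resolution(600, 180, ("192.0.2.12", "198.51.100.22", "203.0.113.32")),
    Resolution(900, 180, ("192.0.2.13", "198.51.100.23", "203.0.113.33")),
]
STATIC_HISTORY = [Resolution(t, 3600, ("192.0.2.50",)) for t in (0, 300, 600, 900)]

if __name__ == "__main__":
    print(fast_flux_score(FLUX_HISTORY))    # fast_flux: True
    print(fast_flux_score(STATIC_HISTORY))  # fast_flux: False
    print(in_catalogued_space({"192.0.2.10", "203.0.113.30"}, ["192.0.2.0/24"]))
```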