
Forum Moderators: incrediBILL & lawman


Phishing Botnet Taken Down and 800,000 Domains Seized

6:28 pm on Dec 2, 2016 (gmt 0)

Administrator from GB 

engine

joined:May 9, 2000
posts:24070
votes: 498


According to Interpol, this raid on the phishing botnet included shutting down 221 servers, and was the "largest-ever use of sinkholing to combat botnet infrastructures..."
"The operation involves arrests and searches in five countries," representatives of the FBI and US Department of Justice said in a joint statement issued today. "More than 50 Avalanche servers worldwide were taken offline."

Phishing Botnet Taken Down and 800,000 Domains Seized [arstechnica.com]
8:17 pm on Dec 2, 2016 (gmt 0)

Senior Member from US 

lucy24

joined:Apr 9, 2011
posts:13599
votes: 412


Is it just me, or ... is there handsome poetic justice in the fact that at least one agency involved in the takedown was one of those that were specifically spoofed in the ransomware?
Individual nodes within the botnet are registered and then quickly de-registered as the host associated with a Domain Name Service A address record for a single DNS name. The destination addresses for a DNS record often change as quickly as once every 5 minutes, and can cycle through hundreds or thousands of IP addresses.

How can you do this without the knowing collusion of a name server? Wouldn't--or shouldn't--someone notice if you're changing your record every 5 minutes?
10:01 pm on Dec 2, 2016 (gmt 0)

Senior Member from KZ 

lammert

joined:Jan 10, 2005
posts: 2930
votes: 20


No-one notices if they were running their own name servers. And with 221 servers they had the backbone to do it.

The figures are amazing. They burned 800,000 throw-away domains in seven years. That is 0.24% of all the domain names currently registered over all TLDs. source: [name.com...]
8:14 pm on Dec 3, 2016 (gmt 0)

Preferred Member from GB 


joined:Sept 29, 2009
posts:468
votes: 26


Does anyone think there should be a few more checks about domains that are sold? I got a junk mail the other day from a domain that was something like xygz-npts-xygz-xygz.net

And while on this subject, Gmail also needs to be far more proactive about accounts like qqqqqqqqq2315zzzzzzzzzz@gmail.com

In both these cases, you can get the weirdest email addresses or domains if you want, but there should be some level of manual checking once an "oddness" flag gets tripped.
7:52 am on Dec 4, 2016 (gmt 0)

Senior Member


joined:Aug 30, 2002
posts: 2549
votes: 51


800k domains in seven years is not a lot. Most people think of TLDs as being quite monolithic. They are not. Just in .COM alone in the past month approximately 3.15 million domains were deleted and just over 2.68 million new domains were added to the zone. .NET and .ORG have hundreds of thousands of new and deleted domains each month.

Regards...jmcc
10:25 pm on Dec 4, 2016 (gmt 0)

Senior Member from US 

lucy24

joined:Apr 9, 2011
posts:13599
votes: 412


No-one notices if they were running their own name servers. And with 221 servers they had the backbone to do it.

But, but, but-- don't nameservers have to be accredited by somebody? If I tell my browser to find example.spam, it doesn't poll every IP in existence “Do you know where I can find these guys?” It's got a finite list of places to ask.
10:59 pm on Dec 4, 2016 (gmt 0)

Senior Member from KZ 

lammert

joined:Jan 10, 2005
posts: 2930
votes: 20


DNS traffic is cached heavily just to prevent the root servers from collapsing. The main record for a domain which indicates where the primary name servers for that domain can be found is often assigned a time to live of one to several days. So only once every day one of the intermediate caches has to ask a root server where the authoritative domain information is stored. But after that it is the spammers' own DNS server which serves up the records directly to the intermediate caches. And that is such fragmented traffic that probably no cache will notice any abnormalities.

I am running such a configuration with a root TTL time of 86400 seconds and record TTL times of 300 seconds. Not for spamming of course :) but for quick automatic failover if one of my servers fails. Google does the same with 300 seconds, Yahoo has a TTL time of 760 seconds and Bing is also in the 700 seconds range.

And then I am not even talking about the NTP pool which distributes network time to millions of devices. The 3650 active IP addresses in the pool are added to and removed from the pool in a round-robin fashion to create some rudimentary form of load balancing, where DNS servers do the switching with TTL times of 150 seconds.

There is so much continuously switching DNS traffic on the internet that such a "small" spam operation is very difficult to notice.
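The two mechanisms discussed in this thread (lucy24's question about how a record can change every 5 minutes without anyone upstream noticing, and lammert's answer about NS caching versus short A-record TTLs) can be made concrete with a small script. The following is an added example written for this page, not code from any poster or from the Avalanche reporting. It assumes nothing beyond the TTL figures quoted above (an 86400-second delegation TTL and a 300-second A-record TTL); the passive-DNS records it scores are constructed sample data using documentation address ranges, not observations from the botnet. The second function goes a step beyond the thread by showing the churn heuristic a defender would apply to passive-DNS data, and why lammert's point about the NTP pool matters for it.

```python
"""Added example (not from the thread): a toy resolver cache and a passive-DNS
churn check. TTL values are the ones quoted in the thread; all records below
are constructed for illustration."""
from collections import defaultdict

NS_TTL = 86400   # delegation (NS) record cached for a day, as in lammert's setup
A_TTL = 300      # A record re-fetched every 5 minutes


def resolve_over_day(ns_ttl=NS_TTL, a_ttl=A_TTL, lookups_per_day=288, interval=300):
    """Simulate one caching resolver asking for the same name every `interval`
    seconds for a day. Returns (queries that reached the root/TLD for the NS
    delegation, queries that reached the operator's own authoritative server).
    This is why a 5-minute rotation is invisible upstream: the delegation is
    fetched once, and every rotation afterwards is served by the operator."""
    ns_expires = -1          # cache is empty at t=0
    a_expires = -1
    upstream_ns_queries = 0
    authoritative_a_queries = 0
    for i in range(lookups_per_day):
        now = i * interval
        if now >= ns_expires:                 # delegation expired: ask root/TLD
            upstream_ns_queries += 1
            ns_expires = now + ns_ttl
        if now >= a_expires:                  # A record expired: ask authoritative
            authoritative_a_queries += 1
            a_expires = now + a_ttl
    return upstream_ns_queries, authoritative_a_queries


# Constructed passive-DNS style records: (timestamp, name, type, ttl, rdata).
# Names and addresses are documentation values, not real observations.
SAMPLE_RECORDS = [
    # fast-flux style: short TTL, a new address in a different network each time
    (0,    "shop.example.net", "A", 300, "198.51.100.10"),
    (300,  "shop.example.net", "A", 300, "203.0.113.7"),
    (600,  "shop.example.net", "A", 300, "192.0.2.44"),
    (900,  "shop.example.net", "A", 300, "198.51.100.91"),
    (1200, "shop.example.net", "A", 300, "203.0.113.150"),
    # ordinary site: long TTL, stable address
    (0,     "www.example.org", "A", 86400, "192.0.2.10"),
    (43200, "www.example.org", "A", 86400, "192.0.2.10"),
    # failover setup like lammert's: short TTL but only two hosts in one /24
    (0,    "failover.example.com", "A", 300, "192.0.2.20"),
    (300,  "failover.example.com", "A", 300, "192.0.2.21"),
    (600,  "failover.example.com", "A", 300, "192.0.2.20"),
    # NTP-pool style round robin: short TTL, many hosts in many networks
    (0,    "pool.ntp.example", "A", 150, "198.51.100.1"),
    (150,  "pool.ntp.example", "A", 150, "203.0.113.2"),
    (300,  "pool.ntp.example", "A", 150, "192.0.2.3"),
    (450,  "pool.ntp.example", "A", 150, "198.51.101.4"),
    (600,  "pool.ntp.example", "A", 150, "203.0.114.5"),
]


def flux_report(records, max_ttl=600, min_ips=5, min_prefixes=3):
    """Score each name by how many distinct A addresses and distinct /24
    prefixes it showed with a TTL at or below `max_ttl`. A name is flagged
    when it exceeds both thresholds. Returns {name: (ips, prefixes, flagged)}.
    The /24 prefix is a cheap offline stand-in for 'different network'; a
    real pipeline would use ASN data. Thresholds are illustrative."""
    ips = defaultdict(set)
    prefixes = defaultdict(set)
    names = set()
    for _ts, name, rtype, ttl, rdata in records:
        names.add(name)
        if rtype != "A" or ttl > max_ttl:
            continue                          # long-TTL records cannot flux
        ips[name].add(rdata)
        prefixes[name].add(rdata.rsplit(".", 1)[0])
    report = {}
    for name in names:
        n_ip, n_pfx = len(ips[name]), len(prefixes[name])
        report[name] = (n_ip, n_pfx, n_ip >= min_ips and n_pfx >= min_prefixes)
    return report


if __name__ == "__main__":
    print("root/TLD queries, authoritative queries per day:", resolve_over_day())
    for name, (n_ip, n_pfx, flagged) in sorted(flux_report(SAMPLE_RECORDS).items()):
        print(f"{name:22s} ips={n_ip} prefixes={n_pfx} flagged={flagged}")
```

Run as a script it reports one delegation query against 288 authoritative queries for the day, which is lammert's point in numbers. The churn report flags the fast-flux name but not the two-host failover setup, because a short TTL alone is not suspicious; it does also flag the NTP-pool style name, which is the caveat the thread raises: legitimate round-robin pools and CDNs look the same on this axis, so a churn score is only a starting point that needs an allow-list or reputation data on the domain itself before it is worth an alert.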