[ repost: obfuscating domains to avoid the apache.org SMTP filter... ]

Hi John,

John Rudd wrote:

> I'm a prophet now!?

:-)

> Hm. So, I'm sure I can figure this out eventually, but does anyone know the right Net::DNS way to extract the TTL?
>
> I could probably set it up as a value in Botnet.cf, where the default is 0 (disabled), but other values will trigger some rule's score if it's less than the number that was set.
>
> And, it shouldn't be too hard for me to write a test for the number of A records returned by a domain.
>
> I probably won't make them part of the BOTNET rule, but make them separate BOTNET_* rules (BOTNET_TTL and BOTNET_NUM_ARECS ?).

A better and more reliable way than simply looking at the TTL is to
count the number of A and NS records returned for the URI.  Based on the
Honeynet paper and my testing you'll always see a number of these
(usually >=4) for example:

[EMAIL PROTECTED] ~]# host khk15tr30ib5tl . afstrikesbut . com
khk15tr30ib5tl . afstrikesbut . com is an alias for afstrikesbut . com .
afstrikesbut . com has address 220 . 84 . 183 . 184
afstrikesbut . com has address 71 . 239 . 64 . 172
afstrikesbut . com has address 74 . 213 . 64. 116
afstrikesbut . com has address 86 . 49 . 102 . 161
afstrikesbut . com has address 89 . 176 . 134 . 27
afstrikesbut . com has address 203 . 81 . 193 . 254
afstrikesbut . com has address 203 . 203 . 118 . 48
afstrikesbut . com has address 217 . 70 . 53 . 126

Then lookup the PTR records and you can check them against the
CLIENTWORDS list:

[EMAIL PROTECTED] ~]# host 203 . 81 . 193 . 254
Host 254 . 193 . 81 . 203 . in-addr.arpa not found: 3(NXDOMAIN)
[EMAIL PROTECTED] ~]# host 203 . 203 . 118 . 48
48 . 118 . 203 . 203 . in-addr.arpa domain name pointer 203-203-118-48. cable .dynamic .giga .net .tw.
[EMAIL PROTECTED] ~]# host 217 . 70 . 53 . 126
126 . 53 . 70 . 217 .in-addr.arpa domain name pointer g126 . zicom . pl.
[EMAIL PROTECTED] ~]# host 220 . 84 . 183 . 184
Host 184 . 183 . 84 . 220.in-addr.arpa not found: 3(NXDOMAIN)
[EMAIL PROTECTED] ~]# host 71 . 239 . 64 . 172
Host 172 . 64 . 239 . 71.in-addr.arpa not found: 3(NXDOMAIN)
[EMAIL PROTECTED] ~]# host 71 . 213 . 64 . 116
116 . 64 . 213 . 71.in-addr.arpa domain name pointer 71-213-64-116 .slkc . qwest . net.
[EMAIL PROTECTED] ~]# host 89 . 176 . 134 . 27
27 . 134 . 176 . 89.in-addr.arpa domain name pointer rb5g27 .net .upc .cz.

And/or Spamhaus Zen:

[EMAIL PROTECTED] ~]# host 126 . 53 . 70 . 217.zen.spamhaus.org
126 . 53 . 70 . 217.zen.spamhaus.org has address 127.0.0.4

Same with the NS records:

ns1. hardtomakeforliving . com. 13727 IN   A       62 .129.34.86
ns2. hardtomakeforliving . com. 13727 IN   A       89 .103.117.20
ns3. hardtomakeforliving . com. 13727 IN   A       200 .147.164.37
ns4. hardtomakeforliving . com. 13727 IN   A       151 .118.144.136
ns5. hardtomakeforliving . com. 75945 IN   A       89 .229.248.242

[EMAIL PROTECTED] ~]# host 62 .129.34.86
86 .34.129.62.in-addr.arpa domain name pointer 1048650326 .ip2long. net.
[EMAIL PROTECTED] ~]# host 89 .103.117.20
20 .117.103.89.in-addr.arpa domain name pointer ip-89-103-117-20. karneval.cz.
[EMAIL PROTECTED] ~]# host 200 .147.164.37
Host 37 .164.147.200.in-addr.arpa not found: 3(NXDOMAIN)
[EMAIL PROTECTED] ~]# host 151 .118.144.136
136.144.118.151.in-addr.arpa domain name pointer VDSL-151-118-144-136. DNVR. QWEST. NET.
[EMAIL PROTECTED] ~]# host 89 .229.248.242
242.248.229.89.in-addr.arpa domain name pointer host-89-229-248-242. grudziadz .mm. pl.

I've been doing this for a bit in some software that I have been working
on and it seems to work quite well.

Kind regards,
Steve.
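The checks Steve walks through above (count the A and NS records behind a URI's host, look up the PTR of every address and match it against a client-words list, query Spamhaus Zen), together with the TTL test John asked about, as an added worked example that is not part of the original thread and not the Botnet plugin's Perl code. It is written in Python rather than Perl/Net::DNS. The resolver is a stub over a constructed, embedded snapshot (RFC 5737 addresses, `.example` names) so the script runs offline and resolves nothing real; the thresholds, the `CLIENTWORDS` pattern and the `BOTNET_*` rule names are assumptions (the names follow John's proposed naming, but they are not actual plugin rules).

```python
"""Worked example of the checks in the post: count a domain's A and NS records, inspect the
PTR names of those addresses for consumer ("client") words, and query Spamhaus Zen.  Added Python
example, not the Perl Botnet plugin's code; all DNS data is a constructed offline snapshot."""
import ipaddress
import re
from dataclasses import dataclass, field

MIN_FLUX_A, MIN_FLUX_NS, LOW_TTL = 4, 4, 300   # assumed thresholds (the post says "usually >=4")
# Same idea as the plugin's CLIENTWORDS list; this particular list is assumed, not the plugin's.
CLIENTWORDS = re.compile(r"dynamic|cable|dsl|dial|pool|ppp|dhcp|\bhost-|\bip-|\d+-\d+-\d+-\d+", re.I)
# Spamhaus Zen return codes: 127.0.0.2 SBL, .3 CSS, .4-.7 XBL, .10-.11 PBL
ZEN_CODES = {"127.0.0.2": "SBL", "127.0.0.3": "CSS", "127.0.0.10": "PBL", "127.0.0.11": "PBL",
             **{f"127.0.0.{i}": "XBL" for i in range(4, 8)}}

# Constructed snapshot (RFC 5737 addresses, .example names): (qname, qtype) -> [(rdata, ttl), ...].
# An absent key means NXDOMAIN / no data.
SNAPSHOT = {
    ("khk15tr30ib5tl.flux.example", "CNAME"): [("flux.example", 60)],
    ("flux.example", "A"): [(ip, 60) for ip in ("192.0.2.10", "198.51.100.23", "203.0.113.7",
                                                "192.0.2.200", "198.51.100.99")],
    ("flux.example", "NS"): [(f"ns{i}.flux.example", 13727) for i in range(1, 5)],
    **{(f"ns{i}.flux.example", "A"): [(ip, 13727)] for i, ip in enumerate(
        ("203.0.113.45", "192.0.2.77", "198.51.100.140", "203.0.113.201"), 1)},
    ("10.2.0.192.in-addr.arpa", "PTR"): [("192-0-2-10.cable.dynamic.isp.example", 3600)],
    ("23.100.51.198.in-addr.arpa", "PTR"): [("ip-198-51-100-23.dsl.example", 3600)],
    ("200.2.0.192.in-addr.arpa", "PTR"): [("host-192-0-2-200.pool.example", 3600)],
    ("45.113.0.203.in-addr.arpa", "PTR"): [("vdsl-203-0-113-45.dnvr.example", 3600)],
    ("77.2.0.192.in-addr.arpa", "PTR"): [("rb5g77.net.example", 3600)],
    # the other four addresses have no PTR; two of them are listed in Zen
    ("7.113.0.203.zen.spamhaus.org", "A"): [("127.0.0.4", 300)],
    ("99.100.51.198.zen.spamhaus.org", "A"): [("127.0.0.4", 300), ("127.0.0.11", 300)],
    # benign control: one web server, two name servers, proper PTRs, nothing listed
    ("www.corp.example", "A"): [("192.0.2.1", 86400)],
    ("corp.example", "NS"): [("ns1.corp.example", 86400), ("ns2.corp.example", 86400)],
    ("ns1.corp.example", "A"): [("192.0.2.2", 86400)],
    ("ns2.corp.example", "A"): [("198.51.100.2", 86400)],
    ("1.2.0.192.in-addr.arpa", "PTR"): [("www.corp.example", 86400)],
    ("2.2.0.192.in-addr.arpa", "PTR"): [("ns1.corp.example", 86400)],
    ("2.100.51.198.in-addr.arpa", "PTR"): [("ns2.corp.example", 86400)],
}

def lookup(qname, qtype, snapshot=SNAPSHOT):
    """Resolver stub; swap in a real resolver for live use.  [] means no data or NXDOMAIN."""
    return snapshot.get((qname.rstrip(".").lower(), qtype), [])

def resolve_a(name, lookup=lookup):
    """A RRs for name, following up to 5 CNAMEs (the post's host is an alias of the flux domain)."""
    for _ in range(5):
        rrs, cname = lookup(name, "A"), lookup(name, "CNAME")
        if rrs or not cname:
            return rrs
        name = cname[0][0]
    return []

def find_ns(name, lookup=lookup):
    """NS lives at the zone apex, so walk up the name until an NS RRset appears."""
    labels = name.rstrip(".").split(".")
    rrsets = (lookup(".".join(labels[i:]), "NS") for i in range(len(labels) - 1))
    return next((rrs for rrs in rrsets if rrs), [])

@dataclass
class FluxReport:
    domain: str
    a_records: list = field(default_factory=list)
    ns_records: list = field(default_factory=list)
    ptrs: dict = field(default_factory=dict)   # ip -> PTR name, or None when there is none
    zen: dict = field(default_factory=dict)    # ip -> Zen list names
    flags: list = field(default_factory=list)  # BOTNET_*-style names; assumed, not plugin rules

def check_domain(domain, lookup=lookup):
    """Run the post's checks on one domain and collect the rule names that fire."""
    rep = FluxReport(domain)
    a_rrs, ns_rrs = resolve_a(domain, lookup), find_ns(domain, lookup)
    rep.a_records = [ip for ip, _ in a_rrs]
    rep.ns_records = [ns for ns, _ in ns_rrs]
    ns_ips = [ip for ns in rep.ns_records for ip, _ in lookup(ns, "A")]
    if len(rep.a_records) >= MIN_FLUX_A:
        rep.flags.append("BOTNET_NUM_ARECS")
    if len(rep.ns_records) >= MIN_FLUX_NS:
        rep.flags.append("BOTNET_NUM_NSRECS")
    if a_rrs and min(ttl for _, ttl in a_rrs) < LOW_TTL:
        rep.flags.append("BOTNET_TTL")
    for ip in rep.a_records + ns_ips:   # the post checks the NS addresses the same way
        rp = ipaddress.ip_address(ip).reverse_pointer        # e.g. "10.2.0.192.in-addr.arpa"
        ptr = lookup(rp, "PTR")
        rep.ptrs[ip] = ptr[0][0] if ptr else None
        zen = lookup(rp.replace("in-addr.arpa", "zen.spamhaus.org"), "A")
        if zen:
            rep.zen[ip] = sorted({ZEN_CODES.get(code, code) for code, _ in zen})
    client_like = sum(1 for p in rep.ptrs.values() if p is None or CLIENTWORDS.search(p))
    if client_like * 2 > len(rep.ptrs):      # majority missing or consumer-looking reverse names
        rep.flags.append("BOTNET_CLIENT_PTR")
    if rep.zen:
        rep.flags.append("BOTNET_ZEN")
    return rep

if __name__ == "__main__":
    for d in ("khk15tr30ib5tl.flux.example", "www.corp.example"):
        print(d, check_domain(d).flags)
```

For live use, replace `lookup` with any function of the same shape that returns `(rdata, ttl)` pairs from a real resolver; everything else stays the same. Two design points worth noting: NS records are looked up by walking up to the zone apex rather than on the exact host name, since a flux host such as the `khk15tr30ib5tl` alias above has none of its own, and the PTR/Zen loop covers the name server addresses as well as the A records, which is where the post finds the consumer-ISP reverse names that give the botnet away even when the TTL looks ordinary.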
