This is a very clear example of what Fast-Flux Domains are.

In the ANSWER SECTION:

1) low TTL value (10 seconds)

2) IP addresses in different /16 networks

3) a different ASN for every IP address

4) a CNAME resolving to several IP addresses

dig 1476529054.xiazaidown.com

; <<>> DiG 9.9.5-9+deb8u7-Debian <<>> 1476529054.xiazaidown.com
...

;; ANSWER SECTION:
 1476529054.xiazaidown.com. 600    IN    CNAME    xzz.dns-vip.net.
 xzz.dns-vip.net.    10    IN    A    221.229.204.145
 xzz.dns-vip.net.    10    IN    A    59.45.79.75
 xzz.dns-vip.net.    10    IN    A    58.218.211.172
 xzz.dns-vip.net.    10    IN    A    61.172.246.236
 xzz.dns-vip.net.    10    IN    A    61.160.210.226

Looking for more NS-type information

An NS pointing to a CNAME (RFC 1034 says, "Domain names in RRs which point at another name should always point at the primary name and not the alias"):

dig -t ns 1476529054.xiazaidown.com

; <<>> DiG 9.9.5-9+deb8u7-Debian <<>> -t ns 1476529054.xiazaidown.com
 ...

;; ANSWER SECTION:
 1476529054.xiazaidown.com. 572    IN    CNAME    xzz.dns-vip.net.

;; AUTHORITY SECTION:
 dns-vip.net.        600    IN    SOA    ns1.dnsv5.com. enterprise3dnsadmin.dnspod.com. 1476625792 3600 180 1209600 180

So, by looking again at xzz.dns-vip.net we can see that it was pointing to the same IP addresses found the first time.

; <<>> DiG 9.9.5-9+deb8u7-Debian <<>> xzz.dns-vip.net
.....
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52226
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
 xzz.dns-vip.net.    9    IN    A    221.229.204.145
 xzz.dns-vip.net.    9    IN    A    59.45.79.75
 xzz.dns-vip.net.    9    IN    A    58.218.211.172
 xzz.dns-vip.net.    9    IN    A    61.172.246.236
 xzz.dns-vip.net.    9    IN    A    61.160.210.226

When a domain changes only the A-type records in the ANSWER SECTION we call it a Single-Flux domain; when a domain changes its IP addresses in both the ANSWER SECTION and the AUTHORITY SECTION (that is, the name servers flux as well) we call it a Double-Flux domain.

I have been reading a lot of papers since Holz et al. (Measuring and Detecting Fast-Flux Service Networks), and there are more than 20 distinct features just for single- and double-flux domains using active probing (when we send queries to a domain); for passive monitoring (using network sensors) the sky is the limit!
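As an added example (not from the original post), here is a small Python script that parses dig's ANSWER SECTION lines as shown above and scores the active-probing features from the list: low TTL, CNAME in front of several A records, and addresses scattered over distinct /16 networks. The ASN check needs an external lookup and is left out, and the thresholds are assumptions chosen for illustration.

```python
import ipaddress
from collections import namedtuple

# ANSWER SECTION lines copied from the dig output in the post (sample input for this example)
DIG_ANSWER = """\
1476529054.xiazaidown.com. 600 IN CNAME xzz.dns-vip.net.
xzz.dns-vip.net. 10 IN A 221.229.204.145
xzz.dns-vip.net. 10 IN A 59.45.79.75
xzz.dns-vip.net. 10 IN A 58.218.211.172
xzz.dns-vip.net. 10 IN A 61.172.246.236
xzz.dns-vip.net. 10 IN A 61.160.210.226
"""

RR = namedtuple("RR", "name ttl rtype rdata")

def parse_answer(text):
    """Parse 'name TTL IN TYPE rdata' lines (dig's presentation format) into RR tuples."""
    rrs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # skip comments, blank lines and anything that is not a resource record
        rrs.append(RR(parts[0], int(parts[1]), parts[3], " ".join(parts[4:])))
    return rrs

def flux_features(rrs, ttl_threshold=300, min_a=3, min_nets=3):
    """Heuristics from the post: low TTL, several A records (often behind a CNAME),
    and IPs spread over distinct /16 networks. Thresholds are illustrative assumptions."""
    a_rrs = [rr for rr in rrs if rr.rtype == "A"]
    nets16 = {ipaddress.ip_network(f"{rr.rdata}/16", strict=False) for rr in a_rrs}
    feats = {
        "min_ttl": min((rr.ttl for rr in a_rrs), default=None),
        "a_count": len(a_rrs),
        "distinct_16": len(nets16),
        "via_cname": any(rr.rtype == "CNAME" for rr in rrs),
    }
    feats["suspicious"] = (
        feats["a_count"] >= min_a
        and feats["min_ttl"] is not None and feats["min_ttl"] <= ttl_threshold
        and feats["distinct_16"] >= min_nets
    )
    return feats

if __name__ == "__main__":
    print(flux_features(parse_answer(DIG_ANSWER)))
```

For the answer above this reports a minimum TTL of 10, five A records in five distinct /16 networks, reached through a CNAME, so the record set is flagged.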
