the domains .in and .at used in fast flux botnets

There are also the .ru and .cn domain extensions, but I don't think those will be blocked by their domain extension managers any time soon. The same goes for the .net, .com and .org domain names. If they change their mind they could contact Arbor Networks.

Why

Because at the beginning of this year, when the .be domain name was used or tested by the operators of the fast-flux botnets (in which the IP address and the location change every time while only the domain name stays the same, so it makes no sense to try to get the server taken down), it was a drastic but effective coordinated action by the FCCU, the magistrate and the DNS responsible for the .be domain name that got those names blocked quickly at the root level. The reason is that the domains were either registered with fraudulent addresses or used for fraudulent, illegal activities, and under our commercial and cybercrime laws those domains could be blocked immediately. The conditions of use of DNS.Be also gave dns.be the possibility to do so when instructed by the justice department.

The .at and .in domain extension managers should look into this and ask themselves whether they will let the problem continue and grow (and end up on the same blacklist as .ru and .cn for anyone who doesn't need those extensions extensively) or whether they will act and preserve the trust in their domain extension.

Start by getting in contact with Arbor Networks.

Check the listings often.

Have a process for handling such cases quickly (a standard form for the magistrate from the police/cyberpolice, with the standard proof from the web and from the registration) and block the domain at the root DNS of your domain extension. They will keep trying now and then, but if you follow up they will just move on until they find another domain extension that doesn't have such processes.

Oh yes, and if you find 10 domains registered by the same person, you should block them all, even if they were not all used, because if 5 were used for phishing then the other five will not be used for legitimate purposes.
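The two defender-side checks the post describes, spotting a domain whose answers keep changing host and network while the name stays the same, and extending a block to every domain registered by the same contact, as an added Python example (not code from the original post, and not from any registry or from Arbor Networks). The observation format, the flux thresholds and the registrant mapping are all assumptions; the DNS answers, AS numbers and registrant contacts are constructed sample data using documentation address ranges.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """One answer seen for a domain's A record (constructed format, an assumption)."""
    domain: str
    ip: str
    ttl: int   # seconds the resolver was told to cache the answer
    asn: int   # autonomous system the IP was routed from (constructed values)


# Constructed sample observations: documentation IP ranges and private ASNs only.
# flux-example.test answers from six hosts in three networks with 60 s TTLs;
# static-example.test always answers the same host with a one-hour TTL.
OBSERVATIONS = [
    Observation("flux-example.test", "192.0.2.11", 60, 64496),
    Observation("flux-example.test", "198.51.100.23", 60, 64497),
    Observation("flux-example.test", "203.0.113.7", 60, 64498),
    Observation("flux-example.test", "192.0.2.58", 60, 64496),
    Observation("flux-example.test", "198.51.100.91", 60, 64497),
    Observation("flux-example.test", "203.0.113.140", 60, 64498),
    Observation("static-example.test", "198.51.100.10", 3600, 64499),
    Observation("static-example.test", "198.51.100.10", 3600, 64499),
    Observation("other-example.test", "203.0.113.20", 120, 64500),
    Observation("other-example.test", "203.0.113.21", 120, 64500),
]

# Constructed registrant contacts per domain (what a registry would hold).
REGISTRANTS = {
    "flux-example.test": "registrant-a@example.invalid",
    "flux-sibling.test": "registrant-a@example.invalid",
    "static-example.test": "registrant-b@example.invalid",
    "other-example.test": "registrant-c@example.invalid",
}


def domain_stats(observations):
    """Aggregate per domain: distinct IPs, distinct ASNs and the smallest TTL seen."""
    ips = defaultdict(set)
    asns = defaultdict(set)
    min_ttl = {}
    for obs in observations:
        ips[obs.domain].add(obs.ip)
        asns[obs.domain].add(obs.asn)
        min_ttl[obs.domain] = min(obs.ttl, min_ttl.get(obs.domain, obs.ttl))
    return {
        d: {"ips": len(ips[d]), "asns": len(asns[d]), "min_ttl": min_ttl[d]}
        for d in ips
    }


def fast_flux_domains(observations, min_ips=5, min_asns=3, max_ttl=300):
    """Domains whose answers churn across many hosts and networks with short TTLs.

    The thresholds are assumptions chosen to fit this sample, not published values;
    a real deployment tunes them against its own resolver data.
    """
    stats = domain_stats(observations)
    return sorted(
        d for d, s in stats.items()
        if s["ips"] >= min_ips and s["asns"] >= min_asns and s["min_ttl"] <= max_ttl
    )


def expand_block_list(flagged, registrants):
    """Add every domain registered by the same contact as a flagged domain."""
    contacts = {registrants[d] for d in flagged if d in registrants}
    return sorted(set(flagged) | {d for d, c in registrants.items() if c in contacts})


if __name__ == "__main__":
    flagged = fast_flux_domains(OBSERVATIONS)
    print("fast-flux candidates:", flagged)
    print("proposed block list:", expand_block_list(flagged, REGISTRANTS))
```

Running the script flags only flux-example.test, and the registrant expansion then pulls in flux-sibling.test because it shares the same contact, which is exactly the "block all ten" rule above. The other two domains stay untouched: one never changes its answer, the other changes it but not across enough hosts or networks to look like flux.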

It is effective: aside from one or two new trials, we haven't seen any .be domains in the list of fast-flux domains in 2009 after the first reaction.
