researchtoolssurveys Factory

REGISTER THE REGISTRAR

It's Monday, 2005-03-07, and time to confront another DNS root server abuser.

64.124.43.0 is #1 in F-root's PAO1 instance client subnet list. About half are classified as root-server.net queries, and the other half are "Other."

tcpdump:

21:50:46.381462 64.124.43.174.60201 > 192.5.5.241.53:  32381 A6? M.ROOT-SERVERS.NET. (36) (DF)
21:50:46.381738 64.124.43.174.60201 > 192.5.5.241.53:  8689 AAAA? M.ROOT-SERVERS.NET. (36) (DF)
21:50:46.382003 64.124.43.174.60201 > 192.5.5.241.53:  57393 A? M.ROOT-SERVERS.NET. (36) (DF)
21:50:46.382212 64.124.43.174.60201 > 192.5.5.241.53:  7454 A6? L.ROOT-SERVERS.NET. (36) (DF)
21:50:46.382462 64.124.43.174.60201 > 192.5.5.241.53:  50649 AAAA? L.ROOT-SERVERS.NET. (36) (DF)
21:50:46.382836 64.124.43.174.60201 > 192.5.5.241.53:  22887 A? L.ROOT-SERVERS.NET. (36) (DF)
21:50:46.383086 64.124.43.174.60201 > 192.5.5.241.53:  51870 A6? K.ROOT-SERVERS.NET. (36) (DF)
21:50:46.383336 64.124.43.174.60201 > 192.5.5.241.53:  20171 AAAA? K.ROOT-SERVERS.NET. (36) (DF)
21:50:46.383586 64.124.43.174.60201 > 192.5.5.241.53:  56246 A? K.ROOT-SERVERS.NET. (36) (DF)
21:50:46.383873 64.124.43.174.60201 > 192.5.5.241.53:  16339 A6? J.ROOT-SERVERS.NET. (36) (DF)
21:50:46.384101 64.124.43.174.60201 > 192.5.5.241.53:  29009 AAAA? J.ROOT-SERVERS.NET. (36) (DF)
21:50:46.384371 64.124.43.174.60201 > 192.5.5.241.53:  22179 A? J.ROOT-SERVERS.NET. (36) (DF)
21:50:46.384717 64.124.43.174.60201 > 192.5.5.241.53:  47357 A6? I.ROOT-SERVERS.NET. (36) (DF)
21:50:46.384960 64.124.43.174.60201 > 192.5.5.241.53:  35724 AAAA? I.ROOT-SERVERS.NET. (36) (DF)
21:50:46.385233 64.124.43.174.60201 > 192.5.5.241.53:  49742 A? I.ROOT-SERVERS.NET. (36) (DF)
21:50:46.385479 64.124.43.174.60201 > 192.5.5.241.53:  51389 A6? H.ROOT-SERVERS.NET. (36) (DF)
21:50:46.385719 64.124.43.174.60201 > 192.5.5.241.53:  31041 AAAA? H.ROOT-SERVERS.NET. (36) (DF)
21:50:46.386001 64.124.43.174.60201 > 192.5.5.241.53:  28242 A? H.ROOT-SERVERS.NET. (36) (DF)
21:50:46.386231 64.124.43.174.60201 > 192.5.5.241.53:  55560 A6? G.ROOT-SERVERS.NET. (36) (DF)
21:50:46.386586 64.124.43.174.60201 > 192.5.5.241.53:  48631 AAAA? G.ROOT-SERVERS.NET. (36) (DF)
21:50:46.386856 64.124.43.174.60201 > 192.5.5.241.53:  15939 A? G.ROOT-SERVERS.NET. (36) (DF)
21:50:46.387085 64.124.43.174.60201 > 192.5.5.241.53:  59251 A6? F.ROOT-SERVERS.NET. (36) (DF)
21:50:46.387336 64.124.43.174.60201 > 192.5.5.241.53:  30365 AAAA? F.ROOT-SERVERS.NET. (36) (DF)
21:50:46.387584 64.124.43.174.60201 > 192.5.5.241.53:  49837 A? F.ROOT-SERVERS.NET. (36) (DF)
21:50:46.387874 64.124.43.174.60201 > 192.5.5.241.53:  23024 A6? E.ROOT-SERVERS.NET. (36) (DF)
21:50:46.388212 64.124.43.174.60201 > 192.5.5.241.53:  42568 AAAA? E.ROOT-SERVERS.NET. (36) (DF)
21:50:46.388371 64.124.43.174.60201 > 192.5.5.241.53:  28350 A? E.ROOT-SERVERS.NET. (36) (DF)
21:50:46.388717 64.124.43.174.60201 > 192.5.5.241.53:  19371 A6? D.ROOT-SERVERS.NET. (36) (DF)
...
21:53:40.024650 64.124.43.173.35658 > 192.5.5.241.53:  31887 [1au] A6? pdns4.register.com. (47) (DF)
21:53:40.024841 64.124.43.173.35658 > 192.5.5.241.53:  23426 [1au] AAAA? pdns4.register.com. (47) (DF)
21:53:40.024880 64.124.43.173.35658 > 192.5.5.241.53:  50072 [1au] A? pdns4.register.com. (47) (DF)
21:53:40.024941 64.124.43.173.35658 > 192.5.5.241.53:  50777 [1au] A6? pdns3.register.com. (47) (DF)
21:53:40.025003 64.124.43.173.35658 > 192.5.5.241.53:  3691 [1au] AAAA? pdns3.register.com. (47) (DF)
21:53:40.025090 64.124.43.173.35658 > 192.5.5.241.53:  61737 [1au] A? pdns3.register.com. (47) (DF)
21:53:40.380565 64.124.43.174.60201 > 192.5.5.241.53:  29921 [1au] A6? pdns4.register.com. (47) (DF)
21:53:40.380776 64.124.43.174.60201 > 192.5.5.241.53:  47764 [1au] AAAA? pdns4.register.com. (47) (DF)
21:53:40.381006 64.124.43.174.60201 > 192.5.5.241.53:  31898 [1au] A? pdns4.register.com. (47) (DF)
21:53:40.381256 64.124.43.174.60201 > 192.5.5.241.53:  45035 [1au] A6? pdns3.register.com. (47) (DF)
21:53:40.381466 64.124.43.174.60201 > 192.5.5.241.53:  47048 [1au] AAAA? pdns3.register.com. (47) (DF)
21:53:40.381630 64.124.43.174.60201 > 192.5.5.241.53:  43905 [1au] A? pdns3.register.com. (47) (DF)
21:53:41.373299 64.124.43.174.60201 > 192.5.5.241.53:  59808 [1au] A6? pdns2.register.com. (47) (DF)
21:53:41.373549 64.124.43.174.60201 > 192.5.5.241.53:  5630 [1au] AAAA? pdns2.register.com. (47) (DF)
21:53:41.373799 64.124.43.174.60201 > 192.5.5.241.53:  40685 [1au] A? pdns2.register.com. (47) (DF)
21:53:41.374070 64.124.43.174.60201 > 192.5.5.241.53:  43936 [1au] A6? pdns1.register.com. (47) (DF)
21:53:41.374299 64.124.43.174.60201 > 192.5.5.241.53:  20212 [1au] AAAA? pdns1.register.com. (47) (DF)
21:53:41.374424 64.124.43.174.60201 > 192.5.5.241.53:  59230 [1au] A? pdns1.register.com. (47) (DF)

register.com? We've seen them before. Let's check whois just to make sure:

> whois -a 64.124.43.173
Abovenet Communications, Inc ABOVENET (NET-64-124-0-0-1)
                                  64.124.0.0 - 64.125.255.255
REGISTER.COM MFN-B580-64-124-43-160-28 (NET-64-124-43-160-1)
                                  64.124.43.160 - 64.124.43.175

> whois -a NET-64-124-43-160-1

CustName:   REGISTER.COM
Address:    575 8'th Ave
City:       New York
StateProv:  NY
PostalCode: 10018
Country:    US
RegDate:    2003-01-27
Updated:    2003-01-27

NetRange:   64.124.43.160 - 64.124.43.175
CIDR:       64.124.43.160/28
NetName:    MFN-B580-64-124-43-160-28
NetHandle:  NET-64-124-43-160-1
Parent:     NET-64-124-0-0-1
NetType:    Reassigned
Comment:    Abuse issues should be sent to rgardos@register.com,rroberto@register.com
RegDate:    2003-01-27
Updated:    2003-01-27

TechHandle: NOC41-ORG-ARIN
TechName:   AboveNet NOC
TechPhone:  +1-877-479-7378
TechEmail:  noc@above.net

OrgAbuseHandle: ABOVE-ARIN
OrgAbuseName:   AboveNet Abuse
OrgAbusePhone:  +1-877-479-7378
OrgAbuseEmail:  abuse@above.net

OrgNOCHandle: NOC41-ORG-ARIN
OrgNOCName:   AboveNet NOC
OrgNOCPhone:  +1-877-479-7378
OrgNOCEmail:  noc@above.net

OrgTechHandle: ABOVE1-ARIN
OrgTechName:   AboveNet Engineering
OrgTechPhone:  +1-877-479-7378
OrgTechEmail:  arin@above.net

Most of the contacts for this netblock are @above.net, but there is a helpful comment about sending abuse issues to addresses @register.com. I sent them a message:

To: rgardos@register.com, rroberto@register.com
Subject: excessive DNS queries from 64.124.43.174
Message-ID: <20050307145137.A68614@life-gone-hazy.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

Hi Register.com

I do research on DNS root server traffic.  Today one of your hosts, 64.124.43.174,
is ranked #1 in queries sent to F-root.  Can you tell me why it is sending these
same queries over and over?
...

Didn't take too long to get a reply:

This is the mail server at host mail89-ash-R.bigfish.com.

I wasn't able to deliver the message you sent to one or more 
destinations.

<rgardos@register.com>: host smtpa.register.com[216.21.229.220] said: 550
    unknown user (in reply to RCPT TO command)

<rroberto@register.com>: host smtpa.register.com[216.21.229.220] said: 550
    unknown user (in reply to RCPT TO command)

wow, shocking.

Let's see if we can find some other contact addresses.

> whois =register.com

   Domain Name: REGISTER.COM
   Registrar: REGISTER.COM, INC.
   Whois Server: whois.register.com
   Referral URL: http://www.register.com
   Name Server: DNS3.REGISTER.COM
   Name Server: DNS4.REGISTER.COM
   Name Server: DNS1.REGISTER.COM
   Name Server: DNS2.REGISTER.COM
   Status: REGISTRAR-LOCK
   Updated Date: 02-jul-2004
   Creation Date: 01-nov-1994
   Expiration Date: 04-aug-2009

Well, not much useful there. Maybe they have more info on their own whois server:

> whois -h whois.register.com register.com

   Administrative Contact, Technical Contact, Zone Contact:
      Register.Com, Inc.
      Domain Registrar
      575 Eighth Avenue, 11th Floor
      New York, NY 10018
      US
      Phone: 212-798-9200
      Fax..: 212-629-9305
      Email: domainregistrar@register.com

   Domain servers in listed order:

   DNS1.REGISTER.COM                                 216.21.234.71
   DNS2.REGISTER.COM                                 216.21.226.71
   DNS3.REGISTER.COM                                 216.21.234.72
   DNS4.REGISTER.COM                                 216.21.226.72

domainregistrar@register.com feels like it will reach the wrong people, if anyone. Let's look for ARIN contacts in their main DNS server address space:

> whois -a 216.21.234.71

TechHandle: CK296-ARIN
TechName:   Kleban, Chris
TechPhone:  +1-212-798-9100
TechEmail:  chris@register.com

OrgAbuseHandle: CUSTO-ARIN
OrgAbuseName:   Customer Service
OrgAbusePhone:  +1-800-899-9724
OrgAbuseEmail:  support@register.com

OrgNOCHandle: NOC207-ARIN
OrgNOCName:   Network Operations Center
OrgNOCPhone:  +1-902-749-2488
OrgNOCEmail:  ops@register.com

OrgTechHandle: NETWO55-ARIN
OrgTechName:   Network Engineering
OrgTechPhone:  +1-212-798-9100
OrgTechEmail:  neteng@register.com

ooh, these look more promising. However, chris@register.com also bounced, and I received no replies from their ops or neteng aliases. sigh.