Round robin
From Spamwiki
Definition
Round Robin DNS Load Balancing (also known as fast-flux) is a technique where a DNS server rotates through several server IP addresses. It holds a list of IP addresses and provides a different one for each successive request, returning to the first on the list after the last has been provided.
Strictly speaking, round robin is a load splitting technique, rather than load balancing.
How to recognize it
The simplest way to spot round robin DNS is to do periodic lookups of a group of nameservers and see whether the IP addresses of the nameservers change frequently. Some rotate as frequently as every 30 seconds, but typically they cycle at a rate of between 10 minutes and one day. See examples at SexyFriends and Premier Pharmacy.
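The periodic-lookup check described above can be run over a log of recorded lookups. The following is an added example, not part of the original wiki page; the hostnames, sample data and both thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import median

DAY = 86400  # the page gives one day as the slow end of typical rotation

def rotation_report(observations, min_distinct_ips=3, max_period=DAY):
    """observations: iterable of (unix_time, nameserver, ips) from periodic lookups.

    Per nameserver, returns distinct IPs seen, how many lookups differed from
    the previous one, the median seconds between changes, and a verdict.
    Both thresholds are assumptions of this example, not values from the page.
    """
    by_host = defaultdict(list)
    for ts, host, ips in observations:
        # frozenset: the same addresses returned in another order is no change
        by_host[host.lower().rstrip(".")].append((ts, frozenset(ips)))

    report = {}
    for host, rows in by_host.items():
        rows.sort(key=lambda r: r[0])
        seen, change_times = set(rows[0][1]), []
        for (_, prev), (ts, cur) in zip(rows, rows[1:]):
            seen |= cur
            if cur != prev:
                change_times.append(ts)
        gaps = [b - a for a, b in zip(change_times, change_times[1:])]
        period = median(gaps) if gaps else None
        report[host] = {
            "distinct_ips": len(seen),
            "changes": len(change_times),
            "median_period": period,
            "rotating": len(seen) >= min_distinct_ips
                        and period is not None and period <= max_period,
        }
    return report

# Constructed sample: lookups every 5 minutes, documentation IP ranges only.
SAMPLE = [
    (0,    "ns1.rotating.example", ["192.0.2.10"]),
    (300,  "ns1.rotating.example", ["192.0.2.10"]),
    (600,  "ns1.rotating.example", ["198.51.100.7"]),
    (900,  "ns1.rotating.example", ["198.51.100.7"]),
    (1200, "ns1.rotating.example", ["203.0.113.44"]),
    (1500, "ns1.rotating.example", ["203.0.113.44"]),
    (1800, "ns1.rotating.example", ["192.0.2.99"]),
    (0,    "ns1.stable.example",   ["192.0.2.53"]),
    (900,  "ns1.stable.example",   ["192.0.2.53"]),
    (1800, "NS1.stable.example.",  ["192.0.2.53"]),
]
```

The measured period can never be shorter than the lookup interval, so a rotation of 30 seconds is only visible if lookups are made at least that often.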
Why it is used
The main purpose of this technique is to balance the load on the nameservers by distributing requests for the domain to numerous geographically separated servers. This way, if there is a huge demand for the nameserver, the demand will be spread out over time among the various servers, rather than falling on just one.
Besides assuring a better load distribution, the technique has an additional benefit for spammers: it makes blacklisting more difficult, as the IP addresses are in constant flux (see fast-flux).
Where are the servers?
In the case of spam or botnets, the servers used in this scheme are frequently hijacked hosts.
Examples
Some nameservers that are using (or that have been seen to use) this technique are:
{ns1., ns2., ns3., ns4., ns5.}alltigersmine.net
{ns1., ns2., ns3., ns4., ns5.}gjgutjk.info
ns1.vtmcod.com
{ns01., ns02., ns03., ns04., ns05., ns06., ns07., ns08., ns09., ns10., ns11., ns12.}freenfltracker.com (part of the Storm Worm Attack)

