


Inside the DOJ's domain name graveyards

Added June 01, 2011 @ 7:40 pm






Between November 2010 and May 2011, the US Department of Justice (DOJ), under many banners including U.S. Immigration and Customs Enforcement (ICE) and the Federal Bureau of Investigation (FBI), seized over 140 domain names from sites allegedly engaged in the "illegal sale and distribution of counterfeit goods and copyrighted works" or other illegal activities.



But what exactly happens when domains are seized in such a manner? How is it done, and where do they end up? This article provides insight into the takedown process as well as a unique look into the DOJ's domain name graveyard.



How is it done?

In order to take down a domain name, the United States Government needs to take in rem action against the domain names. This basically means that they are applying to seize property (the domain name) that is directly used in criminal activities.



Once this order is obtained, the authorities must send a request to the registrar responsible for the top level domain (TLD) in question to take specific actions against the domain names in question. In most of the cases seen to date, this registrar has been VeriSign. The registrar is then compelled to take the documented action against the domain names.



The actions taken by the registrar are as follows:



1. Set the following flags on all domain names to prevent the owner or the registrar from modifying the domain's details:

Status: clientDeleteProhibited

Status: clientTransferProhibited

Status: clientUpdateProhibited

Status: serverDeleteProhibited

Status: serverTransferProhibited

Status: serverUpdateProhibited

2. Update the name servers of the domain to the name servers specified by the relevant authority in the takedown request.



To date, the name servers identified on seized domains have been one of the following combinations:

NS1.CIRFU.NET and NS2.CIRFU.NET - Name servers for the FBI's Cyber Initiative and Resource Fusion Unit.

NS1.SEIZEDSERVERS.COM and NS2.SEIZEDSERVERS.COM - These name servers appear to be managed by government contractor "immixGroup IT solutions" on servers hosted with "CaroNet Managed Hosting".

Or alternatively, name servers are registered as ns1.<seized-domain>.com and ns2.<seized-domain>.com that point to a server under the control of "ShadowServer.org", an organization whose mission is to "help put a stop to high stakes cybercrime in the information age".



Once these name server changes are in place, these domains will start to resolve to one of two servers controlled by the parties above:

74.81.170.110

74.208.15.160

Inside the DOJ's domain name graveyards

As we now know the IP addresses of the servers used to store these seized domains and ultimately display the seizure notice, using ViewDNS.info's Reverse IP Lookup tool it is possible to take a peek inside the final resting place for these domains. This tool shows all domain names hosted on a given IP address.
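The three observable marks of a seizure described above (the six EPP lock statuses, the name server change, and resolution to one of the two notice servers) can be checked mechanically against a WHOIS record and an A record. The script below is an added example, not ViewDNS.info code or any tool from the article. It assumes WHOIS output in the simple "Key: value" line format used above, the WHOIS samples and the `A_RECORDS` map are constructed (the EXAMPLE-* domain names and the 203.0.113.10 address are placeholders), and the seizure name servers and IPs are exactly the ones the article lists. It also carries the caveat a practitioner needs: the lock statuses on their own are common (registrar and registry locks), and the ns1.<domain>/ns2.<domain> pattern is used by plenty of legitimate domains, so neither is treated as conclusive without a pointer to the seizure infrastructure.

```python
"""Check a WHOIS record for the fingerprint of a domain seizure (added example).

Assumptions: WHOIS text is 'Domain Name:' / 'Status:' / 'Name Server:' lines as
shown in the article; the seizure name servers and IP addresses are those the
article lists; all sample records and A records below are constructed.
"""
import re
from dataclasses import dataclass

# The six EPP status codes the article says are set on every seized name.
SEIZURE_LOCKS = frozenset({
    "clientDeleteProhibited", "clientTransferProhibited", "clientUpdateProhibited",
    "serverDeleteProhibited", "serverTransferProhibited", "serverUpdateProhibited",
})
# Name servers the article identifies on seized domains (lower-cased for comparison).
SEIZURE_NAME_SERVERS = frozenset({
    "ns1.cirfu.net", "ns2.cirfu.net",
    "ns1.seizedservers.com", "ns2.seizedservers.com",
})
# The two seizure-notice servers named in the article.
SEIZURE_IPS = frozenset({"74.81.170.110", "74.208.15.160"})


@dataclass
class WhoisRecord:
    domain: str
    statuses: frozenset
    name_servers: tuple


_FIELD = re.compile(r"^\s*(Domain Name|Status|Name Server):\s*(\S+)\s*$", re.IGNORECASE)


def parse_whois(text: str) -> WhoisRecord:
    """Extract the domain, its status codes and its name servers from WHOIS lines."""
    domain, statuses, servers = "", set(), []
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue                       # ignore registrar boilerplate lines
        key, value = m.group(1).lower(), m.group(2)
        if key == "domain name":
            domain = value.lower()
        elif key == "status":
            statuses.add(value)            # keep case: EPP codes are mixed case
        else:
            servers.append(value.lower())
    return WhoisRecord(domain, frozenset(statuses), tuple(servers))


def seizure_indicators(rec: WhoisRecord, a_records: dict) -> dict:
    """Evaluate the record against the three signs of a seizure from the article.

    a_records maps a domain name to the IPv4 address it currently resolves to.
    """
    full_lock = SEIZURE_LOCKS <= rec.statuses
    known_ns = any(ns in SEIZURE_NAME_SERVERS for ns in rec.name_servers)
    # ns1.<domain>/ns2.<domain> (the ShadowServer variant): suggestive only,
    # because many legitimate domains host their own name servers this way.
    self_hosted_ns = bool(rec.name_servers) and all(
        ns.endswith("." + rec.domain) for ns in rec.name_servers)
    resolves_to_notice = a_records.get(rec.domain) in SEIZURE_IPS
    return {
        "full_lock": full_lock,
        "known_seizure_ns": known_ns,
        "self_hosted_ns": self_hosted_ns,
        "resolves_to_notice_server": resolves_to_notice,
        # Locks alone are routine (registrar/registry locks), so require a
        # pointer to the seizure infrastructure before calling it a seizure.
        "likely_seized": full_lock and (known_ns or resolves_to_notice),
    }


# --- constructed sample data (not real seized domains) ---
LOCKS_BLOCK = "\n".join(f"Status: {s}" for s in sorted(SEIZURE_LOCKS))
SEIZED_SAMPLE = f"Domain Name: EXAMPLE-SEIZED.COM\n{LOCKS_BLOCK}\n" \
                "Name Server: NS1.CIRFU.NET\nName Server: NS2.CIRFU.NET\n"
LOCKED_SAMPLE = f"Domain Name: EXAMPLE-LOCKED.NET\n{LOCKS_BLOCK}\n" \
                "Name Server: NS1.EXAMPLE-LOCKED.NET\nName Server: NS2.EXAMPLE-LOCKED.NET\n"
SHADOW_SAMPLE = f"Domain Name: EXAMPLE-SHADOW.COM\n{LOCKS_BLOCK}\n" \
                "Name Server: NS1.EXAMPLE-SHADOW.COM\nName Server: NS2.EXAMPLE-SHADOW.COM\n"
A_RECORDS = {                              # constructed: domain -> resolved address
    "example-seized.com": "74.81.170.110",
    "example-locked.net": "203.0.113.10",  # placeholder address, not a notice server
    "example-shadow.com": "74.208.15.160",
}

if __name__ == "__main__":
    for sample in (SEIZED_SAMPLE, LOCKED_SAMPLE, SHADOW_SAMPLE):
        rec = parse_whois(sample)
        print(rec.domain, seizure_indicators(rec, A_RECORDS))
```

Run as-is it reports the first and third constructed records as likely seized and the second, which carries every lock but points at a placeholder address, as merely locked. In practice the WHOIS text and the A record would come from a live lookup, and the lists of seizure name servers and IPs should be treated as a snapshot of what the article observed rather than a complete inventory.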



Below is the output of this tool for the first of the IP addresses listed above.







View full Reverse IP Lookup for 74.81.170.110

View full Reverse IP Lookup for 74.208.15.160



Thanks to the unique view provided by the Reverse IP Lookup tool, it is possible to shed some light on the true scale of activity currently being undertaken by the DOJ to stamp out illegal activities online, as well as view a definitive list of domains now in the control of the DOJ.



Data from this tool is constantly updated and is arguably one of the best single views of the domains that have been seized by the DOJ. Keep checking these IP addresses for new additions; you might just catch the latest seized domain before the media!






Do you have an idea for other research that can be conducted using tools provided by ViewDNS.info? Please send in your ideas!



