Sunday, August 06, 2006

Domain Kiting - how many hosts fit on one IP?

Bob Parsons wrote about domain kiting in his noteworthy blog (see http://www.bobparsons.com/DomainKiting.html), and I thought it should be possible to identify kited domains easily by querying Serversniff.net's host database: a kited domain, I thought, will share its IP with many, many other hosts. So I started gathering a list of known IPs sorted by the count of known hostnames living on each IP. I ended up with the following list:

Known hostnames | IP
---------------------
142643 | 194.159.245.16
132972 | 64.72.112.11
123455 | 127.0.0.1
59117 | 67.108.253.121
46819 | 66.165.220.18
40765 | 213.29.7.212
36617 | 70.84.80.195
34971 | 81.94.227.213
32697 | 219.153.13.42
32415 | 203.36.59.60
31617 | 134.58.241.14
29830 | 66.102.15.101
29142 | 209.163.113.99
27024 | 217.76.128.34
25405 | 70.84.48.227
23997 | 212.227.34.3
22636 | 70.85.132.35
19653 | 209.249.170.10
19553 | 216.200.145.43
19543 | 216.200.145.44
19168 | 209.185.12.47
19036 | 195.117.6.10
18994 | 70.86.121.3
18387 | 66.220.2.7
18311 | 66.220.2.9
17638 | 211.239.151.191
17459 | 61.142.254.216
17360 | 66.98.195.129
17132 | 205.178.189.131
17018 | 203.74.57.13
16961 | 82.208.4.213
16677 | 65.98.98.75
16253 | 70.86.143.154
15815 | 134.58.126.198
15807 | 134.58.126.199
13998 | 209.25.170.64
13952 | 64.202.189.170
13597 | 213.29.7.211
13565 | 217.116.0.144
13142 | 213.21.186.51
13131 | 65.98.98.59
12883 | 213.4.134.161
12711 | 213.239.203.47
12458 | 207.217.96.28
12444 | 207.217.96.29
12439 | 207.217.96.30
12437 | 207.217.96.32
12437 | 207.217.96.31
12436 | 207.217.96.33

So the hostnames hosted at 127.0.0.1 might not be kited, but what about the rest? Take the impressive figure for 64.72.112.11, for example: 132972 hostnames. Kited? No, not at all. Whatever host and domain name we checked on this domain was not kited, not even parked, but operational. There might be a load balancer behind it, but I still find this count of hostnames for one single IP impressive.

Checking the other hosts, we found a lot of parked and not too many kited domains. By explicitly checking known kited domain names like namenddomain.com, we found that most kited domains live together with parked domain names on one host, often with as few as 4,000 known hostnames for that particular IP. But still: on the named IPs you might (or might not) find a lot of kited domains. If you bring a few minutes of patience, you can use the "host-on-ip" function on http://serversniff.net to check these IPs for the hostnames living there.
Restart your query if you don't get an answer after about a minute; it will be faster then, because the database has stuff in its cache.

tom
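
The two lookups described in the post (ranking IPs by how many known hostnames live on them, and starting from a known hostname to see what shares its IP), as an added Python example that is not part of the original post or Serversniff's code. The record layout, function names and sample data are assumptions; the sample uses constructed hostnames on documentation-range addresses.

```python
import ipaddress
from collections import defaultdict

# Constructed sample (hostname, IP) pairs; not real Serversniff data.
SAMPLE_RECORDS = [
    ("a.example.com", "192.0.2.10"),
    ("b.example.com", "192.0.2.10"),
    ("B.example.com.", "192.0.2.10"),      # same host, different spelling
    ("c.example.net", "192.0.2.10"),
    ("parked1.example.org", "198.51.100.7"),
    ("kited.example.org", "198.51.100.7"),
    ("localhost.example.com", "127.0.0.1"),
    ("dev.example.net", "127.0.0.1"),
    ("test.example.net", "127.0.0.1"),
    ("solo.example.com", "192.0.2.99"),
]


def _norm_host(host):
    """Lower-case and drop the trailing root dot so duplicates collapse."""
    return host.strip().lower().rstrip(".")


def hosts_per_ip(records):
    """Map each IP (canonical text form) to the set of distinct hostnames on it."""
    by_ip = defaultdict(set)
    for host, ip in records:
        by_ip[str(ipaddress.ip_address(ip.strip()))].add(_norm_host(host))
    return by_ip


def rank_shared_ips(records, min_hosts=2, skip_loopback=True):
    """Return [(hostname_count, ip)] sorted by count, highest first.

    Loopback is skipped by default: hostnames resolving to 127.0.0.1 share
    an address without sharing a server, so they say nothing about hosting.
    """
    ranked = []
    for ip, hosts in hosts_per_ip(records).items():
        if skip_loopback and ipaddress.ip_address(ip).is_loopback:
            continue
        if len(hosts) >= min_hosts:
            ranked.append((len(hosts), ip))
    return sorted(ranked, key=lambda row: (-row[0], row[1]))


def neighbours_of(records, known_host):
    """Start from a known hostname: return {ip: other hostnames on that IP}."""
    key = _norm_host(known_host)
    return {ip: sorted(hosts - {key})
            for ip, hosts in hosts_per_ip(records).items() if key in hosts}
```

As the post found, a high count alone does not separate kited from parked or operational hosts, so the ranking is only a starting point for manual checks.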