Criminals tend to develop habits. Of course, that is true of anybody; we all develop habits. But cyber criminals develop theirs out of necessity, in the hope of avoiding being caught for the sneaky activities they are pulling. Some of these habits include locking down their servers and making sure their IP addresses do not give away their private information.
They will also try their best to avoid using certain domain names.
If you are in charge of protecting a network, there is a good chance you have read the logs on your servers, especially after an attack of some kind. If you really take a look, you will notice that a lot of these attacks come from certain domain names, and very few of those names carry the familiar .com or .net endings.
They are more likely to be of the .ru and .ch variety. Lately you are also starting to see more attacks coming from the old-school .su ending. The .su ending stands for Soviet Union, and even though the Soviet Union is no longer around, there is still a set of .su domains that can be purchased.
So when you are looking to see whether the bad guys are invading your server, it is a good idea to check whether any of these domain endings are popping up. While many of those domains will be owned by people from the country in question, not all of them will be. Plenty of them are bought by people who do not live there, because it is easier to hide their true identity behind these domain names, and because they come with fewer rules than other domain names might. When the bad guys on the internet are trying to get away with a crime, buying a foreign domain for its benefits is the least they will do.
If you are trying to protect your network, make sure you look at all of the clues in the logs. One of the clues you should check for is the domain ending of the source of the attacks.
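As an added example (not code from the original post), here is a small Python script that does the check the post describes: it parses web server log lines in the Apache "combined" format, pulls the hostname out of each referrer, and tallies requests by top-level domain, flagging the endings the post singles out. The log lines, the IP addresses and the hostnames are constructed sample data; the watch list is an assumption you would tune to your own environment, and a TLD match on its own is a weak signal that should be read together with the rest of the log line (the request path, the status code, the repeat count per client).

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" format (not from the original post).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512 "http://promo.example.ru/" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:40 +0000] "POST /api/ping HTTP/1.1" 403 221 "http://tracker.example.su/x" "curl/7.68.0"
192.0.2.44 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "https://www.example.com/" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:05 +0000] "GET /login HTTP/1.1" 200 512 "http://promo.example.ru/" "Mozilla/5.0"
192.0.2.45 - - [10/Oct/2023:13:56:10 +0000] "GET /about HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

# One regex for the combined format: client IP, timestamp, request line,
# status, size, referrer and user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed watch list: the endings the post mentions. Tune this for your network.
WATCH_TLDS = {"ru", "ch", "su"}


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referrer_tld(ref):
    """Extract the lowercase top-level domain of a referrer URL ('-' and bare IPs give None)."""
    if not ref or ref == "-":
        return None
    host = urlsplit(ref).hostname
    if not host or "." not in host:
        return None
    tld = host.rsplit(".", 1)[1].lower()
    # A trailing all-digit label means the "host" was an IPv4 address, not a domain.
    return None if tld.isdigit() else tld


def tally_by_tld(log_text):
    """Count requests per referrer TLD across the whole log."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tld = referrer_tld(rec["ref"])
        if tld:
            counts[tld] += 1
    return counts


def flagged_requests(log_text, watch=WATCH_TLDS):
    """Return (client_ip, request, tld) for every request whose referrer TLD is on the watch list."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tld = referrer_tld(rec["ref"])
        if tld in watch:
            flagged.append((rec["ip"], rec["req"], tld))
    return flagged


if __name__ == "__main__":
    for tld, n in tally_by_tld(SAMPLE_LOG).most_common():
        print(f".{tld}: {n}")
    for ip, req, tld in flagged_requests(SAMPLE_LOG):
        print(f"watch-list hit: {ip} {req!r} (.{tld})")
```

To run it against a real file, replace `SAMPLE_LOG` with the contents of your access log; the per-client repeat counts in `flagged_requests` output are usually more telling than the TLD tally itself.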