ICANN Email List Archives

[fast-flux-initial-report]



Comments on Fast Flux initial report

  • To: fast-flux-initial-report@xxxxxxxxx
  • Subject: Comments on Fast Flux initial report
  • From: Gary Warner <gar@xxxxxxxxxx>
  • Date: Sat, 14 Feb 2009 07:56:58 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Only a few comments . . .
- --

p. 6 - Who benefits from fast flux?  You list "free speech / advocacy
groups".  Is there evidence of this in practice? Or is this only theory?  I
have seen FF used by phishers, child pornographers, money mule
recruiters, and pill spammers, but not by anyone I would call a "Free
Speech / Advocacy group", unless advocated child pornography falls
within your definition.

I would strongly urge you to add to your list "Criminal entities".
(acknowledged that this is included on p. 17, but I believe it should be
here as well)

Later in the report you discuss the "anti-censorship" theory, but is
this not in itself illegal in many of the countries where it is being
practiced?  If the State is the censor, treating this activity as
something to be condoned puts ICANN in the position of encouraging the
violation of local law.  The only named example given, UltraReach
(p.72), has as its model to provide an infrastructure to allow Chinese
citizens to violate Chinese law.  As an international body, this is an
unacceptable position for ICANN to take.  A stronger "free speech"
position, with examples that are not illegal, should be identified, or
this category should be dropped. (this position is already stated in
your document on p. 79)

- --

p. 6/7 - Who would benefit from cessation?

Please add "Law Enforcement and Investigators" to your list.  The
greatest harm of Fast Flux is not the people you list - because they
will continue to perform the same actions with or without the benefit of
fast flux.  The greatest harm is that we can't CATCH them because we
can't FIND them.  It is the investigator who would be most greatly
benefited, and by the success of his investigation other parties would
benefit as well.



p. 8 - Are registrars involved?

Yes.  There is strong evidence that registrars which operate "reseller
practices" - particularly those registrars who are based in China and
have resellers in St. Petersburg Russia - have resellers of their
services which are entirely corrupt and who practice fast flux
registration as a matter of course. (addressed on p.33)

Some of the time the criminal uses MANY registrars to establish his Fast
Flux.  We have one very active FF net we are currently working on where
the criminal registered domains on 10 different Registrars in six
different countries to establish his FF Hosting Infrastructure.  How do
you run a 10 Registrar investigation from the US, when many of the
Registrars are not subject to a US-based subpoena?

(more details are available on this example, but not suitable for public
comment)

p.43/44 - 5.7 What measures could be implemented?

One problem is convincing the registrars that they should do something
about fast flux domains.  Many challenge that no crime is being
committed, and it is very hard to "prove" that the IP addresses involved
are not willing participants in a timely way.

Further, the problem of breaking up a particular HOSTED DOMAIN does not
necessarily address the issue of the UNDERLYING INFRASTRUCTURE.  Several
companies offer Fast Flux hosting services to a variety of clients, and
because their hosting service domains are harder to accuse of actual
crime, nothing happens to them.

Some of the potential solutions do not take this into account.  So, for
example, many phishers register a domain and point it at a nameserver
which is owned by a FF HOSTING PROVIDER.  The client domain owner never
has to change his NS pointers because all of that is taken care of for
him by the Hosting infrastructure.  Because the hosting infrastructure
domains never host any content themselves, they are very hard to legally
compel to shut down.  We can't say they host any objectionable or
illegal material.  We can only say their existence provides support for
other domains which host the material, which is often not enough to
violate laws or terms of service.


p. 45 - 5.8 What would be the impact of establishing limitations . . .

Because many of these services are paid for with illegal credit cards
anyway, having a fee charged for modification of the name server data is
not a disincentive.

p. 70 - Addressing Fast Fluxing by targeting "short TTLs" is not
appropriate. There are many possible reasons for short TTLs.
Identifying short TTL domains AS A BASIS FOR DEEPER INVESTIGATION is
very appropriate.  Our techniques, and those of others, can readily
identify which short TTL domains are being used to host offensive
content, and perhaps the establishment of a clearing house for that sort
of data would be useful.  Short TTL domains could be centrally archived,
and complaints about the activities of those domains could be used to
provide an ICANN-sponsored "must terminate" list?

p.71 - Reporting to law enforcement
At a Federal level, law enforcement is unlikely to care about individual
domain names.  However, identifying the "Fast Flux Hosting
Infrastructures" has great merit and could be used to build significant
and worthy cases.  Information sharing, and a place to allow access to
the shared information, will be the key to that.

p.86 - the Fast Flux Metrics are applauded and necessary.  We believe
tying those domains to spam, such as the spam archived in the UAB Spam
Data Mine, may provide a more useful picture, as mentioned below.


General comment:

One of the research projects my students are working on is examining
which netblocks are most commonly associated with high volume spam
attacks.  The answer came out rather strongly that many high volume spam
attacks are hosted by a Fast Flux infrastructure.  A paper on this topic
is currently being authored which will be submitted to the MIT Spam
Conference.  We would be happy to share supporting data from this paper,
which examines spam received in November '08, December '08, and January
'09, with the Working Group if it would be beneficial, including many
hundreds of domain names used in high volume spam which were fast flux
hosted.


- --

- --------------

Gary Warner
Director of Research in Computer Forensics
The University of Alabama at Birmingham
gar@xxxxxxxxxxx            gar@xxxxxxxxxx
205.934.8620               205.422.2113
Blog = http://garwarner.blogspot.com/
Home = http://www.cis.uab.edu/forensics/

- --------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJls2qg79eYCOO6PsRArXyAJ9CbvGbocpYQOlzOfY6W2cISXyD/QCfVdow
5UlJOXqTdxw59Q4pdhGgRQE=
=mbH9
-----END PGP SIGNATURE-----
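The p. 70 comment above draws a line between treating short TTLs as grounds for action and treating them as a basis for deeper investigation. The script below is an added illustration of that triage step; it is not part of Gary Warner's message or of the ICANN report. It takes repeated A-record lookups for a domain (all sample data here is constructed), uses a short TTL only as a gate into the candidate set, and then scores how much the answer set churns and how widely the addresses are spread across networks. The threshold values and the use of a /16 as a stand-in for network diversity are assumptions; a real pipeline would map addresses to ASNs from passive-DNS or routing data.

```python
"""Fast-flux triage over repeated DNS answers (added example, constructed data)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

SHORT_TTL_SECONDS = 300   # assumed gate; tune against your own resolver data


@dataclass(frozen=True)
class Lookup:
    """One observed A-record answer for a domain."""
    domain: str
    ttl: int
    ips: tuple[str, ...]


def _network16(ip: str) -> str:
    """Crude network-diversity key: the /16 containing the address.
    Assumption for the example; real triage would use ASN data instead."""
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))


def triage(lookups: list[Lookup]) -> dict[str, dict]:
    """Group lookups by domain and compute fast-flux indicators.

    A short TTL alone never raises the score; it only admits the domain
    to the candidate set. Churn of the answer set and spread across
    networks are what move a candidate to 'investigate'.
    """
    by_domain: dict[str, list[Lookup]] = defaultdict(list)
    for lk in lookups:
        by_domain[lk.domain].append(lk)

    report = {}
    for domain, seq in by_domain.items():
        min_ttl = min(lk.ttl for lk in seq)
        distinct_ips = {ip for lk in seq for ip in lk.ips}
        distinct_nets = {_network16(ip) for ip in distinct_ips}

        # churn: fraction of consecutive answers that share no address at all
        pairs = list(zip(seq, seq[1:]))
        disjoint = sum(1 for a, b in pairs if not set(a.ips) & set(b.ips))
        churn = disjoint / len(pairs) if pairs else 0.0

        short_ttl = min_ttl < SHORT_TTL_SECONDS
        score = 0
        if short_ttl:                       # gate, not evidence
            score += len(distinct_ips) >= 5
            score += len(distinct_nets) >= 3
            score += churn >= 0.5

        if not short_ttl:
            verdict = "ignore"
        elif score >= 2:
            verdict = "investigate"
        else:
            verdict = "short-ttl-only"      # e.g. a CDN or load balancer

        report[domain] = {
            "min_ttl": min_ttl,
            "short_ttl": short_ttl,
            "distinct_ips": len(distinct_ips),
            "distinct_nets": len(distinct_nets),
            "churn": churn,
            "score": score,
            "verdict": verdict,
        }
    return report


# Constructed observations: one flux-like domain, one legitimate short-TTL
# domain rotating a small fixed pool, and one static domain.
SAMPLE_LOOKUPS = [
    Lookup("flux.example.test", 60, ("203.0.113.5", "198.51.100.9", "192.0.2.77")),
    Lookup("flux.example.test", 60, ("203.0.113.150", "10.20.30.40", "172.16.5.6")),
    Lookup("flux.example.test", 60, ("192.0.2.200", "198.51.100.44", "10.99.1.2")),
    Lookup("flux.example.test", 60, ("172.16.77.8", "203.0.113.250", "192.0.2.33")),
    Lookup("cdn.example.test", 30, ("192.0.2.10", "192.0.2.11")),
    Lookup("cdn.example.test", 30, ("192.0.2.11", "192.0.2.12")),
    Lookup("cdn.example.test", 30, ("192.0.2.12", "192.0.2.10")),
    Lookup("static.example.test", 86400, ("198.51.100.1",)),
    Lookup("static.example.test", 86400, ("198.51.100.1",)),
]

if __name__ == "__main__":
    for name, row in triage(SAMPLE_LOOKUPS).items():
        print(f"{name:22} ttl={row['min_ttl']:<6} ips={row['distinct_ips']:<3} "
              f"nets={row['distinct_nets']:<2} churn={row['churn']:.2f} "
              f"score={row['score']} -> {row['verdict']}")
```

Run as-is, the flux-like domain lands in "investigate" while the CDN-style domain, despite a 30-second TTL, stays "short-ttl-only" because its answers overlap and sit in one network. That split is the point of the p. 70 comment: the short TTL selects what to look at, the churn and spread decide whether it is worth an investigator's time.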


