Re: [gnso-ff-pdp-may08] Jump start on answering GNSO questions regarding fast flux
- To: Dave Piscitello <dave.piscitello@xxxxxxxxx>
- Subject: Re: [gnso-ff-pdp-may08] Jump start on answering GNSO questions regarding fast flux
- From: Eric Brunner-Williams <ebw@xxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 01 Jul 2008 20:55:25 -0700
Would it be fair to say that data exists which supports the general
characterization of addresses to which domains momentarily resolve to,
perhaps many times, and perhaps for more than one domain, are
dynamically assigned, from provider assigned blocks?
Dave Piscitello wrote:
I believe one of the questions the GNSO has asked this group to answer is:
Who benefits from fast flux, and who is harmed?
I would like to suggest that this question is slightly misleading and would
suggest that we break it down into "Who benefits from the use of short
TTLs?" and "Who is harmed by fast flux activities?"
I will defer to folks who are exposed to legitimate uses of short TTLs and
offer the following answers to "Who is harmed by fast flux activities?"
1. Individuals whose computers are infected by attackers and subsequently
used to host name servers or web sites for a fast flux phishing attack. The
individual may have his Internet connection blocked. In the extreme, should
the computer be suspected of hosting illegal material, the computer may be
seized by law enforcement agents (LEAs) and the individual may be subjected
to a criminal investigation.
2. Businesses and organizations whose computers are infected may have
Internet connections blocked, which may result in loss of connectivity for
all users as well as the possible loss of connectivity for any Internet
services also hosted via the blocked connection (e.g., mail, web, e-merchant
or ecommerce sites). Again, in the extreme, should the computer be suspected
to host illegal material, the computer may be seized by LEAs and the
individual may be subjected to a criminal investigation. If this computer
were hosting web and other services for the business/organization, the
seizure could also result in an interruption of service, loss of income or
3. Individuals who receive phishing emails and are lured to a phishing site
hosted on a bot used by the miscreants/criminals who run the phishing attack
may have their identities stolen or suffer financial loss from credit card,
securities or bank fraud. They may unwittingly disclose medical or personal
information that could be used for blackmail or coersion. They may infect
their computers with malicious software that would "enlist" their computers
into a bot herd. Individuals who purchase bogus products, especially
pharmaceuticals, may be physically harmed from using such products.
4. Internet access operators are harmed when their IP address blocks are
associated with bot nets and phishing attacks that are linked to fast flux
activities. These operators also bear the burden of switching the
unauthorized traffic that phishing attacks generate and they may also incur
the cost of diverting staff and resources to respond to abuse reports or
5. Registrars are harmed when their registration and DNS hosting services
are used to abet "double flux" attacks. Like Internet access providers, they
may also incur the cost of diverting staff and resources to monitor abuse,
or to respond to abuse reports or legal inquiries.
6. Businesses and organizations who are "phished" from bogus web sites
hosted on fast fluxing networks may experience financial or material loss,
tarnish to brand, or loss of customer/consumer confidence. They also incur
the cost associated with brand abuse monitoring, detection and mitigation.
7. Registries may incur the cost of diverting staff and resources to monitor
abuse or to respond to abuse reports or legal inquiries.
These are my top 7. I can think of other parties who are affected indirectly
through phishing (consumers, in the form of fees and higher interest rates
financials use to compensate from losses resulting from identity theft and
credit card fraud).