Re: [gnso-ff-pdp-may08] Re: [ntfy-gnso-ff-pdp-may08] FW: example: using fast-flux to escape censorship
- To: "gnso-ff-pdp-may08@xxxxxxxxx" <gnso-ff-pdp-may08@xxxxxxxxx>
- Subject: Re: [gnso-ff-pdp-may08] Re: [ntfy-gnso-ff-pdp-may08] FW: example: using fast-flux to escape censorship
- From: "Mike O'Connor" <mike@xxxxxxxxxx>
- Date: Wed, 16 Jul 2008 06:55:15 -0500
At 06:41 AM 7/16/2008, Dave Piscitello wrote:
Fast flux is not an attack, but a technique (one
element) of an attack. As we try to refine
the terminology, we might want to be careful
when we use each term. These definitions seem to be emerging:
* fast flux: an attack technique that
involves rapidly changing the bindings of IP
addresses to domain names, typically to prevent
detection of hosts operating illegal or unauthorized services (DNS, mail, web)
* fast flux hosting: employing fast flux as
part of the hosting component of a criminal or
other unauthorized activity (e.g., phishing)
* fast flux attack: an attack that uses fast flux
* short TTL: a value in the Time To Live
parameter associated with a DNS resource
record(s) that is observably less than the
values encountered in the DNS under typical
operating conditions, e.g., less than 3600
seconds. Short TTLs may be used for both
legitimate and abusive purposes; for example,
the use of short TTLs is one way to enable a fast flux attack.
Using an antispam analogy, you can't conclude
that an email is spam solely on the basis that
it contains the brand name of an erectile
dysfunction product. Ditto for short TTL.
The use of short TTLs is one of several
"markers" that you might use to detect an attack
that employs fast flux. Large numbers of NS name
server resource records and frequent changes to
those RRs is another. The use of IP addresses
that fall outside the typical address range used
for this domain is another. Evaluated in
combination, these may be useful. Evaluated in
isolation, they might result in false positives.
We are supposed to study fast flux. Do the
definitions above help us with the scope we are struggling to identify?
but... here's another example of where a posting
to the private list has "escaped" to the public one.
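The quoted message argues that short TTLs, large or frequently changing NS RRsets, and A records outside a domain's usual address range are useful only when evaluated together, since any one of them alone produces false positives. The following is an added example, not code from the mailing list or from any of its participants: it encodes those three markers as a combined score and runs them over two constructed sets of resolver observations (a legitimate short-TTL domain and a fluxing one). Domain names, address ranges, thresholds, and the `Snapshot` structure are all assumptions made for the illustration; the 3600-second threshold is the one quoted in the message.

```python
"""Multi-marker scoring for suspected fast-flux DNS behaviour.

Added example, not part of the mailing-list thread. The three markers
are the ones named in the quoted message: short TTLs, large or changing
NS RRsets, and A records outside the domain's usual address range.
Every domain name, address, and observation below is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Sequence

SHORT_TTL_SECONDS = 3600  # threshold quoted in the message


@dataclass(frozen=True)
class Snapshot:
    """One resolver observation of a zone: TTL plus its A and NS RRsets."""
    ttl: int
    a_records: FrozenSet[str]
    ns_records: FrozenSet[str]


def marker_short_ttl(snapshots: Sequence[Snapshot]) -> bool:
    """Every observation carried a TTL below the 'typical' threshold."""
    return all(s.ttl < SHORT_TTL_SECONDS for s in snapshots)


def marker_ns_churn(snapshots: Sequence[Snapshot],
                    max_ns: int = 4, max_changes: int = 1) -> bool:
    """Large NS RRsets, or NS RRsets that change between observations."""
    large = any(len(s.ns_records) > max_ns for s in snapshots)
    changes = sum(1 for prev, cur in zip(snapshots, snapshots[1:])
                  if prev.ns_records != cur.ns_records)
    return large or changes > max_changes


def marker_foreign_addresses(snapshots: Sequence[Snapshot],
                             expected_ranges: Sequence[str]) -> bool:
    """Any A record falls outside the ranges this domain normally uses."""
    nets = [ip_network(r) for r in expected_ranges]
    return any(not any(ip_address(addr) in net for net in nets)
               for s in snapshots for addr in s.a_records)


def assess(snapshots: Sequence[Snapshot], expected_ranges: Sequence[str],
           threshold: int = 2) -> Dict[str, object]:
    """Score all markers; flag only when at least `threshold` of them fire."""
    markers = {
        "short_ttl": marker_short_ttl(snapshots),
        "ns_churn": marker_ns_churn(snapshots),
        "foreign_addresses": marker_foreign_addresses(snapshots, expected_ranges),
    }
    hits = sum(markers.values())
    return {"markers": markers, "hits": hits, "suspicious": hits >= threshold}


# Constructed data. LEGIT mimics a content-delivery style zone: low TTL,
# but stable NS records and A records that stay inside one documented range.
LEGIT: List[Snapshot] = [
    Snapshot(60, frozenset({"198.51.100.10", "198.51.100.11"}),
             frozenset({"ns1.cdn-example.net", "ns2.cdn-example.net"})),
    Snapshot(60, frozenset({"198.51.100.10", "198.51.100.12"}),
             frozenset({"ns1.cdn-example.net", "ns2.cdn-example.net"})),
    Snapshot(60, frozenset({"198.51.100.11", "198.51.100.12"}),
             frozenset({"ns1.cdn-example.net", "ns2.cdn-example.net"})),
]

# FLUX mimics the abusive pattern: low TTL plus a large, churning NS set
# and A records scattered across unrelated address blocks.
FLUX: List[Snapshot] = [
    Snapshot(300, frozenset({"192.0.2.17", "203.0.113.5"}),
             frozenset({f"ns{i}.flux-example.org" for i in range(1, 7)})),
    Snapshot(300, frozenset({"198.51.100.200", "192.0.2.99"}),
             frozenset({f"ns{i}.flux-example.org" for i in range(3, 9)})),
    Snapshot(300, frozenset({"203.0.113.77", "192.0.2.250"}),
             frozenset({f"ns{i}.flux-example.org" for i in range(5, 11)})),
]

EXPECTED_RANGES = ["198.51.100.0/24"]  # the range the domain "normally" uses


if __name__ == "__main__":
    for name, obs in (("legit", LEGIT), ("flux", FLUX)):
        print(name, assess(obs, EXPECTED_RANGES))
```

With the thresholds chosen here, the legitimate zone trips only the short-TTL marker and stays below the flagging threshold, while the fluxing zone trips all three; lowering `threshold` to 1 reproduces the false positive the message warns about.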