Re: [gnso-ff-pdp-may08] Fast Flux Definition - V4.1

[Kal Feher <kalman.feher@xxxxxxxxxxxxxxxxxx>]

A thought regarding the first point.

Does the network need to be made up of compromised systems?

Obviously it is the most common scenario, but I can imagine quite a few
alternate scenarios where the hosting software is "legitimately" installed
on a large base of systems, both knowingly and unknowingly. We should not
digress into the legality of "click wrap agreements" but merely acknowledge
that legitimately installed and operated software could still be used to
deliver illegitimate content in a manner that would mirror FF behaviour with
regards misdirection and obfuscation of the operators identity.


On 29/7/08 12:47 AM, "Greg Aaron" <gaaron@xxxxxxxxxxxx> wrote:

> I think what Dave says names sense.  And ³difficult or impossible to contact²
> seems unnecessary.
>  
> 
> 
> From: owner-gnso-ff-pdp-may08@xxxxxxxxx
> [mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx] On Behalf Of Dave Piscitello
> Sent: Monday, July 28, 2008 9:16 AM
> To: Mike O'Connor; fast Flux Workgroup
> Subject: Re: [gnso-ff-pdp-may08] Fast Flux Definition - V4.1
>  
> While Randy¹s definitions are accurate and extremely helpful and important for
> this WG¹s work, I think they are too dense for counsel members and the ICANN
> community at large. I would prefer that we use short bullet items that
> enumerate the characteristics rather than use ³inherited definitions².
> 
> I am also uncomfortable to paint a blue haze over the characteristics that
> clearly distinguish unauthorized and potentially criminal behavior by saying
> ³difficult or impossible to contact².
> 
> The characteristics I believe best describe flux networks in general:
> * operated on compromised systems
> * operated for the purpose of hosting unauthorized, malicious or criminal
> content 
> * operated using software that was installed without notice or consent to the
> system operator/owner
> * ³volatile² in the sense that the network changes its topology for the
> specific purpose of sustaining the lifetime of the network and the attack(s)
> the network supports, using
>> * (rapid) modification of TTLs for name servers and malicious content hosts
>> * monitoring to determine/conclude that a host has been identified and shut
>> down 
>> * time- or other metric-based topology change (in theory, I could choose to
>> move a web host simply because I¹ve reached some ³max² number of visitors
>> that I judge to be sufficient to put that host on someone¹s radar)
> 
> For me, this definition paints a very different kind of network than one that
> is used for any commercial or other non-criminal activity. And it¹s the kind
> of network I am very eager to put out of business.
> 
> 
> On 7/26/08 1:13 PM, "Mike O'Connor" <mike@xxxxxxxxxx> wrote:
> 
> 
> Hi all,
> 
> Here's what I wind up with:
> 
> FastFlux -- for purposes of our working group;
> 
> "A volatile compromised host service network, the operators of which
> are difficult or impossible to contact."
> 
> The "longer version" can be found in the notes from yesterday's call
> in the Definition of Fastflux part of the Discussion Topics;
> 
>   https://st.icann.org/pdp-wg-ff/index.cgi?july_25_call
> 
> Two questions --
> 
> 1) Does this do it?
> 
> 2) Can we identify these in the data we collect?
> 
> m
> 
> 
> voice: 651-647-6109
> fax: 866-280-2356
> 
> web: www.haven2.com
> 
> 
> 
> 
> 
> 
>  
> 


-- 
Kal Feher
Architect group
Melbourne IT Ltd