RE: [gnso-ff-pdp-may08] Fwd: NCUC FF Statement
- To: <joe@xxxxxxxxxxxxxxxxxx>, <dave.piscitello@xxxxxxxxx>
- Subject: RE: [gnso-ff-pdp-may08] Fwd: NCUC FF Statement
- From: "Greg Aaron" <gaaron@xxxxxxxxxxxx>
- Date: Tue, 19 Aug 2008 10:41:30 -0400
The Mannheim formula is interesting for identifying "domains of interest"
for additional investigation. The intent or use of the domains, i.e.
whether they are a problem or not, is another matter, of course.
I don't think we want to throw out Dave's work, though -- he made good
points about compromised hosts, etc. I think it would be useful to go back
to that enumeration.
[mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx] On Behalf Of Joe St Sauver
Sent: Tuesday, August 19, 2008 2:33 AM
Subject: Re: [gnso-ff-pdp-may08] Fwd: NCUC FF Statement
#At one point we were on a very constructive path towards enumerating the
#characteristics of fast flux networks and thus defining the varieties of
#such networks. I really wish we would go back to that enumeration and
#complete it very analytically and dispassionately.
I continue to be quite pleased with the Mannheim definition for
fastflux (see "Measuring and Detecting Fast-Flux Service Networks,"
16_measuring_and_detecting.pdf, URL wrapped due to length), and I've yet
to see an example where it provides an incorrect "false positive"
classification of a non-fastflux domain as fastflux.
For those who'd like to try a quick test, hotnoun.com (yet another
Canadian Pharmacy pillz domain) currently scores 341.58 at
http://www.uoregon.edu/~joe/fastflux/simple.cgi , well above
the 142.38 cutoff threshold even on just a single pass...
Found 20 IPs:
17 unique ASNs
Mannheim score = 341.58
Could we agree to use the Mannheim definition unless/until someone
else proposes something else that is empirically based and which
seems to do a better job of identifying these domains? The Mannheim
test is simple, fast, objective and seems to provide good
Disclaimer: all opinions strictly my own.
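Added example, not code from the thread or from Joe's simple.cgi: the Mannheim score as applied above, computed in Python from tool-style "IP --> ASN" output. It assumes the weights and cutoff published by Holz et al. (1.32 per distinct A record, 18.54 per distinct origin ASN, threshold 142.38), which reproduce the 341.58 quoted for 20 IPs across 17 ASNs; the resolution lists are constructed, and the single-ASN case shows why a hosting setup with many IPs in one network does not trip the threshold.

```python
"""Mannheim fast-flux score: score = 1.32 * n_A + 18.54 * n_ASN, flux if > 142.38.

Weights and threshold are those of Holz et al., "Measuring and Detecting
Fast-Flux Service Networks" (NDSS 2008); they are an assumption here, but
they reproduce the 341.58 reported in the thread for 20 IPs / 17 ASNs.
"""
import re
from collections import OrderedDict

W_A = 1.32        # weight per distinct A record
W_ASN = 18.54     # weight per distinct origin ASN
THRESHOLD = 142.38

# Matches one line of resolver output such as "203.0.113.7 --> AS64512".
LINE_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*-->\s*AS(\d+)\s*$")


def parse_resolutions(text):
    """Parse 'IP --> ASn' lines into {ip: asn}. An IP seen again on a later
    lookup pass is counted once, so repeated passes do not inflate n_A."""
    seen = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            seen.setdefault(m.group(1), int(m.group(2)))
    return seen


def mannheim_score(resolutions):
    """Return the flux score for a {ip: asn} mapping, rounded to 2 places."""
    n_a = len(resolutions)
    n_asn = len(set(resolutions.values()))
    return round(W_A * n_a + W_ASN * n_asn, 2)


def classify(resolutions):
    """Return (score, is_fast_flux) using the 142.38 cutoff."""
    score = mannheim_score(resolutions)
    return score, score > THRESHOLD


# Constructed samples (RFC 5737 documentation IPs, private/documentation ASNs).
# Flux-like: 20 IPs spread over 17 ASNs, the same counts as in the thread.
FLUX_SAMPLE = "\n".join(f"203.0.113.{i} --> AS{64512 + (i % 17)}" for i in range(1, 21))
# Single-network hosting: 20 IPs that all originate from one ASN.
CDN_SAMPLE = "\n".join(f"198.51.100.{i} --> AS64496" for i in range(1, 21))

if __name__ == "__main__":
    for name, sample in (("flux-like", FLUX_SAMPLE), ("single-ASN hosting", CDN_SAMPLE)):
        score, flagged = classify(parse_resolutions(sample))
        print(f"{name}: score={score} fast-flux={flagged}")
```

Running it prints 341.58 (flagged) for the flux-like sample and 44.94 (not flagged) for the single-ASN sample, since the ASN term dominates the score.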