FW: [gnso-ff-pdp-may08] Introduction and Statement of Interest: Jose Nazario (Arbor Networks)
- To: "'Fast Flux Workgroup'" <gnso-ff-pdp-May08@xxxxxxxxx>
- Subject: FW: [gnso-ff-pdp-may08] Introduction and Statement of Interest: Jose Nazario (Arbor Networks)
- From: "Mike Rodenbaugh" <icann@xxxxxxxxxxxxxx>
- Date: Thu, 9 Oct 2008 09:56:54 -0700
Attached is some dialogue between Jose and me re the report that Greg just
cited to this list, fyi.
Best,
Mike R.
-----Original Message-----
From: jose nazario [mailto:jose@xxxxxxxxx]
Sent: Wednesday, October 08, 2008 12:41 PM
To: mike@xxxxxxxxxxxxxx
Subject: [Bulk] Re: [gnso-ff-pdp-may08] Introduction and Statement of Interest: Jose Nazario (Arbor Networks)
On 10/7/08 6:10 PM, "Mike Rodenbaugh" <mike@xxxxxxxxxxxxxx> wrote:
> Jose, great to have you and your expertise in the group. I know many in
> the group will be particularly interested in any and all data you can share,
> and in your experience with any false positive identifications of fast flux
> -- finding malice when in fact it is benign. Some in the group continue to
> argue that there is no acceptable remedy so long as there are some false
> positives. Of course that is ridiculous, but if we can show an extremely
> low rate of false positives that could be extremely helpful to the cause of
> stopping malicious fast flux exploits at the registry level. Do you have
> any data on that point specifically?
The heuristic described in our paper, "As the Net Churns", is the one we use
in ATLAS to qualify domain names as fluxy for monitoring purposes. We do
have a whitelist function, as several large providers and groups use DNS round
robin techniques to provide load balancing.
The white list includes names like Yahoo (mainly European Yahoo properties),
ICQ, ClamAV, and a few others. The full list is here:
WHITELIST = ('ebay.com', 'paypal.com', 'aol.com', 'yahoo.com',
'amazon.com', 'mailscanner.com', 'wellsfargo.com',
'cnn.com', 'geocities.com', 'myspace.com', 'yahoo.fr',
'yahoo.es', 'yahoo.it', 'rapidshare.com', 'icq.com',
'naver.com')
This is based on experience and on trying to anticipate what may be a
problem. It grows periodically and requires a human to do some screening and
qualifications. This is usually based on trial and error, and discussions
with folks like those at SURBL who use a similar (but larger) white list.
Here's the current number of fast flux domains we've detected since we
started the monitoring:
# SELECT count(name) from fastflux_domain;
count
-------
21460
The frequency with which we see these appear, however, is rare. Out of tens
of thousands of fast flux names we have seen, fewer than 100 distinct (based
on our techniques mining for names through spamvertised and
malcode-associated URLs and such) have been falsely accused. This is well
below 1% (actually .07%). Other domain name mining techniques may yield
higher or lower rates of false positives. Also, other fast flux screening
techniques (like those from Holz et al from NDSS 07) may be less prone to
false positives.
As fast flux evolves these numbers may change, specifically as we see more
changes work to evade fast flux screening and qualifying techniques like
those we use.
I hope this helps.
-------------------------------------------------------------
jose nazario, ph.d. <jose@xxxxxxxxx>
security researcher, office of the CTO
Arbor Networks
v: (734) 821 1427
PGP: 0x40A7BF94
www.arbornetworks.com
-------------------------------------------------------------
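The screening step Jose describes (a whitelist consulted before a domain is qualified as fluxy, and a false positive rate computed over the flagged set) can be illustrated with a small Python program. This is an added example, not ATLAS or Arbor code: it reuses the WHITELIST tuple quoted in the message, but the suffix-matching rule, the Observation record, the is_fluxy thresholds (distinct IPs, distinct ASNs, TTL) and the sample lookups are all constructed here and are not the "As the Net Churns" heuristic. The matching rule is deliberately a proper-suffix match rather than a substring test, so that www.yahoo.fr is whitelisted while notyahoo.com and yahoo.fr.example are not; a substring check would quietly exempt lookalike names from monitoring.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable

# Whitelist as quoted in the message (DNS round-robin users, not fast flux).
WHITELIST = ('ebay.com', 'paypal.com', 'aol.com', 'yahoo.com',
             'amazon.com', 'mailscanner.com', 'wellsfargo.com',
             'cnn.com', 'geocities.com', 'myspace.com', 'yahoo.fr',
             'yahoo.es', 'yahoo.it', 'rapidshare.com', 'icq.com',
             'naver.com')


def is_whitelisted(name: str, whitelist: Iterable[str] = WHITELIST) -> bool:
    """True if name equals a whitisted zone or lies beneath it.

    Proper-suffix match on label boundaries: 'www.yahoo.fr' matches
    'yahoo.fr', but 'notyahoo.com' and 'yahoo.fr.example' do not.
    """
    n = name.lower().rstrip('.')
    for zone in whitelist:
        z = zone.lower().rstrip('.')
        if n == z or n.endswith('.' + z):
            return True
    return False


@dataclass(frozen=True)
class Observation:
    """One A-record lookup: TTL plus the returned IPs and their ASNs (constructed)."""
    ttl: int
    ips: FrozenSet[str]
    asns: FrozenSet[int]


def is_fluxy(obs: Iterable[Observation], min_ips: int = 5,
             min_asns: int = 3, max_ttl: int = 600) -> bool:
    """Constructed stand-in heuristic: low TTL, many distinct IPs across
    several ASNs over repeated lookups. Thresholds are assumptions."""
    obs = list(obs)
    if not obs:
        return False
    ips = set().union(*(o.ips for o in obs))
    asns = set().union(*(o.asns for o in obs))
    low_ttl = all(o.ttl <= max_ttl for o in obs)
    return low_ttl and len(ips) >= min_ips and len(asns) >= min_asns


def screen(name: str, obs: Iterable[Observation]) -> str:
    """Whitelist first, then the heuristic: 'whitelisted', 'fluxy' or 'benign'."""
    if is_whitelisted(name):
        return 'whitelisted'
    return 'fluxy' if is_fluxy(obs) else 'benign'


def false_positive_rate(flagged: int, confirmed_benign: int) -> float:
    """Share of flagged names later confirmed benign, as a percentage."""
    if flagged <= 0:
        raise ValueError("flagged must be positive")
    if not 0 <= confirmed_benign <= flagged:
        raise ValueError("confirmed_benign must lie in [0, flagged]")
    return 100.0 * confirmed_benign / flagged


# Constructed sample lookups. A round-robin CDN host that is whitelisted,
# and a fluxy-looking name under a reserved TLD with many IPs in many ASNs.
CDN_LOOKUPS = [
    Observation(60, frozenset({'198.51.100.1', '198.51.100.2'}), frozenset({64500})),
    Observation(60, frozenset({'198.51.100.3', '198.51.100.4'}), frozenset({64500})),
    Observation(60, frozenset({'203.0.113.9', '203.0.113.10'}), frozenset({64501})),
]
FLUX_LOOKUPS = [
    Observation(300, frozenset({'192.0.2.10', '192.0.2.11'}), frozenset({64510, 64511})),
    Observation(300, frozenset({'198.51.100.20', '198.51.100.21'}), frozenset({64512})),
    Observation(300, frozenset({'203.0.113.30'}), frozenset({64513})),
]


def demo() -> dict:
    """Run the screen over the constructed samples and return the verdicts."""
    return {
        'www.yahoo.fr': screen('www.yahoo.fr', CDN_LOOKUPS),
        'cdn.example': screen('cdn.example', CDN_LOOKUPS),
        'flux.invalid': screen('flux.invalid', FLUX_LOOKUPS),
        'notyahoo.com': screen('notyahoo.com', FLUX_LOOKUPS),
    }


if __name__ == '__main__':
    for name, verdict in demo().items():
        print(f'{name:16} {verdict}')
    print(f'false positive rate: {false_positive_rate(21460, 15):.2f}%')
```

Without the whitelist, cdn.example (two ASNs, low TTL) stays benign under these thresholds, while flux.invalid (five IPs across four ASNs) is flagged; www.yahoo.fr never reaches the heuristic at all, which is exactly the role the whitelist plays in Jose's description. Names like notyahoo.com are not exempted, so lookalikes still get screened.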