ICANN Email Archives: [gnso-ff-pdp-may08]

ICANN ICANN Email List Archives

[gnso-ff-pdp-may08]

<<< Chronological Index >>> <<< Thread Index >>>

Re: FW: [gnso-ff-pdp-may08] Introduction and Statement of Interest: Jose Nazario (Arbor Networks)

To: George Kirikos <fastflux@xxxxxxxx>
Subject: Re: FW: [gnso-ff-pdp-may08] Introduction and Statement of Interest: Jose Nazario (Arbor Networks)
From: Jose Nazario <jose@xxxxxxxxx>
Date: Thu, 9 Oct 2008 13:26:53 -0400 (EDT)


On Thu, 9 Oct 2008, George Kirikos wrote:

 Who is going to pay the damages when that occurs?

i agree, and that is always a risk. any block list has these very sameproblems.

bear in mind that our purposes in generating a list of fast flux domainswas not blockage but identification for further analysis and humanscreened deactivation.

The fact that you have to have a whitelist demonstrates that theheuristic is weak, as it would otherwise capture innocent sites likeYahoo.com or eBay.com by default. Why would ICANN single out Yahoo.comto be whitelisted, and not any of my company's websites? We each payICANN 20 cents/year per domain.

see above; our purposes are just gathering data for a human analyst toreview, not to automatically shut things down. if we're going to do thatwe have to be even more rigorous in our analysis.

that said, i think whitelisting is a necessary step. any fast fluxoperator can massage the technique to still provide resilient services,aka "bulletproof hosting", and look like a legitimate content provider whojust happens to be spread across multiple ASNs.

And exactly how many hours/days/weeks did it take for those falselyaccused websites to be removed from the blacklist? If they were falselyaccused, but didn't report anything to you (i.e. silent victims), wouldthey even appear in your dataset as false positives? And what financialdamages were paid to the victimized websites?

again, this isn't a blacklist. but the false posiives get identifiedwithin 24h and removed almost immediately. no damage was done to any"victimized websites" here so no damages were paid. we become aware of theproblem usually through human follow ups on the data stream itself, notthe end point (they are unaffected by our approach, so they don't see anyimpact).


-------------------------------------------------------------
jose nazario, ph.d.     <jose@xxxxxxxxx>
security researcher, office of the CTO,  arbor networks
v: (734) 821 1427             http://asert.arbornetworks.com/

Follow-Ups:
- Re: FW: [gnso-ff-pdp-may08] Introduction and Statement of Interest: Jose Nazario (Arbor Networks)
  - From: George Kirikos

References:
- FW: [gnso-ff-pdp-may08] Introduction and Statement of Interest: Jose Nazario (Arbor Networks)
  - From: Mike Rodenbaugh
- Re: FW: [gnso-ff-pdp-may08] Introduction and Statement of Interest: Jose Nazario (Arbor Networks)
  - From: George Kirikos

<<< Chronological Index >>> <<< Thread Index >>>

Privacy Policy | Terms of Service | Cookies Policy