RE: [gnso-ff-pdp-may08] Jump start on answering GNSO questions regarding fast flux
Thanks for those notes, Dave; very useful.

The WG is also tasked with answering some related questions, such as how registrants and Internet users are generally affected by fast-flux hosting. To answer those questions, the group will need to thoroughly understand the scope of the problem and quantify its dimensions. By doing so, we can satisfy the charter and have a basis for any conclusions or recommendations. To answer the questions in the charter we may therefore have to ask and research some questions such as:

* How widely is fast-flux hosting used? How many sites are hosted using FF?
* What kinds of activities are occurring on those sites?
* As a follow-on to Dave's notes: How many phishing attacks are hosted on botnets?
* The answers may then help us understand questions such as: approximately how many harmed parties are there? And, what's the scope of the damage?

What sources can help us answer these types of questions, and what research is already available on such topics?

All best,
--Greg Aaron

-----Original Message-----
From: owner-gnso-ff-pdp-may08@xxxxxxxxx [mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx] On Behalf Of Dave Piscitello
Sent: Tuesday, July 01, 2008 12:31 PM
To: gnso-ff-pdp-May08@xxxxxxxxx
Subject: [gnso-ff-pdp-may08] Jump start on answering GNSO questions regarding fast flux

I believe one of the questions the GNSO has asked this group to answer is: Who benefits from fast flux, and who is harmed?

I would like to suggest that this question is slightly misleading and would suggest that we break it down into "Who benefits from the use of short TTLs?" and "Who is harmed by fast flux activities?"

I will defer to folks who are exposed to legitimate uses of short TTLs and offer the following answers to "Who is harmed by fast flux activities?"

1. Individuals whose computers are infected by attackers and subsequently used to host name servers or web sites for a fast flux phishing attack. The individual may have his Internet connection blocked. In the extreme, should the computer be suspected of hosting illegal material, the computer may be seized by law enforcement agents (LEAs) and the individual may be subjected to a criminal investigation.

2. Businesses and organizations whose computers are infected may have Internet connections blocked, which may result in loss of connectivity for all users as well as the possible loss of connectivity for any Internet services also hosted via the blocked connection (e.g., mail, web, e-merchant or ecommerce sites). Again, in the extreme, should the computer be suspected to host illegal material, the computer may be seized by LEAs and the individual may be subjected to a criminal investigation. If this computer were hosting web and other services for the business/organization, the seizure could also result in an interruption of service, loss of income or "web presence".

3. Individuals who receive phishing emails and are lured to a phishing site hosted on a bot used by the miscreants/criminals who run the phishing attack may have their identities stolen or suffer financial loss from credit card, securities or bank fraud. They may unwittingly disclose medical or personal information that could be used for blackmail or coercion. They may infect their computers with malicious software that would "enlist" their computers into a bot herd. Individuals who purchase bogus products, especially pharmaceuticals, may be physically harmed from using such products.

4. Internet access operators are harmed when their IP address blocks are associated with bot nets and phishing attacks that are linked to fast flux activities. These operators also bear the burden of switching the unauthorized traffic that phishing attacks generate and they may also incur the cost of diverting staff and resources to respond to abuse reports or legal inquiries.

5. Registrars are harmed when their registration and DNS hosting services are used to abet "double flux" attacks. Like Internet access providers, they may also incur the cost of diverting staff and resources to monitor abuse, or to respond to abuse reports or legal inquiries.

6. Businesses and organizations who are "phished" from bogus web sites hosted on fast fluxing networks may experience financial or material loss, tarnish to brand, or loss of customer/consumer confidence. They also incur the cost associated with brand abuse monitoring, detection and mitigation.

7. Registries may incur the cost of diverting staff and resources to monitor abuse or to respond to abuse reports or legal inquiries.

These are my top 7. I can think of other parties who are affected indirectly through phishing (consumers, in the form of fees and higher interest rates financials use to compensate for losses resulting from identity theft and credit card fraud).
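Greg asks how widely fast-flux hosting is used, and Dave separates the legitimate use of short TTLs from fast flux and "double flux" activity. Answering the first question means being able to tell the two apart from DNS observations alone. The following is an added example, not code from either poster or from the working group: it scores repeated lookups of a name by the features that distinguish fast flux from a short-TTL CDN (a short TTL by itself, versus a large, churning set of addresses spread across many networks), and labels a name "double flux" when the addresses behind its name servers show the same pattern. The thresholds, the labels, and the sample observations (private 10.x.x.x and documentation 203.0.113.x addresses) are constructed assumptions for illustration, not measurements from any real domain.

```python
"""Heuristic fast-flux scoring over repeated DNS observations.

Added illustration; thresholds, labels and sample data are this example's
own assumptions, not measurements from any real domain.
"""
from dataclasses import dataclass
import ipaddress


@dataclass
class Observation:
    """One resolution of a name: the A records returned and their TTL."""
    ttl: int
    addresses: list


@dataclass
class FluxReport:
    min_ttl: int
    distinct_ips: int
    distinct_slash16: int
    churn: float            # mean fraction of addresses per lookup not seen before
    suspected_fast_flux: bool


def slash16(ip: str) -> str:
    """Coarse network bucket: fast-flux pools span many unrelated networks."""
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))


def score_observations(obs, max_ttl=300, min_ips=10, min_prefixes=5):
    """Score a sequence of lookups of one name (thresholds are assumed values).

    A short TTL is necessary but not sufficient: CDNs use short TTLs too.
    The discriminators are the size of the address pool, how many distinct
    /16 networks it spans, and how much of each answer is new.
    """
    if not obs:
        raise ValueError("need at least one observation")
    seen = set()
    new_fractions = []
    for o in obs:
        addrs = set(o.addresses)
        if addrs:
            new_fractions.append(len(addrs - seen) / len(addrs))
        seen |= addrs
    # The first answer is always entirely "new", so churn is measured after it.
    later = new_fractions[1:]
    churn = sum(later) / len(later) if later else 0.0
    prefixes = {slash16(ip) for ip in seen}
    min_ttl = min(o.ttl for o in obs)
    suspected = (min_ttl <= max_ttl
                 and len(seen) >= min_ips
                 and len(prefixes) >= min_prefixes)
    return FluxReport(min_ttl, len(seen), len(prefixes), churn, suspected)


def classify(a_obs, ns_obs=None):
    """Label a name (labels are this example's own):
    'double flux'  - both its A records and its name servers' addresses flux
    'single flux'  - only its A records flux
    'not flux'     - neither
    """
    a_flux = score_observations(a_obs).suspected_fast_flux
    ns_flux = ns_obs is not None and score_observations(ns_obs).suspected_fast_flux
    if a_flux and ns_flux:
        return "double flux"
    if a_flux:
        return "single flux"
    return "not flux"


# Constructed sample data.
# CDN-like: short TTL, but the same three addresses in one network every time.
CDN_LIKE = [Observation(60, ["203.0.113.10", "203.0.113.11", "203.0.113.12"])
            for _ in range(4)]
# Fast-flux-like: every lookup returns five never-before-seen addresses,
# each in a different /16 network.
FAST_FLUX_LIKE = [Observation(180, [f"10.{i * 5 + j}.0.{j + 1}" for j in range(5)])
                  for i in range(4)]
# Name-server addresses for the fluxing name, also rotating (double flux).
NS_FLUX_LIKE = [Observation(180, [f"10.{100 + i * 5 + j}.0.{j + 1}" for j in range(5)])
                for i in range(4)]

if __name__ == "__main__":
    for label, a, ns in (("cdn", CDN_LIKE, None),
                         ("flux", FAST_FLUX_LIKE, None),
                         ("flux+ns", FAST_FLUX_LIKE, NS_FLUX_LIKE)):
        print(label, score_observations(a), "->", classify(a, ns))
```

The CDN-like sample has the shortest TTL of the three yet is not flagged, because its address pool is small, stable and confined to one network; the flux-like samples are flagged on pool size, network diversity and churn rather than on TTL. Real thresholds would need tuning against measured data, which is exactly the research question Greg raises.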