ICANN ICANN Email List Archives


<<< Chronological Index >>>    <<< Thread Index >>>

Re: [gnso-ff-pdp-may08] Who benefits from fast flux activities, and who is harmed?

  • To: Joe St Sauver <joe@xxxxxxxxxxxxxxxxxx>
  • Subject: Re: [gnso-ff-pdp-may08] Who benefits from fast flux activities, and who is harmed?
  • From: Dave Piscitello <dave.piscitello@xxxxxxxxx>
  • Date: Fri, 11 Jul 2008 17:20:07 -0700


On 7/11/08 5:30 PM, "Joe St Sauver" <joe@xxxxxxxxxxxxxxxxxx> wrote:

Dave did an exemplary job in the text below... a little markup/reaction in

#"Who is harmed by fast flux activities?"
#1. Individuals whose computers are infected by attackers and subsequently
#used to host name servers or web sites for a fast flux phishing attack. The
#individual may have his Internet connection blocked. In the extreme, should
#the computer be suspected of hosting illegal material, the computer may be
#seized by law enforcement agents (LEAs) and the individual may be subjected
#to a criminal investigation.

I would add:

-- even if their connection doesn't end up completely blocked, users may
   experience degraded performance (as computer or network resources get
   consumed by the parasitic miscreant user(s) of their system)

-- also, even if the ISP doesn't block the infected user, remote ISPs
   may end up blocking all or some traffic from the user, e.g., as a result
   of the user's IP being listed on a DNS block list

-- the user may be (repeatedly) diverted from a normal connection to a walled
   garden where the only resources they can access are remediation sites
   or tools

-- a user's systems may become unstable as a result of malware which was
   installed to enable fast fluxing (even some *vendors* have trouble
   building patches that are safe for *all* version/patch permutations,
   so it shouldn't be surprising if some malware also causes stability issues)

Some specific examples of how users can be harmed by this, beyond what's
already been mentioned, can be seen in things like:

-- increased operational complexity and loss of Internet transparency as
   operators implement increasingly draconian measures in an effort to
   control abuse from potentially compromised users

-- costs associated with the prophylactic purchase of antivirus products,
   home firewall "routers" and other security products meant to keep bots
   and other security threats at bay

-- clean up costs when prophylactic measures fail (e.g., when a non-technical
   user needs to hire a technician to help them try to get uninfected)

-- in the case of users who get dropped by their ISP, or who become so
   disgusted with their ISP that they leave, the costs associated with
   moving from one ISP to another, including both direct contractual costs
   (such as potentially overlapping subscription costs, or disconnection
   and connection fees), as well as indirect costs such as changes in
   email addresses (with attendent lost or delayed email), time spent
   learning the ins-and-outs of a new ISP, time spent reconfiguring
   systems to use the new ISP, etc.

#2. Businesses and organizations whose computers are infected may have
#Internet connections blocked, which may result in loss of connectivity for
#all users as well as the possible loss of connectivity for any Internet
#services also hosted via the blocked connection (e.g., mail, web, e-merchant
#or ecommerce sites). Again, in the extreme, should the computer be suspected
#to host illegal material, the computer may be seized by LEAs and the
#individual may be subjected to a criminal investigation. If this computer
#were hosting web and other services for the business/organization, the
#seizure could also result in an interruption of service, loss of income or
#"web presence".

A compromised system in a business environment also immediately raises the
dreaded spectre of a breach of personally identifiable information (PII).

If PII was present on the compromised machine, notification may be mandated
by statute, which may result in substantial direct costs to affected
organization (my understanding is that a dollar a notification is a very
conservative floor for notification costs, and obviously some PII incidents
involve millions of affected individuals). PII-related worries also drive
the substantial costs associated with deployment of whole disk encryption.

Some businesses may also be affected by additional legislation specific to
their discipline, e.g., here in the States, things like GLBA or HIPAA apply
to financial institutions or health care institutions, respectively.

Employees may also be subject to non-criminal consequences, including
sanctions up to and including dismisal if they are found to be, or are
simply *believed to be*, at least partially responsible for their
company-supplied system being compromised.

#3. Individuals who receive phishing emails and are lured to a phishing site
#hosted on a bot used by the miscreants/criminals who run the phishing attack
#may have their identities stolen or suffer financial loss from credit card,
#securities or bank fraud.

Those losses may include both direct losses which a financial institution
declines to make whole, as well as indirect costs (potentially higher
interest rates, reduced credit lines, declined credit applications, etc.)

Identity theft can also touch on national security issues, if stolen
identity information is used to illegally cross borders, to illegally
remain in country or to work without permission, or to purchase items or
services (such as weapons or airline travel) that might not otherwise be
available if a person used their real identity.

#They may unwittingly disclose medical or personal
#information that could be used for blackmail or coersion.

Or for discriminatory treatment by employers concerned with potential
costs associated with identified (but latent) genetic conditions, for

Fear that medical record systems are porus may also deter some individuals
from even seeking help ("I'd like to find out what's causing my condition,
but I'm afraid that if I go in, the whole town will know I have <whatever>")

#They may infect
#their computers with malicious software that would "enlist" their computers
#into a bot herd.

[It seems odd to have this item pop up here -- this feels more like something
that belongs in an introductory paragraph explaining how fastflux works]

#Individuals who purchase bogus products, especially
#pharmaceuticals, may be  physically harmed from using such products.

... and in a variety of ways. For example:

-- teenagers might have uncontrolled access to narcotics, steroids or other
   dangerous controlled substances, with potentially tragic consequences,

-- women attempting to purchase birth control patches online might be sold
   adhesive bandages with no active ingredient whatsoever instead (true
   example, BTW)

-- cancer patients, rather than receiving efficacious treatment from a
   licensed physician, might rely on bogus online herbal "cures" that
   actually do nothing to treat their disease, again, potentially resulting
   in deaths or serious complications

and the list goes on... [Illegal generics also undercut the incentive for
pharmaceutical firms to invest in new drug research by cutting into their
earning stream while their discovery is protected by patents.]

Besides pillz, I'd also note that sale of counterfeit products is another
example of how fast flux networks can result in users and businesses being
harmed. Counterfeit products may undermine the value of carefully nurtured
brand names, leave consumers with shoddy or disfunctional products, deny
nation's legitimate customs revenues associated with the importation of
premium brand-name products, result in unsafe products (I was surprised to
learn that counterfeit UL-listed electrical appliances cords are a routinely
available item, for example).

#4. Internet access operators

I'd probably call them Internet access providers or Internet service
providers instead of Internet access operators

#are harmed when their IP address blocks

and their domain names

#are associated with bot nets and phishing attacks that are linked to fast flux
#activities. These operators also bear the burden of switching the
#unauthorized traffic that phishing attacks generate and they may also incur
#the cost of diverting staff and resources to respond to abuse reports or
#legal inquiries.

... or helping users to get cleaned up, or purchasing antivirus products
to hand out to users, or deploying network-based remediation solutions.

They also get slammed on the other end of the pipe, when fastflux enables
spamvertised sites, and they get deluged with piles of inbound spam
advertising those fastflux hosted spamvertised domains.

ISPs may also experience excess DNS-related traffic as a result of fastflux,
resulting in the need for more recursive resolver capacity than they'd
otherwise need to deploy.

ISPs may also be forced to deploy deep packet inspection equipment or
other gear to detect and respond to fastflux hosted sites on customer
systems. (Because web sites can be easily hosted on arbitrary ports,
port-based blocking solutions won't work to control fastflux hosting,
unlike port 25 blocks depoloyed to control direct-to-MX spam).

#5. Registrars are harmed when their registration and DNS hosting services
#are used to abet "double flux" attacks. Like Internet access providers, they
#may also incur the cost of diverting staff and resources to monitor abuse,
#or to respond to abuse reports or legal inquiries.

I'd also explicitly recognize that registrars will likely see things like
wdprs.internic.net complaints in conjunction with fast flux domains, simply
because that's one of the only complaint mechanisms which are available, so
antispam activists have become very good at carefully scrutinizing domain
whois data for whois problems. Dealing with those WDPRS reports represents
an additional specific cost, and one possibility might be to provide a
reporting channel that focusses on the actual issue (a domain has been
detected which engaged in criminal activity) rather than the substitute
issue (there's a problem with the domain's whois data).

#6. Businesses and organizations who are "phished" from bogus web sites
#hosted on fast fluxing networks may experience financial or material loss,
#tarnish to brand, or loss of customer/consumer confidence. They also incur
#the cost associated with brand abuse monitoring, detection and mitigation.
#7. Individuals or businesses whose lives or livelihoods are affected by the
#illegal activities abetted through fast flux networks, as are persons who
#are defrauded of funds or identities, whose products are imitated or brands
#infringed upon, and persons who are exploited emotionally or physically by
#the distribution of images or enslavement.

The intent of that paragraph might be clarified by explicitly talking about
child pornography, unauthorized distribution of proprietary software (warez),
unauthorized distribution of copyrighted music and movies, unauthorized
distribution of counterfeit merchandise, etc.

#8. Registries may incur the cost of diverting staff and resources to monitor
#abuse or to respond to abuse reports or legal inquiries.

Uptake/legitimate use of some TLDs may also be impacted by fast flux abuse.
If the public perceives that simple use of a domain from a particular TLD
may result in negative scoring by things like SpamAssassin, that can be a
powerful disincentive hindering use of that registry's TLD.

#Who benefits from the use of short TTLs?

I'd emphasize that "short TTLs" are NOT synonymous with "fastflux" and that
short TTLs are only one characteristic associated with fastflux domains.
It is important to discuss legitimate use of short TTLs, however, because
they have legitimate uses as well as a strong association with some fastflux

#1. Organizations that operate highly targetable networks (e.g., government
#and military/tactical networks) that must adhere to very stringent
#availability metrics and use short TTLs to rapidly relocate network
#resources which may come under attack (Assumes the attack
#targets a dotted quad and not a FQDN.
#(From Joe St. Sauver:

No dot in my last name, BTW. :-)

#Targetting a dotted quad rather than a FQDN is
#generally preferred by intelligent attackers because then you avoid creating
#a "steerable death ray" which can be repointed by whomever controls the DNS
#for the targeted domain name)
#2. Content distribution networks such as Akamai, where "add, drop, change"
#of servers are common activities to complement existing servers with
#additional capacity, to load balance or location-adjust servers to meet
#performance metrics (latency, for example, can be reduced by making servers
#available that are fewer hops from the current most active locus of users
#and by avoiding lower capacity or higher cost international/intercontinental
#transmission links).

Some providers may also selectively return different IP addresses in response
to DNS queries from different audiences -- e.g., you might get German content
if you're connecting from what appears to be a German IP address, or French
content if you're connecting from what appears to be a French IP address.

#3. Organizations that provide channels for free speech, minority advocacies,
#and activities, revolutionary thinking may use short TTLs and operate
#fast-flux like networks to avoid detection.

I haven't seen this. I've certainly seen organizations offer encrypted,
non-attributable, or covert communication channels, such as use of PGP/Gnu
Privacy Guard, remailers, steganographic methods, Tor/"onion routing,"
anonymous VPN services, etc., but I've NOT seen those organizations use
fastflux web hosting.

Fastflux, when I've seen it used, has been to host spamvertised web sites.

Those spamvertised web sites may be phishing web sites, or malware web
dropping sites, or child porn sites, or warez sites, or carding sites,
or whatever, but I can't think of even a single case where political,
religious or other dissident web sites have ended up hosted on fastflux.

Why? Because in every case I'm aware of, dissident web sites can simply
purchase legitimate extraterritorial web hosting, so that even if
Kerblechistan won't allow their web site to be hosted domestically,
someone abroad will typically happily step up to the table.

The only folks who end up on fastflux are those who are so beyond the
pale that NO ONE will host them *anywhere* in the world. Dissidents
simply aren't "bad enough" to have trouble getting hosting, and
fastflux does not encompass attempts to covertly access Internet
resources without detection by authoritative regimes.

So... I'd love to see a concrete example of a free speech or other web
site that *is* using fastflux hosting (and by this I mean "a web site
that's hosted on, or which appears to be hosted on, compromised consumer
PCs, without that PC owner's informed consent"). [I say "appears to be
hosted on" because most fastflux sites don't actually host content
locally, they just reverse proxy traffic back to the backend "mother
ship" elsewhere, where the content is really hosted]


Joe St Sauver

Disclaimer: all opinions expressed are strictly my own.

<<< Chronological Index >>>    <<< Thread Index >>>

Privacy Policy | Terms of Service | Cookies Policy