ICANN Email List Archives



RE: [gnso-ff-pdp-may08] The need for facts

  • To: mike@xxxxxxxxxx
  • Subject: RE: [gnso-ff-pdp-may08] The need for facts
  • From: Joe St Sauver <joe@xxxxxxxxxxxxxxxxxx>
  • Date: Sun, 13 Jul 2008 14:13:35 -0700


#1) what facts would we need in order to understand its scale and scope?

1a. How many IP addresses are known to be participating as fastflux nodes?
1b. How many domain names use fastflux?
1c. How many unique name servers support fastflux domains?
1d. What fraction of those unique name servers are themselves served on
    fastflux IPs?
1e. What registrars or registration service providers have been used to 
    create fastflux domains?
1f. If notified that a customer's domain is fast fluxing, what (if anything)
    will a registrar or registration service provider do? How long does it
    take them to do it? If they do nothing, why? If they *do* do something,
    what do they do?
1g. If notification is made to ISPs, will they pass those notifications 
    along to the infected customers? If so, do the customers, once notified,
    appear to be remediated (or at least cease to be seen as fastflux nodes?)

#2) where could we get those facts?

2a. Accept a feed of fastflux domain name candidates, and verify the IP
    addresses on which they live.
2b. From the 2a list, extract name servers and registrars/registration 
    service providers
2c. Contact the registrar/registration service provider with the observed
    data, and note their response (including the time required to make 
    those reports, and the time required for the registrar/registration
    service provider to respond/react). Truncating the right tail of the
    response window at some reasonable time period may be desirable.
2d. Track individual fastflux IPs over time, including noting time of
    ISP notification.

#3) are the statistics being collected now? how well -- is the data credible?

3. I'm a big believer of data replication and validation. I'd encourage folks
   who feel likewise to participate in measuring this phenomenon. Replication
   brings validity and trust.

#4) if they're being collected, is the person/organization willing to 
#share them?

4. In the "everyone a gardener/hunter, everyone a chef" model, that's up
   to each gardener/hunter chef. :-)

#5) if they're not being collected now, what's the best place to get 
#them and is it worth it to go after them?

WRT the "is it worth it to go after them," am I detecting backsliding
from the earlier "we like facts/data?" :-;

Data collection isn't completely painless, but it doesn't need to be 
particularly painFUL, either. 

#at this stage of the game, i'm yearning more for reliable information 
#*sources* than raw data.  

Be paranoid. Trust no one. A thousand eyes are better than one (or even 
two :-) ). Information you collect yourself is the best information of all.

#reliable/public/published methods of analyzing that data to help us 
#understand the breadth and depth of the problems we're looking at.

The nice thing about fastflux is that it is "self-exposing" once you 
know where to look. Happy to start suggesting relevant rocks.

#one of the things that i'm pondering is the need for some sort of 
#collaboration between us (ICANN) and some of the other institutions 
#that are out there.  

Collaboration is very good, as is your list. At the risk of stating the
obvious, I'd also suggest the APWG be formally on that list, and MAAWG. 

The Educause Security Task Force is actually the Educause/Internet2
(or Internet2/Educause) Security Task Force, and that's yet another
activity I'm involved with as part of my $DAYJOB. :-)

#sorry about the US-centric list, this is just a list that comes to 
#mind, left over from the days when i worked for a living.   

Terena is one technically oriented possibility from Europe.

Since we're talking about cybercrime, I also wonder about law 
enforcement agencies, such as Interpol.

Would vendors also provide a useful source of data?

#thanks Joe for the speedy reply, even though it did sorta make my 
#eyeballs peel.  :-)

De nada. :-) Happy to peel eyeballs anytime. :-)



Disclaimer: all opinions strictly my own.
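Steps 2a through 2d in the message above describe a measurement procedure. As an added illustration (not code from the list post, from Joe St Sauver, or from ICANN), the following Python snippet verifies candidates from a constructed resolution feed and derives the 1a-1d counts; the snapshot data, the name-server addresses and the flux thresholds are all constructed assumptions.

```python
"""Summarize a fast-flux candidate feed into the 1a-1d measures (added example)."""
from collections import defaultdict

# Constructed sample feed (hypothetical values). Each snapshot is one resolution
# of a candidate domain: (domain, ttl_seconds, a_records, ns_names).
SNAPSHOTS = [
    ("flux-a.example", 300, ["198.51.100.10", "198.51.100.11", "203.0.113.5"], ["ns1.flux-a.example"]),
    ("flux-a.example", 300, ["198.51.100.12", "203.0.113.6", "203.0.113.7"], ["ns1.flux-a.example"]),
    ("flux-a.example", 300, ["198.51.100.10", "203.0.113.8", "203.0.113.9"], ["ns1.flux-a.example"]),
    ("flux-b.example", 180, ["192.0.2.20", "192.0.2.21"], ["ns.hoster.example"]),
    ("flux-b.example", 180, ["192.0.2.22", "192.0.2.23"], ["ns.hoster.example"]),
    ("flux-b.example", 180, ["192.0.2.24", "192.0.2.25"], ["ns.hoster.example"]),
    ("static.example", 86400, ["192.0.2.1"], ["ns.hoster.example"]),
    ("static.example", 86400, ["192.0.2.1"], ["ns.hoster.example"]),
]
# Constructed name-server resolutions: NS hostname -> IPs it is served from.
NS_ADDRESSES = {
    "ns1.flux-a.example": ["203.0.113.5"],  # served from one of the flux nodes
    "ns.hoster.example": ["192.0.2.100"],   # ordinary hosting-provider NS
}

def is_fast_flux(snaps, min_unique_ips=5, max_ttl=600):
    """Step 2a: a candidate is confirmed when it shows many distinct A records
    across snapshots and only short TTLs. Thresholds are illustrative assumptions."""
    ips = {ip for _, _, a_records, _ in snaps for ip in a_records}
    ttls = [ttl for _, ttl, _, _ in snaps]
    return len(ips) >= min_unique_ips and max(ttls) <= max_ttl

def summarize(snapshots, ns_addresses):
    """Steps 2a/2b: verify candidates, then derive the 1a-1d measures."""
    by_domain = defaultdict(list)
    for snap in snapshots:
        by_domain[snap[0]].append(snap)
    flux_domains = {d for d, snaps in by_domain.items() if is_fast_flux(snaps)}
    flux_ips = {ip for d in flux_domains for _, _, a, _ in by_domain[d] for ip in a}
    name_servers = {ns for d in flux_domains for _, _, _, nss in by_domain[d] for ns in nss}
    # 1d: name servers whose own addresses fall inside the confirmed flux IP set
    ns_on_flux = {ns for ns in name_servers if set(ns_addresses.get(ns, [])) & flux_ips}
    return {
        "flux_ips": len(flux_ips),             # 1a
        "flux_domains": len(flux_domains),     # 1b
        "name_servers": len(name_servers),     # 1c
        "ns_on_flux_fraction": len(ns_on_flux) / len(name_servers) if name_servers else 0.0,  # 1d
    }

if __name__ == "__main__":
    print(summarize(SNAPSHOTS, NS_ADDRESSES))
```

The same per-domain records, extended with registrar and ISP notification timestamps, give the response-time measures of steps 2c and 2d.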

