ICANN Email List Archives



Re: [gnso-ff-pdp-may08] Data from Arbor Networks

  • To: Minaxi Gupta <minaxi@xxxxxxxxxxxxxx>
  • Subject: Re: [gnso-ff-pdp-may08] Data from Arbor Networks
  • From: "Mike O'Connor" <mike@xxxxxxxxxx>
  • Date: Mon, 14 Jul 2008 20:06:42 -0500

At 04:47 PM 7/14/2008, Minaxi Gupta wrote:

Hi all,

My research group at Indiana University has been tracking the IPs
hosting phishing sites for many months.  We are currently analyzing the
fast flux data that may be useful to this working group.

Hi Minaxi, welcome to the working group.

As you can probably tell, I love the prospect of more data with regard to fast flux. Anything you would like to share would be welcome indeed.

I would also like to point to a recent paper on identifying fast
flux.  The paper does not measure fast flux, nor does it deal with
double flux (which we are looking into) but is a good starting point:


This paper is *excellent* work -- I highly recommend it, especially to our more technical members. One thing that strikes me is the possibility of future collaborations, both on methods and on monitoring systems. Thank you!



On Jul 14, 2008, at 4:52 PM, Mike O'Connor wrote:

Many thanks to Joe St Sauver for putting me in touch with Jose
Nazario of Arbor Networks.  "Arbor Networks is a leading provider of
secure service control solutions for global networks. Arbor's
customers include over 70 percent of the world's ISPs and many large
enterprises. By providing unmatched network-wide visibility, Arbor
solutions deliver best-in-class network security, traffic
management, network monitoring, bandwidth management and broadband
service optimization " (from their web site).

Jose has offered to help us out on the fact-gathering front.  Here's
his email, responding to some very general questions that I just
posed to him.  I wanted to share this with the group as a great
example of a helpful partnership and resource.   Many thanks, Jose!

I asked Jose whether these numbers are a good representation of the
total numbers, or are they sub-totals (based on the networks that
they're monitoring).   He says it's independent of their sensors.
He goes on to say that they get candidate domains from an internal
spam feed, malcode URLs and a few blacklists.  They screen for
"fluxy" characteristics and then track the live ones.

Here's a presentation to FIRST (last month) that he shared with me.
I found it very interesting, all the way from data-presented to
issues that we're charged with looking into.  Worth the read IMHO;


Here's his email response to my broadly-framed questions (I promised
him that our questions would get more carefully-crafted);

Date: Mon, 14 Jul 2008 14:39:22 -0400 (EDT)
From: Jose Nazario <jose@xxxxxxxxx>
To: Mike O'Connor <mike@xxxxxxxxxx>
cc: Joe St Sauver <joe@xxxxxxxxxxxxxxxxxx>
Subject: Re: fast flux data for ICANN

On Mon, 14 Jul 2008, Mike O'Connor wrote:

- the scale and scope of fast-flux activities (ie, what percent of
 addresses, and what percent of domain-names are used for fast-flux?)

ATLAS measures fast flux botnet membership via active polling of
the domain names. that said, ATLAS sees ~3000 unique IPs for those
addresses every 24 hours or so.

ATLAS is currently tracking ~6400 fast flux domain names.

both values are sub 1% for their entity class. even if we're off by
a reasonable factor of 10 it's just not a "big" problem in terms
of populations.

active polling gives us between 1 and 5 % botnet visibility for
botnets using fast flux (a small minority of all botnets) when we
compare active botnet measurements vs DNS-based methods.

- the impact of fast flux (how many networks, businesses, etc.
 harm -- and what kind of harm)

there are at least two sides to the "harm" question: infected
machines participating in the fast flux network and victims who
click the links to go there (ie folks lured in by the storm worm
campaigns). the latter is well measured by various groups. the
former is something we can estimate in ATLAS.

here's top 20 ASNs by infected bot count in the past 24 hours:

   150 | AS7132 SBIS-AS - AT&T Internet Services
   121 | AS8708 RDSNET RCS & RDS S.A.
   117 | AS8402 CORBINA-AS Corbina Telecom
    88 | AS9121 TTNET TTnet Autonomous System
    72 | AS5617 TPNET Polish Telecom's commercial IP network
    57 | AS8997 ASN-SPBNIT OJSC North-West Telecom Autonomous System
    53 | AS13184 HANSENET HanseNet Telekommunikation GmbH
    50 | AS8615 CNT-AS CNT Autonomous System
    50 | AS8551 BEZEQ-INTERNATIONAL-AS Bezeqint Internet Backbone
    50 | AS4766 KIXS-AS-KR Korea Telecom
    47 | AS9304 HUTCHISON-AS-AP Hutchison Global Communications
    47 | AS12714 TI-AS NetByNet Holding
    43 | AS4837 CHINA169-BACKBONE CNCGROUP China169 Backbone
    43 | AS3209 Arcor IP-Network
    36 | AS9829 BSNL-NIB National Internet Backbone
    36 | AS6830 UPC UPC Broadband
    36 | AS1680 NetVision Ltd.
    32 | AS6746 ASTRAL ASTRAL Telecom SA, Romania
    32 | AS3320 DTAG Deutsche Telekom AG

none of these stand out as a big corporation like microsoft or GM
(as opposed to consumer broadband).

based on these numbers i would say the scale of the problem just
based on populations is small.

i think there is more to it than that, including dollar values,
stress on the infrastructure, facilitating spam and fraud, etc.

jose nazario, ph.d.     <jose@xxxxxxxxx>
security researcher, office of the CTO,  arbor networks
v: (734) 821 1427             http://asert.arbornetworks.com/

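The measurement approach Jose describes above, taking candidate domains from spam and malcode feeds, polling their names actively, screening for "fluxy" characteristics and then counting the infected nodes per ASN, can be sketched as a small tracker. The Python below is an added illustration and is not Arbor's ATLAS code or anything posted in this thread. The domain names, IP addresses, ASN labels and the resolver are all constructed so it runs without network access, and the screening thresholds (distinct IPs, TTL, distinct ASNs) are assumptions of the example, not ATLAS's actual criteria.

```python
"""Sketch of an active-polling fast-flux tracker.

Everything here is constructed: the domain names, IP addresses, ASN labels and
the resolver are stand-ins so the example runs with no network access. It is an
added illustration, not Arbor's ATLAS code."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

# A resolver returns (ttl_seconds, [ip, ...]) for a name. In practice this would wrap
# a DNS library; the caller injects it so the tracker itself has no network dependency.
Resolver = Callable[[str], Tuple[int, List[str]]]


@dataclass
class DomainRecord:
    """What repeated polling of one candidate domain has revealed so far."""
    ips: Set[str] = field(default_factory=set)   # every address ever returned
    polls: int = 0
    min_ttl: int = 10**9                         # lowest TTL seen across polls
    answer_changes: int = 0                      # polls whose answer set differed from the last
    last_answer: FrozenSet[str] = frozenset()


class FluxTracker:
    def __init__(self, ip_to_asn: Dict[str, str]) -> None:
        # Constructed IP -> ASN map standing in for a real BGP/whois lookup.
        self.ip_to_asn = ip_to_asn
        self.records: Dict[str, DomainRecord] = defaultdict(DomainRecord)

    def poll(self, domain: str, resolver: Resolver) -> None:
        """Resolve the domain once and fold the answer into its record."""
        ttl, ips = resolver(domain)
        rec = self.records[domain]
        answer = frozenset(ips)
        rec.polls += 1
        rec.min_ttl = min(rec.min_ttl, ttl)
        if rec.polls > 1 and answer != rec.last_answer:
            rec.answer_changes += 1
        rec.last_answer = answer
        rec.ips.update(ips)

    def asns_for(self, domain: str) -> Set[str]:
        return {self.ip_to_asn.get(ip, "UNKNOWN") for ip in self.records[domain].ips}

    def is_fluxy(self, domain: str, min_ips: int = 5, max_ttl: int = 300,
                 min_asns: int = 3) -> bool:
        """Assumed screening rule: many distinct IPs, short TTLs, spread over several ASNs.
        Any one signal alone (e.g. a short TTL) also matches CDNs, hence the combination."""
        rec = self.records[domain]
        return (len(rec.ips) >= min_ips
                and rec.min_ttl <= max_ttl
                and len(self.asns_for(domain)) >= min_asns)

    def top_asns(self, n: int = 3) -> List[Tuple[str, int]]:
        """Distinct flux-node IPs per ASN across all tracked domains, i.e. the shape of
        the 'top ASNs by infected bot count' table in the thread (sorted for determinism)."""
        nodes: Set[str] = set()
        for rec in self.records.values():
            nodes.update(rec.ips)
        counts = Counter(self.ip_to_asn.get(ip, "UNKNOWN") for ip in nodes)
        return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


# --- constructed sample data (documentation-range IPs, private-use ASNs) ---
FLUX_POOL = ["198.51.100.%d" % i for i in range(1, 9)] + ["203.0.113.%d" % i for i in range(1, 5)]
IP_TO_ASN = {ip: "AS64496" for ip in FLUX_POOL[:5]}
IP_TO_ASN.update({ip: "AS64497" for ip in FLUX_POOL[5:9]})
IP_TO_ASN.update({ip: "AS64498" for ip in FLUX_POOL[9:]})
IP_TO_ASN["192.0.2.10"] = "AS64499"


def make_fake_resolver() -> Resolver:
    """flux.example rotates through FLUX_POOL three addresses at a time with a 60 s TTL;
    static.example always answers with one address and a one-hour TTL."""
    state = {"i": 0}

    def resolve(name: str) -> Tuple[int, List[str]]:
        if name == "flux.example":
            i = state["i"]
            state["i"] += 3
            return 60, [FLUX_POOL[(i + k) % len(FLUX_POOL)] for k in range(3)]
        return 3600, ["192.0.2.10"]

    return resolve


def run_demo(polls: int = 6) -> FluxTracker:
    """Poll both constructed domains `polls` times and return the populated tracker."""
    tracker = FluxTracker(IP_TO_ASN)
    resolver = make_fake_resolver()
    for _ in range(polls):
        tracker.poll("flux.example", resolver)
        tracker.poll("static.example", resolver)
    return tracker


if __name__ == "__main__":
    t = run_demo()
    for name in ("flux.example", "static.example"):
        rec = t.records[name]
        print(name, "ips=%d min_ttl=%d changes=%d asns=%d fluxy=%s" % (
            len(rec.ips), rec.min_ttl, rec.answer_changes, len(t.asns_for(name)), t.is_fluxy(name)))
    print("top ASNs:", t.top_asns(3))
```

Two points from the thread carry over to any real version of this. First, the set of IPs a poller accumulates is only the addresses the flux network chose to advertise while it was being watched; Jose's 1 to 5 % visibility figure is a reminder that such counts are a lower bound on membership, not the population. Second, the per-ASN table is only as good as the IP-to-ASN mapping, which here is a constructed dictionary rather than a BGP lookup.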

