ICANN Email List Archives

[gnso-ff-pdp-may08]



Re: [gnso-ff-pdp-may08] Re: [ntfy-gnso-ff-pdp-may08] FW: example: using fast-flux to escape censorship

  • To: "gnso-ff-pdp-may08@xxxxxxxxx" <gnso-ff-pdp-may08@xxxxxxxxx>
  • Subject: Re: [gnso-ff-pdp-may08] Re: [ntfy-gnso-ff-pdp-may08] FW: example: using fast-flux to escape censorship
  • From: "Mike O'Connor" <mike@xxxxxxxxxx>
  • Date: Wed, 16 Jul 2008 06:55:15 -0500

At 06:41 AM 7/16/2008, Dave Piscitello wrote:
Fast flux is not an attack, but a technique - one element - of an attack. As we try to refine the terminology, we might want to be careful when we use each term. These definitions seem to be emerging:
   * fast flux: an attack technique that involves rapidly changing the bindings of IP addresses to domain names, typically to prevent detection of hosts operating illegal or unauthorized services (DNS, mail, web)
   * fast flux hosting: employing fast flux as part of the hosting component of a criminal or other unauthorized activity (e.g., phishing)
   * fast flux attack: an attack that uses fast flux
   * short TTL: a value in the Time To Live parameter associated with a DNS resource record(s) that is observably less than the values encountered in the DNS under typical operating conditions, e.g., less than 3600 seconds. Short TTLs may be used for both legitimate and abusive purposes; for example, the use of a short TTL is one way to enable a fast flux attack.
Using an antispam analogy, you can't conclude that an email is spam solely on the basis that it contains the brand name of an erectile dysfunction product. Ditto for short TTL.
The use of short TTLs is one of several "markers" that you might use to detect an attack that employs fast flux. Large numbers of NS name server resource records and frequent changes to those RRs are another. The use of IP addresses that fall outside the typical address range used for this domain is another. Evaluated in combination, these may be useful. Evaluated in isolation, they might result in false positives.
We are supposed to study fast flux. Do the definitions above help us with the scope we are struggling to identify?
yes.

but... here's another example of where a posting to the private list has "escaped" to the public one.
dang.

m
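As an added illustration of the "markers in combination" point quoted above (example code, not from the thread or from ICANN): a small Python check that scores a domain's resolution history against the four markers Dave lists and only flags it when several coincide. The NS-count threshold, the change-rate rule and the "typical range" prefix are assumptions, and the sample lookups are constructed from RFC 5737 documentation addresses.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SHORT_TTL = 3600   # from the post: "observably less than ... e.g., less than 3600 seconds"
MANY_NS = 5        # assumed threshold for "large numbers of NS ... resource records"

@dataclass(frozen=True)
class Lookup:
    ttl: int              # TTL on the A records returned
    addrs: frozenset      # A record addresses returned by this lookup
    ns_count: int         # number of NS records observed at the same time

def markers(lookups, typical_prefix):
    """Return the set of fast-flux markers present across one domain's lookups."""
    found = set()
    if any(lk.ttl < SHORT_TTL for lk in lookups):
        found.add("short_ttl")
    if any(lk.ns_count >= MANY_NS for lk in lookups):
        found.add("many_ns")
    # "frequent changes to those RRs": count how often the answer set changes (assumed rule)
    changes = sum(1 for a, b in zip(lookups, lookups[1:]) if a.addrs != b.addrs)
    if changes >= 2 and changes >= len(lookups) // 2:
        found.add("frequent_changes")
    # "IP addresses that fall outside the typical address range used for this domain"
    typical = ip_network(typical_prefix)   # assumed: the domain's historically usual prefix
    if any(ip_address(ip) not in typical for lk in lookups for ip in lk.addrs):
        found.add("outside_typical_range")
    return found

def is_fast_flux_candidate(lookups, typical_prefix, min_markers=3):
    """Flag only when several markers coincide, so a lone short TTL is not enough."""
    return len(markers(lookups, typical_prefix)) >= min_markers

# Constructed sample: a CDN-style domain with a short TTL but stable addresses
# inside its usual /24 and only two NS records (a legitimate short-TTL user).
CDN = [
    Lookup(60, frozenset({"203.0.113.10", "203.0.113.11"}), 2),
    Lookup(60, frozenset({"203.0.113.11", "203.0.113.10"}), 2),
    Lookup(60, frozenset({"203.0.113.12"}), 2),
    Lookup(60, frozenset({"203.0.113.12"}), 2),
]
# Constructed sample: a flux-style domain with a short TTL, many NS records, a new
# answer on every lookup, and addresses scattered outside the domain's usual /24.
FLUX = [
    Lookup(300, frozenset({"198.51.100.7"}), 8),
    Lookup(300, frozenset({"192.0.2.33"}), 8),
    Lookup(300, frozenset({"203.0.113.200"}), 8),
    Lookup(300, frozenset({"198.51.100.99"}), 8),
]
```

Run against the two samples, the CDN history yields only the short_ttl marker and is not flagged, while the flux history yields all four and is.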


