ICANN Email List Archives



Re: [gnso-ff-pdp-may08] Re: [ntfy-gnso-ff-pdp-may08] FW: example: using fast-flux to escape censorship

  • To: "gnso-ff-pdp-may08@xxxxxxxxx" <gnso-ff-pdp-may08@xxxxxxxxx>
  • Subject: Re: [gnso-ff-pdp-may08] Re: [ntfy-gnso-ff-pdp-may08] FW: example: using fast-flux to escape censorship
  • From: "Mike O'Connor" <mike@xxxxxxxxxx>
  • Date: Wed, 16 Jul 2008 06:55:15 -0500

At 06:41 AM 7/16/2008, Dave Piscitello wrote:
Fast flux is not an attack, but a technique, one element, of an attack. As we try to refine the terminology, we might want to be careful when we use each term. These definitions seem to be emerging:

* fast flux: an attack technique that involves rapidly changing the bindings of IP addresses to domain names, typically to prevent detection of hosts operating illegal or unauthorized services (DNS, mail, web)
* fast flux hosting: employing fast flux as part of the hosting component of a criminal or other unauthorized activity (e.g., phishing)
* fast flux attack: an attack that uses fast flux
* short TTL: a value in the Time To Live parameter associated with a DNS resource record(s) that is observably less than the values encountered in the DNS under typical operating conditions, e.g., less than 3600 seconds. Short TTLs may be used for both legitimate and abusive purposes; for example, the use of a short TTL is one way to enable a fast flux attack.

Using an antispam analogy, you can't conclude that an email is spam solely on the basis that it contains the brand name of an erectile dysfunction product. Ditto for short TTL.

The use of short TTLs is one of several "markers" that you might use to detect an attack that employs fast flux. Large numbers of NS name server resource records and frequent changes to those RRs is another. The use of IP addresses that fall outside the typical address range used for this domain is another. Evaluated in combination, these may be useful. Evaluated in isolation, they might result in false positives.

We are supposed to study fast flux. Do the definitions above help us with the scope we are struggling to identify?


but... here's another example of where a posting to the private list has "escaped" to the public one.
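The point Dave makes in the quoted message, that a short TTL on its own is not evidence of fast flux and that markers should be evaluated in combination, can be illustrated with a small scoring routine. The code below is an added example, not part of this thread or of any ICANN working-group output. It scores a series of DNS observations for one domain against the markers the message lists (short TTL, many NS records, churn in NS and A records, addresses outside the domain's usual range). The 3600-second TTL boundary comes from the message; every other threshold, the `Observation` structure, the baseline prefixes and the sample observations are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Thresholds are assumptions for this example; only the 3600 s "short TTL"
# boundary is taken from the thread. Tune against real resolver data.
SHORT_TTL_SECONDS = 3600
MANY_NS_THRESHOLD = 5        # NS RRs in one response considered "large"
NS_CHURN_THRESHOLD = 2       # distinct NS sets seen across the window
A_CHURN_THRESHOLD = 4        # distinct A sets seen across the window
MARKERS_TO_FLAG = 3          # several markers must agree before flagging


@dataclass(frozen=True)
class Observation:
    """One DNS lookup of the domain (constructed shape, not a real feed)."""
    ts: int                  # seconds since epoch
    ttl: int                 # TTL of the A record set
    a_records: frozenset     # IPv4 addresses returned
    ns_records: frozenset    # NS names returned


def markers(observations, baseline_prefixes):
    """Evaluate each fast-flux marker independently over the window."""
    short_ttl = all(o.ttl < SHORT_TTL_SECONDS for o in observations)
    many_ns = max(len(o.ns_records) for o in observations) >= MANY_NS_THRESHOLD
    ns_churn = len({o.ns_records for o in observations}) >= NS_CHURN_THRESHOLD
    a_churn = len({o.a_records for o in observations}) >= A_CHURN_THRESHOLD
    nets = [ip_network(p) for p in baseline_prefixes]
    seen_ips = {ip for o in observations for ip in o.a_records}
    outside = any(not any(ip_address(ip) in n for n in nets) for ip in seen_ips)
    return {
        "short_ttl": short_ttl,
        "many_ns": many_ns,
        "ns_churn": ns_churn,
        "a_churn": a_churn,
        "ip_outside_baseline": outside,
    }


def assess(observations, baseline_prefixes):
    """Combine markers: a single hit (e.g. short TTL alone) never flags."""
    m = markers(observations, baseline_prefixes)
    hits = [name for name, hit in m.items() if hit]
    return {
        "markers": m,
        "hits": hits,
        "hit_count": len(hits),
        "suspected_fast_flux": len(hits) >= MARKERS_TO_FLAG,
    }


# Constructed sample data using documentation address ranges.
BASELINE_PREFIXES = ["203.0.113.0/24"]   # the domain's usual hosting range

# A content-distribution style domain: short TTL, but stable NS and A
# records inside its usual range. Short TTL alone should not flag it.
CDN_OBSERVATIONS = [
    Observation(ts=1000 + 300 * i, ttl=60,
                a_records=frozenset({"203.0.113.10", "203.0.113.11"}),
                ns_records=frozenset({"ns1.example.net", "ns2.example.net"}))
    for i in range(5)
]

# A fluxing domain: short TTL, a different address set on every lookup,
# many NS names that also change, and addresses outside the baseline.
_FLUX_A_SETS = [
    frozenset({"192.0.2.14", "198.51.100.7"}),
    frozenset({"192.0.2.88", "198.51.100.21"}),
    frozenset({"192.0.2.3", "198.51.100.64"}),
    frozenset({"192.0.2.120", "198.51.100.9"}),
    frozenset({"192.0.2.45", "198.51.100.77"}),
]
_FLUX_NS_SETS = [
    frozenset(f"ns{n}.example.org" for n in range(1, 7)),
    frozenset(f"ns{n}.example.org" for n in range(3, 9)),
]
FLUX_OBSERVATIONS = [
    Observation(ts=1000 + 300 * i, ttl=120,
                a_records=_FLUX_A_SETS[i],
                ns_records=_FLUX_NS_SETS[i % 2])
    for i in range(5)
]


if __name__ == "__main__":
    for label, obs in (("cdn-like", CDN_OBSERVATIONS), ("flux-like", FLUX_OBSERVATIONS)):
        result = assess(obs, BASELINE_PREFIXES)
        print(label, result["hits"], "->", result["suspected_fast_flux"])
```

Run stand-alone, the CDN-like series trips only the short-TTL marker and is not flagged, while the flux-like series trips all five and is. The `MARKERS_TO_FLAG` requirement is what encodes the thread's caution: any one marker in isolation, short TTL included, is a false-positive risk, and it is the agreement of several that makes the signal useful.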



