ICANN Email Archives: [gnso-ff-pdp-may08]

ICANN ICANN Email List Archives

[gnso-ff-pdp-may08]

<<< Chronological Index >>> <<< Thread Index >>>

Re: [gnso-ff-pdp-may08] Re: [ntfy-gnso-ff-pdp-may08] FW: example: using fast-flux to escape censorship

To: "gnso-ff-pdp-may08@xxxxxxxxx" <gnso-ff-pdp-may08@xxxxxxxxx>
Subject: Re: [gnso-ff-pdp-may08] Re: [ntfy-gnso-ff-pdp-may08] FW: example: using fast-flux to escape censorship
From: "Mike O'Connor" <mike@xxxxxxxxxx>
Date: Wed, 16 Jul 2008 06:55:15 -0500


At 06:41 AM 7/16/2008, Dave Piscitello wrote:

Fast flux is not an attack, but a technique ?one element ? of an attack. As we try to refinethe terminology, we might want to be carefulwhen we use each term. These definitions seem to be emerging:
* fast flux: an attack technique thatinvolves rapidly changes the bindings of IPaddresses to domain names, typically to preventdetection of hosts operating illegal or unauthorized services (DNS, mail, web)* fast flux hosting: employing fast flux aspart of the hosting component of a criminal orother unauthorized activity (e.g., phishing)
   * fast flux attack: an attack that uses fast flux
* short TTL: a value in the Time To Liveparameter associated with a DNS resourcerecord(s) that is observably less than thevalues encountered in the DNS under typicaloperating conditions, e.g., less than 3600seconds. Short TTLa may be used for bothlegitimate and abusive purposes; for example,the use of a short TTLa is one way to enable a fast flux attack.
Using an antispam analogy, you can?t concludethat an email is spam solely on the basis thatit contains the brand name of an erectiledysfunction product. Ditto for short TTL.
The use of short TTLs is one of several?markers? that you might use to detect an attackthat employs fast flux. Large numbers of NS nameserver resource records and frequent changes tothose RRs is another. The use of IP addressesthat fall outside the typical address range usedfor this domain is another. Evaluated incombination, these may be useful. Evaluated inisolation, they might result in false positives.
We are supposed to study fast flux. Do thedefinitions above help us with the scope we are struggling to identify?


yes.

but... here's another example of where a postingto the private list has "escaped" to the public one.


dang.

m

References:
- [gnso-ff-pdp-may08] Re: [ntfy-gnso-ff-pdp-may08] FW: example: using fast-flux to escape censorship
  - From: Marc Perkel
- Re: [gnso-ff-pdp-may08] Re: [ntfy-gnso-ff-pdp-may08] FW: example: using fast-flux to escape censorship
  - From: Dave Piscitello

<<< Chronological Index >>> <<< Thread Index >>>

Privacy Policy | Terms of Service | Cookies Policy