ICANN Email Archives: [gnso-ff-pdp-may08]

ICANN ICANN Email List Archives
[gnso-ff-pdp-may08]

<<< Chronological Index >>> <<< Thread Index >>>
RE: [gnso-ff-pdp-may08] Re: [ntfy-gnso-ff-pdp-may08] FW: example: using fast-flux to escape censorship

To: "'Dave Piscitello'" <dave.piscitello@xxxxxxxxx>, "'Marc Perkel'" <marc@xxxxxxxxxx>, "'Glen de Saint Géry'" <Glen@xxxxxxxxx>
Subject: RE: [gnso-ff-pdp-may08] Re: [ntfy-gnso-ff-pdp-may08] FW: example: using fast-flux to escape censorship
From: "Greg Aaron" <gaaron@xxxxxxxxxxxx>
Date: Wed, 16 Jul 2008 10:37:02 -0400
Dear Dave:

 

No, I do not find those definitions correct.  Fast flux is indeed a
technique, but it is not necessarily malicious.  Your definition below
classified the very technique as always malicious.

 

The existing definitions from our base documents clearly distinguish the
technical practice from the intent/end for which it is used.  The Issues
Report says:

 

Fast Flux: In this context, the term ?fast flux? refers to rapid and
repeated changes to A and/or NS resource records in a DNS zone, which have
the effect of rapidly changing the location (IP address) to which the domain
name of an Internet host (A) or name server (NS) resolves.  

[In other words, ?fast flux? is a technical practice or technique.  It can
be used for benign or malicious purposes.  It is not necessarily an ?attack
technique.?  Indeed, we know of examples where it is used as a legitimate
defensive technique.]

 

Fast Flux Hosting: The practice of using fast flux techniques to disguise
the location of web sites or other Internet services that host illegal
activities.

 

All best,

--Greg

 

 

  _____  

From: owner-gnso-ff-pdp-may08@xxxxxxxxx
[mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx] On Behalf Of Dave Piscitello
Sent: Wednesday, July 16, 2008 7:41 AM
To: Marc Perkel; Glen de Saint Géry
Cc: gnso-ff-pdp-may08@xxxxxxxxx
Subject: Re: [gnso-ff-pdp-may08] Re: [ntfy-gnso-ff-pdp-may08] FW: example:
using fast-flux to escape censorship

 

Fast flux is not an attack, but a technique ? one element ? of an attack. As
we try to refine the terminology, we might want to be careful when we use
each term. These definitions seem to be emerging:

*       fast flux: an attack technique that involves rapidly changes the
bindings of IP addresses to domain names, typically to prevent detection of
hosts operating illegal or unauthorized services (DNS, mail, web) 
*       fast flux hosting: employing fast flux as part of the hosting
component of a criminal or other unauthorized activity (e.g., phishing) 
*       fast flux attack: an attack that uses fast flux 
*       short TTL: a value in the Time To Live parameter associated with a
DNS resource record(s) that is observably less than the values encountered
in the DNS under typical operating conditions, e.g., less than 3600 seconds.
Short TTLa may be used for both legitimate and abusive purposes; for
example, the use of a short TTLa is one way to enable a fast flux attack.


Using an antispam analogy, you can?t conclude that an email is spam solely
on the basis that it contains the brand name of an erectile dysfunction
product. Ditto for short TTL. 

The use of short TTLs is one of several ?markers? that you might use to
detect an attack that employs fast flux. Large numbers of NS name server
resource records and frequent changes to those RRs is another. The use of IP
addresses that fall outside the typical address range used for this domain
is another. Evaluated in combination, these may be useful. Evaluated in
isolation, they might result in false positives.

We are supposed to study fast flux. Do the definitions above help us with
the scope we are struggling to identify?
 
On 7/15/08 5:51 PM, "Marc Perkel" <marc@xxxxxxxxxx> wrote:

OK - so if there is a legitimate used for fast flux then that kills the
solution to restrict name server TTLs to higher values because if we do then
we can't circumvent Chinese censorship. Wouldn't we have to allow some
people to fast flux and not others?

Glen de Saint Géry wrote: 


Posted on behalf of Greg Aaron
Subject: example: using fast-flux to escape censorship

Dear group:
  
 


I'm posting this to the private list because it
is more suitable for group members' eyes only for confidentiality purposes.

Wendy, Dave, and Eric have each touched on
whether there may be legitimate uses of
fast-flux hosting by entities that use it to
escape censorship.  Let's examine a real-world
example to see if it fits.  Below are query
results for a real domain.  The TTL is 60, and
the IPs are being changed rapidly and are
globally distributed on multiple ASNs.  It
therefore seems to meet the definition of fast-flux.

The registrant is an entity called Domain
UltraReach.  Domain UltraReach says it offers a
proxy service designed to allow Web users to
circumvent Chinese government Internet censorship.
<
 <http://www.ultrareach.com/company/aboutus.htm>
<http://www.ultrareach.com/company/aboutus.htm>http://www.ultrareach.com/com
pany/aboutus.htm
    
 
Domain UltraReach operates multiple such fluxy domain names besides the
below.

So, what do we have here?

Domain Query / Query timestamp / name server / IP result / AS
AVONMPRODUCTS.INFO 2008-06-03 20:26
ns1.AVONMPRODUCTS.INFO 204.0.5.32 NTT-COMMUNICATIONS-2914 - NTT America,
Inc.
AVONMPRODUCTS.INFO 2008-06-03 20:26
ns1.AVONMPRODUCTS.INFO 204.252.142.121 UUNET -
MCI Communications Services, Inc. d/b/a Verizon Business
AVONMPRODUCTS.INFO 2008-06-03 20:26
ns1.AVONMPRODUCTS.INFO 204.223.32.233
PENS-NET-AS - Navy Network Information Center (NNIC)
AVONMPRODUCTS.INFO 2008-06-03 20:26
ns2.AVONMPRODUCTS.INFO 64.151.115.197 SERVEPATH - ServePath, LLC
AVONMPRODUCTS.INFO 2008-06-03 20:26
ns2.AVONMPRODUCTS.INFO 64.196.254.49 MCLEOD - McLeod, Inc.
AVONMPRODUCTS.INFO 2008-06-03 20:26
ns2.AVONMPRODUCTS.INFO 64.4.109.127 NTELOSINC - Ntelos Inc.
AVONMPRODUCTS.INFO 2008-06-03 18:51
ns1.AVONMPRODUCTS.INFO 221.192.149.102
CHINA169-BACKBONE CNCGROUP China169 Backbone
AVONMPRODUCTS.INFO 2008-06-03 18:51
ns1.AVONMPRODUCTS.INFO 221.234.155.122 CHINANET-BACKBONE No.31,Jin-rong
Street
AVONMPRODUCTS.INFO 2008-06-03 18:51
ns1.AVONMPRODUCTS.INFO 221.141.216.67 HANARO-AS Hanaro Telecom Inc.
AVONMPRODUCTS.INFO 2008-06-03 18:51
ns2.AVONMPRODUCTS.INFO 194.67.57.226 SOVAM-AS Golden Telecom, Moscow, Russia
AVONMPRODUCTS.INFO 2008-06-03 18:51 ns2.AVONMPRODUCTS.INFO 194.13.52.50
AVONMPRODUCTS.INFO 2008-06-03 18:51
ns2.AVONMPRODUCTS.INFO 194.121.16.127 KPN KPN Internet Backbone AS
AVONMPRODUCTS.INFO 2008-06-03 17:17
ns1.AVONMPRODUCTS.INFO 212.129.63.31 SKYROCK Skyrock content delivery
network
AVONMPRODUCTS.INFO 2008-06-03 17:17
ns1.AVONMPRODUCTS.INFO 212.105.133.231 Euronext
AVONMPRODUCTS.INFO 2008-06-03 17:17
ns1.AVONMPRODUCTS.INFO 212.230.244.4 AS15704 Xtratelecom Spain AS
AVONMPRODUCTS.INFO 2008-06-03 17:17
ns2.AVONMPRODUCTS.INFO 219.239.94.45 DXTNET
Beijing Dian-Xin-Tong Network Technologies Co., Ltd.
AVONMPRODUCTS.INFO 2008-06-03 17:17
ns2.AVONMPRODUCTS.INFO 219.10.51.50 GIGAINFRA BB TECHNOLOGY Corp.
AVONMPRODUCTS.INFO 2008-06-03 17:17
ns2.AVONMPRODUCTS.INFO 219.98.11.127 SO-NET So-net Entertainment Corporation
AVONMPRODUCTS.INFO 2008-06-03 09:41
ns1.AVONMPRODUCTS.INFO 79.170.89.4 XL-AS XL Network
AVONMPRODUCTS.INFO 2008-06-03 09:41 ns1.AVONMPRODUCTS.INFO 79.44.193.230
AVONMPRODUCTS.INFO 2008-06-03 09:41
ns1.AVONMPRODUCTS.INFO 79.219.201.4 DTAG Deutsche Telekom AG
AVONMPRODUCTS.INFO 2008-06-03 09:41
ns2.AVONMPRODUCTS.INFO 212.27.48.10 PROXAD AS for Proxad/Free ISP
AVONMPRODUCTS.INFO 2008-06-03 09:41
ns2.AVONMPRODUCTS.INFO 212.222.48.229 INTEROUTE Interoute Communications Ltd
AVONMPRODUCTS.INFO 2008-06-03 09:41
ns2.AVONMPRODUCTS.INFO 212.123.105.4 IP-EXCHANGE IP Exchange GmbH
AVONMPRODUCTS.INFO 2008-06-03 07:13
ns1.AVONMPRODUCTS.INFO 209.17.70.11 PHOTOBUCKET - PHOTOBUCKET.COM, INC.
AVONMPRODUCTS.INFO 2008-06-03 07:13
ns1.AVONMPRODUCTS.INFO 209.71.142.194 VOICENET - Voicenet
AVONMPRODUCTS.INFO 2008-06-03 07:13
ns1.AVONMPRODUCTS.INFO 209.66.40.124 JERSEY - InterActive Network Services
AVONMPRODUCTS.INFO 2008-06-03 07:13
ns2.AVONMPRODUCTS.INFO 65.214.39.56 WAN - Worldcom Advance Networks
AVONMPRODUCTS.INFO 2008-06-03 07:13
ns2.AVONMPRODUCTS.INFO 65.88.255.172 LVLT-8043 - Level 3 Communications,
Inc.
AVONMPRODUCTS.INFO 2008-06-03 07:13
ns2.AVONMPRODUCTS.INFO 65.77.20.79 ETHERN -
Global Communications INTERNETworking Corp.
AVONMPRODUCTS.INFO 2008-06-03 04:46
ns1.AVONMPRODUCTS.INFO 38.99.77.80 EZRI-36323 - Ezri Inc
AVONMPRODUCTS.INFO 2008-06-03 04:46
ns1.AVONMPRODUCTS.INFO 38.180.8.183 COGENT Cogent/PSI
AVONMPRODUCTS.INFO 2008-06-03 04:46
ns1.AVONMPRODUCTS.INFO 38.172.214.108 COGENT Cogent/PSI
AVONMPRODUCTS.INFO 2008-06-03 04:46
ns2.AVONMPRODUCTS.INFO 198.172.81.21
NTT-COMMUNICATIONS-2914 - NTT America, Inc.
AVONMPRODUCTS.INFO 2008-06-03 04:46
ns2.AVONMPRODUCTS.INFO 198.85.245.171 NCREN - MCNC
AVONMPRODUCTS.INFO 2008-06-03 04:46
ns2.AVONMPRODUCTS.INFO 198.94.171.227 LEVEL3 Level 3 Communications
AVONMPRODUCTS.INFO 2008-06-03 02:26
ns1.AVONMPRODUCTS.INFO 193.33.59.200 GRONO-AS grono.net
AVONMPRODUCTS.INFO 2008-06-03 02:26
ns1.AVONMPRODUCTS.INFO 193.6.168.165 HBONE-AS HUNGARNET
AVONMPRODUCTS.INFO 2008-06-03 02:26
ns1.AVONMPRODUCTS.INFO 193.248.13.227 AS3215 France Telecom - Orange
AVONMPRODUCTS.INFO 2008-06-03 02:26
ns2.AVONMPRODUCTS.INFO 63.99.250.195 WAN - Worldcom Advance Networks
AVONMPRODUCTS.INFO 2008-06-03 02:26
ns2.AVONMPRODUCTS.INFO 63.88.39.116 UUNET - MCI
Communications Services, Inc. d/b/a Verizon Business
AVONMPRODUCTS.INFO 2008-06-03 02:26
ns2.AVONMPRODUCTS.INFO 63.11.31.2 UUNET - MCI
Communications Services, Inc. d/b/a Verizon Business
AVONMPRODUCTS.INFO 2008-06-03 00:11
ns1.AVONMPRODUCTS.INFO 85.17.132.149 LEASEWEB LEASEWEB AS
AVONMPRODUCTS.INFO 2008-06-03 00:11
ns1.AVONMPRODUCTS.INFO 85.187.85.229 B-NET BiConsult Eood
AVONMPRODUCTS.INFO 2008-06-03 00:11
ns1.AVONMPRODUCTS.INFO 85.237.255.4 ORANGE SLOVENSKO Autonomous system
AVONMPRODUCTS.INFO 2008-06-03 00:11
ns2.AVONMPRODUCTS.INFO 15.201.49.22 HP-DIGITAL-10782 - Hewlett-Packard
Company
AVONMPRODUCTS.INFO 2008-06-03 00:11
ns2.AVONMPRODUCTS.INFO 15.200.102.165
TELSTRA-AS-AP Telstra International HK Limited
AVONMPRODUCTS.INFO 2008-06-03 00:11
ns2.AVONMPRODUCTS.INFO 15.54.195.227 HP-INTERNET-AS Hewlett-Packard Company
AVONMPRODUCTS.INFO 2008-06-02 21:59
ns1.AVONMPRODUCTS.INFO 201.7.178.45 TV GLOBO LTDA
AVONMPRODUCTS.INFO 2008-06-02 21:59
ns1.AVONMPRODUCTS.INFO 201.213.120.166 Prima S.A.
AVONMPRODUCTS.INFO 2008-06-02 21:59
ns1.AVONMPRODUCTS.INFO 201.48.105.79 Companhia
de Telecomunicacoes do Brasil Central
AVONMPRODUCTS.INFO 2008-06-02 21:59
ns2.AVONMPRODUCTS.INFO 66.70.92.80 DATAPIPE - DataPipe
AVONMPRODUCTS.INFO 2008-06-02 21:59
ns2.AVONMPRODUCTS.INFO 66.246.26.231 NET-ACCESS-CORP - Net Access
Corporation
AVONMPRODUCTS.INFO 2008-06-02 21:59
ns2.AVONMPRODUCTS.INFO 66.125.111.4 SBIS-AS - AT&T Internet Services
AVONMPRODUCTS.INFO 2008-06-02 19:47
ns1.AVONMPRODUCTS.INFO 199.89.199.26 MATTEL - Mattel, Inc.
AVONMPRODUCTS.INFO 2008-06-02 19:47
ns1.AVONMPRODUCTS.INFO 199.217.173.127
NTT-COMMUNICATIONS-2914 - NTT America, Inc.
AVONMPRODUCTS.INFO 2008-06-02 19:47 ns1.AVONMPRODUCTS.INFO 199.7.82.67
AVONMPRODUCTS.INFO 2008-06-02 19:47
ns2.AVONMPRODUCTS.INFO 212.48.10.150 MATRIX-AS Matrix S.p.A.
AVONMPRODUCTS.INFO 2008-06-02 19:47
ns2.AVONMPRODUCTS.INFO 212.121.2.112 JANET The JANET IP Service
AVONMPRODUCTS.INFO 2008-06-02 19:47
ns2.AVONMPRODUCTS.INFO 212.23.66.67 Ural Relcom Ltd.
AVONMPRODUCTS.INFO 2008-06-02 17:48
ns1.AVONMPRODUCTS.INFO 66.135.200.146 EBAY - eBay, Inc
AVONMPRODUCTS.INFO 2008-06-02 17:48
ns1.AVONMPRODUCTS.INFO 66.70.35.110 DATAPIPE - DataPipe
AVONMPRODUCTS.INFO 2008-06-02 17:48
ns1.AVONMPRODUCTS.INFO 66.228.240.2 PRMTC - Park Region Mutual Telephone Co
AVONMPRODUCTS.INFO 2008-06-02 17:48
ns2.AVONMPRODUCTS.INFO 60.12.228.40
CHINA169-BACKBONE CNCGROUP China169 Backbone
AVONMPRODUCTS.INFO 2008-06-02 17:48
ns2.AVONMPRODUCTS.INFO 60.148.167.56 GIGAINFRA BB TECHNOLOGY Corp.
AVONMPRODUCTS.INFO 2008-06-02 17:48
ns2.AVONMPRODUCTS.INFO 60.101.119.4 GIGAINFRA BB TECHNOLOGY Corp.



**********************************
Greg Aaron
Director, Key Account Management and Domain Security
Afilias
vox: +1.215.706.5700 x104
fax: 1.215.706.5701
gaaron@xxxxxxxxxxxx
**********************************
The information contained in this message may be
privileged and confidential and protected from
disclosure. If the reader of this message is not
the intended recipient, or an employee or agent
responsible for delivering this message to the
intended recipient, you are hereby notified that
any dissemination, distribution or copying of
this communication is strictly prohibited. If
you have received this communication in error,
please notify us immediately by replying to the
message and deleting it from your computer.


No virus found in this incoming message.
Checked by AVG - http://www.avg.com
Version: 8.0.138 / Virus Database: 270.4.11/1553
- Release Date: 7/15/2008 5:48 AM
Follow-Ups:
- Re: [gnso-ff-pdp-may08] Re: [ntfy-gnso-ff-pdp-may08] FW: example: using fast-flux to escape censorship
  - From: Dave Piscitello
References:
- Re: [gnso-ff-pdp-may08] Re: [ntfy-gnso-ff-pdp-may08] FW: example: using fast-flux to escape censorship
  - From: Dave Piscitello
<<< Chronological Index >>> <<< Thread Index >>>
Privacy Policy | Terms of Service | Cookies Policy