ICANN Email List Archives

[gnso-ff-pdp-may08]



[gnso-ff-pdp-may08] RE: [ntfy-gnso-ff-pdp-may08] FW: example: using fast-flux to escape censorship? -- what's the conclusion?

  • To: "'Glen de Saint Géry'" <Glen@xxxxxxxxx>, <ebw@xxxxxxxxxxxxxxxxxxxx>, <wendy@xxxxxxxxxxx>, "'Mike O'Connor'" <mike@xxxxxxxxxx>, <joe@xxxxxxxxxxxxxxxxxx>, "'Dave Piscitello'" <dave.piscitello@xxxxxxxxx>, <gnso-ff-pdp-may08@xxxxxxxxx>
  • Subject: [gnso-ff-pdp-may08] RE: [ntfy-gnso-ff-pdp-may08] FW: example: using fast-flux to escape censorship? -- what's the conclusion?
  • From: "Greg Aaron" <gaaron@xxxxxxxxxxxx>
  • Date: Wed, 16 Jul 2008 11:26:40 -0400

Dear Joe:

Are you saying that this site uses the fast-flux technique, but does not
look malicious? 

If so, then it seems to demonstrate that undiscriminating counter-measures
that limit or disrupt use of the fast-flux technique could impact legitimate
users and stifle free expression.

I am going by the definition in our Issues Report, which defines the fast
flux technique as "the rapid and repeated changes to A and/or NS resource
records in a DNS zone, which have the effect of rapidly changing the
location (IP address) to which the domain name of an Internet host (A) or
name server (NS) resolves."  This is distinguished from "fast-flux hosting,"
which the Issues Report defines as use of the fast-flux technique with
malicious or illegal intent.  The particular domain under discussion meets
the fast-flux definition -- it has rapidly changing A records and its
hosting is moving across multiple ASNs around the world.

It is important to note that WHOIS veracity, reputation of the sponsoring
registrar, Web site content, presence of a broadband consumer netblock, and
whether the domain is on a spam blacklist are useful indicators of INTENT.
But NONE of those -- whether individually or collectively -- indicate
whether the fast-flux technique is being employed.  

The lengths you went through illustrate how tricky it can sometimes be to
figure out whether a use of fast-flux is actually malicious or not.

All best,
--Greg



-----Original Message-----
From: owner-ntfy-gnso-ff-pdp-may08@xxxxxxxxx
[mailto:owner-ntfy-gnso-ff-pdp-may08@xxxxxxxxx] On Behalf Of Glen de Saint
Géry
Sent: Wednesday, July 16, 2008 3:28 AM
To: mail=ntfy-gnso-ff-pdp-may08@xxxxxxxxx
Subject: FW: [ntfy-gnso-ff-pdp-may08] FW: example: using fast-flux to escape
censorship?


Posted on behalf of Joe St Sauver
FW: example: using fast-flux to escape censorship?

Greg mentioned:

>Wendy, Dave, and Eric have each touched on whether there may be legitimate
>uses of fast-flux hosting by entities that use it to escape censorship.
>Let's examine a real-world example to see if it fits.  Below are query
>results for a real domain.  The TTL is 60, and the IPs are being changed
>rapidly and are globally distributed.  It therefore seems to exhibit
>behaviors associated with fast-flux.

While this domain has a short TTL, IPs periodically change, and the IPs it
uses are distributed, this example doesn't meet the fastflux usage
profile...

Let's start with the domain itself:

When I check the [redacted] domain you mentioned, I see a domain
registered to a corporate entity, with prima facie valid address
information, and at a notoriously anti-spam registrar (Godaddy):

[redacted]
The [redacted] domain is NOT listed on the SURBL or URIBL

All of that's inconsistent with a fastflux profile.

What do we see if we visit the domain?

Visiting the domain with curl, I'm seeing a server that's at least claiming
to be Apache (rather than nginx, as is most commonly used by real FF sites).

The server even includes cache information, e.g.:

X-Cache: MISS from www.rakuten.co.jp

Checking the rakuten server, it answers with information consistent with
what was served via the [redacted] domain. Real fastflux
domains try VERY hard not to disclose that sort of "upstream server" info.

What do we see if we look at the DNS we're given for the domain?

Resolving the domain with dig once, I see:

[redacted] 60      IN      A       66.223.44.229
[redacted] 60      IN      A       66.55.141.19
[redacted] 60      IN      A       66.172.32.135

Only three IPs, and the TTLs are, if anything, TOO short at just one
minute.

Checking the IPs returned for that domain, I see:

-- 66.223.44.229 --> NXDOMAIN
   66.223.44.229 --> AS11305 (Peer 1 Dedicated Hosting)

   66.223.44.229 isn't listed on the SBL/XBL/PBL

   [whois.arin.net]
   OrgName:    Peer 1 Dedicated Hosting
   OrgID:      P1DH-1
   Address:    101 Marietta Street
   Address:    Suite 500
   City:       Atlanta
   StateProv:  GA
   PostalCode: 30303
   Country:    US

   NetRange:   66.223.0.0 - 66.223.127.255
   CIDR:       66.223.0.0/17
   NetName:    66-223-0-0-NET
   NetHandle:  NET-66-223-0-0-1
   Parent:     NET-66-0-0-0-0
   NetType:    Direct Allocation
   NameServer: A.NS.INTERLAND.NET
   NameServer: B.NS.INTERLAND.NET
   NameServer: C.NS.INTERLAND.NET
   Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
   RegDate:    2002-01-25
   Updated:    2007-12-04

   OrgTechHandle: DCOPE2-ARIN
   OrgTechName:   DC Operations
   OrgTechPhone:  +1-678-365-2835
   OrgTechEmail:  dhswip@xxxxxxxxx

   This fails normal FF usage patterns in that this is an IP from a
   dedicated US hosting netblock, not an international consumer broadband
   netblock.

-- 66.55.141.19 --> SERVFAIL
   66.55.141.19 --> AS20473 (Choopa, LLC, another well-known hosting
   company)

   66.55.141.19 isn't listed on the SBL/XBL/PBL

   %rwhois V-1.5:003eff:00 rwhois.choopa.com (by Network Solutions, Inc.
V-1.5.9.6)
   66.55.141.19
   network:Class-Name:network
   network:ID:NETBLK-ISPWIDGET.66.55.128.0/19
   network:Auth-Area:66.55.128.0/19
   network:Network-Name:ISPWIDGET-66.55.141.0/24
   network:IP-Network:66.55.141.0/24
   network:Organization;I:Bright_Imperial_Limited
   network:Tech-Contact;I:hostmaster.com
   network:Admin-Contact;I:ARIN-NIC-HANDLE
   network:Created:20070101
   network:Updated:20080615
   network:Updated-By:hostmaster.com
   [snip]

   Again, this is not an IP from an international consumer broadband
   netblock

-- 66.172.32.135 --> NXDOMAIN
   66.172.32.135 --> AS13704 (Fastserve Network, Inc., LA California,
      yet another hosting company)

   66.172.32.135 is not on the SBL/XBL/PBL

   [whois.arin.net]
   OrgName:    Fastserve Network, Inc.
   OrgID:      FSRV
   Address:    600 W. 7th Street
   Address:    Suite 310
   City:       Los Angeles
   StateProv:  CA
   PostalCode: 90017
   Country:    US

   NetRange:   66.172.0.0 - 66.172.63.255
   CIDR:       66.172.0.0/18
   NetName:    FASTSERVE-LA5
   NetHandle:  NET-66-172-0-0-1
   Parent:     NET-66-0-0-0-0
   NetType:    Direct Allocation
   NameServer: NS1.FASTSERVE.NET
   NameServer: NS2.FASTSERVE.NET
   Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
   RegDate:    2001-09-20
   Updated:    2003-07-18

   RTechHandle: ZF61-ARIN
   RTechName:   Fastserve Network
   RTechPhone:  +1-213-673-4440
   RTechEmail:  hostmaster@xxxxxxxxxxxxx

   OrgTechHandle: ZF61-ARIN
   OrgTechName:   Fastserve Network
   OrgTechPhone:  +1-213-673-4440
   OrgTechEmail:  hostmaster@xxxxxxxxxxxxx

   Again, this is not an IP from a consumer broadband netblock

While what it's doing now is no guarantee of what it will do later,
checking it at least one more time:

[redacted] 60      IN      A       15.46.162.135
[redacted] 60      IN      A       15.189.78.229
[redacted] 60      IN      A       15.201.49.22

-- 15.46.162.135 --> NXDOMAIN
   15.46.162.135 --> AS71 (HP)

   15.46.162.135 isn't listed on the SBL/XBL/PBL

-- 15.189.78.229 --> NXDOMAIN
   15.189.78.229 --> AS71 (HP)

   15.189.78.229 isn't listed on the SBL/XBL/PBL

-- 15.201.49.22 --> g4u0180.houston.hp.com
   15.201.49.22 --> AS10782 (another HP ASN)

   15.201.49.22 isn't listed on the SBL/XBL/PBL

Again, all just *ONE* US corporation's IP addresses, which is the wrong
profile for fastflux.

Sorry, these guys stand out like a Red Delicious in a bowl of Granny Smiths.

Regards,

Joe
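As an added illustration that is not part of either message: a small Python script that applies the technique-level checks discussed above (short TTL, A records changing between lookups, addresses spread over several ASNs) to successive DNS answers and, following Greg's distinction, scores the intent indicators (blocklists, consumer-broadband netblocks) separately. The two answer sets quoted in Joe's message are embedded as constructed input; the prefix-to-ASN table stands in for whois and route lookups, and the two HP prefixes and the consumer-broadband prefix in it are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed input: the two dig answer sets quoted in Joe's message (TTL 60 each).
SNAPSHOTS = [
    {"ttl": 60, "ips": ["66.223.44.229", "66.55.141.19", "66.172.32.135"]},
    {"ttl": 60, "ips": ["15.46.162.135", "15.189.78.229", "15.201.49.22"]},
]
# Assumed prefix-to-ASN table standing in for whois/route lookups: the first three
# prefixes are quoted in the thread, the two HP prefixes are assumed.
PREFIX_TO_ASN = {
    "66.223.0.0/17": 11305, "66.55.128.0/19": 20473, "66.172.0.0/18": 13704,
    "15.0.0.0/8": 71, "15.201.0.0/16": 10782,
}
# Constructed intent data: nothing in the thread was blocklisted or on consumer broadband,
# so the blocklist is empty and the broadband prefix is an RFC 5737 documentation range.
BLOCKLISTED_IPS = set()
CONSUMER_BROADBAND = [ip_network("203.0.113.0/24")]

def asn_for(ip):
    # Longest-prefix match; None when the table has no covering prefix.
    addr, best = ip_address(ip), None
    for prefix, asn in PREFIX_TO_ASN.items():
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None

def technique_signal(snapshots, max_ttl=300):
    # Fast-flux *technique* per the Issues Report definition: short TTL plus
    # rapid, repeated change of the A records across successive lookups.
    ips = {ip for s in snapshots for ip in s["ips"]}
    changes = sum(set(a["ips"]) != set(b["ips"]) for a, b in zip(snapshots, snapshots[1:]))
    return {"short_ttl": all(s["ttl"] <= max_ttl for s in snapshots),
            "answer_changes": changes, "unique_ips": len(ips),
            "unique_asns": len({asn_for(ip) for ip in ips})}

def intent_indicators(snapshots):
    # Greg's point: blocklists and consumer-broadband netblocks speak to INTENT,
    # not to whether the technique is in use, so they are scored separately.
    ips = {ip for s in snapshots for ip in s["ips"]}
    return {"blocklisted": sum(ip in BLOCKLISTED_IPS for ip in ips),
            "consumer_broadband": sum(any(ip_address(ip) in n for n in CONSUMER_BROADBAND)
                                      for ip in ips)}

def classify(snapshots):
    t, i = technique_signal(snapshots), intent_indicators(snapshots)
    if not (t["short_ttl"] and t["answer_changes"] > 0 and t["unique_asns"] > 1):
        return "no fast-flux technique"
    return "fast-flux hosting suspected" if any(i.values()) else "fast-flux technique, no intent indicators"
```

Calling `classify(SNAPSHOTS)` on the thread's data yields "fast-flux technique, no intent indicators": the domain meets the technique definition (TTL 60, six IPs over five ASNs across two lookups) while none of the intent indicators fire.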

