ICANN Email List Archives

[gnso-ff-pdp-may08]



RE: [gnso-ff-pdp-may08] RE: [ntfy-gnso-ff-pdp-may08] FW: example: using fast-flux to escape censorship? -- what's the conclusion?

  • To: gaaron@xxxxxxxxxxxx
  • Subject: RE: [gnso-ff-pdp-may08] RE: [ntfy-gnso-ff-pdp-may08] FW: example: using fast-flux to escape censorship? -- what's the conclusion?
  • From: Joe St Sauver <joe@xxxxxxxxxxxxxxxxxx>
  • Date: Wed, 16 Jul 2008 09:21:34 -0700

Greg asked...

#Are you saying that this site uses the fast-flux technique, but does not
#look malicious?

No. I'm saying that it simply doesn't meet a fully-informed definition 
of what's "fastflux." Let me explain what I mean. 

If we have a definition of "pony" that's "a mammalian farm animal with four 
legs that's ridden by children," that (obviously poor) definition of "pony"
admits the inclusion of adult horses, donkeys, mules, large dogs, pigs and 
who knows what all else wrongly to the set of potential "ponies."

So, too, with fastflux. A sloppy initial definition leads to lots of stuff
that may superficially look like fastflux, but which on closer inspection
anyone who's familiar with real fastflux nodes would immediately recognize
as being out of scope based on objectively observable criteria, and not
requiring us to attempt to peer into the hearts and minds of the (ab)user
to determine "intent."

#If so, then it seems to demonstrate that undiscriminating 
#counter-measures that limit or disrupt use of the fast-flux technique 
#could impact legitimate users and stifle free expression.

*Any* attempt to control an unwanted phenomenon, by definition, can also
impact wanted phenomena. For example, controls on the sale of spray paint
used for "tagging" may inconvenience a teenager who wants to purchase
spray paint for some use other than graffiti. Controls on the sale of 
tablet form pseudoephedrine, imposed in many states to help stem the tide
of illegal methamphetamine production, may inconvenience an allergy 
sufferer with a stuffed-up head.

Society normally attempts to balance the impact of control measures,
weighing things like:

-- relative impacts (relative numbers impacted, relative severity of
   the illness vs the relative pain of the cure, etc.),

-- the breadth of proposed control measures (can the desired goal be
   achieved with a narrower proposed measure?),

-- whether control measures completely ban or merely regulate a particular
   activity,

-- whether substitutes exist which allow a desired end to be reached by
   different means,

-- whether there were procedural opportunities for varying voices to be
   heard during the policy development process, and

-- whether there are avenues for appeal or exception once the general
   policy is operative,

-- etc., etc., etc. 

Those balances -- and the underlying values they represent -- will 
vary from place to place, and from time to time, and from person to person.

But the point is that most societies permit some degree of encroachment upon
what might otherwise be a purely anarchic environment. The ones that get the 
balance wrong too far in the opposite direction become totalitarian. The rest 
of us happily live somewhere in the middle.

#I am going by the definition in our Issues Report, which defines the fast
#flux technique as "the rapid and repeated changes to A and/or NS resource
#records in a DNS zone, which have the effect of rapidly changing the
#location (IP address) to which the domain name of an Internet host (A) or
#name server (NS) resolves."  

That's what I call a "a pony is a mammalian farm animal with four legs 
that's ridden by children," definition. It alludes to the phenomena of 
interest, but it completely fails close scrutiny.

#This is distinguished from "fast-flux hosting," which the Issues Report 
#defines as use of the fast-flux technique with malicious or illegal intent.  

Based on Dave's early definition, alluding to fastflux attacks, fastflux
web hosting is arguably used for malicious activities other than just
web hosting and DNS hosting (although we still need to tease out precisely
what those other malicious uses may be).

I think one objective of the group should be to clean up our definition(s)
of fastflux and related phenomena.

One helpful step might be to categorize the definitions of fastflux which have 
already been offered by the community. For example, Spamhaus defines it as
( http://www.spamhaus.org/faq/answers.lasso?section=ISP%20Spam%20Issues#164 ):

   "Fast flux domain hosting involves the use of botnet zombie drones on 
   broadband IPs infected to act as reverse proxies for the spammer's 
   website or nameservers. The spamvertised domain, or its nameserver, is 
   pointed at a rapidly changing series of zombie IPs (hence the name) with 
   very short "TTL" values -- usually less than five minutes (300s). There 
   are typically four or five "A" records to distribute the load and 
   increase the odds of the website staying up. Their proxy service hides 
   the IP location of the spammer's dedicated servers. As the very action 
   of hijacking computers is illegal in most jurisdictions, such fast flux 
   hosting is only used for further criminal activities such as phishing 
   and child pornography. Because the criminals know they could be 
   identified if they used valid "whois" data, they always use bogus data, 
   so registrars can confidently HOLD (suspend) the domain based on ICANN 
   3.7.7.2."

And I'm sure there are others that folks might like to mention, other 
than just the one from the charter?

Regards,

Joe

Disclaimer: all opinions strictly my own.
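
Added example, not part of the message above or of any ICANN or Spamhaus material: a sketch of how the two definitions quoted in the message behave as detection criteria when run over constructed DNS observations. The change threshold, the "broadband" network list, the requirement that every address be on it, and all sample data are assumptions made for illustration.

```python
import ipaddress

# Constructed stand-in for a "broadband IP" list; a real check needs an
# external data source, which the message does not name.
BROADBAND_NETS = [ipaddress.ip_network("203.0.113.0/24")]

def is_broadband(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BROADBAND_NETS)

def changes(snapshots):
    """Count successive lookups whose A-record set differs from the previous one."""
    sets = [frozenset(ips) for _, ips in snapshots]
    return sum(1 for a, b in zip(sets, sets[1:]) if a != b)

def matches_issues_report(snapshots, min_changes=3):
    # "rapid and repeated changes to A ... records"; min_changes is an assumed threshold
    return changes(snapshots) >= min_changes

def matches_spamhaus(snapshots, min_changes=3):
    all_ips = {ip for _, ips in snapshots for ip in ips}
    return (changes(snapshots) >= min_changes
            and all(ttl < 300 for ttl, _ in snapshots)      # TTL "less than five minutes (300s)"
            and all(len(ips) >= 4 for _, ips in snapshots)  # "four or five A records"
            and all(is_broadband(ip) for ip in all_ips))    # "broadband IPs" (simplified to all)

# Constructed observations: (TTL in seconds, A records) from four successive lookups.
LOAD_BALANCED = [(60, ["198.51.100.10", "198.51.100.11"]),
                 (60, ["198.51.100.12", "198.51.100.10"]),
                 (60, ["198.51.100.11", "198.51.100.13"]),
                 (60, ["198.51.100.10", "198.51.100.12"])]
FLUX_LIKE = [(180, [f"203.0.113.{base + i}" for i in range(5)])
             for base in (10, 40, 90, 150)]

def classify(snapshots):
    return {"issues_report": matches_issues_report(snapshots),
            "spamhaus": matches_spamhaus(snapshots)}

if __name__ == "__main__":
    for name, obs in (("load-balanced", LOAD_BALANCED), ("flux-like", FLUX_LIKE)):
        print(name, classify(obs))
```

The constructed load-balanced name satisfies the Issues Report wording but not the narrower criteria, which is the over-inclusion the message objects to.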


