ICANN Email Archives: [gnso-ff-pdp-may08]

ICANN ICANN Email List Archives
[gnso-ff-pdp-may08]

<<< Chronological Index >>> <<< Thread Index >>>
RE: [gnso-ff-pdp-may08] Re: [ntfy-gnso-ff-pdp-may08] FW: example: using fast-flux to escape censorship

To: "'Dave Piscitello'" <dave.piscitello@xxxxxxxxx>, "'Marc Perkel'" <marc@xxxxxxxxxx>, "'Glen de Saint Géry'" <Glen@xxxxxxxxx>
Subject: RE: [gnso-ff-pdp-may08] Re: [ntfy-gnso-ff-pdp-may08] FW: example: using fast-flux to escape censorship
From: "Greg Aaron" <gaaron@xxxxxxxxxxxx>
Date: Wed, 16 Jul 2008 14:33:51 -0400
Hi, Dave:

 

I agree that what we?re interested in is malicious uses of the technique.
But the group is also tasked with pointing out any legitimate or benign uses
of the technique.  If you define ?fast flux? as illegal/malicious, what do
you call a site that uses the same technique for legitimate or benign
purposes?  I don?t think there is such a term.  (?Good fast flux??)  I
therefore suggest we have a term for the technique, and a term for the
malicious use for the technique.  Which is what the Issues Paper did.

 

* The use of short TTLs has been around since at least the time RFC 1034 was
written in 1987.  That RFC is one of several to describe uses of short TTLs
in conventional traffic and operations.

* I don?t know when the term ?fast flux? was coined.  But just because a
criminal was the first to exploit a technique is not a reason to brand the
technique as all-bad, all-the-time.  (Hey, prOn sites pioneered many
now-commonly-accepted Internet marketing techniques?.)

* Wikipedia notes that while security researchers have been aware of the
fast-flux technique since at least November 2006, the technique has only
received wider attention in the security trade press starting from July
2007.

 

All best,

--Greg

 

  _____  

From: Dave Piscitello [mailto:dave.piscitello@xxxxxxxxx] 
Sent: Wednesday, July 16, 2008 1:41 PM
To: Greg Aaron; Marc Perkel; Glen de Saint Géry
Cc: gnso-ff-pdp-may08@xxxxxxxxx
Subject: Re: [gnso-ff-pdp-may08] Re: [ntfy-gnso-ff-pdp-may08] FW: example:
using fast-flux to escape censorship

 

I stand by my definitions until you answer a question for me.

Which came first, the use of short TTLs to adapt to conventional traffic and
operational issues, or the application of the term ?fast flux? to this
technique in the phishing and ecrime community?

My original encounter with the term ?fast flux? was in the context of
attacks. I spent a fair chunk of my career in the routing and addressing
world and had never heard anyone in the enterprise, traffic engineering or
load-balancing communities use this specific term prior to its adoption as a
name for an attack. If you or others have, please help me create an accurate
time line.

If the term fast flux has a history prior to its use in attacks, then I
concede you and the Issues Report are correct. If it does not, I suggest
that the term is overloaded and that overloading creates problems when it
comes to classifying activites as good/bad/legitimate/illegal. 

On 7/16/08 10:37 AM, "Greg Aaron" <gaaron@xxxxxxxxxxxx> wrote:

Dear Dave:
 
No, I do not find those definitions correct.  Fast flux is indeed a
technique, but it is not necessarily malicious.  Your definition below
classified the very technique as always malicious.
 
The existing definitions from our base documents clearly distinguish the
technical practice from the intent/end for which it is used.  The Issues
Report says:
 
Fast Flux: In this context, the term ?fast flux? refers to rapid and
repeated changes to A and/or NS resource records in a DNS zone, which have
the effect of rapidly changing the location (IP address) to which the domain
name of an Internet host (A) or name server (NS) resolves.  
[In other words, ?fast flux? is a technical practice or technique.  It can
be used for benign or malicious purposes. It is not necessarily an ?attack
technique.?  Indeed, we know of examples where it is used as a legitimate
defensive technique.]
 
Fast Flux Hosting: The practice of using fast flux techniques to disguise
the location of web sites or other Internet services that host illegal
activities.

All best,
--Greg

 

  _____  

From: owner-gnso-ff-pdp-may08@xxxxxxxxx
[mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx]
<mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx%5d>  On Behalf Of Dave Piscitello
Sent: Wednesday, July 16, 2008 7:41 AM
To: Marc Perkel; Glen de Saint Géry
Cc: gnso-ff-pdp-may08@xxxxxxxxx
Subject: Re: [gnso-ff-pdp-may08] Re: [ntfy-gnso-ff-pdp-may08] FW: example:
using fast-flux to escape censorship

Fast flux is not an attack, but a technique ? one element ? of an attack. As
we try to refine the terminology, we might want to be careful when we use
each term. These definitions seem to be emerging:

*       fast flux: an attack technique that involves rapidly changes the
bindings of IP addresses to domain names, typically to prevent detection of
hosts operating illegal or unauthorized services (DNS, mail, web) 
*       fast flux hosting: employing fast flux as part of the hosting
component of a criminal or other unauthorized activity (e.g., phishing) 
*       fast flux attack: an attack that uses fast flux 
*       short TTL: a value in the Time To Live parameter associated with a
DNS resource record(s) that is observably less than the values encountered
in the DNS under typical operating conditions, e.g., less than 3600 seconds.
Short TTLa may be used for both legitimate and abusive purposes; for
example, the use of a short TTLa is one way to enable a fast flux attack. 


Using an antispam analogy, you can?t conclude that an email is spam solely
on the basis that it contains the brand name of an erectile dysfunction
product. Ditto for short TTL. 

The use of short TTLs is one of several ?markers? that you might use to
detect an attack that employs fast flux. Large numbers of NS name server
resource records and frequent changes to those RRs is another. The use of IP
addresses that fall outside the typical address range used for this domain
is another. Evaluated in combination, these may be useful. Evaluated in
isolation, they might result in false positives.

We are supposed to study fast flux. Do the definitions above help us with
the scope we are struggling to identify?
 
On 7/15/08 5:51 PM, "Marc Perkel" <marc@xxxxxxxxxx> wrote:
OK - so if there is a legitimate used for fast flux then that kills the
solution to restrict name server TTLs to higher values because if we do then
we can't circumvent Chinese censorship. Wouldn't we have to allow some
people to fast flux and not others?

Glen de Saint Géry wrote: 

Posted on behalf of Greg Aaron
Subject: example: using fast-flux to escape censorship

Dear group:
  
 

I'm posting this to the private list because it
is more suitable for group members' eyes only for confidentiality purposes.

Wendy, Dave, and Eric have each touched on
whether there may be legitimate uses of
fast-flux hosting by entities that use it to
escape censorship.  Let's examine a real-world
example to see if it fits.  Below are query
results for a real domain.  The TTL is 60, and
the IPs are being changed rapidly and are
globally distributed on multiple ASNs.  It
therefore seems to meet the definition of fast-flux.

The registrant is an entity called Domain
UltraReach.  Domain UltraReach says it offers a
proxy service designed to allow Web users to
circumvent Chinese government Internet censorship.
<
 <http://www.ultrareach.com/company/aboutus.htm>
<http://www.ultrareach.com/company/aboutus.htm>http://www.ultrareach.com/com
pany/aboutus.htm
    
 
Domain UltraReach operates multiple such fluxy domain names besides the
below.

So, what do we have here?

Domain Query / Query timestamp / name server / IP result / AS
AVONMPRODUCTS.INFO 2008-06-03 20:26
ns1.AVONMPRODUCTS.INFO 204.0.5.32 NTT-COMMUNICATIONS-2914 - NTT America,
Inc.
AVONMPRODUCTS.INFO 2008-06-03 20:26
ns1.AVONMPRODUCTS.INFO 204.252.142.121 UUNET -
MCI Communications Services, Inc. d/b/a Verizon Business
AVONMPRODUCTS.INFO 2008-06-03 20:26
ns1.AVONMPRODUCTS.INFO 204.223.32.233
PENS-NET-AS - Navy Network Information Center (NNIC)
AVONMPRODUCTS.INFO 2008-06-03 20:26
ns2.AVONMPRODUCTS.INFO 64.151.115.197 SERVEPATH - ServePath, LLC
AVONMPRODUCTS.INFO 2008-06-03 20:26
ns2.AVONMPRODUCTS.INFO 64.196.254.49 MCLEOD - McLeod, Inc.
AVONMPRODUCTS.INFO 2008-06-03 20:26
ns2.AVONMPRODUCTS.INFO 64.4.109.127 NTELOSINC - Ntelos Inc.
AVONMPRODUCTS.INFO 2008-06-03 18:51
ns1.AVONMPRODUCTS.INFO 221.192.149.102
CHINA169-BACKBONE CNCGROUP China169 Backbone
AVONMPRODUCTS.INFO 2008-06-03 18:51
ns1.AVONMPRODUCTS.INFO 221.234.155.122 CHINANET-BACKBONE No.31,Jin-rong
Street
AVONMPRODUCTS.INFO 2008-06-03 18:51
ns1.AVONMPRODUCTS.INFO 221.141.216.67 HANARO-AS Hanaro Telecom Inc.
AVONMPRODUCTS.INFO 2008-06-03 18:51
ns2.AVONMPRODUCTS.INFO 194.67.57.226 SOVAM-AS Golden Telecom, Moscow, Russia
AVONMPRODUCTS.INFO 2008-06-03 18:51 ns2.AVONMPRODUCTS.INFO 194.13.52.50
AVONMPRODUCTS.INFO 2008-06-03 18:51
ns2.AVONMPRODUCTS.INFO 194.121.16.127 KPN KPN Internet Backbone AS
AVONMPRODUCTS.INFO 2008-06-03 17:17
ns1.AVONMPRODUCTS.INFO 212.129.63.31 SKYROCK Skyrock content delivery
network
AVONMPRODUCTS.INFO 2008-06-03 17:17
ns1.AVONMPRODUCTS.INFO 212.105.133.231 Euronext
AVONMPRODUCTS.INFO 2008-06-03 17:17
ns1.AVONMPRODUCTS.INFO 212.230.244.4 AS15704 Xtratelecom Spain AS
AVONMPRODUCTS.INFO 2008-06-03 17:17
ns2.AVONMPRODUCTS.INFO 219.239.94.45 DXTNET
Beijing Dian-Xin-Tong Network Technologies Co., Ltd.
AVONMPRODUCTS.INFO 2008-06-03 17:17
ns2.AVONMPRODUCTS.INFO 219.10.51.50 GIGAINFRA BB TECHNOLOGY Corp.
AVONMPRODUCTS.INFO 2008-06-03 17:17
ns2.AVONMPRODUCTS.INFO 219.98.11.127 SO-NET So-net Entertainment Corporation
AVONMPRODUCTS.INFO 2008-06-03 09:41
ns1.AVONMPRODUCTS.INFO 79.170.89.4 XL-AS XL Network
AVONMPRODUCTS.INFO 2008-06-03 09:41 ns1.AVONMPRODUCTS.INFO 79.44.193.230
AVONMPRODUCTS.INFO 2008-06-03 09:41
ns1.AVONMPRODUCTS.INFO 79.219.201.4 DTAG Deutsche Telekom AG
AVONMPRODUCTS.INFO 2008-06-03 09:41
ns2.AVONMPRODUCTS.INFO 212.27.48.10 PROXAD AS for Proxad/Free ISP
AVONMPRODUCTS.INFO 2008-06-03 09:41
ns2.AVONMPRODUCTS.INFO 212.222.48.229 INTEROUTE Interoute Communications Ltd
AVONMPRODUCTS.INFO 2008-06-03 09:41
ns2.AVONMPRODUCTS.INFO 212.123.105.4 IP-EXCHANGE IP Exchange GmbH
AVONMPRODUCTS.INFO 2008-06-03 07:13
ns1.AVONMPRODUCTS.INFO 209.17.70.11 PHOTOBUCKET - PHOTOBUCKET.COM, INC.
AVONMPRODUCTS.INFO 2008-06-03 07:13
ns1.AVONMPRODUCTS.INFO 209.71.142.194 VOICENET - Voicenet
AVONMPRODUCTS.INFO 2008-06-03 07:13
ns1.AVONMPRODUCTS.INFO 209.66.40.124 JERSEY - InterActive Network Services
AVONMPRODUCTS.INFO 2008-06-03 07:13
ns2.AVONMPRODUCTS.INFO 65.214.39.56 WAN - Worldcom Advance Networks
AVONMPRODUCTS.INFO 2008-06-03 07:13
ns2.AVONMPRODUCTS.INFO 65.88.255.172 LVLT-8043 - Level 3 Communications,
Inc.
AVONMPRODUCTS.INFO 2008-06-03 07:13
ns2.AVONMPRODUCTS.INFO 65.77.20.79 ETHERN -
Global Communications INTERNETworking Corp.
AVONMPRODUCTS.INFO 2008-06-03 04:46
ns1.AVONMPRODUCTS.INFO 38.99.77.80 EZRI-36323 - Ezri Inc
AVONMPRODUCTS.INFO 2008-06-03 04:46
ns1.AVONMPRODUCTS.INFO 38.180.8.183 COGENT Cogent/PSI
AVONMPRODUCTS.INFO 2008-06-03 04:46
ns1.AVONMPRODUCTS.INFO 38.172.214.108 COGENT Cogent/PSI
AVONMPRODUCTS.INFO 2008-06-03 04:46
ns2.AVONMPRODUCTS.INFO 198.172.81.21
NTT-COMMUNICATIONS-2914 - NTT America, Inc.
AVONMPRODUCTS.INFO 2008-06-03 04:46
ns2.AVONMPRODUCTS.INFO 198.85.245.171 NCREN - MCNC
AVONMPRODUCTS.INFO 2008-06-03 04:46
ns2.AVONMPRODUCTS.INFO 198.94.171.227 LEVEL3 Level 3 Communications
AVONMPRODUCTS.INFO 2008-06-03 02:26
ns1.AVONMPRODUCTS.INFO 193.33.59.200 GRONO-AS grono.net
AVONMPRODUCTS.INFO 2008-06-03 02:26
ns1.AVONMPRODUCTS.INFO 193.6.168.165 HBONE-AS HUNGARNET
AVONMPRODUCTS.INFO 2008-06-03 02:26
ns1.AVONMPRODUCTS.INFO 193.248.13.227 AS3215 France Telecom - Orange
AVONMPRODUCTS.INFO 2008-06-03 02:26
ns2.AVONMPRODUCTS.INFO 63.99.250.195 WAN - Worldcom Advance Networks
AVONMPRODUCTS.INFO 2008-06-03 02:26
ns2.AVONMPRODUCTS.INFO 63.88.39.116 UUNET - MCI
Communications Services, Inc. d/b/a Verizon Business
AVONMPRODUCTS.INFO 2008-06-03 02:26
ns2.AVONMPRODUCTS.INFO 63.11.31.2 UUNET - MCI
Communications Services, Inc. d/b/a Verizon Business
AVONMPRODUCTS.INFO 2008-06-03 00:11
ns1.AVONMPRODUCTS.INFO 85.17.132.149 LEASEWEB LEASEWEB AS
AVONMPRODUCTS.INFO 2008-06-03 00:11
ns1.AVONMPRODUCTS.INFO 85.187.85.229 B-NET BiConsult Eood
AVONMPRODUCTS.INFO 2008-06-03 00:11
ns1.AVONMPRODUCTS.INFO 85.237.255.4 ORANGE SLOVENSKO Autonomous system
AVONMPRODUCTS.INFO 2008-06-03 00:11
ns2.AVONMPRODUCTS.INFO 15.201.49.22 HP-DIGITAL-10782 - Hewlett-Packard
Company
AVONMPRODUCTS.INFO 2008-06-03 00:11
ns2.AVONMPRODUCTS.INFO 15.200.102.165
TELSTRA-AS-AP Telstra International HK Limited
AVONMPRODUCTS.INFO 2008-06-03 00:11
ns2.AVONMPRODUCTS.INFO 15.54.195.227 HP-INTERNET-AS Hewlett-Packard Company
AVONMPRODUCTS.INFO 2008-06-02 21:59
ns1.AVONMPRODUCTS.INFO 201.7.178.45 TV GLOBO LTDA
AVONMPRODUCTS.INFO 2008-06-02 21:59
ns1.AVONMPRODUCTS.INFO 201.213.120.166 Prima S.A.
AVONMPRODUCTS.INFO 2008-06-02 21:59
ns1.AVONMPRODUCTS.INFO 201.48.105.79 Companhia
de Telecomunicacoes do Brasil Central
AVONMPRODUCTS.INFO 2008-06-02 21:59
ns2.AVONMPRODUCTS.INFO 66.70.92.80 DATAPIPE - DataPipe
AVONMPRODUCTS.INFO 2008-06-02 21:59
ns2.AVONMPRODUCTS.INFO 66.246.26.231 NET-ACCESS-CORP - Net Access
Corporation
AVONMPRODUCTS.INFO 2008-06-02 21:59
ns2.AVONMPRODUCTS.INFO 66.125.111.4 SBIS-AS - AT&T Internet Services
AVONMPRODUCTS.INFO 2008-06-02 19:47
ns1.AVONMPRODUCTS.INFO 199.89.199.26 MATTEL - Mattel, Inc.
AVONMPRODUCTS.INFO 2008-06-02 19:47
ns1.AVONMPRODUCTS.INFO 199.217.173.127
NTT-COMMUNICATIONS-2914 - NTT America, Inc.
AVONMPRODUCTS.INFO 2008-06-02 19:47 ns1.AVONMPRODUCTS.INFO 199.7.82.67
AVONMPRODUCTS.INFO 2008-06-02 19:47
ns2.AVONMPRODUCTS.INFO 212.48.10.150 MATRIX-AS Matrix S.p.A.
AVONMPRODUCTS.INFO 2008-06-02 19:47
ns2.AVONMPRODUCTS.INFO 212.121.2.112 JANET The JANET IP Service
AVONMPRODUCTS.INFO 2008-06-02 19:47
ns2.AVONMPRODUCTS.INFO 212.23.66.67 Ural Relcom Ltd.
AVONMPRODUCTS.INFO 2008-06-02 17:48
ns1.AVONMPRODUCTS.INFO 66.135.200.146 EBAY - eBay, Inc
AVONMPRODUCTS.INFO 2008-06-02 17:48
ns1.AVONMPRODUCTS.INFO 66.70.35.110 DATAPIPE - DataPipe
AVONMPRODUCTS.INFO 2008-06-02 17:48
ns1.AVONMPRODUCTS.INFO 66.228.240.2 PRMTC - Park Region Mutual Telephone Co
AVONMPRODUCTS.INFO 2008-06-02 17:48
ns2.AVONMPRODUCTS.INFO 60.12.228.40
CHINA169-BACKBONE CNCGROUP China169 Backbone
AVONMPRODUCTS.INFO 2008-06-02 17:48
ns2.AVONMPRODUCTS.INFO 60.148.167.56 GIGAINFRA BB TECHNOLOGY Corp.
AVONMPRODUCTS.INFO 2008-06-02 17:48
ns2.AVONMPRODUCTS.INFO 60.101.119.4 GIGAINFRA BB TECHNOLOGY Corp.



**********************************
Greg Aaron
Director, Key Account Management and Domain Security
Afilias
vox: +1.215.706.5700 x104
fax: 1.215.706.5701
gaaron@xxxxxxxxxxxx
**********************************
The information contained in this message may be
privileged and confidential and protected from
disclosure. If the reader of this message is not
the intended recipient, or an employee or agent
responsible for delivering this message to the
intended recipient, you are hereby notified that
any dissemination, distribution or copying of
this communication is strictly prohibited. If
you have received this communication in error,
please notify us immediately by replying to the
message and deleting it from your computer.


No virus found in this incoming message.
Checked by AVG - http://www.avg.com
Version: 8.0.138 / Virus Database: 270.4.11/1553
- Release Date: 7/15/2008 5:48 AM
Follow-Ups:
- Re: [gnso-ff-pdp-may08] Re: [ntfy-gnso-ff-pdp-may08] FW: example: using fast-flux to escape censorship
  - From: Dave Piscitello
References:
- Re: [gnso-ff-pdp-may08] Re: [ntfy-gnso-ff-pdp-may08] FW: example: using fast-flux to escape censorship
  - From: Dave Piscitello
<<< Chronological Index >>> <<< Thread Index >>>
Privacy Policy | Terms of Service | Cookies Policy