Re: [gnso-ff-pdp-may08] Re: [ntfy-gnso-ff-pdp-may08] FW: example: using fast-flux to escape censorship

[Dave Piscitello <dave.piscitello@xxxxxxxxx>]

My $.02 remains:

Use FF for malicious uses. This is (for the nth time) more than short TTLs and 
commonly involves compromised systems, unauthorized software, etc.

Distinguish FF from "short TTLs" as per RFC 1987 for conventional traffic 
engineering and operations.This commonly involves systems used by the 
operators/owners for the purposes intended by the operators/owners and commonly 
uses approved software.

We have this incredible problem that short TTL is equated 1:1 with FF and it 
sucks up considerable bandwidth in this discussion.

I will refrain from commenting on pr0n site techniques and their adoption as 
"commonly accepted" marketing techniques except to say that marketing and 
social engineering have a lot in common. We'll chat on an ethics mailing list 
when we conclude this one.


On 7/16/08 2:33 PM, "Greg Aaron" <gaaron@xxxxxxxxxxxx> wrote:

Hi, Dave:

I agree that what we're interested in is malicious uses of the technique.  But 
the group is also tasked with pointing out any legitimate or benign uses of the 
technique.  If you define "fast flux" as illegal/malicious, what do you call a 
site that uses the same technique for legitimate or benign purposes?  I don't 
think there is such a term.  ("Good fast flux"?)  I therefore suggest we have a 
term for the technique, and a term for the malicious use for the technique.  
Which is what the Issues Paper did.

* The use of short TTLs has been around since at least the time RFC 1034 was 
written in 1987.  That RFC is one of several to describe uses of short TTLs in 
conventional traffic and operations.
* I don't know when the term "fast flux" was coined.  But just because a 
criminal was the first to exploit a technique is not a reason to brand the 
technique as all-bad, all-the-time.  (Hey, prOn sites pioneered many 
now-commonly-accepted Internet marketing techniques....)
* Wikipedia notes that while security researchers have been aware of the 
fast-flux technique since at least November 2006, the technique has only 
received wider attention in the security trade press starting from July 2007.

All best,
--Greg


________________________________

From: Dave Piscitello [mailto:dave.piscitello@xxxxxxxxx]
Sent: Wednesday, July 16, 2008 1:41 PM
To: Greg Aaron; Marc Perkel; Glen de Saint Géry
Cc: gnso-ff-pdp-may08@xxxxxxxxx
Subject: Re: [gnso-ff-pdp-may08] Re: [ntfy-gnso-ff-pdp-may08] FW: example: 
using fast-flux to escape censorship

I stand by my definitions until you answer a question for me.

Which came first, the use of short TTLs to adapt to conventional traffic and 
operational issues, or the application of the term "fast flux" to this 
technique in the phishing and ecrime community?

My original encounter with the term "fast flux" was in the context of attacks. 
I spent a fair chunk of my career in the routing and addressing world and had 
never heard anyone in the enterprise, traffic engineering or load-balancing 
communities use this specific term prior to its adoption as a name for an 
attack. If you or others have, please help me create an accurate time line.

If the term fast flux has a history prior to its use in attacks, then I concede 
you and the Issues Report are correct. If it does not, I suggest that the term 
is overloaded and that overloading creates problems when it comes to 
classifying activites as good/bad/legitimate/illegal.

On 7/16/08 10:37 AM, "Greg Aaron" <gaaron@xxxxxxxxxxxx> wrote:
Dear Dave:

No, I do not find those definitions correct.  Fast flux is indeed a technique, 
but it is not necessarily malicious.  Your definition below classified the very 
technique as always malicious.

The existing definitions from our base documents clearly distinguish the 
technical practice from the intent/end for which it is used.  The Issues Report 
says:

Fast Flux: In this context, the term "fast flux" refers to rapid and repeated 
changes to A and/or NS resource records in a DNS zone, which have the effect of 
rapidly changing the location (IP address) to which the domain name of an 
Internet host (A) or name server (NS) resolves.
[In other words, "fast flux" is a technical practice or technique.  It can be 
used for benign or malicious purposes. It is not necessarily an "attack 
technique."  Indeed, we know of examples where it is used as a legitimate 
defensive technique.]

Fast Flux Hosting: The practice of using fast flux techniques to disguise the 
location of web sites or other Internet services that host illegal activities.

All best,
--Greg



________________________________

From: owner-gnso-ff-pdp-may08@xxxxxxxxx 
[mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx] 
<mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx%5d><mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx%5d>
 On Behalf Of Dave Piscitello
Sent: Wednesday, July 16, 2008 7:41 AM
To: Marc Perkel; Glen de Saint Géry
Cc: gnso-ff-pdp-may08@xxxxxxxxx
Subject: Re: [gnso-ff-pdp-may08] Re: [ntfy-gnso-ff-pdp-may08] FW: example: 
using fast-flux to escape censorship

Fast flux is not an attack, but a technique - one element - of an attack. As we 
try to refine the terminology, we might want to be careful when we use each 
term. These definitions seem to be emerging:

 *   fast flux: an attack technique that involves rapidly changes the bindings 
of IP addresses to domain names, typically to prevent detection of hosts 
operating illegal or unauthorized services (DNS, mail, web)
 *   fast flux hosting: employing fast flux as part of the hosting component of 
a criminal or other unauthorized activity (e.g., phishing)
 *   fast flux attack: an attack that uses fast flux
 *   short TTL: a value in the Time To Live parameter associated with a DNS 
resource record(s) that is observably less than the values encountered in the 
DNS under typical operating conditions, e.g., less than 3600 seconds. Short 
TTLa may be used for both legitimate and abusive purposes; for example, the use 
of a short TTLa is one way to enable a fast flux attack.

Using an antispam analogy, you can't conclude that an email is spam solely on 
the basis that it contains the brand name of an erectile dysfunction product. 
Ditto for short TTL.

The use of short TTLs is one of several "markers" that you might use to detect 
an attack that employs fast flux. Large numbers of NS name server resource 
records and frequent changes to those RRs is another. The use of IP addresses 
that fall outside the typical address range used for this domain is another. 
Evaluated in combination, these may be useful. Evaluated in isolation, they 
might result in false positives.

We are supposed to study fast flux. Do the definitions above help us with the 
scope we are struggling to identify?

On 7/15/08 5:51 PM, "Marc Perkel" <marc@xxxxxxxxxx> wrote:
OK - so if there is a legitimate used for fast flux then that kills the 
solution to restrict name server TTLs to higher values because if we do then we 
can't circumvent Chinese censorship. Wouldn't we have to allow some people to 
fast flux and not others?

Glen de Saint Géry wrote:

Posted on behalf of Greg Aaron
Subject: example: using fast-flux to escape censorship

Dear group:



I'm posting this to the private list because it
is more suitable for group members' eyes only for confidentiality purposes.

Wendy, Dave, and Eric have each touched on
whether there may be legitimate uses of
fast-flux hosting by entities that use it to
escape censorship.  Let's examine a real-world
example to see if it fits.  Below are query
results for a real domain.  The TTL is 60, and
the IPs are being changed rapidly and are
globally distributed on multiple ASNs.  It
therefore seems to meet the definition of fast-flux.

The registrant is an entity called Domain
UltraReach.  Domain UltraReach says it offers a
proxy service designed to allow Web users to
circumvent Chinese government Internet censorship.
<
<http://www.ultrareach.com/company/aboutus.htm><http://www.ultrareach.com/company/aboutus.htm>http://www.ultrareach.com/company/aboutus.htm


Domain UltraReach operates multiple such fluxy domain names besides the below.

So, what do we have here?

Domain Query / Query timestamp / name server / IP result / AS
AVONMPRODUCTS.INFO 2008-06-03 20:26
ns1.AVONMPRODUCTS.INFO 204.0.5.32 NTT-COMMUNICATIONS-2914 - NTT America, Inc.
AVONMPRODUCTS.INFO 2008-06-03 20:26
ns1.AVONMPRODUCTS.INFO 204.252.142.121 UUNET -
MCI Communications Services, Inc. d/b/a Verizon Business
AVONMPRODUCTS.INFO 2008-06-03 20:26
ns1.AVONMPRODUCTS.INFO 204.223.32.233
PENS-NET-AS - Navy Network Information Center (NNIC)
AVONMPRODUCTS.INFO 2008-06-03 20:26
ns2.AVONMPRODUCTS.INFO 64.151.115.197 SERVEPATH - ServePath, LLC
AVONMPRODUCTS.INFO 2008-06-03 20:26
ns2.AVONMPRODUCTS.INFO 64.196.254.49 MCLEOD - McLeod, Inc.
AVONMPRODUCTS.INFO 2008-06-03 20:26
ns2.AVONMPRODUCTS.INFO 64.4.109.127 NTELOSINC - Ntelos Inc.
AVONMPRODUCTS.INFO 2008-06-03 18:51
ns1.AVONMPRODUCTS.INFO 221.192.149.102
CHINA169-BACKBONE CNCGROUP China169 Backbone
AVONMPRODUCTS.INFO 2008-06-03 18:51
ns1.AVONMPRODUCTS.INFO 221.234.155.122 CHINANET-BACKBONE No.31,Jin-rong Street
AVONMPRODUCTS.INFO 2008-06-03 18:51
ns1.AVONMPRODUCTS.INFO 221.141.216.67 HANARO-AS Hanaro Telecom Inc.
AVONMPRODUCTS.INFO 2008-06-03 18:51
ns2.AVONMPRODUCTS.INFO 194.67.57.226 SOVAM-AS Golden Telecom, Moscow, Russia
AVONMPRODUCTS.INFO 2008-06-03 18:51 ns2.AVONMPRODUCTS.INFO 194.13.52.50
AVONMPRODUCTS.INFO 2008-06-03 18:51
ns2.AVONMPRODUCTS.INFO 194.121.16.127 KPN KPN Internet Backbone AS
AVONMPRODUCTS.INFO 2008-06-03 17:17
ns1.AVONMPRODUCTS.INFO 212.129.63.31 SKYROCK Skyrock content delivery network
AVONMPRODUCTS.INFO 2008-06-03 17:17
ns1.AVONMPRODUCTS.INFO 212.105.133.231 Euronext
AVONMPRODUCTS.INFO 2008-06-03 17:17
ns1.AVONMPRODUCTS.INFO 212.230.244.4 AS15704 Xtratelecom Spain AS
AVONMPRODUCTS.INFO 2008-06-03 17:17
ns2.AVONMPRODUCTS.INFO 219.239.94.45 DXTNET
Beijing Dian-Xin-Tong Network Technologies Co., Ltd.
AVONMPRODUCTS.INFO 2008-06-03 17:17
ns2.AVONMPRODUCTS.INFO 219.10.51.50 GIGAINFRA BB TECHNOLOGY Corp.
AVONMPRODUCTS.INFO 2008-06-03 17:17
ns2.AVONMPRODUCTS.INFO 219.98.11.127 SO-NET So-net Entertainment Corporation
AVONMPRODUCTS.INFO 2008-06-03 09:41
ns1.AVONMPRODUCTS.INFO 79.170.89.4 XL-AS XL Network
AVONMPRODUCTS.INFO 2008-06-03 09:41 ns1.AVONMPRODUCTS.INFO 79.44.193.230
AVONMPRODUCTS.INFO 2008-06-03 09:41
ns1.AVONMPRODUCTS.INFO 79.219.201.4 DTAG Deutsche Telekom AG
AVONMPRODUCTS.INFO 2008-06-03 09:41
ns2.AVONMPRODUCTS.INFO 212.27.48.10 PROXAD AS for Proxad/Free ISP
AVONMPRODUCTS.INFO 2008-06-03 09:41
ns2.AVONMPRODUCTS.INFO 212.222.48.229 INTEROUTE Interoute Communications Ltd
AVONMPRODUCTS.INFO 2008-06-03 09:41
ns2.AVONMPRODUCTS.INFO 212.123.105.4 IP-EXCHANGE IP Exchange GmbH
AVONMPRODUCTS.INFO 2008-06-03 07:13
ns1.AVONMPRODUCTS.INFO 209.17.70.11 PHOTOBUCKET - PHOTOBUCKET.COM, INC.
AVONMPRODUCTS.INFO 2008-06-03 07:13
ns1.AVONMPRODUCTS.INFO 209.71.142.194 VOICENET - Voicenet
AVONMPRODUCTS.INFO 2008-06-03 07:13
ns1.AVONMPRODUCTS.INFO 209.66.40.124 JERSEY - InterActive Network Services
AVONMPRODUCTS.INFO 2008-06-03 07:13
ns2.AVONMPRODUCTS.INFO 65.214.39.56 WAN - Worldcom Advance Networks
AVONMPRODUCTS.INFO 2008-06-03 07:13
ns2.AVONMPRODUCTS.INFO 65.88.255.172 LVLT-8043 - Level 3 Communications, Inc.
AVONMPRODUCTS.INFO 2008-06-03 07:13
ns2.AVONMPRODUCTS.INFO 65.77.20.79 ETHERN -
Global Communications INTERNETworking Corp.
AVONMPRODUCTS.INFO 2008-06-03 04:46
ns1.AVONMPRODUCTS.INFO 38.99.77.80 EZRI-36323 - Ezri Inc
AVONMPRODUCTS.INFO 2008-06-03 04:46
ns1.AVONMPRODUCTS.INFO 38.180.8.183 COGENT Cogent/PSI
AVONMPRODUCTS.INFO 2008-06-03 04:46
ns1.AVONMPRODUCTS.INFO 38.172.214.108 COGENT Cogent/PSI
AVONMPRODUCTS.INFO 2008-06-03 04:46
ns2.AVONMPRODUCTS.INFO 198.172.81.21
NTT-COMMUNICATIONS-2914 - NTT America, Inc.
AVONMPRODUCTS.INFO 2008-06-03 04:46
ns2.AVONMPRODUCTS.INFO 198.85.245.171 NCREN - MCNC
AVONMPRODUCTS.INFO 2008-06-03 04:46
ns2.AVONMPRODUCTS.INFO 198.94.171.227 LEVEL3 Level 3 Communications
AVONMPRODUCTS.INFO 2008-06-03 02:26
ns1.AVONMPRODUCTS.INFO 193.33.59.200 GRONO-AS grono.net
AVONMPRODUCTS.INFO 2008-06-03 02:26
ns1.AVONMPRODUCTS.INFO 193.6.168.165 HBONE-AS HUNGARNET
AVONMPRODUCTS.INFO 2008-06-03 02:26
ns1.AVONMPRODUCTS.INFO 193.248.13.227 AS3215 France Telecom - Orange
AVONMPRODUCTS.INFO 2008-06-03 02:26
ns2.AVONMPRODUCTS.INFO 63.99.250.195 WAN - Worldcom Advance Networks
AVONMPRODUCTS.INFO 2008-06-03 02:26
ns2.AVONMPRODUCTS.INFO 63.88.39.116 UUNET - MCI
Communications Services, Inc. d/b/a Verizon Business
AVONMPRODUCTS.INFO 2008-06-03 02:26
ns2.AVONMPRODUCTS.INFO 63.11.31.2 UUNET - MCI
Communications Services, Inc. d/b/a Verizon Business
AVONMPRODUCTS.INFO 2008-06-03 00:11
ns1.AVONMPRODUCTS.INFO 85.17.132.149 LEASEWEB LEASEWEB AS
AVONMPRODUCTS.INFO 2008-06-03 00:11
ns1.AVONMPRODUCTS.INFO 85.187.85.229 B-NET BiConsult Eood
AVONMPRODUCTS.INFO 2008-06-03 00:11
ns1.AVONMPRODUCTS.INFO 85.237.255.4 ORANGE SLOVENSKO Autonomous system
AVONMPRODUCTS.INFO 2008-06-03 00:11
ns2.AVONMPRODUCTS.INFO 15.201.49.22 HP-DIGITAL-10782 - Hewlett-Packard Company
AVONMPRODUCTS.INFO 2008-06-03 00:11
ns2.AVONMPRODUCTS.INFO 15.200.102.165
TELSTRA-AS-AP Telstra International HK Limited
AVONMPRODUCTS.INFO 2008-06-03 00:11
ns2.AVONMPRODUCTS.INFO 15.54.195.227 HP-INTERNET-AS Hewlett-Packard Company
AVONMPRODUCTS.INFO 2008-06-02 21:59
ns1.AVONMPRODUCTS.INFO 201.7.178.45 TV GLOBO LTDA
AVONMPRODUCTS.INFO 2008-06-02 21:59
ns1.AVONMPRODUCTS.INFO 201.213.120.166 Prima S.A.
AVONMPRODUCTS.INFO 2008-06-02 21:59
ns1.AVONMPRODUCTS.INFO 201.48.105.79 Companhia
de Telecomunicacoes do Brasil Central
AVONMPRODUCTS.INFO 2008-06-02 21:59
ns2.AVONMPRODUCTS.INFO 66.70.92.80 DATAPIPE - DataPipe
AVONMPRODUCTS.INFO 2008-06-02 21:59
ns2.AVONMPRODUCTS.INFO 66.246.26.231 NET-ACCESS-CORP - Net Access Corporation
AVONMPRODUCTS.INFO 2008-06-02 21:59
ns2.AVONMPRODUCTS.INFO 66.125.111.4 SBIS-AS - AT&T Internet Services
AVONMPRODUCTS.INFO 2008-06-02 19:47
ns1.AVONMPRODUCTS.INFO 199.89.199.26 MATTEL - Mattel, Inc.
AVONMPRODUCTS.INFO 2008-06-02 19:47
ns1.AVONMPRODUCTS.INFO 199.217.173.127
NTT-COMMUNICATIONS-2914 - NTT America, Inc.
AVONMPRODUCTS.INFO 2008-06-02 19:47 ns1.AVONMPRODUCTS.INFO 199.7.82.67
AVONMPRODUCTS.INFO 2008-06-02 19:47
ns2.AVONMPRODUCTS.INFO 212.48.10.150 MATRIX-AS Matrix S.p.A.
AVONMPRODUCTS.INFO 2008-06-02 19:47
ns2.AVONMPRODUCTS.INFO 212.121.2.112 JANET The JANET IP Service
AVONMPRODUCTS.INFO 2008-06-02 19:47
ns2.AVONMPRODUCTS.INFO 212.23.66.67 Ural Relcom Ltd.
AVONMPRODUCTS.INFO 2008-06-02 17:48
ns1.AVONMPRODUCTS.INFO 66.135.200.146 EBAY - eBay, Inc
AVONMPRODUCTS.INFO 2008-06-02 17:48
ns1.AVONMPRODUCTS.INFO 66.70.35.110 DATAPIPE - DataPipe
AVONMPRODUCTS.INFO 2008-06-02 17:48
ns1.AVONMPRODUCTS.INFO 66.228.240.2 PRMTC - Park Region Mutual Telephone Co
AVONMPRODUCTS.INFO 2008-06-02 17:48
ns2.AVONMPRODUCTS.INFO 60.12.228.40
CHINA169-BACKBONE CNCGROUP China169 Backbone
AVONMPRODUCTS.INFO 2008-06-02 17:48
ns2.AVONMPRODUCTS.INFO 60.148.167.56 GIGAINFRA BB TECHNOLOGY Corp.
AVONMPRODUCTS.INFO 2008-06-02 17:48
ns2.AVONMPRODUCTS.INFO 60.101.119.4 GIGAINFRA BB TECHNOLOGY Corp.



**********************************
Greg Aaron
Director, Key Account Management and Domain Security
Afilias
vox: +1.215.706.5700 x104
fax: 1.215.706.5701
gaaron@xxxxxxxxxxxx
**********************************
The information contained in this message may be
privileged and confidential and protected from
disclosure. If the reader of this message is not
the intended recipient, or an employee or agent
responsible for delivering this message to the
intended recipient, you are hereby notified that
any dissemination, distribution or copying of
this communication is strictly prohibited. If
you have received this communication in error,
please notify us immediately by replying to the
message and deleting it from your computer.


No virus found in this incoming message.
Checked by AVG - http://www.avg.com
Version: 8.0.138 / Virus Database: 270.4.11/1553
- Release Date: 7/15/2008 5:48 AM