ICANN Email List Archives

[gnso-ff-pdp-may08]



Re: [gnso-ff-pdp-may08] Re: [ntfy-gnso-ff-pdp-may08] FW: example: using fast-flux to escape censorship

  • To: joe@xxxxxxxxxxxxxxxxxx
  • Subject: Re: [gnso-ff-pdp-may08] Re: [ntfy-gnso-ff-pdp-may08] FW: example: using fast-flux to escape censorship
  • From: Eric Brunner-Williams <ebw@xxxxxxxxxxxxxxxxxxxx>
  • Date: Wed, 16 Jul 2008 14:41:52 -0400


Joe,

If you look at the prior notes, Marc Perkel's in particular, there are two points I missed at first reading.

The motivation "to escape censorship" may not be limited to the PRC or Burma or ...

and

The value of an instance of "to escape censorship" may be orders of magnitude greater than the value of an instance of "fast flux".

I agree that we haven't found a good "to escape censorship" example yet, which employs more than one nameserver, and more than one A record, and uses "small TTLs" to manage which nameserver(s) and which A record(s) are authoritative and resolvable, respectively, at any point in time.

Eric

Joe St Sauver wrote:
Eric mentioned:

#How about wikileaks? Bank Julius Baer obtained a takedown. Ignoring the
#eventual outcome of the case in the US courts (takedown reversed),
#suppose the authors of wikileaks decided to make the site resistant to
#takedown? [In fact what they did was simply stop using the DNS, so the
#ip address still worked, and the content was still available. Think of
#that as "wicked fast flux" (so fast it leaves no trace in the DNS).]

For what it may be worth, in addition to use of raw IPs, Wikileaks also used alternative domain names (e.g., in .cx, etc.)

But dropping back to raw IPs (or using alternative domain names) is *not* fastflux. Spammers who advertise raw IPs simply find any raw IPs they spamvertise listed on things like the SURBL and URIBL (remember, those block lists list *URIs,* which obviously can include dotted quads as well as domain names). If you're a spammer and you've just spammed out a few million copies of "Psst, hey, go to 1.2.3.4 to find ways to fix your inadequate <whatever>," I imagine it would be a real bummer to have 1.2.3.4 get torn down, making all that spam effectively pointless. For that reason, spammers dislike getting locked into hard coded IPs, and prefer domain names.

Remember, fastflux is used for stuff that's so inherently illegal or reprehensible that no legitimate hosting company will knowingly host it, and no network service provider will intentionally provide connectivity for it, and thus a combination of domain name longevity and IP address agility is required for survivability (as well as potentially for things like load balancing).

Wikileaks is demonstrably able to obtain conventional hosting. I would also note that those who want to share controversial documents in a censorship-resistant manner have other alternatives, such as peer-to-peer applications, or heck, distribution of physical CDs (you'll note that Cryptome sells CDs of its content, for example).

Regards,

Joe

Disclaimer: all opinions strictly my own
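
The traits Eric lists above (more than one nameserver, more than one A record, small TTLs governing which of them are live at a given time) can be checked against repeated lookups of a domain. This is an added example, not part of the original thread; the `Snapshot` type, the function names, the 300-second cut-off and the sample records are all constructed assumptions.

```python
from dataclasses import dataclass

SMALL_TTL = 300  # seconds; assumed cut-off, the message says only "small TTLs"

@dataclass(frozen=True)
class Snapshot:
    """One lookup of a domain: NS names and A addresses with their TTLs."""
    ns: frozenset
    ns_ttl: int
    a: frozenset
    a_ttl: int

def flux_traits(snaps):
    """Report which traits named in the message the lookups show."""
    return {
        "multiple_ns": len(set().union(*(s.ns for s in snaps))) > 1,
        "multiple_a": len(set().union(*(s.a for s in snaps))) > 1,
        "small_ttls": all(max(s.ns_ttl, s.a_ttl) <= SMALL_TTL for s in snaps),
        # TTLs "manage" what is live: the answer sets differ between lookups.
        "ns_rotates": len({s.ns for s in snaps}) > 1,
        "a_rotates": len({s.a for s in snaps}) > 1,
    }

def matches_description(snaps):
    """True only when every trait holds; no DNS data at all is not a match."""
    return bool(snaps) and all(flux_traits(snaps).values())

def snap(ns, ns_ttl, a, a_ttl):
    return Snapshot(frozenset(ns), ns_ttl, frozenset(a), a_ttl)

# Constructed sample lookups (documentation address ranges, .example names).
ROTATING = [
    snap({"ns1.a.example", "ns2.a.example"}, 180, {"192.0.2.10", "198.51.100.7"}, 120),
    snap({"ns3.a.example", "ns4.a.example"}, 180, {"203.0.113.5", "192.0.2.44"}, 120),
]
# Ordinary load balancing: several A records, short A TTL, but nothing moves.
BALANCED = [
    snap({"ns1.b.example", "ns2.b.example"}, 86400, {"192.0.2.80", "192.0.2.81"}, 60),
] * 2
# A site reached by raw IP only leaves no lookups to examine.
RAW_IP_ONLY = []

if __name__ == "__main__":
    for name, snaps in [("rotating", ROTATING), ("balanced", BALANCED),
                        ("raw-ip", RAW_IP_ONLY)]:
        print(name, matches_description(snaps), flux_traits(snaps))
```

The load-balanced and raw-IP cases both fail the check, which mirrors the distinction drawn in the quoted message between fastflux and either load balancing or falling back to dotted quads.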




