Re: [gnso-ff-pdp-may08] The Definition of Fast Flux

["Mike O'Connor" <mike@xxxxxxxxxx>]

At 08:54 AM 7/21/2008, Dave Piscitello wrote:



> On 7/20/08 12:37 PM, "Mike O'Connor" <mike@xxxxxxxxxx> wrote:
> >
> > -- Proposal:  remove references to intent from our definition of
> > Fastflux.  On re-listening to the conversation, I didn't detect a
> > strong demand to include intent in the definition and a lot of good
> > arguments for removing it.  Let's have a discussion about that.  I'm
> > leaning in favor at the moment.
>
> I missed the call so I need a clarification regarding intent. Do you mean
> making a value/moral distinction as in "this application of fast flux is
> good and this one is bad"?
Yeah, that's it in a nutshell.  I took a little more than my usual 
care when I hammered this sentence together from several pieces of 
the conversation;
"Intent can be viewed as criminal or benign, depending on vantage 
point -- and, given how difficult this is to determine, we should be 
careful when thinking about building that distinction-making into the 
solutions that we propose. "

> I still believe that it's important to distinguish a fast flux network as
> something operated on systems using software installed without the user's
> knowledge and consent. This to me is a key differentiation: simply put, I do
> not believe that there you can claim good/legal/legitimate/noble intent if
> you are running your network on someone else's property in an unauthorized
> and covert fashion.
We had a pretty long discussion around the notion of some kind of 
"fingerprint" that we could use to distinguish between good and bad 
uses of fastflux.  I tried out the very point you're making, but 
learned that there are *consentual* botnets,  which again makes this 
difficult to determine from afar.

> > -- Proposal: let the solution drive the definition.  One approach is
> > to let the solution-defining continue for a bit and let that inform
> > the definition.  My instincts tell me that this isn't terrible, but
> > runs the risk of "hammer looking for a nail" or "if we build it they
> > will come."  So I'm neutral on this one.
>
> This is indeed "hammer looking for a nail".
>
> > -- Proposal: let the definition allow for "slow fast flux".  Rod
> > pointed out that some people use all the same techniques, but don't
> > do the constant-IP-changing part and that we shouldn't limit our
> > discussion/proposals just to "fast."  My initial reaction (in Paris)
> > was a scope concern, but now that I've had the benefit of the last
> > couple weeks of email, I think we could handle the scope issue and
> > agree with Rod that we don't want to be so narrow that we exclude
> > solutions that would address this broader case.  So I'm leaning in favor.
>
> Agree entirely. Instead of a "jumbo shrimp" label, I would suggest that we
> say "flux"  or "slow and fast flux".
>
> This will dramatically change the hammer.